Docsity
Log inSign up
Docsity
Prepare for your exams
Prepare for your exams

Study with the several resources on Docsity

Earn points to download
Earn points to download

Earn points by helping other students or get them with a premium plan

Guidelines and tips
Guidelines and tips
Sell on Docsity
Sell on Docsity
Log inSign up

Prepare for your exams

Study with the several resources on Docsity

Find documents

Prepare for your exams with the study notes shared by other students like you on Docsity

Search Store documents

The best documents sold by students who completed their studies

Search through all study resources
Docsity AINEW

Summarize your documents, ask them questions, convert them into quizzes and concept maps

Explore questions

Clear up your doubts by reading the answers to questions asked by your fellow students

Earn points to download

Earn points by helping other students or get them with a premium plan

Share documents
download point icon20 Points

For each uploaded document

Answer questions
download point icon5 Points

For each given answer (max 1 per day)

All the ways to get free points
Get points immediately

Choose a premium plan with all the points you need

Study Opportunities

Choose your next study program

Get in touch with the best universities in the world. Search through thousands of universities and official partners

Community

Ask the community

Ask the community for help and clear up your study doubts

University Rankings

Discover the best universities in your country according to Docsity users

Free resources

Our save-the-student-ebooks!

Download our free guides on studying techniques, anxiety management strategies, and thesis advice from Docsity tutors

From our blog

Exams and Study
Go to the blog

Spyware: An Attack on Privacy in the End User Computing Environment | DCS 823, Papers of Computer Science

Pace UniversityComputer Science

Material Type: Paper; Class: Systems Development and Analysis III; Subject: Doctoral Computing Studies; University: Pace University-New York; Term: Spring 2005;

Typology: Papers

2009/2010

Uploaded on 02/24/2010

koofers-user-1sj-1
koofers-user-1sj-1 🇺🇸

10 documents

1 / 20

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
Spyware: An Attack on Privacy in the End User Computing
Environment
by
Jahngir Alam
James F. Kile
Donald Little
Khaled Mohamed
Samir Shah
at
School of Computer Science and Information Systems
Pace University
April 2005
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14

Partial preview of the text

Download Spyware: An Attack on Privacy in the End User Computing Environment | DCS 823 and more Papers Computer Science in PDF only on Docsity!

Spyware: An Attack on Privacy in the End User Computing

Environment

by Jahngir Alam James F. Kile Donald Little Khaled Mohamed Samir Shah at School of Computer Science and Information Systems Pace University April 2005

Table of Contents

  • 1.0 Introduction
  • 2.0 Privacy
  • 3.0 Sources of Privacy Threats
    • 3.1 Government........................................................................................................
    • 3.2 Commercial Organizations.................................................................................
    • 3.3 Individuals..........................................................................................................
  • 4.0 An Attack on Privacy: Spyware
    • 4.1 Types of Spyware and Their Risk to Privacy.....................................................
      • 4.1.1 Browser Cookies..........................................................................................
      • 4.1.2 Associated Cookies......................................................................................
      • 4.1.3 Browser-enabled Adware Applications.......................................................
      • 4.1.4 Applications.................................................................................................
  • 5.0 Responses to Privacy Threats from Spyware
    • 5.1 Technical Responses.........................................................................................
      • 5.1.1 Individual User Vigilance..........................................................................
      • 5.1.2 Browser Selection......................................................................................
      • 5.1.3 Firewalls.....................................................................................................
      • 5.1.4 Anit-Spyware Software..............................................................................
    • 5.2 Legal Responses...............................................................................................
  • 6.0 Conclusions
  • 7.0 Areas for Additional Research
  • 8.0 References

2.0 Privacy

Personal privacy is the foundation of personal freedom. While despotic regimes throughout history have removed privacy as a way to control a population [21], the recognition of the need for privacy is deeply rooted. The Bible makes numerous references to privacy. Jewish law has long recognized the concept of freedom from being watched. There were even privacy protections in classical Greece and ancient China. The Hippocratic Oath, dating from 300 BC, demands confidentiality in doctor-patient relationships. In the early 19th^ century, William Pitt, Earl of Chatham wrote: “The poorest man may in his cottage bid defiance to all the forces of the Crown. It may be frail – its roof may shake – the wind may blow through it – the storm may enter – the rain may enter – but the King of England cannot enter – all his forces dare not cross the threshold of the ruined tenement! [2]” Although its history is long, defining privacy is not a simple matter. The concept of personal privacy differs from society to society – even those that are closely related (e.g. U. S. and Europe) [21]. In order to present this paper, however, we must provide a definition of privacy as it relates to computers and personal information. To begin, it seemed appropriate to go to Google to search for such a definition. Some representative samples appear in the following table: Source URL Definition CIO Magazine http:// www.cio.com/ research/ “For citizens and consumers, freedom from unauthorized intrusion. For organizations, privacy involves the policies that determine what information is gathered, how it is used, and how

Source URL Definition security/edit/ glossary.html customers are informed and involved in this process…” L-Soft International, Inc http:// www.lsoft.com/ resources/ glossary.asp “A major concern of Internet users that … involves the sharing of personally identifiable information …” Walt’s Internet Glossary http:// www.walthowe.c om/glossary/ p.html “A source of concern to many on the Internet as how much personal information is available for all who look for it…” Oregon State University http:// osulibrary.orego nstate.edu/ archives/ handbook/ definitions “The right of an individual to be secure from unauthorized disclosure of information about oneself that is contained in documents.” RSA Laboratories http:// www.rsasecurity. com/rsalabs/ node.asp? id= “The state or quality of being secluded from the view and/or presence of others.” University of Nebraska Medical Center http:// www.unmc.edu/ ethics/ words.html#P “… information privacy is a restriction on facts about the person that are unknown or unknowable …” e-Start http://www.e- start.sbdc.com.au /glossary.asp “... the right to freedom from unauthorized intrusion. Increasing use of … technologies has made it easier to gather volumes of information about individuals – including buying and spending habits, finances, lifestyles, preferences, and movements.” Austin College http:// artemis.austincol lege.edu/help/ dict.html#spam- proofing “Privacy is becoming more and more of a concern on the Internet. Anyone whom you can give information such as your email address or credit card number can very easily give that information to someone else.” A common thread among these various definitions is that the collection and sharing of personally identifiable information including name, birth date, Social Security number, shopping habits, and financial data without a person’s permission is a violation of privacy. It should be noted that none of the above definitions include collection of such information with malicious intent. They focus on preventing the unauthorized collection of data.

by large organizations and governments. This ability combined with currently inadequate safeguards surrounding sensitive private information provides a rich field for individuals to invade others’ privacy [21].

4.0 An Attack on Privacy: Spyware

Spyware is a type of monitoring computer program that collects and shares personal information without a user’s permission and as such violates a user’s privacy per our working definition (“ 2 Privacy” on page 2 ) [9]. Spyware can be used to collect information about another user’s computing activities [1] which can result in mild to serious privacy risks to both consumers and businesses. The information collected can include Internet activity for use by a third party, personal information entered into online forms (such as user ids, passwords, social security numbers, and credit card numbers), and general communications and online activities. Spyware has a significant presence in end user computer systems. It is estimated that spyware is installed on over 85% of personal computers [14]. A recent survey by an Internet Service Provider (Earthlink) found an average of 27.8 spyware objects per installed per computer [3]. Perhaps more disturbing is the dramatic rate of increase identified in a March 2004 report by a senior manager from McAfee indicating that their software had detected over 14.3 million instances of spyware that month compared with 1.5 million instances in August 2003 [1] – a 853% increase over a seven month period! Adding to the concern over spyware’s prevalence and, possibly, the reason for its pervasiveness, is that it is frequently distributed in the same manner as other software and is typically installed without the user’s “fully informed consent [9].” But, what are the privacy risks to such a seemingly well established monitoring technique? With over

etc [1, 12]. This type of spyware does not create a high level of privacy risk as it only contains data that a user would reasonably expect a business to know. However, it is still meets our definition for privacy invasion if the user is not informed that this information will be stored and how it will be used. 4.1.2 Associated Cookies A second type of spyware is a variation on browser cookies, called associated cookies, where the information stored about a user by a business or web site is uniquely identified and transmitted to a third party [1]. Use of associated cookies typically stems from advertising interests and are used along with so-called “web bugs” – small one pixel graphic objects that are often hidden in a web page or email message [14] – to record user site visits. This type of tracking and use of the aggregate information for advertising purposes is also called “adware” [6]. It typically generates advertising banners or popup windows to display advertisements while viewing member web sites. The privacy risk related to this type of spyware is that users “do not see, access, or control” the data being collected and used and are usually unaware of the entire process [1]. 4.1.3 Browser-enabled Adware Applications A third type of spyware also falls into the adware category, but its intrusion on a user’s computer is more insidious. Rather than merely collecting information and relying on member web sites to display ads, they install a piece of browser plug-in software (either Java or ActiveX) to display pop-up advertisements [14]. Adware plug-ins may also alter the behavior of a user’s web browser in a manner that is contrary to their wishes [14]. Because this type of spyware is installed as a plug-in application within a user’s

web browser, it has direct access to the computer’s hard drive and, for example, can send the contents of the browser’s data cache to a third party without knowledge of the owner [6]. Files in the browser cache may contain a significant amount of personal information from visited web sites. Since this information is taken from the user’s machine without their full knowledge, it presents a significant risk to personal privacy. 4.1.4 Applications The final type of spyware we will introduce is spyware that is application-based. This type of spyware, also called snoopware, can create substantial privacy risks to a user [1]. It can covertly collect information about almost anything a person does on a computer. The most popular implementations include keyboard logging and screen capture. Keyboard logging spyware captures all of the keystrokes that a user types on the keyboard and can include user ids, passwords, phone numbers, financial information, etc [6]. Screen capture spyware, such as SpectorSoft’s eBlaster, can similarly record and send hundreds of screen snapshots every hour [6]. This type of spyware is the most serious risk to personal privacy since it can transmit virtually any information on a user’s computer without their knowledge.

5.1.1 Individual User Vigilance The first defense against loss of privacy is individual user vigilance against privacy violations. There are a few simple steps that will reduce exposure to potential privacy threatening infestations:

  1. A user should carefully read the End User License Agreement (EULA) before downloading any software. Ethically and legally the EULA must disclose that spyware is bundled with the download. Occasionally, but not frequently, there may be an opt-out provision for the spyware software. Usually, the existence of the spyware software is hidden in the small print and difficult to find [13].
  2. If a popup window appears during the download asking if you want to install software, click the "X" window closer. Many of these messages will allow the installation of the spyware if the user selects “No” [13].
  3. Avoid peer-to-peer networks and freeware or shareware which offer free downloads. Very often these downloads contain spyware because of the revenues generated from advertising [14]. 5.1.2 Browser Selection Most spyware products are written to take advantage of the weaknesses of Internet Explorer because of its dominant market position. Use of a non Microsoft Internet browser, such as Mozilla’s Firefox, may provide more protection against privacy invasion since they provide smaller, more specialized targets for spyware creators [13].

5.1.3 Firewalls Personal firewalls are software/hardware products that protect computers against identifiable threats from the Internet. These firewalls can identify and block malicious characteristics before they reach the system based upon IP address, URL port, protocol, application and signature strings [1]. However, Firewalls are now being used to prevent spyware programs on a user’s machine from accessing the Internet in the first place [13], thus removing the ability of the software to send a users private information. A personal firewall provides the means for users to identify which processes are attempting to access the Internet and provide the option to disallow the access [4]. Internet Service Provides (e.g. AOL and EarthLink) have now made spyware blockers part of their services [20]. This allows users who carefully select their ISP an additional measure of protection from spyware violations of privacy. 5.1.4 Anit-Spyware Software Since spyware is itself a type of software technology, a number of software vendors now provide anti-spyware solutions so that computer users have the means to keep their personal computer or network free of compromising and intrusive threats to their privacy [13]. The software offers two types of functionality:

  1. Scanning of the machine and removal of spyware threats. When this type of software runs, it reveals items that pose a threat (cookies, executables, etc.). The computer user then has the option of removing these threats from their system [13].

5.2 Legal Responses The threats to user privacy and other problems caused by spyware have evoked a legal response. During 2004, anti-spyware legislation was enacted in California and Utah and was introduced in at least five other states [1, 10, 14]. By March 18, 2005 twenty-five states had considered spyware legislation [11, 14]. State spyware legislation over the last two years has generally focused on and considered protection from certain acts: taking control of a computer; modifying settings without authorization; collecting personally identifiable information; preventing reasonable efforts to block the installation of software; misrepresentation that the software will be uninstalled or disabled; and removing or rendering inoperative anti- spyware software [10, 11]. On the national level, the United States Senate is considering an anti-spyware law (S.

  1. [1, 15]. In 2003 and 2004, the United States House of Representatives drafted bills such as HR 2929 [18] (Securely Protect Yourself against Cyber Trespass Act) and HR 4661 [16] (Internet Spyware Prevention Act) [1]. Both pieces of legislation were re- introduced this year (2005) as HR 29 [19] and HR 744 [17]. As with other attempts to legislate solutions to high-tech problems, implementing legislation against spyware would appear on the surface to be challenging. Since most spyware usage and privacy violation attempts are by organizations, it is possible that legislation, if enacted, may have some success. However, many of these organizations profit from the private information gathered through spyware which may prove to be a

barrier to truly effective legislation at any level [1]. Further, the effectiveness of state and national legislation remains to be seen because it has not been tested in the courts.

7.0 Areas for Additional Research

This paper merely touched the surface of one type of technology, spyware, and its effects on compromising personal privacy. The concept of organizational use of information that can compromise individual privacy protections through technological means is a compelling topic for additional research. That these organizations stand to loose money if legislation is enacted preventing them from gathering personal information without the knowledge of the individual could provide the basis for research into what the correct balance should be between the privacy rights of the individual and the rights of an organization.

8.0 References