
Beware the Spread of Weaselware

Microsoft's announcement last week that it would require customers to grant it the ability to reach into their personal PCs to disable, restrict, uninstall or repair software bought from the Windows Store made me realize how pervasive this sense of entitlement is among software vendors.

Mobile app vendors and the carriers involved are the greatest offenders in the invasion-of-privacy contest, but with some justification, however inadequate.

Carriers have to track the location of customers in order to keep the network connections to their handsets alive.

The requirement doesn't go much further than that, but most carriers add monitoring software called Carrier IQ that tracks how well an app runs on the customer's smartphone, what conflicts apps create for each other, and how well the carrier's own services are performing for that customer.

Great idea, except the software carriers install is also capable of auditing and reporting on all the apps, data and software living on a phone, every key a user presses, every location he or she has been to and every person he or she has called, texted or e-mailed.

They do that without telling customers up front what information they are collecting, what information the software could collect if they wanted it to, or what could happen if some malware writer decided to take advantage of the spyware to collect information even more secretly and even more maliciously.

Next: To the Desktop

Microsoft's decision to extend the kill-switch, vendor-meddling, customer-paternalization policies to desktop software is a big step forward in the development of what I'm calling "weaselware."

Technically, weaselware is any information technology product designed or distributed for dishonest purposes: anything that, when you found out about it, would cause you to think the people who sent it to you are weasels.

Recent examples include cell-phone carriers' Carrier IQ, iPhones and LocationGate, anything from Facebook, flash cookies, persistent cookies, profile comparisons and other passive or active tracking mechanisms web sites plant in your browser.

More specifically, it's technology that doesn't quite qualify as completely evil (malware), but violates the expectation of users that software vendors aren't trying to spy on them, manipulate their choices, or market them to third parties.

Spyware or software with spyware-ish properties is the most obvious example, but the list of examples itself has grown so long it's developing into different categories.

Essentially, anything that installs secretly and gives the developer access to or control over software running on a machine it doesn't own qualifies as weaselware.

(Yes, I've heard there's no such thing as anonymity anymore, too; knowing anyone who can build an Android or iOS app can invade your privacy doesn't mean you should let them do it. Have a backbone; fight back a little.)

The traditional core of weaselware is the malware-ish co-marketing arrangement under which a user can download a piece of freeware or a demo version of an application and inadvertently get toolbar software from Ask.com or other add-ons whose primary purpose is to stay installed long enough to market something to unsuspecting end users.

This last category was once almost the sole source of weaselware; mobile apps and, thanks to Microsoft, mainstream desktop software have now devolved to the point that they are leading a purposeful charge down what had been considered a slippery ethical slope.
