Though we have been firmly entrenched in the information age for almost 20 years now, the Internet still retains a Wild West atmosphere, without a Wyatt Earp to tame it. Rules are made and discarded at will, virtue a dead end, pimping a virtue. You must get yours before the next guy grabs it, any way you can, and there are plenty of sharpies promising an edge, bottles of snake oil in hand labeled DRINK ME.
Witness the latest con, spyware, software that is able to swipe personal data from your computer and sell it to the highest bidder. All this is done under the guise of collecting general demographics and providing users with exciting offers, but its potential is far too frightening to ignore.
Spyware usually comes to your computer in the form of a simple data-collection program, bundled along with a piece of freeware (an application that the developer offers to the public gratis) that contains embedded banner ads. As you use the application, the spyware takes the personal information you provided when registering and adds to it other appliction-related data; what you are using the application for, how long you use it, etc. This information is sent to a server that interprets the data in order to target you with very specific advertising.
Rotating banner ads are like airport surveys: If you want to ignore them, you can. And since most freeware relies on advertising dollars to pay the bills, this may seem a fair price to pay for a programmer's labor (and the reason why these programs are often referred to more benignly as adware). However, there are troubling aspects to this practice; some potential, some already in play.
First of all, users are rarely notified of the presence of any spyware when they download; if so, only in the glaucoma-inducing lines of tiny text that make up a User Agreement. More often than not, spyware is not administered by the company from which users receive the application, but by a third party that markets the spyware. So while you may have agreed to the terms and conditions set forth by the application's developers, you did not specifically agree anything the spyware's administrator has in store for you. Under current laws, this is all perfectly kosher. Software providers are under no legal obligation to inform the public of their purpose in gathering personal information, let alone how they do it and with whom. Most sites do disclose some information about what software you receive and what it does, merely to give lip service to privacy concerns, knowing full well that their security policies have the same judicial weight as handshake agreements.
So it was only a matter of time until a program such as VX2 would hit the Web, and hit it hard. VX2 takes spyware to a new level by pulling information, not just from use of an application, but from the use of a computer. When freeware that includes VX2 is installed on a computer, the program saves itself to a directory on the hard drive. Once firmly in place, it keeps track of the user's Web browsing (current and historical), information entered into forms, and configuration of the user's hardware and software. Based on all this information, pop-up ads begin to appear incessantly in the user's Web browser, giving the false impression that the Web page being viewed is responsible for the constant annoyances.
In order to discover that VX2 is on your computer, you would have to determine the IP of the pop-up ads plaguing your browser, a task that less technically-inclined Web surfers are not able to do. Even harder to determine is how VX2 got on your computer, and where it is stored. To top it all off, VX2 is an incredibly difficult program to completely remove from a hard drive, and doing so often disables the freeware that let it in.
Even more disturbing information can be culled from the VX2's Privacy Policy, as featured on its Web site. Although VX2 insists that it does not collect any truly damaging data (i.e., credit card information), it does concede that "the operation of certain third party websites may result in some personal information being included in URL data...Such instances are rare and are the result of poor security practices by these third party websites." Thereby, the buck is passed when some mysterious charges suddenly appear on your Visa bill. VX2 also reserves the right to update its software at any time, saying that "upgrades may include third party applications.... They will be done automatically in the background while you are surfing the web in order to cause the least amount of inconvenience to our users as possible." Its stated reason for capturing data that the user enters into forms (which includes even secure, encrypted forms) goes past disingenuousness and straight into Orwell country: "This information is automatically sent to VX2 in order to save you the time and trouble of submitting such information to us yourself." [emphasis added]
What VX2 boils down to is this: A program you never wanted squats in your computer's hard drive, sending personal information to a company with whom you never had any direct contact and never agreed to give such access; a program that, furthermore, can upgrade itself and add any other program to your computer that it sees fit. It is the kind of application that would make the CIA drool, but once again, private industry has beaten the public sector to the punch.
It is difficult to determine which applications are or have been bundled with VX2, due to the frequency of freeware updates and the program's inherently insidious nature. Companies that use VX2 are obviously tight lipped about it; companies who no longer use it, but once did, are in no rush to inform users that they were being spied on. Because of the nature of VX2's operation, however, these once-guilty firms still have a responsibility to inform their users. This spyware embeds itself into a user's hard drive; therefore, the application once bundled with VX2 does not even have to be running for it to gather information and send it to an ad server. Even if a company no longer maintains a relationship with VX2, unless it alerts its users to VX2's existence, and how to effectively delete it from their hard drive, the program will continue to do its dirty work. By keeping quiet, under the guise of not alarming their users, these firms remain co-conspirators in VX2's quest to snoop on the Web-browsing public.
The most popular application known to have used VX2 is the Audio Galaxy Satellite, a music-downloading application similar to Napster. Portal of Evil, a Web site that collects pages "from the margins of society," and one of the first sites to break the whole sordid VX2 story, has attempted to make Audio Galaxy accountable for bundling VX2 along with their Satellite freeware. In responses to both Portal of Evil and Wired.com, Audio Galaxy merely stated that VX2 was no longer included with their freeware, refusing to state when it was and for how long. The company said it had little knowledge of the program's use and blamed its presence in their software on Onflow, a software company that supplied Audio Galaxy with advertising graphics enhancers. Onflow maintains that it had never heard of VX2 until it was alerted by Portal of Evil.
Ignorance is a poor excuse for what companies such as Audio Galaxy have unleashed on the Web. What is now crystal clear is this: many companies offering freeware attach add-ons to their software willy-nilly, presumably under the spell of sleazy marketers, not knowing or not caring what this software will do to its users. Imagine the slaughterhouse conditions of The Jungle, transposed to the Internet, and you will have a good idea of the situation we find ourselves in today. (Audio Galaxy did not respond to this writer's request for comment.)
The origins of the program are incredibly murky, and fraught with more incest and secrecy than I, Claudius. No one has ever taken responsibility for writing the code (or funding such). As is often the case with such spyware, the program was probably developed and tested by a third-party tech department far removed from whoever wields it now, and then funneled through several different subsidiaries of a large parent company, in order to throw any curious bloodhounds off the scent.
According to cexx.org, a Web watchdog site, VX2's first major appearance was under the name Transponder, marketed by the Blackstone Data Corporation. Blackstone's public Web site has disappeared from the Internet, but since VX2 shares a PO Box in Las Vegas with them, the two are probably one and the same. Confusing matters further is Mindset, a 'Web solutions' company that gives away freeware of screensavers and trivia games bundled with VX2. A sharp eye reveals that their Privacy Policy is identical to the one on VX2's Web site.
Thanks to the venal efforts of these people, the Web remains a lawless place huddled on the edge of civilization, full of mustache twirling barkers who cruise for those easy marks just off the stagecoach. And since times are tighter these days, the stakes are higher, the con jobs meaner, the medicine show a lot less funny. In the current political climate, anything that threatens our privacy deserves a long hard look, and a long hard fight. Until a sheriff finally arrives--until everyone realizes how much we stand to lose and how soon it will happen--we must get used to the hustler's hello: one hand slapping us in the back and the other one reaching into our pockets.
Incidentally, VX2 happens to share a name with a component of a variety of nerve agent. This brand of biological weapon is ten times more powerful than other nerve agents, and is characterized by its oily texture and long half-life. Whether the spyware's nomenclature was a loving tribute or a dark coincidence remains to be seen.
