Real Networks And More Privacy Concerns

Arrogant-Bastard writes: "Lauren Weinstein's Privacy Forum Digest V09 #15 reports that RealNetworks' "Download Demon" forwards the details of any download (i.e. URLs, filenames) to RealNetworks. See The Digest for details. " Now, granted, this time the program, if you read the fine print, says that it will do this - but c'mon people - how many bone-headed moves do you have to make?

Re:Download Demon, NOT RealPlayer

What would you rather have, Windows Media Player?

Well, since you've asked, yes.

(1) WMP works better than the RealPlayer -- it crashes less often (note: "less often", not "rarely") and AFAIK supports more formats. Besides, I don't really watch anything in RealAudio/Video anyway.

(2) RealNetworks has a very consistent pattern of trying to spy on its users -- much more so than Microsoft.

(3) Given a choice between dealing with a big lumbering dinosaur (e.g. stegosaurus) and a smaller more aggressive one (e.g. velociraptor), I'll take the big one any time.

Kaa

Re:Alternatives?

Sorry, but no.

I think however that you might find that similiar situations are going to become "industry standard".

As a point in case, I recently installed a "personalized firewall" product on a friends machine. As a confirmed paranoid, I had a packet sniffer running at the time and guess what?

Suprise, suprise, it fired of a packet to it's creators to let them know that it had been installed at that IP address. My advice to my friend was simple - get ride of it.

The moral of my tale is obvious. If your stuck using Windoze in certain situations, get yourself a packet sniffer first and worry about your multi-media ( and other utilities ) later.

This kind of idiocy is becoming so pervasive it's gone beyond a joke. The only reason why it even gets of the ground is simply because the general public doesn't know. If they did, they wouldn't touch these products and companies would very quickly learn to leave the issue alone.

You might be strangling my chicken, but you don't want to know what I'm doing to your hampster.

ZoneAlarm caught them

Howdy,

I just installed RA last night on win2k, funny coincidence. ZoneAlarm from ZoneLabs [zonelabs.com] started warning me as soon as I restarted that something was up. First, Real Jukebox wanted to access the internet. Now way, Sorry. Then something called main_program (I think, this is from memory) tried to access the internet. Again, no way.

At this point I started to uninstall all the crap that I didn't ask for. When I got to the Zip download thing, after I hit the uninstall program they provided, main_program wanted to access the internet again. jeez, these people are desperate for stats I guess.

So not only does is keep track of download stats, it also wants to know when you install and un-install the app.

--mark

Caveat emptor is no excuse

If only it were that simple. Have you used any commercial software lately? If you have, then you know that a several page long "license agreement" laden with incomprehensible legalese has become de rigueur for even the most trivial piece of software. Moreover, the sum total of most of these agreements is something along the lines of "You are about to install a piece of software. Use at your own risk." As a result, clicking on "Agree" has become a meaningless ritual. Personal responsibility or not, it isn't reasonable to put critical information inside a body of text that is generally acknowledged as being content-free. Reality check: could you get away with selling a box of breakfast cereal laced with strychnine just because you listed it right after polysorbate 60 in the ingredients list? Hell, no.

Does this come as any surprise to Real? Quite the contrary, they know that people generally read at most the first page of those agreements; they were counting on it. They could have put the notice about the software's logging in big bold letters at the top of the agreement, but they didn't. Why? Because they knew many people wouldn't agree to it; that's why. You can scream "caveat emptor" until you're blue in the face, but the fact is that a merchant that cheats his customers is still a villain, even if the customers should have known better than to be taken in.

-rpl

Gaol?

Is there a technical solution to this?

Some sort of bionic-chroot-on-steriods might be the answer for running untrusted binary-only software. FreeBSD has jail() which is like an improved version of chroot(), but what's needed here is something more sophisticated.

Ideally you'd make it so that _all_ access to the outside world can be filtered through some userland process. Preferably a Perl program, hehehe. This is roughly what I have in mind:

filter_syscall() {
if (call is 'open file for reading') {
if (filename one of those allowed) {
return OKAY;
} else {
modify the 'open' call so the mode is
set to read-only; return OKAY;
}
} else if (call is 'read') {
return OKAY;
} else if (call is 'send data over network') {
check to see if the data is being sent
back to RealNetworks - if it is then
return FAIL_SILENTLY;

else return OKAY;
} else {
/* Not recognized */
warn("program is doing systemcall we haven't
seen before");
return FAILURE;
}
}

It could be quite a lot of work to do this _fully_ for any large program, but a quick hack to allow all system calls except those sending private data, or to overwrite any private data being sent with 'X' characters, might be quite easy.

Download Demon, NOT RealPlayer

Folks, you might want to read the article. The problem is with a piece of software called Download Demon, a part of Netzip, NOT Realplayer. It's the same company, and you might want to stop using their products on principle, but don't rush off to find an alternative to Realplayer just because you're worried it'll track personal information...

What would you rather have, Windows Media Player?

~P

I am sparticus

Rather than getting indignant every time Real (or similar companies) are found violating peoples privacy like this, why don't we just work towards obfuscating their data set. What about a little hack that sent random junk data to them rather than whatever it is they're trying to collect?

This could have the additional benefit of making companies act more overtly about their data collections, if that is the only way they can successfully collect accurate information.


-Spazimodo

Fsck the millennium, we want it now.

Online Privacy Policies

Download Demon may well claim that "this is all anonymous, we don't link names with activity, blah blah blah" but as we have seen in the past with DoubleClick (who just created a special privacy panel within their company to act as window dressing while addressing privacy issues) companies start out collecting 'anonymous' data and then later suddenly decide to link the data to names.

I work in Marketing Research, where data collection is mostly what we do and so privacy issues, especially internet privacy, is "suddenly" a hot topic. MRA has a forum where any marketing research issue, including how you feel about your privacy, can be addressred. If you are interested in having some voice in how that data is used and collected, please post at www.mra-net.org/forum/ [mra-net.org]. MRA sets a lot of marketing research industry standards which our members follow, and I'd rather privacy was a bigger concern, not a brief one or two lines buried in policies somewhere. We don't even have a privacy policy right now.

You can keep marketing research from doing what other industries are doing.

*shrug*

It really should be illegal...

They are creating a program for the express purpose of doing one thing: aiding downloads. It is bundled without mention with other Real software, and it installs itself without permission as the default file-download handler on your system. But what it does is provide RealNetworks with unprecedented access to the downloading habits of users; it's not software it's a trojan horse! Its most useful function is to real, and its method of inclusion is suspicious. They don't need that data to make anything for you more convenient -- it is entirely to aid their marketing program!

They shouldn't be allowed to do that. I don't know how to stop them, but that shit should be illegal. Or at least force them to advertise functions which do not directly relate to the purpose you bought the software for: it's like buying a word processor with an undocumented feature which changes your networking settings, it's not what you bought it to do.

Netzip privacy statement is *long* reading

The "Privacy Statment" [netzip.com] for NetZip is online. I recommend reading it. It's many screens long. Yes, there is the following gem down in the middle:

Whenever a download is initiated using Netzip Download Demon, the product sends the name and URL of the file you are downloading along with relevant product and Internet communication information (including IP address, connection speed, whether downloads were finished or incomplete, use of pause and resume) to Netzip.

But how many people are ever going to read down that far?