Author Topic: So,*is*KaZaA/BDE Spyware? [VeryLong]  (Read 5552 times)

Offline dannjr

  • Main Certifiable NutcAsE
  • Administrator Nut
  • Certifiable Nut
  • *****
  • Posts: 6342
  • Gender: Male
  • Share your life. Be a organ donor other Bday 1998
    • DSLnuts | Broadbandnuts | Cablenut
So,*is*KaZaA/BDE Spyware? [VeryLong]
« on: April 21, 2002, 01:02:19 am »
Part 1 of I lost count  ;D

I couldn't have done this better, so I'll leave it to the original author.

quote
x-posted and f/ups set to grc.spyware

Executive Summary :
-------------------

Oh my, YES!

Terms :
-------------------

I mean 'Spyware' as defined here (which is how KaZaA claim they wish to
be judged) ...

http://grc.com/oo/cbc.htm

"Spyware Defined:

Silent background use of an Internet "backchannel" connection
MUST BE PRECEDED by a complete and truthful disclosure of
proposed backchannel usage, followed by the receipt of explicit,
informed, consent for such use. Any software communicating across
the Internet absent of these elements is guilty of information
theft and is properly and rightfully termed: Spyware"

Don't like the word 'Spyware' unless it, er, spies? Well, no matter, we
can keep it neutral too. Just ask whether K/BDE precedes its
installation with a complete and truthful disclosure of proposed usage,
and obtains explicit, informed, consent for such use? The answer is - No.

But we may as well stick with 'Spyware', since it's KaZaA's use of that
term *as defined above*, quoting Steve, which started this ball rolling.

Limitations :
-------------------

KaZaA comes with compulsory "3rd Party Applications" (Cydoor and BDE),
and optional "Bundles" (4 of 'em). I'm *only* considering KaZaA/BDE
(except to check that none of the other documentation helps explain what
BDE does - which it doesn't). So there may or may not be other things
which fail that definition. Moreover, it isn't a complete analysis of
where else KaZaA/BDE might fail, since it fell at the first hurdle. (For
example, Robin Keir has advised that it fails to uninstall properly -
I'll be using his tool to clean up soon - hope it works ;).

« Last Edit: April 21, 2002, 01:14:54 am by dannjr »
Be an Organ Donor. A chance at life.
This site never spams or sells its list to anyone. No pop-ups or scams
An inconvenience, but if you want to make omelettes, you have to break some eggs.

Offline dannjr

Re:So,*is*KaZaA/BDE Spyware? [VeryLong]
« Reply #1 on: April 21, 2002, 01:03:56 am »
Findings :
-------------------

So, I'm looking as an ordinary person, interested in finding and sharing
files, and having been told that KaZaA is the best software and network
around. I don't know much about peer-to-peer or computers, but I'm
reasonably cautious about what I install. Off to KaZaA.com then ...

Not much on the start page www.kazaa.com/en/kmdstart.htm, but a
reassuringly big link to a privacy pledge. Better check that out later,
but first "Read About It" ... www.kazaa.com/en/kmd160.htm . Okay, no
details, only general stuff.
Next ... www.kazaa.com/en/download.htm . Nope.
Next ... www.kazaa.com/en/help/resourceusage.htm

Ah, how my PC and Net connection will be used ...

"What Resources On Your Computer KaZaA Will Use And How To
Configure Your Installation

When you have installed KMD the KMD install program e.g.
kmd160_en.exe will be saved in your My Shared Folder and shared
out to other users. Other users may download this file from your
computer and by doing so your Internet connection will be used.
[...]

Files that you save in the My Shared Folders will be available
for any other user of Kazaa Media Desktop and compatible
programs. These users may find your files and subsequently
download them from you. By doing so your Internet connection is
being used. [...]

The KaZaA Media Desktop program is a so called "peer-to-peer"
program, this means that it communicates with other peers (other
KaZaA Media Desktop or compatible programs). Your copy of KaZaA
Media Desktop may serve as a SuperNode. When your computer is a
SuperNode other peers will upload an index of files they are
sharing to your computer and they will send search queries to
your computer. Your computer will reply to these requests and
also forward the request to other SuperNodes. It is not harmful
to be a SuperNode, no information about you or your computer is
obtained by KaZaA. If you do not want to serve as a SuperNode go
to Tools->Options->Advanced and check Do not function as a SuperNode.
When you are a SuperNode your CPU and Internet connection is being
used, but not more than 10% of the resources will be used."


Offline dannjr

Re:So,*is*KaZaA/BDE Spyware? [VeryLong]
« Reply #2 on: April 21, 2002, 01:05:25 am »
Good stuff. I now know, so far, how my PC and connection will be used.

Okay, into that privacy stuff ... www.kazaa.com/en/privacy/index.htm
No sign of that pledge, but nevertheless - lots of info...

"About 3rd Party Applications
Two applications are integrated inside the KMD. Cydoor provide
the advertising technology in the bottom left hand corner of the
KMD. Brilliant Digital make the engine for the incredible 3d ads
you will start to see."

Yeah, I'd heard it was ad supported. 3D ads, no less. Wow.
Better check those out ... www.kazaa.com/en/privacy/3rdparty.htm

"Brilliant Digital
We make our revenue from advertising and Brilliant Digital helps
us to be innovative in this field. We install Brilliant's b3d
Projector with KaZaA to enable richer, more entertaining forms of
advertising. With an extensive history working in entertainment
creating 3d spectacles for the likes of Warner Bros and Def Jam
Records, Brilliant will help us show that ad-powered apps can be
fun!

The integrated b3d Projector sends statistics to a webserver when
you play a 3d ad in KaZaA. Brilliant Digital promises us that no
personally identifiable information is collected when they
whether or not an ad has been viewed."

Ads, then. Fun, not nosey, 3D, ads. Righto. But it gives a link to BDE
full privacy statement too ...
www.brilliantdigital.com/content.asp?ID=780  More of the same, though
this too ...

"Updates
The b3d Projector includes an auto-update module. Periodically
this module checks with our web server for updates to b3d
Projector or related technology components. This is done without
sending any personally identifiable information. If such updates
are available they may be automatically downloaded as needed."

Okay, they can update the ad or ad-related engine as well as the ads
themselves. Sounds reasonable (if you don't mind ads).

Where next ... www.kazaa.com/en/privacy/spyware.htm ...

"KaZaA Media Desktop contains banner advertising and the option
to install other third party applications in order to remain free
to the user. Sharman Networks does not condone the use of
'spyware' and does not use 'spyware' in KaZaA Media Desktop.

Noted privacy software expert Steve Gibson of Gibson Research
describes 'spyware' as: "...use of an Internet 'backchannel'
connection must be preceded by a complete and truthful disclosure
of proposed backchannel usage..." [well, you know the rest]

Okay, the bundles are optional, and the compulsory stuff is banner
advertising. And they're being completely truthful in disclosing their
proposed use of my Net connection. Great!

Onwards though ... www.kazaa.com/en/help/faq_index.htm - always a likely
source of answers ...


Offline dannjr

Re:So,*is*KaZaA/BDE Spyware? [VeryLong]
« Reply #3 on: April 21, 2002, 01:06:45 am »
"Do I have to pay to use the KaZaA Media Desktop?
No you do not have to pay anything; KaZaA's costs are covered
through our advertising. In the future advanced features and
upgrades may come at a cost, but not now."

"Can you remove the advertising?
KaZaA's costs are covered through companies who advertise with
us. We could not afford to continue to offer you such a quality
product with continual upgrades and technical developments
without this revenue."

Yeah, yeah, it's adware. I get the idea. Nothing else about usage there.

Last one ... www.kazaa.com/en/terms.htm Ah, ...

4.  Things you need to know when using KaZaA

4.2  We may add, delete or change some or all of the Software's
functionality provided in connection with KaZaA at any time. This
may include download of necessary software modules. Any new
features that augment or enhance

4.5  You acknowledge that KaZaA or parties appointed by KaZaA may
from time to time provide programming fixes, updates and upgrades
to you, including automatic updates to the KaZaA Media Desktop,
through automatic electronic dissemination and other means.

Pretty open-ended, but this is the EULA, after all.

8   KaZaA's Right to Run Advertising without payment to Users

8.1  KaZaA reserves the right to run advertisements and
promotions on the KaZaA Media Desktop.

8.2  By accepting the terms of this Licence, you agree that we
have the right to run such advertisements and promotions without
compensation to you.

Yep, I know about the ads.

10   Third Party Software

10.1   During the process of installing KaZaA, you may be offered
the possibility to download or install software from third party
software vendors pursuant to licenses or other arrangements
between such vendors and yourself ("Third Party Software"). In
the event you do not wish to download this THIRD PARTY SOFTWARE
you should uncheck the appropriate boxes.

Hang on, I thought the "third party software" was the compulsory stuff,
and the "bundles" were optional. Guess no one told the lawyers. No
matter.

Offline dannjr

Re:So,*is*KaZaA/BDE Spyware? [VeryLong]
« Reply #4 on: April 21, 2002, 01:09:28 am »
Please note that the THIRD PARTY SOFTWARE is subject to different
licenses or other arrangements, which you should read carefully,
compared to the Terms of Use and License of KaZaA. By downloading
and using this THIRD PARTY SOFTWARE you accept these THIRD PARTY
SOFTWARE licenses or other arrangements and acknowledge that you
have read them and understand them.

Okay, will do. It's also posted on the site, or via a link, right? Er,
no. It'll be in the setup.exe, I imagine.

Okay, I've been through all the KaZaA site, and any links they gave.
Nothing of substance more than the above.

So, I now know it's peer-to-peer software, and roughly what that's
about. I know it includes advert modules. I know how it will use my PC's
resources, including CPU and Net connection. I know they've gone to the
specific trouble of assuring me that they're being complete and truthful
in disclosing their proposed use of my Net connection. Great.

On with the install ... Opening screen - "This package contains
advertising technology from BDE ...". Then the KaZaA EULA, and one for
BDE. Nothing new in either, except this for BDE ...

4. Upgrades and Access.

(a) You acknowledge that BDE may from time to time provide future
programming fixes, updates and upgrades to you ("b3d Updates"),
including automatic updates to KaZaA and other software bundled
with KaZaA, through automatic electronic dissemination and other
means. You consent to such automatic updates and agree that the
terms and conditions of this Agreement will apply to all such b3d
Updates.

(b) You hereby grant BDE the right to access and use the unused
computing power and storage space on your computer/s and/or
internet access or bandwidth for the aggregation of content and
use in distributed computing. The user acknowledges and
authorizes this use without the right of compensation.
Notwithstanding the above, in the event usage of your computer is
initiated by a party other than you, BDE will grant you the
ability to deny access.

Hmm. "access and use the unused computing power and storage space on
your computer/s and/or internet access or bandwidth for the aggregation
of content and use in distributed computing." What does *that* mean?

Well, this *is* peer-to-peer computing, after all. I know I'm going to
be storing files for other people (3.4 MB of kmd160_en.exe for
starters), and the CPU usage and Net access has already been
specifically mentioned. 4(a) suggests that BDE will also be used as
the mechanism for updates to KaZaA itself. And it's only in the EULA
(where the legal language always conveys wide rights to the supplier in
many areas) not on the web site nor any other 'user-friendly' place. And
they've said they've given a complete and truthful disclosure of
proposed backchannel usage.

I guess it must just be legalese for what I've already been told about
what it's supposed to do. Guessing, with no other information, that it's
the basis for a whole other, separate, commercial, system would be
ridiculous - wouldn't it? (Er, hindsight apart, folks).

And that's it.

How could anyone reasonably come to believe it's anything but 'ordinary'
P2P software, with adware included? What we *now* know is that BDE
planned something else entirely, from the outset. What from the above
(or go check the whole website, EULAs and install for yourself), could
reasonably qualify as "complete and truthful disclosure" and/or
obtaining "informed consent" for *this* lot ...

http://news.com.com/2009-1023-873905.html

"Excerpt from Brilliant Digital Entertainment's Annual Report
(Form10KSB), Filed with SEC April 1, 2002"



Offline dannjr

Re:So,*is*KaZaA/BDE Spyware? [VeryLong]
« Reply #5 on: April 21, 2002, 01:10:41 am »
"Millions of computers are logged onto the Internet at any given
time, each with excess processing power, excess storage capacity
and unused bandwidth. Through Altnet, we intend to create a
private peer-to-peer network to enable our clients to access and
utilize this excess processing power, storage capacity and unused
bandwidth for multiple applications. [...]

To develop the Altnet private peer-to-peer network, each computer
that comprises the network must be equipped with a software
program. To distribute the program, we bundled it in a package,
that we call ALTNET SECUREINSTALL, with our Digital Projector.
Pursuant to an agreement with Sharman Networks, SecureInstall,
along with the Digital Projector, is being downloaded as part of
Sharman Networks KaZaA Media Desktop, which has consistently been
averaging in excess of two million downloads per week since we
began bundling our software in the fall, 2001. [...]

Our longer-term goal is for Altnet, through multiple client
relationships, to be the next advancement in distributed
bandwidth, storage and computing. Currently, distributed storage
and computing companies, such as Akamai, operate [...] by
delivering the Web content and applications of their customers
[...] to a server geographically closer to end users. Altnet
intends to go the next step, which is directly to the end user in
a private, peer-to-peer network. [...]

We intend to market Altnet's peer-to-peer services in three main
areas: Network Services, Distributed Storage and Distributed
Processing.

NETWORK SERVICES - Altnet's Network Services will be marketed as
money saving, enterprise solutions to companies that spend
significant amounts on Internet bandwidth and infrastructure for
the following applications:
File downloads from web sites or servers;
Content distribution, including "push" (where content such as
music, movies, news, sports or weather, is automatically "pushed"
to the user) and cached on their PC;
Ad serving;
Content backup; and
Video messaging/conferencing.

DISTRIBUTED STORAGE - [...] By leveraging the excess storage
capacity on the Altnet network, we believe, in certain storage
market segments, Altnet can generate significant storage cost
savings for its clients, a portion of which may be earned by
Altnet as consideration for its services

Offline dannjr

Re:So,*is*KaZaA/BDE Spyware? [VeryLong]
« Reply #6 on: April 21, 2002, 01:11:34 am »
DISTRIBUTED PROCESSING - [...] After the tasks are processed via
individual computers, the data is transmitted back to a central
server, which assembles the results. Altnet's Distributed
Processing services will be marketed to companies currently in
the high performance computing field, as well as the performance
testing/measurement areas. [...] Altnet intends to earn a portion
of the cost savings realized by its customers as consideration
for its Distributed Processing services.

ALTNET'S COMPETITIVE ADVANTAGE
We believe that Altnet is well positioned to compete effectively
with companies currently providing distributed computing
services. The software necessary to operate Altnet's peer-to-peer
network has been installed on tens of millions of computers
worldwide, and additional computers are added with each
successive download of the KaZaA Media Desktop, providing a
competitive advantage over other P2P competitors that have not
achieved similar success in mass distribution of their software
application. "

Good grief. *That* was the plan all along. Yet there is NOTHING saying
anything like that anywhere on the KaZaA site; the linked BDE page; or
the install files. The *only* hint is that one, vague, ambiguous
paragraph within the EULA.

Complete and truthful disclosure? Obtaining informed consent? On the
contrary, it's a deliberate, concerted and fraudulent plan to plant
software intended for one purpose, but disguised as (only) for another,
"on tens of millions of computers worldwide".

A plague of cuckoos.

Defences :
-------------------

1. But it's all there in clause 4(b) above.

No, it isn't. That's not informed consent by *any* stretch. It's
misleading, ambiguous and alone amongst the entire paper/web trail. This
plan was intended from the outset - where's the complete and truthful
disclosure? As Steve puts it ...

"Since the goal is to inform the user, burying this information
beneath a mountain of legal mumbo-jumbo, then claiming to have
"informed the user", misses the mark. Legal mumbo-jumbo is not
informative, it is disinformative. It obscures and intimidates
rather than communicates. The goal is to produce a short set of
clear statements that the user WILL WANT TO READ rather than
dread."

2. But they say they'll ask users before they turn it on.

TOO LATE! They knew what they were doing all along, and deliberately
misled users prior to and during installation, *in order* to get the
cuckoos widely installed. Squawking to be fed later on is a whole
separate matter.

3. But they don't actually spy - how can it be spyware?

Go back to the top of the post. In some respects 'spyware' is a misnomer
- the whole point is about unauthorised (by *informed* consent) use of
the PC. KaZaA (ab)used Steve's definition - their package *is* what they
specifically claim it isn't.

4. But if, as they say, they'll ask before actually using the Altnet
stuff, they haven't gained much?

They've gained privileged access to millions of eyeballs, by deception.
Marketing people know how valuable such access to those eyeballs is. But
valuing their gain isn't the point. Deception is deception.

5. Altnet isn't spyware - they tell everyone all about it on the
www.brilliantdigital.com site.

*Now* you do, now that the truth had to be disclosed in an SEC filing.
But even that is by the way. *KaZaA* is installed on the basis of the
information on its site; the links it gives on its site; and the
installation program. Ordinary users shouldn't have to be investigative
reporters. Steve's words again (not because he's a deity, as someone put
it, but because the words make good sense) ...