So, is KaZaA/BDE ... Spyware? www.iMilly.com
[ N.B. Update w.e.f. KaZaA version 1.7.x : see bottom of page ]
Executive Summary:
Oh my, YES!
Terms of Reference:
My interest in this matter was sparked by Steve Gibson's disgusted reaction to being deceptively quoted on KaZaA's website. This page is a slightly edited version of my post of the 17th April 2002 to the GRC newsgroups.
I mean 'Spyware' as defined by the GRC Code of Backchannel Conduct (which is how KaZaA claim they wish to be judged) ...
"Spyware Defined: Silent background use of an Internet "backchannel" connection MUST BE PRECEDED by a complete and truthful disclosure of proposed backchannel usage, followed by the receipt of explicit, informed, consent for such use. Any software communicating across the Internet absent of these elements is guilty of information theft and is properly and rightfully termed: Spyware"
Don't like the word 'Spyware' unless it's, er, spying? Well, no matter, we can keep it neutral too. Just ask whether KaZaA/Brilliant Digital Entertainment ('K/BDE') precedes its installation with a complete and truthful disclosure of proposed usage, and obtains explicit, informed consent for such use.
The answer is - No.
But we may as well stick with 'Spyware', since it's KaZaA's use of that term as defined above, quoting Steve Gibson, which started this ball rolling.
KaZaA comes with compulsory "3rd Party Applications" (Cydoor and BDE), and optional "Bundles" (4 of 'em). I'm only considering KaZaA/BDE (except to check that none of the other documentation helps explain what BDE does - which it doesn't). So there may or may not be other things which fail that definition. Moreover, it isn't a complete analysis of where else KaZaA/BDE might fail, since it fell at the first hurdle. (For example, Robin Keir has advised that it fails to uninstall properly - I'll be using his tool to clean up soon - hope it works ;).
So, imagine I'm looking as an ordinary person, interested in finding and sharing files, and having been told that KaZaA is the best software and network around. I don't know much about peer-to-peer or computers, but I'm reasonably cautious about what I install. Off to KaZaA.com then ...
Not much on the start page, but a reassuringly big link to a privacy pledge. Better check that out later, but first "Read About It". Okay, no details, only general stuff. Next the Download page. Nope. The Help pages? Ah, how my PC and Net connection will be used ...
"What Resources On Your Computer KaZaA Will Use And How To Configure Your Installation When you have installed KMD the KMD install program e.g. kmd160_en.exe will be saved in your My Shared Folder and shared out to other users. Other users may download this file from your computer and by doing so your Internet connection will be used. [...] Files that you save in the My Shared Folders will be available for any other user of Kazaa Media Desktop and compatible programs. These users may find your files and subsequently download them from you. By doing so your Internet connection is being used. [...]
The KaZaA Media Desktop program is a so called "peer-to-peer" program, this means that it communicates with other peers (other KaZaA Media Desktop or compatible programs). Your copy of KaZaA Media Desktop may serve as a SuperNode. When your computer is a SuperNode other peers will upload an index of files they are sharing to your computer and they will send search queries to your computer. Your computer will reply to these requests and also forward the request to other SuperNodes. It is not harmful to be a SuperNode, no information about you or your computer is obtained by KaZaA. If you do not want to serve as a SuperNode go to Tools->Options->Advanced and check Do not function as a SuperNode. When you are a SuperNode your CPU and Internet connection is being used, but not more than 10% of the resources will be used."
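To make that SuperNode arrangement concrete, here is an added toy model in Python. It is my illustration, not KaZaA's software or code from the original post: leaf peers upload their shared-file lists to a SuperNode, a query is answered from that SuperNode's index and then forwarded to neighbouring SuperNodes, and a peer that has ticked "Do not function as a SuperNode" refuses to index anyone. The hop limit (`ttl`), the `visited` set, the three-node topology and the file names are all assumptions of the model, not details from KaZaA's documentation.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Peer:
    """A leaf peer: shares some files and is attached to one SuperNode."""
    name: str
    shared: set = field(default_factory=set)


@dataclass
class SuperNode:
    """A peer promoted to SuperNode (or one that has opted out of the role)."""
    name: str
    enabled: bool = True  # False models "Do not function as a SuperNode"
    neighbours: list = field(default_factory=list)
    index: dict = field(default_factory=lambda: defaultdict(set))  # filename -> {peer names}
    seen_indexes: dict = field(default_factory=dict)  # peer name -> files that peer uploaded
    seen_queries: list = field(default_factory=list)  # (origin peer, search term) pairs

    def accept_index(self, peer: Peer) -> bool:
        """A leaf peer uploads its shared-file list; refused if we have opted out."""
        if not self.enabled:
            return False
        for filename in peer.shared:
            self.index[filename].add(peer.name)
        self.seen_indexes[peer.name] = set(peer.shared)
        return True

    def search(self, term: str, origin: str, ttl: int = 2, visited=None) -> set:
        """Answer a query from our own index, then forward it to neighbouring SuperNodes.

        `ttl` (hop limit) and `visited` are assumptions of this model, added so a
        query cannot circulate between SuperNodes forever.
        """
        visited = set() if visited is None else visited
        if not self.enabled or self.name in visited:
            return set()
        visited.add(self.name)
        self.seen_queries.append((origin, term))
        hits = {(filename, holder)
                for filename, holders in self.index.items()
                if term.lower() in filename.lower()
                for holder in holders}
        if ttl > 0:
            for neighbour in self.neighbours:
                hits |= neighbour.search(term, origin, ttl - 1, visited)
        return hits


def build_demo():
    """Constructed topology: three SuperNodes in a chain, the third opted out."""
    sn_a = SuperNode("SN-A")
    sn_b = SuperNode("SN-B")
    sn_c = SuperNode("SN-C", enabled=False)
    sn_a.neighbours, sn_b.neighbours, sn_c.neighbours = [sn_b], [sn_a, sn_c], [sn_b]
    # constructed sample peers and file names
    alice = Peer("alice", {"kmd160_en.exe", "holiday_photos.zip"})
    bob = Peer("bob", {"kmd160_en.exe", "lecture_notes.pdf"})
    carol = Peer("carol", {"thesis_draft.doc"})
    accepted = {
        "alice": sn_a.accept_index(alice),
        "bob": sn_b.accept_index(bob),
        "carol": sn_c.accept_index(carol),  # SN-C has opted out, so this is refused
    }
    return {"SN-A": sn_a, "SN-B": sn_b, "SN-C": sn_c}, accepted


def run_search(supernodes: dict, entry: str, term: str, origin: str = "alice") -> list:
    """Send `term` to SuperNode `entry` on behalf of leaf `origin`; return sorted (file, holder) pairs."""
    return sorted(supernodes[entry].search(term, origin))


def learned_by(supernode: SuperNode) -> dict:
    """What this SuperNode has observed about other users: their file lists and their queries."""
    return {"indexes": {p: sorted(f) for p, f in supernode.seen_indexes.items()},
            "queries": list(supernode.seen_queries)}


if __name__ == "__main__":
    nodes, accepted = build_demo()
    print("index uploads accepted:", accepted)
    print("search 'kmd160' via SN-A:", run_search(nodes, "SN-A", "kmd160"))
    print("SN-B has observed:", learned_by(nodes["SN-B"]))
```

The `learned_by` function is the part worth looking at from a privacy angle: it records, per SuperNode, which peers' file lists and which queries (with the originating peer) passed through it. That is the information an ordinary user would want in front of them when deciding whether to leave the SuperNode option on, and it is distinct from the question of what the company itself obtains.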
Good stuff. I now know, so far, how my PC and connection will be used.
Okay, into that privacy stuff. No sign of that pledge, but nevertheless - lots of info...
"About 3rd Party Applications Two applications are integrated inside the KMD. Cydoor provide the advertising technology in the bottom left hand corner of the KMD. Brilliant Digital make the engine for the incredible 3d ads you will start to see."
Yeah, I'd heard it was ad supported. 3D ads, no less. Wow. Better check those out ...
"Brilliant Digital We make our revenue from advertising and Brilliant Digital helps us to be innovative in this field. We install Brilliant's b3d Projector with KaZaA to enable richer, more entertaining forms of advertising. With an extensive history working in entertainment creating 3d spectacles for the likes of Warner Bros and Def Jam Records, Brilliant will help us show that ad-powered apps can be fun! The integrated b3d Projector sends statistics to a webserver when you play a 3d ad in KaZaA. Brilliant Digital promises us that no personally identifiable information is collected when they whether or not an ad has been viewed."
Ads, then. Fun, not nosey, 3D, ads. Righto. But it gives a link to BDE full privacy statement too. More of the same, though this too ...
"Updates The b3d Projector includes an auto-update module. Periodically this module checks with our web server for updates to b3d Projector or related technology components. This is done without sending any personally identifiable information. If such updates are available they may be automatically downloaded as needed."
Okay, they can update the ad or ad-related engine as well as the ads themselves. Sounds reasonable (if you don't mind ads).
Where next ...
"KaZaA Media Desktop contains banner advertising and the option to install other third party applications in order to remain free to the user. Sharman Networks does not condone the use of 'spyware' and does not use 'spyware' in KaZaA Media Desktop. Noted privacy software expert Steve Gibson of Gibson Research describes 'spyware' as: "...use of an Internet 'backchannel' connection must be preceded by a complete and truthful disclosure of proposed backchannel usage..." [well, you know the rest]
Okay, the bundles are optional, and the compulsory stuff is banner advertising. And they're being completely truthful in disclosing their proposed use of my Net connection. Great!
Onwards though ... the FAQ - always a likely source of answers ...
"Do I have to pay to use the KaZaA Media Desktop? No you do not have to pay anything; KaZaA’s costs are covered through our advertising. In the future advanced features and upgrades may come at a cost, but not now." "Can you remove the advertising? KaZaA’s costs are covered through companies who advertise with us. We could not afford to continue to offer you such a quality product with continual upgrades and technical developments without this revenue."
Yeah, yeah, it's adware. I get the idea. Nothing else about usage there.
Last one. Ah, ...
4. Things you need to know when using KaZaA
4.2 We may add, delete or change some or all of the Software’s functionality provided in connection with KaZaA at any time. This may include download of necessary software modules. Any new features that augment or enhance
4.5 You acknowledge that KaZaA or parties appointed by KaZaA may from time to time provide programming fixes, updates and upgrades to you, including automatic updates to the KaZaA Media Desktop, through automatic electronic dissemination and other means.
Pretty open-ended, but this is the EULA, after all.
8. KaZaA’s Right to Run Advertising without payment to Users
8.1 KaZaA reserves the right to run advertisements and promotions on the KaZaA Media Desktop.
8.2 By accepting the terms of this Licence, you agree that we have the right to run such advertisements and promotions without compensation to you.
Yep, I know about the ads.
10. Third Party Software
10.1 During the process of installing KaZaA, you may be offered the possibility to download or install software from third party software vendors pursuant to licenses or other arrangements between such vendors and yourself ("Third Party Software"). In the event you do not wish to download this THIRD PARTY SOFTWARE you should uncheck the appropriate boxes.
Hang on, I thought the "third party software" was the compulsory stuff, and the "bundles" were optional. Guess no one told the lawyers. No matter.
Okay, will do. It's also posted on the site, or via a link, right? Er, no. It'll be in the Setup.exe, I imagine.
Okay, I've been through all the KaZaA site, and any links they gave. Nothing of substance more than the above.
So, I now know it's peer-to-peer software, and roughly what that's about. I know it includes advert modules. I know how it will use my PC's resources, including CPU and Net connection. I know they've gone to the specific trouble of assuring me that they're being complete and truthful in disclosing their proposed use of my Net connection. Great.
On with the install ... Opening screen - "This package contains advertising technology from BDE...". Then the KaZaA EULA, and one for BDE. Nothing new in either, except this for BDE ...
4. Upgrades and Access.
(a) You acknowledge that BDE may from time to time provide future programming fixes, updates and upgrades to you ("b3d Updates"), including automatic updates to KaZaA and other software bundled with KaZaA, through automatic electronic dissemination and other means. You consent to such automatic updates and agree that the terms and conditions of this Agreement will apply to all such b3d Updates.
(b) You hereby grant BDE the right to access and use the unused computing power and storage space on your computer/s and/or internet access or bandwidth for the aggregation of content and use in distributed computing. The user acknowledges and authorizes this use without the right of compensation. Notwithstanding the above, in the event usage of your computer is initiated by a party other than you, BDE will grant you the ability to deny access.
Hmm ... "access and use the unused computing power and storage space on your computer/s and/or internet access or bandwidth for the aggregation of content and use in distributed computing."
What does that mean?
Well, this is peer-to-peer computing, after all. I know I'm going to be storing files for other people (3.4 MB of kmd160_en.exe for starters), and the CPU usage and Net access has already been specifically mentioned. 4(a) suggests that BDE will also be used as the mechanism for updates to KaZaA itself. And it's only in the EULA (where the legal language always conveys wide rights to the supplier in many areas), not on the web site nor any other 'user-friendly' place. And they've said they've given a complete and truthful disclosure of proposed backchannel usage.
I guess it must just be legalese for what I've already been told about what it's supposed to do. Guessing, with no other information, that it's the basis for a whole other, separate, commercial system would be ridiculous - wouldn't it? (Er, hindsight apart, folks.)
And that's it.
How could anyone reasonably come to believe it's anything but 'ordinary' P2P software, with adware included? What we now know is that BDE planned something else entirely, from the outset. What from the above (or go check the whole website, EULAs and install for yourself) could reasonably qualify as "complete and truthful disclosure" and/or obtaining "informed consent" for this lot ...
"Excerpt from Brilliant Digital Entertainment's Annual Report (Form 10KSB), Filed with SEC April 1, 2002"
"Millions of computers are logged onto the Internet at any given time, each with excess processing power, excess storage capacity and unused bandwidth. Through Altnet, we intend to create a private peer-to-peer network to enable our clients to access and utilize this excess processing power, storage capacity and unused bandwidth for multiple applications. [...] To develop the Altnet private peer-to-peer network, each computer that comprises the network must be equipped with a software program. To distribute the program, we bundled it in a package, that we call ALTNET SECUREINSTALL, with our Digital Projector. Pursuant to an agreement with Sharman Networks, SecureInstall, along with the Digital Projector, is being downloaded as part of Sharman Networks KaZaA Media Desktop, which has consistently been averaging in excess of two million downloads per week since we began bundling our software in the fall, 2001. [...] Our longer-term goal is for Altnet, through multiple client relationships, to be the next advancement in distributed bandwidth, storage and computing. Currently, distributed storage and computing companies, such as Akamai, operate [...] by delivering the Web content and applications of their customers [...] to a server geographically closer to end users. Altnet intends to go the next step, which is directly to the end user in a private, peer-to-peer network. [...] We intend to market Altnet's peer-to-peer services in three main areas: Network Services, Distributed Storage and Distributed Processing. 
NETWORK SERVICES - Altnet's Network Services will be marketed as money saving, enterprise solutions to companies that spend significant amounts on Internet bandwidth and infrastructure for the following applications: File downloads from web sites or servers; Content distribution, including "push" (where content such as music, movies, news, sports or weather, is automatically "pushed" to the user) and cached on their PC; Ad serving; Content backup; and Video messaging/conferencing. DISTRIBUTED STORAGE - [...] By leveraging the excess storage capacity on the Altnet network, we believe, in certain storage market segments, Altnet can generate significant storage cost savings for its clients, a portion of which may be earned by Altnet as consideration for its services. DISTRIBUTED PROCESSING - [...] After the tasks are processed via individual computers, the data is transmitted back to a central server, which assembles the results. Altnet's Distributed Processing services will be marketed to companies currently in the high performance computing field, as well as the performance testing/measurement areas. [...] Altnet intends to earn a portion of the cost savings realized by its customers as consideration for its Distributed Processing services. ALTNET'S COMPETITIVE ADVANTAGE We believe that Altnet is well positioned to compete effectively with companies currently providing distributed computing services. The software necessary to operate Altnet's peer-to-peer network has been installed on tens of millions of computers worldwide, and additional computers are added with each successive download of the KaZaA Media Desktop, providing a competitive advantage over other P2P competitors that have not achieved similar success in mass distribution of their software application."
Good grief. That was the plan all along. Yet there is NOTHING saying anything like that anywhere on the KaZaA site; the linked BDE page; or the install files. The only hint is that one, vague, ambiguous paragraph within the EULA.
Complete and truthful disclosure? Obtaining informed consent? On the contrary, it's a deliberate, concerted and fraudulent plan to plant software intended for one purpose, but disguised as (only) for another, "on tens of millions of computers worldwide".
A plague of cuckoos.
1. But it's all there in clause 4(b) above.
No, it isn't. That's not informed consent by any stretch. It's misleading, ambiguous and alone amongst the entire paper/web trail. This plan was intended from the outset - where's the complete and truthful disclosure? As Steve Gibson puts it ...
"Since the goal is to inform the user, burying this information beneath a mountain of legal mumbo-jumbo, then claiming to have "informed the user", misses the mark. Legal mumbo-jumbo is not informative, it is disinformative. It obscures and intimidates rather than communicates. The goal is to produce a short set of clear statements that the user WILL WANT TO READ rather than dread."
2. But they say they'll ask users before they turn it on.
TOO LATE! They knew what they were doing all along, and deliberately misled users prior to and during installation, in order to get the cuckoos widely installed. Squawking to be fed later on is a whole separate matter.
3. But they're not actually spying - how can it be spyware?
Go back to the top of the page. In some respects 'spyware' is a misnomer - the whole point is about unauthorised (by informed consent) use of the PC. Whether or not they are actually spying (and remember that this page doesn't try to address spying by the bundled components), KaZaA (ab)used Steve Gibson's definition - their package is what they specifically claim it isn't.
4. But if, as they say, they'll ask before actually using the Altnet stuff, they haven't gained much?
They've gained privileged access to millions of eyeballs, by deception. Marketing people know how valuable such access to those eyeballs is. But valuing their gain isn't the point. Deception is deception.
5. Altnet isn't spyware - they tell everyone all about it on the Brilliant Digital site.
Now they do, now that the truth had to be disclosed in an SEC filing. But even that is by the way. KaZaA is installed on the basis of the information on its site; the links it gives on its site; and the installation program. Ordinary users shouldn't have to be investigative reporters. Steve Gibson's words again (not because he's a deity, as someone put it, but because the words make good sense) ...
"Up Front, Full, Plain Language, Disclosure When first installed and activated, the communicating software components must present a simple, tractable, accessible, bulleted explanation of the software's purpose, intent, and use of the Internet backchannel."
(Yeah, okay, we can manage without bullet formatting)
6. ... hmm ...
It's a startlingly calculated campaign of deception. A confidence trick on a massive scale.
Steve Gibson wrote that it sickened him. It sickens me too :(
Further Information : As is so often the case, Eric Howes has a great page within his amazing web site.
N.B. Update w.e.f. KaZaA version 1.7.x:
With effect from version 1.7.1 (I think, but maybe 1.7.0) KaZaA have significantly changed the install/bundle arrangements. The Altnet stuff is now a core part of KaZaA itself, rather than a core part of BDE. And guess what? BDE is no longer compulsory! It doesn't need to be, since Altnet - the central plank of KaZaA's business plan - is now built into KaZaA itself. This is not a recognition of their previous wrongdoings, only an easier way of including the Altnet stuff now that there's no longer any need to hide it within the BDE component.
But as a result, and since the Altnet stuff is now disclosed (its cover having been well and truly blown, and since they now want to use it, not just covertly plant it for future use) KaZaA's spyware activity as described above has been superseded by the fruits of that spying. Their plan worked. They planted millions of cuckoos, and now they are squawking to be fed there is no longer any point in secrecy. Crime does pay, it seems :(
Whether you still want to deal with a business which has acted so deceptively, is another matter.