Security researcher Steve Gibson was testing intrusion-detection software on his computer when it suddenly warned him: A program he knew nothing about was trying to send data out to the internet.

Gibson thought he was familiar with all the programs on his computer. He was wrong. An uninvited guest had hitched a ride on another application he had installed, and it was there to retrieve and display ads.

“This thing was in my computer using the internet behind my back,” said Gibson, founder of Gibson Research Corp. in Laguna Hills, Calif. “It meant my computer was no longer my own.”

Two years later, a practice Gibson termed “frightening” has only grown more common. Every week, hundreds of thousands of people download free software—and with it, third-party tools that can do strange, unexpected things to their computers. And although many of the offending companies claim they respect privacy and are not trying to deceive, mistakes happen.

That was the case for about a week earlier this month, when a free application called WeatherBug from Maryland-based AWS Inc. gave some users a promotional tool from Ebates that pitches rebates while they visit participating sites.

WeatherBug provides users with real-time weather data for their zip code when downloaded to a desktop computer. AWS also markets the application as a school fund-raising project; by promoting it within the community, schools can earn up to $2,000 if 2,000 or more members of the community download WeatherBug to their computers.

AWS stopped offering Ebates pending an internal review after being contacted by the Associated Press.

“It was an honest mistake,” said Andy Jedynak, AWS’s vice president of business development. “We have a very strict policy of making sure that all of our users understand exactly what’s happening.”

Jedynak stressed—and eSchool News has confirmed—that WeatherBug is not spyware. “This incident affected less than one tenth of one percent of our nearly 10 million WeatherBug users. It has never been our policy to install software on consumers’ computers without their permission, and we take great pains to give consumers choice and freedom of privacy,” said Jedynak. Mikko Hypponen, a security expert at F-Secure Corp. in Finland, considers “spyware” to be software that typically claims to send only anonymous data but which causes web addresses to be transmitted that sometimes contain usernames and passwords. Kyle Hutson, director of technology for Rock Creek Schools in Kansas, told eSchool News that spyware is a problem he constantly encounters in his school district.

“Currently, we just wait until somebody complains and then remove [the software], but if I were to inspect our labs now, well over half would have something of this sort installed,” Hutson said. Not only are these programs installed without permission, but they make computers sluggish, he added.

Gibson worries that these programs increase security and privacy risks.

Though many of them do no more than subject users to ads, more sophisticated applets send information about surfing habits—so an ad for allergy medication might pop up while someone checks the weather. Other programs change internet settings or the appearance of web pages.

“Publishers are starting to look for new revenue streams, and this is one really easy way,” said Kelly Green, director of the software distribution site Download.com.

As an indication of what a nuisance many users consider such tools, software that finds and removes them ranks eighth on Download.com.

Many companies have gotten better at telling users about these tag-alongs and explaining how they help keep the core products free, but critics say that’s not always enough.

“A lot of people out there will just click ‘yes’ and not bother to read [the pop-up warning box],” said Richard M. Smith, former chief technology officer for the Privacy Foundation.

In some cases, third-party software is installed unless users notice and uncheck a box, or pay a fee. In a few cases, there’s no option but to accept.

Though Smith believes few, if any, of these tools are truly malicious, he worries hackers might exploit their weaknesses. He also notes that some can cause computers to crash.

Phil Morle, director of technology at Sharman Networks, says tools bundled with its KaZaA file-sharing application, which is popular with online music-swappers, are tested for privacy and security and are easy to remove.

Since February, Brilliant Digital Entertainment has been distributing software with KaZaA designed to build a separate network for sharing files, storage capacity, and processing power.

Users can remove the Brilliant software—but only after KaZaA installs it.

Though the arrangement appears in licensing agreements that KaZaA users must accept beforehand, Brilliant’s chief executive, Kevin Bermeister, admits the software caught some by surprise.

He said the company will seek users’ permission before activating the network in about a month.

A tool for speeding downloads, Go!Zilla, carries TopText iLookup, which highlights words on regular web pages and links them to sponsors and other sites. Go!Zilla also offers the WeatherBug weather tracker, which in turn sometimes comes with advertising tools of its own.

KaZaA and fellow file-sharing application BearShare are bundled with New.net, which lets computers recognize nonstandard domain names, such as “.school.”

David Hernand, chief executive of New.net, said the partnerships his company forges are crucial for getting a critical mass of users. Without enough computers recognizing the domain names, people won’t want to buy them, he said.

Even if these programs are relatively innocuous, security researcher Gibson warns, the fact that one can slip by means something more malicious can as well.

“The technology is under the covers,” he said. “Nobody knows what’s being loaded any more.”

Links:

AWS WeatherBug
http://www.weatherbug.com/schools

F-Secure Corp.
http://www.F-Secure.com

Privacy Foundation
http://www.privacyfoundation.org

Gibson Research Corp.
http://grc.com/default.htm