Security researcher Steve Gibson was testing intrusion-detection software on his computer when it suddenly warned him: A program he knew nothing about was trying to send data out to the internet.
Gibson thought he was familiar with all the programs on his computer. He was wrong. An uninvited guest had hitched a ride on another application he had installed, and it was there to retrieve and display ads.
“This thing was in my computer using the internet behind my back,” said Gibson, founder of Gibson Research Corp. in Laguna Hills, Calif. “It meant my computer was no longer my own.”
Two years later, a practice Gibson termed “frightening” has only grown more common. Every week, hundreds of thousands of people download free software, and with it, third-party tools that can do strange, unexpected things to their computers, often called “spyware.” And although many of the offending companies claim they respect privacy and are not trying to deceive, mistakes happen.
That was the case for about a week in April, when a free application called WeatherBug from Maryland-based AWS Inc. gave some users a promotional tool from Ebates that pitched rebates while they visited participating sites.
WeatherBug provides users with real-time weather data for their zip code when downloaded to a desktop computer. AWS also markets the application as a school fund-raising project; by promoting it within the community, schools can earn up to $2,000 if 2,000 or more members of the community download WeatherBug to their computers.
AWS stopped offering Ebates pending an internal review after being contacted by the Associated Press.
“It was an honest mistake,” said Andy Jedynak, AWS’s vice president of business development. “We have a very strict policy of making sure that all of our users understand exactly what’s happening.”
Jedynak stressed that WeatherBug itself is not spyware. “This incident affected less than one tenth of one percent of our nearly 10 million WeatherBug users. It has never been our policy to install software on consumers’ computers without their permission, and we take great pains to give consumers choice and freedom of privacy,” he said.
Kyle Hutson, director of technology for Rock Creek Schools in Kansas, told eSchool News that spyware is a problem he constantly encounters in his school district.
“Currently, we just wait until somebody complains and then remove [the software], but if I were to inspect our labs now, well over half would have something of this sort installed,” Hutson said. Not only are these programs installed without permission, but they make computers sluggish, he added.
Though many of them do no more than subject users to ads, more sophisticated applets send information about surfing habits, so an ad for allergy medication might pop up while someone checks the weather. Other programs change internet settings or the appearance of web pages.
“Publishers are starting to look for new revenue streams, and this is one really easy way,” said Kelly Green, director of the software distribution site Download.com.
As an indication of what a nuisance many users consider such tools, software that finds and removes them ranks eighth on Download.com.
Many companies have gotten better at telling users about these tag-alongs and explaining how they help keep the core products free, but critics say that’s not always enough.
“A lot of people out there will just click ‘yes’ and not bother to read [the pop-up warning box],” said Richard M. Smith, former chief technology officer for the Privacy Foundation.
In some cases, third-party software is installed unless users notice and uncheck a box, or pay a fee. In a few cases, there’s no option but to accept.
Even if these programs are relatively innocuous, security researcher Gibson warns, the fact that one can slip by means something more malicious can as well.
“The technology is under the covers,” he said. “Nobody knows what’s being loaded any more.”