By Bob Sullivan Technology correspondent
msnbc.com
updated 4/20/2005 3:13:40 PM ET 2005-04-20T19:13:40

It's just a small download, promoted as a free antivirus program. But the software is really designed to sit silently on consumers' computers, watch everything they do online, and send the critical data back to the program’s creator. The program has swept the Internet in the last year, with millions of people downloading it.

The newest spyware? Nope. Welcome to the Internet's newest marketing tool, "researchware." 

Consider it spyware's above-board, distant relative. Unlike spyware, researchware makes its purpose clear when downloaded by consumers. Its intent is not to trick people into receiving annoying pop-up advertisements, but rather, to gather legitimate market research data. And it's easy to uninstall, unlike spyware, which is as hard to shake as a bad cold in winter.

Still, not everyone is comfortable with researchware. Privacy advocates wonder if consumers really know what they are doing when they consent to use it. And security-conscious firms say re-transmitting all that Internet traffic — which can include personal financial information — poses a big risk.

Company: It's not spyware
The term "researchware" was invented by the field's pioneer, comScore Networks, to distinguish its Marketscore program from spyware software, to which it had been compared. Marketscore is available as a free download directly from a comScore Web site and from Internet affiliates.

MarketScore entices volunteers by offering protection from computer viruses. In the past, using the name Netsetter, comScore software promised faster Internet connections. In both cases, by downloading the software consumers grant comScore permission to redirect all their Internet traffic through the company's servers. ComScore then studies the traffic to develop powerful market research the firm later sells.

Video: Searching the past Marketscore has about 1 million U.S. users and another 1 million users overseas, the company said.

“There are responsible ways for companies to gather information about your online preferences,” said Chris Lin, chief privacy officer of ComScore. She compared MarketScore to the television audience research firm Nielsen, which watches the viewing habits of volunteers.

Nielsen, Forrester Research, and Compete Inc. all collect information from Internet users that voluntarily join a panel for research purposes — though none of those firms use the term "researchware" to describe their work. (Nielsen//NetRatings provides user data to MSNBC.com.)

“This is no different than what a lot of other market research companies are doing," Lin said.

Banks cut off researchware users
Not everyone agrees. Security professionals say ComScore dangerously slurps up all manner of personal information, including passwords for online banking services. Several financial institutions have complained about the service, and last month, major banks in New Zealand announced they would no longer do business with consumers who have installed Marketscore.

A fraud official for one of Canada's largest banks who asked not to be identified told MSNBC.com that his firm had recently begun to reject all traffic flowing through Marketscore servers.

“I think people who download the software don't fully understand how much information is going to be collected,” said Larry Ponemon, director of the research firm The Ponemon Institute.

“They tell you it's a value for value exchange.  But as a rational human being, how much would you have to be compensated to take this risk? Their data is incredibly valuable. And there are risks that haven't really been thought about.”

ComScore carefully controls those risks, Lin said. The company’s research data has never been stolen, she said, and the firm regularly submits to outside audits of its privacy and other procedures.

ComScore also goes to great pains to avoid storing critical, personal data, she said. “If identifying information exists, we either ignore it or scrub it,” Lin said.  “We destroy pieces of key numbers and data elements that we think are highly sensitive and that possession of would create a potential vulnerability.”

Detected by anti-spyware software
ComScore's explanations haven’t satisfied everyone.  Along with bank offering online services, several universities have also cried foul at Marketscore. The University of Toronto issued a warning to students earlier this year about the service, claiming it can actually peek inside secure transactions, creating a risk that sensitive data can be stolen, even if the user believes the data is being transmitted in encrypted form.

"They have unencrypted access to their users' secure transaction information. If your computer has Marketscore software installed, all your SSL secured transactions — banking, purchasing, passwords or personal record access information is available unencrypted to the Marketscore organization," the university says on its Web site.

The firm must decrypt the information to find what's there and conduct its research, the school claims.

ComScore officials said the sensitive data is never at risk.

"We establish two secure communications. One with you, and one with the bank," Lin said.

Anti-spyware firms confused
Antivirus firms and other companies that sell anti-spyware products don’t quite know how to treat researchware. Symantec, for example, designates the program as spyware on its Web site.

Symantec spokesman David Cole refused to comment on Marketscore. He did say the antivirus industry was considering a new designation for researchware products. Computer Associates already has done so -- it calls Marketscore "trackware."

“The landscape is changing very quickly. We’re talking to other vendors about this,” Symantec's Cole said. “It’s a really challenging environment right now.”

That’s why ComScore created the term researchware, Lin said.  She believes one critical distinction between malicious spyware and honest researchware is the ease of removal. 

“There is a dramatic difference between software that obtains your consent and software that doesn’t. We wanted to create a distinction between software that is out there tracking you, popping up ads without your knowledge, and software that conscientiously obtains consent,” she said. 

The marketing industry doesn’t know what to make of researchware yet, either.  Dwayne Berlin, general counsel of The Council of American Survey Research Organizations, said his organization has yet to take a position on the software.

“There's no official meaning to the term. ... It's really something we're in the process of learning about ourselves,” he said. “Observational research is extremely legitimate. But we need to make sure industry codes fit the new methods.”

Powerful research tool
Not only is observational research legitimate, it is powerful, all sides agree.  Thanks to MarketScore, ComScore can provide incredibly detailed consumer research to its clients, which ironically include online banks. In traditional surveys, filled out by consumers on their own, people tend to distort and mis-report their behavior and preferences. MarketScore allows researchers to watch consumers in their native environments, making real-life choices. 

The firm isn’t interested in the personal data, Lin said.  Instead, it wants to observe usage trends.

“The fact that you are online banking, for example,” she said, “And are you interested in mortgages or are you interested in bill pay? Which services do you find useful? Are you going to just take a look at the account or are you really going to do something active?”

But even absent security issues, privacy advocates wonder if it’s possible for consumers to make an informed choice when they elect to trade so much information for a small benefit like faster Internet service or virus protection.

“I would claim that even the most interested and informed individual cannot forecast the implications of this deal,” said Alessandro Acquisti, a professor at Carnegie Mellon University who studies the economics of privacy.

“This is why: Customers are entering a contract in which they are selling away their future behavior and information without knowing in advance what that behavior and that information will be ... They cannot predict what kind of information will be gathered, how it will be used, and therefore how valuable it may be, or how damaging it could be to the customer.”

© 2013 msnbc.com Reprints

Discuss:

Discussion comments

,

Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments