Thread: How we classify products for detection in Spybot

  #1
    PepiMK (Member of Team Spybot)
    Join Date: Oct 2005
    Location: Planet Earth
    Posts: 3,601

    Definitions

    We put every file to be tested into FileAlyzer 2 (a new version, not yet released, that offers an iPhone app details page) and SDPhoneScan, a new scanning module from Spybot 2, which identifies half a dozen commonly used tracking/advertisement modules, with more additions pending.

    If your application uses one of these, we follow the Anti-Spyware Coalition's definition of Tracking Software and classify the application as such:
    Tracking software: Software that monitors user behavior, or gathers information about the user, sometimes including personally identifiable or other sensitive information, through an executable program.
    We then test how the user gets notified about the usage of such software, applying this ASC definition of spyware:
    In its narrow sense, Spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user.
    The key point here is that the notification has to be adequate, which a sentence in the original Apple iTunes Store EULA is not.

    Implementation

    The above classifications would mean that every single application using Tracking Software would ultimately be flagged as such, or even as Spyware; to give software authors a chance, we will divide the Tracking Software category into two parts, giving a "fair use" label to those that follow our suggestions. This part will most likely (final plans are not yet finished) not be part of the official detection updates, but will be available through OpenSBI or other downloads only.

    Arguments

    Every website receives the IP address!

    And that is why every website that shares this information with third parties should have a privacy policy informing the visitor about this, just like any iPhone application implementing third party connectivity code needs to have one.

    I understand that many users don't regard IPs as PII. An example to the contrary: universities, as early adopters of the Internet, often have huge IP ranges. Back when I was at university, students had fixed IP addresses in their dorms, and reverse DNS lookups and traceroutes clearly revealed the location through subdomains and router names. Combined with the university's phone book, such an IP address easily leads to a name.

    Anyway, websites cannot show any privacy policy before a user visits them - applications can before they transmit data!

    Why do you regard the UDID as personally identifiable?

    It's a unique number assigned to the device. Other software might - through legit and legal means - collect this information combined e.g. with real names. Which means others might be able to use it to identify a person.

    Granted, the tracking or advertisement solution in question might not pass this information to others. Still, they might be able to buy - through legal means - such information. And whether they do or not - it should be up to the owner of this information to decide whether he wants third parties to have it, and not to the software developer.

    A special difficulty on the iPhone that does not exist with browsers is the sandbox for each application. On desktop browsers, tracking is usually done by using so-called third-party cookies, which have a unique, but randomly generated, ID. The iPhone does not allow applications to easily share data, so there's no way to create and use a random ID between applications using one specific tracking or advertisement solution.

    The developer of the software states that Apple's iTunes Store EULA covers this collection and transmission!

    This might depend on local law - in Europe, the customer has to be informed about each instance that receives collected (personally identifying) data, and about the exact kind of data. Since the iTunes EULA cannot list the details for every iPhone application available, but only in basic general form, it is not sufficient here.

    Next to that, it's not a question of whether the user gets informed in some way - he needs to get informed in an appropriate way!
    Last edited by PepiMK; 2010-05-21 at 13:20.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
