Blocking Marketscore: Why Cornell Did It
By Steve Schuster, director of IT security at Cornell University
Feb. 15, 2005
SYNOPSIS
This paper looks at the issue of spyware, Marketscore in particular, in the Cornell environment and examines the university's decision to block usage of Marketscore within the campus network.
What is spyware?
Spyware is any technology that aids in gathering information about a person or organization without their knowledge. In the context of the Internet (where it is sometimes called a spybot or tracking software), spyware is programming that is installed on an individual's computer to secretly gather information about that individual's Internet activities and relay it to advertisers or other interested parties. Adware is software designed to distribute advertising. It is usually also thought of as spyware because it almost invariably includes components for tracking and reporting user information.
Spyware is typically installed without consent. An individual can unintentionally install it by clicking an option in a deceptive pop-up window or e-mail message, or installing software that also includes the spyware (usually hidden).
Data-collecting programs that are installed with the individual's knowledge are not, properly speaking, spyware, if the individual fully understands what data is being collected and with whom it is being shared.
What is Marketscore?
Marketscore is an application distributed by Marketscore, Inc., which is a wholly owned subsidiary of ComScore Networks, a market research company serving Fortune 500 companies and large news organizations. Marketscore is one of several so-called "research panels" that ComScore Networks operates. ComScore claims that over 2 million people are members of these panels.
Marketscore's purpose is to collect Internet usage data, which can then be used to create reports that track such activities as e-commerce sales trends, website traffic, and online advertising campaigns.
Marketscore gets installed when individuals sign up for a service that claims to speed up their Internet access and defend against e-mail viruses, or when they join community-specific research services. Although Marketscore openly states that its software will "provide us with information about how you and members of your household use the Internet," it may not be clear to many people that Marketscore tracks everything they do on the Internet.
This tracking includes which websites individuals visit, what they purchase on the Internet, what type of credit card they used for the purchase, and any other information they provide when on the Internet. Information is even collected from encrypted connections that normally provide for the secure transmission of sensitive data such as credit card numbers, financial transactions, and medical records.
Is Marketscore spyware?
It depends on who is asked.
Marketscore, Inc. claims that Marketscore is not spyware and is leading an effort to create a new category called "researchware," which would encompass "software and other systems properly used to facilitate market research." Marketscore, Inc. spells out the details of what is collected, how it is collected, what security measures are taken, and what is done with the information in the end-user license agreement (EULA) that an individual agrees to when installing the software.
However, many believe that ComScore Networks is walking a rather fine line by purporting that a lengthy user agreement constitutes appropriate user notification, and may be taking advantage of the fact that very few people actually read user agreements before installing software.
The Marketscore EULA is 5 pages long and the privacy statement is another 6 pages long. It is questionable how many people actually take the time to read the full EULA and privacy statement, much less fully consider the ramifications of statements such as this one taken from the Marketscore privacy statement:
"...Marketscore monitors all of your Internet behavior, including both the normal web browsing you perform, and also the activity you may have through secure sessions, such as when filling a shopping basket or filling out an application form that may contain personal financial and health information. Marketscore's proprietary and patent pending technology allows us to see the details of secure pages while protecting such content from parties other than the site to which you are connected. ..."
Many people also believe how Marketscore gets installed strengthens the case for it being considered spyware. Typically, individuals believe they are getting a tool that will speed up their Internet access and provide protection from e-mail viruses, or that they are part of a group selected for a research study. The message below is an example (JDARC is a service of Marketscore, Inc.):
Dear ,
You are invited to join the JD Academic Research Council (JDARC), a select group of law students who are passively participating in ongoing Internet research. For participating in JDARC, you are eligible to receive up to $20 in cash benefits, payable as follows:
- A $10 check for registering
- A $5 check for continued membership through January 2005
- An additional $5 check for remaining active through May 2005
Register now at http://www.jdcouncil.org
JDARC is an Internet research community that confidentially and anonymously assesses Internet usage habits among law students. By aggregating this anonymous data, we are able to help companies understand the needs and interests of law students. JDARC will never sell your personal information to anyone for any reason. Please visit the web site to read our detailed privacy policy.
To join or to learn more, go to:
http://www.jdcouncil.org
Based on the evidence seen to date, many in the Internet community consider Marketscore to be spyware.
Why is Marketscore a greater concern than other data-collecting applications?
Unlike many other data-collecting (spyware) applications, Marketscore gathers data on all Internet connections, even those that are secured using SSL (Secure Sockets Layer). It's this SSL aspect that is causing the greatest concern.
SSL connections are easily identified by the "https://" at the beginning of the address or by the "closed lock" icon in the bottom status bar on Internet Explorer or Netscape. SSL is the de facto standard for secure web transactions between an individual's computer and the intended destination. With Marketscore, the security of those transactions is jeopardized.
Normally, when an individual makes a purchase at, say, Amazon.com, SSL is used to encrypt the entire transaction, including the individual's identity, what was ordered, and the credit-card information. If Marketscore is installed on the individual's computer, the transaction is first sent to Marketscore, Inc.'s "proxy" servers, where it is decrypted so that Marketscore, Inc. can see the same information that Amazon.com would.
Marketscore does not notify the individual that this is happening and, short of uninstalling Marketscore, the individual has no way to prevent it. Although Marketscore, Inc. goes to great lengths to safeguard the information it gathers, even earning an Ernst & Young Webtrust/Cyber Certification, the fact remains that it is a third party essentially eavesdropping on what should be private conversations.
At a technical level, Marketscore alters an individual's computer and web browser(s) to assign a unique ID and direct the browser(s) to route traffic through Marketscore, Inc.'s server network. Marketscore, Inc. claims that this routing gives individuals faster Internet speeds because the Marketscore, Inc. network stores website addresses and caches static webpages and images for sites visited by Marketscore members, and also does data compression and optimizes response time.
What is the risk to Cornell?
While individuals at Cornell certainly have a right to install and use any application for personal use, including applications such as Marketscore, Cornell is required to implement adequate mechanisms to protect the confidentiality of information such as student and employee data, medical records, and financial records.
Like many other institutions and companies, Cornell uses web-based services to update records and track federally regulated information. Cornell secures these transactions using SSL to ensure they are as safe as can be. Because Marketscore can gather and decrypt SSL traffic, allowing its use would put critical university and personal information at risk.
For example, a staff member viewing or making changes to his/her record in Employee Essentials would be providing that same information to Marketscore, Inc. Further, the individual's NetID and password could also be compromised since that information would also be passed along through Marketscore.
In addition, there may be regulatory implications. Cornell cannot adequately ensure the privacy and proper handling of federally regulated data if it is being collected by an outside organization such as Marketscore, Inc. Cornell's policies reflecting both personal responsibilities with respect to responsible use of information technology and the institutional responsibility to protect specific types of data include:
University Policy 5.1 Responsible Use of Electronic Communications
http://www.policy.cornell.edu/CM_Images/Uploads/POL/vol5_1.html
University Policy 4.12 Data Stewardship and Custodianship
http://www.policy.cornell.edu/vol4_12.cfm
What has Cornell done to address this issue?
In October 2004, Cornell began blocking all outbound connections to Marketscore to help identify those computers on which Marketscore was installed and mitigate the potential loss of sensitive information.
In December 2004, Cornell changed this strategy to further protect data for users of Cornell services who were off site. This was accomplished by redirecting all web communications to or from Marketscore IP addresses to a Cornell webpage (http://132.236.69.201:9980/) that describes the problem and outlines how to manually remove Marketscore.
Individuals who have Marketscore installed are redirected to that page whenever they try to visit any webpage if they're connected via the Cornell network, or visit any Cornell websites if they're connected via an external Internet service provider.
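The two-direction detection the paper describes (on-campus machines sending their web traffic to the proxy network, and the proxy network fetching campus websites on behalf of off-site users) can be illustrated with a small log-analysis script. The following is an added example, not code from Cornell or CIT: it parses constructed firewall log lines, matches addresses against placeholder network ranges (the RFC 5737 documentation prefixes stand in for the proxy network and the campus network, and `NOTICE_PAGE` stands in for the removal page; none of these are the real addresses), aggregates flagged flows per source address, and states the redirect action each case calls for.

```python
"""
Added example (not Cornell's/CIT's code): flag traffic flows that transit a
third-party SSL-intercepting proxy network, in both directions described in
the paper. Every address, prefix and log line here is a constructed placeholder.
"""
import ipaddress
import re
from collections import defaultdict

# Placeholder ranges (assumptions, not the real proxy or campus networks).
PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # stands in for the proxy network
CAMPUS_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # stands in for the campus network
CAMPUS_WEB_SERVERS = {ipaddress.ip_address("203.0.113.10"),
                      ipaddress.ip_address("203.0.113.11")}
NOTICE_PAGE = "http://notice.example.invalid/"           # placeholder for the removal page

# Constructed log format: "<timestamp> <src_ip>:<port> -> <dst_ip>:<port> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def in_nets(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def parse_line(line):
    """Parse one log line into a flow dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
        "proto": m.group("proto"),
    }


def classify(flow):
    """Tag a flow by its relation to the proxy network, or None if unrelated."""
    web_port = flow["dport"] in (80, 443)
    if in_nets(flow["src"], CAMPUS_NETS) and in_nets(flow["dst"], PROXY_NETS):
        # An on-campus machine sending its web traffic to the proxy network:
        # the proxy client is installed on that machine.
        return "campus_host_proxied"
    if in_nets(flow["src"], PROXY_NETS) and flow["dst"] in CAMPUS_WEB_SERVERS and web_port:
        # The proxy network fetching a campus web server for an off-site user:
        # that user's session, including any login, transits the proxy.
        return "offsite_user_proxied"
    return None


def analyze(lines):
    """Aggregate flagged flows per source address and decide the action for each."""
    findings = defaultdict(lambda: {"count": 0, "tags": set()})
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        tag = classify(flow)
        if tag is None:
            continue
        entry = findings[str(flow["src"])]
        entry["count"] += 1
        entry["tags"].add(tag)
    report = {}
    for src, entry in findings.items():
        if "campus_host_proxied" in entry["tags"]:
            action = f"redirect all web requests from {src} to {NOTICE_PAGE}"
        else:
            action = f"redirect campus web requests arriving via {src} to {NOTICE_PAGE}"
        report[src] = {"count": entry["count"], "action": action}
    return report


# Constructed sample log: one on-campus host using the proxy, one clean host,
# one off-site user reaching a campus server through the proxy, one bad line.
SAMPLE_LOG = [
    "2005-02-15T10:00:01 203.0.113.50:51000 -> 198.51.100.7:80 tcp",
    "2005-02-15T10:00:02 203.0.113.50:51001 -> 198.51.100.7:443 tcp",
    "2005-02-15T10:00:05 203.0.113.60:51200 -> 192.0.2.5:443 tcp",
    "2005-02-15T10:01:00 198.51.100.9:44000 -> 203.0.113.10:443 tcp",
    "2005-02-15T10:01:30 198.51.100.9:44001 -> 203.0.113.10:443 tcp",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} flow(s); {info['action']}")
```

The off-site case is the one that needs the inbound view: the campus network never sees the user's own address, only the proxy's, which is why the paper's redirect has to key on traffic arriving from the proxy ranges rather than on the user's machine.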
This strategy did cause some confusion initially because the Cornell/Marketscore webpage would occasionally appear in a banner or advertisement area of some other website, causing some individuals to believe their computers might be infected. CIT was able to tune the redirection to avoid this side effect.
For the latest information concerning Cornell's response to Marketscore, see http://www.cit.cornell.edu/computer/security/alerts/marketscore.html
For information about what other institutions are doing in response to the Marketscore threat, see http://www.educause.edu/Browse/645?PARENT_ID=741
Who is affected by the actions Cornell has taken?
Cornell has taken a fairly aggressive and comprehensive approach to protect Cornell data and the data concerning members of the Cornell community, including students, faculty, and staff. This approach includes computers operated within the Cornell network as well as computers accessing Cornell resources from anywhere. In short, any computer that appears to be proxied through the Marketscore proxy servers will be redirected to the Cornell webpage described above and not allowed access to Cornell websites.
Although this action affects a very broad range of individuals (both Cornell-affiliated and not), Cornell believes this is the only way to adequately protect data for those in the Cornell community who need to access information from their residences off campus or while on business-related travel.