Cornell University Cornell University Cornell University Office of Information Technologies

Blocking Marketscore: Why Cornell Did It

By Steve Schuster, director of IT security at Cornell University
March 31, 2005

This paper is an update to the original document that looked at the issue of spyware, Marketscore in particular, in the Cornell environment and examined the university's decision to block usage of Marketscore within the campus network. The original document is located at http://www.cit.cornell.edu/computer/security/marketscore/MktScrPaper-05feb15.html.

An accompanying technical document, An Analysis of the New Marketscore Proxy, was added to this site in April, with an addendum in June.

What is spyware?

Spyware is any technology that aids in gathering information about a person or organization without their knowledge. In the context of the Internet (where it is sometimes called a spybot or tracking software), spyware is programming that is installed on an individual's computer to secretly gather information about that individual's Internet activities and relay it to advertisers or other interested parties. Adware is software designed to distribute advertising. It is usually also thought of as spyware because it almost invariably includes components for tracking and reporting user information.

Spyware is typically installed without consent. An individual can unintentionally install it by clicking an option in a deceptive pop-up window or e-mail message or by installing software that also includes the spyware (usually hidden).

Data-collecting programs that are installed with the individual's knowledge are not, properly speaking, spyware, if the individual fully understands what data is being collected and with whom it is being shared.

What is Marketscore?

Marketscore is an application distributed by Marketscore, Inc., which is a wholly owned subsidiary of ComScore Networks, a market research company serving Fortune 500 companies and large news organizations. Marketscore is one of several so-called "research panels" that ComScore Networks operates. ComScore claims that over 2 million people are members of these panels.

Marketscore's purpose is to collect Internet usage data, which can then be used to create reports that track such activities as e-commerce sales trends, web site traffic, and online advertising campaigns.

Is Marketscore spyware?

It depends who is asked.

Marketscore, Inc., claims that Marketscore is not spyware and is leading an effort to create a new category called "researchware," which would encompass "software and other systems properly used to facilitate market research." Marketscore, Inc. spells out the details of what is collected, how it is collected, what security measures are taken, and what is done with the information in the end-user license agreement (EULA) and the privacy statement that an individual agrees to when installing the software.

However, many believe that ComScore Networks is walking a rather fine line by purporting that a very large and lengthy user agreement constitutes appropriate user notification, and may be taking advantage of the fact that very few people actually read user agreements before installing software.

The Marketscore EULA is 5 pages long and the privacy statement is another 7 pages long. It is questionable how many people actually take the time to read the full EULA and privacy statement, much less fully consider the ramifications of statements such as this one taken from the Marketscore privacy statement:

"...Marketscore's proprietary and patent pending technology allows us to see the details of secure pages while protecting such content from parties other than the site to which you are connected. We monitor the Internet connections of our users so we can not only accurately and anonymously model the browsing habits of Internet users, but also their shopping, registration, and other interactions as well.. "

Many people also believe the way in which Marketscore gets installed strengthens the case for it being considered spyware. Typically, individuals believe they are getting protection from e-mail viruses or that they are part of a group selected for a research study. The message below is an example (JDARC is a service of Marketscore, Inc.):

Dear ,

You are invited to join the JD Academic Research Council (JDARC), a select group of law students who are passively participating in ongoing Internet research. For participating in JDARC, you are eligible to receive up to $20 in cash benefits, payable as follows:

- A $10 check for registering
- A $5 check for continued membership through January 2005
- An additional $5 check for remaining active through May 2005

Register now at http://www.jdcouncil.org

JDARC is an Internet research community that confidentially and anonymously assesses Internet usage habits among law students. By aggregating this anonymous data, we are able to help companies understand the needs and interests of law students. JDARC will never sell your personal information to anyone for any reason. Please visit the web site to read our detailed privacy policy.

To join or to learn more, go to:
http://www.jdcouncil.org

Based on the practices of Marketscore seen to date such as the interception of web traffic, instant message connections and a possibility for keystroke logging, many in the Internet community consider Marketscore to be spyware.

Exactly what does Marketscore do?

Marketscore gets installed on computers when individuals sign up for a service that claims to "protect your computer from email viruses" or when they join community-specific research services. Although Marketscore openly states that its software will "provide us with information about how you and members of your household use the Internet," just how much of a person's Internet activity can be tracked by Marketscore may not be clear to many people.

This tracking includes a full inventory of the computer Marketscore is installed on, which websites are visited, what users purchase on the Internet, what type of credit card they used for the purchase, and any other information they provide when on the Internet. Information is even collected from encrypted connections that normally provide for the secure transmission of sensitive data such as credit card numbers, financial transactions, and medical records. Additionally, the Marketscore software can monitor FTP sessions, AOL Instant Messenger Sessions, and POP-based email sessions.

Unlike many other data-collecting (spyware) applications, Marketscore can gather data on all Internet connections, even those that are secured using SSL (Secure Socket Layer) through its "proprietary and patent pending technology". Further, there are some indications of a potential for user keystroke logging within the Marketscore application. It's these two functions that are causing the greatest concerns.

SSL connections are easily identified by the "https://" at the beginning of the address or by the "closed lock" icon in the bottom status bar on Internet Explorer or Netscape. SSL is the de facto standard for secure web transactions between an individual's computer and the intended destination. With Marketscore installed on a computer, the security of those transactions is jeopardized.

Normally, when an individual makes a purchase at, say, Amazon.com, SSL is used to encrypt the entire transaction, including the individual's identity, what was ordered, and the credit-card information. If Marketscore is installed on the individual's computer, the transaction is first sent through the Marketscore application that is installed on that computer, where it is decrypted so Marketscore, Inc. can see the same information that Amazon.com would and collect all information they are interested in.

Marketscore does not notify the individual that this is happening and, short of uninstalling Marketscore, the individual has no way to prevent it. Although Marketscore, Inc. goes to great lengths to safeguard the information it gathers, even earning an Ernst & Young Webtrust/Cyber Certification, the fact remains that it is a third party essentially eavesdropping on what should be private conversations.

At a more technical level, Marketscore alters an individual's computer and web browsers to act as a local proxy to capture and report on the user's Internet activities and behaviors. Marketscore performs proxy activity as well as network packet capture to obtain the information they are interested in. Additionally, if a user chooses to implement email antivirus analysis then Marketscore proxies the POP protocol to retrieve mail on behalf of the user and processes it through antivirus software on Marketscore servers before the mail is finally delivered to the user. The type of information Marketscore is interested in includes specific hardware information gathered from the computer, websites visited, instant messaging activity and FTP sessions. Once captured, this information is then sent to Marketscore for collection and analysis.

This software creates a significant risk to the confidentiality of any data which is processed by a system running the software and affects the usability of the system in negative ways. The presence of keystroke logging software, mouse-monitoring software, packet-sniffing capabilities, and SSL session hijacking all threaten to expose sensitive information to parties that should not have access to that information. This is especially dangerous in academic institutions where federal and state regulations (such as FERPA, HIPAA, and GLBA) stipulate the need for strict data controls to ensure confidentiality. The fact that the Marketscore software can make changes in the system configuration transparently affects the stability of the system. For example, when the software disables AOL's pop-up blocker, it degrades the usability of the system and could potentially affect the productivity of any users.

What is the risk to Cornell?

While individuals at Cornell certainly have a right to install and use any application for personal use, including applications such as Marketscore, Cornell is required to implement adequate mechanisms to protect the confidentiality of information such as student and employee data, medical records, and financial records.

Like many other institutions and companies, Cornell uses web-based services to update records and track federally regulated information. Cornell secures these transactions using SSL to ensure they are as safe as can be. Because Marketscore can gather and decrypt SSL traffic, allowing its use would put critical university and personal information at risk.

For example, a staff member viewing or making changes to his/her record in Employee Essentials would be providing that same information to Marketscore, Inc.. Further, the individual's NetID and password could also be compromised since that information would also be passed along through Marketscore.

In addition, there may be regulatory implications. Cornell cannot adequately ensure the privacy and proper handling of federally regulated data if it is being collected by an outside organization such as Marketscore, Inc. Cornell's policies reflecting both personal responsibilities with respect to responsible use of IT and the institutional responsibility to protect specific types of data include:

What has Cornell done to address this issue?

October 2004
Cornell began blocking all outbound connections to Marketscore to help identify those computers on which Marketscore was installed and mitigate the potential loss of sensitive information.

December 2004
Cornell changed this strategy to further protect data for users of Cornell services who were off site. This was accomplished by redirecting all web communications to or from Marketscore IP addresses to a Cornell web page [http://132.236.69.201:9980/] that describes the problem and outlines how to manually remove Marketscore.

Individuals who have Marketscore installed are redirected to that page whenever they try to visit any web page if they're connected via the Cornell network or visit any Cornell web sites if they're connected via an external Internet service provided.

This strategy did cause some confusion initially because the Cornell/Marketscore web page would occasionally appear in a banner or advertisement area of some other website, causing some individuals to believe their computers might be infected. CIT was able to tune the redirection to avoid this side effect.

March 2005
Further analysis of the Marketscore application led to the conclusion that the functionality of the Marketscore application had changed significantly enough to warrant an analysis of our solution to determine overall effectiveness and appropriateness for the Cornell user community. Changes within the Marketscore application have limited the effectiveness of the redirected web page but at the same time have made our response less disruptive to the community. Additionally, the new version of Marketscore makes it virtually impossible to identify infected systems that are not directly connected to the Cornell network thus increasing the risk of Cornell information being lost as remote users access Cornell data.

Cornell has determined that, while the response that was implemented in December is not as optimal as it had been previously due to these changes within the Marketscore application, this response is still appropriately blocking the loss of information from infected systems within our infrastructure.

Additionally, the Cornell Information Security Office has begun vulnerability scanning within the Cornell infrastructure for the purpose of identifying systems that have Marketscore installed. Upon identification, users and network administrators are notified of the issue. Common anti-spyware tools have been tested against the Marketscore software and have shown an ability to identify and remove the software with varying levels of success. Using more than one anit- spyware package seems to be the best way to remove the Marketscore software from affected systems.

For the latest information concerning Cornell's response to Marketscore, see http://www.cit.cornell.edu/computer/security/alerts/marketscore.html

For information about what other institutions are doing in response to the Marketscore threat, see http://www.educause.edu/Browse/645?PARENT_ID=741

Who is affected by the actions Cornell has taken?

Cornell has taken a fairly aggressive and comprehensive approach to protect Cornell data and the data concerning members of the Cornell community including students, faculty and staff. For those systems that are running an earlier version of the Marketscore application this approach includes computers operated within the Cornell network and those accessing Cornell resources from the Internet. What this means is that any system that appears to be proxied through the Marketscore proxy servers will redirected to the web page described above and not allowed access.

However, for those systems that are running the most current version of Marketscore this approach affects only those computers operating within the immediate Cornell network. While these actions may affect a very broad range of users (both Cornell affiliated and not), Cornell believes this is the only way to adequately protect data for the Cornell community who need to access information while living off campus, on business related travel or at home over weekends.