Phoning home is a controversial issue for software manufacturers, developers and end-users. Phoning home refers to communication between a user’s software or hardware and the manufacturer. Certain applications may collect and store information about the end user and transmit it back “home” to the manufacturer. However, phone-home software has a number of different applications that include malicious and non-malicious uses. This article will explore various uses of phone-home software, as well as the security questions that are raised.
Applications of phone-home software
Phone-home features have been integrated into numerous software titles for reasons including:
- Anti-piracy measures
- Tracking lost/stolen hardware
- Access control
- Marketing purposes
Often, the traffic on the end-user’s network is encrypted, so it can be difficult to determine exactly what data is being transmitted back to the manufacturer.
A well-known example of phone-home software is Windows Genuine Advantage (WGA). In 2005, Microsoft launched this application as part of an anti-piracy program. The installation of the application was required if users wanted to download further Windows updates. It checked if users were working from a licensed copy of Windows XP. Should a user be running a pirated version, the user would receive notifications. Finally, if no action was taken, the user would be blocked from downloading some updates.
WGA garnered much criticism in mid-2006 as users learned that it would “phone home” on a daily basis, without informing users of this function. In response to the controversy, Microsoft made significant adjustments to the phone home activities of WGA. Once systems were validated, WGA would cease connection attempts altogether. Systems that could not be validated would be restricted from certain automatic updates, downloads, installation procedures and some program executions. Microsoft also changed its End User License Agreement (EULA) to include more explicit information regarding the WGA. The EULA presented users with the choice to accept or reject the WGA procedures.
Microsoft was not the only one receiving criticism for its phone home practices at this time. Users of Apple’s Mac OS X were also noticing network activity, which was supposedly for the purposes of verifying Dashboard widgets. According to users, Apple did not inform them of the new feature or its activities. Such activity was only determined through the use of firewalls, which informed users when the program would attempt to establish outgoing internet connections. Although it was unclear what exactly was being communicated between the client and the server, users were obviously uncomfortable with the fact that their computers were automatically checking in with Apple.
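One way a defender can surface the kind of scheduled check-in described above (the daily WGA connection, or the outbound attempts that firewall prompts revealed to Mac OS X users) is to look for outbound connections that recur at near-constant intervals. The script below is an added example, not code from the original article; its log format, process names and destination hostnames are constructed assumptions.

```python
# Added example: flag periodic "phone-home" connections in an outbound-connection log.
# The log format and every entry in LOG are constructed for illustration.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log: timestamp, local process, destination host
LOG = """\
2006-06-01T03:00:05 wgatray.exe validation.example-vendor.test
2006-06-01T09:12:44 firefox.exe news.example.test
2006-06-02T03:00:09 wgatray.exe validation.example-vendor.test
2006-06-02T11:40:02 firefox.exe mail.example.test
2006-06-03T03:00:02 wgatray.exe validation.example-vendor.test
2006-06-03T18:21:37 firefox.exe news.example.test
2006-06-04T03:00:07 wgatray.exe validation.example-vendor.test
"""

def parse_log(text):
    """Return {(process, destination): [datetime, ...]} from the log lines."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, dest = line.split()
        seen[(proc, dest)].append(datetime.fromisoformat(ts))
    return seen

def find_periodic(entries, min_events=3, max_jitter=0.05):
    """Flag (process, destination) pairs whose connection intervals are nearly
    constant. Returns {(process, destination): period_in_hours}."""
    flagged = {}
    for key, times in entries.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A low relative spread means a scheduler, not a person, drives the traffic
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg / 3600, 2)
    return flagged

if __name__ == "__main__":
    for (proc, dest), hours in find_periodic(parse_log(LOG)).items():
        print(f"{proc} -> {dest}: every {hours} h")
```

Interactive browsing (the firefox.exe lines) produces irregular gaps or too few events and is not flagged, while the validation client shows up with a 24-hour period.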
Another example of phone-home software is the iTunes MiniStore, which introduced a feature that suggested music from the iTunes Music Store based on users’ song selections. This was one of many downloadable updates from Apple. However, the EULA for iTunes did not inform users that the application would transmit information about the user’s music preferences back to Apple. With the new feature, whenever a user selected a song, iTunes connected to the internet to update the MiniStore. User information would be passed to Apple through a third party.
Although the iTunes MiniStore feature could be disabled easily enough (by closing the pane), users were enraged that their personal information was being passed through a third party without their consent. Even though this information was relatively harmless, users demanded that Apple make this feature clear and explain how it could be turned off.
Windows Activation Technologies
In February 2010, Microsoft announced a new anti-piracy initiative, referred to as Windows Activation Technologies (WAT) update KB971033 for Windows 7. This would involve an automatic phone-home procedure to Microsoft servers every ninety days. The purpose of the WAT is to ensure that users are not using pirated versions of Windows. Critics have voiced concerns regarding the repeated authentication checks. These quarterly checks would mean that systems need to meet a certain set of criteria, or be subject to restrictions, even if that same system had previously been verified.
This could result in previously verified systems being downgraded to a non-genuine level. Such systems would still be able to function normally, but users may face some annoying changes. For instance, desktop backgrounds would periodically change to black, users would only have limited access to updates, and piracy notifications would appear frequently.
The incentive for downloading and running WAT is still unclear to many users. While it may be important to identify if systems are running illegitimate versions of Windows 7, the downgrade process is largely unnecessary. Certain users may be concerned if their system is running a pirated version of Windows, which may have a chance of allowing viruses or other malware into their system. However, it may be more common that people are using legitimate copies that simply have not been authenticated yet.
While Microsoft insists that the WAT upgrade is completely voluntary, critics argue that consumers should not be tied to application manufacturers as a result of cradle-to-grave authentication processes. This sort of surveillance regime is an unacceptable intrusion on the privacy of individuals and could potentially harm a large number of innocent computer users.
Not all phone home applications receive a negative response from end-users. Certain tracking technology allows police to locate stolen computers across the world. One of the most effective types of tracking software is embedded within the BIOS of a computer’s motherboard. This software cannot be wiped or removed from the system. If the stolen computer attempts to connect to the internet, the phone home software transmits information to a monitoring center, reports the IP address and allows law enforcement officials to find its location. One such application, ComputraceOne, created by Absolute Software, claims to have helped recover over 5,000 stolen computers.
This article explores the issue of phone-home features embedded in certain software. While phone-home features are found in spyware and other forms of malware, they are also integrated in legitimate software, such as Microsoft Windows, Apple OS and other applications. The feature may be used as an anti-piracy measure, to track lost or stolen hardware, to control access or for collecting information for marketing purposes. Security issues that are raised by such a feature include lack of disclosure to users, lack of consent, scope of functionality and level of surveillance.
In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:
- Privacy concerns and the consumer perspective (II.A.a.)
- System monitoring (II.A.l.)
- Phone-home software (II.A.l.i.)
- Privacy expectations and consumer behaviors (II.B.a.)