Where are the ethical boundaries defined between malware and parental control software? Recently one privacy violation resulted in litigation against a school and a complaint has been filed against a parental control software company for data mining their proxy service’s filtered content. Are we forgetting where security measures come from?
Sheepdogs: Our Oldest Security
Human civilization has raised herd animals for thousands of years. Quickly, guard dogs became the tactic of choice for security of these herds against predators and thieves. Intelligent and able to be trusted with the smallest lambs and calves, all traced their DNA lineage from wolves. Because these dogs had the same weapons as the wolves, teeth and speed of pursuit, they were the best method our ancestors had for thousands of years.
Software programming is very similar. The tools are the same for cybercriminals and legitimate software companies. Only ethics of use, referred to as ‘cyber-ethics’, determine whether a programmer is creating a legitimate product or malware designed for cybercrime.
As an example, malware known as spyware is designed to record or ‘key-log’ passwords and other online activity for transmission back to the cybercriminal. In this manner, billions of dollars annually are lost to cybercrime, most recently with the Zeus Banking Trojan.
Cybercrime as the Wolf
One threat to the family is the online predator. As Bill Maheu, former San Diego Police Chief and Qualcomm Senior Director, mentioned as a participant in ESET’s sponsored ‘Securing the Perimeter’ event:
“…Predators are no longer just in your neighborhood, they’re in your living room and on your child’s side (raises cell phone).”
The challenge comes in how to effectively parent when your children are the family network technicians. The online threat is also framed by this information quoted from Sentry Parental Controls’ website:
Did you know that over 55 Million children use the internet on a weekly basis? Did you know that 1 in 5 of those children were sexually solicited online? Did you know that only 18% of the most serious incidents were actually reported? [JET – these figures come from Sentry and are not verified.]
The disconnect between parental intent and parental technological acuity is often bridged by specialty software, sometimes referred to as the ‘network nanny’. The software offers parental control of online content through filtering. It also allows the same ‘keylogging’ of passwords and other online activity for transmission back to the parent.
One quote from Sentry Parental Controls:
“Sentry brings TIVO-like recording to parental control software. Parents can define specific times of the day they would like Sentry to record in their child’s computer activity. Once a session has been recorded, parents can stop, play, fast-forward and even rewind their child’s activity all over the Internet!”
In this manner, the value to the parent is to become aware of their child’s activities or to simply keep their living room from being invaded by those with ill intent.
But what do you do when the software you trust with your most precious resource – your family – is actually reporting all activity to others outside your household?
Sheepdogs or Wolves: Pulse, Sentry and FamilySafe
Recently this disturbing article (Web-monitoring software gathers data on kid chats) found its way to my desk:
“Software sold under the Sentry and FamilySafe brands can read private chats conducted through Yahoo, MSN, AOL and other services, and send back data on what kids are saying about such things as movies, music or video games. The information is then offered to businesses seeking ways to tailor their marketing messages to kids.”
The source company for both Sentry and FamilySafe is Echometrix, which was formerly known as SearchHelp until 2008. In a cyber-ethical conflict of interest, Echometrix also markets a product called Pulse:
“PULSE is a proprietary software engine that reads digital content from multiple sources across the web, including: instant messages (“IM”), blogs, social environment communities, forums, and chat rooms. PULSE analyzes the sentiment, and delivers the unsolicited raw conversations in real time. Pulse is the most real market research available! …We have access to an exclusive and steadily growing teen communications data pool, which guarantees authentic and unbiased teen data.”
Upon investigation, not only was this found to be true, but the opinion was voiced that the online persona actually didn’t matter:
“…Greene, the EchoMetrix CEO, said the company complies with U.S. privacy laws. “We never know the name of the kid — it’s bobby37 on the house computer,” he said.”
Cyber-Ethics Quiz Time
According to current marketing research the EchoMetrix statement is not based in fact.
In fact, the quote from Associated Press’ interview mentions that the most valuable personal data is saved: the online persona, or screen-name. Two years ago Gartner, a research firm, published a trend analysis called ‘Generation Virtual: Sell to the Online Persona, Not the Person’. Their strategic findings were summed up in two key points:
“Working with personas will provide a wealth of data for understanding intent…
By 2020, the sales and marketing of products and services to virtual personas will overtake business-to-consumer (B2C) spending on known customers.”
Bottom line: this appears to be an unethical use of children’s online data without parental awareness.
Fortunately, consumer privacy watchdog groups exist to warn parents of these types of information gathering efforts. One such group, the online rights group Electronic Privacy Information Center (EPIC), filed a complaint with the Federal Trade Commission (FTC) regarding the legality of this subscription-based malware.
EPIC alleges in their complaint that:
- The provider of this parental control software and market-intelligence technology is engaging in unfair and deceptive acts and practices and empowers the FTC to enforce this prohibition…
- Parental control software, if used for its narrow purposes as advertised, is not inherently deceptive. However, risks come with the company’s failure to disclose their practices concerning information collection, disclosure, and use…
- The failure to adequately warn users of the dangers of misusing the product or of the disclosure and use policy of gathered information is deceptive because it is likely to materially mislead consumers, causing injury to the victims of surveillance.
Is this judgment lapse intentional?
Basic criminology breaks down each crime into motive, means, and opportunity. Looking at this issue as an ethical violation, this breaks down as follows:
Motive: According to Associated Press, Echometrix happens to be $25 million in the red for this year and this strategy appears to be a hail-Mary. Gathering young adult information right now ensures that their entire online persona is stored, to be cross-referenced in the future. This would show multiple revenue streams for whoever gathered that data. More than a blatant violation of end-user trust, this shows a very significant prime motivation also shared by cybercriminals: This data is where the money is.
Means: While acting as a filter for online content and acting as a keystroke logger for parental oversight, these programs have the technical capacity to store all information which is displayed on the screen or input by the user. Because the software is built for remote access, this allows a potential for caching offsite.
Opportunity: Because the software is installed and available whenever particular users log in, the resource is readily available. Repurposing cached private data creates a future opportunity which is not cyber-ethical. In fact, matching a persona with a real name based on functions like writing style, screen name attributes, or other factors is likely to become a key marketing skill set as we approach Gartner’s 2020 scenario.
The message to the market is clear: if a company has decided to offer legitimate methods of cyber-surveillance and cyber-tracking that resemble cybercriminal malware in order to maintain parental oversight of online activity, the cyber-ethics of their activity mandate the purest of motivations. Any data gathered on minors requires an ‘opt-in’, not an ‘opt-out’, format. Most importantly, as a parent, I don’t want to have a policy changed after I’ve made the purchasing choice of parental control software.
Are There Echometrix OPSEC Concerns?
OPSEC is a military term meaning ‘OPerational SECurity’. This term is used to describe measures required by law to not compromise the safety of troops while they deploy during times of war. In October of this year, Echometrix announced that it had completed a deal with the AAFES – Army-Air Force Exchange Service:
“FamilySafe, a subsidiary of Echometrix Inc. (EHMI) has announced that it will join forces with the Army & Air Force Exchange Service (AAFES) to offer its My Military Sentry program to military personnel and their families around the globe. My Military Sentry is now available through the AAFES online site (www.aafes.com) and at military installations throughout the world.”
Because of this relationship with AAFES, the only retail channel for overseas deployed families now will carry and promote a software product known to be gathering personal data and whole conversations of minors. There’s an appalling irony here when a company with complaints of privacy violations with the Federal Trade Commission can gain military service contracts.
As a veteran I shudder to think of the ramifications of spyware installed anywhere sensitive information could be compromised by hostile forces. The horrifying thought comes to mind of any Special Forces team being called up, with ‘bobby37’ mentioning through an instant message to a friend that he or she misses daddy, providing troop movement information directly to any opposing force.
UPDATE: While reviewing this article it was determined that My Military Sentry had been quietly pulled from the online shelves last December.
Bottom Line: Sheepdog or Wolf?
The ethical dilemma is similar to a research group asking for a school-age child’s participation in a blind survey, or a medical research group asking for survey participation by parents of a child with any health issue such as asthma. The difference is that when my child participates in those surveys, absolutely no identifiable information is allowed due to California privacy laws and HIPAA respectively.
Just like any child’s medical history or scholastic history must be specifically approved, it is my belief that using a child’s online activity for any other purpose than expressed breaks the ethical agreement between the programmer and the end user.
The difference between the guard dogs and the wolves must be more tangible when it comes to anything involving my family. I will be closely following the FTC investigation of this matter.
Charles Jeter / Securing Our eCity Contributing Writer
{ 2 comments }
Pretty insightful post. Never thought that it was this simple after all. I had spent a good deal of my time looking for someone to explain this subject clearly and you’re the only one that ever did that. Kudos to you! Keep it up.
Thanks for this blog, was added to my bookmarks.