How Spyware Works

In this paper, we'll briefly outline two systems that could be classified as spyware to demonstrate different methods for collecting information from users without their knowledge. In both cases, these systems perform some kind of surreptitious user tracking and then format some part of that data for reporting back to system's operator. It should be noted that there are significantly more egregious cases of spyware in use; we choose these two systems because they represent a Windows-based system that collects and reports information and a Web-based system to do the same. Other cases that we have analyzed include Spector Professoinal [5], [2], Coremetrics [7], DoubleClick [8,9], and Netscape [6].


PCFriendly is an application that shipped on numerous DVD titles between 1996 and 2000. In addition to its stated objective (providing a software-based DVD player for Windows machine), the system collected information about the user and the user's DVD collection, occasionally reporting such things back to InterActual Technologies, the maker of PCFriendly.

PCFriendly is a Windows-based application that starts when a DVD is inserted into the system's DVD player. The first time that the application starts, the user is asked for information like name, address, email address, and age. A unique identifier is assigned to the user, and the application appears to track changes over time, for example, additional DVD titles put into the system.

As of Interhack's last look at the system (in May 2002), PCFriendly was being replaced by a new system, known as InterActual Player, written to address privacy concerns, among other things.

Defenses that we identified at the time essentially meant breaking PCFriendly functionality:

  • Do not watch DVD titles on a computer. Backchannels are easy to implement on systems with Internet connectivity.
  • Upgrade to the latest InterActual Player. Privacy problems with Web-based content provided by the DVD producers (as opposed to InterActual Technologies) will not be addressed in this case, making this solution incomplete.
  • Block all access to and domains.

Note that in our second option--using the InterActual Player--only meant using newer software designed to give the user a greater number of options for protecting privacy--default behavior was still invasive.

Detailed analysis and discussion is available in the Interhack Research Technical Report, “PCFriendly Enables DVD Backchannels”. [4]


Pharmatrak was a company that provided a Web site tracking and reporting service to pharmaceutical companies. Its system works much like the Coremetrics system Interhack analyzed in 2000 [7], with two critical differences. Interhack provided forensic analysis to plaintiffs' counsel in the Pharmatrak privacy litigation. Facts regarding the operation of Pharmatrak's service are identified in court documents. [10]

The first difference was that Pharmatrak did not have JavaScript code that was designed to pull users' responses to form data out of the form and to put them into a request for a Web bug. Pharmatrak's entire collection mechanism was predicated on collecting HTTP Referer [sic], though it did go to some significant lengths to get the data--including the use of JavaScript (and even a Java applet in the earliest instance of the software).

The Pharmatrak system was designed to collect information about users of pharmaceutical companies Web sites. The users would be pseudonymously tagged, and their activity observed and reported back to the pharmaceutical company. In addition, very high-level information (such as total traffic) would be reported to other pharmaceutical companies that were Pharmatrak clients, allowing each Pharmatrak client to see not only detailed information about its site activity, but high-level information about its competitors' sites. All of this happened with the knowledge and consent of the pharmaceutical companies that hired Pharmatrak to perform the reporting service and implanted the Pharmatrak-supplied code on their sites.

This leads us to our second difference: Pharmatrak was not authorized by its clients to collect personally-identifiable information, and by all appearances, Pharmatrak did not have specific intent to collect such information. (Forensic investigation and analysis showed that they did have detailed personal information on several hundred users.)

Detailed information on the mechanisms for client and server interaction on the Pharmatrak system can be found in court documents. Interaction between Web browsers and clients and how these impact user privacy is described in detail in Developing Trust: Online Privacy and Security. [3]