INTERHACK  


PCFriendly Enables DVD Backchannels

Matt Curtin

February 28, 2002


Abstract:

Numerous DVD titles from major movie producers between 1996 and 2000 come enabled with ``PCFriendly,'' an application developed by InterActual Technologies that tracks DVD usage. The system is designed to identify users persistently, without using an HTTP cookie, thus bypassing any privacy-enhancing technologies like cookie management software or browser configurations. The identifying token is persistent through product registration and PCFriendly use.

Normal use of popular DVD titles on computers will result in users being identified verinymously (by real name), along with the DVDs that were used on the machine. Privacy problems for the user are significantly exacerbated by the DVD titles' links to Web sites, some of which have no privacy policy at all and, in at least one case, send the user's email address to a third party.

This behavior conflicts directly with the PCFriendly privacy policy posted in December 2000. Further discussion with InterActual showed that the policy was written to apply to the newer InterActual Player, released to replace the PCFriendly player, and that no privacy policy existed for the PCFriendly player itself.

PCFriendly appears to offer users granular control over which parts of the backchannel to enable, but the controls are not obvious, and are all enabled by default. Further, the software has been deprecated in favor of the newer InterActual Player, which includes additional features for user control over backchannel behavior.

1 Executive Summary

Various movie producers, including Universal, Elektra, Dreamworks, and Paramount, add ``advanced interactive features'' to their DVD titles that allow additional ``content'' to be served to the client from the Internet. As the ``PCFriendly'' application that enables this functionality is used, the user's activity is uniquely tagged and reported to the PCFriendly web site. Because each installation of PCFriendly is uniquely identified by a USERID token, InterActual Technologies is also able to profile PCFriendly's users, including which ``advanced feature'' DVD titles are in their collections. (Notably, this token is also passed from PCFriendly to an advertising service at NetFlix.com.) Depending on which DVD title installs the software, this happens either with no notice whatsoever or with a reminder to read the PCFriendly privacy policy that gives no link or posted URI.

Additionally, many of the sites we investigated collect personal information such as name, address, and email address, but have no stated privacy policy. Others have varying levels of disclosure about the data collection and privacy-related practices of the sites and their operators. It is important to note that PCFriendly is an enabling technology, connecting the DVD content to Web content provided by the DVD producers. It is the DVD producers and the Web content developers involved who are responsible for the privacy erosion taking place.

2 How PCFriendly Works

PCFriendly is a Microsoft Windows application created by InterActual Technologies, Inc. When a DVD title is inserted into a Windows machine, the system recognizes the PCFriendly application and starts it, alerting the user that the DVD contains ``advanced features'' which may now be used. If the user proceeds, the PCFriendly application is installed on the machine. The application includes ``channels,'' which present the user with buttons identifying various sites that can be visited. Users can then watch the content as they would any other DVD title, with the exception that they also get the ``benefit'' of a banner ad at the bottom of the viewer and some extra navigation buttons in the ``channels'' frame on the screen. Additional content might be suggested to the user (presumably in the ``channels'' window, though we do not know this for certain) based on what InterActual knows about the user, as collected through the use of PCFriendly.

2.1 Who Knows What, When

Registration data, including name, address, email address, and age, are gathered from the user. A unique ``user ID'' is created; interestingly, the number seems to be generated on the client rather than assigned by the server. Because the token lives in the installed software rather than in the browser's cookie store, clearing or blocking cookies has no effect on it. The client tests whether it is on the network with a ``ping'' (ICMP echo request) to www.pcfriendly.com. Once the echo reply returns, an HTTP connection is made to www.pcfriendly.com that alerts PCFriendly to the user's presence. The format of the connection is fairly consistent, constructed such that InterActual knows:

2.2 Types of Connections Made to InterActual

Analysis of the connections to InterActual shows that there are several consistent types of connections in the backchannel.

2.3 Types of Responses From PCFriendly/InterActual

Additionally, responses from the PCFriendly site are highly standardized.

3 Other Sites Involved in Investigation

In addition to PCFriendly and InterActual sites, PCFriendly-enabled DVDs we examined linked to other sites.

4 Conclusions

InterActual developed PCFriendly to provide additional interactive content to DVD titles. Thus, Internet connectivity is a necessity for the title to work as advertised. Analysis of the system's operation shows that little attention was given to user privacy in the system's original design. In particular:

Significantly, the newer version of the software--the InterActual Player--was designed to address privacy concerns. According to InterActual:

InterActual proactively redesigned its second-generation software to take consumer privacy into account. The InterActual Player software now works in a completely anonymous mode (no personally identifying information), gives complete disclosure of all anonymous information that is tracked, provides controls within the software to limit any data tracking, and provides links directly to the InterActual Player privacy policy for additional information.

We disagree with InterActual's use of the term ``anonymous''. To be anonymous is to have no name, but as long as users are identified uniquely, they are pseudonymous, which is to have a persistent name, but one separate from one's real life identity. Risks endured by pseudonymous users are significantly different from risks borne by anonymous users [12,10,1,4].

There are two main privacy-related failures here.

Lack of fail-safe default.
A privacy-aware system would not assign user IDs or have any profiling of user behavior by default. A safer approach would be to have the software do nothing in the backchannel by default, allowing users to enable the pieces they want [5,13].

Misunderstanding nymity.
Problems resulting from the backchannel are incorrectly understood because InterActual believes that its token is anonymous (no name), when it is in fact pseudonymous (a name, not necessarily connected to the user in other contexts), and if the user registers the product, verinymous (a real name).

These are significant shortcomings, not because InterActual intends to harm users, but because unintended side-effects with significant consequences can arise even in systems designed by competent professionals with the best of intentions [6,9,8,7,3,11,2].
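To make the nymity point concrete, the following is an added example, not code from the original report or from InterActual: a script that scans a constructed outbound HTTP log for a persistent USERID token of the kind described in section 2.1, groups requests by that token the way the token's issuer (or anyone else receiving it) could, flags hosts outside www.pcfriendly.com that receive the token, and classifies each token as pseudonymous or, once a registration request has tied a name and email address to it, verinymous. The log format, the paths check.cgi and register, the title parameter and title labels, and the host ads.example.net standing in for the third-party advertising service are all assumptions for illustration; the report does not publish the actual request format.

```python
"""Added example: profile-building from a persistent backchannel token.

Constructed data. The log format, paths, parameter names other than USERID,
title labels and the ad host are assumptions for illustration only.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

FIRST_PARTY = {"www.pcfriendly.com"}   # the backchannel host named in the report
TOKEN_PARAM = "USERID"                 # token name from the report
REGISTRATION_PATH = "/register"        # assumed path for product registration

# Constructed proxy log, one request per line: "<date> <client-ip> <method> <url>".
# Same machine on two different days, no cookies anywhere, same client-held token.
SAMPLE_LOG = """\
2001-01-30 10.0.0.5 GET http://www.pcfriendly.com/check.cgi?USERID=8f3a1c&title=TITLE-A
2001-01-30 10.0.0.5 GET http://www.pcfriendly.com/register?USERID=8f3a1c&name=J.+Doe&email=jdoe%40example.org
2001-01-30 10.0.0.5 GET http://ads.example.net/banner?USERID=8f3a1c&sz=468x60
2001-02-14 10.0.0.5 GET http://www.pcfriendly.com/check.cgi?USERID=8f3a1c&title=TITLE-B
2001-02-14 10.0.0.5 GET http://studio.example.com/extras/TITLE-B
2001-02-14 10.0.0.7 GET http://www.pcfriendly.com/check.cgi?USERID=2b77e0&title=TITLE-A
"""


def parse_log(text):
    """Split each log line into date, client, method, host, path and query parameters."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, client, method, url = line.split(maxsplit=3)
        parts = urlsplit(url)
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        records.append({"date": date, "client": client, "method": method,
                        "host": parts.hostname, "path": parts.path, "params": params})
    return records


def build_profiles(records):
    """Group requests by USERID, as the token's issuer (or anyone receiving it) could."""
    profiles = defaultdict(lambda: {"titles": set(), "dates": set(),
                                    "third_party": set(), "identity": None})
    for r in records:
        token = r["params"].get(TOKEN_PARAM)
        if token is None:
            continue  # no token on this request: not linkable by USERID
        p = profiles[token]
        p["dates"].add(r["date"])
        if r["host"] in FIRST_PARTY:
            if "title" in r["params"]:
                p["titles"].add(r["params"]["title"])  # which discs this user owns
            if r["path"] == REGISTRATION_PATH and "email" in r["params"]:
                p["identity"] = (r["params"].get("name"), r["params"]["email"])
        else:
            p["third_party"].add(r["host"])  # token sent somewhere other than the issuer
    return dict(profiles)


def nymity(profile):
    """The report's terms: a persistent token is pseudonymous; tie it to a
    real name and it becomes verinymous. Neither is anonymous."""
    return "verinymous" if profile["identity"] else "pseudonymous"


def summarize(log_text):
    """Per-token summary: nymity class, distinct days seen, titles, and leak targets."""
    summary = {}
    for token, p in build_profiles(parse_log(log_text)).items():
        summary[token] = {
            "nymity": nymity(p),
            "days_seen": len(p["dates"]),
            "titles": sorted(p["titles"]),
            "leaked_to": sorted(p["third_party"]),
        }
    return summary


if __name__ == "__main__":
    for token, s in summarize(SAMPLE_LOG).items():
        print(token, s)
```

No line of the constructed log carries a cookie: the linkage between the two dates, and between the disc collection and the registered name, comes entirely from the client-held token, which is why cookie management does nothing here. The request to studio.example.com, which carries no token, is the only one in the log that cannot be tied to a user, which is the behavior a backchannel would have to exhibit on every request before the word ``anonymous'' applied.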

5 Defenses

There are several avenues of defense available to privacy-conscious consumers.

In any case, functionality will be inhibited.

6 Caveat

This report was originally compiled on January 31, 2001, and amended in May 2001. PCFriendly's privacy policy, however, was not updated between December 2000 and February 2002. Additionally, since PCFriendly clients are installed from DVD media, older versions of the software may remain in use regardless of what newer versions have been released. Thus, our findings are as relevant in February 2002 as they were in January 2001.


7 Acknowledgment

Paul Graves and Lawrence Williams provided valuable assistance on this project.

InterActual Technologies has been clear, forthright, and prompt in its response to a draft of this article.


A. Titles Used in Investigation

Bibliography

[1] Daniel Bleichenbacher, Eran Gabber, Phillip B. Gibbons, Yossi Matias, and Alain Mayer. On secure and pseudonymous client-relationships with multiple servers. In 3rd USENIX Workshop on Electronic Commerce, page 99, Boston, Massachusetts, August 31-September 3, 1998. USENIX.

[2] Fernando J. Corbató. On building systems that will fail. Communications of the ACM, 34(9):72-81, 1991.

[3] Matt Curtin. A failure to communicate: When a privacy seal doesn't help. Technical report, Interhack Corporation, August 2000.

[4] Matt Curtin. Shibboleth: Private mailing list manager. In Proceedings of the 9th USENIX Security Symposium. USENIX Association, August 2000.

[5] Matt Curtin. Developing Trust: Online Privacy and Security. Apress, November 2001.

[6] Matt Curtin, Gary Ellison, and Doug Monroe. ``What's Related?'' Everything But Your Privacy. Technical report, The Ohio State University, Department of Computer and Information Science, October 1998.

[7] Matt Curtin, Paul Graves, and Shaun Rowland. Getting to know you (intimately): Surreptitious privacy invasion on the e-commerce web. Technical report, Interhack Corporation, July 2000.

[8] Gary Ellison, Matt Curtin, and Doug Monroe. DoubleClick Opt Out Protocol Failure == Opt In. Technical report, Interhack Corporation, May 2000.

[9] Gary Ellison, Matt Curtin, and Doug Monroe. Opting In, By Accident. Technical report, Interhack Corporation, May 2000.

[10] Ian Avrum Goldberg. A Pseudonymous Communications Infrastructure for the Internet. PhD thesis, University of California at Berkeley, 2000. [online] http://www.isaac.cs.berkeley.edu/~iang/thesis-final.pdf.

[11] Paul Graves and Matt Curtin. Bank One online puts customer account information at risk. Technical report, Interhack Corporation, October 2000.

[12] Josyula R. Rao and Pankaj Rohatgi. Can pseudonymity really guarantee privacy? In Proceedings of the 9th USENIX Security Symposium, pages 85-96. IBM T.J. Watson Research Center, USENIX Association, August 2000. [online] http://www.usenix.org/publications/library/proceedings/sec2000/rao.html.

[13] Jerome H. Saltzer and Michael D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278-1308, September 1975.
