The Stealth Factor~~ISP's taking over your computer

greenspun.com : LUSENET : Poole's Roost II : One Thread

The Stealth Factor
By Fred Langa, Byte.com
Feb 22, 2001 (1:42 PM)
URL: http://www.byte.com/column/BYT20010222S0006

In the dark ages of computing, when CPUs and memory were dear, many people (and projects) often time-shared a single computer: Each person or project got a tiny slice of the precious central computer's time. Today, with hundreds of millions of cheap CPUs and who-knows how many terabytes of RAM in the world, peer-to-peer (P2P) computing has turned the concept 180 degrees. Many CPUs (or even entire systems) can be shared across a network as if they were one large supercomputer. It's the technological embodiment of "e pluribus unum."

Of course, perhaps the best-known examples of P2P is the SETI@Home project which uses millions of Internet-connected PCs to help in the search for extraterrestrial intelligence. To date, almost 3 million users have contributed an aggregate of over half a million years of CPU time, that's about 7e+20 floating-point operations in all, to process data from various radiotelescopic observations.

But this column isn't about P2P per se, nor its many benefits: That's been covered excellently and in depth elsewhere on Byte.Com.

Nor is this column about the first blatant, overt example of P2P abuse -- Napster -- whose ad hoc, P2P distributed-storage technology allowed for the free and profligate distribution of copyrighted MP3 music files. (The Napster case also has been covered extensively on CMP's Techweb sites.)

Rather, this column is about a new kind of business model whereby a software vendor takes over its customers' CPUs in an aggressive and stealthy manner, and sells the aggregate computing power to third parties. The concept is so lucrative that if it succeeds in this first case, it surely will spread to other software vendors.Juno, the giant ISP with over 14 million subscribers, recently altered its Terms Of Service to include something that on the surface is a fairly standard P2P implementation: Juno will connect its subscribers' computers as an ad-hoc distributed computing network. Someone with a large computational problem will contract with Juno, which will divvy up the large problem into smaller chunks and feed it into its subscribers' PCs, which will execute this external code and send the results of the computations back to Juno. The process then repeats.

But it's the implementation that makes my neck hairs stand up, as you can see from this amazing paragraph taken from the current Juno Service Agreement (yes, it's long, but trust me, it's worth reading through it all!):

2.5. You expressly permit and authorize Juno to (i) download to your computer one or more pieces of software (the "Computational Software") designed to perform computations, which may be unrelated to the operation of the Service, on behalf of Juno (or on behalf of such third parties as may be authorized by Juno, subject to the Privacy Statement), (ii) run the Computational Software on your computer to perform and store the results of such computations, and (iii) upload such results to Juno's central computers during a subsequent connection, whether initiated by you in the course of using the Service or by the Computational Software as further described below ... you agree not to take any action to disable or interfere with the operation of ... any component of the Computational Software.

You agree that, as between you and Juno, you shall be responsible for any costs or expenses resulting from the continuous operation of your computer, including without limitation any associated charges for electricity, and that you shall have sole responsibility for any maintenance or technical issues that might result from such continuous operation.

You agree that, as between you and Juno, Juno shall have sole rights to the results of any computations performed by the Computational Software, including without limitation any revenues or intellectual property generated directly or indirectly as a result of such computations, without further compensation to you. ...[Y]ou expressly permit and authorize Juno to initiate a telephone connection from your computer to Juno's central computers using a dial-in telephone number you have previously selected for accessing the Service ... you agree that, as between you and Juno, you shall be responsible for any costs and expenses (including without limitation any applicable telephone charges) resulting from the foregoing ... You agree that you will not attempt to reverse engineer any such software, data, or other materials or transfer or disclose any such software, data, or other materials, or the results of any such computations, to any third party.

You acknowledge that your compliance with the requirements of this Section 2.5 may be considered by Juno to be an inseparable part of the Service, and that any interference with the operation of the Computational Software (including, but not limited to, any failure to leave your computer turned on at all times) may result in termination or limitation of your use of the Service. ...

In effect, Juno is saying that you must give it the right to use your PC for whatever purposes it chooses, when it chooses. You have no rights to what it does with or on your PC. You can't even try to find out what Juno's doing. You must perform these forced services at your own risk and expense. You must keep your PC on at all times in order to run Juno's calculations. If you don't leave your PC on -- say you want to perform system maintenance or just save some energy -- Juno can cancel your account. You pay for the call (if needed) to send in the results, and if Juno's software crashes your PC and eats your data, well, tough luck.

It even emphasizes its total lack of liability, even in cases where it is clearly at fault, in another part of the service agreement, done up in shouting capitals: "6.4. UNDER NO CIRCUMSTANCES (INCLUDING NEGLIGENCE AND FUNDAMENTAL BREACH) WILL JUNO OR ANYONE ELSE INVOLVED IN PROVIDING THE SERVICE OR SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES OR LOSSES FROM OR THROUGH THE USE OF OR INABILITY TO USE THE SERVICE OR THAT RESULT FROM MISTAKES, OMISSIONS, INTERRUPTIONS, DELETION OF FILES OR E-MAIL, DEFECTS, VIRUSES, DELAYS IN OPERATION OR TRANSMISSION OR ANY FAILURE OF PERFORMANCE, EVEN IF ADVISED OF THE POSSIBILITY THEREOF."

I like the part where it absolves itself of liability even in cases of negligence or fundamental breach of the agreement. It can't lose! Amazing.

If you want to read the whole thing in context, the entire agreement is posted.All this might be somewhat more palatable if it were really out in the open. But Juno's sign-up materials make no mention of any of this. If you surf into Juno's home page you'll see various come-ons for Juno 5.0; following those links takes you to a download page. But neither that page nor the "more info" link on the page mentions anything about the P2P software. Worse, you must download AND INSTALL the Juno software before you're presented with the service agreement; and of course, most people never read those long legal documents anyway.

It gets better: For all the millions of current Juno subscribers being enticed into upgrading to the new version, the current Service Agreement contains the following:

"...[Y]ou agree to accept the terms of the Agreement... as if you had signed it. Juno may change this Agreement at any time; such changes will be effective immediately upon transmission.... Each time you use the Service reaffirms your acceptance of the then-current Agreement."

And when they do post a new agreement, it includes the magic phrase: "This Agreement, the Guidelines and the Privacy Statement supersede all prior communications and agreements."

So, it's both stealthy and ironclad: Juno can post software that takes over your PC and makes it part of a P2P network over which you have no control. It can notify you of this change via paragraphs buried inside a legal document you may never see. And if you do, it doesn't matter because it's wonderfully worded so that Juno can do what it wants with your system, and yet is totally free of any liability or obligations to you if its software screws up your system in any way.

Imagine the benefits to Juno: It gets, in effect, a risk-free, low-cost supercomputer it can use for whatever purpose whatsoever. It's a potential gold mine!

Today, Juno. Tomorrow...?You might be tempted to blow this off with the thought "Hey, Juno's a free ISP, and people who use it deserve what they get."

Even if it were just Juno, with over 14 million affected subscribers, it's not a small thing.

But I think that Juno's model may prove hard for other companies to resist. Think about how many software updates you routinely install over the course of a year. Worse, think of the auto-updaters you probably use for your OS, your office suite, your anti-virus definitions. It would be incredibly simple for a software vendor to add a P2P component into its next update download. The thinking might go like this:

"Let's see. If we slip a P2P component into our next software update, adjust our Terms of Service to make it all retroactively mandatory, legal and risk-free for us, then we can build a distributed supercomputing network at our customers' risk and expense."

And you might not even know that P2P software had been installed on your system ... until your system maintenance no longer worked (because there were no idle times when it would kick in); or when your or your business' own P2P projects got derailed because something else was already sopping up all the spare CPU cycles. Then there's the extra wear and tear on the system, the electricity consumed by systems that never go into sleep mode. ... Well, you get the idea.

Good Or Evil: It's All In The Implementation Like all technologies, P2P in itself is neither good nor evil, but can be used for either or both. Projects like SETI@Home show the upside, Juno's behavior shows the dark side.

I believe that Juno may prove to be only the first of many such backdoor attempts to cobble together P2P networks that do little or nothing to benefit the people lassoed -- perhaps unwittingly -- into the network, but that offer enormous benefit to the companies setting up the stealth P2P networks.

But what's your take? Is Juno an aberration or a harbinger of something that will become more common?

You can contact Fred at fred@langa.com or via his website at http://www.langa.com.



-- Anonymous, March 15, 2001

Answers

Warning! More ISPs Follow Juno's Lead!

Remember Juno's plan to consume all the spare CPU cycles in their subscriber's PCs? (See "Peer-To-Peer's Dark Side" at http://www.byte.com/column/BYT20010222S0004 )

In that article, I said "I believe that Juno may prove to be only the first of many such backdoor attempts to cobble together P2P networks that do little or nothing to benefit the people lassoed -- perhaps unwittingly -- into the network, but that offer enormous benefit to the companies setting up the stealth P2P networks."

Well, it's already starting. LangaList reader Clarence Lowe found that out when he paid close attention to his ISP's signup page:

After reading your article on Juno's latest attempt to invade the privacy of (and not to mention lying to) of their subscribers, I guess I was on the lookout for similar "terms of service" in other isp's. Check out this one under "How it works". http://www.highstream.net/

That section states:

While online, your computer's idle capacity performs computational tasks received from our server. It's that simple. As part of the set up process, our software application is loaded on your pc. It runs in the background and does not interrupt or degrade your internet access experience in any way.

So, it seems that other ISP's are indeed doing the Juno thing and taking over their subscriber's PCs.

It probably only will get worse. It'd be wise for *everyone* to start reading the full license terms of all software, including ISP installation software, from now on.



-- Anonymous, March 15, 2001


Probably not legally enforceable.

Pizza Hut can't take over your car and deliver pizza with it just because you ate there once. Same principle here. They can't take over your phone (DSL, wireless, T1, etc) line just because you use their email or ISP service.

OTOH, it might be great fun to reverse engineer the application and figure out how to send bogus data back to Juno.

-- Anonymous, March 15, 2001


seti@home must be pretty much a bust. Signed on last July w/ my at home slowpoke and now rank in the 80th percentle of work done vs the some 3M purported others. Fad stuff. If Morbius calls I'll let you know.

-- Anonymous, March 15, 2001

I duuno before we all go off running with fear, understand the concept is not inherently evil, but this Juno type implementation is really bad IMHO.

For a better understanding of what exactly this P2P deal is about, what it can do etc. read some of this here:Saving Lives with P2P.

I think the whole problem lies in ignorance and those who think it their right to take advantage of that. This Juno situation lasts as long as a significant number of their users remain oblivious. I have no doubt that will fade as time passes.

Companies will offer software which will detect and deflect rogue P2Pers. Others will offer win-win type of business arrangements where P2P is an everyday use of one's computer.

In the meantime shutoff your computer when not being used.

-- Anonymous, March 16, 2001


Moderation questions? read the FAQ