[REVS] PCFriendly DVD Backchannel
From: support@securiteam.com
Date: 03/03/02
From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 3 Mar 2002 08:29:40 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PCFriendly DVD Backchannel
------------------------------------------------------------------------
SUMMARY
Various movie producers, including Universal, Elektra, DreamWorks, and
Paramount, add ``advanced interactive features'' to their DVD titles that
allow for additional ``content'' to be served to the client from the
Internet. As the ``PCFriendly'' application that enables this
functionality is used, the user's activity is uniquely tagged and reported
to the PCFriendly web site. Because each installation of PCFriendly is
uniquely identified with a USERID token, it is also possible for
InterActual Technologies to profile the PCFriendly system's users, including
which ``advanced feature'' DVD titles are in their collections. (Notably, this
token is passed from PCFriendly to an advertising service at NetFlix.com.)
Depending on which DVD title installs the software, this will happen with
no notice whatsoever, or with a reminder to read the PCFriendly privacy
policy that has no link or posted URI.
Additionally, many of the sites that were checked collect personal
information like name, address, and email address, but have no stated
privacy policy. Others have varying levels of disclosure about the data
collection and privacy-related practices of the sites and their operators.
It is important to note that PCFriendly is an enabling technology,
connecting the DVD content to Web content provided by the DVD producers.
It is the DVD producers and Web content developers involved who are
responsible for the privacy erosion taking place.
DETAILS
Abstract:
Numerous DVD titles from major movie producers between 1996 and 2000 come
enabled with ``PCFriendly,'' an application developed by InterActual
Technologies that tracks DVD usage. The system is designed to identify
users persistently, without using an HTTP cookie, thus bypassing any
privacy-enhancing technologies like cookie management software or browser
configurations. The identifying token is persistent through product
registration and PCFriendly use.
Normal use of popular DVD titles on computers will result in users being
identified uniquely, along with the DVDs that were used on the machine.
Privacy problems for the user are significantly exacerbated by the DVD
titles' links to Web sites, some of which have nonexistent privacy
policies and, in at least one case, send the user's email address to a
third party.
This behavior conflicts directly with the PCFriendly posted privacy policy
of December 2000. Further discussion with InterActual showed that the
policy was written to apply to the newer InterActual Player, released to
replace the PCFriendly player, for which no privacy policy existed.
PCFriendly appears to offer users granular control over which parts of the
backchannel to enable, but the controls are not obvious, and are all
enabled by default. Further, the software has been deprecated in favor of
the newer InterActual Player, which includes additional features for user
control over backchannel behavior.
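One way a defender could spot this kind of cookie-less identifier in outbound proxy logs, as an added example (not from the advisory or from InterActual): it flags any query-string value that stays constant for one client across requests and notes when it reaches more than one host. The log format, hostnames and token values are constructed, and carrying USERID as a query parameter is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy-log sample: (client, requested URL). Hosts, paths and
# token values are placeholders; USERID-in-query-string is an assumption.
SAMPLE_LOG = [
    ("10.0.0.5", "http://dvd-vendor.example/reg?USERID=A1B2C3D4E5F6&title=movie-one"),
    ("10.0.0.5", "http://dvd-vendor.example/play?USERID=A1B2C3D4E5F6&title=movie-two"),
    ("10.0.0.5", "http://ads.example/banner?USERID=A1B2C3D4E5F6&slot=3"),
    ("10.0.0.5", "http://news.example/story?id=17&page=2"),
    ("10.0.0.5", "http://news.example/story?id=18&page=2"),
    ("10.0.0.9", "http://dvd-vendor.example/play?USERID=0F9E8D7C6B5A&title=movie-one"),
]

MIN_LEN = 8  # ignore short values such as page numbers


def find_url_identifiers(log, min_requests=2):
    """Return query values that stay constant for one client across several
    requests, i.e. that behave like a tracking token carried outside cookies."""
    seen = defaultdict(lambda: {"hosts": set(), "count": 0})
    clients_per_value = defaultdict(set)
    for client, url in log:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query):
            if len(value) < MIN_LEN:
                continue
            rec = seen[(client, name, value)]
            rec["hosts"].add(parts.hostname)
            rec["count"] += 1
            clients_per_value[(name, value)].add(client)
    findings = []
    for (client, name, value), rec in seen.items():
        # A value sent by several clients is a content id, not a user id.
        unique_to_client = len(clients_per_value[(name, value)]) == 1
        if rec["count"] >= min_requests and unique_to_client:
            findings.append({
                "client": client, "param": name, "value": value,
                "hosts": sorted(rec["hosts"]),
                "cross_site": len(rec["hosts"]) > 1,  # token reaches a second host
            })
    return findings


if __name__ == "__main__":
    for finding in find_url_identifiers(SAMPLE_LOG):
        print(finding)
```
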
ADDITIONAL INFORMATION
The complete article can be downloaded from:
<http://www.interhack.net/pubs/pcfriendly/>
The information has been provided by Matt Curtin
<cmcurtin@interhack.net>.