August 29th, 2007

Downloadable Coupons Come With Sneaky Extras, Researcher Says

By David Kravets
Wired

Thousands of shoppers clipping downloadable coupons from Coupons.com may be getting more than they bargained for, according to a Harvard researcher who says the site’s free software hides deceptively named tracking files on users’ PCs, and leaves them there after the software is ostensibly uninstalled.

Coupons Inc., which makes the software and runs Coupons.com, is the same Mountain View, California, firm that last month sued a Fremont, California, man for posting a program that lets consumers print as many copies of a particular coupon as they want, circumventing company limits.

That program worked by removing the remnants of Coupons Inc.’s software from a shopper’s computer. But Harvard Business School assistant professor and spyware geek Ben Edelman says in a report this week that those remnants are designed to masquerade as part of the Windows operating system.

“Coupons.com’s choice of registry keys and file names has a clear purpose and effect: to deter users from deleting the specified keys and files,” Edelman wrote. “Even among users sophisticated enough to manually delete unwanted files and registry keys, the chosen registry keys and file names look so official that removal appears unwise. The typical result is that users will elect to retain these files, mistakenly concluding that these files are part of Windows.”

Steven Boal, chief executive officer and founder of Coupons Inc., said the company was not practicing deception.

“They don’t actually look like Microsoft system files,” he said. “We certainly would never use extensions that falsely pretend to be somebody else’s extensions.”

One file that lodges in a user’s computer after the coupon-printing software is installed, Edelman said, is titled “windowShellOld.Manifest.1”. Windows includes a file called “WindowsShell.Manifest”.

Boal agreed that pieces of the coupon-downloading software remain in a user’s computer even after the uninstall program says the software has been removed. That is so coupon clippers cannot merely reinstall the program and download an unlimited number of coupons, he said.

The unique identifier left behind in computers lets Coupons Inc. track how many coupons a person prints, and cap the user at a specified number of printouts for each product.

Each coupon also has a serial number. Photocopying coupons is illegal.

John Stottlemire, who’s being sued for copyright violations under the Digital Millennium Copyright Act, continues to post the code to remove those files. He’s accused of publishing illegal circumvention software.

Many legal scholars suggest Coupons Inc. has a good case. But Stottlemire says users should be able to remove any files they want from their own computers, even if it thwarts companies like Coupons Inc. Some shareware publishers use similar techniques to allow users to test-drive software for a limited time.

“If the uninstall program removed those files, those entries, Coupons.com and others’ business model just fails,” Stottlemire said.

Edelman also says a flaw in the Coupons Inc. software would allow malicious, third-party websites to discover what coupons a visitor has downloaded, by using the ActiveX control installed with the coupon-printing software.

“The website can thereby build a rich profile of the user’s purchasing interests—despite the promise in Coupons.com’s privacy policy that such information would be distributed only to Coupons.com’s clients, ad servers and advertisers,” Edelman wrote.

Boal calls that allegation hogwash.

“That’s incorrect. It’s literally impossible,” Boal said. “I tried his instructions. It literally just doesn’t work.”

Boal added that users of the printing software never have to enter their names to make coupons.

Stottlemire said the company reconfigured its software to close the alleged security hole prior to Edelman’s report.
