Re: Marketscore and Higher Ed

["David L. Wasley" <david.wasley () UCOP EDU>]

I suggest that the SALSA statement of concern (below) fails to
identify the most insidious "problem" with MarketScore: it falsifies
the only available so-called security mechanism that is in broad use
on the Internet today, SSL.  While it may be doing nothing "wrong"
with the passwords or credit card data it sees, the fact that it
isn't obvious to the user makes it a fraud, in my view.  They are
"consensual" only on the sense that the user had to do something to
allow them to be installed.

If a person uses their browser at work to access secure
business-related web sites, and MarketScore is installed, they
potentially are exposing University information to an unknown third
party without their knowledge.  After all, the browser's padlock icon
is "locked" which means (a) they've reached the web site they
intended, and (b) the information will be safe in transit - right?.
Neither is true.

We forbid use of any such software here at UCOP.  We monitor the
network for any srd/dst addresses known to be associated with such
monitoring packages.  We wish there was a better way to learn of
their existence and kill them on sight.

       David

Re:
At 3:13 PM -0500 12/23/04, Mark Poepping wrote:
> While we may argue about specific intent or technique, the consensual
> nature of these applications generally excludes them from our classifying
> them as 'spyware'.  However, the use of these applications may expose
> health, financial, or other protected or personal information to third
> parties in violation of the security policy of a campus, user, or other
> external service.  Institutions that wish to reduce the likelihood of
> these types of violations should consider some or all of the following
> techniques as they assess their own risk-mitigation
> efforts:

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.