This article by Stuart Adams appeared in Louisville Computer News September, 1999
Will your next computer come with a back door? As a matter of fact, there's some chance that the one you have already has a secret back door you're not aware of. And you thought you were a power user who at least knew all about your own hardware and software.
We're not talking about those CPU cases that have thumb screws on the back panel instead of the less convenient kind, where you have to whip out your tool case to access the insides. We're talking about the kind where the software manufacturer has inserted something in the application program code which allows it to gain access to, and some degree of control over, your computer.
AND YOU THOUGHT Y2K WAS THE ONLY "TIME BOMB" TO WORRY ABOUT
The code could be something as simple as a "time bomb" which disables software after a certain number of uses of the program or after a specific period of time. This is more and more prevalent in "shareware," so the developer can be sure you pay the minimal fee, rather than simply continuing to use the "free trial" software without paying. It is also growing in popularity with other software companies, which will disable their software, even if you bought it directly from the developer, if you do not follow through on their software registration process.
I've run afoul of this registration time bomb a couple of times, when I've installed an upgrade, typically put off registration, and then been in a time bind on a project, only to have the software lock up because I haven't gone through the online registration. In one particular instance with a Quicken® upgrade, although admittedly warned a couple of times I really should go ahead and register the upgrade, I was also having some modem problems preventing electronic registration, and suddenly couldn't use the program until I ran a major diagnostic and repair on a brand new computer.
I personally have less problem with the shareware time bomb than with the other variety. I'm notorious for buying software and upgrades, only to forget to send in the little registration card or to click "register later," when the installation process gets to the option to register electronically. It typically is a good idea to register hardware and software immediately, so you don't forget, like I often do. Registration will normally allow you smoother access to technical support, in the event of installation problems, as well as developer-initiated reminders of product updates and bug fixes. Often, you also get some type of "freebie," such as additional fonts in a word processing program, or an additional stylus for a PalmPilot type device, upon registering. The down side, however, is that you get yourself on more mailing lists, which are resold again and again, and you have left a longer trail with more data about yourself, such as passwords and other demographic or personal information you might not want to volunteer for addition to your electronic database.
On the other hand, it seems that, increasingly, even the higher end software developers rely on broad, general marketing efforts to sell upgrades, while neglecting to specifically advise registered users that a newer version is available. Even more often, you have to constantly hunt, or subscribe to one of the commercial programs or services which tracks such things, to learn of bug fixes. From my point of view, it would seem the developers would do a better job for themselves and their customers, if they did more direct marketing of both bug fixes and upgrades to their registered customers. They already have a likely high percentage sale rate on upgrades, since the customer has selected their product over the competition and presumably has an investment of time and money in their product. It would also seem that they would enhance their reputation through customer satisfaction, if they were more aggressive in advising their existing customers that actual or potential problems could now be easily fixed with a new patch or bug fix.
Building in a mechanism to allow a diagnostic to be run by the customer, or remotely by customer support, seems like a good thing on its face. As suggested in the July column, however, the passage in late July of the Uniform Computer Information Transactions Act (UCITA) by the National Conference of Commissioners on Uniform State Laws (NCCUSL), has perhaps ushered in a new era of covert vendor programming aimed directly at the end users.
THE UCITA CREEPS CLOSER
The interesting thing about the NCCUSL is that when it suggests a change in the law by producing one of its "uniform" laws, like the UCITA, it cannot make the suggestion an actual law. What does often happen, however, is that one by one, many, if not all, state legislatures begin to adopt the suggested model or "uniform" law. Sometimes, like the Uniform Commercial Code in Kentucky, "model" laws are not adopted without some changes. For the most part, when a state enacts one of them, it adopts the vast majority of it without significant alteration. For that reason, there is a substantial likelihood you will be subject to this new suggested law, within a time frame probably not exceeding one or two sessions of your local state legislature.
In the case of the UCITA, the fear by consumer groups is that its provisions, such as those allowing software vendors to insert time bombs and other devices, will allow a new level of customer vulnerability to software developers. All this comes on the eve of a new wave of technology which makes it more likely than not that, in the not too distant future, your common household appliances, like microwaves, refrigerators, burglar alarms, VCRs, and the like, will be able to "communicate" with each other and with you.
IS YOUR COMPUTER "CHEATING" ON YOU?
The question may be, are your computerized appliances "cheating" on you by calling up their "master" software developer under the guise of routine maintenance or warranty "registration," only to give "Big Brother" covert marketing data? If this sounds like I'm paranoid or had my head in the toaster oven too long, check the Internet for information on a multitude of these devices already on the market. Then compare that to the information and allegations that companies like Microsoft and Intel have already been caught red-handed using such technology to allow them to gather customer information remotely, without the customers' knowledge. (See my April column for background.)
If you still don't believe me, check out just how sophisticated your local vending machine has become. You might find that, in addition to the digital marquee scrolling across its front panel, it is already tied to a remote distribution center, by wired or wireless communications hardware and software. Fortunately you don't yet have to use your uniform debit card (containing personal information for the private, government or corporate hacker), to buy a soft drink or candy bar, but the day may come sooner than you might think, when you may leave an electronic signature almost everywhere you go.
There are a number of other potentially frightening provisions for consumers in the UCITA. Some feel that market pressure will cause the whole threat to blow over, because some vendors will not take advantage of the new license non-transferability and electronic self-help provisions, out of fear their competitors will try to court their customers away by not using such legal leverage, to prove they are more user friendly.
IF YOU THOUGHT ONLY THE SOFTWARE VENDORS WANTED TO INTRUDE...
Leave it to a lawyer to make everybody paranoid. Guess who's also in line to do more covert investigation through your computer. Yes, the Justice Department has sent a request to Capitol Hill to ask for legislation called the Electronic Security Act. This bill, which would enable law enforcement officials to obtain sealed warrants from a judge authorizing them to enter private property to install encryption override devices and look for computer passwords, would substantially increase the government access to private computers.
The legislation is supposedly a response to the use of encryption software, by terrorists and other criminals, to thwart investigators. This bill is only one of many which have been proposed to Congress, to allow government access to private data on computers. Another highly publicized bill proposes a mandate for hardware and software manufacturers to incorporate "back doors," which would allow criminal investigators to do an end run around encryption software and complex password protection. One such mechanism is the "Clipper Chip." While this type of legislation is not meeting with much support on Capitol Hill, if a surge occurs, such as that which propelled the UCITA out of an apparent early grave, such measures could become a reality.
Some serious things are going on in terms of legislation which could change the way we use computers and the degree of privacy we have. Since more and more of us are keeping our most important information on a computer, and often transmitting bits and pieces of it across the Internet, the ability to encrypt it and keep out unwanted visitors will become a much more important fulcrum in the balancing act of privacy and commerce, versus crime fighting. This country has a history of zealously guarding individual privacy. It also has a history of reacting to mass tragedies, such as recent school massacres and terrorist activities, with counter-measures which give away some of those freedoms in order to thwart more horrors. Many of the laws being proposed seem excellent. Some contain their own agendas, which may not match yours. Since they will impact you in a major way, whether you see it coming or not, you might want to watch and, perhaps, occasionally give your legislator some input.