Spyware, In a Galaxy Near You

Anyone who has downloaded file-sharing software from Audio Galaxy recently may also have downloaded an insidious program that tracks your surfing, delivers pop-up ads and may even gather credit card information. By Jeffrey Benner.

The latest scandal over so-called spyware involves a mysterious and particularly insidious program that tracks your surfing, delivers pop-up ads and could even collect your credit card information.

You may not have heard of the VX2 Corporation, but if you've downloaded Audio Galaxy lately, VX2 may know a lot about you.

VX2's spyware program comes bundled with other software. Audio Galaxy, a company that makes Napster-style file-sharing software, delivered it for a short time last fall, but says it no longer does so.

The VX2 program is currently bundled with a free screensaver program from Aadcom, an Internet advertising company, and may be included in other popular file-sharing programs.

Like other spyware, the program, once installed, tracks which websites the user visits, and reports the information back to the company's servers to build a user profile. It also serves pop-up ads so they appear to be coming from websites that don't actually serve the ads.

But that's not all it does. According to VX2's own privacy policy, "VX2's software also collects some information from online forms that you fill out."

The policy statement assures users it has engineered the program not to collect sensitive data, such as credit card numbers. However, "if such data were -- despite VX2's best efforts -- ever inadvertently collected, VX2 would immediately purge such information from its database."

But that should offer little comfort, according to privacy expert Richard Smith, because there's really no way to verify what VX2 does with the data it collects.

"The privacy policy says a lot of nice things," Smith wrote in an e-mail, "but I am not sure what to believe because the company refuses to identify itself, and the e-mail address given in the privacy policy does not appear to be valid."

A similar flap arose a few weeks ago over "ClickTillUWin" spyware bundled with file-sharing programs Kazaa, BearShare and LimeWire. But VX2 may be even more dangerous.

Trying to get to the bottom of who is behind VX2, what information it collects and what it does with it is a case study in just how insecure a place the Internet can be.

The only contact information available on the company is a Hotmail address and a post office box in Las Vegas, Nevada. The address belongs to a company that specializes in setting up corporate shelters. E-mail to the Hotmail address went unanswered.

Even Audio Galaxy, which bundled VX2's software with its software for a 34-day period ending Nov. 4, 2001, said it doesn't know anything about VX2. Audio Galaxy spokesman Michael Merhej said he had never even heard of VX2 until he received an angry inquiry about it earlier this week from the editor of a website called Portal of Evil.

"We know nothing about VX2," Merhej said. The VX2 program file (called vx2.dll) was part of an advertising graphics enhancer made by the Onflow Corporation, he said. Audio Galaxy offered the Onflow program as part of its software package from Oct. 1 through Nov. 4, 2001, Merhej said. The partnership was cancelled due to unpaid bills.

How Audio Galaxy could not know what it was delivering to its customers baffled Portal of Evil editor Chet Faliszek, who described his website as "Yahoo for the strange." He published his article about VX2, Audio Galaxy and Onflow on Tuesday. He stumbled onto the issue while investigating the origin of pop-up ads that appeared to be coming from his own site -- which he knew shouldn't have pop-ups.

"I was annoyed by these pop-ups," Faliszek said. He started digging, but ran into a wall of shadows, denials and false trails. He thinks the problem of sneaky programs like VX2 is growing, and something needs to be done. "Self-policing isn't working," he said. "I hate to say we need government intervention, but something needs to be done."

But Merhej discounted Faliszek's concern as paranoia. "That Portal of Evil stuff: It was like one big conspiracy theory," he said. "There's no conspiracy, that I know of."

But VX2 remains a mystery. Merhej passed the buck for the program onto Onflow, but in a statement made to POE, Onflow also denied any involvement with VX2. "We have absolutely nothing to do with VX2," the statement read. "We have never even heard of it until today."

There was a middleman in the deal. Audio Galaxy actually received the Onflow software package through Mindset Interactive, an advertising agency. Neither Onflow nor Mindset Interactive responded to requests for comment.

There are some ways to get rid of VX2. A website called Counterexploitation is a good source of information on fighting back against spyware in general, and it has removal instructions for VX2.

One way to avoid spyware is to download Ad-Aware, a free spyware removal program.