Marketscore Security Alert

1. What is Marketscore?
2. Privacy Issues Concerning Marketscore
3. Blocking access to Marketscore Proxies
4. Removing Marketscore Software from Your Computer
5. Background on How Marketscore Looks at Encrypted Data
6. Notes

 

1. What is Marketscore?

The Marketscore service provides Web proxy and caching for secure and non-secure Web traffic (http://www.marketscore.com), and antivirus scanning for email. This service is primarily marketed as a way for computer users to speed up Web access.


2. Privacy Issues Concerning Marketscore

Marketscore introduces an unreasonable intrusion into the secure Web communications of our users, including access to otherwise secure Web resources hosted within our network. This is not to imply that Marketscore is attempting to hide the workings of their software. To their credit they have outside auditors who verify their adherence to their privacy policies [2], though end users may want to factor in past behavior of those auditors as well [3].

Specifically:

a. UNET has an obligation to make reasonable efforts to comply with established privacy regulations, such as HIPAA for medical information, Sarbanes/Oxley Act for student information, and Gramm-Leach-Bliley for financial and customer records. Permitting the use of Marketscore software makes it more difficult for us to ensure these privacy regulations are met.

b. End users may not be aware that their sensitive data is being analyzed by a 3rd party. Though detailed in the privacy statement [1], it is only alluded to on Marketscore's homepage as an "Opportunity to influence the Internet as a member of our premier Internet research community".

c. Access to even local resources (PeopleSoft, medical records, student records, etc.) is being routed outside the network and analyzed via this third party.

d. The use of Marketscore introduces additional points during network transfer where sensitive data could be misused, or compromised by attack.

e. Marketscore's use of collected information may change over time. "Marketscore reserves the right to change the composition, operation and function of the Marketscore Network at any time and without notice or liability to you or any third party, provided that Marketscore continues to give you, our member, a reasonable commercial benefit." [1]


3. Blocking access to Marketscore Proxies

UNET is blocking access to all of Marketscore's proxy servers, which will prevent computers connected to either the UMS or MSLN networks from using this service. From outside our network, users would be able to use Marketscore, but not to access resources within our network.

Users will need to remove the Marketscore software from their computers to be able to use their Web browsers.


4. Removing Marketscore Software from Your Computer

For those who have installed Marketscore's software on their computer, instructions are available in the Members area of the Marketscore website. The software can also be removed by using Add/Remove Programs in the Control Panel, though this alone may not terminate the user agreement between the user and Marketscore. Columbia University has also posted information on how to ensure the Marketscore software is removed from your computer at http://www.columbia.edu/acis/security/howto/remove/marketscore.html


5. Background on How Marketscore Looks at Encrypted Data

Secure Web services are usually expected by the end user to be encrypted from end to end, that is, from his or her computer to a remote server. This is not the case for those using the Marketscore service.

a) The Marketscore installation process establishes a new Certificate Authority (CA) on the user's computer. The CA will validate any Marketscore certificates that are presented to the user's Web browser.

b) All Web traffic (secure and non-secure) is routed through the Marketscore proxy servers.

c) When a secure data connection is requested (e.g. bank, credit card, or online shopping), a Marketscore proxy server intercepts the certificate from the secure site and substitutes a Marketscore certificate, which the user's browser will automatically accept because of step a) above.

d) The end user sees a “lock” icon indicating a secure connection, which now represents only the connection from the user's computer to the Marketscore proxy server. Marketscore is now free to decrypt and analyze the data, then re-encrypt it with the original certificate and send it along to the final destination (bank, credit card company, etc.).
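
The substitution in steps c) and d) can be detected from the client side by comparing the issuer of the certificate a machine is actually shown with the issuer recorded from a connection known not to pass through the proxy. The following is an added example, not part of the original alert or of any Marketscore or UNET tooling; the host names, CA names and the BASELINE table are constructed for illustration.

```python
import socket
import ssl
from collections import defaultdict

# Issuer organizations recorded from a vantage point known not to use the proxy.
# Host names and CA names are constructed for illustration.
BASELINE = {
    "bank.example": "Example Public CA One",
    "shop.example": "Example Public CA Two",
}

def issuer_org(cert):
    """Pull organizationName out of the nested-tuple issuer that getpeercert() returns."""
    fields = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return fields.get("organizationName", "")

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live path: the validated leaf certificate this machine is actually shown."""
    ctx = ssl.create_default_context()  # loads the system's default trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(observed, baseline=BASELINE):
    """Return (mismatched host -> issuer seen, issuers signing for 2+ mismatched hosts)."""
    mismatches = {}
    by_issuer = defaultdict(set)
    for host, cert in observed.items():
        seen = issuer_org(cert)
        if host in baseline and seen != baseline[host]:
            mismatches[host] = seen
            by_issuer[seen].add(host)
    # One issuer vouching for unrelated sites is the signature of step c).
    shared = {ca: sorted(hosts) for ca, hosts in by_issuer.items() if len(hosts) > 1}
    return mismatches, shared

def make_cert(org):
    """Build a constructed getpeercert()-shaped dict so the check runs offline."""
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),))}

# Constructed observations: what a proxied client would see for both sites.
SAMPLE = {host: make_cert("Example Proxy CA") for host in BASELINE}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live machine, fetch_peer_cert() supplies the observations in place of SAMPLE; a single unfamiliar issuer appearing for every secure site is the indicator to look for.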


6. Notes:

[1] http://www.marketscore.com/privacy.aspx

[2] External Audit Report of Marketscore by Ernst & Young LLP
(https://cert.webtrust.org/SealFile?seal=383&file=pdf)

[3] Excerpt from Bloomberg News service posting of Apr 16, 2004, concerning the behavior of Ernst & Young LLP
(http://www.srimedia.com/artman/publish/article_816.shtml):

"Ernst & Young LLP, the third-biggest U.S. accounting firm, was barred from accepting new audit clients for six months by a U.S. Securities and Exchange Commission judge.

Ernst & Young's business venture with audit client PeopleSoft Inc. violated SEC rules that are designed to preserve the independence of audits, SEC Chief Judge Brenda Murray said in a ruling today.

Murray also ordered Ernst & Young to pay $1.7 million and required the firm to be overseen by an independent monitor.

The firm 'committed repeated violations of the auditor independence standards by conduct that was reckless, highly unreasonable and negligent,' Murray wrote in a 69-page order."


Comments or problems: noc@maine.edu

Last updated: 12/08/04