<!--#include virtual="/server/html5-header.html" -->
<!-- Parent-Version: 1.96 -->
<!-- This page is derived from /server/standards/boilerplate.html -->
<!-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  Please do not edit <ul class="blurbs">!
    Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
           See explanations in /proprietary/workshop/README.md.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-->
<title>Proprietary Software
- GNU Project - Free Software Foundation</title>
 <!--#include virtual="/proprietary/po/proprietary.translist" -->
<style type="text/css" media="print,screen">
<!--
#skiplinks .button { float: left; margin: .5em; }
#skiplinks .button a { display: inline-block; }
#about-section { font-size: 1.1em; font-style: italic; }
table#TOC {
   display: block;
   max-width: 100%; width: max-content;
   overflow: auto;
   border: .2em solid #e0dfda;
   margin: 2.5em auto;
}
#TOC th, #TOC td {
   text-align: center;
   padding: .7em;
   border-collapse: collapse;
}
#TOC th {
   vertical-align: middle;
   font-size: 1.1em;
   font-weight: bold;
   background: #fffae0;
}
#TOC td {
   vertical-align: top;
}
#TOC ul { padding-top: .5em; margin: .5em 0; }
#TOC ul li { padding-bottom: .5em; margin: 0; list-style: none; margin-bottom: 1em; }
#TOC ol { margin-top: 1em; text-align: left; margin: 0; }
#TOC ol li { margin: .5em 5%; }
#TOC a, #TOC a:visited,
 #skiplinks a, #skiplinks a:visited {
   color: #004caa;
   text-decoration: none;
}
#TOC a { text-decoration: none; }
#TOC a:hover { text-decoration: underline; }
-->
</style>
<style type="text/css" media="print,screen">
  .reduced-width { width: 55em; }
</style>
<!--#include virtual="/server/banner.html" -->
<div class="reduced-width">

<h2>Proprietary Software Is Often Malware</h2>

<div id="skiplinks">
<p class="button"><a href="#TOC">Table of contents</a></p>
<p class="button"><a href="#latest">Latest additions</a></p>
</div>
<div style="clear: both"></div>

<div id="about-section">
<p>Proprietary software, also called nonfree software,
means software that doesn't
<a href="/philosophy/free-sw.html">respect users' freedom and
community</a>.  A proprietary program puts its developer or owner
<a href="/philosophy/free-software-even-more-important.html">
in a position of power over its users.</a>
This power is in itself an injustice.</p>

<p>The point of this page is that the initial injustice of proprietary
software often leads to further injustices: malicious
functionalities.</p>

<p>In this section, we also list <a
href="/proprietary/malware-mobiles.html#phone-communications">one
other malicious characteristic of mobile phones, location tracking</a>
which is caused by the underlying radio system rather than by the
specific software in them.</p>

<p>Power corrupts; the proprietary program's developer is tempted to
design the program to mistreat its users.  (Software whose functioning
mistreats the user is called <em>malware</em>.)  Of course, the
developer usually does not do this out of malice, but rather to profit
more at the users' expense.  That does not make it any less nasty or
more legitimate.</p>

<p>Yielding to that temptation has become ever more frequent; nowadays
it is standard practice.  Modern proprietary software is typically
a way to be had.</p>
<hr class="thin" />
</div>

<p>As of September, 2022, the pages in this directory list around 550
instances of malicious functionalities (with more than 670 references to
back them up), but there are surely thousands more we don't know about.</p>

<p>If you want to be notified when we add new items or make other changes,
subscribe to the <a
href="https://lists.gnu.org/mailman/listinfo/www-malware-commits">mailing list
&lt;www-malware-commits@gnu.org&gt;</a>.</p>

<table id="TOC">
 <tr>
  <th>Injustices or techniques</th>
  <th>Products or companies</th>
 </tr>
 <tr>
  <td>
   <ul class="columns">
    <li><a href="/proprietary/proprietary-addictions.html">Addictions</a></li>
    <li><a href="/proprietary/proprietary-back-doors.html">Back doors</a> (<a href="#f1">1</a>)</li>
    <li><a href="/proprietary/proprietary-censorship.html">Censorship</a></li>
    <li><a href="/proprietary/proprietary-coercion.html">Coercion</a></li>
    <li><a href="/proprietary/proprietary-coverups.html">Coverups</a></li>
    <li><a href="/proprietary/proprietary-deception.html">Deception</a></li>
    <li><a href="/proprietary/proprietary-drm.html">DRM</a> (<a href="#f2">2</a>)</li>
    <li><a href="/proprietary/proprietary-fraud.html">Fraud</a></li>
    <li><a href="/proprietary/proprietary-incompatibility.html">Incompatibility</a></li>
    <li><a href="/proprietary/proprietary-insecurity.html">Insecurity</a></li>
    <li><a href="/proprietary/proprietary-interference.html">Interference</a></li>
    <li><a href="/proprietary/proprietary-jails.html">Jails</a> (<a href="#f3">3</a>)</li>
    <li><a href="/proprietary/proprietary-manipulation.html">Manipulation</a></li>
    <li><a href="/proprietary/proprietary-obsolescence.html">Obsolescence</a></li>
    <li><a href="/proprietary/proprietary-sabotage.html">Sabotage</a></li>
    <li><a href="/proprietary/proprietary-subscriptions.html">Subscriptions</a></li>
    <li><a href="/proprietary/proprietary-surveillance.html">Surveillance</a></li>
    <li><a href="/proprietary/proprietary-tethers.html">Tethers</a> (<a href="#f4">4</a>)</li>
    <li><a href="/proprietary/proprietary-tyrants.html">Tyrants</a> (<a href="#f5">5</a>)</li>
    <li><a href="/proprietary/potential-malware.html">In the pipe</a></li>
   </ul>
  </td>
  <td>
   <ul>
    <li><a href="/proprietary/malware-appliances.html">Appliances</a></li>
    <li><a href="/proprietary/malware-cars.html">Cars</a></li>
    <li><a href="/proprietary/malware-in-online-conferencing.html">Conferencing</a></li>
    <li><a href="/proprietary/malware-edtech.html">EdTech</a></li>
    <li><a href="/proprietary/malware-games.html">Games</a></li>
    <li><a href="/proprietary/malware-mobiles.html">Mobiles</a></li>
    <li><a href="/proprietary/malware-webpages.html">Webpages</a></li>
   </ul>
   <ul>
    <li><a href="/proprietary/malware-adobe.html">Adobe</a></li>
    <li><a href="/proprietary/malware-amazon.html">Amazon</a></li>
    <li><a href="/proprietary/malware-apple.html">Apple</a></li>
    <li><a href="/proprietary/malware-google.html">Google</a></li>
    <li><a href="/proprietary/malware-microsoft.html">Microsoft</a></li>
   </ul>
  </td>
 </tr>
 <tr>
  <td colspan="2">
   <ol>
    <li id="f1"><em>Back door:</em>  any feature of a program
     that enables someone who is not supposed to be in control of the
     computer where it is installed to send it commands.</li>

    <li id="f2"><em>Digital restrictions management, or
     “DRM”:</em>  functionalities designed to restrict
     what users can do with the data in their computers.</li>

    <li id="f3"><em>Jail:</em>  system that imposes censorship on
     application programs.</li>

    <li id="f4"><em>Tether:</em>  functionality that requires
     permanent (or very frequent) connection to a server.</li>

    <li id="f5"><em>Tyrant:</em>  system that rejects any operating
     system not “authorized” by the manufacturer.</li>
   </ol>
  </td>
 </tr>
</table>

<p>Users of proprietary software are defenseless against these forms
of mistreatment.  The way to avoid them is by insisting on
<a href="/philosophy/free-software-even-more-important.html">free
(freedom-respecting) software</a>.  Since free software is controlled
by its users, they have a pretty good defense against malicious
software functionality.</p>

<h3 id="latest">Latest additions</h3>

<p style="margin-bottom: .5em">
  <!--#set var="DATE" value='<small class="date-tag">2022-07</small>'
  --><!--#echo encoding="none" var="DATE" --></p>
<p id="uefi-rootkit" class="important" style="margin-top: 0">
  <strong><a href="/proprietary/proprietary-insecurity.html#uefi-rootkit">
  UEFI makes computers vulnerable to advanced persistent threats that are almost impossible
  to detect once installed...</a></strong></p>

<ul class="blurbs">
  <li id="M202209000">
    <!--#set var="DATE" value='<small class="date-tag">2022-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a hreflang="ja"
    href="https://ja.wikipedia.org/wiki/B-CAS">B-CAS</a> <a
    href="#m1">[1]</a> is the digital restrictions management (DRM) system
    used by Japanese TV broadcasters, including state-run TV. It is sold
    by the B-CAS company, which has a de-facto monopoly on it. Initially
    intended for pay-TV, its use was extended to digital free-to-air
    broadcasting as a means to enforce restrictions on copyrighted
    works. The system encrypts works that permit free redistribution
    just like other works, thus denying users their nominal rights.</p>

    <p>On the client side, B-CAS is typically implemented by a card
    that plugs into a compatible receiver, or alternatively by a tuner
    card that plugs into a computer. Besides implementing drastic copying
    and viewing restrictions, this system gives broadcasters full power
    over users, through back doors among other means. For example:</p>

    <ul>
      <li>It can force messages to the user's TV screen, and the user
      can't turn them off.</li>

      <li>It can collect viewing information and share it with other
      companies to take surveys. Until 2011, user registration was
      required, so the viewing habits of each customer were recorded. We
      don't know whether this personal information was deleted from the
      company's servers after 2011.</li>

      <li>Each card has an ID, which enables broadcasters to force
      customer-specific updates via the back door normally used to update
      the decryption key. Thus pay-TV broadcasters can disable decryption
      of the broadcast wave if subscription fees are not paid on time.
      This feature could also be used by any broadcaster (possibly
      instructed by the government) to stop certain persons from watching
      TV.</li>

      <li>Since the software in receivers is nonfree, and tuner cards are
      designed for either Windows or MacOS, it is impossible to legally
      watch Japanese TV from the Free World.</li>

      <li>As the export of B-CAS cards is illegal, people outside Japan
      can't (officially) decrypt the satellite broadcast signal that may
      spill over to their location. They are thus deprived of a valuable
      source of information about what happens in Japan.</li>
    </ul>

    <p>These unacceptable restrictions led to a sort of cat-and-mouse
    game, with some users doing their best to bypass the system, and
    broadcasters trying to stop them without much success: cryptographic
    keys were retrieved through the back door of the B-CAS card, illegal
    cards were made and sold on the black market, as well as a tuner for
    PC that disables the copy control signal.</p>

    <p>While B-CAS cards are still in use with older equipment, modern
    high definition TVs have an even nastier version of this DRM (called
    ACAS) in a special chip that is built into the receiver. The chip
    can update its own software from the company's servers, even when
    the receiver is turned off (but still plugged into an outlet). This
    feature could be abused to disable stored TV programs that the power
    in place doesn't agree with, thus interfering with free speech.</p>

    <p>Being part of the receiver, the ACAS chip is supposed to be
    tamper-resistant. Time will tell…</p>

    <p id="m1"><small>[1] We thank the free software supporter who
    translated this article from Japanese, and shared his experience of
    B-CAS with us. (Unfortunately, the article presents DRM as a good
    thing.)</small></p>
  </li>

  <li id="M202208240">
    <!--#set var="DATE" value='<small class="date-tag">2022-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A security researcher found that the iOS in-app browser of TikTok <a
    href="https://www.theguardian.com/technology/2022/aug/24/tiktok-can-track-users-every-tap-as-they-visit-other-sites-through-ios-app-new-research-shows">
    injects keylogger-like JavaScript code into outside web pages</a>. This
    code has the ability to track all users' activities, and to
    retrieve any personal data that is entered on the pages. We have
    no way of verifying TikTok's claim that the keylogger-like code
    only serves purely technical functions. Some of the accessed data
    could well be saved to the company's servers, and even shared with
    third parties. This would open the door to extensive surveillance,
    including by the Chinese government (to which TikTok has indirect
    ties). There is also a risk that the data would be stolen by crackers,
    and used to launch malware attacks.</p>

    <p>The iOS in-app browsers of Instagram and Facebook
    behave essentially the same way as TikTok's. The main
    difference is that Instagram and Facebook allow users
    to access third-party sites with their default browser, whereas <a
    href="https://www.reddit.com/r/Tiktokhelp/comments/jlep5d/how_do_i_make_urls_open_in_my_browser_instead_of/">
    TikTok makes it nearly impossible</a>.</p>

    <p>The researcher didn't study the Android versions of in-app
    browsers, but we have no reason to assume they are safer than the
    iOS versions.</p>

    <p><small>Please note that the article wrongly refers
    to crackers as “hackers.”</small></p>
  </li>

  <li id="M202208070">
    <!--#set var="DATE" value='<small class="date-tag">2022-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some Epson printers are programmed to <a
    href="https://hardware.slashdot.org/story/22/08/07/0350244/epson-programs-some-printers-to-stop-operating-claiming-danger-of-ink-spills">
    stop working after they have printed a predetermined number
    of pages</a>, on the pretext that ink pads become saturated
    with ink. This constitutes an unacceptable infringement on
    users' freedom to use their printers as they wish, and on their <a
    href="https://fighttorepair.substack.com/p/citing-danger-of-ink-spills-epson">
    right to repair them</a>.</p>
  </li>

  <li id="M202204140">
    <!--#set var="DATE" value='<small class="date-tag">2022-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Today's “smart” TVs <a
    href="https://www.techdirt.com/2022/04/14/its-still-stupidly-ridiculously-difficult-to-buy-a-dumb-tv/">
    push people to surrender to tracking via internet</a>. Some won't work
    unless they have a chance to download nonfree software. And they are
    designed for programmed obsolescence.</p>
  </li>

  <li id="M202208290">
    <!--#set var="DATE" value='<small class="date-tag">2022-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>US states that ban abortion talk about making it a
    crime to go to another state to get an abortion.  They could <a
    href="https://www.cnn.com/2022/08/29/tech/wireless-carriers-locations-fcc/index.html">
    use various forms of location tracking, including the network,
    to prosecute abortion-seekers</a>.  The state could subpoena the
    data, so that the network's “privacy” policy would be
    irrelevant.</p>

    <p>That article explains why wireless networks collect location
    data, one unavoidable reason and one avoidable (emergency calls).
    It also explains some of the many ways the location data are
    used.</p>

    <p>Networks should never do localization for emergency calls
    except when you make an emergency call, or when there is a court order
    to do so. It should be illegal for a network to do precise localization
    (the kind needed for emergency calls) except to handle an emergency
    call, and if a network does so illegally, it should be required to
    inform the owner of the phone in writing on paper, with an apology.</p>
  </li>
</ul>
<p class="button right-align">
<a href="/proprietary/all.html">More items…</a></p>
</div>

</div><!-- for id="content", starts in the include above -->
<!--#include virtual="/server/footer.html" -->
<div id="footer" role="contentinfo">
<div class="unprintable">

<p>Please send general FSF &amp; GNU inquiries to
<a href="mailto:gnu@gnu.org">&lt;gnu@gnu.org&gt;</a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">
        &lt;web-translators@gnu.org&gt;</a>.</p>

        <p>For information on coordinating and contributing translations of
        our web pages, see <a
        href="/server/standards/README.translations.html">Translations
        README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and contributing translations
of this article.</p>
</div>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.

     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).

     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2013-2022 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by/4.0/">Creative
Commons Attribution 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2022/09/23 14:13:52 $
<!-- timestamp end -->
</p>
</div>
</div>
</div><!-- for class="inner", starts in the banner include -->
</body>
</html>