<!--#include virtual="/server/html5-header.html" -->
<!-- Parent-Version: 1.96 -->
<!-- This page is derived from /server/standards/boilerplate.html -->
<!-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  Please do not edit <ul class="blurbs">!
    Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
           See explanations in /proprietary/workshop/README.md.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-->
<title>Proprietary Software
- GNU Project - Free Software Foundation</title>
 <!--#include virtual="/proprietary/po/proprietary.translist" -->
<style type="text/css" media="print,screen">
<!--
#skiplinks .button { float: left; margin: .5em; }
#skiplinks .button a { display: inline-block; }
#about-section { font-size: 1.1em; font-style: italic; }
table#TOC {
   display: block;
   max-width: 100%; width: max-content;
   overflow: auto;
   border: .2em solid #e0dfda;
   margin: 2.5em auto;
}
#TOC th, #TOC td {
   text-align: center;
   padding: .7em;
   border-collapse: collapse;
}
#TOC th {
   vertical-align: middle;
   font-size: 1.1em;
   font-weight: bold;
   background: #fffae0;
}
#TOC td {
   vertical-align: top;
}
#TOC ul { padding-top: .5em; margin: 0; }
#TOC ul li { padding-bottom: .5em; margin: 0; list-style: none; }
#TOC ol { text-align: left; margin: 0; }
#TOC ol li { margin: .5em 5%; }
#TOC a, #TOC a:visited,
 #skiplinks a, #skiplinks a:visited {
   color: #004caa;
   text-decoration: none;
}
#TOC a { text-decoration: none; }
#TOC a:hover { text-decoration: underline; }
-->
</style>
<style type="text/css" media="print,screen">
  .reduced-width { width: 55em; }
</style>
<!--#include virtual="/server/banner.html" -->
<div class="reduced-width">

<h2>Proprietary Software Is Often Malware</h2>

<div id="skiplinks">
<p class="button"><a href="#TOC">Table of contents</a></p>
<p class="button"><a href="#latest">Latest additions</a></p>
</div>
<div style="clear: both"></div>

<div id="about-section">
<p>Proprietary software, also called nonfree software,
means software that doesn't
<a href="/philosophy/free-sw.html">respect users' freedom and
community</a>.  A proprietary program puts its developer or owner
<a href="/philosophy/free-software-even-more-important.html">
in a position of power over its users.</a>
This power is in itself an injustice.</p>

<p>The point of this page is that the initial injustice of proprietary
software often leads to further injustices: malicious
functionalities.</p>

<p>In this section, we also list <a
href="/proprietary/malware-mobiles.html#phone-communications">one
other malicious characteristic of mobile phones, location tracking</a>
which is caused by the underlying radio system rather than by the
specific software in them.</p>

<p>Power corrupts; the proprietary program's developer is tempted to
design the program to mistreat its users.  (Software whose functioning
mistreats the user is called <em>malware</em>.)  Of course, the
developer usually does not do this out of malice, but rather to profit
more at the users' expense.  That does not make it any less nasty or
more legitimate.</p>

<p>Yielding to that temptation has become ever more frequent; nowadays
it is standard practice.  Modern proprietary software is typically
a way to be had.</p>
<hr class="thin" />
</div>

<p>As of December, 2021, September, 2022, the pages in this directory list around 550
instances of malicious functionalities (with more than 630 670 references to
back them up), but there are surely thousands more we don't know about.</p>

<p>If you want to be notified when we add new items or make other changes,
subscribe to the <a
href="https://lists.gnu.org/mailman/listinfo/www-malware-commits">mailing list
<www-malware-commits@gnu.org></a>.</p>

<table id="TOC">
 <tr>
  <th>Injustices or techniques</th>
  <th>Products or companies</th>
 </tr>
 <tr>
  <td>
   <ul class="columns">
    <li><a href="/proprietary/proprietary-addictions.html">Addictions</a></li>
    <li><a href="/proprietary/proprietary-back-doors.html">Back doors</a> (<a href="#f1">1</a>)</li>
    <li><a href="/proprietary/proprietary-censorship.html">Censorship</a></li>
    <li><a href="/proprietary/proprietary-coercion.html">Coercion</a></li>
    <li><a href="/proprietary/proprietary-coverups.html">Coverups</a></li>
    <li><a href="/proprietary/proprietary-deception.html">Deception</a></li>
    <li><a href="/proprietary/proprietary-drm.html">DRM</a> (<a href="#f2">2</a>)</li>
    <li><a href="/proprietary/proprietary-fraud.html">Fraud</a></li>
    <li><a href="/proprietary/proprietary-incompatibility.html">Incompatibility</a></li>
    <li><a href="/proprietary/proprietary-insecurity.html">Insecurity</a></li>
    <li><a href="/proprietary/proprietary-interference.html">Interference</a></li>
    <li><a href="/proprietary/proprietary-jails.html">Jails</a> (<a href="#f3">3</a>)</li>
    <li><a href="/proprietary/proprietary-manipulation.html">Manipulation</a></li>
    <li><a href="/proprietary/proprietary-obsolescence.html">Obsolescence</a></li>
    <li><a href="/proprietary/proprietary-sabotage.html">Sabotage</a></li>
    <li><a href="/proprietary/proprietary-subscriptions.html">Subscriptions</a></li>
    <li><a href="/proprietary/proprietary-surveillance.html">Surveillance</a></li>
    <li><a href="/proprietary/proprietary-tethers.html">Tethers</a> (<a href="#f4">4</a>)</li>
    <li><a href="/proprietary/proprietary-tyrants.html">Tyrants</a> (<a href="#f5">5</a>)</li>
    <li><a href="/proprietary/potential-malware.html">In the pipe</a></li>
   </ul>
  </td>
  <td>
   <ul>
    <li><a href="/proprietary/malware-appliances.html">Appliances</a></li>
    <li><a href="/proprietary/malware-cars.html">Cars</a></li>
    <li><a href="/proprietary/malware-in-online-conferencing.html">Conferencing</a></li>
    <li><a href="/proprietary/malware-edtech.html">Ed Tech</a></li> href="/proprietary/malware-edtech.html">EdTech</a></li>
    <li><a href="/proprietary/malware-games.html">Games</a></li>
    <li><a href="/proprietary/malware-mobiles.html">Mobiles</a></li>
    <li><a href="/proprietary/malware-webpages.html">Webpages</a></li>
    
   </ul>
   <ul>
    <li><a href="/proprietary/malware-adobe.html">Adobe</a></li>
    <li><a href="/proprietary/malware-amazon.html">Amazon</a></li>
    <li><a href="/proprietary/malware-apple.html">Apple</a></li>
    <li><a href="/proprietary/malware-google.html">Google</a></li>
    <li><a href="/proprietary/malware-microsoft.html">Microsoft</a></li>
   </ul>
  </td>
 </tr>
 <tr>
  <td colspan="2">
   <ol>
    <li id="f1"><em>Back door:</em>  any feature of a program
     that enables someone who is not supposed to be in control of the
     computer where it is installed to send it commands.</li>

    <li id="f2"><em>Digital restrictions management, or
     “DRM”:</em>  functionalities designed to restrict
     what users can do with the data in their computers.</li>

    <li id="f3"><em>Jail:</em>  system that imposes censorship on
     application programs.</li>

    <li id="f4"><em>Tether:</em>  functionality that requires
     permanent (or very frequent) connection to a server.</li>

    <li id="f5"><em>Tyrant:</em>  system that rejects any operating
     system not “authorized” by the manufacturer.</li>
   </ol>
  </td>
 </tr>
</table>

<p>Users of proprietary software are defenseless against these forms
of mistreatment.  The way to avoid them is by insisting on
<a href="/philosophy/free-software-even-more-important.html">free
(freedom-respecting) software</a>.  Since free software is controlled
by its users, they have a pretty good defense against malicious
software functionality.</p>

<h3 id="latest">Latest additions</h3>

<p style="margin-bottom: .5em">
  <!--#set var="DATE" value='<small class="date-tag">2022-07</small>'
  --><!--#echo encoding="none" var="DATE" --></p>
<p id="uefi-rootkit" class="important" style="margin-top: 0">
  <strong><a href="/proprietary/proprietary-insecurity.html#uefi-rootkit">
  UEFI makes computers vulnerable to advanced persistent threats that are almost impossible
  to detect once installed...</a></strong></p>

<ul class="blurbs">
  <li id="M202111201"> id="M202209000">
    <!--#set var="DATE" value='<small class="date-tag">2021-11</small>' class="date-tag">2022-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>NordicTrack,
    <p><a hreflang="ja"
    href="https://ja.wikipedia.org/wiki/B-CAS">B-CAS</a> <a
    href="#m1">[1]</a> is the digital restrictions management (DRM) system
    used by Japanese TV broadcasters, including state-run TV. It is sold
    by the B-CAS company, which has a de-facto monopoly on it. Initially
    intended for pay-TV, its use was extended to digital free-to-air
    broadcasting as a company means to enforce restrictions on copyrighted
    works. The system encrypts works that sells
    exercise machines with ability permit free redistribution
    just like other works, thus denying users their nominal rights.</p>

    <p>On the client side, B-CAS is typically implemented by a card
    that plugs into a compatible receiver, or alternatively by a tuner
    card that plugs into a computer. Beside implementing drastic copying
    and viewing restrictions, this system gives broadcasters full power
    over users, through back doors among other means. For example:</p>

    <ul>
      <li>It can force messages to show videos <a
    href="https://arstechnica.com/information-technology/2021/11/locked-out-of-god-mode-runners-are-hacking-their-treadmills/">limits
    what people the user's TV screen, and the user
      can't turn them off.</li>

      <li>It can watch, collect viewing information and recently disabled a feature</a> that share it with other
      companies to take surveys. Until 2011, user registration was
    originally functional. This happened through automatic
      required, so the viewing habits of each customer were recorded. We
      don't know whether this personal information was deleted from the
      company's servers after 2011.</li>

      <li>Each card has an ID, which enables broadcasters to force
      customer-specific updates via the back door normally used to update
      the decryption key. Thus pay-TV broadcasters can disable decryption
      of the broadcast wave if subscription fees are not paid on time.
      This feature could also be used by any broadcaster (possibly
      instructed by the government) to stop certain persons from watching
      TV.</li>

      <li>Since the software in receivers is nonfree, and
    probably involved tuner cards are
      designed for either Windows or MacOS, it is impossible to legally
      watch Japanese TV from the Free World.</li>

      <li>As the export of B-CAS cards is illegal, people outside Japan
      can't (officially) decrypt the satellite broadcast signal that may
      spill over to their location. They are thus deprived of a universal back door.</p>
  </li>

  <li id="M202111200">
    <!--#set var="DATE" value='<small class="date-tag">2021-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Hundreds valuable
      source of Tesla drivers <a
    href="https://www.theguardian.com/technology/2021/nov/20/tesla-app-outage-elon-musk-apologises">were
    locked out information about what happens in Japan.</li>
    </ul>

    <p>These unacceptable restrictions led to a sort of cat-and-mouse
    game, with some users doing their cars best to bypass the system, and
    broadcasters trying to stop them without much success: cryptographic
    keys were retrieved through the back door of the B-CAS card, illegal
    cards were made and sold on the black market, as well as a result tuner for
    PC that disables the copy control signal.</p>

    <p>While B-CAS cards are still in use with older equipment, modern
    high definition TVs have an even nastier version of Tesla's app suffering this DRM (called
    ACAS) in a special chip that is built into the receiver. The chip
    can update its own software from the company's servers, even when
    the receiver is turned off (but still plugged into an
    outage</a>, which happened because outlet). This
    feature could be abused to disable stored TV programs that the app power
    in place doesn't agree with, thus interfering with free speech.</p>

    <p>Being part of the receiver, the ACAS chip is tethered supposed to company's
    servers.</p> be
    tamper-resistant. Time will tell…</p>

    <p id="m1"><small>[1] We thank the free software supporter who
    translated this article from Japanese, and shared his experience of
    B-CAS with us. (Unfortunately, the article presents DRM as a good
    thing.)</small></p>
  </li>

  <li id="M202111110"> id="M202208240">
    <!--#set var="DATE" value='<small class="date-tag">2021-11</small>' class="date-tag">2022-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Some researchers at Google
    <p>A security researcher found that the iOS in-app browser of TikTok <a href="https://www.vice.com/en/article/93bw8y/google-caught-hackers-using-a-mac-zero-day-against-hong-kong-users">found
  a zero-day vulnerability
    href="https://www.theguardian.com/technology/2022/aug/24/tiktok-can-track-users-every-tap-as-they-visit-other-sites-through-ios-app-new-research-shows">
    injects keylogger-like JavaScript code into outside web pages</a>. This
    code has the ability to track all users' activities, and to
    retrieve any personal data that is entered on MacOS, the pages. We have
    no way of verifying TikTok's claim that the keylogger-like code
    only serves purely technical functions. Some of the accessed data
    could well be saved to the company's servers, and even shared with
    third parties. This would open the door to extensive surveillance,
    including by the Chinese government (to which crackers TikTok has indirect
    ties). There is also a risk that the data would be stolen by crackers,
    and used to target people visiting the websites</a> launch malware attacks.</p>

    <p>The iOS in-app browsers of
  a media outlet Instagram and a pro-democracy labor Facebook
    behave essentially the same way as TikTok's. The main
    difference is that Instagram and political group in Hong
  Kong.</p> Facebook allow users
    to access third-party sites with their default browser, whereas <a
    href="https://www.reddit.com/r/Tiktokhelp/comments/jlep5d/how_do_i_make_urls_open_in_my_browser_instead_of/">
    TikTok makes it nearly impossible</a>.</p>

    <p>The researcher didn't study the Android versions of in-app
    browsers, but we have no reason to assume they are safer than the
    iOS versions.</p>

    <p><small>Please note that the article wrongly refers
    to crackers as “<a href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.</small></p> “hackers.”</small></p>
  </li>

  <li id="M202110250"> id="M202208070">
    <!--#set var="DATE" value='<small class="date-tag">2021-10</small>' class="date-tag">2022-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Ed Tech companies use their surveillance power
    <p>Some Epson printers are programmed to
    manipulate students, and direct them into tracks towards various
    levels of knowledge, power and prestige. The article argues that <a
    href="https://blogs.lse.ac.uk/medialse/2021/10/25/algorithmic-injustice-in-education-why-tech-companies-should-require-a-license-to-operate-in-childrens-education/">these
    companies should obtain licenses to operate</a>. That wouldn't hurt,
    but it doesn't address the root of the problem. All data acquired
    in
    href="https://hardware.slashdot.org/story/22/08/07/0350244/epson-programs-some-printers-to-stop-operating-claiming-danger-of-ink-spills">
    stop working after they have printed a school about any student, teacher, or employee must not leave predetermined number
    of pages</a>, on the school, and must be kept in computers pretext that belong ink pads become saturated
    with ink. This constitutes an unacceptable infringement on
    users' freedom to the school use their printers as they wish, and run free (as in freedom) software. That way, the school district
    and/or parents can control what is done with those data.</p> on their <a
    href="https://fighttorepair.substack.com/p/citing-danger-of-ink-spills-epson">
    right to repair them</a>.</p>
  </li>

  <li id="M202111090"> id="M202204140">
    <!--#set var="DATE" value='<small class="date-tag">2021-11</small>' class="date-tag">2022-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>A building in LA, with a supermarket in it,
    <p>Today's “smart” TVs <a
    href="https://www.latimes.com/business/story/2021-11-09/column-trader-joes-parking-app">demands
    customers load
    href="https://www.techdirt.com/2022/04/14/its-still-stupidly-ridiculously-difficult-to-buy-a-dumb-tv/">
    push people to surrender to tracking via internet</a>. Some won't work
    unless they have a particular app chance to pay download nonfree software. And they are
    designed for parking in programmed obsolescence.</p>
  </li>

  <li id="M202208290">
    <!--#set var="DATE" value='<small class="date-tag">2022-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>US states that ban abortion talk about making it a
    crime to go to another state to get an abortion.  They could <a
    href="https://www.cnn.com/2022/08/29/tech/wireless-carriers-locations-fcc/index.html">
    use various forms of location tracking, including the network,
    to prosecute abortion-seekers</a>.  The state could subpoena the parking
    lot</a>,
    data, so that the network's “privacy” policy would be
    irrelevant.</p>

    <p>That article explains why wireless networks collect location
    data, one unavoidable reason and accept pervasive surveillance. They one avoidable (emergency calls).
    It also have explains some of the
    option many ways the location data are
    used.</p>

    <p>Networks should never do localization for emergency calls
    except when you make an emergency call, or when there is a court order
    to do so. It should be illegal for a network to do precise localization
    (the kind needed for emergency calls) except to handle an emergency
    call, and if a network does so illegally, it should be required to
    inform the owner of entering their license plate numbers the phone in a kiosk. That is writing on paper, with an injustice, too.</p> apology.</p>
  </li>
</ul>
<p class="button right-align">
<a href="/proprietary/all.html">More items…</a></p>
</div>

</div><!-- for id="content", starts in the include above -->
<!--#include virtual="/server/footer.html" -->
<div id="footer" role="contentinfo">
<div class="unprintable">

<p>Please send general FSF & GNU inquiries to
<a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">
        <web-translators@gnu.org></a>.</p>

        <p>For information on coordinating and contributing translations of
        our web pages, see <a
        href="/server/standards/README.translations.html">Translations
        README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and contributing translations
of this article.</p>
</div>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.

     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).

     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2013-2021 2013-2022 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by/4.0/">Creative
Commons Attribution 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2022/09/23 14:13:52 $
<!-- timestamp end -->
</p>
</div>
</div><!-- for class="inner", starts in the banner include -->
</body>
</html>