Is there Spyware in Trillian 3?

This originally started as a five-minute review of Trillian 3, and ended with something entirely different, forcing me to ask “Is Trillian Spyware?”


After installing Trillian, I was looking through the configuration options in Trillian, and was a bit disturbed to find that Trillian had an option to “submit anonymous usage statistics” enabled by default.
I actually wanted to be fair, so I fired up a packet sniffer, so that I could determine the nature of the usage statistics Trillian was sending. What I discovered was rather troubling:
When Trillian Basic 3 starts, it establishes an encrypted connection with www.ceruleanstudios.com
I still wanted to be fair, since I know so many people _genuinely like_ this software, but I was a bit suspicious. So I turned off Trillian’s feature to send these stats. Guess what:
*Even when you turn off usage stat reporting, Trillian 3 establishes an encrypted connection with www.ceruleanstudios.com*
If you have trouble believing me, here are the captured packets, for your enjoyment.
* “What is being sent to www.ceruleanstudios.com”:/download/482/sent.txt
* “Data received from www.ceruleanstudios.com”:/download/482/received.txt
The capture was made using “Ethereal 0.10.8”:http://www.ethereal.com/ and “WinPcap 2.3”:http://winpcap.polito.it/ and is from the session when I had told Trillian not to report usage stats. Before anyone asks: Trillian’s feature to check for new versions was also turned off.
* Why is Trillian establishing this encrypted session?
* Why aren’t Cerulean Studios telling us about this?
* More importantly: *What is Trillian sending that is so secret and important that they can’t send it in plain text over the wire?*
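
The comparison described above (capture one session with usage stats on, one with them off, and see which hosts still get an encrypted connection) can be automated. The following is an added example, not part of the original post: it assumes the two sessions were saved as classic libpcap files, and every function name, address and sample packet in it is constructed for illustration.

```python
import socket
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver major/minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
SYN, PSH_ACK = 0x02, 0x18


def frame(src, dst, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 1025, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def pcap(frames):
    """Wrap frames in a classic little-endian pcap file image (Ethernet link type)."""
    records = b"".join(REC_HDR.pack(i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + records


def ssl_destinations(capture, local_ip):
    """Return the set of (ip, port) to which local_ip sent an SSL/TLS ClientHello."""
    magic, *_, linktype = GLOBAL_HDR.unpack_from(capture, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected classic little-endian pcap with Ethernet link type")
    found, off = set(), GLOBAL_HDR.size
    while off + REC_HDR.size <= len(capture):
        incl_len = REC_HDR.unpack_from(capture, off)[2]
        pkt = capture[off + REC_HDR.size: off + REC_HDR.size + incl_len]
        off += REC_HDR.size + incl_len
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00":
            continue  # truncated, or not IPv4
        ip = pkt[14:]
        if ip[9] != 6 or socket.inet_ntoa(ip[12:16]) != local_ip:
            continue  # not TCP, or not sent by the machine under test
        tcp = ip[(ip[0] & 0x0F) * 4: struct.unpack("!H", ip[2:4])[0]]
        if len(tcp) < 20:
            continue
        data = tcp[(tcp[12] >> 4) * 4:]
        # SSL 3.0/TLS: handshake record (0x16), major version 3, message type 1.
        v3 = len(data) >= 6 and data[0] == 0x16 and data[1] == 3 and data[5] == 1
        # SSLv2-format hello: length high bit set, message type 1 (heuristic).
        v2 = len(data) >= 3 and bool(data[0] & 0x80) and data[2] == 1
        if v3 or v2:
            found.add((socket.inet_ntoa(ip[16:20]), struct.unpack("!H", tcp[2:4])[0]))
    return found


def contacted_regardless(capture_on, capture_off, local_ip):
    """Destinations that receive a ClientHello with the setting on AND with it off."""
    return sorted(ssl_destinations(capture_on, local_ip)
                  & ssl_destinations(capture_off, local_ip))


# Constructed sample captures; all addresses are documentation ranges, not real hosts.
LOCAL = "192.0.2.50"
HELLO_V3 = bytes([0x16, 0x03, 0x00, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
HELLO_V2 = bytes([0x80, 0x03, 0x01, 0x03, 0x00])
STATS_ON = pcap([frame(LOCAL, "203.0.113.10", 443, SYN),
                 frame(LOCAL, "203.0.113.10", 443, PSH_ACK, HELLO_V3),
                 frame(LOCAL, "198.51.100.7", 80, PSH_ACK, b"GET / HTTP/1.0\r\n\r\n")])
STATS_OFF = pcap([frame(LOCAL, "203.0.113.10", 443, SYN),
                  frame(LOCAL, "203.0.113.10", 443, PSH_ACK, HELLO_V2),
                  frame("203.0.113.10", LOCAL, 1025, PSH_ACK, HELLO_V3)])

if __name__ == "__main__":
    print(contacted_regardless(STATS_ON, STATS_OFF, LOCAL))
```

A destination that shows up in the result is one the application opens an encrypted session to whether or not the setting is enabled; what is inside that session still has to be established separately.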

38 Comments

  1. Do you use the Pro version? They might be checking your Pro account to see if it is valid.

  2. No, as I said: I was using Trillian Basic.

  3. Sorry… I didn’t see that. If you want I can post this to the Trillian Forums and see what they say.

  4. I don’t think you would be able to see it, but I posted it to the Members area thinking there is a better chance of a Cerulean Studios person seeing it.
    http://www.ceruleanstudios.com/forums/showthread.php?s=&threadid=64017

  5. qbj

     /  2004-12-22

    Did you try turning off the option to check for updates on startup too?

  6. bq. Did you try turning off the option to check for updates on startup too?
    Indeed I did. To quote myself:
    bq. Before anyone asks: Trillian’s feature to check for new versions was also turned off.

  7. Mike: I tried that link, and even _after_ registering I cannot reach it.

  8. uh...no

     /  2004-12-22

    Trillian 3 pro and basic are the same program now. Trillian 3 verifies if you have Pro or Basic every time you start it.

  9. puck

     /  2004-12-22

    From the linked thread: “Open the Trillian Preferences and look around. You will see there are things such as the “Did you know?” section that are being fed from ceruleanstudios.com. It also uses it for the instant lookup database, etc.
    There is no spyware in Trillian.”

  10. Puck, I’ve already said something about this in the forum thread I started, so I can actually follow what is being said: _There is no reason to send that kind of data encrypted._

  11. actown

     /  2004-12-24

    I bet it is sending to see if you are a registered trillian buyer or checking for updates. Quote: There is no reason to send that kind of data encrypted. Yes there is because someone might get a hold of your trillian username and pass and steal your account that is $25

  12. actown: How much did you bet? As I said, I was evaluating Trillian Basic, and therefore, there is no Trillian username or password to send. Update checking was turned off, and so was the Wikipedia integration.
    There is a “thread on the subject”:http://www.trillian.cc/forums/showthread.php?s=&threadid=64064 in the Trillian forums. The essence of this thread is that there is an option to turn off the SSL(Secure Sockets Layer) encryption, after which what goes over the wire looks “innocent” enough. Even though, Trillian _is_ phoning home every time you use it.
    What I can add to this is that if you place http://www.ceruleanstudios.com in the hosts file, to prevent Trillian from contacting Cerulean Studios, it will not start until the http session has timed out.
    There is also one very heavy privacy issue in another part of Trillian. One of the new options in Trillian is an ability to underline every word for which there is a definition in WikiPedia. Every time you mouse over one of these words, Trillian contacts the Cerulean Studios servers to fetch the definition.
    From a practical point of view, I can understand that you don’t want to download a local copy of Wikipedia every time you use the program. From a privacy point of view, I don’t understand why Cerulean Studios is not offering me to do so. I don’t trust Cerulean Studios with my usage information: They have no stated privacy policy regarding the WikiPedia lookups, and what is found on the Wikipedia site is this:
    bq. We collect information volunteered by the consumer, such as survey information and/or site registrations.
    Have I volunteered any information to Cerulean Studios? No. Have I been informed that they are collecting data? No.
    In addition, there is also this question in the “Trillian FAQ”:http://trillian.cc/faqs/
    bq. How does Instant Lookup™ work?
    As you chat with your contacts, Trillian scans each of your messages in realtime to determine which words or phrases have interesting information associated with them. You may then choose to click these words to take further action, or can simply move your mouse over the words for a brief summary. Your messages are never sent to our servers for processing for any reason; all actions are taken locally, on your machine. Cerulean Studios has no access whatsoever to your messages.
    So, Trillian may not be sending my verbatim messages to Cerulean Studios, but they’re sending everything I mouse over to them, and they’re conveniently avoiding to tell me. People have to use packet sniffers to find out.

  13. jnz

     /  2004-12-26

    bq. The essence of this thread is that there is an option to turn off the SSL encryption, after which what goes over the wire looks “innocent” enough.
    If you want to see what is being sent even with SSL turned on, you can install the debug version of the WinInet library. This can log the plaintext version of data exchanged over SSL connections, and I’ve used it to watch the Wiki lookups done by Trillian.
    Grab an appropriate version from here: http://www.mathies.com/win32tips.html (scroll down to the “Debug versions of Wininet.dll” section). Read the readme for installation instructions. It seems that the instructions were written before Windows File Protection became a feature, so you might have to shut that off to get it installed. This is not for the faint of heart.

  14. It seems then that in good conscience you _cannot_ recommend trillian to other people. I never have been able to. It’s not simply that they have a history of providing memory leaky bloatware, or that their client lacks basic features of the native clients, but that their “support” forums are unprofessionally hostile especially towards general “discussion” topics that deviate from the secular humanist party line.
    If you want an excellent multiprotocol chat client look no further than either “Gaim”:http://gaim.sourceforge.net/ or “Miranda”:http://miranda-im.com
    Miranda, like Gaim, is totally free, and unlike trillian “pro” has free plugins which are both more powerful and more diverse than the trillian weakling.
    Miranda does not _spy_ on its userbase!
    (Ed. note: Typographical edits performed)

  15. Nathan C

     /  2005-01-07

    ‘they have a history of providing memory leaky bloatware’ … where is this “history”, exactly?
    ‘their client lacks basic features of the native clients’ … Yet you recommend GAIM and Miranda instead? How exactly can a program be both bloatware AND lack functionality of the actual clients, and still use less Ram…exactly?
    ‘their “support” forums are unprofessionally hostile especially towards general “discussion” topics that deviate from the secular humanist party line.’ … those support forums are maintained by users in their free time, and they are some of the most helpful forum users I’ve seen, especially considering the hundreds of posts per day asking for help. The support is done for free – making unfounded comments about a program the users like and then insulting the people who provide their time for free (in the wrong forum, I might add), isn’t the way to garner the help of said users.
    And, I’d like to be linked to this “unprofessionally hostile” “community”. A single link to a single angry post in the “general” forum (which is NOT for Trillian chat) is not acceptable either, sir.

  16. Nathan, while “that figures” comment will have to be answered on its own merit, I have something to say about the behavior of certain people frequenting the Trillian forums.
    I posted a thread in the Trillian forums, raising my concerns with Trillian’s “phone home feature”:http://www.ceruleanstudios.com/forums/showthread.php?threadid=64064 — and another user voiced his concerns regarding the “privacy of the Instant Lookup feature”:http://www.ceruleanstudios.com/forums/showthread.php?threadid=64094.
    Some of the forum regulars and moderators immediately turn hostile, and resort extensively to “logical fallacies”:http://fallacyfiles.org/ to make their argument.
    Let it be no secret that I regard the MozillaZine forums as a zealotist forum, but the Trillian forums are a hundred times worse.

  17. Nathan C

     /  2005-01-07

    I just read through the phone home thread, and I can’t find anything that would constitute hostility. I think you might have been mistaken about ameoba’s posts, as he was not replying to your questions with some of those posts (notice the quoting of the member “Roguer”, who is a friend of ameoba’s).
    Regarding the privacy policy, I don’t think that sending language information to a web server has to be included. Only information that is archived. If the first was the case, every web site you visit would have to have a privacy policy stating that they are recording your web browser version and IP address. I’m not sure of this, but does anyone know if IE or firefox state they send out your IP and browser info when they connect to a website?
    Anyways, if Trillian was collecting information or doing anything shady, the trillian forum users would be the first to get vehemently mad. It’s a small, close knit company (3 devs), and I can understand if the privacy policy has not been updated for version 3.0. However, if you have a big problem with that, it is completely your prerogative to not use the software.

  18. Nathan: There is a big difference between “I am making a network connection to X, so they will have my IP address” and “I am making a network connection to X, so information from my computer is being sent to third-party Y”. Any application that connects to the Internet does the former. The latter is often done by rogue software. Trillian is doing the latter.
    Further: Trillian is, “in contradiction with their own FAQ”:http://www.trillian.cc/faqs/, sending information back to Cerulean as to which Wiki words you are mousing over. The relevant FAQ entry says (my emphasis):
    bq.. How does Instant Lookup™ work?
    As you chat with your contacts, Trillian scans each of your messages in realtime to determine which words or phrases have interesting information associated with them. You may then choose to click these words to take further action, or can simply move your mouse over the words for a brief summary. Your messages are never sent to our servers for processing for any reason; all actions are taken locally, on your machine. Cerulean Studios has no access whatsoever to your messages.
    p. This is a blatant lie from Cerulean Studios: Trillian sends back a lookup request to the Cerulean Studios server _every time you mouse over a message._
    The most disappointing thing about this entire ordeal is that it’s impossible to get Cerulean employees to respond to _anything_ regarding these privacy issues.

  19. Nathan C

     /  2005-01-07

    bq.. Upon request we provide site visitors with access to all information [including proprietary information] that we maintain about them.
    If you feel that this site is not following its stated information policy, you may contact us at the above email address.
    p. I suggest you do that.

  20. Nathan, personally, I don’t use Trillian, but I suggest that anyone who uses Trillian contacts them.
    If nothing else, if Cerulean are pestered with users’ requests about Trillian 3’s behavior, they might change the behavior to becoming less privacy-invasive.

  21. SS

     /  2005-01-11

    It caches the words locally for Wikipedia lookup, but it does periodically check to make sure it has the most recent version of the Wikipedia entry. Witness how sometimes the entry will change while you’re mouse-overed it if there’s a newer one than the one you have cached.
    You can always just turn off the Wikipedia (Preferences, Message Windows, uncheck ‘Underline words with encyclopedia entries in green’) if that’s a concern to you, or request a feature that would allow you to turn off the entry updates and force you to just download new lookup databases periodically. (Which isn’t a bad idea anyway.)
    As for the other part, if you have the automatic version update check turned off, are running Basic, and have the anonymous usage statistics turned off (Preferences, Installation & Startup, uncheck ‘Send anonymous usage statistics’)… have one of the beta team log it in the bug database for the 3.1 cycle, maybe?
    Perhaps there’s a check happening from the Pro codebase that doesn’t get turned off in the Basic one, a legacy of the recent codebase merge, or something like that.

  22. SS

     /  2005-01-11

    Oh! I just re-read and noticed that you did have the anonymous statistics on.
    All that contains is basically ‘hi, I am a copy of Trillian version and I have been run x times’ type information. The contents of the anonymous statistics packet have been posted before in the forums and publicly known since around 1.0 or 0.7x, though I don’t have a link handy at the moment. If you look at the packets you pasted in, the majority of the data is the SSL handshake and certificate exchange.
    As for it being SSL, that’s because Trillian reuses the same code for its communications with the core database server, and any of the paid-member transactions you really /want/ those communications SSL-encrypted.
    Code reuse is good, though in this case, perhaps not necessary. 😛

  23. SS: No, I have turned everything, including usage stats off.
    I have examined the data sent with usage stats on or off — when you have usage stats on, Trillian appears to be sending some GUIDs and additional data when connecting.
    The bottom line is: Trillian is connecting when it’s not supposed to.

  24. bq. It caches the words locally for Wikipedia lookup, but it does periodically check to make sure it has the most recent version of the Wikipedia entry. Witness how sometimes the entry will change while you’re mouse-overed it if there’s a newer one than the one you have cached.
    Sorry, SS, this is wrong. When you install Trillian, Trillian downloads and installs a dictionary in the users\default\instantlookup directory, named wiki.dat. This file only contains the words present in the WikiPedia copy at http://www.ceruleanstudios.com.
    Whenever you mouse over a word that exists in wiki.dat, Trillian connects to look up the word. In doing so, Trillian are actually able to collect _extensive_ data on your interests. This is _a huge_ privacy issue.

  25. SS

     /  2005-01-12

    Try entering a phrase you haven’t seen before and mouse-overing it quickly, and you’ll see ‘Loading…’ for a moment before the entry appears the first time. Try it again, later, and you’ll see it’s cached. Maybe I explained it wrong; this is what I get for blog-surfing while tired.
    Basically, let’s say you have a word ‘foo’ in the index. You’ve never seen ‘foo’ before. So it connects, downloads the text, and caches that. It keeps the cache around for a while for the next time you mouseover, however.
    That said, if it’s a huge privacy concern, enough that you want the feature but would prefer to have the entire wikipedia locally, honest, write it up and send it to them. Request an alternate download-only version. I’m reasonably sure they’re omitting such a thing not because of Evil Marketing Schemes but because it seemed simpler at the time.
    I’m reasonably familiar with the developers, and I’d say it’s much more likely this is an oversight — and that the connect on startup is a product of the Pro/Basic codebase merge, perhaps a check that isn’t properly excluded from Basic — than that they’re being sinister, evil sorts out to violate your privacy. 🙂
    Either way, I’d imagine they’re more likely to notice a submitted letter going ‘hey, this is a concern to me, can it be explained or something’ or ‘hey, here’s a request for a feature I’d really like, maybe others would too,’ than to notice a random blog post among the myriad, many millions out there.

  26. dodo

     /  2005-01-30

    Hi,
    I agree with Arve. Trillian is dirty. I found that out 2 days ago. My PC crashed during a chat session and as i checked back later to see if my conversation has been logged for convenient re-reading i was astounded. I saw that at the time of crash in my log, there was a part of my mozilla session-saver data (This is the data that remembers your last viewed webpages). Also I found a huge amount of encrypted data after that part.
    I don’t know about you guys, but to me it is obvious that something is being sent via Trillian that ought not to be sent.
    Trillian is nice, yes, it works fine, yes, but, my advice to anyone:
    DO NOT USE TRILLIAN !

  27. Bee

     /  2005-03-13

    Hi, what about earlier versions of trillian? Are similar problems known?

  28. I don’t know what Trillian 2 does, but I believe the 0.x versions might be clean.

  29. Trillian contains..

     /  2005-09-05

    Trillian sends your account information to the site. The information is then stolen, changed password, etc.. You’ll find your account gone (if you’re one of the unlucky people that they picked out of the hat).

  30. david

     /  2005-09-13

    Our company has been using both Trillian Pro and Akeni Enterprise IM and have not detected them as spyware.

  31. Moca

     /  2005-09-20

    Has this ever happened to a user of trillian? I downloaded the free version bundled with the vid player and God knows what else.
    Trillian crashed a lot. I finally deleted it and left the player in my HD… Then the player started throwing an ad on my desktop.
    I deleted the player… THEN the “fun” started…
    Gradually, over a week, the buttons on the task bar started acting sluggish, responding increasingly slow to my input.
    Then, last night, with no apps running, my CPU output was at one hundred percent and my task bar froze.
    Anything off the taskbar worked. Any games opened and closed would cause the bottom of the game image to “stick” to the taskbar.
    I used the restore feature, going back to before I installed Trillian and the problem went away…
    Now, is this weird, or what? Neither I nor a geek friend have ever seen such a thing.

  32. D-cat

     /  2005-12-12

    ZoneAlarm Pro warning for Trillian 3:
    “Security Alert: Suspicious Activity
    The Application Trillian is trying to monitor your Keystrokes and Mouse Movements.”
    Now I find out it’s phoning home? I think I just stuck myself to gAIM.

  33. Ted

     /  2006-01-04

    Hi I used to use trillian until I got a worm notice from [Perfect Process Shield] I will never use Trillian again.. I can’t say if it is sending or receiving bad or good data .. all I can say is until they fix that I will not use it.

  34. Abstracted Matt

     /  2006-01-05

    David, Moca and Ted, you are dumb. Everyone else, Trillian sux0rs. Get a life.

  35. Eddy

     /  2006-02-13

    We reverse-engineered trillian pro 3 and found out that there are several sections in the code to confirm these findings. Also part of the code was designed to allow remote control of the system by a simple upload to change the behaviour of trillian. For several reasons we cannot officially release the work.

  36. Oldtimer

     /  2006-02-22

    ZoneAlarm Pro warning for Trillian 3:
    “Security Alert: Suspicious Activity
    The Application Trillian is trying to monitor your Keystrokes and Mouse Movements.”
    I get the same message when using trillian BASIC OR PRO! I have been a long time trillian user BUT I got this msg when I installed the pro version of Zone Alarm… I guess it’s time to find some other progie 🙁

  37. none

     /  2006-02-26

    Did anyone notice that choicepoint in the received package? Wasn’t that the company which stored tons of user data and lost it?
    For everything else: If a prog does anything which I am not informed about I have the good right to suspect that this program is doing evil. Esp. when it comes to starting encrypted sessions with anything on the net that I! did not call.
    Does Trillian obey the hosts file? Might be blocking cerulean and stuff in there.
    On the other hand I was already thinking about switching to JABBER and using a system independent and free (as in software) client for it.

  38. Nathan C

     /  2006-03-09

    By the way, the monitor mouse/keyboard thing is so that it can set you away/back when you’re idle. Moca, your psychology of blame really needs to re-evaluate the situation, because you probably have a causation error. Arve, you might have delusions of grandeur. Do you use google? Do you use any search engine for that matter? Do you use Amazon.com? All of these companies collect, store, and collate more information than the handful of developers at Cerulean Studios could ever dream about.