Proprietary Software Is Often Malware

Proprietary software, also called nonfree software, means software that doesn't respect users' freedom and community. A proprietary program puts its developer or owner in a position of power over its users. This power is in itself an injustice.

The point of this directory is to show by examples that the initial injustice of proprietary software often leads to further injustices: malicious functionalities.

Power corrupts; the proprietary program's developer is tempted to design the program to mistreat its users. (Software designed to function in a way that mistreats the user is called malware.) Of course, the developer usually does not do this out of malice, but rather to profit more at the users' expense. That does not make it any less nasty or more legitimate.

Yielding to that temptation has become ever more frequent; nowadays it is standard practice. Modern proprietary software is typically an opportunity to be tricked, harmed, bullied or swindled.

Online services are not released software, but in regard to all the bad aspects, using a service is equivalent to using a copy of released software. In particular, a service can be designed to mistreat the user, and many services do that. However, we do not list instances of malicious dis-services here, for two reasons. First, a service (whether malicious or not) is not a program that one could install a copy of, and there is no way at all for users to change it. Second, it is so obvious that a service can mistreat users if the owner wishes that we hardly need to prove it.

However, most online services require the user to run a nonfree app. The app is released software, so we do list malicious functionalities of these apps. Mistreatment by the service itself is imposed by use of the app, so sometimes we mention those mistreatments too—but we try to state explicitly what is done by the app and what is done by the dis-service.

When a web site provides access to a service, it very likely sends nonfree JavaScript software to execute in the user's browser. Such JavaScript code is released software, and it's morally equivalent to other nonfree apps. If it does malicious things, we want to mention them here.

When talking about mobile phones, we do list one other malicious characteristic, location tracking which is caused by the underlying radio system rather than by the specific software in them.

As of November 2024, the pages in this directory list around 600 instances of malicious functionalities (with more than 720 references to back them up), but there are surely thousands more we don't know about.

Ideally we would list every instance. If you come across an instance which we do not list, please write to [email protected] to tell us about it. Please include a reference to a reputable article that describes the malicious behavior clearly; we won't list an item without documentation to point to.

If you want to be notified when we add new items or make other changes, subscribe to the mailing list <[email protected]>.

Injustices or techniques Products or companies
  1. Back door:  any feature of a program that enables someone who is not supposed to be in control of the computer where it is installed to send it commands.
  2. Digital restrictions management, or “DRM”:  functionalities designed to restrict what users can do with the data in their computers.
  3. Jail:  system that imposes censorship on application programs.
  4. Tether:  functionality that requires permanent (or very frequent) connection to a server.
  5. Tyrant:  system that rejects any operating system not “authorized” by the manufacturer.

Users of proprietary software are defenseless against these forms of mistreatment. The way to avoid them is by insisting on free (freedom-respecting) software. Since free software is controlled by its users, they have a pretty good defense against malicious software functionality.

Latest additions

  • 2023-06

    Eclypsium discovered an insecure universal back door on many computers using Gigabyte mainboards. Gigabyte designed their nonfree firmware so they could add a program to Windows to download additional software from the Internet, and run it behind the user's back.

    To add injury to injury, the back-door program was insecure, and opened ways for crackers to run their own programs on the affected systems, also behind the user's back. Gigabyte's “solution” was to ensure the back door would only run programs from Gigabyte.

    Eclypsium at least mentions the problem of “unwanted behavior within official firmware,” but does not seem to recognize that the only real solution is for firmware to be free, so users can fix these problems without having to rely on the vendor.

    Nonfree software does not make your computer secure—it does the opposite: it prevents you from trying to secure it. When nonfree programs are required for booting and impossible to replace, they are, in effect, a low-level rootkit. All the things that the industry has done to make its power over you secure against you also protect firmware-level rootkits against you.

    Instead of allowing Intel, AMD, Apple and perhaps ARM to impose security through tyranny, we should demand laws that require them to allow users to install their choice of startup software and make available the information needed to develop such. Think of this as right-to-repair at the initialization stage.

  • 2025-01

    Google is forcing its bullshit generator, Gemini, on many users of Gmail without asking them, and not even offering the users a way to deactivate it.

    Workplace IT managers, whose employees are forced to use Gmail, can get it turned off after a laborious procedure, followed by waiting—the darkest of dark patterns.

  • 2024-09

    Kia cars were built with a back door that enabled the company's server to locate them and take control of them. The car owner had access to these controls through the Kia server. That the car owner had such control is not objectionable. However, that Kia itself had such control is Orwellian, and ought to be illegal. The icing on the Orwellian cake is that the server had a security fault which allowed absolutely anyone to activate those controls for any Kia car.

    Many people will be outraged at that security bug, but this was presumably an accident. The fact that Kia had such control over cars after selling them to customers is what outrages us, and that must have been intentional on Kia's part.

  • 2024-11

    Dating apps exploit their users; fundamental features require an expensive subscription, and they are designed to be addictive.

  • 2023-09

    BMW has retreated from making car owners pay for a subscription to the heated seats feature.

    Customers rejected it. Bravo for them!

    Instead BMW plans to require subscriptions for digital services and disservices—things related to the Orwellian tracking done by any “connected” car.

More items…