Group seeks spyware's defining moment

Makers of anti-spyware software are taking another shot at creating a definition of spyware, this time with help from consumer organizations.

A new group, tentatively named the Anti-Spyware Coalition, plans to publish proposed guidelines later this summer that define spyware, best practices for desktop software development, and a common lexicon, people involved with the group told CNET News.com.

Debate has gone on for years over spyware and adware, with manufacturers of the applications defending them as legitimate marketing tools. The terms are slippery, frequently used to apply both to the information-thieving software and the often-annoying advertising tools bundled with free software programs.

News.context

What's new:
Anti-spyware software makers are taking another shot at creating a definition of spyware.

Bottom line:
If the new coalition succeeds, its work could clear up confusion over spyware and adware, helping consumers keep their PCs clean.

More stories on spyware

"Consumers will benefit by clarity in the rules that apply to those kinds of applications. It will also help software makers understand where the line is so they can stay on the clear side of it," said David Fewer, staff counsel at the Canadian Internet Policy and Public Interest Clinic, a consumer advocacy group in Ottawa associated with the new coalition.

Both spyware and adware can impact PC performance. They're often surreptitiously installed on computers to gather information about people that is used for advertising or provided to other interested parties. The market for tools to remove the unwanted software is booming.

If the new coalition succeeds, its work could clear up confusion over spyware and adware, helping consumers keep their PCs clean. Also, the group's work could help software makers and legitimate advertisers improve their products.

While clear examples of legitimate and illegitimate behavior aren't hard to find, drawing a bright line between them has proved difficult. "The key benefit is getting a handle on the nature of the problem, industrywide (agreement) on what is accepted and what is not," Fewer said.

In an example of why standard definitions are needed, Computer Associates International earlier this year temporarily removed the Gator adware program from the spyware detected by its PestPatrol program. It has since been put back on CA's list of spyware, and the company has changed the way it deals with appeals from spyware makers.

Drafts of the coalition's guidelines are finished and should be published by the end of the summer, when they will be open to public comments, said Ari Schwartz, an associate director at the Center for Democracy and Technology.

Who's joined?

The Anti-Spyware Coalition counts software makers, online businesses and security providers among its members. Watchdog groups are taking part too, but they have an associate role.

Members:
Aluria Software
America Online
Computer Associates International (PestPatrol)
EarthLink
Hewlett-Packard
Lavasoft (Ad-Aware)
McAfee
Microsoft
Safer Networking (Spybot)
Symantec
Tenebril
Trend Micro
Webroot Software
Yahoo
Business Software Alliance
Cyber Security Industry Alliance

Also involved:
National Consumer Law Center
Canadian Internet Policy and Public Interest Clinic
Berkeley Center for Law & Technology
Consumers Union
Center for Democracy & Technology

Source: Center for Democracy & Technology

The Anti-Spyware Coalition is still in its formative stages, with all the parties involved meeting for the first time last week at the CDT offices, Schwartz said. There is commitment to form the coalition, but the group's name has not been formally announced yet, he said. The CDT, a Washington-based public advocacy group, is running the coalition.

Ultimately, according to Fewer, judging whether software is spyware comes down to three components: notice, consent and control. During installation of an application, it should be clear to the user what the tool does. The user should also have to give permission for installation and should be able to remove the application. In many cases, spyware and adware don't meet those basic rules, Fewer said.

The lack of a common approach to defining the unwanted programs has resulted in the anti-spyware tools that flag perceived threats in different ways. Sometimes one anti-spyware tool will identify an application as spyware or adware, while another won't.

"There is much confusion over what spyware is and what it is not. And it starts with the fact that there is no definition," said Tori Case, director of security management at CA.

"What one person calls spyware, another calls adware, another calls surveillance software and yet another says it is not anything. That has

[crosstalk]

what is the web site?

how do you contact the new antispyware forum?

[Below Meigh]

don't you have the toolbar for it?

Isn't there an adware popup that directs you to the site?
Or a toolbar in your browser?

(sarcasm)

I find that lavasoft has caved in to HT.exe makers and the likes because they are making $ (just from WHO I wish someone would publish their home addresses) and leveraging with frivalous lawsuits.

popups, spyware, junkware,... its all malicious. IMHO.

So what's there to be confused about?

From the article:

"There is much confusion over what spyware is and what it is not. And it starts with the fact that there is no definition," said Tori Case, director of security management at CA.

If it is tracking in any way shape or form, anything you do on your computer, IT IS SPYWARE.

If it is installed on your computer with out your consent, and by consent, I mean it clearly and specifically reveals it's true purpose during install and gives you the option to accept or deny it, IT IS MALWARE.

If it pops up ads without any interaction or effort on your part, IT IS ADWARE.

This is no different than breaking into someones house or car and installing cameras and microphones so you can monitor them.

[Michael Grogan]

Of course it's obvious

That's why all the noise. The people making the noise have a vested interest in confusing the issue before it gets clarified to the lawmakers. I can just imagine the back room deals that the spyware vendors and the anti-spyware vendors cut in preparation for this effort. Whatever 'definition' they come up with will certainly be narrow enough to allow the spyware vendors to keep on keeping on and leave something for anti-spyware software to purge from our computers on a daily basis. The whole point is to stop lawsuits, not spyware.

[Duncan12b]

Spyware: A Clarification

I think the spyware definition needs some more clarification. You say that anything that tracks you in any way is spyware. But what if you want something that tracks you, like the Google Toolbar? Is that spyware? I say no, it isn't. If you know what it is doing it can't be spying. Spying implies that something covert is going on. It is only spyware if you don't know what it is doing.

Take the example of a video camera for instance. It can track you, so is it spyware? Maybe. It depends on how it is used. If somebody you know comes up to you and asks if they can take your picture, it is not spyware. If somebody hides in a bush and takes your picture without your permission, then it is spyware.

The real issue is informed consent. Tracking software, like the Google Toolbar, has a place in the market and shouldn't be labeled as spyware.

[Michael Grogan]

The definition will never come

Since a proper definition of spyware/adware would facilitate effective legislation and ultimately prosecution of spyware/adware vendors with the possibility of severly curtailing or even stopping the problem it wiil not be defined by this coalition. The reason is simple; the heart of the coalition is software vendors who rely on the continued practice of software/spyware deployment for there business. These companies have a vested interest in the continuing good health of the spyware vendors and are unlikely to cut their own throats businesswise.

[Jonathan]

Call it what it is: A type of virus.

Most spyware now a days tricks you into installing it on your computer and does things to said computer that most users would NOT approve of. People are splitting hairs on what is a virus/worm/trojan/adware/spyware. All of this falls under the name malware and any spyware program can be just as damaging as a virus. We wouldn't be dealing with this issue if spy/adware wasn't being distributed under the guise of a legit business practice. Imagine what would happen if a worm that sends out mass mail spam was classified as a legit business tool and was acceptable because people clicked on the exe in the e-mail so its obviously something they wanted to install right? BS.

spyware

spyware is anything that goes in my computer without my express permission in advance ... also, it is criminal theif, end of story, period.

[GregJameson]

Spyware/Adware are flawed terms anyway

Trying to come up with a definition of "spyware" vs "adware" is a waste of time. The ASC needs to wake up and realize that these terms should be thrown out in favor of a single unified term. Call it something like "trespassware."

If something -- I don't care what it is -- installs itself on my PC, and I did not explicitly authorize it to be there, then it's trespassware and it is illegal. Period, end of story. How difficult is that to figure out?

The best quote on the futility of what the ASC is doing comes from Ben Edelman, spyware researcher: "From the perspective of users whose computers are infected, there is nothing hard about [defining spyware]. If you have adware or spyware on your computer, you want it gone. Maybe the toolbar is Mother Theresa, but it's Mother Theresa sitting in your living room uninvited and you want her gone also. You don't need a committee of 50 smart guys in D.C. sipping ice tea in order to decide that."

Amen.