February 10, 2006 12:19 PM PST
Spyware fight attracts a crowd
- Related Stories
Security consortium creates guidelinesJanuary 30, 2006
Google, Sun, others band to fight spyware, adwareJanuary 24, 2006
Anti-spyware guidelines get final versionJanuary 12, 2006
Group seeks spyware's defining momentJune 3, 2005
Anti-spyware group Coast hits an icebergApril 12, 2005
Last month, the number of efforts to fight adware and spyware doubled with the announcement of two new initiatives: Spywaretesting.org, a consortium of antivirus companies, and StopBadware.org, an initiative led by two universities. These join the Trusted Download Program and the Anti-Spyware Coalition, both formed last year.
The new initiatives were the hot hallway topic outside an event hosted by the Anti-Spyware Coalition here Thursday. People there disagreed on whether more is merrier. Some predict the efforts will collide, as each group is dedicated to helping consumers deal with the insidious software. Others say the peer pressure will keep each organization on its toes, helping the cause.
Launch of two new anti-spyware groups mean there are now four industry initiatives to fight software that pops up ads on screens or spies on PC users.
Industry members are divided on whether the presence of several efforts will backfire on consumers. Some say the initiatives will collide, others that they will end up collaborating.
For more info:
More on spyware initiatives
"To many of us, it is completely baffling why there are so many different groups out there," said Alex Eckelberry, president of Sunbelt Software, a maker of anti-spyware tools. Sunbelt has not joined any of the efforts in order to maintain its independence, he said.
According to a Pew Internet & American Life Project study published last year, roughly 59 million American adults have spyware or adware on their computers. Other experts have said as many as 80 percent of consumers' PCs are infected with the annoying software.
Eric Allred, who works at Anti-Spyware Coalition member Microsoft as an anti-spyware response coordinator, said the existence of several bodies could make the work of each group less effective. That could hurt their overall goal of protecting consumers, he said.
But more voices can only help, said David Fewer, a staff counsel at the Canadian Internet Policy and Public Interest Clinic, a consumer advocacy group in Ottawa associated with the Anti-Spyware Coalition. "More consumer education is a good thing, especially if these groups have consistent messaging, which I think they do," he said.
Each of the four groups appears to be dedicated to a distinct purpose, said Tori Case, director of security management at Computer Associates International. Though the goals of each group sometimes overlap, that spread should help stop them stepping on each other's toes.
"That provides focus," she said. "You risk losing focus and (having) conflict of interest in a large organization."
Who's doing what
The Anti-Spyware Coalition only got going in June last year, but is still the oldest group dealing with adware and spyware. It is focusing on coming up with a definition of spyware, to help draw a line between legitimate adware and intrusive downloads. In January, it published guidelines for identifying and combating spyware. It also issued tips for makers of anti-spyware tools to help them deal with companies that complain their software has been inappropriately flagged.
Picking a fight
The four industry groups working to combat spyware and adware are taking different tacks, though their efforts do sometimes overlap.
Set up in mid-2005. The group is working on a definition of spyware, a common lexicon and an appeals process for those who contest that their software is not adware or spyware. Members include Microsoft, Symantec, Computer Associates, McAfee, AOL and Yahoo. CNET Download.com, a sister site of News.com, is also signed up.
Trusted Download Program
Launched in November, the program promises to use certification to guarantee an application does only what it says. It's backed by America Online, Yahoo, CNET Networks, Verizon and Computer Associates.
A more community-focused effort that aims to publish a blacklist of companies and software judged to be the worst offenders. Solicits stories and reports of offending downloads from Net users. Has support from Google, PC maker Lenovo and Sun Microsystems.
An initiative launched last month by a consortium of antivirus companies. It plans to draft standards for spyware samples and testing, help consumers determine the risks posed by new software and the effectiveness of anti-spyware products. The members are McAfee, Symantec, Trend Micro, ICSA Labs and Thompson Cyber Security Labs.
The formation of the group came just months after the collapse of the Consortium of Anti-Spyware Technology vendors, or Coast, which had many of the same goals. Coast fell apart after it allowed a company suspected of making adware to join, a decision that prompted the departure of several key members.
In November, the Trusted Download Program made its debut. The stated aim of the organization is to certify software downloads that are friendly and noninvasive. The program is run by privacy watchdog Truste and backed by America Online, Yahoo, CNET Networks, Verizon and Computer Associates. (CNET Networks is the parent of CNET News.com.)
The Trusted Download Program is creating a list of approved applications, which may in fact still display advertising. To be certified, makers of the software have to clearly communicate what their product does. The consumer has to consent to a software download before it begins, and then click again before the installation starts.
Critics have expressed doubts about the Trusted Download Program, saying that it may legitimize adware. They contend that some makers of disputed software may be able to gain certification and use that to expand their distribution.
StopBadware.org is taking the opposite approach. It plans to publish a blacklist of offending software and publicly shame the companies that create such applications. The initiative is run by Harvard University and Oxford University with backing from Google, Sun Microsystems and Lenovo.
On the StopBadware.org Web site, Internet users will be able to check if a piece of software is invasive and alert others to annoying programs they have encountered. The group is trying to tap into the experience of ordinary Internet users, and encourages people to share horror stories and technical reports. It plans to craft its own definitions for this kind of malicious software--a goal that overlaps somewhat with that of the Anti-Spyware Coalition.
"What is spyware? It is not a settled question," said Luis Villa, senior technologist at the Berkman Center for Internet & Society at Harvard Law School. Villa works on the StopBadware.org site. "It is not entirely clear that all the options out there are providing clear standards," he added.
Another area of development is spyware testing guidelines--both StopBadware and the Spywaretesting.org have pledged to come up with these. Spywaretesting.org is an initiative launched last month by antivirus companies McAfee, Symantec and Trend Micro, along with ICSA Labs and Thompson Cyber Security Labs. It plans to draft standards for spyware samples in addition to testing. All the companies involved, except for Thompson, are also members of the Anti-Spyware Coalition.
Though now separate, the groups may one day come together. Villa of StopBadware pointed out that any competition between the groups is friendly, and others noted that the efforts are still in an early, pioneering phase. Truste, which runs the Trusted Download Program, also appears to expect consolidation.
"I think they could all be complementary and get together over time," said Fran Maier, executive director of Truste.
There were some talk of this at the Washington event. Some attendees speculated that the Spywaretesting.org group might become part of the Anti-Spyware Coalition. In addition, a scheduled Friday meeting to discuss Spywaretesting.org's work spurred others into predicting that the organization might pick up more allies.
"Spywaretesting.org has been predominantly driven out of the antivirus industry," Eschelbeck said. "They probably have a need to involve the anti-spyware vendors as well. We're ready."
11 commentsJoin the conversation! Add your comment