Light is shed on spyware and other ware wolves

July 14, 2005 | By Mike Himowitz

IT MAY NOT be easy to define spyware, but if your computer is infected with it, you probably know what it looks like. It makes ads for porn sites pop up, hijacks your Web browser to a site you've never heard of or slows your computer to a crawl for no apparent reason.

That's if you're lucky. In the worst case, you may not know you're infected at all as some forms of spyware track your Web surfing habits, steal your passwords and credit card numbers, or turn your computer into a "zombie" that sends out thousands of spam e-mails.

It's a serious problem. Forty-three percent of adult Internet users say their computers have been invaded by some form of intrusive software they never asked for and don't want, and 91 percent have changed their Internet habits in some way to avoid it, according to a survey released in June by the Pew Internet and American Life Project.

Still, it has been difficult for lawmakers and regulators to get a handle on the problem because there's no general agreement about what spyware is - other than that you know it when you see it.

Toward that end, a group of anti-spyware vendors and consumer groups backed by some of the industry's biggest players this week issued a set of draft definitions for spyware and its kissing cousin, adware, that could help shape rules for the behavior of publishers who create the software and those who want to eliminate it.

The Anti-Spyware Coalition includes small software specialists such as Tenebril and Webroot; Web giants such as Microsoft, Yahoo and America Online; and Internet activist groups such as the Center for Democracy and Technology, which organized the effort.

The coalition's 13-page report, available on its Web site and open for public comment until Aug. 12, unfortunately dances around the delicate issue of what constitutes spyware versus "legitimate" adware.

This will always be the subject of dispute with publishers of advertising-supported software such as browser tool bars, amusing cursors, online games, password managers and file sharing utilities.

They build popup-ad delivery and Web-tracking features into these popular applications. But the adware publishers claim they're not violating any legal or ethical guidelines as long as they inform the user and get permission - usually in a few phrases buried deep in a 5,000-word, onscreen disclaimer that no one without a law degree, let alone the average 12-year-old, can understand.

Instead of confronting adware head-on, the anti-spyware group defines "Spyware and Other Potentially Unwanted Technologies" as software that impairs users' control over:

Material changes that affect their user experience, privacy or system security.

Use of their system resources, including what programs are installed on their computers.

Collection, use and distribution of their personal or otherwise sensitive information.

"These are items that users will want to be informed about," the organization concludes, "and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable."

Despite its flaws, the document is worth downloading and reading because it contains a good glossary of spyware and adware and other malware, along with an account of the dangers and benefits - often real - that these types of programs can provide.

Botnets, too

In addition to adware and spyware, the glossary's entries include alternate data streams, botnets, back doors, browser plug-ins, bundles, dialers, downloaders, droneware, key loggers, port scanners and screen scrapers.

Although I've followed the issue for years, there were a few types of malware I'd never heard of. My favorite is the "trickler," a program that slowly and silently downloads or reinstalls malicious software in the background.

It's hard to say whether this effort will have any real impact. One of its major omissions, for example, is any standard for how up-front a program has to be about informing you that it's going to pop up ads or track your surfing habits.

It's also hard to see how a group like this can rise above its members' vested interests and internal conflicts.

Microsoft conflict?

Consider Microsoft, a member of the coalition and publisher of its own anti-spyware software. The company developed its widely respected spyware eradicator because malware was threatening user confidence in Microsoft's franchise Web program, Internet Explorer.

But critics note that Microsoft recently changed the way the anti-spyware program treats adware from a company called Claria, which developed a reputation for intrusiveness under its former name of Gator (it was certainly intrusive and hard to get rid of on my computer).

Instead of recommending that users get rid of Claria's software, Microsoft's anti-spyware program now recommends that users ignore it - which means it will stay on computers whose users trust Microsoft to protect them. Is it a coincidence that Microsoft is reportedly in negotiations to acquire Claria?

Baltimore Sun Articles