The Sad State of Spyware

Opinion: One year after the FTC workshop on spyware, things have gotten worse.

Theres reason to be optimistic about many security problems, but others are less encouraging. One of the worst is the problem of spyware and adware, which, in the year since the FTC held a workshop on it, has metastasized badly.

As detailed by spyware hunter Eric L. Howes, use of misleading and illegal techniques has mushroomed in the last year, but the FTC has brought action in only two cases, neither of them involving actual adware or spyware vendors.

The two cases instead involve shady anti-spyware vendors, certainly worth pursuing, but only a side-effect of the real problem.

Actually, the extent of this side-effect is indicative of just how bad things have become: Howes Rogue Anti-Spyware List began about a year ago and has grown to almost 200 phony and hypocritical products.

The most common technique they use is a free demo version that uses false positive detection of spyware as a goad to purchase the product.

But some go further, actually installing adware, lacking privacy policies, and stealing each others databases. What, youre surprised?

In the meantime, the actual adware out there (when we say spyware, we mostly mean adware; the two terms have come to be intertwined for reasons which arent entirely logical) has become more aggressive, utilizing vulnerabilities in Windows to install themselves.

The adware industry, which showed up at the workshop, makes all manner of lame excuses for itself, blaming, among others, users for not being more savvy about these things and not reading the lengthy license agreements in which the companies often state that they will install other software when and how they please.

I think its fair to say that other forms of threats and malware, for the most part, are in retreat.

Users who want to can protect themselves in almost all cases automatically and unobtrusively.

But adware is growing as a threat, and adware vendors are getting more aggressive.

They even have the temerity to attempt to silence their critics, as Ben Edelman has documented in his "Threats Against Spyware Detectors, Removers, and Critics" page.

Some have succeeded in bullying anti-spyware companies into removing signatures.

Howes is most distressed at the attempt by adware vendors to distance themselves from the act of infecting the system by using third-party "pay-per-install" affiliate networks to attach the programs to other applications.

Its not hard to see how theyll get away with this by using legal intimidation and obfuscation.

There is good news, although I have to feel that Ill defer my optimism until its clearly warranted.

Windows XP SP2 has many new features that make illicit installations of programs more difficult—but not at all impossible.

Good anti-spyware products are emerging, even from companies, such as Microsoft, that are difficult to bully, and the anti-virus industry is finally awakening to the notion that it should be blocking threats like these. (Its about time.)

ISPs are also beginning to provide software to protect users.

Howes is encouraged at some legal developments, but this worries me also.

Id rather see the federal government go after miscreant adware vendors than either state attorneys general or the plaintiffs bar.

Since the feds dont seem inclined to go after the problem, even though they claim they have the legal authority to do so, Ill stick with my downcast attitude.

As long as there are teenagers, it seems computers will get infected with adware.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

28571.gif

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

More from Larry Seltzer