Whats Spyware? (Part Deux)

Congress asked what spyware was and gave a shallow answer, but the good answer isn't so obvious. Even different anti-spyware vendors disagree on who the bad guys are.

In a recent column, I looked at the proposed SPYBLOCK (Software Principles Yielding Better Levels of Consumer Knowledge) act in Congress and concluded that the initial drafting of the bill does a poor job of defining the activities it bans. I dont want to defend a bad definition of spyware, but in all fairness, I dont have a good one, either. Truth is, there is no general agreement in the anti-spyware community—even among vendors of anti-spyware software—of what programs and other things to block.

A workshop is being held this week in Washington D.C. by the Federal Trade Commission. Its not the kind of forum for making decisions, but I hope its a helpful step in defining some boundaries for vendors. I may not like the SPYBLOCK act, but I do think theres an important role for the law here, since fraud and misappropriation of computer resources should be illegal. I dont have much confidence in the government being able to define the line between proper and improper program behavior, so I think the industry needs to come to a consensus.

Sure, there are some cases that are unambiguous, so much so that anti-virus software probably detects it, too. Keyloggers, for example, which are programs that track what your keystrokes and perhaps mouse selections on the PC are and send them off to others. Or Trojan horse programs that remote attackers use to form a "bot army" for some distributed denial-of-service attack. These things exist, and therefore too many people have them. But, in an important sense, they arent what the real problem is.

The problem is with the ambiguous cases. Maybe "ambiguous" is too generous, but consider that some companies are completely open about what they are doing. Others call what theyre doing spyware or, more likely, "adware." Im not a lawyer, so I cant say, for example, whether Clarias explanation of what its Gator software does, not to mention the license agreement they present at install time, is accurate and fair. But assume, for the sake of argument, that they are. I still think Gain is a sleazy piece of software, but being upfront about it counts for something.

There are other difficult cases, at least from the point of view of anti-spyware software. Do you have a copy of the free remote-control program Virtual Network Computing on your computer? You might have one that you installed yourself, and that would be fine. How about the copy that some attacker installed and which you dont know about? That would be a very bad thing indeed, but how is an anti-spyware program supposed to know?

The next level of controversy is ad-supported software, the classic example of which is the Eudora mail client in "sponsored" mode. Eudora is a mail client for Windows, Mac and Palm OS. If you dont pay $49.95, you can still use the program, but ads will appear in it, including up to three "sponsored toolbar links" that appear alongside toolbar items that do actual Eudora stuff. The Opera Web browser has similar arrangements.

Some people, and some anti-spyware programs, consider Eudora in sponsored mode to be "adware." Why? Because it serves ads. This seems a bit simple-minded to me.

But the most significant controversy over such definitions has to do with cookies. I run SpyBot Search & Destroy on a system here, and its always warning me about various threats that basically are just cookies.

Are cookies spyware or adware? Some people go ape over cookies and have no perspective on them at all. First, without cookies, browsing becomes a much less convenient experience. Youd have a lot more typing and memorizing to do without cookies. What people dont like about cookies is how they get tracked as they move from site to site, and how a picture of their habits is taken and sold, and so on. This sounds sinister, but for the most part I consider it part of the price for free content. Also, some of the better-known "threats," such as Avenue A (which youll probably find on this page), conform to P3P (Platform for Privacy Preferences), so you have some control generally in Internet Explorer over whether youll accept their cookies on their terms.

We could argue all day about whether cookies like that are a bad thing and if people need to be protected against them, but I think its far out of proportion to put them in the same ball park as programs that serve surreptitious ads or, for that matter, run any sort of software on your system. In case you didnt know, cookies arent programs that run on your computer.

Perhaps the SPYBLOCK act isnt all that far off. Defining what programs can and cant do is a daunting task; the important part of the bill is that it bans what the user doesnt consent to, and thats the good part of the approach.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/3/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

More from Larry Seltzer