A high-powered coalition of anti-spyware vendors has collapsed amid a rash of acrimony and finger-pointing.
The Consortium of Anti-Spyware Technology vendors (COAST) was rendered toothless when three founding members—Webroot Software Inc., Aluria Software LLC and Computer Associates International Inc.s PestPatrol—withdrew from the group, citing separate reasons for quitting.
Another founder, Lavasoft Inc., pulled out of the consortium earlier and accused COASTs leadership of adopting an “overt agenda to concentrate on revenue generation.”
The latest withdrawals stem from the decision by COAST to allow membership to 180solutions Inc., a Bellevue, Wash.-based search marketing company that uses questionable tactics to install ad-serving software on computers.
In statements released over the weekend, Webroot and Aluria listed different reasons for leaving COAST, and although the inclusion of 180solutions was not mentioned, company executives made it clear that they were uncomfortable with the idea of adware firms using COAST membership as a marketing tool.
“Of late, we have become concerned that COAST is moving in a direction with which we cannot agree,” Boulder, Colo.-based Webroot said in a statement.
“We have long championed an open dialog among anti-spyware solutions on standards criteria for defining spyware. However, we are not comfortable with the idea of COAST as a certification body or as a marketing tool for member companies.”
Aluria, based on Orlando, Fla., said it tried in vain to get COAST to define a clear and comprehensive set of spyware standards and code of ethics for adware developers. “Despite our best efforts, however, COAST was slow-moving in setting standards. We have tried, but COAST is no longer a viable organization,” Aluria added.
Sam Curry, vice president of product management for CAs eTrust brand, told eWEEK.com that PestPatrol also would pull out of the consortium, but he pinned the blame for the breakup squarely on the shoulders of Webroot and Aluria.
“I find it odd that 180solutions is the source of the conflict. The goal [of COAST] was to certify vendors that reformed their product. 180solutions went to great pains to make major changes. The new versions of their software conform to scorecards and standards,” Curry said.
“Its sad that some ill-informed and hasty moves are drawing such attention. COAST really was doing something valuable and getting developers to change their questionable tactics,” he added.
Richard Stiennon, vice president of threat research at Webroot, confirmed that the company was uncomfortable with the inclusion of adware/spyware companies and the direction in which COAST was headed.
“When we were originally forming COAST, we never envisaged it as a certification body. It was created as a place for anti-spyware vendors to meet, discuss and create standards for treating a common problem,” Stiennon said in an interview with eWEEK.com.
“Suddenly, we have 180solutions and other adware vendors purchasing membership as some sort of marketing ploy. We were not comfortable with that direction.”
He said Webroot abstained from the vote to include 180solutions and hinted that at least two other adware vendors with questionable installation and tracking techniques are in the queue for COAST membership.
Next Page: Whom can users trust?
Users Trust
Ben Edelman, a Harvard University student who monitors the spyware scourge, said the inclusion of 180solutions in COAST was problematic from the start. In fact, Edelman said, Webroot and PestPatrol detect and remove the 180solutions application.
“For a fee, COAST is certifying controversial providers of allegedly unwanted software, dramatically complicating the role and duties of COAST and its members. COAST staff are providing favorable quotes in 180 press releases. Who can users trust?” Edelman argued.
Edelman has published a detailed research report with evidence of installation practices by 180solutions that are “outrageous and unethical.” Among other things, Edelman found that 180solutions took advantage of known security vulnerabilities and failed to provide adequate disclosure notice.
“Indeed, in my testing, 180s installation practices remain among the worst in the industry,” Edelman said.
PestPatrols Curry confirmed that there were problems with legacy software released by 180solutions but insisted that COAST could be used to positively influence the companys business ethics.
“With viruses, youre dealing with malicious people. But in the spyware industry, youre dealing with legitimate companies with known investors. Its very valuable to reach out to them and set up guidelines for them. COAST was moving in that direction and having a positive influence,” Curry insisted.
However, Webroots Stiennon argued that 180solutions had not yet improved its installation practices. “They just promised to improve with a new version thats due out in the next 60 days. We dont know for sure,” he argued.
He said the companys n-CASE adware program, which is bundled with freeware applications, remains listed as one of the top three spyware threats most frequently identified by Webroots Spy Audit tool.
Edelman told eWEEK.com that COAST was always on tricky ground when it decided to get into the business of certifying companies that market spyware applications.
“Deceptive installations can be hard to find. On what basis would an organization certify a companys practices as improved? That the organization hasnt observed any bad practices in recent history? What if they just havent been looking in the right places?” he argued.
“Certification is all the trickier when the certifying authority has a clear financial interest in issuing the certificate,” Edelman added, noting that membership in COAST amounted to an annual fee of less than $10,000.
“Certifying any company on the basis of promises rather than actual reformed behavior is a bad idea. But thats exactly what COAST did with 180—certifying 180 on the basis that 180 has agreed to work with COAST to improve its practices, but not that 180s practices have already improved,” Edelman said.
Officials at COAST and 180solutions did not respond to queries for comment.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.