Defining Spyware: A Solution

What is spyware? Many of today's definitions are inconsistent. A solution would be to require software vendors to document the behaviors in their software that most computer users find surprising.

What is spyware? Many of today's definitions are inconsistent. Meanwhile, other terms such as adware have emerged to describe software that doesn't actually spy but which some people find objectionable.

Definitions are important because they frame the debate and because they will be at the root of any legislation that Congress proposes. And if spyware is ever made illegal, companies that create the stuff will work hard to show that their software doesn't match the legal definition.

Instead of engaging in a war of words, a cleaner solution would be to require software vendors to document the behaviors in their software that most computer users find surprising. For example, programs such as Microsoft's Word and PowerPoint don't display pop-up windows when they are running in the background, but programs such as GAIN Publishing's Precision Time and Gator eWallet do. So let's require that Precision Time and Gator display a standardized icon that discloses this behavior.

A new federal law could empower the Federal Trade Commission to develop such icons and specify the locations inside the computer interface where the icons must appear. Logical places would include the program's installer or license agreement; its "About" box; and, in the case of Windows, the Add or Remove Programs control panel. Companies that intentionally included such functions without displaying the icons would be guilty of an unfair or deceptive trade practice.

This legislation could be modeled on the Pure Food and Drug Act of 1906. Back then, U.S. consumers faced a horrible problem of narcotics and other addictive drugs being routinely added to foods of all kinds, from soft drinks to baby food. The act didn't outlaw the practice; it simply required that specific ingredients be disclosed on a product's label.

A century later, the problem is not hidden drugs but hidden software functions. So the modern equivalent, let's call it the Pure Software Act of 2006, would require companies to disclose that their programs perform functions such as monitoring keystrokes when other programs are active, autonomously searching a computer's files, dialing a telephone, automatically running at system startup and letting a computer be remotely controlled. The law could also prohibit programs from installing invisibly and from preventing themselves from being uninstalled.

Such companies as GAIN say users are happy to see ads in exchange for the useful features their programs provide. If this is so, they should be pleased to have those features clearly disclosed in standardized icons. Those icons, with support for uninstalling the programs, will let users who object make their own choices.

Simson Garfinkel recently completed his doctoral thesis at the Massachusetts Institute of Technology on the interrelationship of security and usability. Chapter 8, "Regulatory Approaches," can be downloaded from

Free Spectrum is a forum for the IT community and welcomes contributions. Send submissions to
