The Chaotic World of Defining Spyware

Anti-spyware vendors each use different criteria for classifying spyware applications, leading to chaos, confusion and a drastic increase in legal threats.

Earlier this week, when anti-spyware vendor eTrust PestPatrol temporarily removed detections for eight adware applications marketed by Claria, the move caused many a raised eyebrow among anti-spyware advocates.

PestPatrol said Friday it would relist all of the Claria Corp. applications on its threat database after a one-week Vendor Appeal Process, but the absence of a standard approach to defining the unwanted programs has plunged the industry into deep chaos and confusion.

PestPatrol, which is marketed by Computer Associates International Inc., uses a strict, 21-point Spyware Scorecard to determine whether to flag a piece of software as a privacy or security threat.

"We use a behavior-based list of criteria, and we make that list public. If your software meets any of the criteria, you're classified as spyware in our database," said Tori Case, director of security management at eTrust PestPatrol.

That approach, Case argued, sets up a structure for a legitimate adware vendor with good intentions to "clean up their act" in an open, transparent way.

In stark contrast to the PestPatrol approach, anti-spyware players such as Webroot Software Inc., Sunbelt Software and newcomer Microsoft Corp. deliberately avoid limiting or restricting the definition criteria.

"The adware vendors want you to use strict definitions so they can play games and work around those lists. That's why PestPatrol is having problems with delisting and relisting," said Eric Howes, an anti-spyware advocate who provides consulting services for Sunbelt. "The minute you set up these definition lists, you are setting yourself up for cat-and-mouse games."

"A better approach is to define a set of objectionable practices. Many people want to focus on the quality and functionality of the software, but that doesn't work because there's a lot of deceptive intent [from adware vendors]," Howes said in an interview with

"You have to focus on the business practices and outline a list of objectionable behavior. Yes, it can be subjective, but that's the only way it works in the interest of the consumer," Howes said.

Paul Bryan, director of product management in Microsoft's Security Business and Technology Unit, said the differing approaches, definitions and types of criteria are a problem that needs to be addressed.

Bryan told that key elements of any anti-spyware product are the approach and criteria used to determine whether a program should be added to the definition library for detection, and what classification would be appropriate.

"Today, the industry uses different approaches, definitions and types of criteria for identifying and categorizing spyware and other potentially unwanted software, which limits the industry's ability to have a broad, coordinated impact in addressing the problem," Bryan said.

Microsoft's Windows AntiSpyware, which is currently in beta, will not use strict, publicly known definitions. According to a white paper outlining its approach, Microsoft will zero in on deceptive behaviors and the amount of control the user is given.

"Unlike other forms of software, which tend to either be good or bad, spyware often exists in shades of gray. With the exception of malicious behaviors, many of the behaviors could have legitimate purposes," according to the Microsoft document.

The software giant said the Windows AntiSpyware product will sift through issues such as notice and consent about what is running on the user's machine; control over the actions taken by the program while it is running on the machine; the way private data is collected and used without explicit consent; and the negative impact on the security of a PC.

Microsoft's criteria also address the general impact on performance, reliability and quality of the user's computing experience. For example, if an adware program slows down PC performance or corrupts the operating system, it is likely to be flagged as a spyware threat.

Microsoft's white paper received a thumbs-up from researcher Eric Howes. "They are moving in the right direction. There are a few weaknesses here and there, and I'd like to see them provide some more details, but generally their approach is good."