Earlier this week, when anti-spyware vendor eTrust PestPatrol temporarily removed detections for eight adware applications marketed by Claria, the move caused many a raised eyebrow among anti-spyware advocates.
PestPatrol said Friday it would relist all of the Claria Corp. applications on its threat database after a one-week Vendor Appeal Process, but the absence of a standard approach to defining the unwanted programs has plunged the industry into deep chaos and confusion.
PestPatrol, which is marketed by Computer Associates International Inc., uses a strict, 21-point Spyware Scorecard to determine whether to flag a piece of software as a privacy or security threat.
“We use a behavior-based list of criteria, and we make that list public. If your software meets any of the criteria, you're classified as spyware in our database,” said Tori Case, director of security management at eTrust PestPatrol.
That approach, Case argued, sets up a structure for a legitimate adware vendor with good intentions to “clean up their act” in an open, transparent way.
In stark contrast to the PestPatrol approach, anti-spyware players such as Webroot Software Inc., Sunbelt Software and newcomer Microsoft Corp. deliberately avoid limiting or restricting the definition criteria.
“The adware vendors want you to use strict definitions so they can play games and work around those lists. That's why PestPatrol is having problems with delisting and relisting,” said Eric Howes, an anti-spyware advocate who provides consulting services for Sunbelt. “The minute you set up these definition lists, you are setting yourself up for cat-and-mouse games.”
“A better approach is to define a set of objectionable practices. Many people want to focus on the quality and functionality of the software, but that doesn't work because there's a lot of deceptive intent [from adware vendors],” Howes said in an interview with eWEEK.com.
“You have to focus on the business practices and outline a list of objectionable behavior. Yes, it can be subjective, but that's the only way it works in the interest of the consumer,” Howes said.
Paul Bryan, director of product management in Microsoft's Security Business and Technology Unit, said the differing approaches, definitions and types of criteria are a problem that needs to be addressed.
Bryan told eWEEK.com that key elements of any anti-spyware product are the approach and criteria used to determine whether a program should be added to the definition library for detection, and what classification would be appropriate.
“Today, the industry uses different approaches, definitions and types of criteria for identifying and categorizing spyware and other potentially unwanted software, which limits the industry's ability to have a broad, coordinated impact in addressing the problem,” Bryan said.
Microsoft's Windows AntiSpyware, which is currently in beta, will not use strict, publicly known definitions. According to a white paper outlining its approach, Microsoft will zero in on deceptive behaviors and the amount of control the user is given.
“Unlike other forms of software, which tend to either be good or bad, spyware often exists in shades of gray. With the exception of malicious behaviors, many of the behaviors could have legitimate purposes,” according to the Microsoft document.
The software giant said the Windows AntiSpyware product will sift through issues such as notice and consent about what is running on the user's machine; control over the actions taken by the program while it is running on the machine; the way private data is collected and used without explicit consent; and the negative impact on the security of a PC.
Microsoft's criteria also address the general impact on performance, reliability and quality of the user's computing experience. For example, if an adware program slows down PC performance or corrupts the operating system, it is likely to be flagged as a spyware threat.
Microsoft's white paper received a thumbs-up from researcher Eric Howes. “They are moving in the right direction. There are a few weaknesses here and there, and I'd like to see them provide some more details, but generally their approach is good.”
Richard Stiennon, vice president of threat research at Webroot, said the latest brouhaha around spyware definitions is a direct result of an increase in legal threats against anti-spyware vendors and advocates.
“The threat of litigation is a growing issue. The only reason PestPatrol would stop identifying a piece of adware as a threat is because the lawyers are sending them letters,” Stiennon said.
Claria's GAIN is listed high on Webroot's top 10 spyware threats because, according to Stiennon, it falls under the three broad criteria used to determine threats.
GAIN is described as an adware program that displays banner advertisements based on a user's Web surfing habits. The application is usually bundled with numerous free software programs, including the Kazaa file-sharing program.
Stiennon won't discuss individual legal threats from adware companies, but he said the company was constantly receiving cease-and-desist letters from some of the biggest names in the behavioral marketing business.
“The legal threats are constant. It's becoming a drain on our resources, but that tells us we're having an impact on dealing with spyware,” Stiennon said. “I don't think PestPatrol should have backed down because that's what the adware vendors want. They want to force the issue and avoid detection.”
Ben Edelman, a Harvard University student who monitors the spyware scourge, has published a detailed list of threats and demands made by adware providers. The list includes actual lawsuits filed against anti-spyware vendors and legal complaints against bloggers and other spyware critics.
Webroot's Stiennon said his company uses very simple and straightforward definition criteria. “If the software displays ads, it's adware. It's that simple.”
But even then, he said he agrees there are gray areas, especially when the ads are displayed within the application's real estate. The free versions of the Opera browser and the Eudora e-mail client display advertising, but those aren't classified as spyware.
Webroot also looks closely for system monitors or keystroke loggers, programs that gather data about a user's activity and transmit that data to unknown destinations. “These are the more dangerous threats because it can be used to steal passwords, credit card numbers and other sensitive data.”
Webroot also flags behavior-tracking cookies that identify Web sites that users visit for the explicit purpose of serving targeted advertisements.
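The two classification styles the article contrasts, a strict public list that an adware vendor can work around versus behavior-based criteria of the kind Microsoft's white paper and Webroot describe (notice and consent, user control, undisclosed data collection, keystroke logging, ads outside the application's own window, performance impact), can be made concrete with a small scorecard. The following is an added illustration written for this page, not code from PestPatrol, Webroot, Microsoft or any vendor named here; the program names, installer bytes, criteria weights and behaviour flags are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class SoftwareProfile:
    """Observed behaviours of one program. Every field here is constructed for this example."""
    name: str
    installer: bytes                       # installer bytes, used only for the hash list
    displays_ads: bool = False
    ads_outside_own_window: bool = False   # pop-ups/banners injected outside the app's own UI
    disclosed_at_install: bool = True      # notice and consent
    user_can_uninstall: bool = True        # user control over the program
    sends_browsing_data: bool = False      # private data collection
    logs_keystrokes: bool = False          # system monitor / keystroke logger
    degrades_performance: bool = False     # performance and reliability impact


# Behaviour-based criteria modelled on the kinds of behaviour the article lists.
# Each entry: (label, predicate, severity). One "malicious" hit is enough for
# "spyware"; any remaining hits make the program "adware"; no hits means not flagged.
CRITERIA = [
    ("keystroke logger", lambda p: p.logs_keystrokes, "malicious"),
    ("undisclosed data collection",
     lambda p: p.sends_browsing_data and not p.disclosed_at_install, "malicious"),
    ("ads outside own window", lambda p: p.displays_ads and p.ads_outside_own_window, "unwanted"),
    ("no notice or consent", lambda p: p.displays_ads and not p.disclosed_at_install, "unwanted"),
    ("cannot be uninstalled", lambda p: not p.user_can_uninstall, "unwanted"),
    ("degrades performance", lambda p: p.degrades_performance, "unwanted"),
]


def scorecard(profile):
    """Return the (label, severity) pairs of every criterion the profile meets."""
    return [(label, sev) for label, pred, sev in CRITERIA if pred(profile)]


def classify(profile):
    """Behaviour-based verdict: 'spyware', 'adware' or 'not flagged'."""
    hits = scorecard(profile)
    if any(sev == "malicious" for _, sev in hits):
        return "spyware"
    return "adware" if hits else "not flagged"


def installer_hash(profile):
    return hashlib.sha256(profile.installer).hexdigest()


def listed(profile, blocklist):
    """Strict list approach: flagged only if this exact installer is already known."""
    return installer_hash(profile) in blocklist


# Constructed sample programs (not real products).
POPUP_V1 = SoftwareProfile("PopBanner 1.0", b"POPBANNER-INSTALLER-v1",
                           displays_ads=True, ads_outside_own_window=True,
                           disclosed_at_install=False)
# Same behaviour, repackaged so the installer hash changes.
POPUP_V2 = SoftwareProfile("PopBanner 1.1", b"POPBANNER-INSTALLER-v2",
                           displays_ads=True, ads_outside_own_window=True,
                           disclosed_at_install=False)
# Ad-supported client that shows ads inside its own window with disclosure: the gray area.
AD_MAIL = SoftwareProfile("FreeMail (ad-supported)", b"FREEMAIL-INSTALLER", displays_ads=True)
# A system monitor that hides itself and reports activity without consent.
MONITOR = SoftwareProfile("QuietWatch", b"QUIETWATCH-INSTALLER",
                          logs_keystrokes=True, sends_browsing_data=True,
                          disclosed_at_install=False, user_can_uninstall=False)

# The strict list only knows the first packaging.
BLOCKLIST = {installer_hash(POPUP_V1)}


def compare(profile, blocklist=BLOCKLIST):
    """Show the list verdict next to the behaviour verdict for one program."""
    return {
        "name": profile.name,
        "on_list": listed(profile, blocklist),
        "behaviour": classify(profile),
        "criteria": [label for label, _ in scorecard(profile)],
    }


if __name__ == "__main__":
    for program in (POPUP_V1, POPUP_V2, AD_MAIL, MONITOR):
        print(compare(program))
```

Running it shows the cat-and-mouse problem Howes describes: the repackaged PopBanner 1.1 is missed by the hash list but still scores as adware on behaviour, the ad-supported mail client is left alone because its ads stay inside its own window with disclosure, and the hidden system monitor is classed as spyware on the malicious criteria alone.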
PestPatrol's Tori Case defended the company's use of a rigid definition formula, which is revisited and updated to accommodate new threats.
“We revisit the scorecard every 90 days to make modifications to reflect the changing nature of the spyware market. That's how we address the issues of a company playing games. It's a rapidly evolving world out there, and we have systems in place to deal with it,” Case said.
She said the vast majority of vendor appeals do not result in big changes to the PestPatrol product, and even when detections are removed, old versions of the adware program are still detected and deleted.
“We're very committed to the approach we've taken with the scorecard. That's not going to change anytime in the future,” Case added.
Microsoft's Bryan said he thinks the confusion points to the need for an industry body to kick-start dialogue. Such an initiative would take the place of COAST, the anti-spyware coalition that collapsed earlier this year amid a rash of acrimony and finger-pointing.
The COAST group fell apart after several founding members objected to the decision to allow membership to 180solutions Inc., a Bellevue, Wash.-based search marketing company that uses questionable tactics to install ad-serving software on computers.
PestPatrol, Webroot and Sunbelt have all echoed Microsoft's call for a new coalition with clearly defined guidelines and objectives.
“There is a crying need for information-sharing [among anti-spyware vendors],” Howes said. “The goal of a new coalition needs to be narrower and tightly defined.”
PestPatrol's Case said she agrees. “Hindsight is 20-20 for all of us. Some big mistakes were made in COAST that we can all learn from. Although there is a place for certification [of adware applications], it should not be within an anti-spyware group. We need to build a wall to avoid those conflict-of-interest issues.”