What's Spyware? Let's Ask Congress!

It can be good to keep laws that are short and simple, but the SPY BLOCK Act leaves the mysteries of spyware a little too unexplained.

Spyware doesn't get discussed enough for a number of unfortunate reasons. For most people, the distinction between spyware and some other malware installed on their system is too subtle to bother with. Even experts are vague with their use of the term spyware at times, conflating it with "adware" and other vague categories of nasty things.

I think the subtlety of the distinction is an argument for consolidating antispyware features into antivirus software, which is far more widespread and performs a very similar function. But this puts antivirus companies into a bad position: They have to know what spyware is.

It seems that there must be a critical mass of mad people out there, because enough of them complained to their U.S. senators to get a bill pending. The Software Principles Yielding Better Levels of Consumer Knowledge (SPY BLOCK) Act doesn't ban the software it addresses, but it sets some tough rules for it. It also doesn't really define spyware. I don't have a good definition available, but I think the lack of definitions in this bill is a problem.

I read the act, and my premonition was confirmed. The definitions in it are loose enough that they could easily apply to legitimate programs as well, although the authors clearly are trying to carve out proper exceptions.

In general terms, some of the actions banned by the act include:

  • installing software without notice to and consent from the user
  • installing software without a proper uninstall available
  • misleading the user about who is responsible for the program or about the services provided by it
  • not taking reasonable measures to protect users' privacy.

The act requires that disclosure precede and consent be obtained for each instance of "information collection, advertising, distributed computing and settings modification." The program is required to remind users, more or less constantly, that they can uninstall it and how to do so.

OEM-preinstalled software is exempt as long as users are still informed of any "information collection, advertising, distributed computing and settings modification." All of these notifications and consents are waived if the function is "reasonably needed to … provide capability for general-purpose online browsing, electronic mail or instant messaging, or for any optional function that is directly related to such capability and that the user knowingly chooses to use." It's also waived if the function is related to determining whether the license is valid or to provide technical support.

But some of the language in that first waiver—"for any optional function that is directly related to such capability and that the user knowingly chooses to use"—sounds like wiggle room for companies such as Claria Corp., formerly called Gator Corp., that install misleading ad servers on users' computers. Claria recently used the threat of lawsuits to stop people from referring to its product as "spyware." Fine, we'll call it "adware," as some security programs such as Norton Antivirus 2004 do. What exactly does it do?

According to Claria's own Web site:

"The GAIN Network is the world's largest in-context behavioral advertising network. The GAIN Network helps keep many popular software applications and Web sites free in exchange for delivering advertising, which is selected for display based on your online surfing behavior.

Users of GAIN Network Web sites and software applications receive GAIN AdServer Software, which displays (or facilitates the display of) online advertising from the GAIN Network."

But will the act require that Claria get approval from the user each time it puts up an ad? That's harsh, and it probably makes the program too intrusive to be tolerable. Boo-hoo.

But I'm more concerned about other definitions and their implications for legitimate software. What is "information collection"? It's easy to assume that they are referring to personal information such as name and Social Security number. But it's not defined. How about antivirus software, or the Windows indexing service? They both scan the system for "information" and collect it. Are they both supposed to get consent each time they run now? Even when they run on a schedule?

I guess we can expect software companies to be commenting on this bill as the hearings on it proceed. You can be sure they'll pick it apart. I expect that, at the end of the day, this particular bill won't make it all the way.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
