Applications that wait to steal your personal information are legion, so Carlos Valiente recommends constant vigilance
Surf's up, and catching the wave on the newest and most innovative web sites can be enticing. But that ride can exact a heavy price on unsuspecting users, particularly when advertisers may be tempted to use any means to increase their sales.
There are currently more than 800 freeware and shareware applications that have been identified as having the ability to collect and distribute your personal information across the internet, and that number is growing every day. Only a fine line exists between privacy and what these parasitic agents are capable of collecting.
Targeting personal information
I am not referring to commercial software whose functions are legitimately used to perform computer surveillance, parental control or law enforcement. What we are discussing here are applications that falsely advertise their intended use or bury their intent in small-print legal jargon within those 'License Agreements' that most users quickly check off during an install process.
The spyware of the 70s was characteristically a 'Trojan horse,' and its intent was typically to cause damage to a computing infrastructure. Today's spyware also carries a hidden payload, but one that more frequently targets collection of information on the personal likes and dislikes of unsuspecting surfers.
While information collection of that sort can result in unsolicited junk mail, a much more serious line is crossed when information collection includes recording keystrokes that can expose confidential information such as passwords and credit card numbers. At that point, spyware is transformed into malware - a serious problem. After all, your identity and privacy are at risk in a world where identity theft has become a booming business.
An infestation can occur in numerous ways, though the most common source is visits to web sites that prompt users to auto-install Java or ActiveX applets. The majority of freeware and shareware applications also bundle this code. For instance, the music file sharing and interactive applications industries are literally plagued with adware-type code attached to them.
Many of the symptoms are common: your browser settings are changed, you are bombarded with pop-up ads and junk email, automatic file transfers occur without your consent, and your computer's CPU processing time may even be co-opted or stolen.
Going on the offensive
Only a handful of anti-virus companies integrate spyware detection capabilities into their anti-virus programs; some require you to purchase it as an additional application. In the interim, protect your company and yourself by considering the countermeasures listed in the accompanying boxout.
The Online Personal Privacy Act, a proposed U.S. Senate bill, would require companies to obtain permission prior to disclosing the information collected, allow consumers a way to opt out, and place responsibility on those that gather the data by requiring safeguards against potential unauthorized access. The European Union and many other countries are introducing similar legislation under the internet privacy umbrella.
Until then, we must remain aware of the risk and implement protective measures that prevent these applications from transmitting information without full disclosure. As more users become aware of the risks these applications pose, it is likely that pressure will be placed on the marketplace and applicable laws will be enacted to protect you.
Carlos Valiente, Jr. is an internal security IT risk management technical director for PricewaterhouseCoopers (www.pwc.com).
Here are just a few of the laws in the U.S. relating to spyware and privacy in cyberspace. There are many others, some relating to specific areas such as health.
House of Representatives
All legislation is published by the Library of Congress (https://thomas.loc.gov).