With lawmakers aiming to control it, spyware has become a hot topic – but combating the sneaky software can be a tricky business when it comes down to it.
First of all, there is no hard-and-fast definition of spyware. The term typically refers to software that secretly downloads on to a user’s system to track web surfing habits, hijack the web browser, or log keystrokes to steal personal information. But spyware is often also used to describe any old adware, including some that is relatively innocuous, and is even sometimes used to describe cookies.
“Unlike the anti-virus market, there is no established industry standard,” said Brian Foster, a senior director of product management at Symantec. “There is no third party that said ‘this is what spyware is, this is the difference between spyware and adware.’ What one vendor calls adware, others might call malicious code.”
Ed English, CEO of content filtering firm InterMute, said that the ambiguities surrounding spyware make standards difficult, and a legislative solution impossible.
The financial motivation behind spyware, coupled with the tricky ways end-user agreements can be written so as to permit software that a user never agreed to, will allow spyware to stay ahead of any laws, he explained.
“It’s too wiggly a worm to get in a cage,” said English. “The law won’t be able to get its hands around this animal. It’s a technology problem.”
Yet legislators remain intent on controlling the surreptitious software. In January, Rep. Mary Bono (R-Calif.) reintroduced her bill, Securely Protect Yourself Against Cyber Trespass (Spy Act).
Co-sponsored by Rep. Joe Barton (R-Texas) and Rep. Edolphus Towns (D-NY), the bill would require that consumers receive clear notice prior to downloading spyware, and would ban deceptive activities such as keystroke logging.
While lawmakers hammer out the laws, security suppliers are working with customers to thwart spyware. But they have run into some sticky issues.
“This adware-spyware thing is a quagmire,” said Vincent Gullotto, vice-president of McAfee’s Avert anti-virus team.
For example, what can be classified as spyware might be a remote-access program used by an IT administrator. And blocking adware can bring complaints and legal threats from marketing firms which claim that their business is being blocked, he said.
“We have to proceed cautiously. We’re not going to blatantly call things adware or spyware,” he said.
“We will call it a potentially unwanted program and let the customers decide.”
Richard Stiennon, vice-president of threat research at anti-spyware supplier Webroot, said an anti-spyware solution should enable an enterprise to create a whitelist of programs they want, such as keyloggers installed for legitimate reasons. But adware firms do not have any legal protection from being blocked on a PC, he said.
“It’s pretty cut and dried that they are trespassing on someone’s computer,” said Stiennon. “The defense for any anti-spyware company is to give the end user a choice over what’s running on their computer.”
Stephen Wu, CEO of InfoSec Law Group, a Silicon Valley-based law firm, said an adware firm could potentially claim that a software firm is intentionally interfering with its economic prospects. But there would need to be a sense of wrongfulness, which is lacking if the software does not single out a particular adware company, but instead filters a broad group of adware, he added.
Aside from liability concerns, the lack of spyware standards leaves security firms creating their own systems for classifying software as spyware or invasive adware.
Symantec, for instance, has developed a risk matrix that rates a program’s impact on system performance, privacy impact, how it installs, how much effort is required to remove it, and its prevalence.
“With those five categories, Symantec is working to set up some industry standards,” said Foster.
“We’re working to set up independent testing bodies so that, at the end of the day, this becomes similar to the malicious code arena.”
One standards effort has already foundered. In February, the three original members of the Consortium of Anti-Spyware Technology vendors (Coast) dropped out.
The alliance was set up back in 2003 by Webroot, Aluria Software and Pest Patrol (acquired last year by Computer Associates) in order to standardize industry terminology and create a code of ethics for the nascent anti-spyware industry.
But dissent between members stemmed from Coast’s decision to allow membership to an adware firm.
InterMute’s English doubts that standards for spyware are possible, due to the sophistication and financial drive of its writers, but he decried how some anti-spyware firms inflate their databases with cookies and other non-spyware elements.
“We’re not going to participate in an arms race – who has a bigger number of signatures in their database – because that doesn’t do anyone any good,” he said.
As the industry debates how to deal with spyware, it is clearly something that enterprises are worried about.
“We are concerned about the protection of information assets, and making sure that privacy is protected and that no keystroke loggers make it in here,” said Gene Fredriksen, CSO for investment firm and NYSE member Raymond James & Associates.
His firm tested some anti-spyware solutions, but did not use any because they lacked a good management console, he added.
“The other side is strictly performance. Our technical support people will get a call and, typically, they discover that the machine has 200 or 300 variants of adware, all of them eating little bits of CPU cycles.”