The remedy for spyware--not anytime soon, part II

Updated 5/16: Yesterday I blogged the early morning session of the CNET spyware event (MP3 files of all the panel discussions are here--registration required), concluding that the two sides--adware/spyware purveyors and their antitheses--are not far along in formulating a truce that would reduce at least the failures to disclose and other abuses not induced by rogue operators or organized crime, abuses that range from minor irritants to material harm.

Esther Dyson hosted a panel of adware vendors, who were giving assurances that they want to be on the good side of consumers, while spyware expert Ben Edelman and Ari Schwartz, associate director of the Center for Democracy and Technology (CDT), demonstrated the devious methods and the extended ecosystem the adware vendors use to fuel billions of dollars in revenue. Webroot's recent "State of Spyware Report" claims that pop-up ads, hijacked home pages, redirected Web searches and DNS poisoning to steal Web traffic generate about $2 billion in yearly revenue, a huge slice of the entire online advertising pie.

Claria CEO Jeff McFadden and spyware expert Ben Edelman smiling, but not at each other (photo courtesy Esther Dyson)

Daniel Doman, CTO at Direct-Revenue, said his company is reforming by taking "great pains to make sure software is always uninstallable [and] that all of the clients are branded." He said his company has grown about 1000 percent over the last year, going from 10 to 120 people, including 40 engineers to help improve the reliability and integrity of its adware client. "We are branding our software to be increasingly transparent and visible to users, and to distinguish ourselves from those not branding software. We are careful not to show too many ads per hour or per given day," Doman said.

Dan Todd, 180solutions COO, came in for the brunt of criticism from the audience of experts, vendors and government officials. Alex Eckelberry accused 180solutions of enabling stealth installs of unwanted software, some of which could be avoided with a programmatic fix. "You wrote an application that is completely crackable," Eckelberry said. "My eleven-year-old kid can change the registry." Todd responded by talking about meeting with the antispyware players and trying to develop best practices. He also said that 180solutions, like the other larger adware vendors, is moving toward using fewer distributors to gain better control of the process.

Claria CEO Jeff McFadden talked about putting the consumer first and transparency. "Spyware proliferation is an enormous problem for companies like mine. For my business to work, the antispyware companies have to work and to do it correctly," McFadden said. On the other hand, Claria's biggest bundling partner is Kazaa, which has been known to deliver unwanted, non-disclosed code to computers. "This is an issue we are grappling with all the time. We have only a limited amount of control over how companies distribute," McFadden said. "We have a stringent set of requirements about how our software is described. It's a constant back and forth with people." He concluded that some "clean up" work is required and that the current model for adware is a 1.0 version.

At the end of the day, the adware vendors represented at the workshop walk a fine line, talking about reform but chasing as much revenue as possible through legitimate means, as well as borderline and possibly fraudulent techniques.

As a relatively tame example, Edelman's site chronicles what he calls Claria's misleading installation practices:

Claria says it "keep[s] software free" by offering payments to those who distribute Claria programs to users' PCs. But after examining Claria's installation methods, my sense is that Claria often plays on user confusion, carelessness, or naivete -- including distributing its software in ways that disproportionately target children.

Notable characteristics of this installation:

  • Bundles Claria advertising software with a game likely to be of particular interest to youth.
  • Fails to mention privacy effects in any on-screen text.
  • Mentions advertising, and includes a large graphic, but fails to show an example ad.
  • Does not mention advertising on the screen at which users are asked to select "I agree."
  • No uninstaller included in Control Panel.

Other trickery examples include mimicking the design of a site, such as McAfee or PCPitStop, with a popup ad for a competitive, questionable product, or inserting a different shopping cart for a different product in a popup. At the other end of the spectrum are the keyloggers, hijacking and other spyware hacks that can lead to serious harm.

"I really think that, much like the spam problem, it will not be solved without a technology solution brought by people in this room, but we have to sit at table and figure this out," McFadden said during the adware panel. Doman chimed in that it's incumbent upon the adware community to police itself and to retroactively police some of the distributions, but that it can't be done unless there is "reasonable agreement and definition about what is appropriate behavior." Todd mentioned that 180solutions has a code of conduct, which isn't a claim to fame.

It's difficult to take the adware vendor community's desire for self-policing and major reforms seriously at this point. The profit margins and potential growth are simply too enticing. Edelman pointed out that some of the biggest corporations on earth use adware (more politely called behavioral marketing) and the venture capital investors see huge potential for a big payday. CDT's Schwartz said that there isn't much incentive for the advertisers to self-regulate. In addition, he noted that the complexity of the adware business model (see the Seismic Entertainment complaint filed by the FTC) makes it "extremely difficult to police." Ralph Terkowitz, an investor in WhenU, said that the adware players have to act more like traditional publishers, establishing good, long-standing relationships with consumers via their brands.

Some of the vendors see the legislative and litigation writing on the wall--such as the Intermix suit brought by New York attorney general Eliot Spitzer--and are cleaning up their acts, but the adware and spyware underground--companies, individuals and crime syndicates that run beneath the radar and offshore--are elevating their games, keeping the antispyware vendors in business and busy trying to keep up. David Moll, CEO of Webroot, believes that federal legislation that defines the parameters of adware/spyware is critical to reducing the number of bad "actors" abusing consumers and businesses. "I'd rather see a widely adopted, united federal bill that deals with the situation and gets us on the front line of technology dealing with the problem, not in the courtroom," Moll said. "However, federal legislation is a partial aid. It's not going to fix foreign or out-of-jurisdiction problems, which are the main cause of our headaches at the moment," said Simon Clausen, CEO of PC Tools. "Potentially, it brings in line the current adware companies and makes sure they follow some standard procedures."

Webroot CEO David Moll and WhenU investor Ralph Terkowitz share their perspectives

I moderated the final panel with the more prominent antispyware vendors, including Alex Eckelberry, president of Sunbelt Software; Kelly Mackin, director of long range planning, eTrust, Computer Associates; Joe Telafici, director of operations for virus response team, McAfee; Webroot's Moll; and PC Tools' Clausen. The panel consensus was that behavioral analysis, in addition to signature-based techniques, is needed to keep up with the increasingly sophisticated spyware programmers. Instead of looking only for specific signatures, behavioral analysis looks at many vectors, such as events occurring within an application. The assembled group also said that they were making efforts to work together to establish standards and practices. Some are working with the Network Advertising Initiative (NAI), which has a spyware workshop next week in New York. However, it appears to be at its beginning stage. The executives had never met previous to yesterday's CNET spyware event.
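To make the signature-versus-behavior distinction the panel drew concrete, here is an added toy illustration (my own example, not any vendor's engine or code from the event). It runs a constructed stream of endpoint events through two checks: a hash lookup against a constructed "known sample" set, and a weighted score over behaviors the article itself names (autostart persistence, a rewritten home page, redirected searches, ad bursts, and a missing Control Panel uninstaller). The hashes, weights, threshold and event details are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed hashes standing in for a signature database (not real samples).
KNOWN_BAD_HASHES = {"deadbeef0001", "cafebabe0002"}

# Behavioral indicators and illustrative weights (chosen for this example).
INDICATOR_WEIGHTS = {
    "persist_run_key": 2,    # wrote an autostart (Run) registry value
    "homepage_changed": 3,   # rewrote the browser start page
    "search_redirect": 3,    # altered the hosts file (search/DNS redirection)
    "browser_injection": 3,  # loaded a module into a browser process
    "ad_burst": 2,           # several ad windows from one process
    "no_uninstaller": 2,     # installed files but registered no uninstall entry
}
FLAG_THRESHOLD = 5


@dataclass
class Event:
    process: str
    kind: str
    detail: str = ""
    sha: str = ""   # hash of the image that produced the event, if known


def signature_match(ev: Event) -> bool:
    """Signature-style check: is the image hash already on the list?"""
    return ev.sha in KNOWN_BAD_HASHES


def classify(ev: Event) -> Optional[str]:
    """Map one raw event to a behavioral indicator, or None if unremarkable."""
    d = ev.detail.lower()
    if ev.kind == "registry_write" and "\\run\\" in d:
        return "persist_run_key"
    if ev.kind == "browser_setting" and d.startswith("homepage="):
        return "homepage_changed"
    if ev.kind == "file_write" and d.endswith("\\drivers\\etc\\hosts"):
        return "search_redirect"
    if ev.kind == "module_load" and d in ("iexplore.exe", "firefox.exe"):
        return "browser_injection"
    return None


def analyze(events: List[Event]) -> Dict[str, dict]:
    """Aggregate events per process and combine signature and behavior verdicts."""
    per_proc = defaultdict(lambda: {"indicators": set(), "popups": 0,
                                    "installed": False, "uninstall_entry": False,
                                    "signature_hit": False})
    for ev in events:
        rec = per_proc[ev.process]
        rec["signature_hit"] |= signature_match(ev)
        ind = classify(ev)
        if ind:
            rec["indicators"].add(ind)
        if ev.kind == "popup":
            rec["popups"] += 1
        elif ev.kind == "install_files":
            rec["installed"] = True
        elif ev.kind == "uninstall_entry":
            rec["uninstall_entry"] = True

    results = {}
    for proc, rec in per_proc.items():
        inds = set(rec["indicators"])
        if rec["popups"] >= 3:                      # burst of ad windows
            inds.add("ad_burst")
        if rec["installed"] and not rec["uninstall_entry"]:
            inds.add("no_uninstaller")              # nothing in Add/Remove Programs
        score = sum(INDICATOR_WEIGHTS[i] for i in inds)
        results[proc] = {
            "signature_hit": rec["signature_hit"],
            "indicators": sorted(inds),
            "score": score,
            "flagged": rec["signature_hit"] or score >= FLAG_THRESHOLD,
        }
    return results


# Constructed sample events: an unknown game bundle, a known sample, a benign setup.
SAMPLE_EVENTS = [
    Event("gamebundle.exe", "install_files", r"C:\Program Files\GameBundle", sha="0123456789ab"),
    Event("gamebundle.exe", "registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gb"),
    Event("gamebundle.exe", "browser_setting", "homepage=http://search.example.invalid/"),
    Event("gamebundle.exe", "file_write", r"C:\Windows\System32\drivers\etc\hosts"),
    Event("gamebundle.exe", "popup", "ad"),
    Event("gamebundle.exe", "popup", "ad"),
    Event("gamebundle.exe", "popup", "ad"),
    Event("oldsample.exe", "install_files", r"C:\Program Files\OldSample", sha="deadbeef0001"),
    Event("oldsample.exe", "uninstall_entry", "OldSample"),
    Event("setup_editor.exe", "install_files", r"C:\Program Files\Editor"),
    Event("setup_editor.exe", "uninstall_entry", "Editor"),
    Event("setup_editor.exe", "registry_write", r"HKCU\Software\Editor\Settings"),
]

if __name__ == "__main__":
    for proc, verdict in analyze(SAMPLE_EVENTS).items():
        print(proc, verdict)
```

The game bundle has no signature hit, so a hash-only scanner would pass it; the behavioral score catches it from the combination of persistence, home page rewrite, hosts file change, ad burst and missing uninstaller. The known sample is caught by hash alone even though it behaves quietly, which is why the panel argued for both techniques together.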

A major issue for the antispyware vendors is deciding who should be listed as an offender, and then quarantined. Vendors create their own definition silos, and it's in their best financial interest to keep the methodology proprietary. As a result, the adware/spyware vendors have to go through arbitration with each vendor, lawsuits are issued, and the end users can't rely on consistent detection and protection. McAfee's Telafici said that trading collections (such as virus definitions) among competitive vendors hasn't caused harm in the more mature antivirus industry, but concerns among the antispyware vendors over commoditization of their industry have so far prevented it from happening.

As a closing argument, Esther challenged both sides to come up with an education campaign and to agree on what behavior is clearly wrong and drive it into the sea. The contingents from both sides support the goal, but that's not much different than a politician voicing support for a bill and then hoping that it doesn't come to a vote...

  • There's money involved. Nothing's going to be done.

    Cynical, yes. Prove me wrong.
  • There IS a resolution for Spyware

    It's the same as for Virus Writers.

    You throw them UNDER the damned Jail!

    Until the government gets tough with these heathens the Internet is a total loss...
    • I agree

      Just kill them all, slowly, painfully and publicly; and make sure that every penny of any money they have derived from these works gets confiscated and donated to some legitimate charity. Finally make sure that every penny from any investor giving these jerks money also is confiscated - both personal and corporate money. Make it so painful and publicly humiliating that no-one wants to touch them with a 10 foot pole.
  • This is simple

    All of the ludicrous discussion that goes on at these meetings/conventions is just lip service, and a huge waste of time. You just have to laugh at the doublespeak platitudes that CEO and COO's of these adware/spyware companies are spewing out, trying to come off as responsible and legitimate.

    And then there's the endless back-and-forth and the lawsuits between these guys and the anti-spyware companies regarding the terms "adware" and "spyware." Hey, you can't call us spyware, we're adware, they say. In fact, don't even call us adware, we're a customer service tool that provides enhanced content to....blah blah blah blah....

    Let's just throw out those categories and call it what it is -- unauthorizedware.

    If something, ANYTHING, puts itself on my computer, and I didn't explicitly authorize it to be there, then it is in violation of the law. Period. No ifs, ands, or buts, no semantics games, and no wiggle room.

    The impending legislation by Mary Bono leaves far too many loopholes, talking about outlawing any software that redirects the browser -- but says nothing about instant messaging and other means. Same with the competing legislation by Bob Goodlatte, which is better, but still says that it is illegal to install software "without authorization" if it leaks personal information or "impairs" a computer's security.

    Bollocks to that. Delete all the stuff after the "if" in Goodlatte's bill, and you might have something that works. It is illegal to install software without authorization. PERIOD.

    Don't let them hide behind a convoluted EULA either. Add in a clause that says that it is illegal to have a misleading, ambiguous, or otherwise confusingly written EULA, and that the EULA must be presented front-and-center before ANY software is installed. Any tricks such as hiding it in 2-point type on a window that takes five clicks to get there, and then has the EULA acceptance question worded like, "Would you like to not NOT install the software?," is misleading and in violation of the law.

    Of course, legislation alone won't solve this, but given that most of the spyware companies ARE based in the U.S., this would be a start. The law would allow the feds to bust all of the scumballs like the head of Claria and 180Solutions, put them out of business. It would be a start.

    Put a sock in all of this ludicrous talk back and forth, with both sides showing up in snazzy business suits and discussing their differences. The only suits these jerks should be wearing are orange jumpsuits. PERIOD.
    • and...

      And leave all of the offenders and their investors absolutely penniless!
    • Amen brother - call it trespassware

      If these guys painted a billboard on your bedroom ceiling would that be B&E and/or criminal damage? D#amn right it would.
  • Simple free solutions

    Spybot S & D

    Javacool Software Spyware Blaster from
    Neil Parks
  • Unbelievable nerve

    These clowns show up and pretend that:

    a) they have a legitimate business model
    b) promising to change their ways in the future somehow excuses their ethical and/or legal lapses in the past
    c) they point the fingers at the users, other (legitimate) advertisers, and even the anti-spyware companies!

    It's like saying - you put a bank there, that's why I robbed it. These guys should be put in stocks and horsewhipped.
  • free remedy