The remedy for spyware...not anytime soon

The remedy for spyware...not anytime soon

Summary: Lydia Parnes, director of the Bureau of Consumer Protection at the Federal Trade Commission, kicked off the CNET Antispyware Workshop saying that in defining spyware “it all depends.” And, a year after the FTC held a spyware workshop, the spyware and adware companies and their anti counterparts are still battling and consumers are caught in the middle.

SHARE:
TOPICS: Security
7

parnes.jpgLydia Parnes, director of the Bureau of Consumer Protection at the Federal Trade Commission, kicked off the CNET Antispyware Workshop saying that in defining spyware “it all depends.” And, a year after the FTC held a spyware workshop, the spyware and adware companies and their anti counterparts are still battling and consumers are caught in the middle. 


A State of Spyware Report, issued today by the security firm Webroot, claims that nearly 90 percent of consumers and business computers harbored some form of unwanted software during the first quarter of 2005.

Parnes said the most useful way to deal with spyware and adware is to focus on two concepts: notice and harm. Malevolent software, which can be spyware, doesn’t raise difficult legal issues for the FTC--drive-by installations, hijacking browsers, keystroke logging and adding bookmarks surreptitiously, for example, violate a range of laws including criminal statutes, she said. Adware, which is usually in the form of pop ups, is not inherently wrong, Parnes said, but without proper notice and disclosure can be illegal and potentially harmful, such as causing a system to slow to a crawl or crash. She said the recent case against Intermix brought by the New York attorney general Elliot Spitzer is a textbook case of deception assuming the allegations are true.

The panel and Q&A following Parnes opening remarks, however, challenged her definitions. Ralph Terkowitz, vice chairman of Truste and an investor in WhenU.com, said that rather than trying to define the terms spyware or adware, the industry should focus on a specific set of behaviors, which he said will take editorial judgment to define. “How do you editorially classify [behaviors] so that the antispyware vendors can deliver and consumers can decide what they would like to have on their machines?…Both vendors and consumers need to have a vote,” Terkowitz said. The challenge, he said, is coming up with a way to encapsulate a set of behaviors, and talk about in a way that is easy to make distinctions and judgments. Terkowitz told me that antispyware vendors could offer a variety of profiles developed by "editors" that give users different value propositions based on the offers from adware vendors.

Eric Howes, who consults for antispyware vendor Sunbelt Software, recommends that antispyware vendors build flexibility into targeting criteria. “Antispyware vendors want criteria to be complete objective, hard and fast and grounded in pure functionality. But, in dealing with spyware and adware, you need to change the approach. It’s a mistake to be limited to functionality--it should be behavior- or practice-based. The difference is ‘context.’ Functionality is an inherent quality of program. Behavior is about human decision-making, design and intention. It’s a paradigm shift, and no longer a business of simply assessing risk based on inherent functionality. It’s more like the FTC evaluating and judging business practices, which is more messy than functionality.” Howe added that in dealing with the detection, scanning and removal functions of antispyware tools, detection is a threshold issue, but once something is detected, you have to change the presentation for users to deal with borderline cases.

Ben Edleman showed a children's website that offers a clock synchronization program from Claria, and the subsequent dialog showed the divide among the various parties with a stake in the game. Richard Stiennon, vice president of Threat Research for Webroot software, described the Claria adware as a form social engineering to get people to install software. mcfadden.jpg Christine Varney, a former FTC commissioner, didn't think that is was a clearcut case of an inappropriate business practice. Jeff McFadden, CEO of Claria (formerly Gator), responded, dismissing the notion that his company targeted kid's sites and said that about 90 percent of distribution is through the company's own screen saver titles and Kaaza. He points out that consumers are asked if they want to install and run the software offered, which use Active X controls to get into the user's system flow. "We and other companies are changing procedures all the time," McFadden said. "Month after month we get requests. If we could all agree on a common set of rules of the road, we would be leading the charge. The trouble is, we get different opinions from different people."  

McFadden does identify the key issue. The opposing parties have different opinions and agendas, and, as a result, getting the equivalent of food packaging disclosure for downloadable software isn't going to come easily.

Legal remedies--bills in Congress--aren't expected to have much impact any time soon. Declan McCullagh wrote in his News.com column that the Bono bill (the Spy Act) is problematic:

It prohibits "diverting the Internet browser," but doesn't mention mischief aimed at instant-messaging clients. Manipulating "a list of bookmarks used by the computer to access Web pages" is verboten, but not manipulating a list of RSS bookmarks. Monitoring the "Web pages" visited to deliver ads is explicitly covered, but not monitoring the contents of e-mail correspondence.

A better approach might be one that takes aim at problematic behavior rather than problematic technology. That's what a competing spyware bill, introduced by Republican Rep. Bob Goodlatte of Virginia, proposes. Goodlatte's one-page bill simply says it's illegal to install software "without authorization" if it leaks personal information or "impairs" a computer's security--an approach backed by the ITAA and other technology groups.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • Politicians Bamboozled Again

    Why are they listening to the adware and spyware companies? Spyware should be patently illegal and adware should only be installed if the consumer is made completely aware of the consequences of installing the software.

    The definitions are not that difficult. Keep your grubby spyware off my computer.
    kdickson@...
  • CNET spyware cookies to stop anytime soon?

    CNET Antispyware Workshop?? I guess that in defining spyware ?it all depends.? is the ZDNet/CNet attitude. I've been using Sunbelt's CounterSpy for about 2 months now and have a spyware scan scheduled to run every night while I'm sleeping. Isn't it odd that almost every night it finds a spyware cookie? No it's not odd at all since I like to read some of these ZDNet articles. Since I read this one, CounterSpy will be finding a spyware cookie on my system tonight. I just checked and I currently have 171 cookies on my system. If I was to do a spyware scan right now CounterSpy would only find one of them to be a spyware cookie and it would be a CNET cookie. One of the defining attributes of a cookie that causes CounterSpy to deem it a spyware cookie is that it serves no useful purpose to the user. I?m curious about what the defining attribute of a cookie that would deem it a spyware cookie in the eyes of the ZDNet writers?
    zdnet@...
    • CounterSpy as judge?

      ZDNet puts cookies on users every time they visit the site. Uh-oh! It's a "spyware cookie" -- [b]give me a break[/b]. The cookies are anonymous and most are session-based (i.e. they disappear when you shut down your browser). How in the world can CounterSpy determine whether a cookie serves a useful purpose to you? They can't.

      Here's some of the reasons we anonymously cookie you:
      -- Count sessions so we understand how often groups of users visit. Daily? Monthly? It matters to us.
      -- Reduce the repitition of certain ads. Sounds good, doesn't it? Needs a cookie.
      -- Remember your video-playback settings. Real? WMP? You'd rather not set that every time I bet.
      -- Reduce repeating voting in online polls.
      -- Passive relevancy like Amazon ("users who read this also read this"), which helps get people more stuff they might like.

      If you register to post a TalkBack or receive a newsletter, we cookie you TWICE: once in the session and once with a "permanent" cookie. Again, this helps us know what registered users like, control what they have access to, and reduce the need for you to log in again and again.

      Calling all of this "spyware" is really stretching it. Cookies are a pretty lousy solution to many of these problems, but the better solutions all require users to log in a lot more. That a PITA that we try to avoid.

      So when we don't need to know precisely who you are, when we can provide a better experience while still treating you anonymously, we use cookies. and for this we get labeled as spyware. Phooey!

      Stephen Howard-Sarin
      VP, ZDNet.com
      Stephen Howard-Sarin
      • Did I stike an exposed nerve?

        <html>

        <body bgcolor="#FFFFFF">

        <p class="MsoNormal"><font size="4"><strong><i>&quot;CounterSpy
        as judge?&quot;</i></strong></font></p>

        <p class="MsoNormal">I suppose you think SpyBot would do better
        than CounterSpy in a head to head spy chase because SpyBot did
        better than a couple of beta versions of anti-spyware from a
        couple of software giants. Or is it so better because it costs
        $20 less than CounterSpy? Sorry, but to me free does not equal
        effective.</p>

        <p class="MsoNormal"><font size="4"><strong><i>&quot;</i></strong></font><i>How
        in the world can CounterSpy determine whether a cookie serves a
        useful purpose to you? They can't.</i><font size="4"><strong><i>&quot;</i></strong></font></p>

        <p class="MsoNormal">Sunbelt probably just doesn&#146;t like
        ZDNet/CNET so I bet they purposely programmed CounterSpy to only
        alert users that cnet.com cookies are spyware cookies. Along the
        lines of that conspiracy theory, it makes sense that the web
        sites that the 170 other cookies on my system probably gave
        Sunbelt some payola so CounterSpy wouldn&#146;t bother with their
        cookies.</p>

        <p class="MsoNormal"><i><br>
        </i><font size="4"><strong><i>&quot;</i></strong></font><i>Here's
        some of the reasons we anonymously cookie you:</i></p>

        <p class="MsoNormal"><i>-- Count sessions so we understand how
        often groups of users visit. Daily? Monthly? It matters to us.</i><font
        size="4"><strong><i>&quot;</i></strong></font></p>

        <p class="MsoNormal">This serves no useful purpose to me.</p>

        <p class="MsoNormal"><i><br>
        </i><font size="4"><strong><i>&quot;</i></strong></font><i>--
        Reduce the repitition of certain ads. Sounds good, doesn't it?
        Needs a cookie.</i><font size="4"><strong><i>&quot;</i></strong></font></p>

        <p class="MsoNormal">Oh yes! I love variety in the ads I don&#146;t
        look at. Honestly, when I read something, it&#146;s almost always
        because I have an interest in the subject, so I tend to loose my
        peripheral vision while I&#146;m reading. And since most of your
        ads are at the top of the pages, by the time I&#146;m done
        reading the article, there&#146;s no ads to look at without going
        back to the top.</p>

        <p class="MsoNormal"><i><br>
        </i><font size="4"><strong><i>&quot;</i></strong></font><i>--
        Remember your video-playback settings. Real? WMP? You'd rather
        not set that every time I bet.</i><font size="4"><strong><i>&quot;</i></strong></font></p>

        <p class="MsoNormal">Heavens no! That would require me to make an
        extra mouse click.</p>

        <p class="MsoNormal"><i><br>
        </i><font size="4"><strong><i>&quot;</i></strong></font><i>--
        Reduce repeating voting in online polls.</i><font size="4"><strong><i>&quot;</i></strong></font></p>

        <p class="MsoNormal">This serves no useful purpose to me. I don&#146;t
        participate or read online polls and I don&#146;t vote for the
        next Teen Idol either.</p>

        <p class="MsoNormal"><i><br>
        </i><font size="4"><strong><i>&quot;</i></strong></font><i>--
        Passive relevancy like Amazon (&quot;users who read this also
        read this&quot;), which helps get people more stuff they might
        like.</i><font size="4"><strong><i>&quot;</i></strong></font></p>

        <p class="MsoNormal">This serves no useful purpose to me.
        Personally, the &#147;Customers who bought this book also bought&#148;
        is an annoyance to me. If I wanted to deal with a pushy
        salesperson I&#146;ll go to a used car lot. And excuse me for
        being a private person, I know that&#146;s a bad thing to be but
        I am. I mind my own business and I don&#146;t want anyone else&#146;s
        nose in it without an invitation from me.</p>

        <p class="MsoNormal"><i><br>
        </i><font size="4"><strong><i>&quot;</i></strong></font><i>Again,
        this helps us know what registered users like, control what they
        have access to, and reduce the need for you to log in again and
        again.</i><font size="4"><strong><i>&quot;</i></strong></font></p>

        <p class="MsoNormal">Oh no! Not more typing! Sorry, but this
        serves no useful purpose to me either. I come from that dark
        prehistoric place called DOS. I know it&#146;s spooky, but some
        of us old timers still prefer a keyboard over a mouse.</p>

        <p class="MsoNormal"><font size="4"><strong><i>&quot;</i></strong></font><i>Calling
        all of this &quot;spyware&quot; is really stretching it. Cookies
        are a pretty lousy solution to many of these problems, but the
        better solutions all require users to log in a lot more.</i><font
        size="4"><strong><i>&quot;</i></strong></font></p>

        <p class="MsoNormal">Thanks for the Cookies 101 lecture Mr.
        Howard-Sarin and keep up the good work. Until I read your
        explanation/defense of using cookies as little spybots, I had no
        idea what cookies were good for.</p>
        </body>
        </html>
        zdnet@...
        • Sorry about the html, I guess I don't know the secret handshake.

          I guess I don't know how to spell strike either.
          zdnet@...
  • I have met the enemy and he is us (Pogo)

    It would seem the existance of spyware, viruses, worms, phishing, and a host of other problems that have emerged along with the Internet are literally a "feature" of the system thus far embraced for deploying Information Technology (binary digital computers). It is doubtful if any non-technical types appreciate this, and it is also doubful if the techies are in any way prepared for what might be required to siginificantly change anything.

    One simple case in point, serving as an illustration only, is the continuing saga of daily/weekly "patches" announced for Microsoft Windows. It should be obvious by now, even without a theoretical/mathematical discourse, that Windows by its very nature permits virtually unlimited opportunities for mischief. Think of a window screen that must suddenly be required to block the flow of air, but with the requirement that every opening be closed in a way that is unique relative to all the other openings.

    It may well be that so long as computers use a simple binary system (only two states are allowed: one or zero) as the method of encoding, storing, and exchanging information nothing definitave can be done about most security issues. A multi-state system may be the eventual answer, although it would require starting over from square one. [NOTE: The common system for counting has ten states (numbers), the ordinary alphabet has 26 states (letters)]
    dmennie
  • Horse muffins...

    Ads are ads. No matter how they are served.

    Spyware, Adware, Malware all serve one purpose and that is to make the vendor rich at the cost of the enduser's pc.

    While I have no sympathy for P2P users who are infected, I do have disdain for the drive-by downloads and other mechanisms.

    But the fault in this lies with the user's OS.

    If there was a way for the enduser to tell the PC that no software can be installed without my explicit permission, then this stuff couldn't latch on.

    The problem is that most OS vendors, Microsoft, Linux, Unix, etc... cannot or will not do this simple thing.
    jachamp