The remedy for spyware...not anytime soon

Lydia Parnes, director of the Bureau of Consumer Protection at the Federal Trade Commission, kicked off the CNET Antispyware Workshop saying that in defining spyware “it all depends.” And, a year after the FTC held a spyware workshop, the spyware and adware companies and their anti counterparts are still battling and consumers are caught in the middle. 

A State of Spyware Report, issued today by the security firm Webroot, claims that nearly 90 percent of consumers and business computers harbored some form of unwanted software during the first quarter of 2005.

Parnes said the most useful way to deal with spyware and adware is to focus on two concepts: notice and harm. Malevolent software, which can be spyware, doesn’t raise difficult legal issues for the FTC--drive-by installations, hijacking browsers, keystroke logging and adding bookmarks surreptitiously, for example, violate a range of laws including criminal statutes, she said. Adware, which is usually in the form of pop ups, is not inherently wrong, Parnes said, but without proper notice and disclosure can be illegal and potentially harmful, such as causing a system to slow to a crawl or crash. She said the recent case against Intermix brought by the New York attorney general Elliot Spitzer is a textbook case of deception assuming the allegations are true.

The panel and Q&A following Parnes opening remarks, however, challenged her definitions. Ralph Terkowitz, vice chairman of Truste and an investor in WhenU.com, said that rather than trying to define the terms spyware or adware, the industry should focus on a specific set of behaviors, which he said will take editorial judgment to define. “How do you editorially classify [behaviors] so that the antispyware vendors can deliver and consumers can decide what they would like to have on their machines?…Both vendors and consumers need to have a vote,” Terkowitz said. The challenge, he said, is coming up with a way to encapsulate a set of behaviors, and talk about in a way that is easy to make distinctions and judgments. Terkowitz told me that antispyware vendors could offer a variety of profiles developed by "editors" that give users different value propositions based on the offers from adware vendors.

Eric Howes, who consults for antispyware vendor Sunbelt Software, recommends that antispyware vendors build flexibility into targeting criteria. “Antispyware vendors want criteria to be complete objective, hard and fast and grounded in pure functionality. But, in dealing with spyware and adware, you need to change the approach. It’s a mistake to be limited to functionality--it should be behavior- or practice-based. The difference is ‘context.’ Functionality is an inherent quality of program. Behavior is about human decision-making, design and intention. It’s a paradigm shift, and no longer a business of simply assessing risk based on inherent functionality. It’s more like the FTC evaluating and judging business practices, which is more messy than functionality.” Howe added that in dealing with the detection, scanning and removal functions of antispyware tools, detection is a threshold issue, but once something is detected, you have to change the presentation for users to deal with borderline cases.

Ben Edleman showed a children's website that offers a clock synchronization program from Claria, and the subsequent dialog showed the divide among the various parties with a stake in the game. Richard Stiennon, vice president of Threat Research for Webroot software, described the Claria adware as a form social engineering to get people to install software. Christine Varney, a former FTC commissioner, didn't think that is was a clearcut case of an inappropriate business practice. Jeff McFadden, CEO of Claria (formerly Gator), responded, dismissing the notion that his company targeted kid's sites and said that about 90 percent of distribution is through the company's own screen saver titles and Kaaza. He points out that consumers are asked if they want to install and run the software offered, which use Active X controls to get into the user's system flow. "We and other companies are changing procedures all the time," McFadden said. "Month after month we get requests. If we could all agree on a common set of rules of the road, we would be leading the charge. The trouble is, we get different opinions from different people."  

McFadden does identify the key issue. The opposing parties have different opinions and agendas, and, as a result, getting the equivalent of food packaging disclosure for downloadable software isn't going to come easily.

Legal remedies--bills in Congress--aren't expected to have much impact any time soon. Declan McCullagh wrote in his News.com column that the Bono bill (the Spy Act) is problematic:

It prohibits "diverting the Internet browser," but doesn't mention mischief aimed at instant-messaging clients. Manipulating "a list of bookmarks used by the computer to access Web pages" is verboten, but not manipulating a list of RSS bookmarks. Monitoring the "Web pages" visited to deliver ads is explicitly covered, but not monitoring the contents of e-mail correspondence.

A better approach might be one that takes aim at problematic behavior rather than problematic technology. That's what a competing spyware bill, introduced by Republican Rep. Bob Goodlatte of Virginia, proposes. Goodlatte's one-page bill simply says it's illegal to install software "without authorization" if it leaks personal information or "impairs" a computer's security--an approach backed by the ITAA and other technology groups.