Spying on the spyware makers

The 25-year-old researcher has spent years analyzing how spyware and adware programs work and disclosing his findings publicly. That often results in red faces and, occasionally, lawsuit threats from companies like WhenU and Claria, formerly known as Gator.

When testing spyware and adware, Edelman isn't about to sacrifice his own Windows XP computer. So he uses the VMware utility to create a virtual Windows box.

"I infect the hell out of it," he says. "It destroys the infected machine."

A law student at Harvard University, Edelman also is completing a doctoral degree in economics. CNET News.com caught up with him after he spoke at a conference in San Francisco sponsored by News.com's sister site, Download.com.

Q: What got you interested in spyware in the first place?

Edelman: I took a call from the plaintiffs in the Washington Post case against Gator. They thought what Gator was doing was absolutely destructive to the availability of free content on the Web. After all, if advertisers could buy ads from Gator to reach the Washington Post's audience, who would buy ads from the Washington Post?

I happened to think they were right. But the case settled out of court on the eve of trial so we didn't find out for sure whether Gator's business was legit.

How much time have you spent since then on spyware-related topics?

Edelman: It's scary. It's what gets me out of bed in the morning right now, more so than classes, more so than my dissertation research. I probably spend 30 hours a week. It's been nonstop for the past 15 months. Before that, it was quite a bit less intense.

What was the most interesting thing you've discovered?

Edelman: There's just a huge amount of money changing hands here. The biggest, richest American companies are buying advertising through spyware. The biggest, richest venture capital firms are investing in those who make this kind of unwanted software. That's names like American Express, Sprint PCS, Disney, Expedia, Guy Kawasaki's firm.

Edelman: Absolutely right. My claim is that each of the so-called adware networks has obtained installations and is still obtaining installations in ways that offer such poor notice and obtain such limited consent--sometimes none at all--that users can't fairly be said to have consented. If they didn't consent, and their activities are being monitored or transmitted, then that's spying.

Have you ever been threatened by spyware makers or adware makers?

Edelman: Yes. Some vendors have challenged the permissibility of my methods, for example, Gator was awfully angry when I posted a Web service that let any Web site operator see how Gator was targeting their site with competitors' pop-ups. They sent a series of legal papers, complaints, threats to me and my then-bosses at Harvard's Berkman Center.

I seem to remember that you had written some controversial software that tested what one adware program was doing--I think it was WhenU.

Edelman: I can't comment about that.

Ask Jeeves seems to be an above-the-board company. What's your complaint with them?

Edelman: The core problem is Ask Jeeves' installation practices. Sometimes their software gets installed without any notice or consent at all through security hole exploits. When they do ask for permission, they don't always tell users everything they need to know to make an informed choice. For example, when installing a Web browser toolbar, they use euphemisms like "directly accessible from your Web browser" instead of the obvious and natural word "toolbar."

You don't have any objection to pop-up applications like WhenU or Claria as long as the user knows what they're getting?

Edelman: I have no comment on any matter pertaining to WhenU. As to Claria, their core business seems to me to be troubling because it's so parasitic. They can only show ads thanks to users requesting other sites which get no share of the revenues from those ads.

Suppose a site spends a million dollars on a Super Bowl ad or $3 on a Google pay-per-click ad. Claria's pop-up then siphons away the resulting users. This undermines the incentives for sites to promote themselves through legitimate advertising.

Edelman: The background here is that historically users have been tricked into getting all manner of unwanted software into their computers. Their computers become slow, unreliable. Companies step in to help by offering detection programs.

From the perspective of the spyware makers these detection programs are bandits: they take the spyware off the users' computer after the spyware makers have gone to such lengths to infect the computers in the first place. So the spyware companies have been attempting intimidation tactics to force the removers to omit removal of particular advertising software.

Name names. Who's been the most litigious?

Edelman: One of the few companies to file suit is Claria, which sued PC Pitstop in 2003 alleging unfair business practices when PC Pitstop told its users its view of Claria's software. And New.net took the novel approach of suing Lavasoft in federal court.

Mostly these threats don't lead to litigation. Either the spyware vendors give up or they succeed in their intimidation tactics without having to go to court. There have been at least half a dozen examples just in the past few months.

It's absolutely fascinating to watch Symantec and McAfee struggle with this. It's a very different problem from what they're used to. Virus writers don't fight back.

Edelman: They're getting installations from kids' sites. I've been trying to figure out how these programs have such a large installed base: Who in their right mind would agree to have their computer become a vehicle for pop-up ads? It turns out that many of these programs target kids. They advertise their software at kids sites. They bundle it with videogames. They use advertisement images like smiley faces.

Ask Jeeves has a search engine that nobody really wants to go to. To get users to come, they push these toolbars. But if the toolbars are installed without proper notice and consent, then the entire business collapses. They have no legitimate business source of any substantial traffic to their web site.

Ask Jeeves just tries to get people to download their toolbar. Does that make it spyware or adware?

Edelman: It's not exactly spyware like the others. It doesn't show pop-up ads. As far as I know it doesn't track and transmit to its servers every Web site you visit. Yet it uses equally tricky installation tactics. (Editor's note: This week, CBS MarketWatch calculated that Ask Jeeves is valued at $1.8 billion and receives up to two-thirds of its search traffic from sources that also distribute adware.)

How much money have you made by consulting for anti-adware companies so far?

Edelman: I've made enough to pay for law school.

What next?

Edelman: I don't know. I might end up teaching. I can see myself practicing law, and potentially serving as some sort of a professional consultant.