Language Selection

English French German Italian Portuguese Spanish

Little Agreement on Spyware Guidelines

Filed under
Security

Many anti-spyware programs scour computer hard drives for those data-tracking files called cookies that we often get from Web visits. Microsoft Corp.'s tool does not. And there are disputes aplenty about whether certain widely used advertising programs circulating on the Internet are clean of spyware.

No surprise, then, that there's little agreement on what should be considered spyware, and what adware is exactly. Or on whether adware, which delivers ads, is a form of spyware or a breed apart.

Consumers are confounded. Is their computer-cleaning overzealous or not thorough enough? Are they removing useful programs with the dreck?

No less vexed are makers of anti-spyware software. They're beset by legal headaches, constantly challenged for what their products define and target as malware.

"It certainly distracts us from the job at hand," said David Moll, chief executive of Webroot Software Inc.

Help may be on the way. Led by the tech-advocacy group Center for Democracy and Technology, the anti-spyware industry is crafting definitions and plans to eventually set up dispute-resolution procedures. A draft is expected by late summer.

"A definition is the foundation," said Ari Schwartz, the center's associate director. "If a consumer's going to make a decision in the marketplace about what they have and what software they are going to use, it's helpful to have a basis to do that on."

Similar efforts, however, have failed before.

Part of the challenge stems from how the term "spyware" evolved.

"It started out as being called spyware because a lot of it was spying on people and sending personal information," said Dave Methvin, chief technology officer with tech diagnostic site PC Pitstop. "It's a catchy, quick word that is always easy for people to understand and say."

But the term stuck even as some of these programs, in response to consumer complaints, began sending back less data and became less sneaky.

In some people's minds, spyware came to include programs that change Web browser settings without asking or trick users into racking up huge phone bills by making the equivalent of "900" calls to foreign porn sites.

"`Spyware' has sort of become the euphemism for any software I don't want," said Wayne Porter, co-founder of SpywareGuide.com.

The result is chaos.

Microsoft, for instance, chose not to scan cookies because many sites need them to remember passwords and otherwise customize a surfer's experience. Cory Treffiletti of the online ad agency Carat Interactive says cookies help sites identify repeat visitors so the same ads aren't shown over and over.

But other spyware hunters flag cookies on the grounds that they help advertisers track behavior. EarthLink Inc.'s Scott Mecredy says anti-spyware programs have gotten sophisticated enough to distinguish good cookies from bad.

Then there's the question of whether "spyware" includes adware.

Claria Corp., formerly known as Gator Corp., has sued several anti-spyware companies and Web sites for calling its advertising software "spyware." PC Pitstop rewrote some of its materials as part of a settlement.

Even "adware" isn't good enough for some.

Joseph Telafici, director of operations for McAfee Inc.'s security research unit, says the company now gets one or two complaints a week, compared with two or three per quarter last year from companies whose programs it has dubbed spyware or adware.

McAfee is in the process of assigning a full-time lawyer.

Symantec Corp. sought to pre-empt a lawsuit by filing one itself, asking a federal court to declare that it had the right to call Hotbot.com Inc.'s toolbar adware. Hotbot did not respond to requests for comment.

Symantec still faces a lawsuit by Trekeight LLC, whose product Symantec brands adware.

Though it has yet to sue, 180solutions Inc. takes issue with "adware," preferring "searchware" or "sponsorware." "Adware" has become too linked with bad actors, and the industry needs more differentiation, said its chief executive, Keith Smith. Most anti-spyware vendors, however, still put 180solutions in that category.

Aluria Software LLC says one company, WhenU.com Inc., has changed its practices enough that it is now spyware- and adware-safe.

But America Online Inc., though it uses Aluria's technology, prefers a different test: What its users think.

AOL found that users overwhelmingly choose to rid their computers of WhenU's SaveNow application when anti-spyware scans uncover it, so AOL continues to list as adware.

Adding to the confusion is the fact that many legitimate programs -- including Microsoft Corp.'s Windows operating system and Web browser -- send out data without making the user fully aware, one of the common attributes of spyware.

And many programs that spy do have legitimate functions -- people may run a keystroke recorder to monitor spouses whom they suspect of cheating. Or they may willingly accept adware in exchange for a free game or screensaver.

Anti-spyware software companies say they leave removal decisions to customers, though many users simply follow their recommendations, failing to distinguish the mild from the malicious.

"If an anti-spyware company recommends that the software (gets) blocked, consumers will typically block it," said Keith Smith, chief executive of 180solutions. "It doesn't matter how good an experience they have with it."

Alex St. John, chief executive of WildTangent Inc., says anti-spyware companies have an incentive to overlist programs: It makes their products appear effective. Better definitions, he said, would help clear his company's game-delivery product.

"We want to do anything under our power to be clearly defined as a legitimate, upright consumer company," he said. "We would love to have something to adhere to."

Guidelines could give anti-spyware vendors a better defense.

For consumers, said Tori Case of Computer Associates International Inc., "if we start using the correct terminology, we can demystify it a bit and help people understand what the real risks are."

By ANICK JESDANUN
Associated Press

More in Tux Machines

Server: GNU/Linux Dominance in Supercomputers, Windows Dominance in Downtime

  • Five Supercomputers That Aren't Supercomputers
    A supercomputer, of course, isn't really a "computer." It's not one giant processor sitting atop an even larger motherboard. Instead, it's a network of thousands of computers tied together to form a single whole, dedicated to a singular set of tasks. They tend to be really fast, but according to the folks at the International Supercomputing Conference, speed is not a prerequisite for being a supercomputer. But speed does help them process tons of data quickly to help solve some of the world's most pressing problems. Summit, for example, is already booked for things such as cancer research; energy research, to model a fusion reactor and its magnetically confined plasma tohasten commercial development of fusion energy; and medical research using AI, centering around identifying patterns in the function and evolution of human proteins and cellular systems to increase understanding of Alzheimer’s, heart disease, or addiction, and to inform the drug discovery process.
  • Office 365 is suffering widespread borkage across Blighty
     

    Some users are complaining that O365 is "completely unusable" with others are reporting a noticeable slowdown, whinging that it's taking 30 minutes to send and receive emails.  

Google: VR180, Android and the Asus Chromebook Flip C101

Security Leftovers

  • Hackers May Have Already Defeated Apple’s USB Restricted Mode For iPhone
    Recently, the iPhone-maker announced a security feature to prevent unauthorized cracking of iPhones. When the device isn’t unlocked for an hour, the Lightning port can be used for nothing but charging. The feature is a part of the iOS 12 update, which is expected to launch later this month.
  • Cops Are Confident iPhone Hackers Have Found a Workaround to Apple’s New Security Feature
    Apple confirmed to The New York Times Wednesday it was going to introduce a new security feature, first reported by Motherboard. USB Restricted Mode, as the new feature is called, essentially turns the iPhone’s lightning cable port into a charge-only interface if someone hasn’t unlocked the device with its passcode within the last hour, meaning phone forensic tools shouldn’t be able to unlock phones. Naturally, this feature has sent waves throughout the mobile phone forensics and law enforcement communities, as accessing iPhones may now be substantially harder, with investigators having to rush a seized phone to an unlocking device as quickly as possible. That includes GrayKey, a relatively new and increasingly popular iPhone cracking tool. But forensics experts suggest that Grayshift, the company behind the tech, is not giving up yet.
  • How Secure Are Wi-Fi Security Cameras?
  • Trump-Kim Meeting Was a Magnet For Russian Cyberattacks

KDE: Usability and Productivity initiative, Kraft and Konsole

  • This week in Usability & Productivity, part 23
    This has been a bit of a light week for KDE’s Usability and Productivity initiative, probably because everyone’s basking in the warm glow of a well-received release: KDE Plasma 5.13 came out on Tuesday and is getting great reviews!
  • Kraft Version 0.81 Released
    I am happy to announce the release of Kraft version 0.81. Kraft is a Qt based desktop application that helps you to handle documents like quotes and invoices in your small business. Version 0.81 is a bugfix release for the previous version 0.80, which was the first stable release based on Qt5 and KDE Frameworks5. Even though it came with way more new features than just the port, it’s first release has proven it’s stability in day-to-day business now for a few month.
  • Giving Konsole some love
    I started to hack in Konsole, and first I was afraid, I was petrified. You know, touching those hardcore apps that are the center of the KDE Software Collection. I started touching it mostly because some easy to fix bugs weren’t fixed, and as every cool user knows, this is free software. So I could pay for someone to fix my bugs, or I could download the source code and try to figure out what the hell was wrong with it. I choosed the second approach.