Spying on the spyware makers

Harvard student Ben Edelman hasn't made any friends in spyware and adware makers, thanks to his work publicizing how the programs work.

Ben Edelman may be spyware's most dangerous enemy.

The 25-year-old researcher has spent years analyzing how spyware and adware programs work and publicizing his findings. That often results in red faces and, occasionally, lawsuit threats from companies like WhenU and Claria, formerly known as Gator.

When testing spyware and adware, Edelman isn't about to sacrifice his own Windows XP computer. So he uses the VMware utility to create a virtual Windows box.

"I infect the hell out of it," he says. "It destroys the infected machine."

A law student at Harvard University, Edelman is also working on a doctoral degree in economics. CNET News.com caught up with him after he spoke at a conference in San Francisco sponsored by News.com's sister site, Download.com.

Q: What got you interested in spyware in the first place?
Edelman: I took a call from the plaintiffs in the Washington Post case against Gator. They thought what Gator was doing was absolutely destructive to the availability of free content on the Web. After all, if advertisers could buy ads from Gator to reach the Washington Post's audience, who would buy ads from The Washington Post?

I happened to think they were right. But the case settled out of court on the eve of trial, so we didn't find out for sure whether Gator's business was legit.

It's absolutely fascinating to watch Symantec and McAfee struggle with this.

How much time have you spent since then on spyware-related topics?
Edelman: It's scary. It's what gets me out of bed in the morning right now, more so than classes, more so than my dissertation research. I probably spend 30 hours a week. It's been nonstop for the past 15 months. Before that, it was quite a bit less intense.

What was the most interesting thing you've discovered?
Edelman: There's just a huge amount of money changing hands here. The biggest, richest American companies are buying advertising through spyware. The biggest, richest venture capital firms are investing in those who make this kind of unwanted software. That's names like American Express, Sprint PCS, Disney, Expedia, Guy Kawasaki's firm.

You're using the word 'spyware.' But you also mean the advertising-based networks with pop-up ads, right?
Edelman: Absolutely right. My claim is that each of the so-called adware networks has obtained installations and is still obtaining installations in ways that offer such poor notice and obtain such limited consent--sometimes none at all--that users can't fairly be said to have consented. If they didn't consent, and their activities are being monitored or transmitted, then that's spying.

Have you ever been threatened by spyware makers or adware makers?
Edelman: Yes. Some vendors have challenged the permissibility of my methods. For example, Gator was awfully angry when I posted a Web service that let any Web site operator see how Gator was targeting their site with competitors' pop-ups. They sent a series of legal papers, complaints, threats to me and my then-bosses at Harvard's Berkman Center.

I seem to remember that you had written some controversial software that tested what one adware program was doing--I think it was WhenU.
Edelman: I can't comment about that.

Ask Jeeves seems to be an above-the-board company. What's your complaint with them?
Edelman: The core problem is Ask Jeeves' installation practices. Sometimes their software gets installed without any notice or

Featured Video