
The spyware inferno

Venture capitalist Sharon Wienbar explains why any rational discussion ultimately tends to wind up swallowed into something resembling Dante's Nine Circles of Hell.

The proliferation of advertising programs on the PC is called by many names--most of which involve unprintable language. To the Slashdot crowd, it's spyware and its authors should be burned at the stake. Some in Congress call it "cyber trespass" and want to outlaw specific "deceptive practices." To Claria, the biggest company in the niche, it's extraordinarily profitable to the tune of $90 million in revenue and $35 million in profit last year. To most Net surfers, it's an annoyance they don't understand.

But to small developers and content providers, it's a way to make a living that's much more consistent than hoping downloaders pay for shareware. Because of varying degrees of intrusiveness and offensiveness, I've placed the various programs that are considered "spyware" into nine distinct circles, similar to Dante's "Inferno."

The word "spyware" first appeared on the Usenet on Oct. 16, 1995, in a humorous post about Microsoft's business model. A Lexis/Nexis search shows that the word was used for spy equipment such as small cameras until about 1999 when Zone Labs used it in a press release for their Zone Alarm Personal Firewall. From there, the word quickly entered common usage, prompting the first anti-spyware program--Steve Gibson's OptOut--which appeared in early 2000.

While 1999 marks the beginning of the modern usage of the word, there is vast disagreement on what "spyware" means. The term "spy" is misleading because even some of the most annoying software doesn't actually send any information back to the server, though it does retrieve plenty of information. Computer security people tend to call it all "malware," meaning it is harmful software. The people who write it like to call it "adware" to distinguish themselves from the remote access Trojans and keyloggers that can safely be called spyware.

So why did adware evolve? Unlike viruses, it's not written by shadowy programmers looking to vandalize the Internet. Fundamentally, three forces created adware: the failure of the retail software model for low-priced software, the rise of peer-to-peer apps, and the rise of cost-per-click advertising.

Download Adware's Nine Circles of Hell PDF

For whatever reason, selling software for $30 or less has not worked for new entrants in either retail or Internet channels. In retail, most of the high-value applications (such as tax software or an operating system) have entrenched players. The one recent exception is video editing and DVD software, where Intervideo was able to succeed in retail.

Likewise, people expect most low-functionality software for free on the Internet. Most great Internet-based applications have been free: the IM client, the Web browser, Web-based email, even chess and card games. Shareware conversion rates have thus been terrible, and companies that started with this model had to be aggressive and morph their business models. (An example is Zone Labs.)

It should be noted that IM clients, Web mail and casual games have so far been monetized via advertising. It's just that the maker of the software (say America Online or Yahoo) also happens to have a large advertising sales force and network. Smaller developers have to outsource this function via adware. This accounts for a lot of the adware in screen savers and little utilities but is a small part of the adware out there.

Virtual money laundering
To really explode, adware required two forces: the rise of peer-to-peer applications and the rise of cost-per-click advertising. Imagine you own a peer-to-peer file-sharing application (for example, Kazaa) that is being used for copyright infringement en masse. People will do almost anything to get it, short of paying for it directly. So you get an adware distributor (say Claria, formerly Gator) to pay per installation of your application if you will bundle its adware. Claria spent about $19.3 million in 2003 on distribution arrangements such as this, or about 43 cents per active user.

To cover the installation payment, the adware watches the user's Web surfing and advertises accordingly, usually with a pop-up ad. For example, when we visited the Dish Network home page with Claria installed, an advertisement for DirecTV popped up. This is politely called "contextual advertising."

The advertiser, DirecTV in this case, often has a contract directly with the adware distributor, but often the relationship is indirect, through a cost-per-click network such as Overture. (Claria derived 31 percent of its revenue from Overture in 2003.) Note that Overture, in its final public filing before the Yahoo acquisition, averaged over 43 cents per click, thus covering Claria's user acquisition costs on the first click.

Thus the process starts with the file-sharing taint, but gets washed by the adware vendor and the cost-per-click vendor until it is finally clean enough for the advertiser to buy into.

Legal purgatory
As one can imagine, this is controversial for a number of reasons. As stated in the introduction, Dante's Nine Circles of Hell provides a framework for describing spyware. In part this is reflected in the fact that the most religious (namely the Utah legislature) are the most fervent objectors. Utah passed an antispyware law, the Spyware Control Act, that prohibits contextual advertising, or pop-ups based on what Web sites a person visits--unless at install time, everything ranging from what data is transmitted to representative ad examples is disclosed. In addition, any software would have to be obviously removable and could not send back personal information without full disclosure.

The U.S. Congress has gone a step further and is considering outlawing many of the practices used in spyware as did the state of Utah. To get a more granular understanding of this controversial software, I believe an older paradigm is needed--Dante's "Inferno." It may seem extreme, but as anyone who has ever downloaded some of these programs can attest, it is apt. In addition to ordering the level of sin, I have added what House Resolution 2929--the Spy Act--says about the software.

At BA Venture Partners, we would not consider any application that uses pop-ups, is distributed through file sharing such as Kazaa or is not removable. Beyond that, we would look for applications that provide consumers value and would be installed on their own if people knew about them.

The aggressive tactics of some advertising-supported software have given the whole sector a bad name. But if the software is fully disclosed and doesn't rely on intrusive methods such as pop-ups, the consumer should have a choice to view ads in return for software. What's more, the developer should have a right to make money. Beyond these guidelines, the legal risks and moral problems become clear, and legitimate businesses should stay away from these practices. So we certainly would not consider anything beyond Circle 3.

It is a fitting conclusion that we venture capitalists are comfortable with Circle 3: It is where the gluttons go.