Group pitches anti-spyware guidelines

Anti-Spyware Coalition gives final definition of spyware, as it works toward industry standards.

Alorie Gilbert Staff Writer, CNET News.com
Alorie Gilbert
writes about software, spy chips and the high-tech workplace.
Alorie Gilbert
2 min read
The Anti-Spyware Coalition offered up standard guidelines on Thursday for detecting, rating and protecting against unwelcome programs that have plagued Internet users in recent years.

The group, composed of software companies and consumer advocates, also finalized its definition of spyware, veering little from the version it proposed in July.

The coalition defines spyware and other potentially unwanted technologies as programs deployed without sufficient user consent or impair user control over any of the following: privacy, system security and user experience; use of their system resources; or collection, use and distribution of personal information.

Spyware and adware have become widely despised for sneaky distribution tactics, unauthorized data gathering, the eating-up of computer processing power and other annoyances. Although adware makers say there are legitimate uses for their programs, an entire anti-spyware market has been spawned to combat the stuff.

Yet attempts to define spyware and create guidelines are also controversial. Critics fear spyware makers will use the guidelines to avoid getting caught by blocking tools, but will find ways to continue bad behaviors.

The Anti-Spyware Coalition acknowledged the concern in one of the documents it published on Thursday. "This is a valid concern that ASC discussed in detail," the group said in a document summarizing public comments it had received. "However, it is ASC's contention that the current 'Definitions' has been written with the problem in mind and leaves plenty of room for individual anti-spyware software companies to decide what fits their criteria for detection."

In its proposed spyware detection guidelines, the group said anti-spyware companies should focus on how the programs in question behave and rate them on risk. Among the behaviors the group considers high-risk are programs that replicate themselves via mass e-mails, worms, viruses and those that install themselves without a user's permission or knowledge, via a security exploit, for example.

Other high-risk programs are those that intercept e-mail or instant messages without user consent, transmit personally identifiable data, or change security settings. Using tracking cookies to collect information or running programs automatically without explicit user consent are considered low risk, according the guidelines.

The Anti-Spyware Coalition is collecting public comment on the document until Nov. 27 and plans to release a final version next year. The group said it expects the guidelines to set the stage for "best practices" for the anti-spyware industry.