Group seeks spyware's defining moment

Makers of anti-spyware tools are taking another shot at pinning down their nemesis, this time with help from consumer groups.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Makers of anti-spyware software are taking another shot at creating a definition of spyware, this time with help from consumer organizations.

A new group, tentatively named the Anti-Spyware Coalition, plans to publish proposed guidelines later this summer that define spyware, best practices for desktop software development, and a common lexicon, people involved with the group told CNET News.com.

Debate has gone on for years over spyware and adware, with manufacturers of the applications defending them as legitimate marketing tools. The terms are slippery, frequently used to apply both to the information-thieving software and the often-annoying advertising tools bundled with free software programs.


What's new:
Anti-spyware software makers are taking another shot at creating a definition of spyware.

Bottom line:
If the new coalition succeeds, its work could clear up confusion over spyware and adware, helping consumers keep their PCs clean.

"Consumers will benefit by clarity in the rules that apply to those kinds of applications. It will also help software makers understand where the line is so they can stay on the clear side of it," said David Fewer, staff counsel at the Canadian Internet Policy and Public Interest Clinic, a consumer advocacy group in Ottawa associated with the new coalition.

Both spyware and adware can impact PC performance. They're often surreptitiously installed on computers to gather information about people that is used for advertising or provided to other interested parties. The market for tools to remove the unwanted software is booming.

If the new coalition succeeds, its work could clear up confusion over spyware and adware, helping consumers keep their PCs clean. Also, the group's work could help software makers and legitimate advertisers improve their products.

While clear examples of legitimate and illegitimate behavior aren't hard to find, drawing a bright line between them has proved difficult. "The key benefit is getting a handle on the nature of the problem, industrywide (agreement) on what is accepted and what is not," Fewer said.

In an example of why standard definitions are needed, Computer Associates International earlier this year temporarily removed the Gator adware program from the spyware detected by its PestPatrol program. It has since been put back on CA's list of spyware, and the company has changed the way it deals with appeals from spyware makers.

Drafts of the coalition's guidelines are finished and should be published by the end of the summer, when they will be open to public comments, said Ari Schwartz, an associate director at the Center for Democracy and Technology.

Who's joined?

The Anti-Spyware Coalition counts software makers, online businesses and security providers among its members. Watchdog groups are taking part too, but they have an associate role.

Aluria Software
America Online
Computer Associates International (PestPatrol)
Lavasoft (Ad-Aware)
Safer Networking (Spybot)
Trend Micro
Webroot Software
Business Software Alliance
Cyber Security Industry Alliance

Also involved:
National Consumer Law Center
Canadian Internet Policy and Public Interest Clinic
Berkeley Center for Law & Technology
Consumers Union
Center for Democracy & Technology

Source: Center for Democracy & Technology

The Anti-Spyware Coalition is still in its formative stages, with all the parties involved meeting for the first time last week at the CDT offices, Schwartz said. There is commitment to form the coalition, but the group's name has not been formally announced yet, he said. The CDT, a Washington-based public advocacy group, is running the coalition.

Ultimately, according to Fewer, judging whether software is spyware comes down to three components: notice, consent and control. During installation of an application, it should be clear to the user what the tool does. The user should also have to give permission for installation and should be able to remove the application. In many cases, spyware and adware don't meet those basic rules, Fewer said.

The lack of a common approach to defining the unwanted programs has resulted in anti-spyware tools that flag perceived threats in different ways. Sometimes one anti-spyware tool will identify an application as spyware or adware, while another won't.

"There is much confusion over what spyware is and what it is not. And it starts with the fact that there is no definition," said Tori Case, director of security management at CA.

"What one person calls spyware, another calls adware, another calls surveillance software and yet another says it is not anything. That has led to a lot of confusion," Case said. "If we could all agree, that would allow us to focus our energy on (making) better products and actually protecting against this stuff."

At the same time, makers of software judged to be adware or spyware have protested the flagging of their products by anti-spyware companies, to the point of threatened lawsuits. Microsoft, one of the new coalition's members and an anti-spyware tool provider, last week asked the Senate to rewrite anti-spyware legislation to prevent such lawsuits.

Coalition members include the major anti-spyware makers and several industry groups. Some consumer organizations, including the Consumers Union, also participate, Schwartz said.

"This effort is really to try and answer questions about what consumers can do to protect themselves," Schwartz said.

Coast's rocky road

The collapse of the Consortium of Anti-Spyware Technology vendors shows the difficulties facing industry efforts to tackle the problem.

2003: Anti-spyware software providers set up nonprofit Coast, aiming to define spyware and lay down a code of ethics for software distribution.

December 2003: Founding member Lavasoft, maker of Ad-Aware, quits, criticizing the group's membership fees and focus on "revenue generation."

January 2005: 180Solutions, an advertising software maker that's drawn widespread criticism in the industry, joins Coast. The consortium downplays 180's membership, saying it plans to help adware developers reform their practices and become certified members.

February 2005: Remaining founding members Webroot Software, Aluria Software and CA walk out.

April 2005: Coast is dissolved.

Source: CNET News.com

If a user has a question about a potential threat, it should be answered in the same way, regardless of which anti-spyware company is involved, he said. "Users should not feel like they get a bureaucratic runaround from different companies," Schwartz said.

Formation of the Anti-Spyware Coalition comes two months after the collapse of the Consortium of Anti-Spyware Technology vendors, or Coast, which had many of the same goals. Coast fell apart after it admitted a company suspected of making adware, prompting the departure of several key anti-spyware members.

Despite similar goals, the coalition is different from Coast, Schwartz said. "Coast seemed to be trying to do too many things and trying to please too many people all at the same time. There seemed to be a lack of clarity as to their mission and who exactly they were serving," he said.

The Anti-Spyware Coalition won't allow members beyond anti-spyware software companies, consumer advocacy groups and distributors of anti-spyware tools such as PC vendors and Internet access providers, Schwartz said. Also, all new members have to be approved by existing members.

The participation of consumer watchdogs is also a key difference, said Richard Stiennon, vice president of threat research at anti-spyware company Webroot.

"At least there is a forum and the industry can't be accused of working blindly. It is extremely good that consumer advocates are part of the consortium because we are aligned with them," he said.

Still, while Webroot is part of the new coalition, Stiennon has doubts about its chances of success, especially in regard to the likelihood of a quick agreement on definitions.

"When you get a bunch of technologists together in a room there are very strongly held opinions on definitions," he said.