After months of work, the Anti-Spyware Coalition has published its final Definitions and Supporting Documents. A draft of this document was posted for public comment last July. The final version is far more complete and has a useful matrix that illustrates how fuzzy the definition of some unwanted software can be. Is this just a bunch of hot air, or is it the start of some real progress?
The document starts off with a pretty good summary of the problem:
Spyware has quickly evolved from an online nuisance to one of the most dire threats facing the Internet. As users struggle to maintain control over their computers, many find themselves trapped in a cyclical battle against programs that install themselves without warning, open dangerous security holes and reinstall themselves after they’ve been deleted. The worst of these programs allow online criminals to hijack users’ sensitive personal information at will. Even the most benign variants can slow computers to a crawl by wasting their processing power to provide unwanted “services.” Compounding the problem are the sophisticated ploys spyware developers use to install their programs on unsuspecting users’ computers. Spyware distributors often rely on security holes, clever cons, opaque “bundling” arrangements and other unsavory practices to spread their unwanted payload. As the threat has grown, so has the need to mount a coordinated defense against these unwanted programs and their adverse effects.
There’s also a Glossary, a document with advice for end users (“Safety Tips for Fighting Spyware”), and a process document for resolving vendor disputes.
This document is a consensus statement from a lot of companies that have economic interests in fighting spyware and not making the kind of mistakes that will get one or all of them sued into oblivion. It’s easy to say that “most folks … know spyware when they see it,” but that defense won’t hold up in court.
This document isn’t a magic bullet, and its publication isn’t going to make a single bit of difference in the average end user’s experience with this plague – at least not immediately. As Mike at TechDirt editorialized:
It’s not clear, from the description, how useful these guidelines really are. It took them five months to basically say surreptitious installs are really bad and tracking cookies aren’t quite so bad. That was pretty clear before — so it’ll be interesting to see what the various anti-spyware firms actually do with these guidelines, and if it makes any kind of a difference.
That’s right, but in my opinion it underestimates the importance of the process by which this document was produced. The coalition includes some really big names in the computing industry (Dell, Microsoft, AOL, Yahoo), all the major security companies, a strong legal component (Samuelson Law, Technology & Public Policy Clinic at Boalt Hall, UC Berkeley School of Law), and a number of public interest groups from the U.S. and Canada. It was produced after a period of public comment (neatly summarized in this PDF document). That combination produces pretty powerful legal cover, especially when a spyware vendor tries to bully a small security software provider with threats of lawsuits.
Most of the online commentary I’ve seen so far dismisses this document as an exercise in futility. I haven’t seen any of the online commentators mention that there are at least two more steps in the process. Next up is a risk model description that defines the lines between acceptable and unacceptable behaviors along with risk and consent factors that a security provider can use to make actionable decisions when those behaviors are detected. A draft for public comment is available here, with comments open until November 27, 2005.
Up until now, the battle between sleaze merchants and the anti-spyware community has been fairly ad hoc, with the purveyors of crapware acting like roving gangs and most security companies playing the role of vigilantes. Building a solid legal framework is an important step, not just to get rid of this problem but to protect the rights of people who fight this stuff.
Building this kind of legal framework takes time, a fact that can be frustrating to people who just want to wipe out the spyware. For now, at least, you’re still responsible for your own online safety.
The rule of thumb is it’s my computer, my data and my software. I paid for it fair and square.
That’s what made the PC revolution in the first place and what made it work.
Anything else is a short-term solution to make a few individuals rich, as we have seen with Windows deliberately leaving the doors open to the world. How long has ActiveX been a known hazard, ports open, etc., etc.? Since day freaking one. This was all done to make ease of use a reality for marketing.
The problem is that there are so many newbies, that now they are oldbies and they have no commitment to demanding software that is done right. They all think the advertisers are going to pay for it all. Well, look what you have.