Antispyware emerges, slowly, from the Wild West

After months of work, the Anti-Spyware Coalition has published its final Definitions and Supporting Documents. A draft of this document was posted for public comment last July. The final version is far more complete and has a useful matrix that illustrates how fuzzy the definition of some unwanted software can be. Is this just a bunch of hot air, or is it the start of some real progress?

The document starts off with a pretty good summary of the problem:

Spyware has quickly evolved from an online nuisance to one of the most dire threats facing the Internet. As users struggle to maintain control over their computers, many find themselves trapped in a cyclical battle against programs that install themselves without warning, open dangerous security holes and reinstall themselves after they’ve been deleted. The worst of these programs allow online criminals to hijack users’ sensitive personal information at will. Even the most benign variants can slow computers to a crawl by wasting their processing power to provide unwanted “services.” Compounding the problem are the sophisticated ploys spyware developers use to install their programs on unsuspecting users’ computers. Spyware distributors often rely on security holes, clever cons, opaque “bundling” arrangements and other unsavory practices to spread their unwanted payload. As the threat has grown, so has the need to mount a coordinated defense against these unwanted programs and their adverse effects.

There’s also a Glossary, a document with advice for end users (“Safety Tips for Fighting Spyware”), and a process document for resolving vendor disputes.

This document is a consensus statement from a lot of companies that have economic interests in fighting spyware and not making the kind of mistakes that will get one or all of them sued into oblivion. It’s easy to say that “most folks … know spyware when they see it,” but that defense won’t hold up in court.

This document isn’t a magic bullet, and its publication isn’t going to make a single bit of difference in the average end user’s experience with this plague – at least not immediately. As Mike at TechDirt editorialized:

It’s not clear, from the description, how useful these guidelines really are. It took them five months to basically say surreptitious installs are really bad and tracking cookies aren’t quite so bad. That was pretty clear before — so it’ll be interesting to see what the various anti-spyware firms actually do with these guidelines, and if it makes any kind of a difference.

That’s right, but in my opinion it underestimates the importance of the process by which this document was produced. The coalition includes some really big names in the computing industry (Dell, Microsoft, AOL, Yahoo), all the major security companies, a strong legal component (Samuelson Law, Technology & Public Policy Clinic at Boalt Hall, UC Berkeley School of Law), and a number of public interest groups from the U.S. and Canada. It was produced after a period of public comment (neatly summarized in this PDF document). That combination produces pretty powerful legal cover, especially when a spyware vendor tries to bully a small security software provider with threats of lawsuits.

Most of the online commentary I’ve seen so far dismisses this document as an exercise in futility. I haven’t seen any of the online commentators mention that there are at least two more steps in the process. Next up is a risk model description that defines the lines between acceptable and unacceptable behaviors along with risk and consent factors that a security provider can use to make actionable decisions when those behaviors are detected. A draft for public comment is available here, with comments open until November 27, 2005.

Up until now, the battle between sleaze merchants and the anti-spyware community has been fairly ad hoc, with the purveyors of crapware acting like roving gangs and most security companies playing the role of vigilantes. Building a solid legal framework is an important step, not just to get rid of this problem but to protect the rights of people who fight this stuff.

Building this kind of legal framework takes time, a fact that can be frustrating to people who just want to wipe out the spyware. For now, at least, you’re still responsible for your own online safety.

AntiSpyware to be part of Windows Vista

Ryan Naraine reports:

Microsoft has confirmed plans to bundle anti-spyware protection into Windows Vista, a move that is sure to raise eyebrows among competitors and possibly antitrust regulators.

The Windows AntiSpyware product, which currently ships to consumers as a free standalone application, will be integrated into Vista, as is indicated in the newest beta build of Vista distributed to technical beta testers on Monday.

Good. And baseline anti-virus protection should be baked in too, with the user having the option to replace it with a full-featured alternative. It’s just like the firewall bundled with Windows XP SP2. This level of protection should be a core part of the operating system. If someone files an antitrust complaint over this move, I will be among the first to complain about their move.

Oh, and this same baseline level of security should be ported to Windows XP as well. It’s only right.

Tip of the day: Get free antivirus tech support

Think you (or someone you know) has contracted a virus or been afflicted with spyware? According to Microsoft’s Security Help and Support for Home Users page, you can call 1-866-PCSAFETY (1-866-727-2338):

This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada.

If you live in another region, there’s a link to find the phone number for your area.

(Thanks to Suzi Turner at Spyware Confidential for the pointer.)

This is why we need independent sources

The normally reliable eWeek did a dreadful job with a story last week that highlighted a report from Webroot Software. The story has the alarming title Webroot: Spyware Rampant in the Enterprise. And sure enough, in the second sentence reporter Paul F. Roberts writes:

Webroot Software Inc.’s State of Spyware Report for the second quarter of 2005, claims that 80 percent of enterprise computers are infected with some kind of adware or spyware.

Meanwhile, in the story’s 15th graf, we read:

A new enterprise version of Spy Sweeper, which is being released Monday, will be able to detect and remove sophisticated spyware that changes the configuration of Windows systems and interacts with the operating system at a low level, said Brian Kellner, vice president of enterprise products at Webroot.

eWeek didn’t interview a single independent source for this story. It was essentially a press release for Webroot.

I’ve asked Webroot’s PR department to send me a copy of the report and will comment more after I see it. You can get one from their Web site, but you have to provide a lot of personal information, including company name and the number of computers in your organization. Why not make this important study freely available for download? Hmmm. It’s almost as though they’re building a mailing list they can use for sales calls.

Update: Webroot hasn’t gotten back to me yet, but Paul Roberts of eWeek was kind enough to send me a copy of the report. I flipped to the Enterprise SpyAudit section to break down that frightening 80% number. And sure enough, on page 36 is this gem: “…cookies tend to make up the largest number of infections per enterprise machine.” Cookies! As I’ve written before, cookies are not spyware. In my opinion, Webroot is totally wrong to claim that a computer containing one or more tracking cookies is “infected with spyware.” Ironically, Webroot even acknowledges this fact in a sentence buried at the end of the section (page 40): “Webroot will continue to monitor cookies until a definitive decision on whether cookies constitute spyware is determined.”

Meanwhile, there actually are some frightening statistics in that report, including the observation that 7 percent of the 60,000 enterprise PCs in their sample were infected with malicious spyware, which they define as “system monitors and Trojans.” If that data point is accurate (a point I’m not willing to take at face value, given the report’s willingness to exaggerate in other areas), it’s cause for great alarm. Even one such program is too many for comfort on any corporate network.

Claria claims to be cleaning up its act

From today’s Washington Post:

Internet Ad Pioneer Now Shunning Pop-Ups

A new service Claria Corp. is launching this month will still deliver advertising to the computer desktops of Web surfers. Only this time, they won’t be annoying pop-ups. …

[Claria] began a pilot in May of a new ad network called BehaviorLink that serves banner ads targeted to a user’s interests. With software for it installed, someone reading online news articles on maternity might get pitches for baby products. And while Claria’s pop-up ads sometimes covered up someone else’s Web site, BehaviorLink ads come with the site’s permission. In some cases, Claria buys ad space and resells it at a premium; in others, Claria works out a revenue-sharing arrangement.

The story quotes Ben Edelman, who points out that the new Claria service will still require that the user have a piece of software installed. “The question is how sneaky they are going to be about it.” Ben’s absolutely right. The big question is how the Claria software gets installed. There are too many loopholes in the whole affiliate distribution system, which allow the parent company to claim that “rogue affiliates” are actually doing the bad things. Meanwhile, of course, they benefit financially from those dishonest installations. According to the Post story, Claria made $100 million last year, mostly from pop-ups. When that much money is on the line, there are too many incentives for people to cheat, and without scrupulous third-party verification I refuse to believe that this service will be as clean as Claria promises it will be.

The company claims to have hired privacy consultants and to have cleaned up its act. We’ll see. “They have to be completely aboveboard and take extra steps other companies don’t have to do to gain trust back,” Ari Schwartz, associate director with the Center for Democracy and Technology, told the Post.

Indeed.

Trash your PC because of spyware? Rubbish!

This post is from guest blogger Carl Siechert:

On Sunday, the New York Times published “Corrupted PC’s Find New Home in the Dumpster”:

“I was spending time every week trying to keep the machine free of viruses and worms,” said Mr. Tucker, [an Internet industry executive who holds a Ph.D. in computer science and] a vice president of Salesforce.com, a Web services firm based here. “I was losing the battle. It was cheaper and faster to go to the store and buy a low-end PC.”

Until Mr. Tucker secures his computer (with a firewall, automatic updates, and an antivirus program), he’s soon going to have the same problems with his new computer. In his case, since he apparently can’t say no to installation of unwanted software, he ought to add an antispyware program to the arsenal.

In the face of a constant stream of pop-up ads, malfunctioning programs and performance slowed to a crawl or a crash – the hallmarks of spyware and adware – throwing out a computer “is a rational response,” said Lee Rainie, director of the Pew Internet and American Life Project.

No, it’s not a rational response, whether you’re looking at it from an environmental perspective or merely a technical one. Clean up your mess (or hire someone who can; the article reports the cost of professional cleanup averages $129, which is still only a third the price of the cheapest replacement computer), set up a few basic protections, and learn to not click OK to every installation prompt that pops up.

Rupert Murdoch, spyware magnate

The Wall Street Journal (paid subscribers only) reports this morning:

Seeking to expand its Web presence, News Corp. said it is buying online entertainment company Intermix Media Inc. for about $580 million in cash.

[…]

Intermix, which is based in Los Angeles, owns more than 30 Web sites, including sites that deliver online greeting cards and games, though its social-networking site MySpace.com is the best known. The network of sites attracts more than 27 million unique monthly users, News Corp. said.

The company came under fire from New York Attorney General Eliot Spitzer, who accused Intermix of secretly installing “adware” — software that delivers pop-up advertisements or similar promotions. Last month the company reached a tentative agreement to pay $7.5 million over three years to settle the accusations.

It was stupid when Microsoft was thinking of acquiring a company that has an adware division. It is double-plus bad for the company that owns Fox and Fox News to get into the spyware business. But it’s completely in character with the Murdoch empire’s complete lack of business ethics.

Microsoft won’t buy Claria

ClickZ News:

Microsoft has ended its acquisition talks with behavioral targeting firm Claria, ClickZ News has learned from a source close to the discussions. Another Microsoft source later confirmed that report.

A Microsoft staffer, who asked not to be identified, characterized the end of the talks as driven by concerns about a PR fallout that could follow a Claria purchase. That company has, in the past, been associated with spyware.

Good.

Update: Oh, and will someone please find whoever it was at Microsoft who thought this was a good idea and lock them in a room until they realize what a stupid, stupid, stupid idea this was?

Someone could even read them this quote:

I cannot believe how incredibly stupid you are. I mean rock-hard stupid. Dehydrated-rock-hard stupid. Stupid so stupid that it goes way beyond the stupid we know into a whole different dimension of stupid. You are trans-stupid stupid. Meta-stupid. Stupid collapsed on itself so far that even the neutrons have collapsed. Singularity stupid. Blazing hot mid-day sun on Mercury stupid. You emit more stupid in one second than our entire galaxy emits in a year. Quasar stupid. Perhaps this is some primordial fragment from the original big bang of stupid. Some pure essence of a stupid so uncontaminated by anything else as to be beyond the laws of physics that we know.

Just stupid.

Spyware: Defining the problem

The Anti-Spyware Coalition, which is led by the Center for Democracy and Technology, has published a draft document that seeks to define spyware and other potentially unwanted technologies (announcement is here, document is here, both in PDF format). It includes an excellent glossary and is now in a 30-day public comment period. Here’s the definition the ASC has proposed, which is followed by a table listing lots of examples:

Spyware and Other Potentially Unwanted Technologies

Technologies implemented in ways that impair users’ control over:

  • Material changes that affect their user experience, privacy, or system security
  • Use of their system resources, including what programs are installed on their computers
  • Collection, use, and distribution of their personal or otherwise sensitive information

These are items that users will want to be informed about, and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable.

Of course, any definition that a broad coalition can agree on is going to be vague and inspecific. The really hard work begins when someone tries to turn that general definition into specific, actionable items.

Whatever happened to SpyNet?

I wrote this back in February, shortly after the first beta of Microsoft AntiSpyware was released:

There’s always going to be suspicion when a single company is making go/no-go decisions on whether a program should be considered a threat or benign. That’s why I like the community-based approach introduced by GIANT AntiSpyware (the original developer of the antispyware product that Microsoft purchased). Microsoft has committed to keeping the SpyNet community as a key part of the final release.

I would like to see as much transparency as possible from all security vendors, especially when you’re talking about products that are legal but unethical. The products in this category aren’t viruses, pushed into the world by anonymous vandals. These are typically commercial products, released by identified companies. The bar to removal should be high (although the user should be able to make the level of protection more stringent). One thing I like about Microsoft AntiSpyware is that it is first and foremost a preventive measure. It alerts you when a program is trying to sneak an auto-starting module into the Registry or change your home page, and it gives you the power to stop damage before it can occur. The real problem with spyware comes when it sneaks onto a computer. Anything that Microsoft can do to prevent Windows from being misused in this fashion is a Good Thing.

Whatever happened to the SpyNet community? And can you call something a “community” when people don’t have a way to communicate with other members of the community?

Hey, Scoble, maybe you should start bringing in some guest interviewers for your Channel 9 interviews? I’d love to ask some questions of the AntiSpyware team with your cameras rolling. Don’t you think customers would enjoy that?