Anti Spyware Coalition Watching the Henhouse

In 2003 the Consortium of Anti-Spyware Technology vendors (COAST) was formed to “collaborate on projects to increase awareness of issues involving spyware.” Their goals included helping consumers understand what had been installed on their systems, enabling them to remove what they didn’t want and pressuring the advertising software industry to change their business practices.

However, things began to unravel when several founding members (Lavasoft, Computer Associates, Webroot and Aluria) pulled out of the consortium, reportedly because of the group’s inability to create a set of standards and code of ethics. Some of those departing members also indicated that COAST had begun to certify — for a fee — certain publishers that were known by many anti-spyware firms as purveyors of spyware. Yes, my friends, allegedly the fox was watching the henhouse!

So COAST basically disintegrated and many say that was a good thing! The good news is this: in early 2005 the Center for Democracy and Technology (CDT) convened a meeting with industry anti-spyware leaders to discuss issues facing the anti-spyware industry, and the Anti-Spyware Coalition (ASC) was then formed. The new group includes the original COAST founders as well as consumer groups, academia and just about every big name in computing, including all the top anti-virus players.

Spyware has previously been defined as a computer program that, surreptitiously, gathers information without the knowledge of the user and may port that data back to another entity or as software that asserts control over a computer without the user’s knowledge.

One of the first tasks that ASC did was to create a formal definition of spyware and other potentially unwanted technologies. Their description is this: Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over the following: (1) material changes that affect their user experience, privacy or system security; (2) use of their system resources, including the programs that are installed on their computers; and/or (3) collection, use and distribution of their personal or other sensitive information.

Another task of ASC was to create a set of common industry guidelines for publishers who allege that their software has been improperly flagged as spyware. This is an important step because, well frankly, sometimes anti-spyware vendors make mistakes and it can be quite costly for a publisher to be flagged as a bad guy! The guidelines are just that — guidelines — ASC does not independently resolve the disputes but has framed recommended best practices for anti-spyware software publishers. Bravo!

ASC also has published a glossary of terms commonly used in discussions about spyware and a list of anti-spyware Safety Tips to provide basic guidelines for consumers to protect themselves and their computers. They recommend that users keep their security patches up to date, download programs only from websites they trust, read the fine print in license agreements, not be tricked into clicking anything on a popup window, beware of free software and use tools to detect and delete spyware.

In an effort to fight spyware, three U.S. Senators have introduced a bill that would attempt to combat this plague by making it a crime to offer this type of spying computer program. The bill (S.2145) is entitled “Software Principles Yielding Better Levels of Consumer Knowledge Act,” or the “SPY BLOCK Act.” Cute name!

If passed it will outlaw software that, without explicit user permission, installs itself or other programs, reconfigures settings (or redirects the user), captures personal information or keeps track of visited websites. And, this is the best part: the software must disclose in clear language each aspect of what the program will do to your computer and with your information and must obtain your consent to do so.

In addition, the software must be easily uninstallable through the “add and remove programs” feature (in Windows OS) or other standard methods. Spyware programs are so notoriously difficult to remove from infected systems they are often referred to as parasitic. It appears the proposed legislation is lingering in committee. So, we’ll have to wait to see what happens to publishers of “unwanted technology” if SPY BLOCK ever becomes law.

According to a recent study by the Pew Internet & American Life Project, nine out of ten Internet users say they have adjusted their online behavior out of fear of falling victim to software intrusions and about 59 million American adults, say they have had spyware or adware on their home computer. Additionally the project reports that 68% of home Internet users or about 93 million American adults have experienced at least one computer problem in the past year that was consistent with problems caused by spyware or viruses.

While those stats are discouraging, the report also indicated that 25% of Internet users say they have stopped downloading music or video files from peer-to-peer networks to avoid getting unwanted software programs on their computers. Perhaps there is some silver lining to the epidemic!

The report also indicated that there is a significant gap between people’s perceptions and the reality of what is on their computers. An October 2004 study by AOL and the National Cyber Security Alliance reported that 53% of respondents said they had spyware or adware on their computers, but a scan revealed that 80% of them actually had such programs installed. Yikes!

That same study found an average of 93 spyware applications on users’ computers. The thought of nearly a hundred spyware applications per computer just blows my mind. Experts conservatively estimate that for every 1,000 users in an organization, the costs of fixing spyware-related problems are $83,000 per year. Forrester Research released “AntiSpyware Adoption In 2005,” which indicated that 39% of respondents, dubbed “technology decision makers,” did not know the percentage of desktops infected with spyware in their organizations and 56% were unsure of what percentage of help desk calls were related to spyware issues. However, the Forrester report indicates that, on average, 7% of all help desk calls are made in response to spyware infections. Considering how much time it usually takes to resolve a serious spyware infection, that number is huge.

I have been infected a couple of times on my home computer — ahem — when someone other than me was using it. It takes days to “fix” the problem. In fact, I now just re-image my PC because it is easier than trying to find the culprit(s) and eliminate them. I simply keep a backup of my data on an ongoing basis so that I don’t have to deal with the potential loss of it.

Meanwhile, the need to fight spyware will push anti-spyware revenues from $12 million in 2003 to an estimated $305 million in 2005. Hum … with all that revenue to be had, how motivated could anti-spyware publishers be to find a cure?

Folks, this insidious problem is not going away any time soon. The best we can do is to alter our cyber-behavior and keep our anti-spyware and anti-virus software up to date. Remember, my little chickens, it may not be Big Brother watching you, but somebody probably is — let’s hope it isn’t a fox! Safe surfing.