Finding a Better Label for Spyware

All these definitions for what is loosely being called “spyware” are getting out of control. What has been called “spyware” is software whose publishers would prefer any one of these labels instead: adware, sponsored software, value-added software, or possibly even free software. Spyware? Never. But legislating a clear definition of spyware based on behavior makes as much sense as calling a firearm a “gun” when used to shoot at people but “sporting technology” if used for some other purpose. It’s the same (smoking) gun, and the same software. Spyware may (or may not) send information home. Same with adware. Allegedly, adware doesn’t send “personally-identifiable” information, but since all information sent through the internet leaves a trail by IP number, and finding the user system that matches an IP number isn’t rocket science, all adware is spyware. So whether the software in question has broken any laws is not something that can be settled by a label. Maybe it’s just wrong to attempt to use labels for behavior that can’t be discovered, much less proven, without knowing the intentions of a publisher, the contents of a license agreement, and the invisible internal behavior of a product.

At last year’s Federal Trade Commission Spyware workshop, a working definition for spyware was in use, specifically: “software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer’s consent, or asserts control over a computer without the consumer’s knowledge.”

Earlier this year, the FTC, in their report on spyware based on the 2004 workshop, decided that the working definition was good enough, without a formal definition based on new legislation. They can deal with the problem based on existing regulations.

Apparently, the urge to label things is strong–various industry groups have attempted definitions. Some of these groups include publishers of products sometimes self-labeled as adware. Some don’t. Many include publishers of cleanup tools.

Most of the definitions focus on whether or not a program sends out personally-identifiable information. For most computer users, the distinction is pointless. In most cleanups, information stolen is surfing results, and the damage done is theft of service and damage to computer systems. Unless there is also an identity theft, what the computer user wants is for the problems with the computer to go away, and for the computer to return to full speed.

The lawyers can have their legal definitions. Maybe they can come up with something to do with them. Legal definitions have a possible use for avoiding payment of damages to companies causing damages to computers; if a program is defined as spyware by a government-legislated definition, an antispyware cleanup program can remove it without danger of being sued for labeling a commercial product as spyware, or in other words, libeling a product with venture capital and lawyers on staff. But it’s of dubious value whether such a definition would do anything at all for the owner of a computer during an infection.

We need a more practical definition for computer owners and computer technicians. Such a definition will cover all programs installed without permission of the system owners, including silent installations (drive-by downloads), backpack installations of programs bundled with other products, and Trojan horse programs that claim to be something they aren’t.

Starting at the practical end, we need a definition of everything that needs removal. That’s everything that wasn’t installed by the user or as a needed system component. That’s a tricky bit–there are lots of hardware gadgets that include excess software. Now, I really don’t have a big problem, for example, with a program that installs an extra desktop or menu shortcut that will take the user to a value-added service that will provide additional income for the publisher. Such desktop clutter is action on a very fine line between helpful and annoying, but a few icons can be deleted easily enough, and they don’t run at startup–such icons are distracting trivia, but no big deal.

Installed auto-run programs are another matter. Some printers need software running to print, and some don’t. The cheaper printers substitute software for chips, and process fonts in the computer, and send the job to the printer as dots instead of letters and numbers. These brain-dead printers do require an autoplay component to process print jobs, and perhaps to monitor ink usage. By comparison, a traditional printer that works from just a printer driver doesn’t require autostarting software; it sends text and command codes that tell the printer what fonts and page options to use. All right, so cheap printers need one autoplay program to work. So why do some have five? I have yet to hear why a major printer manufacturer’s setup for a photo printer should include web sharing software for photographs and not offer an option to skip installing it, or why there would be four additional autoplay entries, none of which affect printing when they are deleted. Such software is neither spyware or adware. It is, however, a resource hog that slows down computers, installs without permission, and is totally useless for most owners of the hardware. I routinely disable these false drivers.

It’s not just hardware. I’ve found that most CD and DVD-burning software adds autoplay entries. Many are phoning home to check for updates. Here’s a hint for the software vendors: Get a clue. You wouldn’t buy a dozen wall clocks for your office, would you? No, you would use the clock you already have. No autoplay is required for update checks. Just create a task in the Windows Scheduled Tasks list, set it to run an update check every 30 days, and stop adding to the glut of software in memory, and stop inventing your own private task scheduler to run every time the system boots, and then hang around all day waiting for tomorrow to come.

OK, now that’s two types of software that isn’t spyware and should be deleted–accessory “products” for purchased hardware and software, and the general category of “yet another phone home for updates scheduler.” Add spyware, viruses, adware, and trojans, and let’s find a definition and a name. All these items waste computer cycles. Some of them take over, and send information home. Some don’t. They all slow down computers with no benefit to the user.

From a legal standpoint, no definition is needed. Existing privacy laws, and laws on fair trade and competitive practices, give tools to law enforcement agencies for prosecuting spyware producers. Any new definitions for spyware will just give shelter to the enemy as the producers of such products adjust their products to dance on the near side of the very fine line of legality.

On the other hand, consumers need help to determine what is a problem and what isn’t, from a technical standpoint. We need a useful definition. I’ll propose a definition and see what it’s good for: startupware.

start’-up-ware, noun, any software that configures portions of itself to automatically start with the operating system of a computer, or to start with other previously-installed software.

Note that startupware doesn’t judge whether a program is good or evil, useful or destructive. So to take this a step further:

Requested startupware: any autoplaying software whose installation asked for permission for every auto-starting component individually.

Backpack startupware: any autoplaying software whose installation asked permission to install something, but neglected to ask permission for autostarting software. Includes mismatched permissions, such as installing multiple autoplay components after asking permission to install only one.

Trojan startupware: Autoplaying software that claims to be one thing, but is another.

Stealth startupware: Doesn’t ask permission at all before installing startupware. Includes most viruses and worms, and all drive-by downloads.

So are these good or evil? Well, requested startupware is good if it works well at the job that it was described to do, and does nothing else. Stealth startupware is probably bad, most of the time. Backpack startupware is a system slowdown waiting to happen, but may actually have some redeeming value for a minority of users. Should the majority of these startupware programs be allowed on any user’s PC? Generally, no. Are they all evil? No.

Now, are these definitions are more useful than the already tainted word “spyware”? Yes, because there isn’t any question of whether a given product is startupware, and the basic label makes no judgement of good or evil. It can be identified, and the owner of a computer can judge whether to remove it or not. The auxiliary definitions also deal with permissions, not behavior.

Next, what can an antistartupware vendor do with these definitions? If they do a scan, and find startupware, they can create a list of everything running on the system, and categorize it. Program producers can argue with the category of startupware in which they’ve been placed, and provide proof of whether their product is or is not in a group, but overall, a scan for startupware can list everything found, its claimed utility, and then offer to test the system with all startupware disabled except for a private safe list, usually consisting of nothing more than an antivirus product. Most users will stop there, and find some system speed they never knew they had, but a cleanup product could also allow the option of adding back in any identified product for testing, preferably one at a time.

This reverses the current model–remove everything not known to be good. Current products allow everything they don’t recognize to autoplay. This guarantees infection as new products take advantage of newly-found security holes. They are cleanup tools for software known to be evil. An antistartupware tool is a system optimizer that reserves system resources for programs known to be wanted. Anti-spyware says innocent until proven guilty, expressed as software and policy. Anti-startupware is more practical–all new startupware is guilty until proven helpful.