Spyware: Too Many Labels, Not Enough Clarity

Written by
Coordinator of Anti-Spyware Operations, Association of Software Professionals

All these definitions for what is loosely being called “spyware” are a problem.

Earlier this year, the Federal Trade Commission decided that a working definition was good enough, without a formal definition based on new legislation. They can deal with the problem based on existing regulations.

Various industry groups have attempted definitions. Some of these groups include publishers of products sometimes self-labeled as adware. Most include publishers of cleanup tools.

Most of the definitions focus on whether or not a program sends out personally-identifiable information. Spyware supposedly sends information that’s trackable back to you, and adware either sends non-identifiable information, or just acts as a server for additional advertising in some fashion. The difference is subtle and pointless, for most consumers–the issue is generally more of regaining system performance than of blocking surfing history. While the information stolen isn’t always significant, the theft of service, or unauthorized use of a computer and connection bandwidth, is generally an invasion, and most of the definitions focus in on trying to place a specific label, rather than using existing privacy laws and existing commercial regulation as approaches to prosecution of offending providers of software and services.

Here is the definition proposed by the Anti-Spyware Coalition:

“Spyware: The term Spyware has been used in two ways.
In its narrow sense, Spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user.

In its broader sense, Spyware is used as a synonym for what the ASC calls “Spyware and Other Potentially Unwanted Technologies.”

In technical settings, we use the term Spyware only in its narrower sense. However, we understand that it is impossible to avoid the broader connotations of the term in colloquial or popular usage, and we do not attempt to do so. For example, we refer to the group as the Anti-Spyware Coalition and vendors as makers of anti-spyware software, even recognizing that their scope of concern extends beyond tracking software.”

Compare this to the Federal Trade Commission’s definition from their workshop of April 19, 2004, titled “Monitoring Software on Your PC: Spyware, Adware, and Other Software.” For the workshop, the working definition of Spyware is “…software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer’s consent, or asserts control over a computer without the consumer’s knowledge.”

Note the hedge words “such software aides in gathering, and therefore may not actually be doing the gathering alone, or may do something else. It may send information but also may not. This is deliberately vague, and therefore flexible.

A more precise definition would be great for the spyware publishers, and even better for the publishers of adware, who would gain some protection from a legal distinction that shows that their behavior is not automatically labeled as illegal. A definition would also help some of the antispyware companies, temporarily–it would allow them freedom to label a particular ad technology and publisher as illegal, and delete that product with some partial protection from potential legal actions for libel and for removing some other company’s products. Again, that, for a time, would help.

As the industry of spyware (etc) now exists, everything that can be done, is being done, whether it is to deliver targeted ads, to steal information, or to steal bandwidth and processor time. There are no limits. Everything that can be done in the future, will be done. As new security holes are found, they will be exploited. As holes close, others open, and any new legal definition will be obsolete faster than legal action can be brought to stop newly-prohibited behavior.

Some of the definitions, including that of the Anti-Spyware Coalition, attempt to simultaneously show that “spyware” technology can have a legitimate purpose for monitoring the internet activities of children or employees. That’s a big distraction. Monitoring of that type is legal. Using the same technology to monitor which city I’m trying to find a hotel reservation for is not. Any technology-based definition of spyware may be useful for system technicians, but is meaningless for capturing illegal activity, or for proving legal use for de-listing products from a spyware removal database.

The ASC definition, by including “without adequate notice, consent, or control”, continues to include terms that require additional definitions. As such, it’s open to interpretation by the user who doesn’t know where the software came from, by the cleanup product publisher who doesn’t know what to remove, and by the courts, who will have to wrestle with the meaning of “adequate notice” before deciding whether to allow a libel claim to proceed against an antispyware publisher. The existing case law on user licenses will come into effect here; so-called “shrinkwrap licenses” have been used to hide practices just as illegal as spyware, but not quite as blatant.

The temptation to label everything is strong in this industry. Labels add structure, but they also provide innuendo, distortion, and false security. Spyware can be many things, and in the current technological landscape, it will be more varied and more devious than can be predicted with a legal definition. Working definitions can help a technician in triage and cleanup, but once enacted into regulation, precise legal definitions of what is and is not spyware can only damage the industry.

The ASC definition of spyware would be far stronger without the words “deployed without adequate notice, consent, or control.” A spy may still be a spy after the press has published a leak stating their identity. A spy camera doesn’t stop being a spy camera if it’s being used to monitor your babysitter. Screen-scraper software isn’t something else if it’s monitoring your corporate network for illegal behavior. And finally, spyware doesn’t stop being spyware if the publisher asks for permission to snoop.

Yes, that would mean that spyware can be judged on the basis of action instead of apparent intent, and on what information is being transmitted, based on existing privacy laws. That would make the identification and removal of spyware much simpler. Definitions based on intentions and permissions lead to prosecutions based on telepathy and hearsay. Definitions based on feature lists, actions, and information are practical, and can lead to a clear view of what software is useful on a system, and what should be removed.

This article was written on behalf of the Association of Software Professionals.