The trouble with trying to define spyware
A group called the Anti-Spyware Coalition (ASC) is putting together a document on how to define spyware. This is how they define their efforts:
The Anti-Spyware Coalition (ASC) is a group dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies.
Although the group includes some big-name vendors like Microsoft, Dell, HP, Symantec and a few consumer groups, I do not personally see much benefit to you and me from this sort of semantic exercise. The impetus for this debate over words comes from some adware vendors who do not like it when an antispyware program includes them in its database. If spyware gets a formal definition, that will allow shady programs to be specifically designed to get around the definition. Larry Seltzer has a piece in PC Magazine that puts the problems of the ASC approach in focus. He says:
So far, it’s hard to see what the ASC documents accomplish. Sunbelt Software stayed away from ASC because it argues that adware vendors have the most to gain from consistent definitions. The authors of adware and spyware are innovative and fast-moving, and they spend as much time trying to fool antispyware programs as they do trying to fool users. Giving them consistent definitions would help them work within the loopholes in those definitions.
Moreover, there’s a lot more to writing antispyware than just defining terms. Which threats, for example, should merit a default action of Remove? What language in end-user license agreements is proper? What information needs to be disclosed during installation? These are some of the important and difficult decisions in the antispyware business, and the ASC documents don’t address them at all.
Seltzer also concludes:
So what do the ASC documents do for the poor end-user? Not a whole lot, it seems to us. Formalized definitions are more likely to constrain legitimate software than to limit the activities of spyware and adware vendors. In addition to relying on an antispyware vendor’s software and its judgments about the threat landscape, you should continue to cast a wary eye and be alert for signs that may indicate programs you’d prefer to avoid.
Nobody at ASC will care, but I have a suggestion. Instead of looking at the problem from the point of view of the vendor, approach it from the user’s side. Stop the legalistic arguing about words. Spyware, adware, whateverware: the name doesn’t matter; it’s the result that counts. I suggest that the following be used as criteria for whether software is or isn’t useful and desirable. The following are undesirable programs:
- Programs that are downloaded to a computer without the user’s knowledge
- Programs that pretend to do something but do something else
- Programs that do their stated functions but also do things unknown to the user
- Programs that have functions that are not revealed except in a hard-to-find place like the EULA
- Programs that call out to the Internet without first informing the user
- Programs that send out any information about the user or the system without asking
- Programs that change system settings or files without first informing the user
- Programs that cannot be uninstalled by standard methods
- Programs that leave behind executable files when uninstalled. (I would like to say programs that leave behind anything when uninstalled but that would include almost every program that is currently written.)
Those are my criteria. What are yours? Add a comment!

I think that your criteria are right on. How can you make the “outside world” aware of them?