September 19, 2018

CDT Report on Spyware

The Center for Democracy and Technology has issued a sensible and accessible paper about the spyware problem and associated policy issues.

Spyware is software, installed on your computer without your consent, that gathers information about what you do on your computer. It’s shockingly common – if you are a typical active web surfer using Internet Explorer in its default configuration, and you haven’t been taking specific steps to protect yourself against spyware, then you probably have several spyware programs on your computer right now.

CDT recommends that end users protect themselves by using anti-spyware tools such as AdAware, Spybot Search and Destroy, Spyware Eliminator, or BPS Spyware/Adware Remover. (I have had good luck with Spybot Search and Destroy.)

At the policy level, CDT is lukewarm about attempts to ban spyware specifically, because of the difficult line-drawing exercise involved in distinguishing spyware from certain types of legitimate programs. They argue instead for policies that address the underlying problems: installation without consent, and surreptitious monitoring of user behavior.

Kudos to CDT for advancing the policy discussion on this often-overlooked issue.

Comments

  1. Spyware and dialers

  2. Cypherpunk says:

    Spyware is often installed with the user’s consent, as a price for receiving some other software that the user desires. People complained about the BDE “Altnet” software that was installed with KaZaa, but it was in fact described in the license agreement displayed on the screen. Also, BDE didn’t “spy”, it didn’t gather information about the user, it just proposed to use (and sell) his computer’s processing power.

  3. Certainly, if you wanted to pick a really egregious example of spyware, Altnet-with-KaZaa wouldn’t be it. And if KaZaa had notified its users prominently that accepting Altnet was the price of getting KaZaa, then nobody would be in a position to complain. But apparently KaZaa chose instead to try to keep many of its users from noticing Altnet, while using the EULA to meet the minimum legal requirement for consent. Even if not illegal, this is a pretty unsavory practice.

    The fact that this kind of thing happens so often and so easily is cause for concern. The more difficult question is what, if anything, to do about it. It’s unsatisfying to propose new laws when, in theory at least, caveat emptor plus public discussion of EULA terms should be enough to protect consumers.

    Laws are probably needed, though, to ban some of the more extreme practices like eavesdropping on consumers’ browsing without notice or consent (unless these practices are already illegal).