November 27, 2020

What is Spyware?

Recently the Anti-Spyware Coalition released a document defining spyware and related terms. This is an impressive-sounding group, convened by CDT and including companies like HP, Microsoft, and Yahoo.

Here is their central definition:

Spyware and Other Potentially Unwanted Technologies

Technologies implemented in ways that impair users’ control over:

  • Material changes that affect their user experience, privacy, or system security
  • Use of their system resources, including what programs are installed on their computers
  • Collection, use and distribution of their personal or otherwise sensitive information

These are items that users will want to be informed about, and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable.

What’s interesting about this definition is that it’s not exactly a definition – it’s a description of things that users won’t like, along with assertions about what users will want, and what users should be able to do. How is it that this impressive group could only manage an indirect, somewhat vague definition for spyware?

The answer is that spyware is a surprisingly slippery concept.

Consider a program that lurks on your computer, watching which websites you browse and showing you ads based on your browsing history. Such a program might be spyware. But if you gave your informed consent to the program’s installation and operation, then public policy shouldn’t interfere. (Note: informed consent means that the consequences of accepting the program are conveyed to you fully and accurately.) So behaviors like monitoring and ad targeting aren’t enough, by themselves, to make a program spyware.

Now consider the same program, which comes bundled with a useful program that you want for some other purpose. The two programs are offered only together, you have to agree to take them both in order to get either one, and there is no way to uninstall one without uninstalling the other too. You give your informed consent to the bundle. (Bundling can raise antitrust problems under certain conditions, but I’ll ignore that issue here.) The company offering you the useful program is selling it for a price that is paid not in dollars but in allowing the adware to run. That in itself is no reason for public policy to object.

What makes spyware objectionable is not the technology, but the fact that it is installed without informed consent. Spyware is not a particular technology. Instead, it is any technology that is delivered via particular business practices. Understanding this is the key to regulating spyware.

Sometimes the software is installed with no consent at all. Installing and running software on a user’s computer, without seeking consent or even telling the user, must be illegal under existing laws such as the Computer Fraud and Abuse Act. There is no need to change the law to deal with this kind of spyware.

Sometimes “consent” is obtained, but only by deceiving the user. What the user gets is not what he thinks he agreed to. For example, the user might be shown a false or strongly misleading description of what the software will do; or important facts, such as the impossibility of uninstalling a program, might be withheld from the user. Here the issue is deception. As I understand it, deceptive business practices are generally illegal. (If spyware practices are not illegal, we may need to expand the legal rules against business deception.) What we need from government is vigilant enforcement against companies that use deceptive business practices in the installation of their software.

That, I think, is about as far as the law should go in fighting spyware. We may get more anti-spyware laws anyway, as Congress tries to show that it is doing something about the problem. But when it comes to laws, more is not always better.

The good news is that we probably don’t need complicated new laws to fight spyware. The laws we have can do enough – or at least they can do as much as the law can hope to do.

(If you’re not running an antispyware tool on your computer, you should be. There are several good options. Spybot Search & Destroy is a good free spyware remover for Windows.)

Comments

  1. It strikes me as ironic that the first and second bullets apply to most DRM systems, and the third to many of them. Let’s face it, spyware companies aren’t the only ones seeking to impair users’ control over their computers.

  2. I was a little surprised to find the statement “you should be running antispyware on your PC” coming from Mr. Felten.

    I often argue against running anti-virus, antispyware and personal firewalls – and argue for user education instead. It’s becoming more and more clear that most security software aimed at end users was developed with the same speed and carelessness as the operating systems they’re running on. The world can’t continue this constant race of new, undetectable malware and pattern updates.

    Granted, the default install of Windows, even with the latest service pack, leaves a great deal to be desired. However, I would rather teach users how to avoid malware than teach them to rely on technology that promises more than it can deliver.

    I strongly believe even regular, non-technical users can be made to tell the difference between legitimate email and websites – and illegitimate ditto.

  3. Alex,

    I don’t think user education can solve the problem. I’m not lacking for computer systems education, and I find it necessary to use an antispyware tool. I am as scrupulous as anybody about where I click and what I download, yet spyware accumulates (slowly) on my machine anyway. Presumably it exploits security holes to install itself. I’m happy to have a tool that can remove it.

  4. Edward,

    I’d be *very* interested in a write-up examining the garbage that actually gets in. I have never experienced spyware on my system and all the computer literate people I know tell exactly the same tale.

    In most cases where I have had to clean up someone’s system, I have been able to trace any unwanted software back to something silly the user did.

  5. I think this is interesting

    http://isc.sans.org/diary.php?date=2005-07-13

    which describes an EULA that you agree to that agrees you will allow the supplier of some software (it claims to be a codec) to load anything onto your machine.

  6. … the same program, which comes bundled with a useful program that you want for some other purpose … there is no way to uninstall one without uninstalling the other too

    Not to be “that guy,” but what about PC distributors and Microsoft?

    Companies like Dell load tons of flaky programs onto computers, and there is nothing preventing one of those from one day exhibiting malicious behavior. Further, no effort is made to obtain informed consent before installing the programs “bundled with” Windows — such as Internet Explorer and Outlook — many of which have more useful competitors.

  7. At the Cybersecurity Association, we needed a definition that was both useful and testable. As Ed points out, none of the definitions of “spyware” so far are clear-cut enough. We came up with a definition of “malware” (which is really what people care about) at http://www.cybersecurity.org/malware-detection-and-removal.html.

    The two salient features are:
    – It does not appear in the Add or Remove Programs dialog in the Windows Control Panel, or it appears in that menu but cannot be fully removed using the Add or Remove Programs dialog
    – It automatically launches at system startup or user login without a clear on-screen alert to the user
    Those can be tested, and they are the essence of what angers and/or worries users. When we launch the association, we will be issuing logos for members’ programs that meet the requirements.
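The two criteria in the comment above can be checked mechanically. The following is an added example, not code from the post or from the Cybersecurity Association: it lists the classic Run-key autostart entries and flags any whose executable has no removable entry in the registry list behind Add or Remove Programs. It assumes that matching an executable to an install directory via the InstallLocation value is an acceptable heuristic; services, scheduled tasks and Startup folders are deliberately out of scope.

```powershell
# Added example: cross-check Run-key autostarts against Add/Remove Programs entries.
# Assumption: only the Run keys and the Uninstall keys are inspected; many legitimate
# installers leave InstallLocation blank, so a flagged entry is a lead, not a verdict.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Install directories that the Add/Remove Programs dialog can actually remove:
# the entry must carry an UninstallString and must not be marked NoRemove.
$removable = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.UninstallString -and $_.NoRemove -ne 1 -and $_.InstallLocation } |
    ForEach-Object { $_.InstallLocation.TrimEnd('\').ToLowerInvariant() }

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        # Pull the executable path out of the autostart command line (quoted or bare).
        $cmd = [string]$p.Value
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe).ToLowerInvariant()
        # Known if it lives under a directory that Add/Remove Programs can uninstall.
        $known = $removable | Where-Object { $exe.StartsWith($_) } | Select-Object -First 1
        [pscustomobject]@{
            Key        = $key
            Entry      = $p.Name
            Executable = $exe
            Suspicious = -not $known   # autostarts, yet has no removable Add/Remove entry
        }
    }
}
```

Run it in an elevated PowerShell session so the HKLM keys are readable, and review the Suspicious rows by hand before removing anything.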

  8. I agree with a definition that can be tested based on removal. However, it fails to include visibility of data transfer and resource use.

    The program should have a default (obviously something the user can disable) notification and permission whenever information is transferred. The reason it is called SPY ware is because it transmits information without the observation of the subject.

    The program should also have a default notification and permission about any use of resources.

    As to anti-spyware, well true I cannot rid myself of spyware. I cannot rid myself of the risk of lost material goods but I still have locks. I cannot rid myself of the risk of cancer but I am not taking up smoking. Absolute vs zero risk is not a coherent basis for decision-making in spyware or any other domain.

  9. “In most cases where I have had to clean up someone’s system, I have been able to trace any unwanted software back to something silly the user did.”

    Which in this case is “surf the internet”. I use Firefox, with Adblock, with Gfilterset, with scriptblock, and firewall, and a modified-with-nLite Windows version. Until I installed scriptblock I would find myself getting spyware for simply visiting the “wrong” website. Now all I have to worry about is cookies (although I do use SpywareBlaster AND Spybot S&D). Even Flash is susceptible to certain issues. I assure you, without all that protection my computer would have hundreds of malware instances. Nothing compared to the tens of thousands some users get (I am not joking, literally 5-digit numbers; the computers can’t even run properly when offline), but it is still impossible to avoid such things if you ever intend to use a web browser. And you just can’t ask people to give up on visiting websites.

    As a side note, I had to disable my script blocker for Freedom to Tinker to be able to post this reply. misUSE? No, just USE!