
Little Agreement on Spyware Guidelines


Many anti-spyware programs scour computer hard drives for those data-tracking files called cookies that we often get from Web visits. Microsoft Corp.'s tool does not. And there are disputes aplenty about whether certain widely used advertising programs circulating on the Internet are clean of spyware.

No surprise, then, that there's little agreement on what should be considered spyware, and what adware is exactly. Or on whether adware, which delivers ads, is a form of spyware or a breed apart.

Consumers are confounded. Is their computer-cleaning overzealous or not thorough enough? Are they removing useful programs with the dreck?

No less vexed are makers of anti-spyware software. They're beset by legal headaches, constantly challenged for what their products define and target as malware.

"It certainly distracts us from the job at hand," said David Moll, chief executive of Webroot Software Inc.

Help may be on the way. Led by the tech-advocacy group Center for Democracy and Technology, the anti-spyware industry is crafting definitions and plans to eventually set up dispute-resolution procedures. A draft is expected by late summer.

"A definition is the foundation," said Ari Schwartz, the center's associate director. "If a consumer's going to make a decision in the marketplace about what they have and what software they are going to use, it's helpful to have a basis to do that on."

Similar efforts, however, have failed before.

Part of the challenge stems from how the term "spyware" evolved.

"It started out as being called spyware because a lot of it was spying on people and sending personal information," said Dave Methvin, chief technology officer with tech diagnostic site PC Pitstop. "It's a catchy, quick word that is always easy for people to understand and say."

But the term stuck even as some of these programs, in response to consumer complaints, began sending back less data and became less sneaky.

In some people's minds, spyware came to include programs that change Web browser settings without asking or trick users into racking up huge phone bills by making the equivalent of "900" calls to foreign porn sites.

"'Spyware' has sort of become the euphemism for any software I don't want," said Wayne Porter, co-founder of SpywareGuide.com.

The result is chaos.

Microsoft, for instance, chose not to scan cookies because many sites need them to remember passwords and otherwise customize a surfer's experience. Cory Treffiletti of the online ad agency Carat Interactive says cookies help sites identify repeat visitors so the same ads aren't shown over and over.

But other spyware hunters flag cookies on the grounds that they help advertisers track behavior. EarthLink Inc.'s Scott Mecredy says anti-spyware programs have gotten sophisticated enough to distinguish good cookies from bad.

Then there's the question of whether "spyware" includes adware.

Claria Corp., formerly known as Gator Corp., has sued several anti-spyware companies and Web sites for calling its advertising software "spyware." PC Pitstop rewrote some of its materials as part of a settlement.

Even "adware" isn't good enough for some.

Joseph Telafici, director of operations for McAfee Inc.'s security research unit, says the company now gets one or two complaints a week from companies whose programs it has dubbed spyware or adware, compared with two or three per quarter last year.

McAfee is in the process of assigning a full-time lawyer.

Symantec Corp. sought to pre-empt a lawsuit by filing one itself, asking a federal court to declare that it had the right to call Hotbot.com Inc.'s toolbar adware. Hotbot did not respond to requests for comment.

Symantec still faces a lawsuit by Trekeight LLC, whose product Symantec brands adware.

Though it has yet to sue, 180solutions Inc. takes issue with "adware," preferring "searchware" or "sponsorware." "Adware" has become too linked with bad actors, and the industry needs more differentiation, said its chief executive, Keith Smith. Most anti-spyware vendors, however, still put 180solutions in that category.

Aluria Software LLC says one company, WhenU.com Inc., has changed its practices enough that it is now spyware- and adware-safe.

But America Online Inc., though it uses Aluria's technology, prefers a different test: What its users think.

AOL found that users overwhelmingly choose to rid their computers of WhenU's SaveNow application when anti-spyware scans uncover it, so AOL continues to list it as adware.

Adding to the confusion is the fact that many legitimate programs -- including Microsoft Corp.'s Windows operating system and Web browser -- send out data without making the user fully aware, one of the common attributes of spyware.

And many programs that spy do have legitimate functions -- people may run a keystroke recorder to monitor spouses whom they suspect of cheating. Or they may willingly accept adware in exchange for a free game or screensaver.

Anti-spyware software companies say they leave removal decisions to customers, though many users simply follow their recommendations, failing to distinguish the mild from the malicious.

"If an anti-spyware company recommends that the software (gets) blocked, consumers will typically block it," said Keith Smith, chief executive of 180solutions. "It doesn't matter how good an experience they have with it."

Alex St. John, chief executive of WildTangent Inc., says anti-spyware companies have an incentive to overlist programs: It makes their products appear effective. Better definitions, he said, would help clear his company's game-delivery product.

"We want to do anything under our power to be clearly defined as a legitimate, upright consumer company," he said. "We would love to have something to adhere to."

Guidelines could give anti-spyware vendors a better defense.

For consumers, said Tori Case of Computer Associates International Inc., "if we start using the correct terminology, we can demystify it a bit and help people understand what the real risks are."

By ANICK JESDANUN
Associated Press
