Workshop: Sizing Up Spyware

The technology industry wants to stamp out spyware, but first there's a question of semantics: Just what is it? Everyone agrees spyware is a growing menace--one that has become a security concern for many IT departments--but defining it hasn't been easy. Now, an effort is under way to better understand the pesky programs that are clogging up computers, at the same time IT professionals are hustling to contain them.

"We have to deal with spyware/adware on a weekly basis," Scott Larsen, manager of information systems with group-travel company Groople Inc., says in an E-mail. "From a staffing perspective, the cleanup usually exceeds the time it takes to handle an antivirus infection."

The problem is complicated by the fact that a fuzzy line separates intrusive spyware from legitimate online-marketing programs called adware. Microsoft recently learned how hard it can be to distinguish what's legitimate when a test version of its new Windows AntiSpyware

tool mistakenly treated a Dutch Web site, Startpagina.nl, as a "browser hijacker." Microsoft was forced to issue an apology, along with undisclosed compensation. Last week, Microsoft issued a paper explaining how it classifies spyware and other potentially unwanted software.

Earlier this month, the Federal Trade Commission issued a report, based on an industry workshop it hosted last year, that calls on the business community to come up with a definition of spyware. "Because of the challenges of developing a workable definition of spyware, nearly all panelists expressed the concern that legislation or regulations tied to a definition of the term 'spyware' might define the term so broadly that it would inadvertently cover some types of beneficial or benign software," the FTC observed.

Despite the question of definition, the FTC's report says spyware creates substantial privacy and security risks for consumer information. The FTC sees two issues. First, people frequently aren't notified when spyware is placed on their computers. And second, the software they do seek comes bundled with adware they don't want because end-user licensing agreements often aren't clear. "These agreements give a patina of legitimacy by having some form of disclosure," says Tom Pahl, the FTC's assistant director for advertising practices. "But consumers often don't understand the choices they're making."

California and Utah have passed anti-spyware legislation, and several other states are mulling such laws. But no federal law that regulates spyware or adware exists, though several bills to do so are before Congress. One bill--HR 29, which received unanimous approval by the House Commerce and Energy Committee earlier this month--would prohibit the uploading of software that collects personally identifiable information. The bill, now awaiting a House vote, also bans adware unless users agree to its use. Penalties, under certain circumstances, can be as high as $3 million.

End-user license agreements are a big issue. When users download a software program, they should be given a clear choice about accepting or declining other software with it. Spyware doesn't give them that choice, or does so surreptitiously. "You can segment the market into responsible practices and practices that are irresponsible," says Robert Weber, president of Freeze.com LLC, which operates Web sites that distribute adware along with its screen savers and PC wallpaper.

The catch, of course, is that few users actually read the fine print in those license agreements, where "opt out" options are sometimes buried. "Everybody who's in this category needs to do a better job of educating consumers," Weber says.

For IT departments, the distinction between spyware and adware may be moot. "We don't want any of it on or around our network," says Zachary Grant, senior network engineer with health-care company Sun Healthcare Inc. "My opinion is that we're affected more by adware and spyware than we ever were from viruses." Spyware continuously ties up IT-support people as they clean up and rebuild PCs, Grant says. Sun Healthcare tries to limit the amount of spyware and adware that gets onto its PCs using application-control software from SecureWave SA. The extent of the problem is eye-opening. The computers used by a group at the National Center for Missing and Exploited Children that investigates child pornography and other kinds of illicit online activity got so clogged with spyware, pop-ups, and other malicious software that an IT project to migrate to Microsoft's Active Directory had to be delayed. The center's five-person help desk was spending all its time fixing corrupted registries and rebuilding user systems at a pace of 15 per day."Our disk drives looked like they were in a gumball machine, with all the moving in and out," says Steve Gelfound, director of IT at the center. "We were talking about isolating that group on their own network."

The center installed Computer Associates' eTrust PestPatrol Anti-Spyware software, which brought the problem under control. The software also revealed just how much of the stuff was attacking the center's PCs: 300 instances of attempted spyware installation per machine each day.

Security vendor Symantec Corp. recently conducted a study to see how much spyware and adware finds its way onto PCs during Web surfing. Symantec monitored what types of spyware and adware glommed on to PCs while users surfed to different types of Web sites. The company spent one hour per category visiting sports, kids, gaming, news, reseller, shopping, and travel sites. It found that 468 adware applications and 10 instances of spyware were left behind on Symantec's test machine. The system also was infected with seven so-called hijackers, tiny apps that redirect users' Web browsers to unintended sites.

Symantec defines spyware as applications that have the potential to steal confidential information such as user names, passwords, and financial data. Adware typically tracks Web surfers' activities, and, while generally more above board, it can be troublesome, too. "Adware can cause serious performance issues," says Vincent Weafer, senior director of Symantec's security-response team.

Even without new legislation, FTC and Justice Department officials say existing statutes give them the power to pursue those who load spyware onto PCs without the knowledge of users if the software causes harm. It's not the software itself, but the harm it can cause that gets federal authorities to act. Over the past decade, the FTC has brought 14 spyware cases. And the Justice Department recently indicted one person who installed a keystroke logger--software that tracks each key a user types--on a computer where he worked, and prosecuted another for doing the same thing on several public PCs at FedEx Kinko's stores.Some companies that do online advertising have begun to think more carefully about it. Online retailer Overstock.com Inc., which installed spyware on customers' PCs a few years ago, has stopped. "It's an ethical issue. Spyware is evil," says Jonathan Johnson, Overstock's VP of corporate affairs.

Overstock is suing rival SmartBargains.com LP in Utah for using pop-up ads to offer competitive products just as a shopper is about to check out at Overstock. "It's akin to a shopper standing in line with a cart full of merchandise at Target and a Wal-Mart greeter comes up to get the customer to buy the same stuff at the Wal-Mart across the street," Johnson says. SmartBargains didn't return phone calls seeking comment.

The pop-up ads have cost Overstock and affiliates that refer shoppers to its Web site significant revenue, Johnson says, though he declined to specify how much. Overstock now uses cookies and other software to identify visitors' shopping habits, in order to recommend other products.1-800-Contacts Inc., another online retailer and backer of the Utah anti-spyware law, uses software tools to see if its affiliates employ spyware. If they do, the contact-lens retailer removes those affiliates from its referral program, says Clint Schmidt, online marketing director. "As the brand equity leader, we have the most to lose from spyware as others piggyback on our brand awareness," he says.

While spyware is malicious and harmful, says Michael Overly, a technology attorney at law firm Foley & Lardner, adware can be a marketing tool that online advertisers use to serve targeted advertisements. But there's plenty of adware installed without users' consent, and Overly says that's illegal under California's Comprehensive Computer Data Access and Fraud Act. "There are no statistics that I'm aware of on this, but a good portion of adware we encounter is problematic under the law," he says.

The law firm is considering starting a consortium of businesses that would donate legal funds to go after companies that illegally use adware and spyware as part of their marketing practices. "We see that this affects most every type of company today," Overly says.One of the worries about adware is that few people believe the information about their surfing habits will remain anonymous. "Most people don't trust that the information collected about them online will be kept private," Overly says. "They don't believe the information about what Web sites they surf and what books or pages they read won't be connected back to them."

Adware proponent Claria Corp., which publishes advertising messages from companies and agencies to tens of millions of consumers who agree to receive advertising based on their online behavior, admits that finding middle ground between its efforts and spyware might take some time. "The proposed HR 29 federal bill would allow [online] tracking and ads as long as we provide information and let customers change their minds," says Scott Eagle, chief marketing officer at Claria. "And users are getting more savvy about what they download."

Anti-spyware tools aren't perfect, but they help. The Denver Health & Hospital Authority expects to save more than $170,000 annually in help-desk costs by using a policy-control appliance from Blue Coat Systems Inc. to keep spyware and adware off of 4,000 PCs. "Before, we had about 200 spyware intrusions per month on each machine," chief technology officer Jeffrey Pellot says. Now the problem has been mostly eliminated, he says.

Behavioral-based approaches to spyware defense hold future promise, says Gartner analyst Avivah Litan. "Software that looks for unusual behavior, such as specific open ports or a process that's logging keystrokes or programs that are trying to hide, is much more effective than [today's] signature-based anti-spyware," she says.

Benjamin Edelman, an independent researcher and graduate student of economics at Harvard University, calls the techniques used to install spyware "ripe for investigation." It's not just Web-site operators that are part of the problem, but also companies that distribute online advertising and those whose products and services are featured in pop-up ads, he says."Money is still being pumped in, and users are still being tricked," Edelman says. He has researched spyware for four years and says it's getting worse. Many PC users and system administrators agree.

--with Eric Chabrow, John Foley, George V. Hulme, and TechWeb's Gregg Keizer