Doing Something About Spyware
Many of us find ourselves in a constant battle with our own computers and our own software due to sneaky programs that install themselves and do things we don’t want to happen--while taking up valuable computing power. And it’s even worse if you share a computer with a kid: Kids not only smudge your monitor with their sticky fingers, they do equivalently nasty things to the software as well.
The work of the Anti-Spyware Coalition (ASC) in setting definitions, agreed-upon language that can be used to clearly define the myriad of spyware-type threats, is a promising new step in reducing the problem. Unlike the Can-Spam Act, with its twisted title, this group seems really serious about being against spyware. Its definitional draft is open for comments from the public until August 12. You should read it and comment.
Whoever created the title for the Can-Spam Act had a great sense of humor at the time. Most of us, and all of the general public, thought it was all about “canning” (stopping) spam and that the fact that the original meaty spam came in a can was a cool pun. Little did we understand, at least until it was all over, that the act was intended to create parameters inside of which legitimate commercial interests now find that they can do what we all thought was spam a few years ago, but legally. They just have to follow a few rules. (Oh, by the way, they changed the definition of “spam” in the process—remember UCBE, unsolicited commercial bulk email?)
We don’t all even come close to agreeing about definitions for malware/spyware. Just get any group together right now and spend a little time discussing the differences between “spyware,” “adware,” or “surveillance software.” The intent of this current work is to set agreed-upon definitions so discussions can get past that part and move toward effective action.
Given the Can-Spam Act experience, I have to be a little concerned that this group might have something of the same intent. On the other hand, the current definitional draft is a really valuable piece of work: not only should it result in standard definitions to make discussions clearer, but just reading the relatively brief 13-page document is an education in itself. The idea is that once definitions are agreed upon, lines can be drawn between permissible and impermissible software and practices, and companies will be able to clearly see how to stay legitimate. (Of course the Can-Spam Act did that, too.)
A piece of good news is that the Anti-Spyware Coalition (ASC) not only includes software manufacturers and trade associations, it includes a number of consumer advocacy groups as well. In a Silicon.com article, David Fewer of the Canadian Internet Policy and Public Interest Clinic (a member of ASC) notes that what consumers need is “notice, consent, and control. During installation of an application, it should be clear to the user what the tool does. The user should also have to give permission for installation and should be able to remove the application.”
Here’s just a part of the draft, which is titled “Spyware Definitions and Supporting Documents:”
Spyware and Other Potentially Unwanted Technologies
Technologies implemented in ways that impair users’ control over:
- Material changes that affect their user experience, privacy, or system security
- Use of their system resources, including what programs are installed on their computers
- Collection, use, and distribution of their personal or otherwise sensitive information
These are items that users will want to be informed about, and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable.
- from Spyware Definitions and Supporting Documents (PDF), p.2
A previous group, the Consortium of Anti-Spyware Technology Vendors, fell apart after a year and a half of internal wrangling. The current group says its membership is broader and likely to stick together until they accomplish something good. I’d say that the definitional draft is definitely something good already.
In the section subtitled “Examples of Spyware and Potentially Unwanted Technologies” I definitely learned a few things--having not previously known about, for example, “screen scrapers,” “droneware,” “rootkits,” “tricklers,” and quite a bit more. The document also includes a great glossary, a suggested process for vendor disputes, suggested best practices, and a section on anti-spyware safety tips.
It’s hard to believe that anyone would not benefit from downloading this document and giving it at least a once-over. It may even be useful in helping to educate our students as they arrive back on campus in a month or two.
ASC is asking interested parties to send comments by email or through this web form. Comments are due by August 12.
It’s my opinion that the folks in higher education who have to cope with the many things that older teenagers can do to their own and to their institution’s computers may have a greater amount of expertise about what matters with regard to spyware than just about anyone else. So, in a sense, we have an obligation to look over this document and let the ASC know what we think. Especially if you look ahead and realize that this could definitely end up making our jobs easier!
Please do so. Like I said, you’ll enjoy having this document as a reference piece anyway, and your comments could make it a better substrate for what is expected to be some sort of action once it is agreed upon. What have you got to lose except a few moments? Either you’ll learn something, realize that you know it all and they’ve got it right, or you’ll have something useful to contribute. Again, the comments deadline is August 12, 2005.