The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/apr24,2004.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
As everyone with an internet connection has no doubt heard by now, on April 19 the Federal Trade Commission (FTC) held a workshop on the issue of spyware. The discussion ranged from how spyware should be defined to what it does and how it affects consumers, their computers and their overall internet experience.
I was hoping to be a panelist at that workshop. However, they decided to trim the size of each panel and I was bumped. I don't believe it really matters. I don't believe anything useful will result from the workshop. All signs point to an effort to have companies regulate themselves and an establishment of "Industry Best Practices", whatever that means.
The day before the workshop, PC Pitstop held a conference at The Hotel George to discuss the FTC workshop and the entire spyware issue. Besides myself, there were Rob Cheng and Dave Methvin of PC Pitstop, Paul and Robin Laudanski from ComputerCops.biz, Bill Pytlovany of WinPatrol, Steve Reutter of Pest Patrol, Eric Howes from the University of Illinois and Ben Edelman from Harvard University.
The first of the six panels was very discouraging. It included Avi Naider, CEO of WhenU and Marty Lafferty of the Distributed Computing Industry Association, a group which proudly lists Gator/Claria as a member. The topic for this first panel was how to define spyware. Given that WhenU itself is considered to be spyware, things did not start well.
Predictably, Naider at one point said that "adware is the most promising technology for the internet today" and that it is "pro consumer and pro competition". He also said that software which can show you contextual, relevant coupons is a good thing. That may be his opinion, but several tens of millions of people tend to disagree.
One amusing moment came when someone mentioned a recent survey of WhenU "users" conducted by PC Pitstop. The survey found that 87% of people with WhenU's software on their PC had no idea it was there. WhenU's CEO, Avi Naider, stuttered for a second before saying that he had not seen the survey.
Naider maintains that his "users" know the software is being installed beforehand and tried to back this up by saying that of 100 million users, 80 million had uninstalled the software. If you ask me, those 80 million people probably are also users of Ad-aware or Spybot and discovered the software after it had been installed. Also, when 80% of your users remove your software, something clearly is wrong.
There is the sort of spyware that comes from installing programs like Kazaa and Imesh. This kind of spyware will track your web usage to produce more relevant pop-up ads. This is an annoying and unfair invasion of privacy. However, other than the aggravation of dealing with pop-up ads and spam, this kind of spyware usually is not dangerous. These can be cleaned up relatively easily with Ad-aware and Spybot.
More dangerous are the surveillance and monitoring programs. These programs are used to steal passwords to bank and credit card accounts. A business rival can bribe an employee to install spyware on the company network. Or the company itself might install spyware to watch you while you work. These programs cost money to buy for testing and not all antispyware companies can afford to keep up with each new version.
SpyCop is the leading solution for finding computer monitoring spy programs, keyloggers and commercially available software designed specifically to record your screen, email and passwords. SpyCop will detect the spy, tell you when it was installed and disable it. SpyCop claims to have the largest database of surveillance spyware, 401 targets in all.
More information about SpyCop: http://www.spywareinfo.com/downloads/spycop/
PC Pitstop's survey was not the only piece of bad news for WhenU during the workshop. In a later panel, Chris Jay Hoofnagle of the Electronic Privacy Information Center urged the FTC and other parties at the workshop to review a public comment filed by Ben Edelman concerning WhenU.
Ben Edelman is a Harvard Law student and PhD candidate who has become very active in the antispyware movement. He represented 1800Contacts when that company discovered that WhenU's software was popping up advertisements based on their web site's content. Further, he had a part in creating Utah's Spyware Control Act.
Edelman has filed a comment at the Federal Trade Commission concerning spyware and it is very interesting. He says he has logged evidence that Gator/Claria's software and WhenU's software are "spyware", not "adware", even if using the strictest definition of "spyware". He says he even has caught WhenU violating their own privacy policy.
From Edelman's comment filed with the FTC:
16. I have reviewed the WhenU privacy policy, and I have concluded that WhenU violates this policy when it transmits to its servers some of the specific URLs viewed by WhenU users. The policy reads, in relevant part, as follows: 'As the user surfs the Internet, URLS visited by the user (i.e. the user's 'clickstream data') are NOT transmitted to WhenU.com or any third party server.'
17. In my examinations, it is true that WhenU software does not transmit to its server all URLs visited by WhenU users. But WhenU software does transmit to its server some URLs visited by WhenU users. Since WhenU's privacy policy seems to promise not to transmit any URLs visited by WhenU users ('URLs are not transmitted'), I consider WhenU's transmissions to be in violation of its privacy policy.
All in all, despite the CEO being on the panel discussing the definition of spyware, WhenU did not have a very good day.
The audience was invited to submit written questions during each panel, some of which were read at the end and answered by the panelists. My submission to the first panel was read where I asked the following: 'wouldn't it be better to identify behavior that needs to be regulated rather than simply defining spyware and regulating that?'. One of my examples of bad behavior was software which aggressively resists being removed, something which is becoming more and more common these days.
Mark Bohannon of the Software & Information Industry Association answered by saying he does not believe consumers should have a specific legal right to uninstall software from their PC. I wanted to rise up out of my chair at that rubbish.
I'm sorry Mr Bohannon, but it doesn't work that way. When I buy $2,000 worth of PC equipment, that hard drive is my private property to do with as I wish. Just as I can remove some politician's "vote for me ... FOR THE CHILDREN!!!!" sign from my front lawn, I should be able to remove any software program from my computer. Any software which refuses to be removed is violating my property rights and the company which developed it should be sanctioned for creating it.
The first panel was not a complete disaster however, as Ari Schwartz of the Center for Democracy and Technology (CDT) was a panelist. Ari had several good points to make. I also liked what Ed Black of the Computer & Communications Industry Association had to say. Black appeared to lean more towards punishing the nasty habits of spyware than trying to define it.
The later panels were more encouraging. Finally, the massive problem that spyware has become was discussed in the most public forum possible. The incessant whining of spyware companies that only people who dislike advertising complain about their products finally was put to rest.
Representatives from Dell and McAfee agreed that trouble caused by spyware accounts for more tech support calls than any other issue. I personally have talked with scores of tech support persons working for Internet Service Providers about the enormous volume of calls caused by spyware-related problems.
One ISP, SpeakEasy, has grown so frustrated that they have decided to take matters into their own hands. SpeakEasy has started redirecting all attempts from their Seattle customers to load coolwebsearch.com to a page on their company web site. The page alerts the user that they have a virus and provides a link to CWShredder, the only tool able to keep up with all of the scores of mutations of the coolwebsearch trojan. Speakeasy's coolwebsearch redirection should be rolled out nationwide soon.
One of the largest ISPs in the world, AOL, also plans to deal with spyware in a more active role. AOL's vice president for Integrity Assurance, Jules Polonetsky, announced that spyware detection will be built into AOL's software and will run automatically when a user logs on. If I'm not mistaken, that software will be based on Aluriasoftware's Spyware Eliminator.
McAfee's Bryson Gordon showed some statistics that were mind boggling. Millions upon millions of spyware programs have been removed by McAfee's antivirus and antispyware software in the last eight months. McAfee has removed four million, two hundred thousand dialer programs during that time. Over 300,000 keyloggers were detected. Roger Thompson of Pest Patrol said that his company is discovering over 4,000 new "pests" and 300 adwares every month.
Google's senior policy counsel, Andrew McLaughlin, discussed the two most hated companies on the internet, coolwebsearch and lop.com. He showed slides of one variant of CWS which adds adult-oriented links to the bottom of Google's home page. The entire room gasped in one collective voice as they looked at the links added by CWS. I can't repeat any of the link descriptions because it would set off every spam filter in the world. He also showed lop.com's toolbar, which interferes with Google's own toolbar.
Perhaps the most encouraging piece of information came from Microsoft's Director of Windows Privacy, Jeffrey Friedberg.
With the release date for Microsoft's next operating system, code named Longhorn, having been pushed back to 2006, Microsoft has decided to create a new service pack for Windows XP to address its many security problems. Service Pack 2 seems to have been created with the problem of browser hijacking and drive-by installations in mind.
I have had many harsh words for Internet Explorer in the past. Current and past versions of MSIE make it far too easy to install a browser hijacker and make it too difficult to secure against them. I have to say that I am extremely impressed by the changes I've seen with Internet Explorer in XP SP2.
To start with, the ActiveX drive-by installer will be a thing of the past. Regardless of security settings, there will be a prompt whenever an ActiveX control is downloaded and tries to install. This prompt also will occur only once per page. This ends the problem of sites trying repeatedly to make you accept the ActiveX installation.
With SP2, you also will be able to block all content signed by a certain company. In the past, you only could choose always to accept content from a company. The new prompt will give you the option of always trusting content from the company trying to install an ActiveX control or always refusing content from that company.
Currently, you can block ActiveX CLSID numbers to stop known spyware-infected ActiveX controls from running. Unfortunately, several spyware programs have started using random numbers for a CLSID, making efforts to block them pointless. With XP SP2, programs such as SpywareBlaster will be able to block any ActiveX control signed by a company, regardless of what CLSID it uses. Those digital signatures are expensive to purchase and no doubt it will be far too much trouble to generate them just to circumvent efforts to block them.
Microsoft also will include an "add-on manager" which will let the user see what toolbars, browser helper objects, ActiveX controls and browser extensions are installed. The user also will be able to disable those add-ons. Say goodbye to unwanted toolbars and pop-up generating BHOs.
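An added example (not from the newsletter) that audits, on a Windows host, the two blocking mechanisms contrasted above and lists the add-ons the new manager would expose: CLSID kill bits, certificates in the Disallowed store (where Internet Explorer keeps its Untrusted Publishers list), and registered Browser Helper Objects. The registry paths and the store name are standard Windows locations that the text itself does not name.

```powershell
# Added example, not code from the newsletter. Assumes a Windows host and the
# standard registry locations for ActiveX kill bits and Browser Helper Objects.

$killBit = 0x400   # bit in "Compatibility Flags" that kill-bits a CLSID

# Per-CLSID blocking: the mechanism random CLSIDs can sidestep.
function Get-KillBittedClsids {
    $base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band $killBit) -ne 0) {
            [PSCustomObject]@{ CLSID = $_.PSChildName; Flags = ('0x{0:X}' -f $flags) }
        }
    }
}

# Per-publisher blocking: certificates the user has marked as untrusted land in
# the Disallowed store, so a control signed by them is refused whatever its CLSID.
function Get-UntrustedPublishers {
    Get-ChildItem -Path Cert:\CurrentUser\Disallowed -ErrorAction SilentlyContinue |
        Select-Object Subject, Thumbprint, NotAfter
}

# BHOs register under this key; resolve each CLSID to the DLL it loads so an
# unfamiliar toolbar or pop-up generator can be tied to a file on disk.
function Get-BrowserHelperObjects {
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        [PSCustomObject]@{ CLSID = $clsid; Dll = $dll }
    }
}

'== Kill-bitted CLSIDs ==';     Get-KillBittedClsids    | Format-Table -AutoSize
'== Untrusted publishers ==';   Get-UntrustedPublishers | Format-Table -AutoSize
'== Browser Helper Objects =='; Get-BrowserHelperObjects | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; a BHO whose Dll column is empty or points outside Program Files or System32 is worth a closer look.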
Since it appears that the government is going to go the self-regulation route, this new technology hopefully will put a serious crimp in the ability of browser hijacking web sites to install their viruses.
I do have to question the decision to distribute these changes through a service pack for Windows XP rather than as a service pack for Internet Explorer. Microsoft seems to be putting profit before security by not making these changes available to users of Internet Explorer on older versions of Windows, such as 2000 and ME.
It is well known that Microsoft is not pleased with the number of people who have not upgraded to XP. This appears to be just another way to coerce people into doing that. If Microsoft is serious about trying to protect their customers, these changes will be released as an Internet Explorer 6 service pack.
It is obvious that I do not like how the workshop turned out. My biggest worry was that the FTC was going to create a box, write the word "spyware" on that box and then leave us all with the problem of software which does not fit into that box. That would leave out most dialers and browser hijackers. However, it is even worse that they are leaning towards self regulation by the industry. We've all seen how well that worked for the spam problem.
Here is how I would solve the problem of spyware, adware, browser hijackers, dialers and every other malicious piece of software out there.
Rather than trying to create a legal definition of "spyware" and "adware" and then regulating any software that falls within either category, the FTC should regulate the behavior that makes spyware so obnoxious. Legal definitions can have loopholes and many spyware companies have clever lawyers. So let's just ignore the term entirely and be concerned only with the behavior.
Coolwebsearch can argue all they want that their software is not spyware or adware or a browser hijacker. What they cannot dispute is that their software makes irrevocable changes to Internet Explorer and Windows. What Coolwebsearch cannot argue about is that their software actively resists removal. Instead of trying to define "spyware" and making Coolwebsearch's software fit into it somehow, let's spend our time outlawing its behavior.
I propose to make the following activity illegal:
Making alterations to any web browser which cannot be reversed by the built-in tools.
If Coolwebsearch wants to change the home page to coolwebsearch.com, that is fine. If their software resists the owner's efforts to change the home page back to the owner's preference, that should be illegal.
Resisting the removal of unwanted software.
Once installed, software must not resist being removed in any manner. A PC is private property belonging to the consumer who purchased it.
If the software is going to provide its own uninstaller, that uninstaller should be provided along with the software. No one should be forced to go to a web page and either download a separate uninstaller or trust an ActiveX control to remove the software. Very often, spyware will destroy a PC's internet connection, so the owner might not be able to go online at all.
Installing without clear and explicit consent.
Software should not be allowed to install unless the owner has given clear and unmistakable consent to its installation. This does not include an ActiveX security warning that pops up in Internet Explorer. This does not include clicking "I agree" to a 10,000 word EULA. Before CoolWebSearch can copy a single file to a person's hard drive, a box should pop up asking "Do you wish to install this software from coolwebsearch.com?". This dialog box should appear regardless of browser security settings.
This would include software bundles, where more than one distinct piece of software is being installed. If KaZaA is going to install Cydoor adware, it cannot do so without first informing the user that it is a separate piece of software and asking permission to do so. If Sharman Networks wants the KaZaA installer to exit if you choose not to install its sponsor(s), that is their choice.
This also includes auto update functions, regardless of which program they belong to. No software should be allowed to install software on someone's property without first gaining the consent of the owner. If someone wants to go into the options menu and specifically allow a program to do that, that is perfectly fine. If a piece of software does this without first gaining explicit consent to do so, that should be illegal, without exception.
Transmitting information without clear consent.
Software should not be allowed to transmit any data to its vendor or any third party without the owner's explicit consent. If Gator/Claria's software is going to transmit the address of a web site I visit, regardless of the reason it is transmitting it, this fact needs to be disclosed to me before it is installed. If Wild Tangent's updater is going to transmit the specifications of my hardware, regardless of the reason it is doing so, this fact should be disclosed before it is installed. I should be required to check a box stating that I understand that this information is going to be transmitted before the program finishes installing, separate from the EULA or security warning or whatever.
Generating advertisements of any sort without disclosure.
If Gator/Claria's software is going to launch a pop-up ad every time I search for a hotel room or eye glasses, so be it. However, their installer must inform me before the program is installed that it will be displaying advertisements and in what form those advertisements will be displayed.
I believe this covers just about every nasty habit common to all software referred to as "spyware", "adware", "malware", "grayware" or any other such label. These are common sense requirements that can be and should be applied to all software, regardless of whatever label someone cares to give it. It protects consumers and avoids the inevitable problem of a company finding a loophole in a legal definition of "spyware".
It also does something that very few software companies do these days; it would force them to show respect for the user and to acknowledge their property rights. Any company that would refuse to follow these guidelines is declaring its contempt for the user and displaying a shameful lack of ethics.
That is how I would solve the problem. It is not unduly burdensome. It does not ban spyware or adware or threaten to put any legitimate company out of business. It simply forces companies to behave in a certain way that is to the benefit of all consumers.
I will be filing what I have written here at the FTC and I hope someone there listens.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners. All rights reserved.