Experts weigh in on spyware's defining moment

We asked IT professionals to review the spyware definitions proposed by a coalition of tech firms and security organizations. They found plenty of room for improvement.

Trying to define spyware is like climbing a steep mountain littered with landmines, most IT professionals agree. Nobody disputes that a program that spies on your network without your knowledge and steals sensitive data is malicious. Most Trojan horse programs and keystroke loggers do that and are universally accepted as forms of spyware. The trouble begins when you start looking at adware and cookies.

Information security experts have said the challenge can't be left to legislative bodies or online user communities alone. Both have a role to play. But a non-government intermediary must bear the brunt of the storm and hammer out a technical framework where applications can be classified and defined, the experts say. Then, at least, lawmakers and the general public will have a guide to help them separate the malicious from the legitimate.

Read our spyware series:

Part 1: A wolf in sheep's clothing

Part 2: Who best to define spyware?

The nonprofit Center for Democracy and Technology teamed up with several tech firms and security organizations earlier this year to do just that -- forming the Anti-Spyware Coalition. The coalition released a rough draft of definitions July 12 and is soliciting public feedback until Aug. 12. In response, SearchSecurity.com approached people interviewed for its recent Spyware: Black and White series, asking them to review the document and make some initial observations. Their reaction: It's a good start, but there's plenty of room for improvement.

"Without question, it's a really good step in the right direction. But it's a drafty draft," said Ed Skoudis, co-founder of Washington, D.C.-based security consultancy Intel Guardians. "They're working on something never done before."

A topic of hot debate
Skoudis and Joshua Lutz, network analyst for a large Boston law firm, took particular interest in the coalition's attempt to adopt an industry-wide set of procedures companies can follow to dispute an antispyware vendor's classification of their programs as spyware. They also believe the effort will be hotly debated by accused spyware distributors and antispyware vendors alike. Lutz believes it could actually do more harm than good in the long run.

"I can easily see the vendor dispute process becoming a bottleneck for antispyware and software vendors as they try to push the limits of classification," Lutz said in an e-mail interview. "I can see them tweaking small segments of code and resubmitting the program, [and] the antispyware vendor rejecting the new code as not having met the criteria. Wash. Rinse. Repeat. In the end, it will end up costing everyone (vendors and end users) more money."

Skoudis said accused spyware distributors might complain that the final guidelines are too harsh, while antispyware vendors might complain they're not tough enough.

"Accused spyware pushers may come back and say that if the common approach is in line with the vendors who most aggressively target them as spyware, that will put them in an even more difficult position," he said. "Vendors that are more aggressive about who they list as spyware might not like it if the common approach is lighter than what they do. Those with the more cautious approach might say they're being forced to go too aggressive."

But in the end, Skoudis thinks a common approach is worth striving for. "I think it's important to have a consistent appeals process across the board for everyone in the antispyware business."

More detail needed
Skoudis and Lutz also agreed the coalition has to better classify the methodology used to install software applications.

"This is of the greatest concern to me because often the most nefarious spyware is not installed with knowledge or consent… but via exploitation of known security vulnerabilities," Lutz said. "The draft mentions that this type of installation is often performed, but offers no classifications/criteria related to the distribution methodology. In my book, for example, if you distribute your code by exploiting a flaw in someone else's code there is no better way to indicate that the software publisher/provider is being deceptive in the first place."

Lutz hopes the coalition will come up with a concrete, legalese-free recommendation on what an end user license agreement should look like. The plainer the language, the easier it will be for users to know when potentially unwanted programs (PUPs) are being bundled into software they're about to download, he said.

"They focus on the pop-up ads, which are visible or frustrating, but the document doesn't yet address the more insidious forms of spyware that tamper with your customized search engine set-up; that change the results you get from a search engine based on what the spyware author wants you to see," Skoudis said. "It also doesn't address what to do about the customized media players. It's something a lot of people want, but then there's the issue of how to deal with things that are bundled into those programs that might be considered spyware."

Skoudis also believes the current list of potential spyware is too random. "It doesn't go from least insidious to most insidious," he said. "It's all over the place. Going from a keystroke logger to a cookie seems kind of strange."

He suggested the coalition start with the lighter stuff and build its case toward the bigger threats. "That way, someone reading it can organize things better in their mind -- what they should consider the least serious or most serious," he said. "This would help them make better choices on what to block or let through."

A work in progress
Criticisms aside, Lutz and Skoudis understand this is just the first draft. The coalition itself acknowledges that it may never come up with the perfect set of guidelines, saying its goal is to lay the groundwork for better solutions in the future.

"One of the biggest challenges we've had with spyware has been agreeing on what it is," Ari Schwartz, associate director of the Center for Democracy and Technology, said in a statement. "The antispyware community needs a way to quickly and decisively categorize the new programs spawning at exponential rates across the Internet. The definitions will serve as a foundation for all future efforts to help users make more informed decisions about which programs to keep and which to delete."

Coalition members include Aluria; AOL; Computer Associates; EarthLink; HP; Lavasoft; McAfee Inc.; Microsoft; PC Tools; Safer-Networking Ltd.; Symantec; Tenebril; Trend Micro; Webroot Software; Yahoo! Inc.; Samuelson Law, Technology & Public Policy Clinic at Boalt Hall School of Law, UC Berkeley; the Canadian Internet Policy and Public Interest Clinic; and the Cyber Security Industry Alliance. The coalition has also consulted with the National Consumer Law Center and Consumers Union.