The Anti-Spyware Coalition (ASC), a group of IT companies and public interest groups, is hoping to succeed where a previous vendor organization failed in tackling the global problem of spyware. The ASC released an agreed-upon draft definition of spyware Tuesday that it hopes will promote public comment and ultimately result in users becoming better educated about the dangers of spyware.
The Consortium of Anti-Spyware Technology Vendors (Coast), initially drawn from the security software vendor community, fell apart in February after a failed 16-month effort to coordinate its members’ conflicting goals and an ongoing debate over admitting companies that created spyware. The ASC, convened by the Center for Democracy and Technology, has a much wider membership than Coast.
ASC members include the likes of America Online Inc., Computer Associates International Inc., Hewlett-Packard Co., Microsoft Corp. and Yahoo Inc., along with McAfee Inc., Symantec Corp. and Trend Micro Inc., and antispyware specialist vendors Aluria Software LLC and Webroot Software Inc. The organization also numbers the Canadian Internet Policy and Public Interest Clinic, the Cyber Security Industry Alliance and The University of California Berkeley’s Samuelson Law, Technology & Public Policy Clinic among its members. The ASC was formed in early April, after a number of companies approached the Center for Democracy and Technology about forming a group to combat spyware. The organization’s web site at http://www.antispywarecoalition.org/ went live Tuesday.
Ari Schwartz, associate director of the Center for Democracy and Technology, has been heading up the ASC’s work. He said that the new antispyware consortium had learned from Coast’s experience. “The main difference between us and Coast is that we’re trying to help antispyware companies communicate better together and with consumers,” Schwartz said. “Coast was more about communication between antispyware companies and software publishers.”
Another key differentiator from Coast is that ASC has instituted a policy of full consensus membership where everyone has to agree on bringing on new members, according to Schwartz. He’s keen for the organization to include more public interest groups, pointing out that although they’re not members, the National Consumer Law Center and the Consumers Union came to an ASC meeting in Washington, D.C.
Schwartz also wants ASC to become more global. “We’ve been contacted by a couple of companies from London,” he said. Schwartz also pointed out that the group already numbers several European companies — LavaSoft from Sweden, Safer-Networking Ltd. from Germany and, new member as of Tuesday, Panda Software from Spain. Australian firm PC Tools is also an ASC member, he added.
One fear the ASC has is the potential harm spyware could be having on consumers’ Internet behavior, Schwartz said, as indicated by last week’s Pew Internet & American Life Project survey. The study revealed that 91 percent of Internet users polled have changed their behavior online to try and avoid being attacked by spyware and other unwanted technologies. Spyware isn’t only plaguing consumers.
“What we’re hearing from companies is that spyware is starting to become a bigger enterprise problem,” Schwartz said, pointing to the recent multimillion dollar contract for antispyware technology issued by the U.S. Department of Defense.
“We’d like to see more enforcement actions,” Schwartz said, adding that the ASC hopes to improve communications between antispyware vendors and law enforcement to track down spyware companies. A commissioner from the U.S. Federal Trade Commission (FTC) attended the ASC’s Washington, D.C., meeting.
The ASC is inviting public comment for the next month on documents it released Tuesday. “We’re just trying to get a foundation down,” Schwartz said. The documents include a list of spyware and other potentially harmful technologies aimed at users, a glossary defining commonly used terms relating to spyware and safety tips about how to protect against spyware.
There’s also a process laying out how to resolve disputes if a vendor believes its software has been wrongly tagged as spyware. Previously each antispyware company worked on developing its own process and spyware companies would try to play off one antispyware company against another using their various dispute processes, according to Schwartz. “We’re leveling the playing field so that antispyware companies spend less time talking about the [vendor dispute] process and more time on how to tackle spyware,” he said.
Spyware can be defined two ways, according to the ASC. “In its narrow sense, spyware is a term for tracking software deployed without adequate notice, consent or control for the user,” the organization states in its glossary. However, spyware is also used as an umbrella term encompassing not only its narrow definition, but also other “potentially unwanted technologies,” the ASC adds, including harmful adware, unauthorized dialers, rootkits and hacker tools.
In its antispyware safety tips document, the ASC has six major recommendations for users to defend themselves against spyware. The organization suggests that users keep the security on their computers up to date; only download programs from Web sites they trust; familiarize themselves with the fine print attached to any downloadable software; avoid being tricked into clicking dialog boxes; beware of so-called “free” programs; and use antispyware, antivirus and firewall software.
Come Aug. 12, ASC will review and respond to all the comments it has received, Schwartz said. The organization will then meet toward the end of August and produce a final document. “The next step is to do risk modeling, help companies make decisions about what they flag as spyware, what’s their objective criteria for flagging, and work on best practices,” Schwartz said.
Ben Edelman, a Harvard Law School student researching the methods and effects of spyware, doubts the usefulness of a uniform definition of spyware. “Users know what software they don’t like, and there’s substantial benefit to letting antispyware vendors compete to best match users’ desires and preferences,” he commented in an e-mail.
A uniform definition may actually end up benefitting spyware makers, Edelman wrote, adding, “They [the spyware makers] hope to get a single definition they can then manage to escape, and they hope to use those definitional tricks to avoid having their software brought to users’ attention for possible removal. … This is still a potential worry in any definition project, but the ASC seems to avoid many of the most obvious pitfalls.”
Although he was dubious about the potential benefits from the ASC’s spyware definition, he concluded, “Still, if the ASC promises more work in the future, perhaps their further work product will have greater benefits for users.”