Wednesday, July 13, 2005

fyi Industry looks to unite again to tackle spyware


Pointer to article:,10801,103149,00.html?source=NLT_PM&nid=103149

Kobielus kommentary:
The Anti-Spyware Coalition (ASC) has produced a well-written, crisp, authoritative definition of spyware, plus discussion of an industry governance process (“Vendor Dispute Resolution Process”) and user protection guidelines (“Anti-Spyware Safety Tips”).

My only other comment on the draft is that ASC seems to suffer from dynamic scope creep. They seem to lump all malware into the core definition of spyware, thereby diluting their focus. The coalition defines spyware as follows:

• “In its narrow sense, Spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user. In its broader sense, Spyware is used as a synonym for what the ASC calls ‘Spyware and Other Potentially Unwanted Technologies.’ In technical setting, we use the term Spyware only in its narrower sense. However, we understand that it is impossible to avoid the broader connotations of the term in the colloquial or popular usage, and we do not attempt to do so.”

Further blurring the distinctions between spyware and other malware, they offer this further definition of the former:

• “Spyware and Other Potentially Unwanted Technologies: Technologies implemented in ways that impair users’ control over: material changes that affect their user experience, privacy, or system security; use of their system resources, including what programs are installed on their computers; and collection, use, and distribution of their personal or otherwise sensitive information. These are items that users will want to be informed about, and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable.”

I have no beef with this broader definition of malware generally. Actually, I think the ASC should rename itself the AMC (Anti-Malware Coalition) and attack the more general problem of which spyware is just one variant. Their core definition of malware highlights what, imho, is the defining feature: unsolicited, remote, persistent third-party tampering with other people’s computing and network resources.

With that as the guiding definition, I would rename malware as “tamperware” and suggest that “tamper-evident computing” should be the principal framework for defining prevention, detection, and remediation approaches.

From the user’s point of view, how can they immediately detect tampering with their computing resources, whether that tampering takes the form of spyware, adware, backdoors, bots, browser helper objects, browser plug-ins, cookies, dialers, DDoS attacks, downloaders, droneware, hijackers, keyloggers, password crackers, rootkits, screen scrapers, tricklers, trojans, viruses, worms, or zombies? How can software publishers ensure that their products are delivered to requesting users in a way that both users and publishers recognize is consent-driven, authorized, legitimate, and doesn’t create the conditions under which those products might be mistakenly tagged as tamperware? How can users reasonably give full consent (and know/accept the consequences of that consent) when they’re dealing with a steady stream of complex software downloadables that issue from various publishers, get installed/configured in sundry complex ways, and interact with local and remote programs in such a way as to open up the gates to still more software that may try to slip nasty stuff down without consent?

The industry governance issues surrounding all of this are daunting. How can software publishers ensure that their products don’t cross the tricky borderzone into apparent tamperware, and how can they make sure that false-positive tamperware identifications get reversed immediately across all anti-tamperware programs so as to not impair their continued ability to do business? How can even the most technically astute users ensure that they’re granting consent only to the most trustworthy software publishers who’ve engineered their download, installation, EULA/registration, and configuration features in such a way as to not cross the nasty divide into tamperware territory?

And how can we make our computer operating environments, like the containers in which over-the-counter medications are dispensed, reliably tamper-evident?
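One concrete reading of the "tamper-evident computing" framework proposed above, as an added example (not code from the post or from the ASC): a baseline of installed components sealed with a user-held key, so that additions, removals and in-place replacements the user did not consent to are reported, and a baseline that has itself been rewritten is caught first. Component names, hashes and the key are constructed.

```python
# Added example, not code from the original post or the ASC: a keyed
# manifest of installed components, so unsolicited third-party changes are
# visible on the next check and the manifest itself cannot be silently
# rewritten without the user's key. All inventory data is constructed.
import hashlib
import hmac
import json

# Constructed sample inventory: component name -> hash of it on disk.
BASELINE = {
    "browser.exe": "a1" * 16,
    "updater.exe": "b2" * 16,
    "bho_toolbar.dll": "c3" * 16,
}


def seal(inventory: dict, key: bytes) -> dict:
    """Return the inventory plus an HMAC-SHA256 tag bound to the user's key."""
    body = json.dumps(inventory, sort_keys=True).encode()
    return {"inventory": inventory,
            "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(manifest: dict, current: dict, key: bytes, consented=()) -> dict:
    """Compare the current inventory against the sealed baseline.

    'manifest_tampered' means the stored manifest no longer matches its tag,
    i.e. someone rewrote the baseline itself. Names in 'consented' are
    changes the user explicitly authorized and are not reported.
    """
    body = json.dumps(manifest["inventory"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return {"manifest_tampered": True}
    base = manifest["inventory"]
    added = [n for n in sorted(current) if n not in base and n not in consented]
    removed = [n for n in sorted(base) if n not in current and n not in consented]
    modified = [n for n in sorted(base) if n in current
                and current[n] != base[n] and n not in consented]
    return {"manifest_tampered": False, "added": added,
            "removed": removed, "modified": modified}


if __name__ == "__main__":
    key = b"user-held-secret"  # constructed; a real key would be user-held
    sealed = seal(BASELINE, key)
    now = dict(BASELINE, **{"keylog.sys": "d4" * 16})  # dropped in silently
    now["updater.exe"] = "ff" * 16                      # replaced in place
    print(verify(sealed, now, key))
```

The check only reports; deciding whether an unconsented change is tamperware or a legitimate update is the governance question the post raises, not something the code settles.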