Spyware, Part 1

In previous articles, I've described some of the security threats and solutions that a small office/home office (SOHO) user needs to consider regarding firewalls, routers, email, and backdoor programs. One security threat that I haven't examined is spyware. Spyware is a threat to your data, and its use violates programming ethics.

Loosely defined, spyware is software that covertly sends and receives information about a person or an organization without that party’s express consent. Most frequently, spyware comes in the form of software that you've installed on your systems—a component that quietly gathers information (e.g., usage statistics, browsing patterns, and marketing data) to send to the software's manufacturer or to third parties. If you install such software, and you're aware of the program’s intended purpose, that software isn't spyware.

For that reason, cookies are not spyware. Cookies are small files that a Web server creates and, with the Web browser's cooperation, stores on a user's hard disk, providing a way for a Web site to keep track of a user's patterns and preferences. However, most Web sites have options that let you turn off persistent features like cookies. You can also configure your Web browsers to prompt you about whether to allow or deny the cookie to be set. Because the Web site gives you the option of not using the cookie option, cookies don’t fall under the same category of privacy-degrading programming as spyware. In fact, DoubleClick, a company that hosts and distributes most of the banner advertisements you see on popular Web sites, altered its user policy after a public outcry. Previously, the company had used cookie information, along with information from its vast marketing database, to develop targeted advertising to send to users without their permission. DoubleClick's current policy doesn't permit the company to construct personally-identifiable information about the use without the user's explicit permission—a big step forward in protecting your privacy.

Unfortunately, software vendors and advertising companies promote spyware as a positive feature, claiming that using spyware is a way for authors of small, useful programs that aren't marketed by large companies to ensure a constant stream of revenue when releasing their products to the public. Many advertising agencies offer a way for shareware authors to include banner ads in their products, and in return, the author gets a percentage of the ad sale revenue. This way, the agency pays the author for unregistered copies (where advertisements are functional) as well as registered copies (where venders turn off advertisements). As fair as this might seem, advertisers overstep some boundaries. The code to include the ad banners in shareware sometimes performs other functions of a more discreet nature—tracking what you do online, how you use the program, and even with which people you correspond. The software uses your Internet connection without your knowledge to continually report back to the company. Most companies' customer service and privacy statements claim that they won't collect or subsequently distribute sensitive information about you, but a gaping security hole remains. You’re unknowingly leaking information to another company, which invites unsolicited advertising campaigns and other nuisances.

In spite of the ominous name, spyware is not illegal. However, most users have concerns about privacy, and they want companies that use spyware to address these concerns. Although privacy-conscious companies disclose in their privacy statements the nature of data that they send to and receive from spyware, users have little control over this data. Moreover, even if it's not used now, spyware has the potential capability to gather and send much more than just usage data. Also, in addition to privacy and security concerns, resource-hogging spyware and adware can cause systems and browsers to become unstable and slow. For users who pay for dial-up services according to the amount of time they use, ad-loading and hidden communications with servers can become costly. Nevertheless, many Internet users who have advertising-supported spyware products installed on their machines don't even seem to be concerned about this security breach—but they should be.

One corporation that users have criticized for not plainly indicating what data it gathers and for making it difficult to remove its programming is Aureate Media, a company that makes tracking software that's embedded inside many popular downloads and applications—about 300.

Aureate software makes applications that collect and send data about you and your computer back to Aureate or the companies who have built Aureate's software into their applications or downloads. In July 2000, alert users discovered that another company, RealNetworks, which was distributing spyware integrated with its RealDownload, Netscape/AOL Smart Download, and Netzip Download Demon software. RealNetworks claimed it was unaware of the presence of the monitoring code in its software, but the fact that the software contained the spyware functionality is unnerving.

The US Senate is now looking at the problem with spyware and other surreptitious software. Senator John Edwards, a Democrat from North Carolina, has proposed a bill that would require manufacturers and developers to indicate that their software has monitoring code integrated into it. At the time of installation, a message would appear on the screen displaying what information the program collects and who gets the data. The customer can then decline to activate the monitoring code. This bill would also mandate that usage data that companies send to a third party from monitoring code would have to be encrypted for additional security and privacy. Senator Edwards said, "I have been closely following the privacy debate for some time now, and I am struck by how often I discover new ways in which our privacy is being eroded. Spyware is among the more startling examples of how this erosion is occurring."

What can you do to protect your SOHO from spyware? In Part 2 of this article, I'll discuss the options you have for determining what software has spyware and how to eliminate the offensive programs from your system.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.