William Jackson | Cybereye: Lack of definition for spyware can put security apps on trial
Recent reports on the status of IT security offer few surprises: more vulnerabilities, sneakier exploits and a growing focus on theft and fraud.
Tom Leighton, chief scientist for Akamai Technologies Inc. of Cambridge, Mass., recently summed up the state of cybersecurity in four words: 'Bad, and getting worse.'
It is not just a technology problem. Dean Turner, executive editor of the Internet Threat Report, produced twice a year by Symantec Corp., said existing tools for blocking malicious behavior and known malware offer pretty good protection.
But what is malicious code? You might know it when you see it, but that defnition's not good enough if your security vendor lands in court'and the chances of that appear to be growing.
What are missing are clear definitions of common terms such as 'adware' and 'spyware.' Without legal standards for what is malicious, 'we have to protect ourselves,' Turner said.
'We've been sued,' said Symantec government relations manager Tiffany Jones.
Symantec is not alone. Consultant Ben Edelman has documented seven lawsuits filed by spy- or adware providers since 2001 against Symantec, Zone Labs LLC, PC Pitstop, Lavasoft AB and the Internet Advertising Bureau. There were also 26 other demands or threats of legal action against a variety of companies and Web sites for having the temerity to call a piece of software spyware.
Apparently, companies whose software serves up online ads to your desktop (whether you want them or not) are touchy about other programs detecting and removing that code, and even about having their programs called spyware. They prefer the term adware. To an outsider, this sounds somewhat like a snake becoming upset because someone calls it a serpent. It's hard to see the distinction, but apparently it makes a difference to the snake (or serpent).
Symantec has been sued or threatened at least twice, once by Hotbar.com
Inc., a supplier of emoticons (among other things) for the linguistically challenged, and a San Diego company called TrekEight that maintains its software is actually anti-spyware.
So far, none of the suits against anti-spyware providers has been successful.
'But that doesn't change the fact that we're putting a lot of money and resources into defending these suits,' Jones said.
To avoid problems, the security companies want legislation clearly defining just what adware and spyware are and protecting the right of security companies to detect, identify and provide remedies against them.
At least three such bills have been introduced in the House and another two in the Senate. Although the House passed two of the bills last year, none has come to the floor of the Senate. Given the distractions of an election year in which Congress has bigger fish to fry'such as immigration reform and a budget'it does not seem likely that a federal spyware law will be passed anytime soon.
According to the National Conference of State Legislatures, spyware legislation was being considered in at least 28 states last year, and 12 states passed laws protecting consumers and computer users.
It doesn't seem too much to ask that the person who owns and uses a computer should be allowed to have the final say over what software runs on it, no matter how that software is labeled. This shouldn't take an act of Congress.William Jackson is a GCN senior writer. E-mail him at email@example.com.