William Jackson | Anti-spyware: double agent?
Cybereye'commentary<@VM>Coda | Better to test than ban social networking in the workplace
- By William Jackson
- Feb 13, 2008
The fight against malicious software can look like a game of Spy vs. Spy, with each player doing his best to put a knife in the other's back.
In the case of spyware vs. anti-spyware, it can be so difficult to tell good guys from bad that the question can end up in court. Tim Bennett, president of the Cyber Security Industry Alliance, said recently that tens of the alliance's members have been sued by content providers who bristled at the labels pinned on them by online filtering tools.
It's easy to see why, Internet law expert Phil Malone said. When a company's core business is providing software, its executives tend to be upset when someone labels their software as bad, Malone told a recent Anti- Spyware Coalition workshop. 'It is understandable that people on the receiving end might want to use legal means to fight back.'
Many coalition members liked a decision last year from the U.S. District Court in Seattle that curtails those means. Judge John Coughenour ruled that anti-spyware vendors have immunity under the Communications Decency Act and cannot be sued for interfering with other companies' business.
The Ninth Circuit Court of Appeals will consider that decision this spring. Even if it is upheld, serious questions will remain about the degree of legal protection anti-spyware companies should receive.
The decision came in the case of Zango v. Kaspersky
. When Kaspersky Lab, a Russian company that also sells anti-spyware tools in the United States, classified Zango software as potentially harmful, Zango sued Kaspersky for tortious interference with its business. Kaspersky claimed immunity under a section of the act that protects providers of technology that enables users to block material considered 'obscene, lewd, lascivious, filthy, excessively violent, harassing or otherwise objectionable.'
The law states that the section was included 'to encourage the development of technologies which maximize user control over what information is received by individuals, families and schools who use the Internet.'
'The government really can't get into censoring the Web' because of the First Amendment, said Erik Belt, lead attorney for Kaspersky. So the users are empowered with technology to block material on their own.
Zango objected that Kaspersky was engaging in 'a scare campaign intended to generate additional interest in' Kaspersky's products.
But the judge said that did not matter because the law does not require Kaspersky to act in good faith.
Zango's argument is not unreasonable.
There is a long history on the Web of bad actors generating business by spreading infections and then offering to clean them up.
I do not know if Judge Coughenour's decision is right according to the law. But if this law grants immunity without requiring good faith on the part of the blocker, perhaps it is too broadly written. Maybe Congress should revisit this issue and clarify the policy. Personal technology has a way of sneaking into the office.
Instant messaging, for instance, began as a fun way to keep in touch with friends and morphed into a business tool. Today, social networking is an increasingly popular way to stay in touch.
Managers should pay attention to sites such as Facebook and weigh the risks and benefits of bringing them into the workplace, said Kevin Haley, director of product management at Symantec Security Response. 'As with IM, there is good and bad to it.'
Social-networking technology allows users to keep in touch and share data with colleagues in an increasingly rich environment. But features are being developed without much thought to security, making social-networking sites a vector for delivering malware.
'It's inevitable when you see something as popular as Facebook or MySpace and have the ability to create applications for them,' Haley said.
Then there is the question of privacy. A great deal of personal information can be exposed on a social-networking site, especially among members of the generation that grew up online and are now moving into the workforce.
'I don't think there is an expectation of privacy in Web 2.0,' said David Marcus, security research and communications manager at McAfee Avert Labs.
As with instant messaging and wireless access, banning the technology from the office is not effective because it is likely to creep in anyway. It is better to recognize it, evaluate it, manage it and then use it appropriately.
William Jackson is freelance writer and the author of the CyberEye blog.