The battle lines are drawn in the war on spyware

LAS VEGAS'The good news from the war on spyware is that there seems to be less support for organizations engaging in questionable behavior such as installing adware on the computers of unsuspecting users.

'There were a lot of companies getting venture capital in this gray area,' said Ari Schwartz, deputy director of the Center for Democracy and Technology. 'That is less the case now. We're starting to see more of a distinction between what is and is not spyware.'

That distinction has resulted in enforcement of existing laws against spyware distributors at both the state and federal levels.

But the bad news is that as the gray hats are being weeded out of the industry, the real bad guys are being left with the field to themselves.

'We're seeing a lot more cases of keystroke loggers,' Schwartz said. 'There is no question that all of this has to do with money.'

Schwartz moderated a panel discussing the corporate threat of spyware during this week's Black Hat Briefings.

The CDT coordinates the Anti-Spyware Coalition industry group. It took a leadership role in the issue because spyware, privacy and user control are closely tied together, Schwartz said. The ability to retain privacy gives the Internet the potential to be the most democratic medium we have, and spyware threatens this potential, he said.

The industry groups formed the coalition a year ago to not only help in the development of standardized practices for combating spyware, but also to hash out ethical and legal questions of just when software crosses the line from gray to black.

'They really needed to bring in some of the public interest viewpoint,' Schwartz said.

In the past year the coalition has grown to 40 companies, including Internet, hardware and software heavyweights such as America Online, Dell Corp. and Microsoft Corp., as well as public interest groups such as the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley School of Law.

Some agreement has been reached on what constitutes spyware. A number of companies have engaged in questionable behavior, such as installing software to deliver advertisements to a user's desktop based on their browsing habits. Everyone agrees this is irritating, but does it rise to the level of a crime?

At the very least, 'it played into the idea that it was OK to get on a user's computer surreptitiously and hang on by any means possible,' Schwartz said.

There have been calls for anti-spyware legislation, but it has been difficult to say just what spyware was. That question has been answered in large part by applying existing laws on fraud and deception rather than by crafting new legislation.

Federal laws brought to bear against spyware in the past year include the Federal Trade Commission Act, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act; along with a number of state fraud laws.

According to the Center for Democracy and Technology, the FTC has initiated six spyware cases, resulting in orders for $6.2 million in forfeitures; the Justice Department has prosecuted 11 criminal cases, resulting in $307,100 in fines and forfeitures, and sentences of up to five years probation; and the states of New York and Washington have secured judgments totaling more than $8 million. Additional cases are pending.

The application of criminal law has put a damper on the adware industry, with some of the larger companies shrinking in terms of revenues and employees, Schwartz said.

'It's disappearing to some degree,' he said. 'I think this is a step backward' for adware.

But that means that what is left are the unequivocal bad guys who are using tools like keyloggers to steal passwords, account information and other valuable data. Those threats are not likely to disappear soon.

'It seems like it's going to exist for the foreseeable future, because so much of it exists underground,' Schwartz said. 'It's going to take a long time to clean that up.'

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group