July 12, 2005
Coalition Issues Definitions for ‘Spyware’
NEW YORK -- Anti-spyware vendors and consumer groups took a stab at issuing uniform definitions for "spyware" and "adware" on Tuesday in hopes of giving computer users more control over their machines.
The definitions seek clarity that could help improve anti-spyware products, educate consumers and fend off lawsuits from developers of software that sneaks onto computers.
The 13-page document is silent, for instance, on what developers must do to obtain consent from consumers. Nor does the document, still formally a draft, clearly state how specific programs might fall under a certain category.
"It's not the end game but it's a great starting point," said Dave Cole, director of product management at Symantec Corp. (SYMC), a member of the coalition that spent three months crafting the terms. "You've got to have a foundation, a common vocabulary to start with ... and have all of us speak the same language."
Forty-three percent of adult U.S. Internet users say they've been hit with spyware, adware or both, according to the Pew Internet and American Life Project. More than 90 percent of Internet users have changed their online behavior, meanwhile, to try to avoid becoming victimized.
The coalition flags as potential threats - an umbrella definition that includes spyware, adware and other categories such as "hijackers" and "cookies" - programs that:
- impair users' control over their systems, including privacy and security;
- impair the use of system resources, including what programs are installed on their computers; or
- collect, use and distribute personal or otherwise sensitive information.
By classifying "adware" as falling under the umbrella term, "Spyware and Other Potentially Unwanted Technologies," the coalition avoided a key dispute that has led to lawsuits: Is adware a form of spyware or are the two separate?
The coalition recognized that not all advertising software is unwanted and restricted the use of "adware" to the potentially unwanted kind. It created a separate category for "hijackers" that change browser settings and noted that some data files, or "cookies," have legitimate uses for saving preferences.
The industry can now discuss and define how specific technologies or practices harm users, said Ari Schwartz of the Center for Democracy and Technology, which led the coalition. He said more specific guidelines are expected this fall.
The definitions themselves could undergo revision after a one-month period for public comment.
Release of the definitions comes as Microsoft Corp. (MSFT) acknowledges that it has revised its treatment of adware made by Claria Corp., formerly known as Gator Corp.
Instead of putting the programs in "quarantine," Microsoft's anti-spyware tool recommends users "ignore" the items it detects. Microsoft said the change was unrelated to speculation that Microsoft has been in talks to buy Claria. (Neither company would comment on any talks.)
The three months that the coalition spent discussing the terms, Edelman said, could have been better used to get to the heart of the problem: Clarifying what constitutes a user's consent to allow spyware or adware to be installed on a personal computer.
The coalition did, however, provide tips for consumers, including advice on how to read license agreements and other "fine print" where consent is often sought.
Adware vendors said they welcome clearer rules on what's acceptable, though they consider definitions a good start.
"Is it perfect? No, but any kind of refinement, any added clarity is going to be helpful," said Sean Sundwall, a spokesman for 180solutions Inc. "50 percent is way better than 0 percent."
Bill Day, chief executive of WhenU.com Inc., said the terms "will tend to add structure to what has now been unstructured conversations" with anti-spyware vendors.
Schwartz said nothing in the definitions or the upcoming "best practices" guidelines will eliminate all differences among makers of anti-spyware programs.
"Companies are going to make decisions, and people are going to have to decide which anti-spyware tool is best for them," Schwartz said. "Each company itself will have to make decisions about whether something is unwanted or unexpected."