‘I Know It When I See It’ Isn’t Enough?

July 14, 2005

Although the word “spyware” alone can make the blood boil for those who have struggled to remove the stuff from their computers, coming up with an actual definition of the concept is quite difficult. Still, the Anti-Spyware Coalition, consisting of consumer groups, Internet service providers (ISPs), and software companies, is struggling to pin one down. The group released a draft definition this week.

The Coalition, which includes Microsoft, EarthLink, McAfee, and Hewlett-Packard, is accepting comments on its definition (PDF link) now. Spyware, the group says, consists of products that “impair users’ control over material changes that affect their user experience, privacy or system security; use of their system resources, including what programs are installed on their computers; or collection, use and distribution of their personal or otherwise sensitive information.”

Not a bad definition, though it is certainly not perfect. What standard, exactly, does “impair” suggest? Would administrative tools cross the line? Headless distributed computing daemons? What exactly is “personal information”? Are usage data and crash reporting included?

The Coalition answers some of these concerns by including in its report a table that defines common types of malware that are presumptively “spyware.” Further, the group notes that “with proper notice, consent, and control some of these same technologies can provide important benefits.” This goes a long way towards acknowledging the inherent ambiguity of the enterprise, especially in a domain as fast-moving as networked software.

The Coalition has lofty goals for its proposed definition:

The group hopes the definitions will clear the way for anti-spyware legislation and help create a formal, centralized method for companies to dispute or change their software’s classification.

The anti-spyware community needs a way to quickly and decisively categorize the new programs spawning at exponential rates across the internet.

The lack of standard definitions of spyware and adware has doomed federal and state legislation and hampered collaboration between anti-spyware forces.

Private certification sounds good. Though Ben Edelman, a spyware researcher, “questions whether the new definitions are simply there so that adware companies can find a way to get a stamp of approval for their software,” the value of the Coalition’s reputation should ameliorate this concern, to some extent. If it certifies bogus software, consumers will quickly learn to ignore its seal. Other groups could pick up the slack, or the ad-hoc system that we have now–in which spyware is defined, essentially, by the fiercely competitive and consumer-driven companies that make products to remove it–could continue (as it certainly will in any case). Especially of late, anti-spyware software has become very capable.

But legislation is a different beast altogether. First, as the Coalition acknowledges, its definition includes many activities that do not really constitute “spyware” and, in fact, “provide important benefits.” Also, whether a practice makes a piece of software “spyware” or not may turn on “consent,” which is a difficult thing to prove one way or the other. Is a click-through box consent? Is downloading and installing software consent? Need there be some notification standard? All of these questions have to be asked on a case-by-case basis. More likely, however, legislation would seek to answer all these questions exhaustively, creating a labyrinth of regulations that anyone writing software would be forced to navigate. Legislation could scare many software entrepreneurs (the competitors of the big businesses creating this definition) away from innovative practices, drive them out of business, or force them to weigh down their software with all manner of intrusive pop-up boxes, click-throughs, etc.

And of course, no set of regulations, no matter how finely detailed, would have much of an effect on gray-market software companies that operate out of Russia and Asia and are responsible for many of the worst computer viruses and much of the most intrusive spyware.

All that said, a voluntary ‘seal of approval’ seems like a good idea, so long as it remains voluntary. Bringing consumers greater information should help them make better choices and should steer software makers in the right direction. With a voluntary seal, companies would face pressure to improve their practices in line with consumer expectations, which is a good thing, without the specter of criminal enforcement should they make even a minor misstep. A voluntary standard may even have some sway in the courts, especially for tort claims, though its worth in any particular case would be, reasonably, a rebuttable presumption. With the weight of industry heavies behind it, such an approach should be more than enough to keep law-abiding software companies honest.
