To effectively battle spyware, IT departments must first understand what they're dealing with
The technology industry wants to stamp out spyware, but first there's a question of semantics: Just what is it? Everyone agrees spyware is a growing menace--one that has become a security concern for many IT departments--but defining it hasn't been easy. Now, an effort is under way to better understand the pesky programs that are clogging up computers, at the same time IT professionals are hustling to contain them.
"We have to deal with spyware/adware on a weekly basis," Scott Larsen, manager of information systems with group-travel company Groople Inc., says in an E-mail. "From a staffing perspective, the cleanup usually exceeds the time it takes to handle an antivirus infection."
The problem is complicated by the fact that a fuzzy line separates intrusive spyware from legitimate online-marketing programs called adware. Microsoft recently learned how hard it can be to distinguish what's legitimate when a test version of its new Windows AntiSpyware
tool mistakenly treated a Dutch Web site, Startpagina.nl, as a "browser hijacker." Microsoft was forced to issue an apology, along with undisclosed compensation. Last week, Microsoft issued a paper explaining how it classifies spyware and other potentially unwanted software.
Earlier this month, the Federal Trade Commission issued a report, based on an industry workshop it hosted last year, that calls on the business community to come up with a definition of spyware. "Because of the challenges of developing a workable definition of spyware, nearly all panelists expressed the concern that legislation or regulations tied to a definition of the term 'spyware' might define the term so broadly that it would inadvertently cover some types of beneficial or benign software," the FTC observed.
The help desk at the National Center for Missing and Exploited Children was spending all its time fixing corrupted registries, says IT director Gelfound.
Photo by David Deal
Despite the question of definition, the FTC's report says spyware creates substantial privacy and security risks for consumer information. The FTC sees two issues. First, people frequently aren't notified when spyware is placed on their computers. And second, the software they do seek comes bundled with adware they don't want because end-user licensing agreements often aren't clear. "These agreements give a patina of legitimacy by having some form of disclosure," says Tom Pahl, the FTC's assistant director for advertising practices. "But consumers often don't understand the choices they're making."
California and Utah have passed anti-spyware legislation, and several other states are mulling such laws. But no federal law that regulates spyware or adware exists, though several bills to do so are before Congress. One bill--HR 29, which received unanimous approval by the House Commerce and Energy Committee earlier this month--would prohibit the uploading of software that collects personally identifiable information. The bill, now awaiting a House vote, also bans adware unless users agree to its use. Penalties, under certain circumstances, can be as high as $3 million.
End-user license agreements are a big issue. When users download a software program, they should be given a clear choice about accepting or declining other software with it. Spyware doesn't give them that choice, or does so surreptitiously. "You can segment the market into responsible practices and practices that are irresponsible," says Robert Weber, president of Freeze.com LLC, which operates Web sites that distribute adware along with its screen savers and PC wallpaper.
The catch, of course, is that few users actually read the fine print in those license agreements, where "opt out" options are sometimes buried. "Everybody who's in this category needs to do a better job of educating consumers," Weber says.
For IT departments, the distinction between spyware and adware may be moot. "We don't want any of it on or around our network," says Zachary Grant, senior network engineer with health-care company Sun Healthcare Inc. "My opinion is that we're affected more by adware and spyware than we ever were from viruses." Spyware continuously ties up IT-support people as they clean up and rebuild PCs, Grant says. Sun Healthcare tries to limit the amount of spyware and adware that gets onto its PCs using application-control software from SecureWave SA.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.