Spyware: The Next Spam?

Spyware is fast becoming the next generation of spam. It is software that installs onto a computer or local network, monitors computing habits and delivers the information to third parties. Usually, the user is unaware that the software exists on his or her computer.

Much like spam, spyware is becoming more than just a nuisance; it’s raising major red flags with privacy and security experts alike. At best, spyware activity monitors computer habits. The worst of the spyware breeds steal personal information and can contribute to an entire network being taken over.

A major indicator pointing to this trend is legislation aimed at curbing spyware. Two states — Utah and California — are considering their own spy-blocking acts while federal authorities ponder the merits of a spyware version of the recently enacted Can-Spam Act.

How much damage is spyware causing? A lot more than privacy invasion, said Edward English, CEO of InterMute, which makes SpySubtract, Spam Subtract and AdSubtract.

“At a minimum, peeping Toms are all over our computers. Spyware software, once resident on a PC, can do almost anything. E-mail addresses and personal information like credit cards can be monitored, captured and transmitted. The sky is the limit as to what damage can be done.”

Federal Legislation Options

Congress is pursuing several bills that attempt to follow on the heels of the Can-Spam Act to regulate what tactics software vendors might legally use in placing spyware products on computers. Two bills are especially noteworthy.

Senate Bill S.2145, introduced in March as the SpyBlock Act, is “a bill to regulate the unauthorized installation of computer software, to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy, and for other purposes.” It is cosponsored by senators Conrad Burns (R-Montana), Barbara Boxer (D-California), Hillary Rodham Clinton (D-New York) and Ron Wyden (D-Oregon).

The proposed law would prohibit the installation of software on somebody else’s computer without notice and consent. It also would require reasonable uninstall procedures for all downloadable software.

Rep. Jay Inslee (D-Washington) in April introduced a similar bill after his legislative office computers were inundated with spyware. Inslee’s legislation confronts spyware by requiring a computer user’s notice and consent before the execution of certain software functions on his or her computer, including the collection of personal information, modification of computer settings and display of advertising.

His bill would require computer users to consent before certain software functions could be executed on their computers. These functions would include the collection of personal information, modification of computer settings and display of advertising.

“Most computer users will tell you that spyware pops up and multiplies like cicadas,” said Inslee in a prepared statement. “But spyware is not a natural event. It is purposefully inflicted.”

His legislation targets people who distribute spyware. He said it would help stamp out privacy violations but would not harm legitimately beneficial consumer functions. The bill, if it becomes law, will require adware distributors to get computer users’ consent before executing hard-to-remove software.

States Seek Local Protection

The California Anti-Spyware Legislation, California Senate Bill 1436, recently won approval by the state’s Judiciary Committee. Dubbed the Consumer Protection Against Computer Spyware Act, it is mirrored in the companion proposal of California Assembly Bill 2787. The Assembly version prohibits the downloading of spyware to any computer in California. It, too, received the approval of the Judiciary Committee.

Utah’s legislators are considering a bill that prohibits spyware from delivering advertisements to a computer under certain circumstances. The bill requires spyware to provide removal procedures and allows a Web site, trademark or copyright owner to bring an action to enforce the legal requirements. It also requires the Division of Consumer Protection to collect complaints about spyware violations.

“Spyware is a nationally important issue because it relates to a state’s right to regulate the Internet, as well as the spyware itself,” said Peter Jaffe, an attorney in Gibson, Dunn & Crutcher’s D.C. office. That law firm was involved in the Utah spyware legislation proposal.

“Look at what New York Sate Attorney General Elliot Spitzer is doing when it comes to the SEC’s failure to regulate the securities industry. Utah is doing the same thing when it comes to Congress’ failure to act quickly to put an end to dangerous behavior. Federal regulation would be best, but if the federal government won’t act to protect consumers, states are bound to step in to protect their citizens,” Jaffe told TechNewsWorld.

The Menace Spreads

Spyware is evolving into a monster that might soon become more vicious than e-mail spam and virus attacks combined. Even if individual states and federal legislation provide new protections within the United States, foreign purveyors of spyware will remain out of reach.

“There have been more new iterations of spyware the first quarter of this year than all of last year,” Roger Thompson told TechNewsWorld. He is the spyware research expert for PestPatrol, who provides detection and removal products for spyware, adware, Trojans, hacker tools and other pests that antivirus, firewall and other security software can miss.

Thompson draws an analogy between the early stages of e-mail spam and what is happening now with spyware. Just as spam is interfering with the usefulness of e-mail, spyware is a much worse development, interfering with computing in general.

“Three or four years ago, spam was just an annoyance. Now spyware can make computers unusable,” he said. “There are no rules for regulating spyware, which is driven by profit.”

Spyware creators will improve their malicious activities and bring the problem to new levels of concern. According to Thompson, spyware has a business model like any other business operation. So far, the spyware masters “just don’t have it down right yet,” he said.

New Laws Not the Cure-All

InterMute’s English isn’t holding his breath for the proposed Spyblock Act to solve the problem soon. “The Spyblock Act is less likely to work than Can Spam, which seems not to have slowed the flood of spam at all,” English said.

One major legal point so far gives spyware companies the upper hand. Many of the companies distributing spyware products have lengthy end-user license agreements. These are legal contracts. Some of these user agreements exceed 20 pages and contain hyperlinked references to additional terms and conditions.

For example, said English, buried in the middle of the document in fine print, the license agreement could state, “and, furthermore we can do whatever we please to your computer.”

Is the government really going to create and fund a commission of hundreds of lawyers to read, review and challenge the slippery, changeable language found in spyware license agreements? English doubts it.

“As it is with spam, spyware is a technology problem. Users need a strong technology defense to combat it,” said English.

Legal Approach Flawed From the Start

English is also critical of the proposed legislation’s ability to regulate spyware adequately. In fact, he said it is not very likely that it will be able to regulate spyware at all. “The flawed concept of not installing software on someone’s computer without their informed consent misses a large source of spyware infection: kids,” he said. “Often kids and their friends will use a parent’s computer to download software or play online games. The kids do not own the computer, and they may well click through any sort of ‘informed consent’ to install the program they want to use.”

By the time the parents use their computer, the spyware might already be resident, thus bypassing the requirement for owner’s consent. Robert Stephens, the founder and chief inspector of The Geek Squad, doesn’t place much hope on laws alone to curtail the spread of spyware. The Geek Squad is an IT task force that plans to offer security advice to consumers who visit a major electronic discount chain by year’s end. His network of tech “agents” also will do computer house calls.

“You can’t trust the government to regulate spyware,” he told TechNewsWorld. Instead, consumers have to protect themselves. “Vigilance is the best medicine. Spyware makers are going to continue to adapt,” he said.

Stephens sees the fight against spyware much the same as public service announcements that hawk the need to “take a bite out of crime.” As consumers become more cautious about avoiding and detecting spyware, protections will improve. “Like fighting crime in your own neighborhood, computer users have to be responsible for locking their own doors,” said Stephens.

Innovative Protection Fights Spyware

Many of the existing spyware-detection-and-removal products work like antivirus programs. The head of Finjan Software, maker of enterprise and retail computer security suites, sees that approach as hindering the maintenance of privacy.

Shlomo Touboul, founder and CEO of Finjan Software, told TechNewsWorld that proactive protection prevents spyware from lingering on computers until they are discovered. Detection products typically require periodic updating of their spyware signature detection databases.

Deduction must await the discovery of new spyware strains. Until the detection programs are updated, the spyware code remains at work hidden to existing detection tools. Instead, Touboul’s software products monitor all code activity in real time.

He said that spyware can modify firewall settings and e-mail settings to disable both hardware and software protection devices. Two Finjan products address this spyware problem: SurfinShield Corporate, an enterprise desktop solution, and SurfinGuard Pro, a home desktop solution. The spyware protection is rolled into the entire product offering for both these products.

Both products use a “sandboxing” technology. Programs and applications are launched in a virtual environment to monitor any potential malicious activity. Spyware attempting to install itself onto a computer is blocked.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Security

Technewsworld Channels