About this series: Spyware is quickly replacing worms and viruses as IT managers' biggest worry. In this two-part series, security professionals and others debate spyware detection and who is best qualified to define it.
Joshua Lutz knows the damage spyware can do if left undetected on a network. He keeps track of efforts on Capitol Hill, in virtual communities and elsewhere to define the menace and fight it. But he's not sure any of these entities are up to the task. Not individually, at least.
"The process of defining spyware is already playing out in the online forums, but online forums have no real authority to enact change," Lutz, network analyst for a large Boston law firm, said in an e-mail interview. "Legislatures, as a whole, have the authority but lack the technical acumen to adequately generate realistic definitions of specific, technical applications."
He believes the Internet community needs "a non-governmental intermediary that both the legislators and general public can look to for a technical framework [where] applications can be classified and defined." Ask other IT professionals who they trust to define spyware and they say pretty much the same thing. But they also agree that each entity has a role to play. They may not banish spyware from cyberspace, but collectively they could go a long way toward better defining and fighting it.
For now, there's a movement in the information security community to form the type of intermediary group Lutz envisions. One example is the nonprofit Center for Democracy and Technology teaming with top antispyware companies to hammer out a clearer set of criteria to define spyware.
Legislation won't solve the problem…
According to Boulder, Colo.-based security firm Webroot, legislation to deal with spyware is pending in 27 states. Six states have passed laws.
Meanwhile, U.S. Rep. Mary Bono, R-Palm Springs, has sponsored a bill that would force spyware and adware producers to give users clear notification and get consent before they can download their wares. The bill was passed by the House earlier this week. If it becomes law, it will pre-empt similar laws at the state level.
"Some companies worry this would force them to fundamentally change how they do things and that it would affect their business," said Kimberly Pencille, Bono's press secretary. "That's just not the case. This is simply about notification and consent. In our view, companies that practice notification and consent have more credibility and that's good for business."
Those asked said legislation can only go so far. Ed Skoudis, co-founder of Washington, D.C.-based security consultancy Intel Guardians, said, "I would hate to see [spyware] defined in legislation. You're talking about legislation put together by people who don't understand the technological issues and are under the heavy influence of lobbyists."
The problem with bills like Bono's is that companies can find ways to abuse the notification-consent provision, Skoudis said.
"Yeah, there's notification and consent, but you're talking about a 10-page box that pops up that's full of legalese" that people aren't going to read, he said.…But it can make 'a significant dent'
Eugene Schultz, a principal computer systems engineer in the University of California's Berkeley Lab, agrees with Skoudis that U.S. legislation won't solve the problem because spyware is an international scourge. But he doesn't think you have to be a computer genius to define what spyware is, either.
"I don't think that defining spyware is all that difficult," he said in an e-mail interview. "In my mind
While it wouldn't solve the whole problem, Schultz believes the right legislation could make a positive difference.
"I am confident that U.S. legislation would make a significant dent in the problem because so many Web sites in the U.S. currently inject spyware into systems that visit them," he said. "I am confident that considerably less spyware would get into my systems if there were U.S. legislation that would forbid injecting it into systems and that would also punish individuals who violate the terms of this legislation."
Pencille agreed. "This is a big enough problem for anyone using the Internet that something has to be done," she said. "We can't do anything about offshore sources of spyware, but this legislation would mean a lot more accountability in the United States."
As for concern that the process is under the control of lawmakers who lack technical expertise and are influenced by lobbyists, Pencille said, "This has been a very open process with technical experts involved."Promise and peril in online communities
As Lutz mentioned, the question of how to define spyware is already being played out in a growing list of virtual communities like SpyNet, started by Microsoft as part of its AntiSpyware beta program. The software giant describes SpyNet as a voluntary network of users "that helps uncover new threats quickly to ensure everyone is better protected." Any user can choose to join SpyNet and report potential spyware to Microsoft.
The concern here is that online communities can be poorly moderated and generate even more confusion over what is and isn't spyware.
"Open forums are both a blessing and a curse," Lutz said. "There is often valuable information to be had in an active online forum, but one must sift through the detritus surrounding it. How does the average computer user differentiate between good and bad information?"
Many open forums tend to be self-regulating and members will often point out faulty information, Lutz said. "But then when dealing with questions like 'Is this spyware?'" he added, "the answer is often as varied as the number of people responding to it. You know what they say about opinions."
Skoudis points to another problem: Online communities can also be invaded by spyware pushers, "just like COAST was invaded by 180Solutions."
But SpyNet is an example of how online forums can be helpful in fighting spyware, Mike Panczenko, information systems security officer and chief scientist for Doylestown, Pa.-based Sytex, Inc., said by e-mail.
"I think that Microsoft seems to have a reasonable approach with its SpyNet community," he said. "The fact that users play a key role in determining which programs should be classified as spyware will help minimize any deception attempts on the part of adware vendors and, ultimately, create more robust detection programs."