For security vendors, one of the toughest aspects of fighting spyware has been trying to distinguish sinister software from legitimate programs. The Washington-based Anti-Spyware Coalition (ASC) was founded in 2005 to deal with that problem and build a consensus on the definitions and best practices surrounding spyware and other potentially unwanted programs.
The organization finalized its best practices documents for the antispyware community earlier this month, saying the content is a critical tool to help consumers and software developers identify unwanted software.
The first of the two documents is "Best Practices: Guidelines to Consider in the Evaluation of Potentially Unwanted Technologies," detailing the process by which antispyware companies should review software applications for potentially insidious behavior. It relies heavily on the ASC's own spyware definitions document and its risk model description.
City of North Vancouver IT manager Craig Hunter said the guidelines needed more language geared toward corporate IT environments.
"Overall it is only slanted toward the individual user," he said in an email interview. "It doesn't bring in the corporate IT view."
As an example, he pointed to a section on page 12 that reads: "Tracking software is generally installed with the consent of the party initiating the surveillance, but not necessarily the consent of the party being monitored. This can lead to an invasion of privacy and even illegal activity … It is vitally important that users are aware of surveillance."
To better capture the corporate point of view, Hunter said "consent of the party" should be tweaked to say "consent of the party or corporation." And in the introduction, he said "up to the user" should instead read "up to the user or the corporation."
Despite the perceived shortcomings, IT professionals still see plenty of value in the coalition's work.
Jay Wessel, vice president of technology for the Boston Celtics, has had his share of spyware-induced heartburn and agrees with Hunter that the document is tilted more toward individual users than enterprise IT environments. But in the big picture, he believes it is a step in the right direction.
"I think this document makes a lot of sense and generally the points are quite valid," he said via email.
The second document, "Conflict Identification and Resolution Process," highlights possible ways in which antispyware tools may conflict with one another and offers steps to resolve those conflicts. In addition to allowing for better, more structured interactions between developers, the resolution process will also provide a level of transparency to consumers who may be affected by such conflicts, the ASC said.
Paul Schmehl, an adjunct information security officer for the University of Texas at Dallas, said the documents may also help IT professionals explain needed antispyware procedures to their bosses.
"The benefit I can see is clear definitions of terminology, which may help those who develop policies to obtain approval from superiors," he said in an email exchange.