Category Archives: Definitions

What’s startupware?(tm)
The source for all definitions of startupware.

Defined by Consent

Adware is spyware with permission to snoop.

Spyware is adware without the license agreement.

OK, so defining two words as a variation of each other is circular reasoning, but it’s still vastly less convoluted than the definitions that the companies creating this stuff would have the government enact. Those definitions are a mess.

It would be better to have a functional definition that doesn’t imply good or evil. Keystroke monitoring programs are evil as password stealers, and good as monitors for keeping employees honest. Calling a keystroke monitor spyware implies that it is inherently bad–it might be. Most of the time. Not always.

For owners of computers, a functional definition would ignore permissions and conditions of use. A program autoloads, or it doesn’t. If it does, it’s a management issue. Put another way, one cup holder per passenger is a good thing. 426 cupholders is beyond inconvenient; it’s a crash on the way.

Finding a Better Label for Spyware

All these definitions for what is loosely being called “spyware” are getting out of control. What has been called “spyware” is software whose publishers would prefer any one of these labels instead: adware, sponsored software, value-added software, or possibly even free software. Spyware? Never. But legislating a clear definition of spyware based on behavior makes as much sense as calling a firearm a “gun” when used to shoot at people but “sporting technology” if used for some other purpose. It’s the same (smoking) gun, and the same software. Spyware may (or may not) send information home. Same with adware. Allegedly, adware doesn’t send “personally-identifiable” information, but since all information sent through the internet leaves a trail by IP number, and finding the user system that matches an IP number isn’t rocket science, all adware is spyware. So whether the software in question has broken any laws is not something that can be settled by a label. Maybe it’s just wrong to attempt to use labels for behavior that can’t be discovered, much less proven, without knowing the intentions of a publisher, the contents of a license agreement, and the invisible internal behavior of a product.

At last year’s Federal Trade Commission Spyware workshop, a working definition for spyware was in use, specifically: “software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer’s consent, or asserts control over a computer without the consumer’s knowledge.”

Earlier this year, the FTC, in their report on spyware based on the 2004 workshop, decided that the working definition was good enough, without a formal definition based on new legislation. They can deal with the problem based on existing regulations.

Apparently, the urge to label things is strong–various industry groups have attempted definitions. Some of these groups include publishers of products sometimes self-labeled as adware. Some don’t. Many include publishers of cleanup tools.

Most of the definitions focus on whether or not a program sends out personally-identifiable information. For most computer users, the distinction is pointless. In most cleanups, the information stolen is browsing history, and the damage done is theft of service and damage to the computer itself. Unless there is also an identity theft, what the computer user wants is for the problems with the computer to go away, and for the computer to return to full speed.

The lawyers can have their legal definitions. Maybe they can come up with something to do with them. Legal definitions have a possible use for avoiding payment of damages to companies causing damages to computers: if a program is defined as spyware by a government-legislated definition, an antispyware cleanup program can remove it without danger of being sued for labeling a commercial product as spyware, or in other words, for libeling a product that has venture capital and lawyers on staff. But it is doubtful that such a definition would do anything at all for the owner of a computer during an infection.

We need a more practical definition for computer owners and computer technicians. Such a definition will cover all programs installed without permission of the system owners, including silent installations (drive-by downloads), backpack installations of programs bundled with other products, and Trojan horse programs that claim to be something they aren’t.

Starting at the practical end, we need a definition of everything that needs removal. That’s everything that wasn’t installed by the user or as a needed system component. That’s a tricky bit–there are lots of hardware gadgets that include excess software. Now, I really don’t have a big problem, for example, with a program that installs an extra desktop or menu shortcut that will take the user to a value-added service that will provide additional income for the publisher. Such desktop clutter walks a very fine line between helpful and annoying, but a few icons can be deleted easily enough, and they don’t run at startup–such icons are distracting trivia, but no big deal.

Installed auto-run programs are another matter. Some printers need software running to print, and some don’t. The cheaper printers substitute software for chips, and process fonts in the computer, and send the job to the printer as dots instead of letters and numbers. These brain-dead printers do require an autoplay (auto-start) component to process print jobs, and perhaps to monitor ink usage. By comparison, a traditional printer that works from just a printer driver doesn’t require autostarting software; it sends text and command codes that tell the printer what fonts and page options to use. All right, so cheap printers need one autoplay program to work. So why do some have five? I have yet to hear why a major printer manufacturer’s setup for a photo printer should include web sharing software for photographs and not offer an option to skip installing it, or why there would be four additional autoplay entries, none of which affect printing when they are deleted. Such software is neither spyware nor adware. It is, however, a resource hog that slows down computers, installs without permission, and is totally useless for most owners of the hardware. I routinely disable these false drivers.

It’s not just hardware. I’ve found that most CD and DVD-burning software adds autoplay entries. Many are phoning home to check for updates. Here’s a hint for the software vendors: Get a clue. You wouldn’t buy a dozen wall clocks for your office, would you? No, you would use the clock you already have. No autoplay is required for update checks. Just create a task in the Windows Scheduled Tasks list, set it to run an update check every 30 days, and stop adding to the glut of software in memory, and stop inventing your own private task scheduler to run every time the system boots, and then hang around all day waiting for tomorrow to come.
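What the paragraph above asks vendors to do, as an added example rather than anything from the original page: register the update check as a Windows scheduled task that fires every 30 days, with no resident process and no Run-key entry. The vendor name, the executable path and its `--check-only` switch are assumed placeholders; the task is registered for the current user, which does not need elevation.

```powershell
# Added example (not the page's code): a 30-day update check as a scheduled
# task instead of an always-resident "updater" that autostarts with Windows.
# "ExampleVendor", UpdateCheck.exe and --check-only are assumed placeholders.
$exe  = 'C:\Program Files\ExampleVendor\UpdateCheck.exe'   # assumption
$name = 'ExampleVendor Update Check'

$action = New-ScheduledTaskAction -Execute $exe -Argument '--check-only'

# Every 30 days at 03:00. StartWhenAvailable means a machine that was off at
# the due time runs the check at next boot instead of waiting another month.
$trigger  = New-ScheduledTaskTrigger -Daily -DaysInterval 30 -At 3am
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -RunOnlyIfNetworkAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10) `
    -MultipleInstances IgnoreNew

# Run as the interactive user at the limited (non-elevated) run level: asking
# a server whether a newer version exists needs no administrator rights.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive -RunLevel Limited

Register-ScheduledTask -TaskName $name -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal -Force | Out-Null

# The Run value this replaces, shown only so it can be recognised and removed
# (do not create it):
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleVendorUpdater
#     = "C:\Program Files\ExampleVendor\UpdateCheck.exe" /tray

Get-ScheduledTask -TaskName $name | Select-Object TaskName, State
```

The task scheduler is the "clock you already have": it is already running, it survives reboots, and the check process exists only for the few seconds it takes to run. The `-RunLevel Limited` principal is the least-privilege part of the story; an updater that autostarts from the machine-wide Run key under an administrator account is exactly the kind of persistent, privileged foothold the rest of this page complains about.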

OK, so that’s two types of software that aren’t spyware and should be deleted–accessory “products” for purchased hardware and software, and the general category of “yet another phone-home-for-updates scheduler.” Add spyware, viruses, adware, and trojans, and let’s find a definition and a name. All these items waste computer cycles. Some of them take over, and send information home. Some don’t. They all slow down computers with no benefit to the user.

From a legal standpoint, no definition is needed. Existing privacy laws, and laws on fair trade and competitive practices, give tools to law enforcement agencies for prosecuting spyware producers. Any new definitions for spyware will just give shelter to the enemy as the producers of such products adjust their products to dance on the near side of the very fine line of legality.

On the other hand, consumers need help to determine what is a problem and what isn’t, from a technical standpoint. We need a useful definition. I’ll propose a definition and see what it’s good for: startupware.

start’-up-ware, noun, any software that configures portions of itself to automatically start with the operating system of a computer, or to start with other previously-installed software.

Note that startupware doesn’t judge whether a program is good or evil, useful or destructive. So to take this a step further:

Requested startupware: any autoplaying software whose installation asked for permission for every auto-starting component individually.

Backpack startupware: any autoplaying software whose installation asked permission to install something, but neglected to ask permission for autostarting software. Includes mismatched permissions, such as installing multiple autoplay components after asking permission to install only one.

Trojan startupware: Autoplaying software that claims to be one thing, but is another.

Stealth startupware: Doesn’t ask permission at all before installing startupware. Includes most viruses and worms, and all drive-by downloads.

So are these good or evil? Well, requested startupware is good if it works well at the job that it was described to do, and does nothing else. Stealth startupware is probably bad, most of the time. Backpack startupware is a system slowdown waiting to happen, but may actually have some redeeming value for a minority of users. Should the majority of these startupware programs be allowed on any user’s PC? Generally, no. Are they all evil? No.

Now, are these definitions more useful than the already tainted word “spyware”? Yes, because there isn’t any question of whether a given product is startupware, and the basic label makes no judgment of good or evil. It can be identified, and the owner of a computer can judge whether to remove it or not. The auxiliary definitions also deal with permissions, not behavior.

Next, what can an antistartupware vendor do with these definitions? If they do a scan, and find startupware, they can create a list of everything running on the system, and categorize it. Program producers can argue with the category of startupware in which they’ve been placed, and provide proof of whether their product is or is not in a group, but overall, a scan for startupware can list everything found, its claimed utility, and then offer to test the system with all startupware disabled except for a private safe list, usually consisting of nothing more than an antivirus product. Most users will stop there, and find some system speed they never knew they had, but a cleanup product could also allow the option of adding back in any identified product for testing, preferably one at a time.

This reverses the current model: remove everything not known to be good, instead of removing only what is known to be bad. Current products allow everything they don’t recognize to autoplay. This guarantees infection as new products take advantage of newly-found security holes. They are cleanup tools for software known to be evil. An antistartupware tool is a system optimizer that reserves system resources for programs known to be wanted. Anti-spyware says innocent until proven guilty, expressed as software and policy. Anti-startupware is more practical–all new startupware is guilty until proven helpful.
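The scan described in the two paragraphs above, as an added example that is not the page's own tool: enumerate the places startupware configures itself to start with Windows (Run/RunOnce keys, Startup folders, boot- and logon-triggered scheduled tasks, automatic services), resolve each entry to its executable, check its Authenticode signature, and mark everything not on a small allow-list as "guilty until proven helpful". The allow-list contents are constructed placeholders; the page's advice is that it usually holds little more than the antivirus product.

```powershell
# Added example (not the page's code): audit "startupware" and apply the
# allow-list ("private safe list") model. The allow-list below is constructed
# for illustration; Microsoft Defender's service binary and the shell are
# assumed to be what this owner wants to keep.
#Requires -Version 5.1
$AllowList = @('msmpeng.exe', 'securityhealthsystray.exe', 'explorer.exe')

# Heuristic: pull the executable out of a command line such as
#   "C:\Program Files\Vendor\tray.exe" /background   or   %SystemRoot%\x.exe -y
# An unquoted path containing spaces cannot be parsed reliably; it yields the
# first token, the file check below then fails and the entry shows 'NoFile'.
function Get-CommandPath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+', 2)[0]
}

function New-StartupEntry {
    param([string]$Source, [string]$Name, [string]$Command)
    $path   = Get-CommandPath $Command
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoFile' }
    $leaf   = if ($exists) { (Split-Path -Leaf $path).ToLowerInvariant() } else { '' }
    [pscustomobject]@{
        Allowed = [bool]($AllowList -contains $leaf)
        Signer  = $status          # Valid / NotSigned / HashMismatch / NoFile
        Source  = $Source
        Name    = $Name
        Path    = $path
        Command = $Command
    }
}

function Get-Startupware {
    $entries = @()
    $psMeta  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # 1. Registry Run / RunOnce keys: per-machine, 32-bit view, and per-user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }   # provider metadata, not a value
            $entries += New-StartupEntry -Source $key -Name $p.Name -Command ([string]$p.Value)
        }
    }

    # 2. Startup folders (this user and all users); resolve .lnk shortcuts.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($item in Get-ChildItem -LiteralPath $folder -File) {
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
            $entries += New-StartupEntry -Source $folder -Name $item.Name -Command "`"$target`""
        }
    }

    # 3. Scheduled tasks with a boot or logon trigger: the "private task
    #    scheduler" the page complains about often hides here.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        if ($task.State -eq 'Disabled') { continue }
        $bootOrLogon = $task.Triggers | Where-Object {
            $_.CimClass.CimClassName -in 'MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger'
        }
        if (-not $bootOrLogon) { continue }
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }     # COM-handler actions have no Execute
            $cmd = "`"$($a.Execute)`" $($a.Arguments)"
            $entries += New-StartupEntry -Source "Task $($task.TaskPath)" -Name $task.TaskName -Command $cmd
        }
    }

    # 4. Services that start automatically (Win32_Service exposes the command line).
    foreach ($svc in Get-CimInstance Win32_Service -Filter "StartMode='Auto'") {
        $entries += New-StartupEntry -Source 'Service' -Name $svc.Name -Command $svc.PathName
    }
    return $entries
}

# Everything with Allowed = False is what the page calls "guilty until proven helpful".
Get-Startupware | Sort-Object Allowed, Source, Name |
    Format-Table Allowed, Signer, Source, Name, Path -AutoSize
```

Two things worth reading off the report beyond the allow-list column. A `NoFile` entry is either an orphaned autostart whose program was uninstalled, or an unquoted path with spaces; the latter is worth fixing for a service, since Windows tries each prefix of an unquoted service path in turn. A `HashMismatch` or `NotSigned` entry in a machine-wide location deserves a look before it is added back "one at a time" as the text suggests. This script only covers the common locations; Sysinternals Autoruns enumerates many more (Winlogon, shell extensions, drivers, browser helper objects), and the allow-list model applies to all of them.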

Spyware: Too Many Labels, Not Enough Clarity

Written by Jerry Stern
Coordinator of Anti-Spyware Operations, Association of Software Professionals

All these definitions for what is loosely being called “spyware” are a problem.

Earlier this year, the Federal Trade Commission decided that a working definition was good enough, without a formal definition based on new legislation. They can deal with the problem based on existing regulations.

Various industry groups have attempted definitions. Some of these groups include publishers of products sometimes self-labeled as adware. Most include publishers of cleanup tools.

Most of the definitions focus on whether or not a program sends out personally-identifiable information. Spyware supposedly sends information that’s trackable back to you, and adware either sends non-identifiable information, or just acts as a server for additional advertising in some fashion. The difference is subtle and pointless, for most consumers–the issue is generally more one of regaining system performance than of blocking surfing history. While the information stolen isn’t always significant, the theft of service, or unauthorized use of a computer and connection bandwidth, is generally an invasion, and most of the definitions focus on trying to place a specific label, rather than using existing privacy laws and existing commercial regulation as approaches to prosecution of offending providers of software and services.

Here is the definition proposed by the Anti-Spyware Coalition:

“Spyware: The term Spyware has been used in two ways.
In its narrow sense, Spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user.

In its broader sense, Spyware is used as a synonym for what the ASC calls “Spyware and Other Potentially Unwanted Technologies.”

In technical settings, we use the term Spyware only in its narrower sense. However, we understand that it is impossible to avoid the broader connotations of the term in colloquial or popular usage, and we do not attempt to do so. For example, we refer to the group as the Anti-Spyware Coalition and vendors as makers of anti-spyware software, even recognizing that their scope of concern extends beyond tracking software.”

Compare this to the Federal Trade Commission’s definition from their workshop of April 19, 2004, titled “Monitoring Software on Your PC: Spyware, Adware, and Other Software.” For the workshop, the working definition of Spyware is “…software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer’s consent, or asserts control over a computer without the consumer’s knowledge.”

Note the hedge words: such software “aids in gathering,” and therefore may not actually be doing the gathering alone, or may do something else. It “may send” information, but also may not. This is deliberately vague, and therefore flexible.

A more precise definition would be great for the spyware publishers, and even better for the publishers of adware, who would gain some protection from a legal distinction that shows that their behavior is not automatically labeled as illegal. A definition would also help some of the antispyware companies, temporarily–it would allow them freedom to label a particular ad technology and publisher as illegal, and delete that product with some partial protection from potential legal actions for libel and for removing some other company’s products. Again, that, for a time, would help.

As the industry of spyware (etc) now exists, everything that can be done, is being done, whether it is to deliver targeted ads, to steal information, or to steal bandwidth and processor time. There are no limits. Everything that can be done in the future, will be done. As new security holes are found, they will be exploited. As holes close, others open, and any new legal definition will be obsolete faster than legal action can be brought to stop newly-prohibited behavior.

Some of the definitions, including that of the Anti-Spyware Coalition, attempt to simultaneously show that “spyware” technology can have a legitimate purpose for monitoring the internet activities of children or employees. That’s a big distraction. Monitoring of that type is legal. Using the same technology to monitor which city I’m trying to find a hotel reservation for is not. Any technology-based definition of spyware may be useful for system technicians, but is meaningless for capturing illegal activity, or for proving legal use for de-listing products from a spyware removal database.

The ASC definition, by including “without adequate notice, consent, or control”, continues to include terms that require additional definitions. As such, it’s open to interpretation by the user who doesn’t know where the software came from, by the cleanup product publisher who doesn’t know what to remove, and by the courts, who will have to wrestle with the meaning of “adequate notice” before deciding whether to allow a libel claim to proceed against an antispyware publisher. The existing case law on user licenses will come into effect here; so-called “shrinkwrap licenses” have been used to hide practices just as illegal as spyware, but not quite as blatant.

The temptation to label everything is strong in this industry. Labels add structure, but they also provide innuendo, distortion, and false security. Spyware can be many things, and in the current technological landscape, it will be more varied and more devious than can be predicted with a legal definition. Working definitions can help a technician in triage and cleanup, but once enacted into regulation, precise legal definitions of what is and is not spyware can only damage the industry.

The ASC definition of spyware would be far stronger without the words “deployed without adequate notice, consent, or control.” A spy may still be a spy after the press has published a leak stating their identity. A spy camera doesn’t stop being a spy camera if it’s being used to monitor your babysitter. Screen-scraper software isn’t something else if it’s monitoring your corporate network for illegal behavior. And finally, spyware doesn’t stop being spyware if the publisher asks for permission to snoop.

Yes, that would mean that spyware can be judged on the basis of action instead of apparent intent, and on what information is being transmitted, based on existing privacy laws. That would make the identification and removal of spyware much simpler. Definitions based on intentions and permissions lead to prosecutions based on telepathy and hearsay. Definitions based on feature lists, actions, and information are practical, and can lead to a clear view of what software is useful on a system, and what should be removed.

This article was written on behalf of the Association of Software Professionals.