Scoring Startupware

It should be possible to rate individual products as startupware. Not just good or evil–that’s not it. What’s needed is a measure of how invasive they are, and how hard to remove.

Remember that this stuff isn’t all spyware; it includes antivirus software and overly-ambitious print drivers. It’s not all evil, although most of it is bad, and all of it needs managing.

What’s that? Antivirus is never bad? Wrong. If in doubt, install two of them on a clean system, and try to do some work. Be sure to refresh your memory on safe-mode cleanups first, as most combos of this type will turn a computer into a vibrating doorstop. Like all startupware, it’s a management task.

To help consumers decide what products may be allowed on their systems, a scoring method is helpful. Scores skip technobabble–that’s good. They also can cause a blanket reaction of “take out all of it, don’t bother me.” That’s usually OK, but I don’t want the phone call when that breaks the antivirus software.

The basis for using startupware as a management tool for software products and their accumulations of autoplays is that no judgement calls are allowed. Again, here is the definition:

stärt’-up-wãre, noun, any software that configures portions of itself to automatically start with the operating system of a computer, or to start with other previously-installed software.

Now, there are different ways to autostart, and it helps to know if a product cleans up its own mess on removal, so let’s find a way to score a program for startupware.

First, we need to keep track of how many programs are set to run on system startup, and if all of them are removed on uninstallation. If one program is installed, but results in two add/remove program entries, that’s backpackware, which is common in adware and spyware products, as well as simpler trojan horse programs.

Here’s a preliminary formula for Startupware scoring (version 0.1).

Orphaned programs: 1000 x number of programs installed to autorun but not uninstalled by removing the product that was chosen to be installed. Note that one install program that results in two or more product installations will always result in a high score for deceptive behavior. Exception: One install that offers to run an additional OPTIONAL install program is counted as more than one install program, so that, for example, a camera driver install that offers to install a graphics program is counted and scored as two installations.

Orphaned settings and silent programs: 100 x number of settings changes made, but not uninstalled, and number of programs that run when product isn’t doing work for the user, such as displaying information or being on standby to do or prevent something.

Autorun count: 10 x number of programs installed to autorun.

Settings count: 1 x number of settings changes made.
comma, “version” and number of program, or “tested” and 6-digit date downloaded (yymmdd) if no version number is used.

So for some program categories, it’s impossible to have a score of 0, which would be totally non-invasive and non-autoplaying; a screensaver would have a score of 11, minimum, and so would most system tray utilities, because it takes both a program and a setting change to have an autoplaying program. And some actions aren’t counted. There is no count of icons added to the desktop, the quicklaunch area, or to the menus. There is no count of file extensions modified to point to the new program.

Here are some examples: a toolbar program, with no version number, with one program running in the background while the toolbar was not on screen (100 points). It made 12 changes to system settings, and failed to uninstall 1 of them (12 + 100 points). Total 212 points.
Score: 212, tested 050825.

Example 2: a utility program, installs two programs that don’t autoplay and don’t run in the background, changes no settings, leaves no settings or programs behind, version number 2.1.
Score: 0, version 2.1.

Example 3: an application program, version 12.0. Installs 17 programs, 3 autoplaying. Uninstalls all of them. Makes 32 settings changes, removes 12 of them. (Typical big-product sloppiness, in short.) That’s 30 points for autoplays, 32 for settings, 2000 for orphaned settings, and no orphaned programs.
Score: 2062, version 12.0.

Note that spyware won’t always get the highest scores. Startupware is about invasive software that drags down system performance, and not about subtlety or theft.

Example 4: a screensaver, no version number, downloaded Sept 10, 2005. Installs one autoplay program, clean uninstall, one setting change that runs the screensaver.
Score: 11, tested 050910.

Example 5: printer driver, version 18.544. Installed 3 autoplays, left one behind on uninstall, 71 settings changes, 26 left behind. That’s 1000 + 2600 + 30 + 71.
Score: 3701, version 18.544.

Example 6: anti-spyware program, bundled with toolbar with no option to install only one, installed with one program but resulting in two entries in add/remove list. That’s backpack startupware, and if no permission was asked first, it’s stealth startupware. Determining Stealth or Backpack isn’t needed–it depends on disclosures and agreements, and doesn’t affect product behavior, and so doesn’t affect scoring. There are 3 autoplays, and the uninstall that matches the downloaded product removes one of them. Settings changes: 15, 10 left behind. That’s 2000 points for orphaned programs, 1000 points for orphaned settings, 30 points for autoplays, and 15 points for settings.
Score: 3045, tested 050901.

Essentially, what we’re trying to achieve is a high score for programs that fail to uninstall themselves completely, or that massively invade the system. In other words, don’t install a program with a score above 50.
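An added example, not part of the original post: one way to apply the version 0.1 formula is to record autorun entries and settings before installation, after installation and after uninstallation, then diff the three. The snapshot structure, function names and sample entries are assumptions made for illustration; silent programs are passed in by hand because a snapshot diff cannot observe them.

```python
from dataclasses import dataclass, field
from datetime import date

INSTALL_LIMIT = 50  # the post's advice: don't install anything scoring above 50

@dataclass
class Snapshot:
    """System state at one moment (structure assumed for this example)."""
    autoruns: set = field(default_factory=set)    # programs set to start automatically
    settings: dict = field(default_factory=dict)  # setting name -> value

def changed(base, other):
    """Names of settings that differ from the baseline (added, altered or deleted)."""
    return {k for k in base.keys() | other.keys() if base.get(k) != other.get(k)}

def startupware_score(before, installed, removed, silent_programs=0):
    """Version 0.1 formula applied to before / after-install / after-uninstall snapshots."""
    new_autoruns = installed.autoruns - before.autoruns
    new_settings = changed(before.settings, installed.settings)
    orphan_programs = new_autoruns & removed.autoruns
    orphan_settings = new_settings & changed(before.settings, removed.settings)
    # silent_programs is counted by hand: a snapshot diff cannot see idle processes
    return (1000 * len(orphan_programs)
            + 100 * (len(orphan_settings) + silent_programs)
            + 10 * len(new_autoruns)
            + len(new_settings))

def label(score, version=None, tested=None):
    """Report line in the post's format: version if known, else yymmdd test date."""
    tag = f"version {version}" if version else f"tested {tested:%y%m%d}"
    return f"Score: {score}, {tag}."

def acceptable(score):
    """True when the score is within the post's install limit."""
    return score <= INSTALL_LIMIT

def printer_driver_example():
    """Constructed snapshots reproducing the post's printer driver figures (names invented)."""
    before = Snapshot({"antivirus"}, {"wallpaper": "default"})
    keys = [f"printer-setting-{i}" for i in range(71)]
    installed = Snapshot(before.autoruns | {"print-helper", "ink-monitor", "photo-share"},
                         {**before.settings, **dict.fromkeys(keys, "on")})
    removed = Snapshot(before.autoruns | {"photo-share"},
                       {**before.settings, **dict.fromkeys(keys[:26], "on")})
    return startupware_score(before, installed, removed)

if __name__ == "__main__":
    s = printer_driver_example()
    print(label(s, version="18.544"), "acceptable" if acceptable(s) else "over the limit")
```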

Comments? Additions? Modifications?

Defined by Consent

Adware is spyware with permission to snoop.

Spyware is adware without the license agreement.

OK, so defining two words as a variation of each other is circular reasoning, but it’s still vastly less convoluted than the definitions that the companies creating this stuff would have the government enact. Those definitions are a mess.

It would be better to have a functional definition that doesn’t imply good or evil. Keystroke monitoring programs are evil as password stealers, and good as monitors for keeping employees honest. Calling a keystroke monitor spyware implies that it is inherently bad–it might be. Most of the time. Not always.

For owners of computers, a functional definition would ignore permissions and conditions of use. A program autoloads, or it doesn’t. If it does, it’s a management issue. Put another way, one cup holder per passenger is a good thing. 426 cupholders is beyond inconvenient; it’s a crash on the way.

Finding a Better Label for Spyware

All these definitions for what is loosely being called “spyware” are getting out of control. What has been called “spyware” is software whose publishers would prefer any one of these labels instead: adware, sponsored software, value-added software, or possibly even free software. Spyware? Never. But legislating a clear definition of spyware based on behavior makes as much sense as calling a firearm a “gun” when used to shoot at people but “sporting technology” if used for some other purpose. It’s the same (smoking) gun, and the same software. Spyware may (or may not) send information home. Same with adware. Allegedly, adware doesn’t send “personally-identifiable” information, but since all information sent through the internet leaves a trail by IP number, and finding the user system that matches an IP number isn’t rocket science, all adware is spyware. So whether the software in question has broken any laws is not something that can be settled by a label. Maybe it’s just wrong to attempt to use labels for behavior that can’t be discovered, much less proven, without knowing the intentions of a publisher, the contents of a license agreement, and the invisible internal behavior of a product.

At last year’s Federal Trade Commission Spyware workshop, a working definition for spyware was in use, specifically: “software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer’s consent, or asserts control over a computer without the consumer’s knowledge.”

Earlier this year, the FTC, in their report on spyware based on the 2004 workshop, decided that the working definition was good enough, without a formal definition based on new legislation. They can deal with the problem based on existing regulations.

Apparently, the urge to label things is strong–various industry groups have attempted definitions. Some of these groups include publishers of products sometimes self-labeled as adware. Some don’t. Many include publishers of cleanup tools.

Most of the definitions focus on whether or not a program sends out personally-identifiable information. For most computer users, the distinction is pointless. In most cleanups, information stolen is surfing results, and the damage done is theft of service and damage to computer systems. Unless there is also an identity theft, what the computer user wants is for the problems with the computer to go away, and for the computer to return to full speed.

The lawyers can have their legal definitions. Maybe they can come up with something to do with them. Legal definitions have a possible use for avoiding payment of damages to companies causing damages to computers; if a program is defined as spyware by a government-legislated definition, an antispyware cleanup program can remove it without danger of being sued for labeling a commercial product as spyware, or in other words, libeling a product with venture capital and lawyers on staff. But it’s doubtful whether such a definition would do anything at all for the owner of a computer during an infection.

We need a more practical definition for computer owners and computer technicians. Such a definition will cover all programs installed without permission of the system owners, including silent installations (drive-by downloads), backpack installations of programs bundled with other products, and Trojan horse programs that claim to be something they aren’t.

Starting at the practical end, we need a definition of everything that needs removal. That’s everything that wasn’t installed by the user or as a needed system component. That’s a tricky bit–there are lots of hardware gadgets that include excess software. Now, I really don’t have a big problem, for example, with a program that installs an extra desktop or menu shortcut that will take the user to a value-added service that will provide additional income for the publisher. Such desktop clutter is action on a very fine line between helpful and annoying, but a few icons can be deleted easily enough, and they don’t run at startup–such icons are distracting trivia, but no big deal.

Installed auto-run programs are another matter. Some printers need software running to print, and some don’t. The cheaper printers substitute software for chips, and process fonts in the computer, and send the job to the printer as dots instead of letters and numbers. These brain-dead printers do require an autoplay component to process print jobs, and perhaps to monitor ink usage. By comparison, a traditional printer that works from just a printer driver doesn’t require autostarting software; it sends text and command codes that tell the printer what fonts and page options to use. All right, so cheap printers need one autoplay program to work. So why do some have five? I have yet to hear why a major printer manufacturer’s setup for a photo printer should include web sharing software for photographs and not offer an option to skip installing it, or why there would be four additional autoplay entries, none of which affect printing when they are deleted. Such software is neither spyware nor adware. It is, however, a resource hog that slows down computers, installs without permission, and is totally useless for most owners of the hardware. I routinely disable these false drivers.

It’s not just hardware. I’ve found that most CD and DVD-burning software adds autoplay entries. Many are phoning home to check for updates. Here’s a hint for the software vendors: Get a clue. You wouldn’t buy a dozen wall clocks for your office, would you? No, you would use the clock you already have. No autoplay is required for update checks. Just create a task in the Windows Scheduled Tasks list, set it to run an update check every 30 days, and stop adding to the glut of software in memory, and stop inventing your own private task scheduler to run every time the system boots, and then hang around all day waiting for tomorrow to come.

OK, now that’s two types of software that aren’t spyware and should be deleted–accessory “products” for purchased hardware and software, and the general category of “yet another phone home for updates scheduler.” Add spyware, viruses, adware, and trojans, and let’s find a definition and a name. All these items waste computer cycles. Some of them take over, and send information home. Some don’t. They all slow down computers with no benefit to the user.

From a legal standpoint, no definition is needed. Existing privacy laws, and laws on fair trade and competitive practices, give tools to law enforcement agencies for prosecuting spyware producers. Any new definitions for spyware will just give shelter to the enemy as the producers of such products adjust their products to dance on the near side of the very fine line of legality.

On the other hand, consumers need help to determine what is a problem and what isn’t, from a technical standpoint. We need a useful definition. I’ll propose a definition and see what it’s good for: startupware.

start’-up-ware, noun, any software that configures portions of itself to automatically start with the operating system of a computer, or to start with other previously-installed software.

Note that startupware doesn’t judge whether a program is good or evil, useful or destructive. So to take this a step further:

Requested startupware: any autoplaying software whose installation asked for permission for every auto-starting component individually.

Backpack startupware: any autoplaying software whose installation asked permission to install something, but neglected to ask permission for autostarting software. Includes mismatched permissions, such as installing multiple autoplay components after asking permission to install only one.

Trojan startupware: Autoplaying software that claims to be one thing, but is another.

Stealth startupware: Doesn’t ask permission at all before installing startupware. Includes most viruses and worms, and all drive-by downloads.

So are these good or evil? Well, requested startupware is good if it works well at the job that it was described to do, and does nothing else. Stealth startupware is probably bad, most of the time. Backpack startupware is a system slowdown waiting to happen, but may actually have some redeeming value for a minority of users. Should the majority of these startupware programs be allowed on any user’s PC? Generally, no. Are they all evil? No.

Now, are these definitions more useful than the already tainted word “spyware”? Yes, because there isn’t any question of whether a given product is startupware, and the basic label makes no judgement of good or evil. It can be identified, and the owner of a computer can judge whether to remove it or not. The auxiliary definitions also deal with permissions, not behavior.

Next, what can an antistartupware vendor do with these definitions? If they do a scan, and find startupware, they can create a list of everything running on the system, and categorize it. Program producers can argue with the category of startupware in which they’ve been placed, and provide proof of whether their product is or is not in a group, but overall, a scan for startupware can list everything found, its claimed utility, and then offer to test the system with all startupware disabled except for a private safe list, usually consisting of nothing more than an antivirus product. Most users will stop there, and find some system speed they never knew they had, but a cleanup product could also allow the option of adding back in any identified product for testing, preferably one at a time.

This reverses the current model–remove everything not known to be good. Current products allow everything they don’t recognize to autoplay. This guarantees infection as new products take advantage of newly-found security holes. They are cleanup tools for software known to be evil. An antistartupware tool is a system optimizer that reserves system resources for programs known to be wanted. Anti-spyware says innocent until proven guilty, expressed as software and policy. Anti-startupware is more practical–all new startupware is guilty until proven helpful.
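An added example, not part of the original post: a sketch of the scan described above, which assigns each autostarting entry one of the four permission categories and compares the default-deny plan with the recognize-and-remove model. The Entry fields, function names and sample products are assumptions, as is the order in which overlapping categories are tested.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    """One autostarting program found by a scan (fields assumed for this example)."""
    name: str
    claimed_utility: str
    asked_to_install: bool        # installer asked permission for something
    asked_per_autostart: bool     # asked for every auto-starting component individually
    is_what_it_claims: bool = True

def category(e):
    """Permission-based category, following the four definitions in the post."""
    if not e.is_what_it_claims:   # assumption: trojan is tested first when categories overlap
        return "trojan"
    if not e.asked_to_install:
        return "stealth"
    return "requested" if e.asked_per_autostart else "backpack"

def default_deny(found, safe_list):
    """Anti-startupware model: anything off the safe list is disabled, whatever its category."""
    return [(e.name, category(e), e.claimed_utility,
             "keep" if e.name in safe_list else "disable") for e in found]

def default_allow(found, known_bad):
    """Cleanup-tool model: only entries already recognized as bad are disabled."""
    return [(e.name, "disable" if e.name in known_bad else "keep") for e in found]

def trial_rounds(found, safe_list, candidates):
    """Enabled sets for adding products back one at a time after the default-deny test."""
    names = {e.name for e in found}
    base = names & set(safe_list)
    return [sorted(base | {c}) for c in candidates if c in names - base]

# Constructed scan results; all product names are invented.
FOUND = [
    Entry("antivirus", "virus scanning", True, True),
    Entry("photo-share", "web photo sharing", True, False),
    Entry("codec-pack", "video codec", True, True, is_what_it_claims=False),
    Entry("new-agent", "unknown", False, False),
]

if __name__ == "__main__":
    for row in default_deny(FOUND, {"antivirus"}):
        print(*row, sep=" | ")
    # The unrecognized entry keeps running under the recognize-and-remove model.
    print(default_allow(FOUND, {"codec-pack"}))
```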