Inside IT: Push for mobile mail
Governments and companies are gearing up to deal with spyware but, writes Mary Branscombe, the biggest security problem is usually sitting at the keyboard
Thursday October 28, 2004
If your PC starts crashing or slows down, or suddenly starts taking you to strange web pages, don't just blame Microsoft: blame spyware. You have probably fallen victim to some malicious programs, which you might have agreed to download to visit a website (or to get away from one), or installed with free software that sounded useful. Even Bill Gates suffers from spyware on his home PC, and Microsoft is promising to help stamp it out.
As the name suggests, spyware spies on where you go and what you do online. It can use this information to deluge you with adverts, or just clog up your PC.
When Jeffrey Friedberg, Microsoft's director of Windows privacy, told the US government earlier this year that spyware is a growing threat, he blamed it for being "at least partially responsible for approximately half the application crashes our customers report to us". Gates thinks the industry is making headway against viruses but "this malware thing is so bad; now that's the one that has us really needing to jump in". Microsoft is planning to produce software to detect spyware, and to keep it up to date. This will not be easy, given the multiplying numbers of intrusive programs.
In the US, legislators are planning to make spyware illegal, and the Federal Trade Commission (FTC) is taking notorious spammer Sanford Wallace to court over spyware it alleges his websites were distributing. But just how much of a problem is it?
According to Webroot, a software house that produces programs to find and remove spyware, the 3.2m PCs its tools have checked had an average of 26 bits of spyware installed. However, its measurements include third-party cookies from legitimate websites such as Guardian Unlimited, which don't cause PC problems and can be blocked by increasing your browser's privacy settings. Take those cookies away and it looks more like 18m infections than 83m - around six problem programs per PC.
There is much confusion about what constitutes spyware and how it gets on to a PC, as well as some argument about how to deal with it.
One approach is to tackle the people making money out of it. In the US, the FTC has asked the courts to shut down a series of websites that it says add insult to injury by infecting visitors with spyware ... and then selling them software that claims to remove it. "Consumers don't deserve to be pestered and spied on by people who illegally hijack their computers," said Lydia Parnes, from the FTC's Bureau of Consumer Protection.
Long-time spam sufferers may remember the name of Wallace, once nicknamed Spamford. His company, CyberPromotions, was processing 30m spam emails a day when debts of $3m - mostly legal settlements from anti-spam lawsuits - forced it out of business in 1998. The FTC claims sites built by his new companies, Seismic Entertainment Productions and SmartBot, used security flaws in Internet Explorer to download and install spyware on visitors' PCs.
The spyware changed their home page and search engine settings, installed yet more spyware, then triggered "a barrage of pop-up ads". Infected PCs slowed down or crashed. The spyware would open the PC's CD-ROM drive, then tell users that they needed to spend $30 on Spy Wiper or Spy Deleter software to clean up their system. These sales earned Seismic commissions.
Ari Schwartz, associate director of the Center for Democracy and Technology, which complained to the FTC about the sites, calls it extortion. He says the government needs to be involved because it is often hard to find who is responsible for spyware. "The government can gain access to records that can be blocked in a normal civil suit. That is important in a spyware case because there are so many parties involved," says Schwartz. "Based on our research, we believed that Seismic was the centre of the chain here, but there are others involved. The FTC has the means to find out who."
Wallace claims the sites didn't collect any information without asking permission. He dismisses the suit as a political move which, he says, is "attempting to enforce federal laws that have yet to be enacted".
Last month, California passed a law banning spyware techniques such as logging what users type, changing security settings or sending unauthorised emails from PCs, but the US government is still working on a similar federal law, the Spy Act.
Laws with teeth will make it easier to deal with the people who distribute spyware but, as with many security issues, the first steps need to be taken nearer to home.
Most companies have security policies that should keep out spyware but, according to Symantec, less than 5% train their users on what that means in practice. The security improvements in Service Pack 2 for Windows XP go a long way towards protecting users, as long as they never say yes to a download without knowing what it is.
However, in a recent US survey carried out by the National Cyber Security Alliance, 30% of people thought they were more likely to be struck by lightning, get audited by the tax man or win the lottery than run into security problems with their PCs. It is time to be a lot more suspicious online.
Privacy on the internet
Parliamentary Office of Science and Technology report on electronic privacy (pdf)
Electronic Privacy Information Centre
Foundation for Information Policy Research
Cyber Rights and Cyber Liberties
The privacy site