Spyware, Adware, and Malware: Research, Testing, Legislation, and Suits

A number of firms currently design and offer so-called “spyware” software — programs that monitor user activities, and transmit user information to remote servers and/or show targeted advertisements. As distinguished from the design model anticipated by whatis.com’s definition of adware (“any software application in which advertising banners are displayed while the program is running”), these spyware programs run continuously and show advertisements specifically responding to the web sites that users visit. Companies making programs in this latter category include Gator (recently renamed Claria), WhenU, and 180Solutions. Other spyware programs include keystroke recorders, screen capture programs, and numerous additional software systems that surreptitiously monitor and/or transmit users’ activities. As programs and practices shift and terms evolve, some practices are more naturally termed “adware” or “malware” — especially if their tracking is secondary to an advertising purpose.

These programs have prompted a number of legal challenges, as described in the pending suits section, below. They have also attracted attention from legislators, who have proposed laws to rein in the problem.

I have followed these developments generally, I have written about the programs and their effects, and I have been retained as an expert in certain of these suits. This page indexes my research and my work in selected cases.


A Close Reading of the Spyware Control Act

A Close Reading of the Spyware Control Act takes a careful look at the spyware legislation recently passed in Utah and now awaiting the governor’s signature. This legislation requires software that transmits users’ usage data (web sites visited, etc.) to provide appropriate disclosures in a license agreement (in plain language, actually presented to users, etc.), and to provide an uninstall routine.

Seems uncontroversial? That’s what I thought, but the bill has raised opposition from big .COM companies that seem to think the legislation is actually a bad idea — even as they are among the sites most intensively targeted by spyware pop-up ads. Have these companies missed the boat? Or have I? Check out the article — including their letter (PDF) and my paragraph-by-paragraph response — and decide for yourself.

Methods and Effects of Spyware

Methods and Effects of Spyware (PDF) is my written response to the FTC’s call for comments (PDF), leading up to their April 19 workshop on spyware. In this document, I explain how spyware works, including presenting specific personal information transmitted by both Gator and WhenU. (The WhenU transmissions are particularly notable because these transmissions seem to violate WhenU’s own privacy policy.) Other sections of the document discuss installation methods of spyware (with special consideration of the technical methods used in drive-by downloads), frequency of advertisement display, and performance and security effects of spyware.

I hope to attend the FTC’s April workshop, and I would be particularly pleased to hear from others who will be there or who have comments on this issue.

New Publications about Spyware Legislation and Regulation updated March 19, 2004

Some months have passed since my last work on spyware — Documentation of Gator Advertisements and Targeting (spring 2003) and my expert testimony in the matter of Quicken Loans and Wells Fargo v. WhenU (not available on the web) (summer 2003).

This week I’ve been working on a new subsection of this web site, “Spyware”: Research, Testing, Legislation, and Suits, for which two new entries are now available:

A Close Reading of the Spyware Control Act, on the Utah spyware legislation now awaiting the governor’s signature (described above).

Methods and Effects of Spyware (PDF), my written response to the FTC’s call for comments ahead of its April 19 workshop on spyware (described above).

I hope to attend the FTC’s April workshop, and I would be particularly pleased to hear from others who will be there or who have comments on this issue.

Technical Responses to Unilateral Internet Authority: The Deployment of VeriSign “Site Finder” and ISP Response


Technical Responses to Unilateral Internet Authority: The Deployment of VeriSign “Site Finder” and ISP Response. (October 2003) With Jonathan Zittrain.

Much of the day-to-day functioning of the Internet is thought to be “self-governing”: Engineers operating Internet systems at participating institutions (including ISPs) make daily decisions that help keep traffic flowing efficiently, without having to forge formal agreements with each other and without having to adhere to formal rules set out by a governing body. For those functions that are thought to require centralized coordination, organizations like ICANN have come to exist, and ICANN’s proper scope of “jurisdiction” remains in tension with the prior self-governing model. Arguments about the need for, and proper scope of, centralized coordination in part depend on the reliability and effectiveness of these informal self-governing alternatives.

A recent action by the registry of domain names ending in .COM and .NET — the creation of a “Site Finder” service to which Internet users are now directed if they ask for any unassigned name — has provoked reaction by ICANN as well as by individual network engineers and the institutions that employ them. As ICANN’s policy reaction is still unfolding, we sought to find out just how much the summed actions of the Internet engineering community affected Site Finder’s adoption. In the absence of any reaction, Site Finder would function for nearly all users seeking .COM and .NET names. However, as network engineers choose to adopt certain “patches,” Site Finder’s functionality is blocked for users of the corresponding networks. With help from data gathered by Alexa through users of its toolbar browser plug-in, we find that several large networks have already blocked Site Finder and that approximately 9% of users likely therefore no longer receive Site Finder content. We find particular evidence of blocking of Site Finder by networks outside of the United States — most notably, much of China.


Sites Blocked by ADL HateFilter (with Jonathan Zittrain)

Like numerous other Internet filtering programs, the Anti-Defamation League’s HateFilter attempts to prevent users from knowing which specific web sites are deemed off-limits. However, this research presents a method for efficiently determining which specific sites are blocked, and this site reports results. Numerous sites are blocked that no longer offer content meeting ADL’s definitions (if they ever did), including sites now offering other substantive content, sites that offer only error messages, and sites that no longer exist.
