Software that can track your moves on the Net, record your keystrokes and use your PC to send that info off to someone else is the latest digital scourge.
By DAVE GUSSOW
Published April 26, 2004
Technology can be a tricky business.
Click "Yes" to download something from the Internet, and the program may include secret functions.
Click "No" to reject an offer from a popup ad, and it may repeatedly reappear on the screen until the user finally accepts it. And, sometimes, doing nothing can cause trouble, too. Just visiting a Web site might get stealth software planted on a computer.
The cause? Spyware, the latest scourge to hit personal computers and the Internet. It's bogging down computers' performance, hijacking functions, presenting users with unwanted popup ads, tracking where people go online and, some say, invading their privacy.
"The bottom line for a lot of spyware authors is there's a lot of money involved," said Andrew Brandt, senior associate editor at PC World magazine. "They just want the money and they're going to do whatever it takes to get it. They don't care about your computer."
The problem has reached a point where Congress is considering legislation to control spyware, Utah has passed a law against it, and the Federal Trade Commission held a workshop last week to talk about it.
The FTC workshop showed how difficult it will be to come to any consensus about what to do. Not only are there differing interpretations of what defines spyware, there also are concerns that any regulations might backfire, as some critics say an antispam law passed by Congress last year did.
Generally, spyware can be broken into broad categories with one main theme: It usually allows someone to get information from a computer without the user's knowledge. It has various flavors, such as adware, which causes popups and other ads to appear on computer screens; monitorware, which tracks surfing habits on a particular PC and sends the information back to companies for marketing purposes; and malware or snoopware, software that can record keystrokes and steal personal information.
"The number of things out there is astounding," said David Loomstein, group product manager for Symantec Security Response. "Anyone who is going out and surfing on the Web is susceptible to this."
An analysis of security scans of more than 1-million PCs by Internet service provider Earthlink and Webroot Software over a three-month period showed an average of 28 spyware programs on each computer.
One of the most troubling aspects about spyware is how easily it gets planted on computers. PC Pitstop, an online diagnostic site, found that 75 percent of users were unaware that spyware had been installed on their machines.
The Center for Democracy and Technology (www.cdt.org) came up with 15 examples of what it called "unfair, deceptive or devious practices" with spyware. Participating in the study were companies such as America Online, Dell, Earthlink and Microsoft, as well as groups such as the Business Software Alliance, Electronic Frontier Foundation and the Network Advertising Initiative.
In the hijacking category, for example, it found programs that installed on computers even when consumers rejected downloads. Under the surreptitious surveillance category, the group found software that contained "keystroke loggers" used to steal passwords and personal information included in downloads but not mentioned in any materials describing the product. And under the inhibiting termination category, it gave examples where people could not delete programs.
It's all adding up to consumer headaches and confusion. Dell Inc. told the FTC hearing that 12 percent of its tech support calls are related to spyware.
Less clear is what, if anything, will be done about the problem. Marketers and Internet ad companies such as WhenU say their techniques are legitimate and accepted by people who want them.
They argue against regulation and have support from an array of officials and groups. FTC commissioner Mozelle Thompson says consumer education, not legislation, is the logical first step. Some officials think current law is adequate, particularly for cases involving fraud and identity theft.
The Electronic Privacy Information Center (www.epic.org) argues that spyware is only a symptom of a bigger problem.
"It makes more sense to attack the general problem of privacy online rather than labeling some collections as legitimate and some as not," said Chris Hoofnagle, associate director of EPIC. "The powerful companies will basically obtain exemptions from the definition of spyware. Companies that are not powerful will be classified as spyware companies."
Roger Thompson, a panelist and vice president of product development at security software company Pest Patrol, says some regulation is needed. If it takes one click to install spyware, he says, it should take only one click to get rid of it.
"It would be much better if there were rules about how they had to tell you what they're doing," Thompson said.
That leaves it to consumers to handle yet another security issue, and help is available. German software developer Patrick Kolla wrote Spybot Search & Destroy, a free utility that finds spyware and cleans it off PCs. It can be found at several sites, including www.pcworld.com/downloads and CNet's Downloads.com. The software has become so popular and the problem so big that it has turned into almost a full-time job for Kolla, who accepts donations from users to keep the project going.
Another popular free program is Ad-aware from Lavasoft (www.lavasoft.de) Symantec, McAfee and sites such as Spywareguide.com, Spywareinfo.com, SpyStomper.com and Spychecker.com have sections that list various forms of spyware.
Brandt of PC World says it's crucial for computer users, even beginners, "to know enough to know when something's going wrong and what to do about it. . . . If they don't take care of their own problems, they could end up becoming a Typhoid Mary to everyone they know. These things have a nasty habit of spreading."
- Information from Times wires was used in this report. Dave Gussow can be reached at firstname.lastname@example.org or 727 771-4328.