Devangshu Datta: Cracking down on spyware

TECHNO BEAT

When surfers are polled on pet peeves, spam, viruses and slow connections top the list. Spam's an irritant, viruses are destructive and slow connections test the patience.

But spyware, meaning programs that secretively mine data on infected hard drives and track surfing habits, actually tops everything in terms of quantifiable damage.

Spyware is often directly responsible for slow connections as well; the programs hog bandwidth as they transmit data.

Internet consultancy Webroot did a spyware survey through January-March 2005. Around 87 per cent of the office networks they checked carried some spyware.

Around 88 per cent of the home PCs checked were infected. (The bundling of Alexa with Internet Explorer or IE was not defined as spyware "" or else, every user of an unmodified IE-version would be "infected".)

The "legitimate" spyware industry generated an estimated $ 2 billion-plus in targetted Internet advertising in 2004. The illegitimate variations caused a plague of identity thefts and phishing scams that led to $ 5 billion-plus in electronic frauds across the US financial system.

Also, some variants of spyware, such as remote-administration tools (RATs) and trojans with embedded keystroke-loggers, were used by hackers to create zombie-armies that mounted distributed denial of service (DoS) attacks that crashed entire networks.

Spyware is often installed with "user-consent", along with free file-sharing, download and multimedia utilities. In such cases, the End-user Licensing Agreement (EULA) contains a consent clause buried in the fine print.

Many EULA agreements run to hundreds of screenfuls worth of text: even the most paranoid surfers avoid scrolling through the legalese, before clicking "I agree".

A lot of spyware is, however, installed without even the tenuous legal fiction of user-knowledge/consent when a surfer goes to a site that dumps dirty code on the hard drive. There are so many ways of doing this that even enumerating them would take too much space.

It is not very easy to combat spyware "" as the surveys suggest, just about 12 to 13 per cent of users, including system admins, are savvy enough to manage to avoid infection.

Most anti-spyware utilities do a partial job, and new versions of spyware are written everyday.

A good firewall helps keep systems clean and so does regular monitoring of outgoing traffic.

The US House of Representatives recently passed two anti-spyware Bills that lay down big penalties such as five-year sentences and $ 3 million fines.

The Securely Protect Yourself Against Cyber Trespass Act (SPY), passed by a vote of 393-4, while the Internet Spyware Prevention Act (I-SPY) was passed 395-1.

SPY requires any software to give clear notice before installation, and explicitly forbids keystroke logging, persistent pop-up ads, and computer hijacking. I-SPY seeks to further criminalise spyware tactics, with longer jail terms.

If the Senate clears those Bills, the average user will have a little more legal protection. Since most countries follow the US lead in electronic legislation, similar laws will probably be adopted in other countries.

However, in themselves, these Acts will not be enough, if one looks at the example of the CAN-SPAM Act (2004). Spam has barely reduced since the Act came into play and very few spammers have been proesecuted.

Until users are educated enough to be outraged about the implicit privacy violations of spyware, it will continue to be a popular webtool.

Microsoft, which launched its beta anti-spyware utility in January, has issued a warning against gaps in the Acts. The software giant has legitimate fears about being sued by spyware makers.

Gator, (now Claria) which distributes bundled ad-software with its free download app, sued an anti-spyware-maker for libel, false advertising and "tortuous interference".

Lavasoft, which makes the popular Ad-aware anti-spyware utility, has been sued by New.net. Until the Acts are modified to plug those frivolous lawsuits, anti-spyware makers have reason to go slow.

Frankly, nothing short of a dynamic version of the anti-smoking warnings will work. If spyware had to broadcast a pop-up across say, 10 per cent of the screen whenever active, and log details of data transmitted to the infected hard drives or networks, it might sensitise users.