The Trouble With Spyware
Spyware is a generic term typically describing software whose purpose is to collect demographic and usage information from your computer, usually for advertising purposes. The term is also used to describe software that 'sneaks' onto the system or performs other activities hidden from the user. Spyware apps are usually bundled as a hidden component in mis-labeled "freeware" and shareware applications 1 downloaded from the Internet--a spyware module may be active on your computer at this moment without your knowledge. These modules are almost always installed on the system secretly, suggesting that spyware companies know how users feel about such software and figure that the best/only way to ensure its widespread use is to prevent the end-user from discovering it.
Consumer Privacy Implications
Advertising-supported software, if done properly, is a unique and viable business model in which software developers can make money without requiring the end-user to pay for the software. However, the key words are if done properly, which is often not the case. While it may come as no surprise that adware uses your 'Net connection to download ads, you would have good reason to be concerned about the large amounts of data flowing in the other direction. Several adware applications have been known to secretly snoop around areas of your computer where they don't belong, including your browser history.
As much as current spyware modules do to steal away users' privacy, they have the potential to do even more. Spyware exists as an independent, executable program on your system, and has the capability to do anything any program can do, including monitor keystrokes, arbitrarily scan files on your hard drive, snoop on other applications such as word-processors and chat programs, read your cookies, change your default homepage, interface with your default Web browser to determine what Web sites you are visiting, and monitor various aspects of your behaviour, "phoning home" from time to time to report this information back to the spyware's author. It can even notify the spyware company of any attempts to modify or remove it from the system. All the information obtained by the spyware can be used by the spyware author for marketing purposes, or sold to other companies for a profit.
In short, spyware can spy on any aspect of your computer use, and is not limited in the ways Web sites are when it comes to gathering personal data. While a Web site can gather limited demographic and statistical data automatically provided by the Web browser and Internet protocols, and read cookies set by its own domain, spyware can "see" and disclose any data on, entering or exiting your computer. This information can then be used for just about any purpose, even sold to the highest bidder!
Many adware apps install separate advertising components on your system that run--downloading ads and wasting system resources--even if you're not using the software that installed them. Often, these components remain installed and continue to perform their unsightly duties even after the associated app has been uninstalled! Some adware companies have even gone so far as to create "Advertising Trojan Horses", virus-like software programs that stealthily install themselves on your computer to perform unwanted advertising functions and violate your privacy whether you've installed the advertising-supported software or not. Advertising trojans make clandestine connections to adservers behind your back, consume precious network bandwidth and may compromise the security of your data. The latest versions of these "ad-viruses" operate in full stealth and are nearly impossible to detect without advanced knowledge of the system environment. These include the TimeSink/Conducent TSADBOT and the Aureate advertising trojans. One spyware module has been known to spoof a Windows system process so that it cannot be terminated and does not appear on Windows' End Task (Ctrl-Alt-Del) dialogue.
Spyware modules have been implicated in computer problems including system slowdown, Illegal Operation errors, browser crashes, and even the "Blue Screen Of Death". While normal system stability has usually returned when the interfering spyware modules were deleted, one spyware product in particular will disable your Internet access if you try to delete it!
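A module that borrows a Windows system process name can still be told apart by where its image file lives. The sketch below is an added example, not code from this article or any vendor: it checks a process inventory against an assumed baseline of expected directories, and goes slightly beyond the text by also flagging near-miss spellings. The baseline table, function names and sample inventory (including the "AdBundle" path) are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumed baseline for a default install under C:\Windows (not from the article).
EXPECTED_DIRS = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

def _one_edit_apart(a, b):
    """True if a and b differ by one substituted, added or dropped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def find_masquerades(processes):
    """processes: iterable of (pid, image_path). Returns (pid, path, reason) tuples."""
    findings = []
    for pid, path in processes:
        # Collapse "..", unify separators and case before comparing.
        full = ntpath.normcase(ntpath.normpath(path))
        directory, name = ntpath.split(full)
        expected = EXPECTED_DIRS.get(name)
        if expected is not None:
            if directory != expected:
                findings.append((pid, path, "system process name outside " + expected))
            continue
        for known in EXPECTED_DIRS:
            if _one_edit_apart(name, known):
                findings.append((pid, path, "lookalike of " + known))
                break
    return findings

# Constructed sample inventory (pid, image path); not real telemetry.
SAMPLE = [
    (4012, r"C:\Windows\System32\svchost.exe"),
    (4100, r"C:\Program Files\AdBundle\svchost.exe"),
    (4216, r"C:\WINDOWS\explorer.exe"),
    (4300, r"C:\Windows\System32\..\Temp\lsass.exe"),
    (4388, r"C:\Windows\System32\svch0st.exe"),
    (4450, r"C:\Program Files\Editor\notepad.exe"),
]

if __name__ == "__main__":
    for pid, path, reason in find_masquerades(SAMPLE):
        print(pid, path, "->", reason)
```

A process hidden from the task list will not appear in an inventory taken from that list, so the input should come from a source the module does not control.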
Potential Violations of Child Protection Laws
Most spyware-infested software is targeted toward adults. However, the user that sits down at the computer can be of any age, and the spyware modules have no good way of knowing who is at the machine and what legal protections are provided to him or her. In particular, laws in the United States prohibit the collection of personal information from children under 13 without the written permission of a parent or guardian. However, most spyware does not make any provisions for users whom they are not legally permitted to collect data from, a huge potential problem when it comes to laws such as the U.S. Child Online Privacy Protection Act (COPPA).
Again, since a spyware program is an independent executable program residing on your PC, it will have all the privileges of the user that installed it. On the majority of single-user systems, including Windows 95 and 98, these privileges allow software to read, write and delete files, download and install other software, change the default homepage, interrogate other devices attached to the system, or even format the hard drive. While multi-user systems such as Windows NT can limit the spyware's abilities somewhat, it can still do anything the user who installed it can--a scary thought indeed if an application containing spyware was unknowingly installed by someone with Administrator privileges.
Some spyware modules include a number of insecure features, including so-called AutoInstall or AutoUpdate functions that can secretly download and install ANY arbitrary program on the user's system. This opens the door for further abuse of the system by malicious crackers or additional spyware programs! In particular, competent security experts including Gibson Research Corp. have proven how simple it is for a malicious user to hijack this capability to upload and run ANY program on a user's system!
Software License (dis)Agreement
Some aspects of spyware activity are legally questionable. While software installing a spyware module should disclose this fact to the user and offer the option of refusing, any such disclosure is often buried in a long and densely-worded License Agreement, slipped in among page after page of mind-numbing legal jargon on such topics as copyright, distribution, disassembly, reverse-engineering, government and restricted rights, disclaimer of fitness for a particular purpose, and similar topics of little relevance to the average user 2. Additionally, the actual spyware notice is often written in such a roundabout, flowery and disingenuous manner that a reasonable user would have no reason to take special interest in it 3. To most users, a phrase such as "may include software that will occasionally notify you of important news" is NOT equivalent to "will place a stealthy Trojan Horse on your system that you can't get rid of, which will collect information about you and send it to us, and allow us to bother you with targeted advertisements all day". Once the spyware has been "disclosed" and the spyware company can argue that the user has "agreed" with it by continuing beyond the License Agreement, it is much more immune from potential lawsuits from users who accepted the license and installed the software, blissfully unaware of the spy that would now be living on their computers. Some spyware companies do not mention the spyware at all, often pointing the finger at the company whose software utilizes it for not disclosing it. (How convenient!)
1 While the most common culprits are shareware and "freeware" apps, paid-for commercial software has been known to contain spyware as well.
2 The majority of a software License Agreement refers to government users, corporations, distributors and software hackers. It can be safely assumed that a majority of users have no interest in disassembling their software, porting it to other operating systems or hardware architectures, or other such activities extensively droned on about in the License Agreement.
3 See Steve Gibson's explanation and example of "Fine Print Funny Business": http://grc.com/oo/fineprint.htm . (Note that the example Steve gives eventually does, albeit in dense wording, disclose what's going on. Be aware that many spyware agreements are even less forthcoming about the nature of their software!)