
29 March 2005

The Legitimisation of Spyware

According to Microsoft's Security at Home site, spyware is defined as:
"software that performs certain tasks on your computer, typically without your consent. This may include giving you advertising or collecting personal information about you."

However, Microsoft don't seem to apply this definition to their own software. Take versions of Microsoft Word which attempt to contact Microsoft via the Internet when the application is started, and which have long been known to phone home when various functions are performed within the program.

Microsoft are not alone in this practice. Version 3 of the popular instant messaging software Trillian proudly boasts "no other included software, pop-ups, or spyware", yet it also attempts to contact the manufacturers each time you start it, just prior to connecting the configured IM accounts. Nero's CD burning software and many other applications do the same thing.

Given that even the simplest packet of data your computer might send out reveals substantial information about its origins and, by default, both of the "certain tasks on your computer" described above occur "typically without your consent", is this 'software' or 'spyware' functionality?

Now, in a further blurring of the fine line between software and spyware, the concept and function of spyware is being used for dubiously legitimate purposes. A company called Remote Approach is utilising the general ignorance and/or acceptance of surreptitious network activity by commonly used applications as the basis for their new PDF tracking tool:
"Every time the PDF is read, it briefly interacts with the reporting repository to record the event.... Some simply wish to know whether their customers actually read or forward a client's PDFs after downloading them from the client's Web site, while others engaged in peer-to-peer marketing want measurable data on whether their available PDF is being effective."
Software manufacturers will claim you signed up for this sort of surreptitious, non-explicitly-consensual behaviour when you clicked the Accept button on the End User License Agreement, and Microsoft's definition of spyware is fairly standard, so where does that leave users who don't wish for everyday applications to report back a wealth of information every time they are used? Is electing to read a PDF document explicit consent for the software to let an arbitrary third party know that you've done so?
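A defender-side check for the "reports back when read" pattern described above, added here and not from the original post or from Remote Approach. The post does not say how the tool triggers its call-out, so this assumes the common mechanism of a PDF action that fires on open (/OpenAction or /AA) pointing at a network-capable action type; the sample PDFs and the tracker URL are constructed.

```python
import re

# Dictionary keys that fire an action automatically when a document or page is
# opened, and action types that can reach the network or run code (all real
# PDF keywords from the PDF specification, not invented names).
AUTO_TRIGGERS = (b"/OpenAction", b"/AA")
NETWORK_ACTIONS = (b"/URI", b"/SubmitForm", b"/GoToR", b"/Launch",
                   b"/JavaScript", b"/ImportData")

def scan_pdf(data: bytes) -> dict:
    """Count auto-trigger keys and network-capable actions in raw PDF bytes.

    Only uncompressed objects are visible this way; anything hidden inside a
    /FlateDecode object stream would need inflating first (not done here).
    """
    counts = {}
    for kw in AUTO_TRIGGERS + NETWORK_ACTIONS:
        # Match the keyword as a whole name token (followed by a delimiter),
        # so /Page does not count as /Pages and vice versa.
        pattern = re.escape(kw) + rb"(?=[\s/\[\]<>(])"
        n = len(re.findall(pattern, data))
        if n:
            counts[kw.decode()] = n
    return counts

def phones_home_on_open(data: bytes) -> bool:
    """Heuristic: an auto-trigger plus a network-capable action is the
    tracking pattern the post describes; either alone is not enough."""
    c = scan_pdf(data)
    has_trigger = any(k.decode() in c for k in AUTO_TRIGGERS)
    has_network = any(k.decode() in c for k in NETWORK_ACTIONS)
    return has_trigger and has_network

# Constructed sample: a minimal PDF whose catalog fires a URI action on open.
TRACKING_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /URI /URI (http://tracker.example/beacon?id=PLACEHOLDER) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Constructed sample: the same document with the action object removed.
PLAIN_PDF = TRACKING_PDF.replace(b" /OpenAction 4 0 R", b"").replace(
    b"4 0 obj << /S /URI /URI (http://tracker.example/beacon?id=PLACEHOLDER) >> endobj\n", b"")

if __name__ == "__main__":
    for name, doc in (("tracking", TRACKING_PDF), ("plain", PLAIN_PDF)):
        print(name, scan_pdf(doc), "phones home on open:", phones_home_on_open(doc))
```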

Even personal firewalls don't necessarily solve the problem. A user with an inclination to rely on a big-name firewall from any one of a number of large software houses with self-serving and mutually beneficial 'trusted computing' initiatives isn't much better protected than a user without a firewall.

Is Norton's personal firewall going to disallow Norton Anti-Virus from contacting the Internet whenever it wants? Unlikely.

Is Microsoft going to set the firewall built into Windows XP to prevent Word, Media Player and other Microsoft applications from accessing the Internet whenever they like? Unlikely.

This means you're not going to see a warning when 'trusted' applications surreptitiously access the Internet as spyware functionality is legitimised as a tool for detailed application and data tracking.

Richard Stallman gave this sort of thing a name. He called it Treacherous Computing. It's everywhere, watch out for it.
