Defining spyware is only the first step in combating unwanted technologies, an effort that could require filling holes in Canadian privacy legislation, a public interest group said Tuesday.
A collection of security software firms, schools and government organizations that make up the Anti-Spyware Coalition (ASC) released a nine-page document that attempts to create a taxonomy for software that could infiltrate PCs. The result of three months’ effort, the ASC document also included a consumer tip-sheet and a draft dispute resolution structure to mediate disputes between software vendors and companies whose applications have been tagged as “spyware.”
The ASC defines “spyware and other potentially unwanted technologies” as “technologies implemented in ways that impair users’ control over: material changes that affect their user experience, privacy, or system security; use of their system resources, including what programs are installed on their computers; collection, use, and distribution of their personal or otherwise sensitive information.
“These are items that users will want to be informed about, and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable,” the definition says.
The Canadian Internet Policy and Public Interest Clinic (CIPPIC) was the sole Canadian member of the ASC. Other members include Microsoft, McAfee and Ad-Aware maker Lavasoft.
CIPPIC staff counsel David Fewer said the challenge was creating a definition that was accurate and vendor neutral but still helpful to those grappling with spyware at home or in the enterprise. Forrester Research, for example, conducted a survey earlier this year in which 44 per cent of respondents said they were dealing with help desk calls about spyware, and 61 per cent estimated more than 17 per cent of their PCs were infected.
Fewer said the process of coming up with the definition was highly collaborative, but it doesn’t necessarily take into account the differences in the way spyware could be dealt with in Canada versus the United States.
“It wasn’t necessarily jurisdiction-specific. In the next phase of this we’ll be looking at laws, potentially,” he said. “Do our current laws address the problems that the ASC has identified? We’ll definitely be looking at that with our Canadian goggles on.”
The U.S. has made several attempts to legislate against spyware, Fewer noted, most of which he said lacked an adequate understanding of the challenges these technologies pose. Portions of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), on the other hand, have specific rules around how data can be collected, used and disclosed. In some cases, however, the issue of consent could still be up for debate, he said.
“There are misleading downloads, drive-by downloads, where consumers are tricked into downloading something. They think they’re downloading some screensaver software, but bundled in there could be an advertising server,” he said.
Michael Berg, a consultant with MDB based in Abbotsford, B.C., who helps clients remove spyware, said the definition probably wouldn’t help consumers who opt in to offers that seem legitimate – such as a banner ad that offers to remove spyware from their PC.
“That kind of thing could be implied as asking for some kind of consent,” he said. “The average public out there, the average user out there doesn’t have the same level of education. They click on it, and there’s your consent.”
Fewer said ASC will also be exploring best practices around spyware, such as what kind of notice or consent is sufficient when marketing to users. CIPPIC is also examining the extent to which Canada is a source of spyware.
“Our investigation is somewhat incomplete – this is not easy to track down – but the early indication is that there is a substantial Canadian connection here,” he said, adding that writing the definition may have been the easy part. “Things will get interesting now. Are we talking about best practices from the consumer’s perspective, or are we talking about sufficient practices from the software vendor’s perspective?”
The ASC said it is looking for feedback on the definition before it begins the next stage of its agenda.