The ASC, which is made up of mostly American technology vendors, content providers and public sector interest groups, already has a working definition of what spyware looks like. What’s new for this year is a set of rules of how it acts.
The ASC is referring to these rules, which were compiled through public input and consultation as a “Risk Model Description.” They include: the degree to which a piece of software can be freely uninstalled, propensity for browser hijackings or executing unwarranted user settings, and running program aspects with explicit user consent.
Any software that exhibits these and other qualities may constitute spyware.
The ASC’s working definition of spyware is essentially unchanged, said David Fewer, legal counsel for the Ottawa-based Canadian Internet Policy and Public Interest Clinic, which is one of two Canadian interest groups currently involved with the ASC.
“The big achievement was . . . to come up with a very short definition of what kind of technology constitutes spyware,” said Fewer, given the number of parties that contributed to that definition.
For the ASC, spyware comprises three things: It makes material changes that affect the user’s experience, privacy, or system security; compromise system resources; or that collects or distributes personal or sensitive information. But by having a Risk Model, policy makers can have a better idea of how spyware operates in the wild, said Fewer.
“They understand the ASC definition of spyware . . . but now they want to say, ‘How do we legislate this?’ One of the things they can do here is take a look at all the specific behaviours flagged and understand from their own perspective whether or not we have laws that deal with behaviour,” said Fewer.
The model could also have the unintended effect of allowing adware makers create software products that are as close to spyware without actually crossing that line. A lot of what makes adware legal is how its user licence agreements are phrased, said Jack Sebbag, general manager of McAfee Canada. By clicking the “I agree” button, users effectively consent to having software components installed on their hard drives.
“Any way you cut, having spyware on your system certainly slows your computer where in a lot of cases people just have to completely reinstall their operating system,” said Sebbag. McAfee Canada’s U.S. corporate parent McAfee Inc. is also a member of the ASC.
User licence confusion was another of the Risk Model criteria determined by the ASC.
Content providers may be able to avoid some of the thornier issues around software consent if they are able to consult the Risk Model, said Fewer.
“If Sony BMG had had this document and had incorporated this document into its technology review process before it had released its root kit, it would have saved them a lot of headaches. Certainly, technology vendors should find this document helpful,” he said.
Sony BMG is currently facing lawsuits, including a class-action suit from a Canadian group, over audio CDs that contain DRM technology which users claim is installed without consent.