Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

Is Microsoft’s Definition of Spyware Acceptable to Security Experts?


According to Microsoft, “Broadly speaking, spyware is deceptive software that is installed on a user’s computer without the user’s consent and has some malicious purpose.”

Brian Livingston of WindowsSecrets.com disagrees with Microsoft’s definition. He states that “This is patently absurd. Many spyware programs, such as peer-to-peer file sharing applications, are knowingly installed with the user’s consent. The user downloads the software to get music, a screen saver, or whatever other benefit is promised. What makes a program spyware, among other things, is that it operates in ways that aren’t clearly disclosed before installation and it reports data back to a central server. Furthermore, this activity needn’t be malicious. Many spyware programs do nothing more than serving up targeted advertising or tracking anonymous marketing behavior. If a user wants such tracking functions, they might be fine. But if the user wasn’t clearly made aware of this, whether or not such software has a malicious purpose, it’s still spyware.”

The majority of security experts will agree with Brian Livingston’s argument that spyware does not have to be installed without the user’s consent and spyware does not have to have a malicious purpose. Here are some of the definitions of “spyware” that you’ll find on the Web.

Webopedia.com: Any software that covertly gathers user information through the user’s Internet connection without his or her knowledge, usually for advertising purposes.
Wikipedia.org: In simpler terms, spyware is a type of program that watches after what users do with their computer and then sends this information to a hacker over the Internet.
CNET: One generally agreed upon definition of spyware states that it is software that tracks personal information about you and transmits that information to third parties.
Dictionary.com: Any software that covertly gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or other purposes.

Finally, the Anti-Spyware Coalition (ASC), headed by the Center for Democracy & Technology with support from industry giants America Online Inc., EarthLink Inc., Microsoft Corp., and Yahoo Inc., among others, has released a document designed to establish definitions that will bring clarity to anti-spyware vendors. The ASC is a group dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies.

ASC has two definitions of spyware. According to ASC, in its narrow sense, spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user. In its broader sense, spyware is used as a synonym for what the ASC calls “Spyware and Other Potentially Unwanted Technologies.” In technical settings, ASC uses the term spyware only in its narrower sense and always marks it as such [spyware(narrow)]. However, the term spyware, when used generally in an ASC document, always refers to the broader colloquial usage. This is how ASC defines spyware in the more common “broader sense”:

Spyware and other potentially unwanted technologies are described as those that “impair users’ control over: material changes that affect their user experience, privacy, or system security; use of their system resources, including what programs are installed on their computers; or collection, use, and distribution of their personal or otherwise sensitive information.”

All this debate about the definition of spyware leads to the privacy issues that most people are concerned about. I’ve written a couple of articles on privacy issues that you might be interested in.
