Final Standards Released from Antispyware Group
The Anti-Spyware Coalition (ASC) released a final draft of its risk model description, which pushes for more transparency in how spyware-fighting firms evaluate software and flag malicious content. The Center for Democracy & Technology-led group counts as members major Internet players like AOL, Microsoft, Yahoo and top security providers like McAfee, Symantec, Trend Micro and Sophos. Its first public workshop is next month.
The ASC released a draft of the guidelines in the fall (WID Oct 28 p4) and received more than 100 public comments, which were incorporated in the final document. The effort should help consumers understand how antispyware software protects them, and help software developers make safer, more consumer-friendly software, said CDT Assoc. Dir. Ari Schwartz. A matrix, at www.antispywarecoalition.org/documents, categorizes software in various ways. Its creators said the risk model is “a living document” that will change as behaviors and technologies emerge.
The group had received complaints that the guidelines didn’t fully address spyware or go far enough to protect users. Most of those complaining demanded that no software be granted unauthorized access to their PCs and argued that nearly all of the behaviors laid out in the document should carry a “high risk” rating, ASC said. Some comments zeroed in on the importance of user consent to installation and others expressed the opinion that the risk definitions for installation with minimal consent were too low and should be raised. ASC said those comments didn’t provide many concrete suggestions for modifying its specifications.
Some commenters, many of whom ASC said work with ad firms, worried that the document wasn’t specific enough to provide suitable guidance for antispyware vendors when they create spyware definitions. The ASC emphasized that the risk model document is one part of the coalition’s broader antispyware effort and isn’t intended to “homogenize all vendors’ spyware definitions.” Those calling for a “best practices” document that could provide further guidance to antispyware vendors won’t have to wait long. That’s also on the ASC’s to-do list. But Schwartz warned that achieving a consensus on best practices will be harder to accomplish.
ASC also plans to distribute tips for consumers, particularly targeting parents and teenagers, and wants to find ways for its members to share threat information better, he said. Spyware fighters are looking at the antivirus industry’s information sharing efforts as a model, Schwartz said. A way to swap data hasn’t been agreed on, and it could be tested among a small group of ASC members before being released industrywide, he said.
After a preliminary review, 180solutions Communications Dir. Sean Sundwall told us the document looks pretty solid. The adware firm executive said he is “thrilled to see that ASC has come up with the guidelines” but group members still have “a lot of leeway” in what they deem spyware. He urged the firms to move quickly to embrace the standards. “It’s a piece of paper until people implement it,” Sundwall said: “Our outstanding question is ‘Now what?’ Are they all going to start using this as their guide?” He said he’s “cautiously optimistic” that the ASC’s work will have impact.
Spyware expert Ben Edelman said it’s helpful to have an industry consortium of antispyware vendors, but the question remains: What should such vendors do? The ASC’s paper reflects that the participants “tried to make a list of all the factors that they think users don’t like, that they think create an appropriate basis for detection by their antispyware programs,” which at first impression seemed reasonable, he told us. But on further review, Edelman said he’s less sure. “Who exactly benefits from these ‘standards?’” he asked, saying he worried that the standards “unduly play into the hand of companies who make programs that users generally call spyware.” In seeking declassification of their programs, those companies can make arguments like “ASC says this is only a ‘medium risk’” or “ASC says this behavior is OK if we get consent,” Edelman said.
The document largely mirrors ASC members’ existing practices, so “what’s the point?” Edelman asked: “Why go to all this trouble merely to restate current practice?” Edelman, a former student fellow at Harvard’s Berkman Center for Internet & Society, said he wants the ASC to tackle tougher problems and “questions about which there is not yet a clear consensus.” The group should examine deceptive installations that “claim to be one thing but actually give something else too,” Edelman said. While he holds ASC members in high regard, he was disappointed “to see them get caught up on easy questions for so many months, without addressing the harder questions for which their leadership would be most useful.”
Formidable questions could crop up at the group’s upcoming workshop. FTC Chmn. Deborah Platt Majoras is set to speak at ASC’s Feb. 9 event, which organizers expect to draw federal regulators, top state technology and law enforcement officials as well as representatives of public interest groups and the nation’s largest Internet companies. Sessions will focus on spyware’s impact on businesses and individuals, increasing awareness through safety tips, tracking spyware across borders and fighting spyware through industry self-regulation.
New Software Rules for Direct Marketers
In related news, the Direct Mktg. Assn. (DMA) said it will begin requiring member organizations to adhere to new guidelines for how marketers should treat downloadable software (WID Jan 9 p7). The 4,000-member group’s board approved the move Fri. The provisions immediately become part of DMA’s ethics guidelines, which already include consumer privacy, safe computing and phone, mail and Internet marketing practices.
“While software technology by itself is neutral, substantial harm, including ‘modem hijacking,’ identity theft and significant decreases in performance can result from deceptive and unethical uses of downloadable software,” said DMA Vp Louis Mastria: “We are committed to taking a strong stand against such practices in order to increase confidence in the online channel.”
Under the guidelines, marketers shouldn’t install, have installed or use software on a computer or similar device that “initiates deceptive practices or interferes with a user’s expectation of the functionality of the computer and its programs.” Spam and viruses, modem hijacking, denial of service attacks and endless loop pop-up ads are included in the guidance, as are programs that deceptively modify or disable security or browser settings or prevent the user from disabling or uninstalling the software, DMA said.
The guidelines also describe what marketers should do when offering software or other similar technology installed on a PC for marketing purposes. The programs must provide “clear and conspicuous notice and choice at the point of joining a service or before the software or other similar technology begins operating on the user’s computer,” DMA said. Marketers are also instructed to always provide an easily accessible link to privacy policies and contact information as well as clear identification of the company making the offer, the group said.