SCN: Spyware
Steve
steve at advocate.net
Sat Apr 27 09:06:16 PDT 2002
x-no-archive: yes
===================
(Damien Cave, Salon)---Nicholas Stark has spent the past two
years fighting "spyware": programs surreptitiously bundled
together with popular software downloads for the purpose of
delivering advertisements or tracking personal information. His
Swedish company, Lavasoft, produces a product called Ad-Aware
that searches a computer for hidden spyware, and then asks users
if they'd like the program removed.
Spyware is a fast-moving business with new entries arriving by the
day. Lavasoft, in collaboration with volunteers all over the world,
must constantly update Ad-Aware to take into account clever new
technological tricks.
But even Stark was caught by surprise at the most recent
development: A company in the Slovak Republic called RadLight,
which makes a free multimedia player, turned the tables on
Lavasoft. In addition to the normal run of spyware that comes with
a RadLight download, there was an additional program specifically
aimed at removing Ad-Aware.
Hard numbers on how many people might have been affected by
this game of spyware vs. anti-spyware are difficult to come by.
More than 1 million people have downloaded Ad-Aware, according
to Stark, and at least 720,000 people have downloaded RadLight
from Download.com since the program first appeared in February,
but the extent of the overlap is unknown.
RadLight's counterattack is a classic example of the kind of
technological leapfrog always going on in the world of software.
But it is also yet another indication of how fraught with
complications the search for a business model in the world of free
software has become.
Parasite programs like spyware are a major income source for the
manufacturers of popular free downloads like KaZaA or RadLight.
Anti-spyware programs like Ad-Aware aim to cut that revenue
source off at the knees.
Does that give RadLight the unilateral right to uninstall programs
without directly informing the user? The only notification to
RadLight users that Ad-Aware was forbidden came buried in the
license statement that most users click through without reading,
which stated: "You are not allowed to use any third party program
(e.g. Ad-Aware) to uninstall applications bundled with RadLight."
RadLight did not respond to press inquiries. But an individual
calling himself "RadScorpion" and claiming to be RadLight's
creator posted a message on Lavasoft's message boards
Wednesday, stating that the Ad-Aware remover was a fair attempt
to make Lavasoft take a taste of its own medicine:
"As I believe that some of the "spyware" are just regular legal
programs I really feel for their authors to see how their program is
being uninstalled," RadScorpion wrote. "I WANTED ADAWARE TO
SEE IT TOO and to revalue their pose to their 'enemies.'"
Salon interviewed Stark via e-mail on the subject of the
ever-escalating war between spyware and anti-spyware.
What was your reaction upon discovering that RadLight was
targeting Ad-Aware for removal?
Primarily we saw it as a disservice to the users of RadLight, and
not against us. Their software silently removed ours without any
warning or notice in their license agreement.
At some point, though, a license agreement became part of the
download...
The changes in their license agreement were done after massive
protests. The author refused to inform users in the first place.
What about those who downloaded the program after the license
appeared? Most people probably didn't realize that they were also
downloading anti-Ad-Aware spyware, but isn't it their responsibility
to read the license? If they don't agree to the terms, shouldn't they
just not download the program?
I do not believe that it is legal to bind the usage of their software to
the removal of an unrelated product. What the RadLight developer
should have done was to make his software non-functioning
should the user choose to remove the bundled spyware/adware.
Or at least put it clearly visible that using his software without
SaveNow (an ad-serving program that is often bundled with
freeware) installed violates the terms of use. Everything else is an
unacceptable act.
As for the license agreement, when this was first discovered, the
user wasn't presented with the terms of the "contract" until the
software had already been installed. So regardless of whether the
user actually read the licensing terms, he or she didn't know the
terms they were actually agreeing to before they downloaded the
software.
Do you think that a license - in which a user clicks "yes, I agree" at
the end - gives users enough of a warning?
Absolutely not.
Why?
This would involve a drastic change in how software companies
relate to their end users. Just imagine the loss of control one would
have over one's private computers. Or even how this could affect
corporate users who would then have no choice about what
product solutions they were able to implement. We find the very
idea unacceptable and quite impossible to implement.
What do you and Lavasoft plan to do about RadLight's new
software?
We have been discussing the possibility of this tactic for quite
some time now. What they in effect did was to change their end
users' software environment without warning. So when our worst
case scenario was actually presented to us, we were already
prepared. We quickly released a fix for this exploit. As we now
consider RadLight's previous offerings to be malicious, we will
continue to monitor their subsequent releases for this type of
activity.
The battle with RadLight is really just one of many battles that
you've waged against spyware. How did you get started in this
business? When did you write the code for Ad-Aware and why?
Ad-Aware actually began with a simple Aureate removal tool
(Aureate produced one of the first versions of so-called spyware in
2000). As users became comfortable with it, and confident of its
effectiveness, they began to ask for the detection and removal of
an ever-increasing number of identified components.
Ad-Aware has quite simply been a work in progress as each new
reference file and upgrade has been in response to our users'
needs. With help from dedicated volunteers, we have even been
proactive, identifying components before they were asked for by
our users. We don't see an end to our development efforts as there
are literally several new advertising schemes being developed
every month in response to our product's effectiveness.
How do you make money? Ad-Aware is also free, so what's your
business model?
We do offer an enhanced version of Ad-Aware called Ad-Aware
Plus (which costs $15). But money is not the primary goal and has
never been; it's mainly used to pay the server and bandwidth
costs. We all have "regular" jobs or are students, and do this in our
spare time (although it uses up a lot).
How has the battle developed? Before RadLight, were there other
forms of spyware that tried to defeat Ad-Aware? And if so, how did
you handle those situations?
For the most part, the developers of these applications have done
their best to hide from Ad-Aware. It has been a game of cat and
mouse from the beginning.
RadLight was the first case of an attempt to defeat our software
through removal. This was a scenario we have discussed for a
long time, but had felt that the developers would not use it due to
the dubious legalities involved. In fact it could be seen as illegal.
So we prepared for it, but didn't implement it as we saw it being a
remote possibility.
Now that RadLight has let the genie out of the bottle, we expect
others to attempt this as well. So we will aggressively monitor for
this activity and if it is discovered, will quickly counter it and then
expose the offending party publicly.
Do you have any plans to sue?
The developers of RadLight have learned a difficult and painful
lesson. The public in general, and the privacy and security
communities specifically, have shown their company that they are
neither blind to, nor tolerant of malicious code distributed by any
official software vendor. The outcry was immediate and quite
deafening, causing them to reevaluate their tactics. At present, we
don't see a need for legal action.
Is there any kind of spyware that you find acceptable? Are those
that let people opt in, for example, allowable? Or what about ad
software that doesn't collect personal information but just serves
extra ads?
It isn't a matter of what Lavasoft will or will not approve of. If our
users find the activity unacceptable, then we will meet their needs.
In the end, it is the public that will decide what is appropriate.
So to this end we have implemented features that will allow the
user to choose their own level of comfort. They have the choice to
exclude or ignore any component targeted by Ad-Aware at their
discretion. And when removing the components found, we have
supplied them with a backup feature that will restore anything
removed by Ad-Aware should they choose to.
But if your program works correctly, it removes the revenue stream
for companies that offer their software for free. Some have argued
that spyware is a great way to encourage development of new and
interesting software because it gives creators a way to distribute
their programs to a large crowd while getting compensated for their
efforts.
The argument is really irrelevant. If a developer chooses this
business model, then that is their right. But in this, the end user
also has a right to choose what is or is not installed on their
systems.
Many of these bundled "ad systems" are poorly written and try to
dig themselves so deeply in a user's computer that they are close
to impossible for the average user and extremely difficult for the
advanced user to find and remove. So to this end, Ad-Aware is
needed to ensure that the user always has the choice.
Do you have an alternative plan for developers who want to earn
money from their code?
A specific plan? No. However we do have some pertinent advice.
Lavasoft began as nothing more than a dream. With hard work and
a specific plan for the future, we have been able to achieve the
success we now enjoy. We feel that the ad-sponsored model is
nothing more than a quick fix. What we would say is that
developers need to find a community willing to support their efforts
and help them to grow in their art and to learn from experience.
The fight seems to keep changing; whoever writes the last batch of
code has an advantage. How do you plan to keep up against so
many opponents - especially in cases when your competition has
more money?
Money is an important issue, but not as important as your question
would imply. True, we will be busy, and this will only get worse as
time goes on. But what your question fails to acknowledge is the
character of the people involved. Our core of support has always
been dedicated volunteers that take over support functions, do
research and beta test so that we can continue the development
work. Our users are our strength.
Copyright 2002 Salon.com