SCN: Spyware

Steve steve at advocate.net
Sat Apr 27 09:06:16 PDT 2002



===================


(Damien Cave, Salon)---Nicholas Stark has spent the past two 
years fighting "spyware":  programs surreptitiously bundled 
together with popular software downloads for the purpose of 
delivering advertisements or tracking personal information. His 
Swedish company, Lavasoft, produces a product called Ad-Aware 
that searches a computer for hidden spyware, and then asks users 
if they'd like the program removed.  

Spyware is a fast-moving business with new entries arriving by the 
day. Lavasoft, in collaboration with volunteers all over the world, 
must constantly update Ad-Aware to take into account clever new 
technological tricks. 

But even Stark was caught by surprise at the most recent 
development: A company in the Slovak Republic called RadLight, 
which makes a free multimedia player, turned the tables on 
Lavasoft. In addition to the normal run of spyware that comes with 
a RadLight download, there was an additional program specifically 
aimed at removing Ad-Aware.  

Hard numbers on how many people might have been affected by 
this game of spyware vs. anti-spyware are difficult to come by. 
More than 1 million people have downloaded Ad-Aware, according 
to Stark, and at least 720,000 people have downloaded RadLight 
from Download.com since the program first appeared in February, 
but the extent of the overlap is unknown.  

RadLight's counterattack is a classic example of the kind of 
technological leapfrog always going on in the world of software. 
But it is also yet another indication of how fraught with 
complications the search for a business model in the world of free 
software has become. 

Parasite programs like spyware are a major income source for the 
manufacturers of popular free downloads like KaZaA or RadLight. 
Anti-spyware programs like Ad-Aware aim to cut that revenue 
source off at the knees.  

Does that give RadLight the unilateral right to uninstall programs 
without directly informing the user? The only notification to 
RadLight users that Ad-Aware was forbidden came buried in the 
license statement that most users click through without reading, 
which stated: "You are not allowed to use any third party program 
(e.g. Ad-Aware) to uninstall applications bundled with RadLight."  

RadLight did not respond to press inquiries. But an individual 
calling himself "RadScorpion" and claiming to be RadLight's 
creator posted a message on Lavasoft's message boards 
Wednesday, stating that the Ad-Aware remover was a fair attempt 
to make Lavasoft take a taste of its own medicine:  

"As I believe that some of the "spyware" are just regular legal 
programs I really feel for their authors to see how their program is 
being uninstalled," RadScorpion wrote. "I WANTED ADAWARE TO 
SEE IT TOO and to revalue their pose to their 'enemies.'"  

Salon interviewed Stark via e-mail on the subject of the ever-
escalating war between spyware and anti-spyware.  

What was your reaction upon discovering that RadLight was 
targeting Ad-Aware for removal?  

Primarily we saw it as a disservice to the users of RadLight, and 
not against us. Their software silently removed ours without any 
warning or notice in their license agreement.  

At some point, though, a license agreement became part of the 
download...

The changes in their license agreement were done after massive 
protests. The author refused to inform users in the first place.  

What about those who downloaded the program after the license 
appeared? Most people probably didn't realize that they were also 
downloading anti-Ad-Aware spyware, but isn't it their responsibility 
to read the license? If they don't agree to the terms, shouldn't they 
just not download the program?  

I do not believe that it is legal to bind the usage of their software to 
the removal of an unrelated product. What the RadLight developer 
should have done was to make his software non-functioning 
should the user choose to remove the bundled spyware/adware. 
Or at least put it clearly visible that using his software without 
SaveNow (an ad-serving program that is often bundled with 
freeware) installed violates the terms of use. Everything else is an 
unacceptable act.

As for the license agreement, when this was first discovered, the 
user wasn't presented with the terms of the "contract" until the 
software had already been installed. So regardless of whether the 
user actually read the licensing terms, he or she didn't know the 
terms they were actually agreeing to before they downloaded the 
software.  

Do you think that a license - in which a user clicks "yes, I agree" at 
the end - gives users enough of a warning?  

Absolutely not.  

Why?  

This would involve a drastic change in how software companies 
relate to their end users. Just imagine the loss of control one would 
have over one's private computers. Or even how this could affect 
corporate users who would then have no choice about what 
product solutions they were able to implement. We find the very 
idea unacceptable and quite impossible to implement.  

What do you and Lavasoft plan to do about RadLight's new 
software?  

We have been discussing the possibility of this tactic for quite 
some time now. What they in effect did was to change their end 
users' software environment without warning. So when our worst 
case scenario was actually presented to us, we were already 
prepared. We quickly released a fix for this exploit. As we now 
consider RadLight's previous offerings to be malicious, we will 
continue to monitor their subsequent releases for this type of 
activity.  

The battle with RadLight is really just one of many battles that 
you've waged against spyware. How did you get started in this 
business? When did you write the code for Ad-Aware and why?  

Ad-Aware actually began with a simple Aureate removal tool 
(Aureate produced one of the first versions of so-called spyware in 
2000). As users became comfortable with it, and confident of its 
effectiveness, they began to ask for the detection and removal of 
an ever-increasing number of identified components. 

Ad-Aware has quite simply been a work in progress as each new 
reference file and upgrade has been in response to our users' 
needs. With help from dedicated volunteers, we have even been 
proactive, identifying components before they were asked for by 
our users. We don't see an end to our development efforts as there 
are literally several new advertising schemes being developed 
every month in response to our product's effectiveness.  

How do you make money? Ad-Aware is also free, so what's your 
business model?  

We do offer an enhanced version of Ad-Aware called Ad-Aware 
Plus (which costs $15). But money is not the primary goal and has 
never been; it's mainly used to pay the server and bandwidth 
costs. We all have "regular" jobs or are students, and do this in our 
spare time (although it uses up a lot).  

How has the battle developed? Before RadLight, were there other 
forms of spyware that tried to defeat Ad-Aware? And if so, how did 
you handle those situations?  

For the most part, the developers of these applications have done 
their best to hide from Ad-Aware. It has been a game of cat and 
mouse from the beginning. 

RadLight was the first case of an attempt to defeat our software 
through removal. This was a scenario we have discussed for a 
long time, but had felt that the developers would not use it due to 
the dubious legalities involved. In fact it could be seen as illegal. 
So we prepared for it, but didn't implement it as we saw it being a 
remote possibility. 

Now that RadLight has let the genie out of the bottle, we expect 
others to attempt this as well. So we will aggressively monitor for 
this activity and if it is discovered, will quickly counter it and then 
expose the offending party publicly.  

Do you have any plans to sue?  

The developers of RadLight have learned a difficult and painful 
lesson. The public in general, and the privacy and security 
communities specifically, have shown their company that they are 
neither blind to, nor tolerant of malicious code distributed by any 
official software vendor. The outcry was immediate and quite 
deafening, causing them to reevaluate their tactics. At present, we 
don't see a need for legal action.  

Is there any kind of spyware that you find acceptable? Are those 
that let people opt in, for example, allowable? Or what about ad 
software that doesn't collect personal information but just serves 
extra ads?  

It isn't a matter of what Lavasoft will or will not approve of. If our 
users find the activity unacceptable, then we will meet their needs. 
In the end, it is the public that will decide what is appropriate. 

So to this end we have implemented features that will allow the 
user to choose their own level of comfort. They have the choice to 
exclude or ignore any component targeted by Ad-Aware at their 
discretion. And when removing the components found, we have 
supplied them with a backup feature that will restore anything 
removed by Ad-Aware should they choose to.  

But if your program works correctly, it removes the revenue stream 
for companies that offer their software for free. Some have argued 
that spyware is a great way to encourage development of new and 
interesting software because it gives creators a way to distribute 
their programs to a large crowd while getting compensated for their 
efforts.  

The argument is really irrelevant. If a developer chooses this 
business model, then that is their right. But in this, the end user 
also has a right to choose what is or is not installed on their 
systems. 

Many of these bundled "ad systems" are poorly written and try to 
dig themselves so deeply in a user's computer that they are close 
to impossible for the average user and extremely difficult for the 
advanced user to find and remove. So to this end, Ad-Aware is 
needed to ensure that the user always has the choice.  

Do you have an alternative plan for developers who want to earn 
money from their code?  

A specific plan? No. However we do have some pertinent advice. 
Lavasoft began as nothing more than a dream. With hard work and 
a specific plan for the future, we have been able to achieve the 
success we now enjoy. We feel that the ad-sponsored model is 
nothing more than a quick fix. What we would say is that 
developers need to find a community willing to support their efforts 
and help them to grow in their art and to learn from experience.  

The fight seems to keep changing; whoever writes the last batch of 
code has an advantage. How do you plan to keep up against so 
many opponents - especially in cases when your competition has 
more money?  

Money is an important issue, but not as important as your question 
would imply. True, we will be busy, and this will only get worse as 
time goes on. But what your question fails to acknowledge is the 
character of the people involved. Our core of support has always 
been dedicated volunteers that take over support functions, do 
research and beta test so that we can continue the development 
work. Our users are our strength.  


Copyright 2002 Salon.com




