RealTime IT News

Ganging Up on Badware

Good neighbors keep an eye on each other and spread the word on dodgy lurkers on the corner. Sun Microsystems , Google and Lenovo want to do the same on the Internet.

They're backing Harvard Law School's Berkman Center for Internet & Society and Oxford University's Oxford Internet Institute in StopBadware.org, an initiative that aims to act as a "Neighborhood Watch" campaign for consumers to guard against dangerous.

But some think they're trying to reinvent the wheel.

StopBadware.org will be an information clearinghouse dedicated to fighting badware, defined as … well, that's one of the first things the group plans to figure out.

It will write standards and testing procedures to define what badware is, a topic of much contention.

In September 2005, independent spyware consultant Ben Edelman accused Yahoo of funding spyware by distributing search marketing ads to Claria, eXact and DirectRevenue. These companies provide software that shows ads based on the Web sites a user visits. Edelman categorizes those companies as spyware distributors because he's documented cases in which their applications have been downloaded without user consent.

The three companies say they follow privacy guidelines, and any surreptitious downloads are the work of affiliate distributors that they can't control.

Edelman also accused Google of failing to fix a flaw in the coding of its Blogger blogging platform that made its blogs a haven for spyware and adware.

Once it defines badware, StopBadware.org will even call out what it considers the worst offenders in monthly reports it plans to publish.

"We believe if we publish this data and work with larger communities to generate more, we'll have opportunities to try new and different things," said Luis Villa, senior technical analyst for the Berkman Center and project manager for StopBadware.org. "All the current models for spyware rely on you trusting a single source and their assessment of whether something is spyware."

Harvard Law professor John Palfrey, executive director of the Berkman Center, and Jonathan Zittrain, a professor at Harvard Law and Oxford University, are StopBadware.org co-directors. Consumer Reports WebWatch is serving as an unpaid special advisor, and the advisory board includes Esther Dyson, editor of the "Release 1.0" technology newsletter, and Vint Cerf, one of the developers of the TPC/IP protocol, chair of the Internet Corporation for Assigned Names and Numbers (ICANN) and Google's Internet evangelist.

Ultimately, the group wants to preserve personal choice in software, avoiding government regulation.

In an e-mail, Cerf told internetnews.com, "All consumers must be in control of their experiences when they browse the Internet, and the mass proliferation of badware threatens this control. We cannot allow that to continue. In order to stem the unimpeded growth of badware, we must develop a better understanding of the avenues by which this abusive behavior is conducted in order to inhibit its effects -- and I believe that this Initiative will help with that."

In 2004, California enacted an anti-spyware bill that privacy activists called "worse than nothing."

The U.S. Congress also is developing legislation to stem the tide of malware.

A statement posted on the StopBadware.org Web site reads, "We believe that if badware and similar problems continue their explosive growth, governments and software manufacturers will be tempted to start making decisions about what you can and can't run on your computer. If that happens, we'll all be impacted."

But there are already other approaches to the problem.

Edelman is working with SiteAdvisor, a soon-to-launch provider of a browser plug-in to protect Internet users from spyware, adware, spam, viruses, browser-based attacks, phishing, online fraud and identity theft. SiteAdvisor uses a system of Web crawlers and virtual machines to analyze sites and find the ones that install spyware. The plug-in shows a red balloons when users visit risky pages, also providing annotations on search engine results pages.

"Automated analysis is probably the better way to figure out what Web sites are hostile. Robots are just staggeringly more efficient at these tasks," said Edelman.

TRUSTe, a non-profit that certifies and monitors Web sites' privacy and e-mail policies and practices, is taking a software centric approach with its TRUSTed Download program, launching in March. TRUSTed Download, sponsored by CNET, Yahoo, Computer Associates, Verizon and AOL, will certify consumer downloadable software.

The idea is to provide market incentives for adware and other software companies to be clear about what they'll install and what it does, as well as to obtain informed consent prior to download.

Fran Maier, executive director of TRUSTe, said the certification program would allow companies to recognize what software is meeting the standards, so that they could make informed decisions about whether to distribute their software or advertising to them.

"The advertising incentive will make companies change their practices," she said.

Comparing TRUSTed Download to StopBadware.org's approach of compiling a list of bad actors, Maier, said, "Theirs is a bad list, our is essentially a white list. Theirs is guidelines, ours is criteria. By having a certification program for good behavior, we think that will change the behavior of software overall."

Villa responded, "As independent nonprofits and .edus and, in the case of 'Consumer Reports,' a long tradition of independence, we feel we can offer data that's more trustworthy and less conflicted, less susceptible to commercial pressures from providers of adware and software."