Spoutin' Off: Spyware news is good, bad

By Michael E. Rau

July 25 2005

You'll find good and bad news in a recent survey regarding spyware and its effects from the folks at the Pew Foundation.

The research was conducted between May 4 and June 6 of this year, with 2,001 adults queried by Princeton Survey Research Associates and has a margin of error of +/- 2.3%. The survey was conducted on behalf of the Pew Internet & American Life Project.

The report is a fascinating read (it's only 17 pages) and can be found at http://www.pewinternet.org/pdfs/PIP_Spyware_Report_July_05.pdf . There's much more insight within the report than can possibly be addressed here.

The good news is that, according to the survey, nine out of 10 Internet users have changed their online behavior and activity patterns in response to various security threats. This means there's a basic awareness out there. We can build on that.

The bad news is that some of the figures indicate a certain degree of acquiescence to the perpetrators of these invasive practices - that malware is a trade-off we can live with.

Nonsense, I say!

The purposeful infection of the Internet with malware is, without question, one of the most malicious criminal activities imaginable.

In the case of spyware and adware, its purpose is to gather your personal information for someone else's profit. Maybe the information gathered is benign enough, but how would you ever know? And since most spyware and adware is inserted on your computer surreptitiously, the issue of invasion of privacy becomes obvious.

Some spyware is so pernicious, the infection into a system so deep, that some IT managers are finding it to be more cost effective to just scrap a system, rather than bear the expense and take the time to try to clean it. In an interview, Lee Rainie, the director of the Pew Internet & American Life Project, characterizes this circumstantially as "a rational response."

In the case of worms and viruses, no profit is generated, while the damage caused is massive. I believe the distributors of such malware are driven only by a compulsion to engage in adolescent, nihilistic destructiveness.

Columnist John Tierney recently highlighted a study by an economist at the University of Rochester named Steve Landsburg. In it, he conducted a cost comparison of the socio-economic benefit of executing murderers and hackers. Lansdburg makes a compelling argument that executing a hacker would result in many times more real cost benefits to society than executing the murderer.

Now, I'm not advocating capital punishment for hackers, but you get the idea.

And then there are tracking cookies. I've addressed this issue before when writing about my own pet peeve - web beacons. The Web sites which employ tracking cookies (and web beacons) generally disclose that such devices are being used, but the disclosure is invariably buried in a bunch of gobbledygook on some sub-page, which of course means you have to visit the site and allow their cookies to be installed before you can even find out whether or not the site uses cookies.

You can, of course, set your browser to reject cookies, but this will render you unable to visit the majority of commercial sites.

Walt Mossberg argues that by any rational definition, tracking cookies should be considered spyware. He says that since the cookies gather personal information and send it back to the tracking company, and since you don't know what information is being gathered or to whom it's being provided, it's spyware.

Software is available to clean all this stuff off of your system, but the practice of removing cookies is upsetting some of the big players in the Internet game. Mossberg points out that, under pressure from online companies which use tracking cookies, Microsoft has chosen to not enable it's new antispyware software to remove tracking cookies. But no matter: There are plenty of other applications out there which will.

In my opinion, a reasonable approach would be for someone to create and maintain a database of Web sites which use tracking cookies, and the types of cookies they use. With this, Web surfers would go to the database site, enter a URL, and learn the number and types of cookies you can expect to be installed. Browsers could then have controls available to specify what types of cookies are acceptable or not. Sites with acceptable cookie policies could then be designated as safe.

This would be a huge project, but would potentially yield so much benefit to consumers as to make it a hugely worthwhile endeavor for a non-profit organization. It might be similar to the database which lists known spammers and exploiters maintained by my friends at SpamHaus.

I have a couple of other ideas which I'd like to contemplate and refine. I'll share them in a future column.

In the meantime, never surrender. If you're complacent and passively give up your online rights and privacy, history shows that your chances of getting them back are slim and none.

Michael E. Rau is a communications consultant in Virginia Beach. To send comments to Mike or view past columns, visit http://dailypress.asoundidea.com/.

Copyright © 2005, Daily Press