Privacy-invasive software

See also: Greyware

Privacy-invasive software is a category of software that invades a user's privacy to gather information about the user and their device without prior knowledge or consent. Such software is sometimes loosely referred to as "spyware" but the information gathering can be malicious or non-malicious.^[1] The collected data is often used commercially such as being sold to advertisers or other third parties.^[2].

Origins

In early 2000, Steve Gibson formulated the first description of spyware after realizing software that stole his personal information had been installed on his computer.^[3]

Spyware is any software that employs a user’s internet connection in the background or "backchannel" without their knowledge or consent.^{[citation needed]}

Despite different interpretations of the definition of spyware; all descriptions include two central aspects, a degree of associated user consent, and the level of negative impact they impart on the user and their computer system (further discussed in Section 2.3 and Section 2.5 in (Boldt 2007a)). Because of the diffuse understanding in the spyware concept, the Anti-Spyware Coalition (ASC), constituted by public interest groups, trade associations, and anti-spyware companies, has come to the conclusion that the term spyware should be used at two different abstraction levels.^[4] At the low level, they use the following definition, which is similar to Steve Gibson's original one:

In its narrow sense, Spyware is a term for tracking software deployed without adequate notice, consent, or control for the user.

However, since this definition does not encompass all of the different types of spyware available, they also provide a wider definition, which is more abstract in its appearance:

In its broader sense, spyware is used as a synonym for what the ASC calls "Spyware (and Other Potentially Unwanted Technologies)". Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

1) Material changes that affect their user experience, privacy, or system security;
2) Use of their system resources, including what programs are installed on their computers; and/or
3) Collection, use, and distribution of their personal or other sensitive information.

Difficulties in defining spyware forced the ASC to define what they call Spyware (and Other Potentially Unwanted Technologies) instead. This includes any software that does not have the users' explicit consent for running on their computers. Another group that has tried to define spyware is StopBadware, which consists of actors such as Harvard Law School, Oxford University, Google, Lenovo, and Sun Microsystems.^[5] StopBadware does not use the term spyware at all, but instead introduced the term badware. Their definition is as follows:^[6]

An application is badware in one of two cases:

1. If the application acts deceptively or irreversibly.
2. If the application engages in potentially objectionable behavior without:
- First, prominently disclosing to the user that it will engage in such behavior, in clear and non-technical language, and
- Then, obtaining the user's affirmative consent to that aspect of the application.

— "Stop Badware Software Guidelines". April 7, 2006. Archived from the original on April 7, 2006.

Distinction

Disagreement among users and organizations on the definition of the term "spyware" has resulted from the subjectivity of the term. What some users regard as legitimate software could be regarded as a spyware by others. As the term "spyware" has gained traction; close synonyms such as trackware, evilware and badware have been created to distinguish the subject from the term spyware. As a result, the term privacy-invasive software was introduced to encapsulate all such software.

A three-by-three matrix classification of privacy-invasive software showing legitimate, spyware and malicious software (Boldt 2010, p. 110)

The work by Warkentiens et al. (described in Section 7.3.1 in (Boldt 2007a)) can be used as a starting point when developing a classification of privacy-invasive software, where privacy-invasive software is classified as a combination between user consent and direct negative consequences. User consent is specified as either low, medium or high, while the degree of direct negative consequences span between tolerable, moderate, and severe. This classification allows developers and users to first make a distinction between legitimate software and spyware, and secondly between spyware and malicious software. All software that has a low user consent, or which impairs severe direct negative consequences should be regarded as malware. While, on the other hand, any software that has high user consent, and which results in tolerable direct negative consequences should be regarded as legitimate software. Under this classification system, spyware constitutes the remaining group of software, i.e. those that have medium user consent, or which impair moderate direct negative consequences. This classification is described in further detail in Chapter 7 in (Boldt 2007a).

This classification system is broken down further with the distinction of direct negative consequences and indirect negative consequences. This distinguishes between any negative behavior a program has been designed to carry out (direct negative consequences) and security threats introduced by just having that software executing on the system (indirect negative consequences). One example of an indirect negative consequence is the exploitation risk of software vulnerabilities in programs that execute on users' systems without their knowledge.^[7]

History

As personal computers and broadband connections became more common, the use of the internet for e-commerce transactions rose.^[8] Early retailers included book dealer Amazon.com and CD retailer CDNOW.com, which both were founded in 1994.^[9] As competition over customers intensified, some e-commerce companies turned to questionable methods to entice customers into completing transactions with them.^[10]

Targeted advertisement

In the search for more effective advertising strategies, companies soon discovered the potential in ads that were targeted towards user interests. Once targeted advertising began to appear online, advertisers began to develop software that became known as spyware that collected users' personal interests through their browsing habits. Spyware brought along reduced system performance and security. The information gathered by spyware was used for constructing user profiles detailing what users could be persuaded to buy. The introduction of online advertisements opened up a new way of funding software development by having the software display advertisements to its users; software developers could offer their software "free of charge", since they were paid by the advertising agency. However, there is a distinction between "free of charge" and a "free gift", differences arising in the fact that a free gift is given without any expectations of future compensation, while something provided free of charge expects something in return. When downloading software described as "free of charge", users had no reason to suspect that it would report their Internet usage so that presented advertisements could be targeted towards their interests.

Problems arose due to users not being informed about neither the occurrence nor the extent of such monitoring, and were not given a chance to decide on whether to participate or not. As advertisements became targeted, the borders between adware and spyware started to dissolve, it started to both monitor users and deliver targeted ads.

The arms-race between spyware vendors

As the chase for faster financial gains intensified, several competing advertisers turned to more nefarious methods in an attempt to stay ahead of their competitors. As a result, this created a gray area between conventional ads that people chose to see, such as ads from subscription services, ads pushed on users through "pop-ups" and downloaded ads displayed in a program itself.^[11] This practice pushed online advertising closer to the dark side of spam and other types of invasive, privacy compromising advertising.^[12] During this development, users experienced infections from unsolicited software that crashed their computers by accident, changed application settings, harvested personal information, and deteriorated their computer experience.^[13] Over time, these problems led to the introduction of countermeasures in the form of anti-spyware tools.

Anti-spyware has become a new area of online vending with fierce competition. These tools purported to clean computers from spyware, adware, and any other type of shady software located in that same gray area. This type of software can lead to false positives as some types of legitimate software came to be branded by some users as "Spyware" (i.e. Spybot: Search & Destroy identifies the Scan Spyware program as a Spybot.) These tools were designed similarly to anti-malware tools, such as antivirus software. Anti-spyware tools identify programs using signatures (semantics, program code, or other identifying attributes). The process only works on known programs, which can lead to the false positives mentioned earlier and leave previously unknown spyware undetected. To further aggravate the situation, some shady companies distributed fake anti-spyware tools in their search for a larger piece of the online advertising market. These fake tools claimed to remove spyware, but instead installed their own share of adware and spyware on unsuspecting users' computers. Sometimes, this software would also remove adware and spyware from competing vendors.

New spyware programs are constantly being released in what seems to be a never-ending stream, although the increase has leveled out somewhat over the last few years. According to developers of anti-spyware programs, the fight against spyware is more complicated than the fight against viruses, trojan horses, and worms.^[14] There is still no consensus on a definition or classification system of spyware, which negatively affects the accuracy of anti-spyware tools resulting in some spyware programs being able to remain undetected on users' computers.^[15][16]

Predicted future development

There are several trends integrating computers and software into people's daily lives. One example is traditional media-oriented products which are being integrated into a single device, called media centers. These media centers include the same functionality as conventional television, DVD players, and stereo equipment, but combined with an internet connected computer. In a foreseeable future, these media centers are anticipated to reach vast consumer impact.^[17][18] In this setting, spyware could monitor and surveil what television channels are being watched, when/why users change channel or what DVDs users have purchased and watched. This information is highly attractive for any advertising or media-oriented corporation. This will most likely result in scenario where spyware is tailored towards these new platforms.

Another interesting area for spyware vendors is the increase of mobile device use. Distributors of advertisements have already turned their eyes to these devices. So far, this development has not utilized the geographic position data stored in these devices. However, companies are currently working on GPS-guided ads and coupons tailored to mobile phones and hand-held devices.^[19] In other words, the development of geographical tracking spyware allows advertisers to gain access to personal geographical data for the purpose of serving geographically targeted ads and coupons to their customers. Once such geographic data has been harvested and correlated with previously collected data, another privacy barrier has been crossed.

References

Citations

1. Boldt, Martin; Carlsson, Bengt (2006). "Privacy-Invasive Software and Preventive Mechanisms". 2006 International Conference on Systems and Networks Communications (ICSNC'06). p. 21. doi:10.1109/ICSNC.2006.62. ISBN 0-7695-2699-3. S2CID 15389209.
2. Boldt, Martin (2007). "Privacy-Invasive Software Exploring Effects and Countermeasures" (PDF). Blekinge Institute of Technology Licentiate Dissertation Series. 01.
3. Gibson, GRC OptOut -- Internet Spyware Detection and Removal, Gibson Research Corporation
4. ASC (2006-10-05). "Anti-Spyware Coalition".
5. StopBadware.org, StopBadware.org
6. StopBadware.org Guidelines, "StopBadware.org Software Guidelines", StopBadware.org, archived from the original on September 28, 2007
7. Saroiu, S.; Gribble, S.D.; Levy, H.M. (2004), "Measurement and Analysis of Spyware in a University Environment", Proceedings of the 1st Symposium on Networked Systems Design and Implementation (NSDI), San Francisco, USA
8. Abhijit, C.; Kuilboer, J.P. (2002), E-Business & E-Commerce Infrastructure: Technologies Supporting the E-Business Initiative, Columbus, USA: McGraw Hill
9. Rosenberg, R.S. (2004), The Social Impact of Computers (3rd ed.), Place=Elsevier Academic Press, San Diego CA
10. CDT (2006), Following the Money (PDF), Center for Democracy & Technology
11. Vincentas (11 July 2013). "Privacy Invasive Software in SpyWareLoop.com". Spyware Loop. Archived from the original on 9 April 2014. Retrieved 27 July 2013.
12. Görling, S. (2004), An Introduction to the Parasite Economy, Luxemburg: In Proceedings of EICAR
13. Pew, Internet (2005), "The Threat of Unwanted Software Programs is Changing the Way People use the Internet" (PDF), PIP Spyware Report July 05, Pew Internet & American Life Project, archived from the original (PDF) on July 13, 2007
14. Webroot (2006), "Differences between Spyware and Viruses", Spysweeper.com, Webroot Software, archived from the original on 2007-10-01
15. Good, N.; et al. (2006), "User Choices and Regret: Understanding Users' Decision Process About Consensually Acquired Spyware", I/S: A Journal of Law and Policy for the Information Society, vol. 2, no. 2
16. MTL (2006), AntiSpyware Comparison Reports, Malware-Test Lab, archived from the original on 2007-11-02, retrieved 2007-09-29
17. CES, International Consumer Electronics Association, archived from the original on 2010-02-08, retrieved 2007-09-28
18. Newman, M.W. (2006), "Recipes for Digital Living", IEEE Computer, vol. 39, no. 2
19. Business 2.0 Magazine (October 26, 2006), 20 Smart Companies to Start Now {{citation}}: |last= has generic name (help)

General sources

• Boldt, M. (2007a), Privacy-Invasive Software - Exploring Effects and Countermeasures (PDF), School of Engineering, Blekinge Institute of Technology, Sweden: Licentiate Thesis Series No. 2007:01, archived from the original (PDF) on 2011-07-16, retrieved 2007-09-28.
• Boldt, M. (2010), Privacy-Invasive Software (PDF), Blekinge, Sweden: School of Computing, Blekinge Institute of Technology, archived from the original (PDF) on 2014-04-08, retrieved 2013-03-15
• Boldt, M.; Carlsson, B.; Larsson, T.; Lindén, N. (2007b), Preventing Privacy-Invasive Software using Online Reputations (PDF), Springer Verlag, Berlin Germany: in Lecture Notes in Computer Science series, Volume 4721, archived from the original (PDF) on 2011-07-16, retrieved 2007-09-28.
• Boldt, M.; Carlsson, B. (2006a), Privacy-Invasive Software and Preventive Mechanisms (PDF), Papeete French, Polynesia: in Proceedings of IEEE International Conference on Systems and Networks Communications (ICSNC 2006), archived from the original (PDF) on 2011-07-16, retrieved 2007-09-28.
• Boldt, M.; Carlsson, B. (2006b), "Analysing Privacy-Invasive Software Countermeasures", Proceedings of IEEE International Conference on Systems and Networks Communications (ICSEA 2006), Papeete, French Polynesia.
• Boldt, M.; Jacobsson, A.; Carlsson, B. (2004), "Exploring Spyware Effects" (PDF), Proceedings of the Eighth Nordic Workshop on Secure IT Systems (NordSec2004), Helsinki, Finland, archived from the original (PDF) on 2007-02-03, retrieved 2007-09-28.
• Jacobsson, A. (2007), Security in Information Networks - from Privacy-Invasive Software to Plug and Play Business, School of Engineering, Blekinge Institute of Technology, Sweden: Doctoral Thesis.
• Jacobsson, A. (2004), Exploring Privacy Risks in Information Networks, School of Engineering, Blekinge Institute of Technology, Sweden: Licentiate Thesis Series No. 2004:11.
• Jacobsson, A.; Boldt, M.; Carlsson, B. (2004), Privacy-Invasive Software in File-Sharing Tools (PDF), Dordrecht NL: Kluwer Academic Publishers, archived from the original (PDF) on 2007-04-12, retrieved 2007-09-28.