Spyware
- Within this section:
- Summary
- Mechanism
- Comment
- Example Mitigations
| Threat Type: Spyware | Threat To: Public Confidence |
| Potential Impact: Medium | Likelihood: Medium |
Summary
Spyware is software which covertly transmits a user's personal information from his or her computer to some other destination on the Internet.
Mechanism
Spyware ranges from commercial software which requires an online registration, and which passes information about the machine it is installed on back to base; to completely covert "Trojan" programs installed via viruses or hacking attacks, and which monitor keystrokes or passwords and send these out on the Internet. Other programs watch surfing patterns in order to target advertising to the user.
While commercial software providers might object to their products being labelled spyware the fact remains that many such programs require or encourage an online registration during which various information is transmitted across the Internet. It is not in general clear to the user what information he or she is sharing with the program owner.
Some free software and shareware also contains spyware. An example is the popular KaZaA file-sharing program, which as well as sharing files also shares computer resources such as network capacity, CPU cycles and disk space for undescribed purposes under the control of the program owner. This could come as a particular surprise, say, to a parent who was unaware of the existence of KaZaA on their machine.
There is a risk to public perception of the Internet through spyware, as well as the obvious one of the risk to the privacy of information. Spyware can be used to facilitate identity theft.
Comment
There may be an analogy to the development of attitudes on spam. Until recently, many companies maintained that direct email marketing was a completely legitimate tool which they intended to exploit. With the rising volumes of this, and the increasingly extreme and fraudulent messages being sent through spam, most reputable companies have now rejected unsolicited email as a tool.
Spyware has yet, perhaps, to annoy as many people as spam currently does, although there are signs that it is becoming nearly as prevalent. [See, for instance, www.webpronews.com/news/ebusinessnews/wpn-45-20041015DellsSpywareSurvey.html] If it succeeds, companies which use intrusive software registration and monitoring schemes may change their own view on the desirability of these arrangements, fearing guilt by association. The New Zealand Privacy Commissioner recently signed an international declaration [Resolution on Automatic Software Updates, 25th International Conference of Data Protection and Privacy Commissioners, Sydney 2003. ] that software should not transmit any personal information across the Internet without permission.
Example Mitigations
Anti-spyware tools exist which can help identify and remove spyware. (Currently anti-virus tools do not consider spy ware viruses and so do not do this, but may do so eventually.)
Legislation?
PC Maintenance
Privacy Act already makes this unlawful
[ Previous | Next ]
