12 October 10

Spyware, Adware and User Permission: Meeting CA Anti-Spyware Requirements

Why User Permission is Important

CA Anti-Spyware, and products built with its engine, identify potentially unwanted products as Spyware[2] based on a set of criteria that describe behaviors commonly observed in known Spyware products (see the corresponding document "CA Anti-Spyware Scorecard"). Many of the criteria include the phrases "user knowledge" and "user permission". The purpose of this document is to define what user permission and knowledge are, and are not, so that the vendors and developers of the products CA Anti-Spyware detects can have a clear understanding of what behaviors and characteristics of their products they need to change in order to be declassified as Spyware. It is important to understand the difference between the presence and the absence of user permission and knowledge, as sometimes that is the only distinction between a product classified as Spyware and one that is not.

What User Permission is NOT

A recent study[3] conducted by America Online and the National Cyber Security Alliance found the following:

  • 80% of all users had known spyware[4] installed on their PCs.
  • While 53% of users suspected that they might have spyware installed on their machines, nearly half of the users surveyed, 47%, had no idea that spyware had been installed on their computers.
  • When shown the logs of the spyware identified on their computers, 95% of the users who were infected indicated that they had NOT given permission for the software identified as spyware to be installed on their machines.
  • 90% of the infected users had no idea the software was on their systems, and they had no idea what the programs were or what they did.
  • 86% of the infected users elected to have all of the programs identified removed from their computers at the completion of the survey.

It is clear from this study that the overwhelming majority of computer users have no knowledge of the presence of adware and spyware on their PCs, nor have they knowingly given their consent to install such programs on their machines. Consequently, users are subjected to unwanted and annoying ads, their computer performance is diminished and their privacy is endangered, all without their knowledge or permission.

Interestingly, in many, if not most, cases, the vendor of the adware or spyware in question attempted to secure permission from the user before installing their software. Obviously they failed (users can't give permission to something of which they are unaware). Those that do disclose their practices typically do so in End User License Agreements (EULAs) and/or Privacy Policies. Clearly, computer users are not reading and/or understanding these documents when they install software, and thus have no idea of what is being downloaded to their computers and what those programs are doing once installed. Therefore, acceptance or acknowledgement of a product's end-user license agreement (EULA) and/or a Privacy Policy does NOT constitute user permission, user knowledge or user consent.

Requirements for User Permission and User Knowledge

In order for a behavior to occur with "user awareness", at least one of the following attributes must be found to always apply to it:

I Offers notice of a behavior

II Behavior is the explicitly stated primary purpose of the program

In order for a behavior to occur with "clear user awareness", all requirements for "user awareness" must be met, and in addition one of the following attributes must be found to always apply to it:

V Choice or notice is clearly labeled

VI Choice or notice is presented in its own separate window

In order for a behavior to occur with "user permission", the following attributes must be found to always apply to it:

III Offers opt-out choice

IV Requires opt-in choice

In order for a behavior to occur with "clear user permission", all requirements for "user permission" must be met, and in addition one of the following attributes must be found to always apply to it:

V Choice or notice is clearly labeled

VI Choice or notice is presented in its own separate, single-purpose window

The requirements for each of the Consent attributes are laid out below:

Consent I: Offers notice of a behavior

  • Notice must be given prior to the first time the behavior in question takes place.
  • If the notice does not clearly indicate that the behavior will recur, notice is required again before the next occurrence of the behavior.
  • Notice must be given apart from the Terms of Service, EULA, privacy policy or other end-user agreement and terms.

Consent II: Behavior is the explicitly stated primary purpose of the program

  • The purpose of the program must be clearly stated at all publicly available distribution points.
  • The majority of the functionality of the program must be directed toward the primary purpose.
  • Any documentation distributed with the program must clearly and explicitly identify the primary purpose as well.
  • Notice of purpose must be given apart from the Terms of Service, EULA, privacy policy or other end-user agreement and terms.

Consent III: Offers opt-out choice

  • A choice is offered to the user, but is selected by default, or requires a user to take a specific action to avoid the choice being affirmed.
  • Users must be informed of the choice being made outside of the Terms of Service, EULA, privacy policy or other end-user agreement and terms.
  • The choice must be offered prior to the first time the behavior in question takes place.

Consent IV: Requires opt-in choice

  • A choice is offered to the user, but the user must initiate an action that would not otherwise occur, and does not constitute selecting the default action offered by the program in order to choose the behavior in question. All other choices are considered to be Consent III: Offers opt-out choice.
  • Users must be informed of the choice being made outside of the Terms of Service, EULA, privacy policy or other end-user agreement and terms.
  • The choice must be offered prior to the first time the behavior in question takes place.

Consent V: Choice or notice is clearly labeled

  • A Consent I, Consent III, or Consent IV attribute is displayed in a clear and concise manner, obviously designed to draw the user's attention to the notice or choice in question.
  • It must also clearly and in an easily understandable manner lay out the behavior to which the notice or choice relates.

Consent VI: Choice or notice is presented in a separate, single-purpose window

  • A Consent I, Consent III, or Consent IV attribute is displayed in its own window. This can be a dialog box, a separate pop-up window, or a previously displayed window which has all of its content cleared to make way for the notice or choice.
  • Taskbar tooltips are not considered separate windows for purposes of this attribute.

 

[1] CA reserves the right to revise this document and the requirements it describes at its discretion.

[2] Spyware in the context of this document refers to the broad category of non-viral malware, what CA Anti-Spyware refers to as "Pests". It includes all the categories of spyware that Anti-Spyware detects including (but not limited to) adware, spyware, hijackers, keyloggers, etc. The use of the term Spyware to denote the broad, general category of non-viral malware has become the industry standard description for this type of software. The eTrust Anti-Spyware product also includes a specific pest category called spyware that refers to any product that employs a user's Internet connection in the background without their knowledge, and gathers/transmits info on the user or their behavior. In this document, however, the use of Spyware always refers to the broad category of non-viral malware and not the more narrowly defined spyware pest category.

[3] AOL/NCSA Online Safety Study, conducted by America Online and the National Cyber Security Alliance, October 2004. The AOL/NCSA Online Safety Study was conducted through in-person interviews and technical analyses with a typical sample of 329 dial-up and broadband adult computer users, at least 18 years of age, from September 15 to October 8, 2004. The sample included 194 broadband users (59%) and 135 dial-up users (41%). The margin of error for the survey was +/- 5.4% with a 95% confidence level. After the survey was conducted, the subjects' computers were examined by technicians using commercially available products for a number of security-related issues, including the presence of Spyware. Participants were selected from 10 different metropolitan areas throughout the United States.

[4] Spyware was defined in the AOL/NCSA survey as follows: "Spyware and adware are software programs that quietly sit on our computer and can deliver pop-ups or other advertisements to you based on where you go and what you do online."