Best practices a guiding light for anti-spyware vendors


A U.S. coalition recently unveiled two documents that should help anti-spyware vendors in their ongoing crusade against intrusive technologies.

The Washington-based Anti-Spyware Coalition (ASC), which includes software companies, academics, and consumer groups, released the ‘Conflict Identification and Resolution’ and ‘Best Practices’ papers earlier this year.

The ASC is a group dedicated to building a consensus on definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies. ‘Conflict Identification and Resolution’ provides voluntary guidelines to avoid and resolve conflicts between different software products.

Often, competing anti-spyware applications will cause problems when they simultaneously try to access the same resources on a PC, says Ross Schulman, program associate at the Center for Democracy & Technology (CDT).

Washington-based CDT is a member of, and coordinates, the ASC. The centre works to build consensus among all parties interested in the future of the Internet and other new communications media.

“We thought it would be good to have a more formalized process,” says Schulman. While an informal process has always been in place to deal with such conflicts, he says the document outlines different ways those conflicts may arise, and offers clear steps to resolving them.

‘Best Practices’ aims to help anti-spyware vendors identify behaviours that characterize unwanted applications, such as automatic download, passive tracking and system modification.

“A user should have control over whether a program is going to start downloading automatically on his or her PC,” says Schulman. The same level of control should apply to uninstalling an application, he adds.

But the document is also meant to assist other enterprise software vendors, who may be in danger of treading on the wrong side of the “spyware/not spyware” line. “Software developers can assess whether the behaviour of their application makes everyone happy,” says Schulman.

The idea, he says, is not to enforce rules on anyone. Rather, the coalition’s approach is to dispense subjective guidelines that vendors can choose to adhere to.

One reason for this is that the ASC is not a certification body that bestows approval on particular kinds of software, he says. The other reason is that the meaning of a guideline may very well differ given individual circumstances.

Sam Curry, vice-president of security management at CA, agrees that dispensing subjective guidelines will benefit the industry in the long run. “The notion of a best practice is that in doing it, we find ways to better it.”

CA, an IT management software vendor based in Islandia, N.Y., is a member of the ASC.

Curry also believes providing “degrees of correctness” is far better than laying down concrete rules. “Best practices represent a state that companies can achieve without setting the bar at some impossibly high goal [with] no understanding of how to get there.”

Besides preferring subjective guidelines, the coalition’s approach is to maintain “living documents” that may be amended in light of public and industry feedback.

In keeping with that approach, the documents’ release was followed by a one-month consultation period, which has just ended, during which the public could provide feedback on the contents.

The idea of a living document suits the nature of the ever-evolving spyware domain, says Curry. “If someone says they’re going to write a document that will be final and live forever, it’s bound to be obsolete within months.”

While ‘Conflict Identification and Resolution’ received no feedback during the comment period, most reactions surrounding ‘Best Practices’ were critical of the document’s subjective approach, says Schulman.

Respondents felt it would be more useful if the document took an objective approach and let people discern good from bad by themselves.

Schulman says the coalition’s approach will be clarified in modifications to the ‘Best Practices’ document. In addition, several certification-focused groups will be listed as references.

People have a natural inclination to want rules and be told whether they’re right or wrong, says Curry. “[The coalition] needs to avoid the temptation [of doing this], because it may result in rules that become obsolete.”

Instead, he says, we need to think of this as a process to follow.

