Litigation, legislation, self-regulation and education make a good anti-spyware recipe.
This was the underlying message that resonated at a one-day workshop sponsored by the Anti-Spyware Coalition (ASC) held in Ottawa last month. The event attracted close to 200 attendees from various sectors including policy makers, anti-spyware vendors as well as players in the adware space.
Dubbed Developing International Solutions for Global Spyware Problems, the workshop emphasized the global nature of the spyware issue and called for the establishment of internationally-accepted “norms of minimum accepted behaviours” when it comes to potentially unwanted technologies, said David Fewer, staff counsel for Ottawa-based Canadian Internet Policy and Public Interest Clinic, a member of the ASC.
Participants also discussed the “shortcomings of the law” and the need for drafting legislation aimed at curbing spyware and other potentially unwanted programs. “For example, Canada has a comprehensive privacy law, but the shortcomings of that law with respect to enforcement, with respect to the deterrent effect or the behavioural-shaping effect of the law are questionable,” Fewer said.
While the requirements for legislation and international standards were discussed, the forum also focused on the need for self-regulation as a way of curbing the spyware problem. Fewer said self-regulation applies to all links in the spyware chain where users, for instance, would take responsibility for the protection of their desktop through anti-spyware and anti-virus tools.
Through self-regulation Internet advertisers also take responsibility for ensuring that their ads are placed and used legitimately, with consent from the intended viewer of the advertising, said Fewer.
“One way to do that is by… making sure that their agreements with ad placement agencies include quality of service obligations — that they won’t place ads in non-consensual popup vehicle, for example,” he explained.
Similarly, ad distribution firms could exercise self-regulation by ensuring that they do not use an ad distribution vehicle that’s being used for spyware distribution.
The Ottawa workshop was the second anti-spyware forum conducted by the coalition this year. The first was held in Washington in February.
The ASC recently released a document that details measures enterprises can take to protect against spyware to “reduce IT costs, abuse of system resources and productivity loss associated with malicious and commercial spyware.”
Educating employees about computer usage is one way of preventing spyware attacks in the enterprise, said the ASC. Employees should be required to agree to an Acceptable Use Policy that allows administrators to block and remove unauthorized programs, it added.
Gateway proxies or firewalls can also be configured to prevent spyware from reaching networked PCs through a combination of: defining policy to prevent “drive-by” downloads such as non-approved CAB and OCX files; defining policy to prevent executable downloads from known spyware sites and suspected or high-risk sites; scanning files at the gateway for known spyware code; defining policy to block PC communication to known spyware “phone home” sites and report which PCs are likely infected with spyware; analyzing logs of PC communications for unusually high traffic and high-frequency destinations; and maintaining strong anti-spam protection to limit spyware hidden in spam.
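The log-based measures in that list (non-approved CAB/OCX downloads, PCs contacting “phone home” sites, high-frequency destinations) can be sketched as one pass over gateway proxy logs. This is an added example, not taken from the ASC document or the article; the log format, host names, allowlist, blocklist and threshold are all assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumed policy inputs (hypothetical values, not from the ASC document).
APPROVED_HOSTS = {"updates.corp.example"}   # hosts allowed to serve CAB/OCX files
PHONE_HOME_HOSTS = {"track.spy.example"}    # known spyware call-back sites
DRIVE_BY_EXT = (".cab", ".ocx")
FREQ_THRESHOLD = 5                          # requests from one PC to one host

# Constructed sample log, one record per line: "<time> <client> <method> <url> <bytes>"
SAMPLE_LOG = "\n".join(
    ["09:00:01 10.0.0.5 GET http://updates.corp.example/agent.cab 48211",
     "09:00:07 10.0.0.7 GET http://free-toolbar.example/setup.OCX?id=1 90332",
     "09:00:09 10.0.0.5 GET http://news.example/index.html 15020",
     "malformed line"]
    + [f"09:{m:02d}:00 10.0.0.7 POST http://track.spy.example/beacon 412"
       for m in range(1, 7)]
)

def analyze(log_text):
    """Return drive-by downloads, likely infected PCs and high-frequency pairs."""
    drive_by, phone_home, pair_counts = [], Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than guess at fields
        _time, client, _method, url, _size = parts
        parsed = urlsplit(url)
        host = (parsed.hostname or "").lower()
        if not host:
            continue
        pair_counts[(client, host)] += 1
        # Match on the URL path only, so a query string cannot hide the extension.
        if parsed.path.lower().endswith(DRIVE_BY_EXT) and host not in APPROVED_HOSTS:
            drive_by.append((client, url))
        if host in PHONE_HOME_HOSTS:
            phone_home[client] += 1  # this PC is likely infected
    high_freq = sorted(p for p, n in pair_counts.items() if n >= FREQ_THRESHOLD)
    return {"drive_by": drive_by, "phone_home": dict(phone_home),
            "high_freq": high_freq}

if __name__ == "__main__":
    for finding, value in analyze(SAMPLE_LOG).items():
        print(finding, value)
```
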