Privacy-invasive software: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Added citation in the introduction and re-phrased the definition of the term based on an academic journal article.
m Minor grammar
(30 intermediate revisions by 26 users not shown)
Line 1: Line 1:
{{short description|Computer software ignoring user privacy with a commercial intent}}
{{short description|Computer software ignoring user privacy with a commercial intent}}
{{See also|malware#Grayware|l1=Greyware}}
{{See also|malware#Grayware|l1=Greyware}}
{{Multiple issues|
{{Multiple issues|{{editorial|date=May 2014}}
{{editorial|date=May 2014}}
{{More footnotes needed|date=September 2009}}
{{More footnotes needed|date=September 2009}}
{{tone|date=October 2018}}
{{tone|date=October 2018}}
{{cleanup rewrite|date=April 2024}}
}}
{{copy edit|date=April 2024}}}}


'''Privacy-invasive software''' is software that violates the user's privacy, ranging from legitimate software to malware. <ref>{{Cite journal |last=Boldt |first=Martin |last2=Carlsson |first2=Bengt |date=2006 |title=Privacy-Invasive Software and Preventive Mechanisms |url=https://ieeexplore.ieee.org/abstract/document/4041536 |journal=2006 International Conference on Systems and Networks Communications (ICSNC'06) |pages=21–21 |doi=10.1109/ICSNC.2006.62}}</ref>
'''Privacy-invasive software''' is a category of [[software]] that invades a user's privacy to gather information about the user and their device without prior consent or knowledge. This software can be [[Malware|malicious]] or non-malicious.<ref>{{Cite book |last1=Boldt |first1=Martin |title=2006 International Conference on Systems and Networks Communications (ICSNC'06) |last2=Carlsson |first2=Bengt |date=2006 |isbn=0-7695-2699-3 |pages=21 |chapter=Privacy-Invasive Software and Preventive Mechanisms |doi=10.1109/ICSNC.2006.62 |chapter-url=https://ieeexplore.ieee.org/document/4041536 |s2cid=15389209}}</ref> The data collected is often used commercially such as being sold to advertisers or other third parties.''<ref>{{cite journal |last1=Boldt |first1=Martin |date=2007 |title=Privacy-Invasive Software Exploring Effects and Countermeasures |url=https://www.diva-portal.org/smash/get/diva2:837092/FULLTEXT01.pdf |journal=Blekinge Institute of Technology Licentiate Dissertation Series |volume=01}}</ref>''


== Background ==
== Background ==
On online environments, such as the [[Internet]], a diverse array of privacy threats exists. Defining privacy is subjective, encompassing elements of robust security, [[seclusion]], the concealment of [[Information sensitivity|sensitive information]], [[confidentiality]], and the freedom from interference or intrusion.
In a digital setting, such as the Internet, there are a wide variety of [[data privacy|privacy]] threats. These vary from the [[web tracking|tracking of user activity]] (sites visited, items purchased etc.), to [[mass marketing]] based on the retrieval of personal information ([[spam (electronic)|spam]] offers and [[telemarketing]] calls are more common than ever), to the distribution of information on lethal technologies used for, e.g., acts of [[terrorism|terror]].


Information privacy involves the right to exercise control over the collection and utilization of personal information, specifying who collects or acts upon it. For many individuals, particularly the youth and a significant portion of the current generation, discussions about privacy often revolve around concerns such as [[Electoral fraud|election theft]], [[Data breach|data breaches]] in [[Electronic voting|electronic voting systems]], [[Ransomware|ransomware attacks]] targeting major businesses and stock markets, wearable technology, [[Social engineering (security)|social networking]], and missteps in targeted advertising.{{Citation needed|date=June 2024}} Notable incidents like [[WikiLeaks]] and the [[2010s global surveillance disclosures|Snowden revelations]], along with various [[whistleblowing]] activities and privacy-intrusive actions, including online scams, contribute to the multifaceted landscape of privacy concerns.
Spyware and identity theft are two related topics whereby individuals could use spyware to change the identity or spy on a potential victim. Spyware allows the aggressor and hacker to extract the victim's personal information and behaviours, thus making it easier for him or her to steal the identity of a victim.<ref name=":0" />


These concerns span a spectrum of severity, ranging from tracking user activities (such as visited websites and purchases) to mass marketing based on personal information retrieval, leading to an increase in spam offers and [[telemarketing]] calls. Privacy invasions extend to the dissemination of information related to lethal technologies, employed in acts of terror, espionage, or malicious intent.
Today, software-based privacy-invasions occur in numerous aspects of Internet usage. [[Spyware]] programs set to collect and distribute user information secretly download and execute on users’ workstations. [[Adware]] displays [[advertising|advertisements]] and other commercial content often based on personal information retrieved by spyware programs. System monitors record various actions on computer systems. [[Keylogger]]s record users’ keystrokes in order to monitor user behaviour. Self-replicating malware downloads and spreads disorder in systems and networks. Data-harvesting software programmed to gather [[e-mail]] addresses have become conventional features of the Internet, which among other things results in spam e-mail messages filling networks and computers with unsolicited commercial content. With those threats in mind, privacy-invasive software may be defined as:


Malicious intent is present in practices such as the use of spyware and identity theft. Individuals may leverage spyware to alter their identity or intrusively monitor potential victims with the aim of causing harm, financial loss, or undermining social status. Spyware facilitates the extraction of personal information and behavioral patterns from victims, streamlining identity theft.
== Definition ==
<blockquote>Privacy-invasive software is a category of software that ignores users’ right to be left alone and that is distributed with a specific intent, often of a commercial nature, which negatively affect[s] its users.''<ref>{{cite journal|last1=Boldt|first1=Martin|title=Privacy-Invasive Software Exploring Effects and Countermeasures|journal=Blekinge Institute of Technology Licentiate Dissertation Series|date=2007|volume=01|url=https://www.diva-portal.org/smash/get/diva2:837092/FULLTEXT01.pdf}}</ref></blockquote>


Today, software-based privacy invasions manifest across various facets of internet usage. [[Spyware]] discreetly downloads and executes on users' workstations to collect and distribute user information. [[Adware]], often based on personal data retrieved by spyware, displays commercial content and advertisements. System monitors record diverse actions on computer systems, while [[Keystroke logging|keyloggers]] capture user keystrokes to monitor behavior. [[Computer virus|Self-replicating malware]] spreads haphazardly on systems and networks. Data-harvesting software has become a commonplace feature of the Internet, contributing to the inundation of networks and computers with unsolicited commercial content, using techniques such as collecting [[Email address|email addresses]].
In this context, ''ignoring users’ right to be left alone'' means that the software is unsolicited and that it does not permit users to determine for themselves when, how and to what extent personally identifiable data is gathered, stored or processed by the software. ''Distributed'' means that it has entered the computer systems of users from (often unknown) [[server (computing)|server]]s placed on the [[Internet]] infrastructure. ''Often of a commercial nature'' means that the software (regardless of type or quality) is used as a tool in some sort of a commercial plan to gain revenues.


== Problem with the spyware concept ==
== Problem with the spyware concept ==
In early 2000, [[Steve Gibson (computer programmer)|Steve Gibson]] formulated the first description of [[spyware]] after realizing software that stole his personal information had been installed on his computer.<ref name=":0">{{Citation | last=Gibson | title=GRC OptOut -- Internet Spyware Detection and Removal | publisher=[[Gibson Research Corporation]] | url=http://www.grc.com/optout.htm}}</ref> His definition reads as follows:
In early 2000, [[Steve Gibson (computer programmer)|Steve Gibson]] formulated the first description of [[spyware]] after realizing software that stole his personal information had been installed on his computer.<ref name=":0">{{Citation | last=Gibson | title=GRC OptOut -- Internet Spyware Detection and Removal | publisher=[[Gibson Research Corporation]] | url=http://www.grc.com/optout.htm}}</ref>


{{cquote|Spyware is any software which employs a user’s Internet connection in the background (the so-called "backchannel") without their knowledge or explicit permission.}}
{{cquote|Spyware is any software which employs a user’s Internet connection in the background (the so-called "backchannel") without their knowledge or explicit permission.}}


This definition was valid in the beginning of the spyware evolution. However, as the spyware concept evolved over the years it attracted new kinds of behaviours. As these behaviours grew both in number and in diversity, the term spyware became hollowed out. This evolution resulted in that a great number of synonyms sprang up, e.g. thiefware, scumware, trackware, and [[badware]]. It is believed that the lack of a single standard definition of spyware depends on the diversity in all these different views on what really should be included, or as Aaron Weiss put it:<ref>{{Citation | last=Weiss | first=A. | title=Spyware Be Gone | work=ACM netWorker |volume=9 |issue=1 | place=ACM Press, New York, USA | year=2005}}</ref>
Other terms for similar software include thief ware, scum ware, track ware, and [[badware|bad ware]]. It is believed that the lack of a single standard definition of spyware depends on the diversity in all these different views on what really should be included, or as Aaron Weiss put it:<ref name=":1">{{Citation | last=Weiss | first=A. | title=Spyware Be Gone | work=ACM netWorker |volume=9 |issue=1 | place=ACM Press, New York, USA | year=2005}}</ref> "What the old-school intruders have going for them is that they are relatively straightforward to define. Unlike those hay-days, nowadays spyware, in its broadest sense, is harder to pin down."<ref name=":1" />


Despite this vague comprehension of the essence in spyware, all descriptions include two central aspects. The degree of associated user [[consent]], and the level of negative impact they impart on the user and their computer system (further discussed in Section 2.3 and Section 2.5 in {{Harv |Boldt|2007a}}). Because of the diffuse understanding in the spyware concept, recent attempts to define it have been forced into compromises. The Anti-Spyware Coalition (ASC) which is constituted by public interest groups, trade associations, and anti-spyware companies, has come to the conclusion that the term spyware should be used at two different abstraction levels.<ref>{{Cite web | last=ASC | title=Anti-Spyware Coalition | url=http://www.antispywarecoalition.org | date = 2006-10-05}}</ref> At the low level they use the following definition, which is similar to Steve Gibson's original one:
{{cquote|What the old-school intruders have going for them is that they are relatively straightforward to define. Spyware, in its broadest sense, is harder to pin down.

Despite this vague comprehension of the essence in spyware, all descriptions include two central aspects. The degree of associated user [[consent]], and the level of negative impact they impair on the user and their computer system (further discussed in Section 2.3 and Section 2.5 in {{Harv |Boldt|2007a}}). Because of the diffuse understanding in the spyware concept, recent attempts to define it have been forced into compromises. The [[Anti-Spyware Coalition]] (ASC) which is constituted by public interest groups, trade associations, and anti-spyware companies, have come to the conclusion that the term spyware should be used at two different abstraction levels.<ref>{{Cite web | last=ASC | title=Anti-Spyware Coalition | url=http://www.antispywarecoalition.org | date = 2006-10-05}}</ref> At the low level they use the following definition, which is similar to Steve Gibson's original one:


{{cquote|In its narrow sense, Spyware is a term for tracking software deployed without adequate notice, consent, or control for the user.}}
{{cquote|In its narrow sense, Spyware is a term for tracking software deployed without adequate notice, consent, or control for the user.}}


However, since this definition does not capture all the different types of spyware available they also provide a wider definition, which is more abstract in its appearance:
However, since this definition does not capture all the different types of spyware available, they also provide a wider definition, which is more abstract in its appearance:


{{poemquote|In its broader sense, spyware is used as a synonym for what the ASC calls "Spyware (and Other Potentially Unwanted Technologies)". Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:
{{poemquote|In its broader sense, spyware is used as a synonym for what the ASC calls "Spyware (and Other Potentially Unwanted Technologies)". Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:
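Review bot: the rewritten lead ("...invades a user's privacy to gather information about the user and their device without prior consent or knowledge") narrows the definition in a way the rest of the article does not support: the classification later in this same diff grades privacy-invasive software by ''low'', ''medium'' or ''high'' user consent, the caption describes a matrix "showing legitimate, spyware and malicious software", and the text states that an invasion of privacy "can be both desired and beneficial for the user as long as it is fully transparent"; the removed wording "ranging from legitimate software to malware" matched that, so keep the consent spectrum in the lead (for example "often without adequate consent or knowledge") rather than asserting its absence. Two regressions in the same hunk: the "Minor grammar" pass changed "the level of negative impact they impart on the user" to "they impair on the user", which is not grammatical (keep "impart", or "have on the user"), and both the new lead ("third parties.''<ref>") and the new Definition blockquote ("its users.''<ref>") leave an unbalanced `''` in front of the reference. Finally, the Weiss quotation, now inlined, contains the words "Unlike those hay-days, nowadays spyware" that the removed {{cquote}} did not, and it is immediately followed by a second <ref name=":1" /> for the source cited one sentence earlier; check the added wording against the source and drop the duplicate citation.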
Line 42: Line 39:
3) Collection, use, and distribution of their personal or other sensitive information.}}
3) Collection, use, and distribution of their personal or other sensitive information.}}


Difficulties in defining spyware, forced the ASC to define what they call ''Spyware (and Other Potentially Unwanted Technologies)'' instead. This includes any software that does not have the users’ appropriate consent for running on their computers. Another group that has tried to define spyware is a group called [[StopBadware|StopBadware.org]], which consists of actors such as [[Harvard Law School]], [[Oxford University]], [[Google]], [[Lenovo]], and [[Sun Microsystems]].<ref>{{Citation | last=StopBadware.org | title=StopBadware.org | url=http://www.stopbadware.org}}</ref> Their result is that they do not use the term spyware at all, but instead introduce the term ''badware''. Their definition thereof span over seven pages, but the essence looks as follows:<ref>{{Citation|last=StopBadware.org Guidelines |title=StopBadware.org Software Guidelines |url=http://www.stopbadware.org/home/guidelines |work=StopBadware.org |url-status=dead |archive-url=https://web.archive.org/web/20070928001515/http://www.stopbadware.org/home/guidelines |archive-date=September 28, 2007 }}</ref>
Difficulties in defining spyware, forced the ASC to define what they call ''Spyware (and Other Potentially Unwanted Technologies)'' instead. This includes any software that does not have the users' appropriate consent for running on their computers. Another group that has tried to define spyware is a group called [[StopBadware|StopBadware.org]], which consists of actors such as [[Harvard Law School]], [[Oxford University]], [[Google]], [[Lenovo]], and [[Sun Microsystems]].<ref>{{Citation | last=StopBadware.org | title=StopBadware.org | url=http://www.stopbadware.org}}</ref> Their result is that they do not use the term spyware at all, but instead introduce the term ''bad ware''. Their definition thereof spans over seven pages, but the essence looks as follows:<ref>{{Citation|last=StopBadware.org Guidelines |title=StopBadware.org Software Guidelines |url=http://www.stopbadware.org/home/guidelines |work=StopBadware.org |url-status=dead |archive-url=https://web.archive.org/web/20070928001515/http://www.stopbadware.org/home/guidelines |archive-date=September 28, 2007 }}</ref>


{{poemquote|An application is badware in one of two cases:
{{poemquote|An application is badware in one of two cases:
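Review bot: respelling "badware" as "bad ware" (and, in the previous hunk, "thief ware", "scum ware", "track ware") introduces an inconsistency on the very next line, where the quoted StopBadware guideline still reads "An application is badware", and with the linked article title [[badware]]; these are established one-word coinages and the piped link [[badware|bad ware]] should revert to [[badware]]. The sentence "Difficulties in defining spyware, forced the ASC to define..." also carries a stray comma between subject and verb, unchanged from the previous revision, that this copy-edit could drop.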
Line 52: Line 49:


== Introducing the term "privacy-invasive software"==
== Introducing the term "privacy-invasive software"==
A joint conclusion is that it is important, for both software vendors and users, that a clear separation between acceptable and unacceptable software behaviour is established.<ref>{{Citation | last=Bruce | first=J. | title=Defining Rules for Acceptable Adware | work=Proceedings of the 15th Virus Bulletin Conference | place=Dublin, Ireland | year=2005}}</ref><ref>{{Citation | last=Sipior | first=J.C. | title=A United States Perspective on the Ethical and Legal Issues of Spyware | work=Proceedings of 7th International Conference on Electronic Commerce | place=Xian, China | year=2005 | url=http://www.cs.potsdam.edu/faculty/laddbc/Teaching/Ethics/StudentPapers/2005ipior-AUnitedStatesPerspectiveOnTheEthicalAndLegalIssuesOfSpyware.pdf}}</ref> The reason for this is the subjective nature of many spyware programs included, which result in inconsistencies between different users beliefs, i.e. what one user regards as legitimate software could be regarded as a spyware by others. As the spyware concept came to include increasingly more types of programs, the term got hollowed out, resulting in several synonyms, such as trackware, evilware and badware, all negatively emotive. We therefore choose to introduce the term ''privacy-invasive software'' to encapsulate all such software. We believe this term to be more descriptive than other synonyms without having as negative connotation. Even if we use the word ''invasive'' to describe such software, we believe that an invasion of [[privacy]] can be both desired and beneficial for the user as long as it is fully [[Transparency (humanities)|transparent]], e.g. when implementing specially user-tailored services or when including personalization features in software. [[File:Privacy-Invasive Software Classification.png|thumb|300px|right|A three-by-three matrix classification of privacy-invasive software showing legitimate, spyware and malicious software. {{Harv|Boldt|2010|p=110}}]]
A joint conclusion is that it is important, for both software vendors and users, that a clear separation between acceptable and unacceptable software behavior is established.<ref>{{Citation | last=Bruce | first=J. | title=Defining Rules for Acceptable Adware | work=Proceedings of the 15th Virus Bulletin Conference | place=Dublin, Ireland | year=2005}}</ref><ref>{{Citation | last=Sipior | first=J.C. | title=A United States Perspective on the Ethical and Legal Issues of Spyware | work=Proceedings of 7th International Conference on Electronic Commerce | place=Xian, China | year=2005 | url=http://www.cs.potsdam.edu/faculty/laddbc/Teaching/Ethics/StudentPapers/2005ipior-AUnitedStatesPerspectiveOnTheEthicalAndLegalIssuesOfSpyware.pdf}}</ref> The reason for this is the subjective nature of many spyware programs included, which result in inconsistencies between different users' beliefs, as what one user regards as legitimate software could be regarded as a spyware by others. As the term "spyware" came to include increasingly more programs, the term got hollowed out, resulting in several synonyms, such as track ware, evil ware and bad ware, all negatively emotive. We therefore choose to introduce the term ''privacy-invasive software'' to encapsulate all such software. We believe this term to be more descriptive than other synonyms without having as negative connotation. Even if we use the word ''invasive'' to describe such software, we believe that an invasion of [[privacy]] can be both desired and beneficial for the user as long as it is fully [[Transparency (humanities)|transparent]], e.g. when implementing specially user-tailored services or when including personalization features in software. [[File:Privacy-Invasive Software Classification.png|thumb|300px|right|A three-by-three matrix classification of privacy-invasive software showing legitimate, spyware and malicious software {{Harv|Boldt|2010|p=110}}]]


The work by Warkentins et al. (described in Section 7.3.1 in {{Harv |Boldt|2007a}}) can be used as a starting point when developing a classification of privacy-invasive software, where we classify privacy-invasive software as a combination between ''user consent'' and ''direct negative consequences''. User consent is specified as either ''low'', ''medium'' or ''high'', while the degree of direct negative consequences span between ''tolerable'', ''moderate'', and ''severe''. This classification allows us to first make a distinction between legitimate software and spyware, and secondly between spyware and malicious software. All software that has a low user consent, ''or'' which impairs severe direct negative consequences should be regarded as malware. While, on the other hand, any software that has high user consent, ''and'' which results in tolerable direct negative consequences should be regarded as legitimate software. By this follows that spyware constitutes the remaining group of software, i.e. those that have medium user consent or which impair moderate direct negative consequences. This classification is described in further detail in Chapter 7 in {{Harv |Boldt|2007a}}.
The work by Warkentiens et al. (described in Section 7.3.1 in {{Harv |Boldt|2007a}}) can be used as a starting point when developing a classification of privacy-invasive software, where we classify privacy-invasive software as a combination between ''user consent'' and ''direct negative consequences''. User consent is specified as either ''low'', ''medium'' or ''high'', while the degree of direct negative consequences span between ''tolerable'', ''moderate'', and ''severe''. This classification allows us to first make a distinction between legitimate software and spyware, and secondly between spyware and malicious software. All software that has a low user consent, ''or'' which impairs severe direct negative consequences should be regarded as malware. While, on the other hand, any software that has high user consent, ''and'' which results in tolerable direct negative consequences should be regarded as legitimate software. By this follows that spyware constitutes the remaining group of software, i.e. those that have medium user consent, or which impair moderate direct negative consequences. This classification is described in further detail in Chapter 7 in {{Harv |Boldt|2007a}}.


In addition to the direct negative consequences, we also introduce ''indirect negative consequences''. By doing so our classification distinguishes between any negative behaviour a program has been designed to carry out (direct negative consequences) and security threats introduced by just having that software executing on the system (indirect negative consequences). One example of an indirect negative consequence is the exploitation risk of [[Software vulnerability|software vulnerabilities]] in programs that execute on users’ systems without their knowledge.<ref>{{Citation | last1=Saroiu | first1=S. | last2=Gribble | first2=S.D. | last3=Levy | first3=H.M. | title=Measurement and Analysis of Spyware in a University Environment | work=Proceedings of the 1st Symposium on Networked Systems Design and Implementation (NSDI) | place=San Francisco, USA | year=2004 | url=https://www.usenix.org/events/nsdi0/tech/full_papers/saroiu/saroiu_html}}</ref>
In addition to the direct negative consequences, we also introduce ''indirect negative consequences''. By doing so our classification distinguishes between any negative behavior a program has been designed to carry out (direct negative consequences) and security threats introduced by just having that software executing on the system (indirect negative consequences). One example of an indirect negative consequence is the exploitation risk of [[Software vulnerability|software vulnerabilities]] in programs that execute on users' systems without their knowledge.<ref>{{Citation | last1=Saroiu | first1=S. | last2=Gribble | first2=S.D. | last3=Levy | first3=H.M. | title=Measurement and Analysis of Spyware in a University Environment | work=Proceedings of the 1st Symposium on Networked Systems Design and Implementation (NSDI) | place=San Francisco, USA | year=2004 | url=https://www.usenix.org/events/nsdi0/tech/full_papers/saroiu/saroiu_html}}</ref>


== Comparison to malware ==
== Comparison to malware ==
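Review bot: changing "Warkentins et al." to "Warkentiens et al." in the classification paragraph is not backed by any citation in the hunk (the only pointer is Section 7.3.1 of Boldt 2007a), so the spelling should be checked against that source before it is altered; a respelling made during a grammar pass is easy to get wrong and there is no third reading to fall back on. Two defects the hunk carries over unchanged and could fix while here: "which impairs severe direct negative consequences" and "which impair moderate direct negative consequences" use "impair" where "cause" or "impose" is meant (the user suffers the consequences; nothing is impaired by them), and the same misuse was just introduced in the Background section's "negative impact they impair on the user". The classification rule itself is stated across several sentences and would read more clearly as one: low consent OR severe direct consequences is malware, high consent AND tolerable direct consequences is legitimate software, and every other combination (medium consent, or moderate consequences) is spyware; note that this rule presumes consent can be medium or high, which the new lead's "without prior consent or knowledge" does not allow for. Minor: the image caption dropped its terminal period before {{Harv|Boldt|2010|p=110}}.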
Line 62: Line 59:


== History ==
== History ==
As personal computers and [[broadband]] connections became more commonplace, the use of the internet for [[e-commerce]] transactions involved considerable amounts of money.<ref>{{Citation |last1=Abhijit |first1=C. |title=E-Business & E-Commerce Infrastructure: Technologies Supporting the E-Business Initiative |year=2002 |place=Columbus, USA |publisher=McGraw Hill |last2=Kuilboer |first2=J.P.}}</ref> Early retailers included book dealer [[Amazon.com]] and CD retailer [[CDNow|CDNOW.com]], which both were founded in 1994.<ref>{{Citation |last=Rosenberg |first=R.S. |title=The Social Impact of Computers |year=2004 |edition=3rd |publisher=Place=Elsevier Academic Press, San Diego CA}}</ref> As competition over customers intensified, some e-commerce companies turned to questionable to entice customers into completing transactions with them.<ref>{{Citation |last=CDT |title=Following the Money |year=2006 |url=https://www.cdt.org/files/privacy/20060320adware.pdf |publisher=Center for Democracy & Technology}}</ref>
=== Internet goes commercial ===
In the mid-1990s, the development of the Internet increased rapidly due to the interest from the general public. One important factor behind this accelerating increase was the 1993 release of the first browser, called [[Mosaic (web browser)|Mosaic]].<ref>{{Citation | last= Andreessen | first=M. | title=NCSA Mosaic Technical Summary | publisher=National Center for Supercomputing Applications | place=USA | year=1993}}</ref> This marked the birth of the graphically visible part of the Internet known as the [[World Wide Web]] (WWW) that was introduced in 1990. Commercial interests became well aware of the potential offered by the WWW in terms of electronic commerce especially because the restrictions on the commercial use of the Internet were removed which opened the space for companies to use the web as a platform to advertise and sell their goods. Thus, shortly after, companies selling goods over the Internet emerged, i.e. pioneers such as book dealer [[Amazon.com]] and CD retailer [[CDNow|CDNOW.com]], which both were founded in 1994.<ref>{{Citation | last= Rosenberg | first=R.S. | title=The Social Impact of Computers | edition=3rd | publisher= Place=Elsevier Academic Press, San Diego CA | year=2004}}</ref>

During the following years, personal computers and [[broadband]] connections to the Internet became more commonplace. Also, the increased use of the Internet resulted in that [[e-commerce]] transactions involved considerable amounts of money.<ref>{{Citation | last1=Abhijit | first1=C. | last2= Kuilboer | first2=J.P. | title=E-Business & E-Commerce Infrastructure: Technologies Supporting the E-Business Initiative | publisher=McGraw Hill | place= Columbus, USA | year=2002}}</ref> As competition over customers intensified, some e-commerce companies turned to questionable methods in their battle to entice customers into completing transactions with them.<ref>{{Citation | last=CDT | title=Following the Money | publisher=Center for Democracy & Technology | url=https://www.cdt.org/files/privacy/20060320adware.pdf | year=2006}}</ref><ref>{{Citation | last1= Shukla | first1=S. | last2=Nah | first2=F.F. | title=Web Browsing and Spyware Intrusion | journal=Communications of the ACM | volume=48 |issue=8 | pages=85 | place=New York, USA | year=2005 | doi = 10.1145/1076211.1076245| s2cid=30403836 }}</ref> This opened ways for illegitimate actors to gain revenues by stretching the limits used with methods for collecting personal information and for propagating commercial advertisements. Buying such services allowed for some e-commerce companies to get an advantage over their competitors, e.g. by using advertisements based on unsolicited commercial messages (also known as [[E-mail spam|spam]]) {{Harv |Jacobsson|2004}}.

=== Commercially motivated adverse software ===
The use of questionable techniques, such as [[Spam (electronic)|Spam]], were not as destructive as the more traditional malicious techniques, e.g. [[computer virus]]es or [[trojan horse (computing)|trojan horses]]. Compared to such malicious techniques the new ones differed in two fundamental ways. First, they were not necessarily illegal, and secondly, their main goal was gaining money instead of creating publicity for the creator by reaping digital havoc. Therefore, these techniques grouped as a “grey”<ref>{{Cite web|last=Fruhlinger|first=Josh|date=2019-05-17|title=What is malware: Definition, examples, detection and recovery|url=https://www.csoonline.com/article/3295877/what-is-malware-viruses-worms-trojans-and-beyond.html|access-date=2021-03-23|website=CSO Online|language=en}}</ref> area next to the already existing “dark”<ref>{{Citation|last1=Jacobsson|first1=Andreas|title=Privacy-Invasive Software in Filesharing Tools|work=Information Security Management, Education and Privacy|pages=281–296|place=Boston|publisher=Kluwer Academic Publishers|isbn=1-4020-8144-8|last2=Boldt|first2=Martin|last3=Carlsson|first3=Bengt|series=IFIP International Federation for Information Processing|year=2004|volume=148|doi=10.1007/1-4020-8145-6_22|doi-access=free}}</ref> side of the Internet.

Behind this development stood advertisers that understood that Internet was a “merchant’s utopia”,{{Citation needed|date=January 2010}} offering huge potential in global advertising coverage at a relatively low cost. By using the Internet as a global notice board, e-commerce companies could market their products through advertising agencies that delivered [[online ads]] to the masses. In 2004, online advertisement yearly represented between $500 million and $2 billion markets, which in 2005 increased to well over $6 billion-a-year.<ref>{{Citation | last=McFedries | first=P. | title=The Spyware Nightmare | publisher=in IEEE Spectrum, Volume 42, Issue 8 | place=Nebraska, USA | year= 2005}}</ref><ref>{{Citation | last=Zhang | first=X. | title=What Do Consumers Really Know About Spyware? | publisher=ACM | journal=Communications of the ACM | volume=48 |issue=8 | pages=44–48 | year=2005 | doi = 10.1145/1076211.1076238| s2cid=35102221 }}</ref> The larger online advertising companies report annual revenues in excess of $50 million each.<ref>{{Citation | last=CNET | title=The Money Game: How Adware Works and How it is Changing | publisher=CNET Anti Spyware Workshop, San Francisco, US | year=2005}}</ref> In the beginning of this development such companies distributed their ads in a [[broadcast]]-like manner, i.e. they were not streamlined towards individual users’ interests. Some of these ads were served directly on Web sites as banner ads, but dedicated programs, called [[adware]], soon emerged. Adware were used to display ads through [[pop-up ad|pop-up]] windows without depending on any Internet access or Web pages.


=== The birth of spyware ===
In the search for more effective advertising strategies, these companies soon discovered the potential in ads targeted towards user interests. Once [[targeted advertising]] began to appear online, the development took an unfortunate turn. Some advertisers began to develop software that became known as [[spyware]], which collected users' personal interests, e.g. through their [[Internet privacy#Browsing profiles|browsing habits]]. Over the coming years spyware would evolve into a significant new threat to Internet-connected computers, bringing reduced system performance and security. The information gathered by spyware was used to construct user profiles, including personal interests, detailing what users could be persuaded to buy. The introduction of online advertisements also opened a new way to fund software development by having the software display advertisements to its users. By doing so the software developer could offer their software "free of charge", since they were paid by the advertising agency. Unfortunately, many users did not understand the difference between "free of charge" and a "free gift": a free gift is given without any expectation of future compensation, while something provided free of charge expects something in return. A dental examination provided free of charge at a dental school is not a free gift; the school expects training value in return, and as a consequence the patient accepts increased risk. As adware was combined with spyware, this became a problem for computer users. When downloading software described as "free of charge", users had no reason to suspect that it would report on, for instance, their Internet usage so that the advertisements presented could be targeted towards their interests.
Some users would probably have accepted communicating their browsing habits because of the positive feedback, e.g. "offers" relevant to their interests. However, the fundamental problem was that users were not properly informed about either the occurrence or the extent of such monitoring, and hence were not given a chance to decide whether to participate or not. As advertisements became targeted, the borders between adware and spyware started to dissolve, combining both into a single program that both monitored users and delivered targeted ads. The fierce competition soon drove advertisers to further "enhance" the ways used for serving their ads, e.g. by replacing user-requested content with sponsored messages before showing it to the users.


=== The arms race between spyware vendors ===
As the chase for faster financial gains intensified, several competing advertisers turned to even more illegitimate methods in an attempt to stay ahead of their competitors. Targeted advertising accelerated the whole situation and created a "gray" area between conventional ads that people chose to see, such as by subscribing to an Internet site, and ads pushed on users through pop-up windows or downloaded ads displayed inside a program itself.<ref name=AAA>{{cite news|url=http://www.spywareloop.com/news/privacy-invasive-software |title=Privacy Invasive Software in SpyWareLoop.com |author=Vincentas |newspaper=Spyware Loop |date=11 July 2013 |access-date=27 July 2013 |url-status=dead |archive-url=https://web.archive.org/web/20140409013525/http://www.spywareloop.com/news/privacy-invasive-software |archive-date=9 April 2014 }}</ref> This practice pushed Internet advertising closer to the "dark" side of spam and other types of invasive, privacy-compromising advertising.<ref>{{Citation | last=Görling | first=S. | title=An Introduction to the Parasite Economy | publisher=In Proceedings of EICAR | place=Luxemburg | year=2004}}</ref> During this development, users experienced infections from unsolicited software that inadvertently crashed their computers, changed application settings, harvested personal information, and degraded their computing experience.<ref>{{Citation|last=Pew |first=Internet |title=The Threat of Unwanted Software Programs is Changing the Way People use the Internet |work=PIP Spyware Report July 05 |publisher=Pew Internet & American Life Project |url=http://www.pewinternet.org/pdfs/PIP_Spyware_Report_July_05.pdf |year=2005 |url-status=dead |archive-url=https://web.archive.org/web/20070713160443/http://www.pewinternet.org/pdfs/PIP_Spyware_Report_July_05.pdf |archive-date=July 13, 2007 }}</ref> Over time these problems led to the introduction of countermeasures in the form of anti-spyware tools.


These tools purported to clean computers of spyware, adware, and any other type of shady software located in that same "gray" area. This type of software can produce false positives, as some legitimate software came to be branded by some users as "spyware" (e.g. Spybot: Search & Destroy flagging the ScanSpyware program). These tools were designed similarly to anti-[[malware]] tools, such as [[antivirus software]]: anti-spyware tools identify programs using signatures (semantics, program code, or other identifying attributes). The process only works on known programs, which can lead to the false positives mentioned above and leaves previously unknown spyware undetected. To further aggravate the situation, a few especially illegitimate companies distributed fake anti-spyware tools in their search for a larger piece of the online advertising market. These fake tools claimed to remove spyware, but instead installed their own share of adware and spyware on unwitting users' computers, sometimes even accompanied by functionality to remove adware and spyware from competing vendors. Anti-spyware has become a new area of online vending with fierce competition.
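Signature matching of the kind described above, as an added example that is not code from the article or from any anti-spyware product. It compares an exact-hash signature with a byte-pattern signature over constructed sample files (the file contents, file names and the "Adware.Example" signature are all invented for illustration) and counts how each signature type handles a known sample, a repacked variant of it, an unknown family, and a legitimate removal tool that embeds the same string in order to find the adware:

```python
"""Signature-based detection and its two failure modes.

Added example, not code from the article or from any anti-spyware product.
The sample "binaries", signature names and the regex are constructed for
illustration only; real scanners combine many signature types and heuristics.
"""
import hashlib
import re

# Constructed stand-ins for executables (bytes), paired with ground truth:
# True = adware/spyware, False = legitimate program.
SAMPLES = {
    # A known adware binary that reports a tracking id to an ad server.
    "adware_known.exe": (b"MZ\x90\x00TRACKER_ID=4711;POST http://ads.example/track", True),
    # The same family repacked: one header byte differs, so its hash changes.
    "adware_repacked.exe": (b"MZ\x90\x01TRACKER_ID=4711;POST http://ads.example/track", True),
    # A family for which nobody has written a signature yet.
    "spyware_unknown.exe": (b"MZ\x90\x00keylog=on;upload=http://evil.example/drop", True),
    # A legitimate removal tool that embeds the adware's string in order to find it.
    "antispy_tool.exe": (b"MZ\x90\x00scan for TRACKER_ID=4711 and remove it", False),
    # An unrelated legitimate program.
    "notepad.exe": (b"MZ\x90\x00plain text editor", False),
}

# Signature type 1: exact hash of a known sample (catches only that exact file).
HASH_SIGNATURES = {
    hashlib.sha256(SAMPLES["adware_known.exe"][0]).hexdigest(): "Adware.Example",
}

# Signature type 2: a byte pattern lifted from the known sample's strings.
PATTERN_SIGNATURES = {
    "Adware.Example": re.compile(rb"TRACKER_ID=\d+"),
}


def scan_by_hash(data: bytes):
    """Return the signature name if the whole file is a known sample, else None."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_by_pattern(data: bytes):
    """Return the first signature whose byte pattern occurs anywhere in the file."""
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def evaluate():
    """Score both signature types against the ground truth.

    Returns {"hash": {...}, "pattern": {...}} with tp/fn/fp/tn counts.
    """
    scanners = {"hash": scan_by_hash, "pattern": scan_by_pattern}
    results = {}
    for label, scanner in scanners.items():
        counts = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
        for data, is_bad in SAMPLES.values():
            flagged = scanner(data) is not None
            if is_bad and flagged:
                counts["tp"] += 1
            elif is_bad and not flagged:
                counts["fn"] += 1   # unknown or modified spyware slips through
            elif not is_bad and flagged:
                counts["fp"] += 1   # legitimate program branded as spyware
            else:
                counts["tn"] += 1
        results[label] = counts
    return results


if __name__ == "__main__":
    for name, (data, is_bad) in SAMPLES.items():
        truth = "bad" if is_bad else "ok"
        print(f"{name:22} truth={truth:3} hash={scan_by_hash(data)} "
              f"pattern={scan_by_pattern(data)}")
    print(evaluate())
```

Running the script prints one line per sample: the repacked variant escapes the hash signature but not the pattern, the unknown family escapes both, and the legitimate removal tool trips the pattern, which is the same kind of false positive the text attributes to anti-spyware tools flagging each other. Loosening a signature (pattern instead of hash) trades missed detections for false positives; neither type detects a family that has not been seen before.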


New spyware programs keep appearing in what seems to be a never-ending stream, although the increase has levelled out somewhat in recent years. However, there is still no consensus on a common spyware definition or classification, which negatively affects the accuracy of anti-spyware tools. As mentioned above, some spyware programs remain undetected on users' computers.<ref>{{Citation | last=Good | first=N. | title=User Choices and Regret: Understanding Users' Decision Process About Consensually Acquired Spyware |url=https://scholarlycommons.law.case.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1620&context=faculty_publications | work=I/S: A Journal of Law and Policy for the Information Society |volume=2 |issue=2 | year=2006 |display-authors=etal}}</ref><ref>{{Citation | last=MTL | title=AntiSpyware Comparison Reports | publisher=Malware-Test Lab | url=http://www.malware-test.com/antispyware.html | year=2006 | access-date=2007-09-29 | archive-date=2007-11-02 | archive-url=https://web.archive.org/web/20071102170303/http://www.malware-test.com/antispyware.html | url-status=dead }}</ref> Developers of anti-spyware programs state that the fight against spyware is more complicated than the fight against [[computer virus|viruses]], [[trojan horse (computing)|trojan horses]], and [[computer worm|worms]].<ref>{{Citation |last=Webroot |title=Differences between Spyware and Viruses |publisher=Webroot Software |work=Spysweeper.com |url=http://research.spysweeper.com/differences.html |year=2006 |url-status=dead |archive-url=https://web.archive.org/web/20071001180224/http://research.spysweeper.com/differences.html |archive-date=2007-10-01 }}</ref>


== Predicted future development ==
There are several trends integrating computers and software into people's daily lives. One example is traditional media-oriented products being integrated into a single device, called a [[Home theater PC|media center]]. These media centers include the same functionality as conventional television, [[DVD]] players, and stereo equipment, combined with an Internet-connected computer. In the foreseeable future these media centers are anticipated to reach a vast consumer base.<ref>{{Citation | last=CES | title=International Consumer Electronics Association | url=http://www.cesweb.org/ | access-date=2007-09-28 | archive-date=2010-02-08 | archive-url=https://web.archive.org/web/20100208034010/http://www.cesweb.org/ | url-status=dead }}</ref><ref>{{Citation | last=Newman | first=M.W. | title=Recipes for Digital Living | work=IEEE Computer |volume=39 |issue=2 | year=2006}}</ref> In this setting, spyware could monitor, for instance, which television channels are being watched, when and why users change channel, or which DVD movies users have purchased and watched. This is information that is highly attractive for any advertising or media-oriented corporation to obtain. This presents a probable scenario where spyware is tailored towards these new platforms; the technology needed is to a large extent the same as is used in spyware today.


Another interesting area for spyware vendors is the increasing number of mobile devices being shipped. Distributors of advertisements have already turned their eyes to these devices. So far, this development has not utilized the geographic position data stored in these devices. However, at the time of writing, companies are working on [[GPS]]-guided ads and coupons destined for mobile phones and hand-held devices.<ref>{{Citation | last=Business 2.0 Magazine | title=20 Smart Companies to Start Now | url=https://money.cnn.com/magazines/business2/business2_archive/2006/09/01/8384349/index.htm | date=October 26, 2006}}</ref> In other words, the development of [[location-based advertising|location-based marketing]] allows advertising companies to access personal geographical data so that they can serve geographically dependent ads and coupons to their customers. Once such geographic data is harvested and correlated with already accumulated personal information, another privacy barrier has been crossed.


== References ==
* {{cite conference |mode=cs2 | last1=Boldt | first1=M. | last2=Jacobsson | first2=A. | last3=Carlsson | first3=B. | title=Exploring Spyware Effects |book-title=Proceedings of the Eighth Nordic Workshop on Secure IT Systems (NordSec2004) | url=http://www.bth.se/tek/aps/mbo.nsf/(WebFiles)/CAF6E79168D11036C125710D00419F45/$FILE/NordSec2004-BoldtJacobssonCarlsson.pdf | place=Helsinki, Finland | year=2004 | access-date=2007-09-28 | archive-url=https://web.archive.org/web/20070203054637/http://www.bth.se/tek/aps/mbo.nsf/(WebFiles)/CAF6E79168D11036C125710D00419F45/$FILE/NordSec2004-BoldtJacobssonCarlsson.pdf | archive-date=2007-02-03 | url-status=dead }}.
* {{Citation | last=Jacobsson | first=A. | title=Security in Information Networks - from Privacy-Invasive Software to Plug and Play Business | publisher=Doctoral Thesis | place=School of Engineering, Blekinge Institute of Technology, Sweden | year=2007}}.
* {{Citation | last=Jacobsson | first=A. | title=Exploring Privacy Risks in Information Networks | publisher=Licentiate Thesis Series No. 2004:11 | place=School of Engineering, Blekinge Institute of Technology, Sweden | year=2004 | url=https://www.researchgate.net/publication/30499062}}.
* {{Citation | last1=Jacobsson | first1=A. | last2=Boldt | first2=M. | last3=Carlsson | first3=B. | title=Privacy-Invasive Software in File-Sharing Tools |url=http://www.bth.se/tek/aps/mbo.nsf/(WebFiles)/8355BACE15A7A600C125710D00418AC5/$FILE/WCC2004-JacobssonBoldtCarlsson.pdf | place=Dordrecht NL |publisher=Kluwer Academic Publishers |date=2004 | access-date=2007-09-28 | archive-url=https://web.archive.org/web/20070412093551/http://www.bth.se/tek/aps/mbo.nsf/(WebFiles)/8355BACE15A7A600C125710D00418AC5/$FILE/WCC2004-JacobssonBoldtCarlsson.pdf | archive-date=2007-04-12}}.
{{refend}}

Revision as of 22:04, 11 August 2024

Privacy-invasive software is a category of software that invades a user's privacy to gather information about the user and their device without prior consent or knowledge. This software can be malicious or non-malicious.[1] The data collected is often used commercially, such as by being sold to advertisers or other third parties.[2]

Background

In online environments, such as the Internet, a diverse array of privacy threats exists. Defining privacy is subjective; it encompasses elements of robust security, seclusion, the concealment of sensitive information, confidentiality, and freedom from interference or intrusion.

Information privacy involves the right to exercise control over the collection and utilization of personal information, specifying who collects or acts upon it. For many individuals, particularly the youth and a significant portion of the current generation, discussions about privacy often revolve around concerns such as election theft, data breaches in electronic voting systems, ransomware attacks targeting major businesses and stock markets, wearable technology, social networking, and missteps in targeted advertising.[citation needed] Notable incidents like WikiLeaks and the Snowden revelations, along with various whistleblowing activities and privacy-intrusive actions, including online scams, contribute to the multifaceted landscape of privacy concerns.

These concerns span a spectrum of severity, ranging from tracking user activities (such as visited websites and purchases) to mass marketing based on personal information retrieval, leading to an increase in spam offers and telemarketing calls. Privacy invasions extend to the dissemination of information related to lethal technologies, employed in acts of terror, espionage, or malicious intent.

Malicious intent is present in practices such as the use of spyware and identity theft. Individuals may leverage spyware to alter their identity or intrusively monitor potential victims with the aim of causing harm, financial loss, or undermining social status. Spyware facilitates the extraction of personal information and behavioral patterns from victims, streamlining identity theft.

Today, software-based privacy invasions manifest across various facets of internet usage. Spyware discreetly downloads and executes on users' workstations to collect and distribute user information. Adware, often based on personal data retrieved by spyware, displays commercial content and advertisements. System monitors record diverse actions on computer systems, while keyloggers capture user keystrokes to monitor behavior. Self-replicating malware spreads haphazardly on systems and networks. Data-harvesting software has become a commonplace feature of the Internet, contributing to the inundation of networks and computers with unsolicited commercial content, using techniques such as collecting email addresses.

Problem with the spyware concept

In early 2000, Steve Gibson formulated the first description of spyware after realizing software that stole his personal information had been installed on his computer.[3]

Spyware is any software which employs a user’s Internet connection in the background (the so-called "backchannel") without their knowledge or explicit permission.

Other terms for similar software include thiefware, scumware, trackware, and badware. The lack of a single standard definition of spyware is believed to stem from the diversity of views on what really should be included, or as Aaron Weiss put it:[4] "What the old-school intruders have going for them is that they are relatively straightforward to define. Unlike those heydays, nowadays spyware, in its broadest sense, is harder to pin down."[4]

Despite this vague comprehension of the essence of spyware, all descriptions include two central aspects: the degree of associated user consent, and the level of negative impact imparted on the user and their computer system (further discussed in Section 2.3 and Section 2.5 in (Boldt 2007a)). Because of the diffuse understanding of the spyware concept, recent attempts to define it have been forced into compromises. The Anti-Spyware Coalition (ASC), which is made up of public interest groups, trade associations, and anti-spyware companies, has come to the conclusion that the term spyware should be used at two different abstraction levels.[5] At the lower level they use the following definition, which is similar to Steve Gibson's original one:

In its narrow sense, Spyware is a term for tracking software deployed without adequate notice, consent, or control for the user.

However, since this definition does not capture all the different types of spyware available, they also provide a wider definition, which is more abstract in its appearance:

In its broader sense, spyware is used as a synonym for what the ASC calls "Spyware (and Other Potentially Unwanted Technologies)". Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

1) Material changes that affect their user experience, privacy, or system security;
2) Use of their system resources, including what programs are installed on their computers; and/or
3) Collection, use, and distribution of their personal or other sensitive information.

The difficulties in defining spyware forced the ASC to define what they call Spyware (and Other Potentially Unwanted Technologies) instead. This includes any software that does not have the user's appropriate consent to run on their computer. Another group that has tried to define spyware is StopBadware.org, which consists of actors such as Harvard Law School, Oxford University, Google, Lenovo, and Sun Microsystems.[6] Their result is that they do not use the term spyware at all, but instead introduce the term badware. Their definition spans seven pages, but its essence is as follows:[7]

An application is badware in one of two cases:

1) If the application acts deceptively or irreversibly.
2) If the application engages in potentially objectionable behaviour without: first, prominently disclosing to the user that it will engage in such behaviour, in clear and non-technical language, and then obtaining the user's affirmative consent to that aspect of the application.

Both the ASC and the StopBadware.org definitions show the difficulty of defining spyware. We therefore regard the term spyware at two different abstraction levels. On the lower level it can be defined according to Steve Gibson's original definition. However, in its broader and more abstract sense the term spyware is hard to define properly, as concluded above.

Introducing the term "privacy-invasive software"

A joint conclusion is that it is important, for both software vendors and users, that a clear separation between acceptable and unacceptable software behavior is established.[8][9] The reason for this is the subjective nature of many of the programs included under spyware, which results in inconsistencies between different users' beliefs: what one user regards as legitimate software could be regarded as spyware by another. As the term "spyware" came to include increasingly more programs, the term got hollowed out, resulting in several synonyms, such as trackware, evilware and badware, all negatively emotive. We therefore choose to introduce the term privacy-invasive software to encapsulate all such software. We believe this term to be more descriptive than the other synonyms without having as negative a connotation. Even if we use the word invasive to describe such software, we believe that an invasion of privacy can be both desired and beneficial for the user as long as it is fully transparent, e.g. when implementing specially user-tailored services or when including personalization features in software.

A three-by-three matrix classification of privacy-invasive software showing legitimate, spyware and malicious software (Boldt 2010, p. 110)

The work by Warkentin et al. (described in Section 7.3.1 in (Boldt 2007a)) can be used as a starting point when developing a classification of privacy-invasive software, where we classify privacy-invasive software as a combination of user consent and direct negative consequences. User consent is specified as either low, medium or high, while the degree of direct negative consequences spans tolerable, moderate, and severe. This classification allows us to first make a distinction between legitimate software and spyware, and secondly between spyware and malicious software. All software that has low user consent, or which inflicts severe direct negative consequences, should be regarded as malware. On the other hand, any software that has high user consent, and which results in only tolerable direct negative consequences, should be regarded as legitimate software. It follows that spyware constitutes the remaining group of software, i.e. software that has medium user consent, or which inflicts moderate direct negative consequences. This classification is described in further detail in Chapter 7 in (Boldt 2007a).
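As an added example that is not part of the article or of Boldt's work, the following Python derives the full three-by-three matrix from the two rules stated above, so that every cell of the figure can be reconstructed from the text alone; function and label names are my own assumptions.

```python
"""Classification of privacy-invasive software by user consent and
direct negative consequences, following the rules quoted in the article.
Constructed example: the function and label names are assumptions."""

CONSENT_LEVELS = ("low", "medium", "high")
CONSEQUENCE_LEVELS = ("tolerable", "moderate", "severe")


def classify(consent: str, consequence: str) -> str:
    """Return 'malware', 'legitimate' or 'spyware' for one program.

    Rules as stated in the text:
      * low consent OR severe consequences      -> malware
      * high consent AND tolerable consequences -> legitimate
      * everything else                          -> spyware
    """
    if consent not in CONSENT_LEVELS:
        raise ValueError(f"unknown consent level: {consent!r}")
    if consequence not in CONSEQUENCE_LEVELS:
        raise ValueError(f"unknown consequence level: {consequence!r}")
    if consent == "low" or consequence == "severe":
        return "malware"
    if consent == "high" and consequence == "tolerable":
        return "legitimate"
    return "spyware"


def build_matrix() -> dict[tuple[str, str], str]:
    """Evaluate every (consent, consequence) cell. The rules are mutually
    exclusive and exhaustive, so each of the nine cells gets one label."""
    return {(c, q): classify(c, q)
            for c in CONSENT_LEVELS for q in CONSEQUENCE_LEVELS}


def count_labels(matrix: dict[tuple[str, str], str]) -> dict[str, int]:
    """How many of the nine cells fall into each class."""
    counts: dict[str, int] = {}
    for label in matrix.values():
        counts[label] = counts.get(label, 0) + 1
    return counts


def render(matrix: dict[tuple[str, str], str]) -> str:
    """Plain-text table: rows are consent, columns are direct consequences."""
    w = 12
    lines = ["consent".ljust(w) + "".join(q.ljust(w) for q in CONSEQUENCE_LEVELS)]
    for c in CONSENT_LEVELS:
        lines.append(c.ljust(w) + "".join(matrix[(c, q)].ljust(w) for q in CONSEQUENCE_LEVELS))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_matrix()))
```

Running it shows that the rules leave a single legitimate cell (high consent, tolerable consequences), five malware cells and three spyware cells.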

In addition to the direct negative consequences, we also introduce indirect negative consequences. By doing so our classification distinguishes between any negative behavior a program has been designed to carry out (direct negative consequences) and security threats introduced by just having that software executing on the system (indirect negative consequences). One example of an indirect negative consequence is the exploitation risk of software vulnerabilities in programs that execute on users' systems without their knowledge.[10]

Comparison to malware

The term privacy-invasive software is motivated by the fact that software types such as adware and spyware are often defined according to their actions rather than their distribution mechanisms (as with most malware definitions, which also rarely correspond to motives such as business and commerce). The overall intention of the concept of privacy-invasive software is consequently to convey the commercial aspect of unwanted software contamination. The threats of privacy-invasive software therefore do not have their roots in totalitarianism, malice or political ideas, but rather in the free market, advanced technology and the unbridled exchange of electronic information. By including purpose in its definition, the term privacy-invasive software is a contribution to the privacy and security research community.

History

As personal computers and broadband connections became more commonplace, the use of the internet for e-commerce transactions came to involve considerable amounts of money.[11] Early retailers included book dealer Amazon.com and CD retailer CDNOW.com, both of which were founded in 1994.[12] As competition over customers intensified, some e-commerce companies turned to questionable methods to entice customers into completing transactions with them.[13]

The birth of spyware

In the search for more effective advertising strategies, these companies soon discovered the potential in ads that were targeted towards user interests. Once targeted advertising began to appear online, the development took an unfortunate turn. Some advertisers began to develop software that became known as spyware, collecting users' personal interests, e.g. through their browsing habits. Over the coming years spyware would evolve into a significant new threat to Internet-connected computers, bringing with it reduced system performance and security. The information gathered by spyware was used to construct user profiles, including personal interests, detailing what users could be persuaded to buy. The introduction of online advertisements also opened a new way to fund software development by having the software display advertisements to its users. By doing so the software developer could offer their software "free of charge", since they were paid by the advertising agency. Unfortunately, many users did not understand the difference between "free of charge" and a "free gift", where the difference is that a free gift is given without any expectation of future compensation, while something provided free of charge expects something in return. A dental examination that is provided free of charge at a dental school is not a free gift: the school expects to gain training value, and as a consequence the patient accepts increased risk. As adware was combined with spyware, this became a problem for computer users. When downloading software described as "free of charge", users had no reason to suspect that it would report on, for instance, their Internet usage, so that the advertisements presented could be targeted towards their interests.

Some users probably would have accepted communicating their browsing habits because of the positive feedback, e.g. "offers" relevant to their interests. However, the fundamental problem was that users were not properly informed of either the occurrence or the extent of such monitoring, and hence were not given a chance to decide whether to participate or not. As advertisements became targeted, the borders between adware and spyware started to dissolve, combining both into a single program that both monitored users and delivered targeted ads. The fierce competition soon drove advertisers to further "enhance" the ways used for serving their ads, e.g. by replacing user-requested content with sponsored messages before showing it to the users.

The arms-race between spyware vendors

As the chase for faster financial gains intensified, several competing advertisers turned to even more illegitimate methods in an attempt to stay ahead of their competitors. This targeted advertising accelerated the whole situation and created a "gray" area between conventional ads that people chose to see, such as by subscribing to an Internet site, and ads pushed on users through "pop-up ads" or downloaded ads displayed in a program itself.[14] This practice pushed Internet advertising closer to the "dark" side of spam and other types of invasive, privacy-compromising advertising.[15] During this development, users experienced infections from unsolicited software that crashed their computers by accident, changed application settings, harvested personal information, and deteriorated their computer experience.[16] Over time these problems led to the introduction of countermeasures in the form of anti-spyware tools.

These tools purported to clean computers of spyware, adware, and any other type of shady software located in that same "gray" area. This type of software can lead to false positives, as some types of legitimate software came to be branded by some users as "spyware" (e.g. Spybot: Search & Destroy identifies the Scan Spyware program as spyware). These tools were designed similarly to anti-malware tools, such as antivirus software. Anti-spyware tools identify programs using signatures (semantics, program code, or other identifying attributes). The process only works on known programs, which can lead to the false positives mentioned earlier and leave previously unknown spyware undetected. To further aggravate the situation, a few especially illegitimate companies distributed fake anti-spyware tools in their search for a larger piece of the online advertising market. These fake tools claimed to remove spyware, but instead installed their own share of adware and spyware on unwitting users' computers, sometimes even accompanied by functionality to remove adware and spyware from competing vendors. Anti-spyware has become a new area of online vending with fierce competition.

New spyware programs continue to appear in what seems to be a never-ending stream, although the increase has levelled out somewhat over the last few years. However, there is still no consensus on a common spyware definition or classification, which negatively affects the accuracy of anti-spyware tools. As mentioned above, some spyware programs remain undetected on users' computers.[17][18] Developers of anti-spyware programs officially state that the fight against spyware is more complicated than the fight against viruses, trojan horses, and worms.[19]

Predicted future development

There are several trends integrating computers and software into people's daily lives. One example is traditional media-oriented products being integrated into a single device, called a media center. These media centers include the same functionality as conventional television, DVD players, and stereo equipment, but combined with an Internet-connected computer. In the foreseeable future these media centers are anticipated to reach vast consumer impact.[20][21] In this setting, spyware could monitor, for instance, what television channels are being watched, when and why users change channel, or what DVD movies users have purchased and watched. This is information that is highly attractive for any advertising or media-oriented corporation to obtain. This presents us with a probable scenario where spyware is tailored towards these new platforms; the technology needed is to a large extent the same as is used in spyware today.

Another interesting area for spyware vendors is the increasing number of mobile devices being shipped. Distributors of advertisements have already turned their eyes to these devices. So far, this development has not utilized the geographic position data stored in these devices. However, at the time of this writing companies are working on GPS-guided ads and coupons destined for mobile phones and hand-held devices.[22] In other words, the development of location-based marketing allows advertising companies to get access to personal geographical data so that they can serve geographically dependent ads and coupons to their customers. Once such geographic data is harvested and correlated with already accumulated personal information, another privacy barrier has been crossed.

References

Citations

  1. ^ Boldt, Martin; Carlsson, Bengt (2006). "Privacy-Invasive Software and Preventive Mechanisms". 2006 International Conference on Systems and Networks Communications (ICSNC'06). p. 21. doi:10.1109/ICSNC.2006.62. ISBN 0-7695-2699-3. S2CID 15389209.
  2. ^ Boldt, Martin (2007). "Privacy-Invasive Software Exploring Effects and Countermeasures" (PDF). Blekinge Institute of Technology Licentiate Dissertation Series. 01.
  3. ^ Gibson, GRC OptOut -- Internet Spyware Detection and Removal, Gibson Research Corporation
  4. ^ a b Weiss, A. (2005), "Spyware Be Gone", ACM netWorker, vol. 9, no. 1, ACM Press, New York, USA
  5. ^ ASC (2006-10-05). "Anti-Spyware Coalition".
  6. ^ StopBadware.org, StopBadware.org
  7. ^ StopBadware.org Guidelines, "StopBadware.org Software Guidelines", StopBadware.org, archived from the original on September 28, 2007
  8. ^ Bruce, J. (2005), "Defining Rules for Acceptable Adware", Proceedings of the 15th Virus Bulletin Conference, Dublin, Ireland
  9. ^ Sipior, J.C. (2005), "A United States Perspective on the Ethical and Legal Issues of Spyware" (PDF), Proceedings of 7th International Conference on Electronic Commerce, Xian, China
  10. ^ Saroiu, S.; Gribble, S.D.; Levy, H.M. (2004), "Measurement and Analysis of Spyware in a University Environment", Proceedings of the 1st Symposium on Networked Systems Design and Implementation (NSDI), San Francisco, USA
  11. ^ Abhijit, C.; Kuilboer, J.P. (2002), E-Business & E-Commerce Infrastructure: Technologies Supporting the E-Business Initiative, Columbus, USA: McGraw Hill
  12. ^ Rosenberg, R.S. (2004), The Social Impact of Computers (3rd ed.), San Diego, CA: Elsevier Academic Press
  13. ^ CDT (2006), Following the Money (PDF), Center for Democracy & Technology
  14. ^ Vincentas (11 July 2013). "Privacy Invasive Software in SpyWareLoop.com". Spyware Loop. Archived from the original on 9 April 2014. Retrieved 27 July 2013.
  15. ^ Görling, S. (2004), "An Introduction to the Parasite Economy", Proceedings of EICAR, Luxembourg
  16. ^ Pew Internet & American Life Project (2005), "The Threat of Unwanted Software Programs is Changing the Way People use the Internet" (PDF), PIP Spyware Report July 05, archived from the original (PDF) on July 13, 2007
  17. ^ Good, N.; et al. (2006), "User Choices and Regret: Understanding Users' Decision Process About Consensually Acquired Spyware", I/S: A Journal of Law and Policy for the Information Society, vol. 2, no. 2
  18. ^ MTL (2006), AntiSpyware Comparison Reports, Malware-Test Lab, archived from the original on 2007-11-02, retrieved 2007-09-29
  19. ^ Webroot (2006), "Differences between Spyware and Viruses", Spysweeper.com, Webroot Software, archived from the original on 2007-10-01
  20. ^ CES, International Consumer Electronics Association, archived from the original on 2010-02-08, retrieved 2007-09-28
  21. ^ Newman, M.W. (2006), "Recipes for Digital Living", IEEE Computer, vol. 39, no. 2
  22. ^ Business 2.0 Magazine (October 26, 2006), "20 Smart Companies to Start Now"

General sources