Spyware v. Malware
Before answering the question, “What is the definition of spyware?,” we need to understand what it isn’t. Many people, including security professionals, tend to lump spyware, viruses, worms, keyloggers, etc. under the umbrella of malware. For example, according to wikipedia.org (2010):
Spyware is a type of malware that is installed on computers and collects information about users without their knowledge.
This is sort of true. Spyware does report user information to a central server. However, it doesn’t do it for malicious purposes. So I don’t like including it in the same drawer with software that does.
I prefer the following definition, which I created for the purpose of this article:
Spyware is any application which, either knowingly or unknowingly, collects information about a user’s habits. It transmits this profile of user behavior to a central server where it is used for marketing and other types of analysis.
So the difference is whether the software is distributed with the intent to harm users. Does its use constitute data theft? As we’ll see next, this is a big point of contention with privacy advocates.
Finally, whatever the definition, spyware produces revenue, lots of revenue, for the company distributing it.
Illegal, Unethical, or Just a Business Tool?
Distributors of spyware claim they are doing nothing wrong. They are simply collecting information from user systems that helps these businesses or their clients provide better products and services. Privacy advocates adamantly argue against this position. They say the collecting of user information for use who-knows-where is a privacy violation and should be illegal. So who is right? Well, that depends.
Many U.S. citizens believe spyware is covered under the Computer Fraud and Abuse Act. The act makes it illegal to access anyone’s computer, for any reason, without their permission. This might work, if users weren’t downloading and installing spyware themselves.
Most spyware is installed after a user is asked to accept a software license or simply respond to a request to do so. In most cases, the target user doesn’t know or understand the consequences of installing the data collection application. In fact, information about what data will be collected and what will be done with it is often deeply buried in a license or software use agreement. Even if it were printed in bold print, underlined, with flashing lights, how many users would actually read it? Not many.
How spyware is viewed also differs between states and between countries. Until spyware is legally defined, with similar laws enacted across all legal jurisdictions, this argument will continue with no real resolution.
Spyware v. Adware
No description of spyware would be complete without explaining how it differs from adware. While spyware may, in addition to collecting user behavior statistics, display unwanted advertisements on a user’s desktop, it usually doesn’t. Adware’s purpose, however, is to display context-sensitive ads. As with spyware, the end result is revenue for the adware distributor/controller.
In the next article, we’ll examine how spyware gets on your computer and how it collects your information.
Spyware. (2010). In Wikipedia.org. Retrieved from https://en.wikipedia.org/wiki/Spyware
This post is part of the series: Understanding Spyware
This series of articles explains what spyware is (and is not), how it works, and how to combat it.