FTC Takes Aim At Spyware

Spyware, software that collects personal information about Web-surfing habits or application usage, is a growing concern. Opponents say the software violates privacy rights and can bog down Internet and computer performance. At its worst, spyware can usurp private information, including passwords and banking information.

The Federal Trade Commission is taking notice; it's holding a full-day workshop in Washington on the topic Monday.

Spyware typically is installed on a user's computer without his or her consent. Or, if a software maker is up-front about its presence, the fact that it exists is so deeply embedded in the software license agreement that most users don't know they've agreed to be watched when they click "I Agree."

What most people call spyware today is actually adware--small applications installed on PCs from Web sites or peer-to-peer file-sharing programs to track a user's interests and Web-surfing habits. The software is used to display targeted advertisements. But the FTC is concerned that hackers may start using the technology to steal personal information, such as bank account and Social Security numbers, to conduct fraud and identity theft.

There may be something to be concerned about. Last week, EarthLink and desktop privacy and security company Webroot Software Inc. released a survey of 1 million Internet users. They found that those systems averaged 28 spyware applications each. Of the 29 million spyware applications they spotted, the majority were largely benign-but-annoying adware. More disturbing, they found more than 300,000 programs running on the 1 million systems surveyed designed to steal personal information and even potentially give attackers access to users' systems.

The survey also found more than 30% of all systems scanned were infected with Trojan horses or system-monitoring applications.

Experts say the explosion in malicious code infections isn't just about Internet worms and E-mail mass-mailer viruses anymore. A big part of the problem is the number of people using popular file-sharing networks. Late last year, Bruce Hughes, director of malicious-code research at TruSecure Corp.'s ICSA Labs, conducted an experiment on these types of malicious apps residing where file-sharers dare to tread.

Hughes set up a crawler program on Kazaa and other peer-to-peer networks, scanning for popular file types using keywords such as sex and antivirus. Hughes says 45% of the files he downloaded contained malicious applications. "If you're downloading files from these networks, you're going to get infected with something," he warned.

The FTC workshop will focus on defining spyware and how it differs from adware; how spyware is distributed, and how peer-to-peer file-sharing networks contribute to spyware infections; how spyware affects both privacy and the performance impact on infected systems; and how government, consumers, and the IT industry can best combat spyware.