March 11, 2005\nSoftware Makers Fight Spyware Blacklist, Murky Definition\nBy MYLENE MANGALINDAN\nStaff Reporter of THE WALL STREET JOURNAL\n\nWary of silent intruders on her personal computer, Joanne Schrock\nrecently used a free program from America Online to scan for "spyware,"\nthe annoying software that can secretly track users' movements around\nthe Internet to do such things as dish up pop-up ads. She quickly\ndeleted all the programs that AOL identified as spyware.\n\nIt wasn't until the next day that Ms. Schrock realized she had erased\nan online bowling game that her daughter likes to play. "I just thought\nAOL says this is spyware ... and I needed to get it off my computer,"\nsays the 38-year-old mother of five in Wakarusa, Ind.\n\nTo computer users' relief, software that finds and eliminates spyware\nis now widely available. But there's a hitch: There is little agreement\non what constitutes spyware, so antispyware software may also wipe out\nprograms that users want to keep.\n\nMost broadly, spyware is software installed on a PC -\- often\nsurreptitiously -\- to gather information, which is relayed to\nadvertisers or merchants. Some spyware programs effectively hijack a\ncomputer, spewing unwanted pop-up ads, clogging the computer's memory\nor redirecting the home page of Internet browsers. More insidious\nprograms can transmit personal information such as passwords to\nidentity thieves. Spyware is incredibly widespread; market researcher\nIDC estimates that two-thirds of consumer PCs harbor some form of it.\n\nBut one person's spyware is someone else's valued tracking tool. So\nmakers of many programs labeled as spyware now are fighting back\nagainst spyware blacklists.\n\nTrekEight LLC is a small San Marcos, Calif., maker of security\nsoftware, including an antispyware program. But TrekEight says its\nantispyware program is itself labeled as spyware by a bigger rival,\nSymantec Corp. TrekEight sued Symantec in U.S. District Court in\nSouthern California last July, claiming that the designation led to\n"significant loss in sales and damage to its reputation."\n\nTrekEight says Symantec deleted the program from users' computers, but\nSymantec says it only flags the suspect software and the user decides\nwhether to delete it. The case is pending. A Symantec spokesman\ndeclined to comment on the case.\n\nSuch disputes are percolating in Washington, where many lawmakers and\nregulators want to clamp down on spyware. U.S. Rep. Mary Bono, a\nCalifornia Republican, this year introduced a measure that would\nrequire clearer disclosures to computer users, and their consent,\nbefore any monitoring program could be installed on their PCs.\nDiscussion of the bill quickly prompted debates over the definition of\nspyware. Ms. Bono recently revised the measure to exempt all "cookies,"\nsnippets of data stored on hard drives that are widely used by Web\nmerchants to recognize returning customers.\n\nOn Monday, the Federal Trade Commission urged the industry to develop a\ncommon definition of spyware, as part of a report labeling spyware a\n"serious and growing problem." Without a solid definition, the\ncommission warned, legislation or regulations to control spyware might\n"inadvertently cover some types of beneficial or benign software."\n\nJoe Davis would agree. Mr. Davis is chief executive of Coremetrics, a\nclosely held San Mateo, Calif., maker of software that analyzes the\neffectiveness of online ad campaigns. Coremetrics' customers include\nWilliams-Sonoma Inc. and Bank of America Corp. But Mr. Davis says that\nhis company's program has been mislabeled as spyware by some companies.\n\nThe debates over how to define spyware are reminiscent of efforts a few\nyears ago to regulate spam, or unsolicited e-mail. Congress ultimately\napproved a law requiring e-mail marketers to allow recipients to remove\ntheir names from distribution lists, but it is generally viewed as\nineffective in slowing the flood of spam. Instead, antispam efforts\nhave fallen primarily to large Internet access providers, state\nattorneys-general and volunteer programmers who have created their own\nlists of spammers.\n\nLikewise, makers of antispyware programs have developed their own lists\nof software they consider suspect. Symantec, of Cupertino, Calif.,\ndefines spyware as any program that can potentially grab private\ninformation. Vincent Weafer, a senior director at the company, says\nSymantec's definition tends to be "more inclusive" than others. Mr.\nWeafer says Symantec plans a new version of its program that will\nidentify troublesome software as high, medium, or low risks, to help\nusers decide whether to delete it.\n\nRobert A. Clyde, Symantec's chief technology officer, says Symantec has\nremoved some programs from its spyware list after investigating\ncomplaints that the programs were mislabeled. "The vast majority [of\ncomplaints] are handled in an amicable fashion," he says.\n\nMr. Clyde says he wouldn't mind some help from the government in\ndefining spyware. "In order to stop it, you have to label it," he says.\n\nAmerica Online, which began offering its free antispyware program last\nMay, has roughly 400 suspect programs on its list. But complaints from\nsoftware vendors included on the list are increasing, says Andrew\nWeinstein, a spokesman for the Time Warner Inc. unit. Mr. Weinstein\nsays AOL's program doesn't automatically delete any programs -\- it\nsimply provides a list to users, who then decide whether to keep or\nreject the software.\n\nIn at least two cases AOL removed programs from its spyware list:\nSideStep Inc., a closely held online travel service that downloads a\nprogram onto users' computers, and market researcher comScore Networks\nInc., which pays Internet users to place its software on their\ncomputers to track their online behavior.\n\nAOL says Ms. Schrock's game requires another program to run and that\nprogram was accidentally included on AOL's recently updated list of\nspyware threats. AOL says it has fixed the mistake. AOL doesn't have\nany guidelines that software makers can follow to prove that they're\nnot spyware. Members of AOL, however, can inform the company that a\nprogram is being mistakenly labeled as spyware.\n\nWild Tangent Inc., the Redmond, Wash., maker of the game favored by Ms.\nSchrock's daughter, says it has appealed to makers of antispyware\nprograms to be removed from their lists. Online games are suspect\nbecause some are used to load spyware onto users' computers. Sean\nVanderdasson, Wild Tangent's vice president of marketing, says his\ncompany's games don't carry spyware, but its pleas are not always\nsuccessful. Makers of antispyware programs like to keep long lists of\nsuspect software, Mr. Vanderdasson says, because "the more fear they\ncreate, the more software they can sell."