Adware and Spyware - are they really consensual?

What is this Adware and Spyware stuff anyway?

Adware and Spyware are a class of Malware that some will argue is legal because the user accepted an end user license agreement (EULA). The basic excuse is that the end user downloaded this really cool game/screensaver/program for free and accepted that the program, or another program bundled with it, will make money off the end user in some way. In short, the reason this type of software is legal is that the end user agreed or consented. So what is consent or implied consent, and do Adware and Spyware actually meet this standard?

To be legal, Adware or Spyware must display an agreement at some point during its installation stating, at least in general terms, what the program does or will do. This display is the EULA that no one ever reads before clicking "I accept". Now, this agreement can state anything that isn't inherently illegal, i.e. a contract cannot be created for murder for hire. I'm not going to go into details on all the evils of most EULAs here, as there are many other articles on that subject. If you agree to a contract, then it's your fault for what happens to you. My focus is on whether Adware and Spyware actually achieve consent, and on just how strong this industry's house of cards really is.

Just click - I agree. Come on I dare ya!

So to be legal, Adware and Spyware must have had the consent of the end user. Unfortunately, computers are still a relatively new technology and Information Security as a profession still believes it is special. Other areas of law have the concept of Informed Consent: to consent, the person must be aware of and knowledgeable about the consequences of what can happen. Eventually, as computer literate judges enter the workforce, Adware and Spyware EULAs will be challenged on this concept. In the meantime we must fight these programs on other legal fronts.

Let's get back to the basic premise that the end user has given consent via a click-through EULA. Legal consent requires:

  1. The EULA was made available to the end user prior to the installation being completed.
  2. The end user accepted the agreement either explicitly by clicking "I accept" or implicitly by continuing to install the program.

3 types of trickery

Adware and Spyware actually come in 3 main flavors of increasing bitterness - Integrated, Bundled, and Trojaned:

  1. Integrated is the most honest of the programs. The Adware or Spyware functionality is built right into the larger program and is usually visible.
  2. Bundled is much more likely to trigger the gag reflex. This refers to a usable free program, hereafter referred to as the bait, that includes a dubious EULA stating that other bundled software is required for use. These bundled programs are malicious in nature but still legal at this time due to the consent issue.
  3. Trojaned software may actually be illegal. The general idea is to trick the end user into installing the Adware or Spyware through some third agent. The Adware and Spyware folks try to claim that consent was given because a EULA was included; however, the third agent automates the install and typically hides the display of the EULA. The question now becomes: if the EULA isn't displayed and the end user isn't even aware that the Adware or Spyware exists, is it still legal?

Types of program distribution or the tough climb to the bottom.

Computer programs are like any other product: the programmer finds a need and then attempts to fulfill it. The problem is that writing a program is about as much work as writing a novel, and unless you're already wealthy you need to get paid. So, just like the aspiring novelist with book in hand, the programmer sets out to release the program into the world.

The program could be sold through the normal channels of prepackaged, store-sold goods. Just like the aspiring novelist, the programmer has to find and convince a publisher to distribute the work, create all the packaging to distribute the software, and absorb the markup costs in the distribution chain. This is why software costs $50 and up: $10 to the programmer and the rest to Retailmart.

Couldn't find a distributor? How about releasing it online! Your program or novel is going to be seen by a much larger audience, but how do you get paid? How about providing a free taste and then letting your customer pay you for the rest, à la shareware? The only problem is getting them to pay ...

Can't get your customers to pay? How about giving your program away for free and getting paid by a marketing firm to place ads in it? Adware isn't that bad; you're still liked better than spammers and lawyers. Of course you'll have to rewrite it to display the ads, but what's a little work for cold hard cash?

Too lazy to rework your own program? Don't worry, the Mafiosi of the world have prepackaged programs that will do the work for you. Just bundle their programs and get paid per install, per ad, per identity stolen ... Well, you get the point: less work, more cash, you just need to sell your soul; sign right there on the dotted line.

Can't write that great American novel or TetrisAttack game? Don't worry! The same people who want you to "bundle" their software don't care how you get their programs installed. Just go out and buy a copy of "Spammers for deadbeats" and annoy the world. For the script kiddies in the audience who need to move out of their parents' basement, why not put the wookie costume away and put your leet skilz to work? Script up that virus to do the work for you; you're scum, so revel in it!

Surfing at your own risk

Seriously though, I normally don't attempt to stand in the way of anyone making a buck off their hard work. Advertising is actually a good thing, because with advertising revenue programmers can create programs at a price, even free, that people can afford. The problem is that the current evolution of Adware and Spyware has effectively removed informed consent from the equation. Now, I am not talking about all Adware or even all Spyware. Advertising that is visible, integrated into the larger program, and has the fully informed consent of the system owner is completely fine and even ethical. Even Spyware that meets the above standards could be deemed ethical. I allow individuals to watch me every day as I go about my life; it is when I have not given my permission, obviously attempt to avoid contact, or am tricked into complying that it becomes stalking. The current trend among web advertisers is to supply the advertising or tracking functionality as a standalone program for 3rd parties to bundle into their own programs. While I am still somewhat willing to give these advertisers the benefit of the doubt, this system is ripe for misuse. What ends up happening is that virus writers sign up for an account with the advertisers and bundle the Adware and Spyware as the viral payload, as the following two samples show:
  1. Downloader-AAI
  2. Downloader-VG
There is now a whole class of malware, called downloaders or multi-droppers, whose main effect is to install other programs. The question now becomes: just how innocent are these advertisers? They may be able to claim that they didn't create the malware; they cannot deny that they are profiting from it.

Crossing the line

The questions before the legal community are:
  • Exactly when does an advertiser stop being an innocent bystander and become an accomplice?
  • Where does the burden of proof lie for informed consent when it's proven that consent is being bypassed via malware? Just because a EULA exists doesn't mean that the end user saw it and agreed to it.
It's time we stop calling Adware and Spyware what they claim to be and call them what they are - Fraudware.

The word on Information Security

Word games

Listed below are two sentences. Read each sentence in turn, close your eyes, and imagine the scene described:
  1. An elderly gentleman waiting patiently.
  2. An old geezer slouching in the corner.
How different were your mental images?
Were they of the same individual?
Who would you want to meet?

It is well known that the words we use have a noticeable effect on how we think and behave. The deliberate use of this effect is generally referred to as marketing, propaganda, or more formally as persuasive writing. Used consciously, specific word choices aid in conveying the full meaning intended. Compare the following two sentences that describe the same event:

  • The zoo handler was mauled by the mountain lion.
  • The zoo handler was nibbled by the mountain lion.
Of course the next sentence reads “I raised this one since she was a kitten and she always showers me with her affectionate kisses.” Intentionally or not, our word choices add meaning to the information we are attempting to convey. Words have meaning beyond their simple definitions. They have their own histories and double meanings handed down through the ages and we ignore them at our peril.

Let’s play a game.

“A strange game. The only winning move is not to play. How about a nice game of chess?”
- Wargames, 1983

The list below contains pairs of phrases, each giving two possible ways of describing the same action or event. Imagine each event in your mind and think about the different emotional response each phrase evokes. For each pair, determine whether your response would be different:

  • Attacker – Criminal
  • Web attack – Vandalism
  • Phishing – Fraud
  • Virus - Vandalism

Welcome to the current state of Information Security. In attempting to grapple with the unintended consequences of the mainstream adoption of a new disruptive technology, computers, we have created an industry-specific lexicon of terms to define what we are all tasked to do on a daily basis. Beyond the spouse factor, i.e. answering the dreaded "what did you do at work today, dear?" question:

“I responded to a spyware outbreak on the corporate LAN and developed a long term risk mitigation strategy.”
Sounds much more impressive than:
“I dealt with a few low budget commodity untrained workers (management) goofing off and told them not to do it again.”
This lexicon allows our industry to communicate about the Internet and the current methods of dealing with the challenges faced. In building it, we have followed both methods of word invention: we have coined new terms such as the Internet and borrowed other terms such as virus, firewall, and defense in depth. It is my proposition that we have fallen for our own marketing. Let's talk a bit about how it happened, what its effects have been, and where we can go from here.

Well how did we get here?

Blame it on a college student named Morris and his program that became known as "the Morris worm." The Morris worm of 1988 had a huge impact on the fledgling Internet and acted as a wake-up call for securing this great collection of adult oriented graphical content. This sparked the formation of the Computer Emergency Response Team (CERT) by the Defense Advanced Research Projects Agency (DARPA) in 1988. DARPA was and is part of the US Department of Defense and as such was greatly influenced by the military lexicon. As it happened, CERT came into existence just when people were comparing self-replicating code to biological viruses. The use of medical terminology and crisis response (triage) seemed a natural fit; this led to the ideas of containment, virus, inoculation, and quarantine joining our industry lexicon. Those that can, do, and then they write about it. It was only natural that our industry gained a split personality of battlefield response and biological foes. History has always belonged to the winners.

Using our battlefield response technique, the early industry pioneers launched Operation Sun Devil in May 1990 as the opening attack on the hacker army. Cities were invaded, children were captured at gunpoint, and lives were ruined. In the end this cyber-Vietnam changed nothing, because there was no vast enemy to conquer. Realizing you can't invade Detroit, Michigan every time some 16 year old learns to program, military style response quickly became unpopular. Just ask Steve Jackson Games, whose offices were raided by the Secret Service in March 1990 in an operation often lumped in with Sun Devil:

“More than three years later, a federal court awarded damages and attorneys' fees to the game company, ruling that the raid had been careless, illegal, and completely unjustified. Electronic civil-liberties advocates hailed the case as a landmark. It was the first step toward establishing that online speech IS speech, and entitled to Constitutional protection...”
- Electronic Frontier Foundation, http://www.eff.org/legal/cases/SJG/.

Sticks and stones may break my bones ...

But the words we use define us. Our industry lexicon has been shaped by the backgrounds of the security pioneers, and I believe we have fallen for our own propaganda. We have defined the issues we face in military and medical terms without being faced by a foreign army or a contagion. There is no vast army of pimply faced 16 year old hackers charging our defenses, and no biological weapons of mass destruction hiding inside our web browsers. These terms are not only inaccurate and degrading in and of themselves; they also lead us to look for military or medical style solutions to deal with these imaginary adversaries. Then we wonder why we seem to be losing ... So what are we here for? Let's start with Information Security.
Information - data: a collection of facts from which conclusions may be drawn; "statistical data"
Security - measures taken as a precaution against theft or espionage or sabotage etc.
Or how about Risk Management?
Risk - expose to a chance of loss or damage.
Management - the act of managing something.
So, avoiding all industry specific terms, let's look at what we are actually supposed to be doing. Our job is to:
  1. Protect stuff from bad things
  2. Continually work to make it easier to do step 1.

Honest officer the virus did it …

Ok, now we are getting somewhere! Let's look at step one again and dig a little deeper. So we are in the protection racket: we attempt to stop bad things from happening, and we also try to reduce the chance that bad things happen. What are these bad things? Is it even a what; could it be a who, how, where, or when? Using our current lexicon we protect stuff from: attackers, hackers, crackers, spyware, malware, adware, viruses, worms, terrorists, pirates, warez operators, script kiddies, etc. Take the term malware incident for example:
Malware - programming or files that are developed for the purpose of doing harm. Thus, malware includes computer viruses, worms, and Trojan horses.
Incident - an undesired event which under slightly different circumstances could result in harm to people, damage to property, loss to process, or harm to the environment.
So we diligently develop response plans to deal with malware incidents or "outbreaks" and, for trend analysis, track malware as a category, possibly with sub-categories of spyware, adware, virus, etc. Can you see how the military and medical basis of our lexicon has come back to haunt us? How valuable is our trend analysis? Can it be used to predict future events? Is all malware created equal? Should we define some global severity for malware incidents? What is an incident anyway? Is it a crime, an accident, or a random event? Again, our job is to protect.
Protect - shield from danger, injury, destruction, or damage.
So if our #1 goal is to protect stuff, then does the category malware incident work? Let's replace the word "malware" with "guns" and look at a current headline:
Microsoft to protect users against malware with Windows OneCare.
Gets changed to:
Microsoft to protect users against guns with Windows OneCare.

Who’s on first

The obvious question becomes: shouldn't we protect our users from the bad person holding the gun? The problem is that the term malware removes the source of the incident, the individual(s) who caused it. Malware is a program, and a program is nothing more than instructions that a computer follows. It exists to serve the purpose of its creator. Is "virus" even the appropriate word? The prevailing scientific view is that a biological virus is a product of evolution with no intent of its own (unless someone turns it into a weapon of mass destruction). A computer virus has a creator who has a definite purpose. There is intent, and that intent matters. By lumping all replicating code incidents into a single category called "virus," we lose the ability to measure the threat landscape. Our categories must be based on intent if we are to understand the current threat landscape.

When faced with a new technology, we assume that we need new tools, terminology, and techniques to deal with it. This has been our failure. Our terminology assumed that a new tool somehow changed human behavior, when in fact we are dealing with the same old greed, malice, envy, and violence. The answer is so simple and obvious that we missed it. Computers are just a tool that allows the same old human nature to be expressed more efficiently. So our job is to protect stuff from crime committed by criminals. To move forward as a profession, Information Security needs to define its terms on a firm foundation that captures human intent.