July 6, 2005

Spyware

Part 1. Introduction

Consumers are receiving a crash course on security.

Over the past few years, many internet users have received a crash course about online security issues. Some have learned the hard way about how to deal with an invading virus or why they might want to monitor a family member’s computer file-downloading habits. Once-obscure terms like “cookies” and “firewall” have become more commonplace. Complaints pour into technology companies’ help lines about consumers’ Web browsers being “hijacked” so that they are forced to visit certain sites. Millions of computers are becoming overwhelmed with unwanted software programs that slow performance. Many individuals have had the experience of getting alarmist pop-up ads on their computers that warn about the dangers of viruses and tout the virtues of programs that they should purchase in order to keep computer scourges at bay. Public officials have responded by introducing legislation and suing companies which allegedly exploit consumer ignorance about surveillance and online tracking mechanisms.1

Concurrently, businesses have developed “contextual” and “online behavior” marketing techniques that respond to consumers’ interest in personally relevant advertising and product suggestions.2 Internet users may be more familiar with the outcome of such techniques, such as product suggestions based on past purchases or searches, than with the technical details of how those suggestions are formulated. But tools for tracking user behavior are ubiquitous online. “Adware” or software that is downloaded to a consumer’s computer, does exactly this and is often bundled with free software such as a screensaver or file-sharing program, so the recipient may be unaware of its installation on his computer. This software is then used to communicate that person’s interests to a network of advertisers. For instance, when users install the free version of “ScreenScenes” screensavers, they also install the GAIN AdServer software that comes along with it and begin seeing ads on their computer screens that are labeled as part of the GAIN network of advertisers.3

The definitions of “spyware” and “adware” are in some dispute. Indeed, one of the core problems lawmakers are encountering as they ponder new legislation is how to define those terms – and thus determine which kinds of companies should be covered by new laws. Both types of software are associated to some degree with tracking internet users’ online activities, which automatically raises concerns for many people. Still, the differences between adware and spyware are important.

Although significantly simplified, the following are definitions we used for the purpose of providing context for this report. For more in-depth information, please go to the Federal Trade Commission’s information page on e-commerce and the internet.4

Spyware is software that is placed secretly on a computer in order to track a user’s behavior and report back to a central source. Spyware’s reputation is like that of a peeping tom or, at worst, a thief. It is almost universally derided and despised. It seems that no user wants to have spyware on her computer and few companies want to be associated with it.

Adware, on the other hand, is software that comes bundled as a package with programs that consumers download. In some cases, internet users check off on a “user agreement” before the download begins, though our survey shows that in many cases people are not paying much attention to those agreements (see discussion on page 6). In any event, the adware is installed during the download, much the way a “friend of a friend” might tag along to a barbecue. While an extra guest at a party may end up being welcomed, he might also end up being an unwanted pest.

Either way, adware is used to serve up targeted advertising based on the user’s online behavior, much like a personal assistant who accompanies you in your online travels, making suggestions about what you might like or where you might find a bargain elsewhere. Hundreds of companies are involved in the adware business, either as advertisers or as purveyors of the software.

The Pew Internet & American Life Project set out to measure the impact of the recent wave of online activity related to adware and spyware. We wanted to know: Do average internet users understand the basic concepts? How many are dealing with the problems commonly associated with unwanted software programs? And are they taking steps to prevent software intrusions? Survey questions were developed in consultation with consumer advocates, adware company executives, and security experts.5 Interviews with 1,336 internet users were conducted May 4 – June 7, 2005.

This survey finds that the threat of unwanted software programs is making people more cautious online. Most internet users think symptoms of spyware are serious problems rather than simply minor annoyances. Millions of internet users have first-hand experience with computer problems related to software intrusions and while many express confidence and knowledge of the issues, most think more should be done to guard against spyware and to notify people about adware.  

  1. See: Internet Spyware (I-SPY) Prevention Act of 2005 http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.00744:; SPY BLOCK Act http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.02145:; New York v. Intermix Media, Inc. http://www.oag.state.ny.us/press/2005/apr/apr28a_05.html; FTC v. Seismic Entertainment Productions, Inc. http://www.ftc.gov/opa/2004/10/spyware.htm.
  2. A 2004 Ponemon Institute survey found that 66% of consumers said they would welcome personalized banner ads, but do not want Web sites to collect personally identifiable information. (See http://www.mediapost.com/PrintFriend.cfm?articleId=268191)
  3. See www.screenscenes.com
  4. See http://www.ftc.gov/bcp/menu-internet.htm
  5. See Acknowledgments for a full list of consultants.