Policy Post 13.2: Anti-Spyware Coalition Reaches Important Milestone
http://www.cdt.org/publications/policyposts/2007/02
A Briefing On Public Policy Issues Affecting Civil Liberties Online
from The Center For Democracy and Technology
(1) Anti-Spyware Coalition Reaches Important Milestone
(2) Best Practices Document Builds on Previous ASC Work
(3) Conflict Resolution Process A First For Anti-Spyware Industry
_________________________________________________________
(1) Anti-Spyware Coalition Reaches Important Milestone
Last month, the Anti-Spyware Coalition (ASC) unveiled a comprehensive
set of "best practices" for identifying potentially unwanted
technology. Based on more than a year of consultations and building
on all of the coalition's previous work, the Best Practices document
provides the clearest description yet of how anti-spyware companies
determine whether software may be "unwanted." In a related
development, the ASC also issued its Conflict Identification and
Resolution Process, which for the first time offers a uniform, fair
method for resolving software disputes between anti-spyware vendors.
Issuing best practices has been a top priority of the ASC since it was
founded in 2005 with the mission of educating users, establishing a
community for anti-spyware advocates and collaborating to improve the
usefulness of anti-spyware technologies. Coordinated by the Center for
Democracy & Technology, the ASC comprises academics, public interest
advocates and companies active in the anti-spyware space. Its diverse
membership is united by a common goal of making the Internet safer by
educating users and improving the tools available to fight spyware.
Members of the coalition see the best practices a vital tool -- not
only for anti-spyware vendors to use in honing the detection process
-- but also to help software developers avoid publishing products
likely to be unwanted by consumers.
"Best Practices: Factors for Use in the Evaluation of Potentially
Unwanted Technologies" details the process by which anti-spyware
companies review software applications identifying behaviors which
raise red flags as well as behaviors that help to mitigate concerns by
providing real value to users. It relies heavily on the ASC's own
spyware "definitions" document and its Risk-Modeling Description,
which helped to establish a common understanding of spyware and how it
is classified.
The "Conflict Identification and Resolution Process" highlights
possible ways in which anti-spyware tools may conflict with one
another and offers clear steps to resolve those conflicts. In addition
to allowing for better, more structured interactions between
developers, the resolution process will also provide a level of
transparency to consumers who may be affected by such conflicts.
As is the case with all ASC materials, both the Best Practices and the
Conflict Identification and Resolution Process are intended to be
living documents that evolve with the rapidly changing software
environment. ASC is currently holding an open comment period on both
documents.
ASC Documents
http://www.antispywarecoalition.org/documents/index.htm
ASC Comment Form
http://www.antispywarecoalition.org/comments/index.htm
_________________________________________________________
(2) Best Practices Document Builds on Previous ASC Work
The work of the ASC has been methodical, with each document laying the
groundwork for ensuing reports that further define and categorize
technologies and the characteristics that may cause them to be
"unwanted." The best practices document is the product of more than a
year and a half of consultations and is built on the foundation
established by all of the ASC's previous public reports.
In October 2005, the ASC released its Working Report -- Definitions
and Supporting Documents, which defined the term "Spyware (and Other
Potentially Unwanted Technologies)." One of the key tenets underlying
that definition was that it was ultimately up to the user to determine
whether a technology's behavior is wanted or unwanted. A piece of
technology that exhibits behaviors unwanted by users in one context
may offer enough benefits that it becomes wanted by the same users in
another, particularly if the technology in question is offered with
proper notice, consent, and user control. The report documented types
of underlying technologies and short descriptions of reasons why a
certain implementation of an underlying technology may be wanted and
why a different implementation of the same underlying technology may
be unwanted.
In January 2006, the ASC broadened the explanation of what makes
certain technology implementations potentially unwanted with its Risk
Modeling Description, which detailed the criteria by which
anti-spyware companies classify Spyware and other Potentially Unwanted
Technologies. These criteria include both risk factors - those that
increase the potential concern about a technology - and consent
factors, basic notice, consent, and user control - that mitigate the
risks.
While the documents offer a transparent picture of how anti-spyware
vendors and researchers consider negative and positive behaviors, the
membership of the ASC felt that it was important to move past the
current behaviors and to help create a better marketplace. To this
end, the ASC drafted its latest Working Report -- Best Practices:
Factors for Use in the Evaluation of Potentially Unwanted Technologies
to highlight the sorts of technological behaviors that limit the
negative impact of potentially unwanted technologies. This Working
Report is designed for use by anti-spyware vendors, but contains
important insights for many software publishers as well.
The goal of the best practices document is to further explain the
"consent factors" described in the Anti-Spyware Coalition's Risk Model
Report. Consent factors, as defined by the ASC are characteristics
that may help to mitigate the "potentially unwanted" characteristics
of certain software applications. They include providing real value to
users; offering clear notice; granting appropriate consent and
control; insuring security; and offering consumer's appropriate
avenues for redress.
ASC Working Report: Best Practices
http://www.antispywarecoalition.org/documents/BestPractices.htm
_________________________________________________________
(3) Conflict Resolution Process A First For Anti-Spyware Industry
The very nature of anti-spyware tools makes occasional conflicts
inevitable. The ASC created the Conflict Identification and Resolution
Process to establish guidelines for resolving those conflicts in a
fair and orderly manner.
In the early days of the antivirus industry, technical conflicts
resulting from the installation of two or more antivirus products on
the same computer were not uncommon. Typically, such conflicts were
easily identified and resolved in a collegial manner, with little, if
any, formalized process.
As technology has evolved to include more real-time detection
technologies and complex, system-wide removal routines, resolution of
some of these issues has become more complicated. Conflicts can now
involve two programs attempting to use one resource, or attempting to
perform identical functions. In such cases, the widely accepted best
practice has been for products to alert users when technical conflicts
arise, allowing users to decide whether or not to proceed with
installations that could render existing programs unusable, or that
could result in a newly installed product not functioning as expected.
Absent any standard procedure for resolving disputes, many of these
increasingly complex conflicts have simply gone unresolved. Although
there are several industry mailing lists that allow vendor
representatives to raise issues regarding conflicts, technical
constraints made it impossible for some conflicts to be resolved. In
cases where agreement cannot be reached the parties involved in
conflicts have had to simply agree to disagree, to the detriment of
users.
The conflict resolution document offers voluntary guidelines for
companies for resolving these sorts of disputes in the Anti-Spyware
industry. The guidelines propose three main elements: the sharing of
software versions so as to reduce or minimize conflicts, the provision
of accurate information about conflicts to consumers, and the prompt
response and cooperation between vendors to seek to resolve conflicts.
Although aimed at addressing conflicts among members of the
Anti-Spyware Coalition (ASC), these guidelines can be used to address
conflicts between any two anti-spyware vendors.
ASC Working Report: Conflict Resolution
http://www.antispywarecoalition.org/documents/ConflictsResolution.htm
_______________________________________________
Detailed information about online civil liberties issues may be
found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to
http://www.cdt.org/publications/policyposts/2007/02
Excerpts may be re-posted with prior permission of dmcguire@cdt.org
Policy Post 13.2 Copyright 2007 Center for Democracy and Technology
_______________________________________________