Overview of Spyware


Spyware is a class of malware that collects information from a computing system without the
data owner’s consent. This data often includes keystrokes, screenshots, authentication
credentials, personal email addresses, web form field data, Internet usage habits, and other
personal information. Often, the data is delivered to online attackers who sell it to others or use it
themselves for financial crimes, identity theft, marketing, or spam.

For a program to qualify as spyware it must collect data without the data owner’s knowledge or
consent and must deliver or make it available in some way to an unauthorized party. Software
installed after the user has viewed and agreed to a clear privacy policy or to an End-User
License Agreement (EULA) that describes the data collection activities does not meet the definition of
spyware described in this paper.

Examples of this kind of legitimate software are applications that track online shopping trends
for delivery to a marketing company so that the user can receive targeted coupons or shopping
suggestions. Some users may be receptive to this kind of service, so depending upon whether the
software’s activity is legally disclosed to the affected users, it may or may not qualify as
spyware. If software fully and clearly states its operations, the decision to accept the terms and
install the software typically constitutes an acceptance of personal responsibility for any software
operations.

Reading and understanding these policies and agreements can be difficult. Agreements can be
intentionally vague, difficult to understand, or so lengthy that users eventually agree from sheer
frustration [Edelman 2005]. In some instances, these practices represent a form of social
engineering because the intent is to persuade the user to agree to terms that they might not agree
to if the agreement were clear. Users need to be educated about this point so that, rather than
defaulting to agreement, they decline terms they don’t understand, no matter
how strong their desire to use a given software application.

Because one of the keys to classifying software as spyware is the lack of knowledge and consent
from the owner of the data collected, multiuser systems or systems in networked environments
make interesting cases for study. In these situations, software that one user agrees to may collect
data on other system users. One user might agree to the terms, but if another user is logged on
and the software collects data on their usage or other activities, it would meet the definition of
spyware.




