Sidebar: The Cost of Freeware

News Story by Robert L. Mitchell

MAY 03, 2004 (COMPUTERWORLD) - The spyware problem is unlikely to go away anytime soon, because the bundling of spyware and adware programs is the established revenue model for distributors of free software programs on the Web.

In some cases, users are clearly informed that adware is the price of admission when using a freeware program. In other cases, the information is hidden deep within the license agreement text or not included at all.

For example, the Kazaa Media Desktop, the popular file-sharing program from Sharman Networks Ltd., includes multiple adware programs, such as Cydoor and GAIN Network, which it describes as "mandatory" and "integral" to the free version of its software (an adware-free version is available for $30). According to Sharman's privacy statements, information gathered includes "web surfing behavior" and "other criteria." Sharman's statement also absolves the company of any responsibility for the data practices of its spyware, stating that it "shall not be liable for any losses, damages or injuries arising therefrom."

But other vendors are less forthcoming in disclosing the existence or functions of spyware within their programs. Even when the user is asked to click on an end-user license agreement before installing the program, information on accompanying spyware may be buried at the bottom of a lengthy document. But that's beside the point, IT administrators say, since end users shouldn't be installing any unauthorized and untested software on corporate machines.

"Users are consenting to an end-user license agreement ... that blows a big hole in your security policies," says Pete Simpson, ThreatLab manager at e-mail gateway vendor Clearswift Ltd. Yet regulations such as the Sarbanes-Oxley Act make corporations liable for information that leaves the company.

"At home, you can accept that risk. You're not obligated to keep multimillion-dollar machines operational," says Bernie Donnelly, vice president of quality assurance at the Philadelphia Stock Exchange. His company uses SurfControl, a Web content filter that blocks Web sites that offer spyware-laden freeware and monitors users' Web activity. "We have a code of conduct. We have a list of sites you can't go to. We block as many of those as we can," he says.

Thor Larholm, senior security researcher at network security tool vendor PivX Solutions LLC, says keeping such programs off PCs in the first place is critical. "Spyware in the corporation is all about lack of control. You have applications on user desktops that you have no knowledge of. And you don't know what data they're monitoring," he says.