Trying to specify in technical terms what should be classified as spyware is, of course, futile -- if nothing else, because the technical reality of tomorrow won't match the technical reality of today.

What you can and should do is legislate against criminal *intent*. If the software maker *intends* to clandestinely transmit information from a user's machine, it's spyware. It's really that simple.

Installing to hidden folders, with names mimicing known system processes is intent.
Hiding the fact that the software contains E.T. functionality at the bottom of a EULA in the clear expectation that it will be missed -- that's intent too.
Collecting data behind a user's back when there's no rational reason to do so for the program to operate is likewise intent.

There's no need to get technical, any more than there's a need to technically specify all the different methods a thief or burglar can use to gain your possessions. There *is*, however, a need to specify that the act of clandestine data collection is a crime.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/266/28573#28573