Spyware Hampering Compliance Initiatives

Spyware poses a huge threat—yet a recent survey shows that by their own admission, many enterprises have yet to protect their information with suitable anti-spyware software.

Does spyware pose a threat to enterprise compliance initiatives?

In the wake of multiple data-breach disclosures and additional state laws governing such breaches, many companies are surveying the conduits through which sensitive information can escape the enterprise. All told, 19 states have passed customer-notification laws, modeled after California’s SB 1386, and 21 other states are still considering such measures. The most recent law went into effect this week in New York and protects such information as Social Security numbers, driver’s license and bank account numbers, and non-driver ID card numbers. The fine for non-compliance is up to $10 per instance of failed notification.

Spyware can record keystrokes and upload information to an attacker, making it a potent data-breach threat. Indeed, “increasing concern about spyware is at the root of these laws and regulations,” notes a recent report from Webroot, which develops anti-spyware software. “Failure to take spyware seriously may expose an enterprise to substantial risks, including prosecution by the Federal Trade Commission (FTC) or non-compliance with HIPAA or [the] Gramm-Leach-Bliley Act.”

Likewise, in July the FDIC issued a letter to financial institutions, “Best Practices on Spyware Prevention and Detection,” which recommended they implement better spyware defenses to limit any risk of customers’ sensitive information being stolen.

Given such risks, Webroot polled security professionals to gauge their approach to spyware. Overwhelmingly (98 percent), security professionals see spyware as a threat to the enterprise. In addition, “more than 80 percent said the worst kinds of spyware—keyloggers, system monitors, and Trojan horses—that can access confidential records represent an immediate threat,” notes Webroot. Furthermore, 97 percent worry spyware could access confidential employee data or intellectual property. Yet “despite these figures, many corporations surveyed have yet to protect their information with suitable anti-spyware software.”

Spyware Battle Heats Up

While companies weigh the compliance ramifications of (and their response to) spyware, the battle over what is or isn’t spyware—and what to do about it—is heating up. For example, take 180search Assistant, EliteBar, and ISTbar. These three tools made the most recent Webroot list of the top 10 spyware and adware threats, and they also factor in recent lawsuits or enforcement actions.

In November, the FTC shut down the “spyware ring” that ran EliteBar—also known as Search Miracle, Miracle Search, EM Toolbar, and Elite Toolbar—and froze the assets of its creator and distributor, Enternet Media.

The FTC is also investigating ISTbar after the Center for Democracy & Technology (CDT) filed a complaint asking the agency to investigate Integrated Search Technologies, which develops and distributes the technology.

“EliteBar and ISTbar are two particularly deceptive pieces of spyware that have been unfairly profiting off of consumers and enterprises for way too long,” notes Richard Stiennon, vice president of threat research at Webroot Software. “We have become increasingly incensed by the deceptive business practices of EliteBar and ISTbar since we first added them to our ‘top threats’ list, so we are extremely pleased to see the FTC and other government groups taking action against such companies.”

Don’t expect adware and spyware software developers to go down without a fight. For example, 180solutions, which develops the 180search Assistant, recently filed a lawsuit against Zone Labs (owned by Check Point Software Technologies) for labeling its software as spyware.

Meanwhile, in September, 180solutions was itself the target of a class action lawsuit on behalf of the residents of the United States and the state of Illinois. The lawsuit alleges 180solutions, in effect, lied to consumers about whether it was distributing spyware.

Both cases are still pending.

Related Articles:

Q&A: How Spyware Escapes Definition
http://esj.com/Security/article.aspx?EditorialsID=1497

Is Too Much Anti-Spyware a Bad Thing?
http://www.esj.com/Security/article.aspx?EditorialsID=1460

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
