Policy Post 13.2: Anti-Spyware Coalition Reaches Important Milestone
(1) Anti-Spyware Coalition Reaches Important Milestone (2) Best Practices Document Builds on Previous ASC Work (3) Conflict Resolution Process A First For Anti-Spyware Industry _________________________________________________________
(1) Anti-Spyware Coalition Reaches Important Milestone
Last month, the Anti-Spyware Coalition (ASC) unveiled a comprehensive set of "best practices" for identifying potentially unwanted technology. Based on more than a year of consultations and building on all of the coalition's previous work, the Best Practices document provides the clearest description yet of how anti-spyware companies determine whether software may be "unwanted." In a related development, the ASC also issued its Conflict Identification and Resolution Process, which for the first time offers a uniform, fair method for resolving software disputes between anti-spyware vendors.
Issuing best practices has been a top priority of the ASC since it was founded in 2005 with the mission of educating users, establishing a community for anti-spyware advocates and collaborating to improve the usefulness of anti-spyware technologies. Coordinated by the Center for Democracy & Technology, the ASC comprises academics, public interest advocates and companies active in the anti-spyware space. Its diverse membership is united by a common goal of making the Internet safer by educating users and improving the tools available to fight spyware.
Members of the coalition see the best practices a vital tool -- not only for anti-spyware vendors to use in honing the detection process
-- but also to help software developers avoid publishing products likely to be unwanted by consumers.
"Best Practices: Factors for Use in the Evaluation of Potentially Unwanted Technologies" details the process by which anti-spyware companies review software applications identifying behaviors which raise red flags as well as behaviors that help to mitigate concerns by providing real value to users. It relies heavily on the ASC's own spyware "definitions" document and its Risk-Modeling Description, which helped to establish a common understanding of spyware and how it is classified.
The "Conflict Identification and Resolution Process" highlights possible ways in which anti-spyware tools may conflict with one another and offers clear steps to resolve those conflicts. In addition to allowing for better, more structured interactions between developers, the resolution process will also provide a level of transparency to consumers who may be affected by such conflicts.
As is the case with all ASC materials, both the Best Practices and the Conflict Identification and Resolution Process are intended to be living documents that evolve with the rapidly changing software environment. ASC is currently holding an open comment period on both documents.
ASC Documents
(2) Best Practices Document Builds on Previous ASC Work
The work of the ASC has been methodical, with each document laying the groundwork for ensuing reports that further define and categorize technologies and the characteristics that may cause them to be "unwanted." The best practices document is the product of more than a year and a half of consultations and is built on the foundation established by all of the ASC's previous public reports.
In October 2005, the ASC released its Working Report -- Definitions and Supporting Documents, which defined the term "Spyware (and Other Potentially Unwanted Technologies)." One of the key tenets underlying that definition was that it was ultimately up to the user to determine whether a technology's behavior is wanted or unwanted. A piece of technology that exhibits behaviors unwanted by users in one context may offer enough benefits that it becomes wanted by the same users in another, particularly if the technology in question is offered with proper notice, consent, and user control. The report documented types of underlying technologies and short descriptions of reasons why a certain implementation of an underlying technology may be wanted and why a different implementation of the same underlying technology may be unwanted.
In January 2006, the ASC broadened the explanation of what makes certain technology implementations potentially unwanted with its Risk Modeling Description, which detailed the criteria by which anti-spyware companies classify Spyware and other Potentially Unwanted Technologies. These criteria include both risk factors - those that increase the potential concern about a technology - and consent factors, basic notice, consent, and user control - that mitigate the risks.
While the documents offer a transparent picture of how anti-spyware vendors and researchers consider negative and positive behaviors, the membership of the ASC felt that it was important to move past the current behaviors and to help create a better marketplace. To this end, the ASC drafted its latest Working Report -- Best Practices: Factors for Use in the Evaluation of Potentially Unwanted Technologies to highlight the sorts of technological behaviors that limit the negative impact of potentially unwanted technologies. This Working Report is designed for use by anti-spyware vendors, but contains important insights for many software publishers as well.
The goal of the best practices document is to further explain the "consent factors" described in the Anti-Spyware Coalition's Risk Model Report. Consent factors, as defined by the ASC are characteristics that may help to mitigate the "potentially unwanted" characteristics of certain software applications. They include providing real value to users; offering clear notice; granting appropriate consent and control; insuring security; and offering consumer's appropriate avenues for redress.
ASC Working Report: Best Practices
The very nature of anti-spyware tools makes occasional conflicts inevitable. The ASC created the Conflict Identification and Resolution Process to establish guidelines for resolving those conflicts in a fair and orderly manner.
In the early days of the antivirus industry, technical conflicts resulting from the installation of two or more antivirus products on the same computer were not uncommon. Typically, such conflicts were easily identified and resolved in a collegial manner, with little, if any, formalized process.
As technology has evolved to include more real-time detection technologies and complex, system-wide removal routines, resolution of some of these issues has become more complicated. Conflicts can now involve two programs attempting to use one resource, or attempting to perform identical functions. In such cases, the widely accepted best practice has been for products to alert users when technical conflicts arise, allowing users to decide whether or not to proceed with installations that could render existing programs unusable, or that could result in a newly installed product not functioning as expected.
Absent any standard procedure for resolving disputes, many of these increasingly complex conflicts have simply gone unresolved. Although there are several industry mailing lists that allow vendor representatives to raise issues regarding conflicts, technical constraints made it impossible for some conflicts to be resolved. In cases where agreement cannot be reached the parties involved in conflicts have had to simply agree to disagree, to the detriment of users.
The conflict resolution document offers voluntary guidelines for companies for resolving these sorts of disputes in the Anti-Spyware industry. The guidelines propose three main elements: the sharing of software versions so as to reduce or minimize conflicts, the provision of accurate information about conflicts to consumers, and the prompt response and cooperation between vendors to seek to resolve conflicts.
Although aimed at addressing conflicts among members of the Anti-Spyware Coalition (ASC), these guidelines can be used to address conflicts between any two anti-spyware vendors.
ASC Working Report: Conflict Resolution