For the second of its SpyAudit Reports into spyware - a type of software that secretly forwards information about a computer user's on-line activities to another individual or company - EarthLink scanned around 1.5 million PCs, and discovered an average of 27.5 pieces of spyware on each PC.
According to the ISP, spyware typically arrives on a PC bundled with freeware or shareware (but see Editor's Note below), through e-mail or instant message, or is installed by someone with access to a user's computer. Once on a hard drive, spyware begins reporting the next time the user goes on-line. Unlike most software applications, spyware is difficult to detect and can be difficult to remove.
The company defines spyware as a collective term for adware, adware cookies, system monitors and Trojan horses.
Adware is any software application that displays advertising banners while the program is running and then sends data back to a third party without permission. Adware cookies are a mechanism that allows a web site or software to record a user's surfing habits without their knowledge or consent.
System monitors are designed to keep track of a consumer's computer activity and can record virtually everything a user does on-line. Keystroke loggers, a type of system monitor, record a user's every keystroke, possibly exposing the user to risk of information and identity theft.
Trojans are applications that appear as harmless programs, but instead facilitate theft of computer data by permitting hackers to gain unrestricted access to computers while web surfers are on-line.
"Consumers should be aware of the applications and files residing and running on their machines," stated Matt Cobb, EarthLink vice president of core applications. "While certain types of spyware are malicious, other programs can be used to improve their internet experience.
"When internet users discover harmful spyware, they need to immediately immobilise or remove the programs that they don't want on their machines," Cobb added.
As public awareness of the problem grows, so does the pressure on lawmakers to do something about it. A proposed bill, the "Securely Protect Yourself Against Cyber Trespass Act", or SPY ACT, is currently working its way through Congress, and on Thursday was approved by the House Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection.
"Passage of the SPY ACT today represents a cooperative effort to bring commonsense legislation forward to protect consumers from the threat of spyware," said bill sponsor Congresswoman Mary Bono. "We are one step closer to restoring safety, confidence and control to consumers when using their own computers."
According to Bono, the bill protects individuals from unknowingly downloading spyware by requiring that consumers receive a clear and conspicuous notice prior to downloading spyware.
A recent amendment to the bill also includes provisions to prohibit unfair or deceptive behaviour such as keystroke logging, computer hijacking and the display of advertisements that cannot be closed.
The SPY ACT, which is co-sponsored by Congressman Ed Towns, is due to be considered by the full House Energy and Commerce Committee shortly, before going to the floor of the House of Representatives for final passage.
A companion bill was recently introduced in the US Senate by Senators Burns, Wyden, and Boxer and is currently under consideration in the Senate Commerce Committee.
Editor's Note: EarthLink's inclusion of shareware among its example sources of spyware has been criticised by the Association of Shareware Professionals.
The Association comprises over 1,300 independent software developers, marketers and vendors. It explained in an e-mail to OUT-LAW.COM that it has fought for years to disentangle what it calls "the erroneous association of properly obtained software, that happens to be marketed as shareware, with harmful computer code such as viruses and spy ware."
The Association's Ed Pulliam explained:
"In general, software marketed via shareware channels and commercial software is normally virus-free. Indeed, the basis of shareware marketing is TBYB [try-before-you-buy]. Some of the world's largest software companies, such as Symantec and Microsoft, have adopted the try-before-you-buy concept for the distribution of some of their products, even if they do not choose to use the word 'shareware' in their product promotion."
Pulliam argues that those companies that integrate the shareware marketing method in their core business model would no more want to distribute a virus or Trojan than companies distributing by other channels. He concludes:
"The try-before-you-buy nature of software marketed as shareware means that our members work very hard at closing a sale with each user by impressing them with how good the product that they're trying is. Distributing software problems and malware invaders doesn't result in a good relationship with our best potential customers."