Nicholas Stark has spent the past two years fighting "spyware": programs surreptitiously bundled together with popular software downloads for the purpose of delivering advertisements or tracking personal information. His Swedish company, Lavasoft, produces a product called Ad-Aware that searches a computer for hidden spyware, and then asks users if they'd like the program removed.
Spyware is a fast-moving business with new entries arriving by the day. Lavasoft, in collaboration with volunteers all over the world, must constantly update Ad-Aware to take into account clever new technological tricks. But even Stark was caught by surprise at the most recent development: A company in the Slovak Republic called RadLight, which makes a free multimedia player, turned the tables on Lavasoft. In addition to the normal run of spyware that comes with a RadLight download, there was an additional program specifically aimed at removing Ad-Aware.
Hard numbers on how many people might have been affected by this game of spyware vs. anti-spyware are difficult to come by. More than 1 million people have downloaded Ad-Aware, according to Stark, and at least 720,000 people have downloaded RadLight from Download.com since the program first appeared in February, but the extent of the overlap is unknown.
RadLight's counterattack is a classic example of the kind of technological leapfrog always going on in the world of software. But it is also yet another indication of how fraught with complications the search for a business model in the world of free software has become. Parasite programs like spyware are a major income source for the manufacturers of popular free downloads like KaZaA or RadLight. Anti-spyware programs like Ad-Aware aim to cut that revenue source off at the knees.
Does that give RadLight the unilateral right to uninstall programs without directly informing the user? The only notification to RadLight users that Ad-Aware was forbidden came buried in the license statement that most users click through without reading, which stated: "You are not allowed to use any third party program (e.g. Ad-Aware) to uninstall applications bundled with RadLight."
RadLight did not respond to press inquiries. But an individual calling himself "RadScorpion" and claiming to be RadLight's creator posted a message on Lavasoft's message boards Wednesday, stating that the Ad-Aware remover was a fair attempt to make Lavasoft take a taste of its own medicine:
"As I believe that some of the "spyware" are just regular legal programs I really feel for their authors to see how their program is being uninstalled," RadScorpion wrote. "I WANTED ADAWARE TO SEE IT TOO and to revalue their pose to their 'enemies.'"
Salon interviewed Stark via e-mail on the subject of the ever-escalating war between spyware and anti-spyware.
What was your reaction upon discovering that RadLight was targeting Ad-Aware for removal?
Primarily we saw it as a disservice to the users of RadLight, and not against us. Their software silently removed ours without any warning or notice in their license agreement.
At some point, though, a license agreement became part of the download ...
The changes in their license agreement were done after massive protests. The author refused to inform users in the first place.
What about those who downloaded the program after the license appeared? Most people probably didn't realize that they were also downloading anti-Ad-Aware spyware, but isn't it their responsibility to read the license? If they don't agree to the terms, shouldn't they just not download the program?
As for the license agreement, when this was first discovered, the user wasn't presented with the terms of the "contract" until the software had already been installed. So regardless of whether the user actually read the licensing terms, he or she didn't know the terms they were actually agreeing to before they downloaded the software.
Do you think that a license -- in which a user clicks "yes, I agree" at the end -- gives users enough of a warning?
This would involve a drastic change in how software companies relate to their end users. Just imagine the loss of control one would have over [one's] private computers. Or even how this could affect corporate users who would then have no choice about what product solutions they were able to implement. We find the very idea unacceptable and quite impossible to implement.
What do you and Lavasoft plan to do about RadLight's new software?
We have been discussing the possibility of this tactic for quite some time now. What they in effect did was to change their end users software environment without warning. So when our worst case scenario was actually presented to us, we were already prepared. We quickly released a fix for this exploit. As we now consider RadLight's previous offerings to be malicious, we will continue to monitor their subsequent releases for this type of activity.
The battle with RadLight is really just one of many battles that you've waged against spyware. How did you get started in this business? When did you write the code for Ad-Aware and why?
Ad-Aware actually began with a simple Aureate removal tool [Aureate produced one of the first versions of so-called spyware in 2000]. As users became comfortable with it, and confident of its effectiveness, they began to ask for the detection and removal of an ever-increasing number of identified components. Ad-Aware has quite simply been a work in progress as each new reference file and upgrade has been in response to our users' needs. With help from dedicated volunteers, we have even been proactive, identifying components before they were asked for by our users. We don't see an end to our development efforts as there are literally several new advertising schemes being developed every month in response to our product's effectiveness.
How do you make money? Ad-Aware is also free, so what's your business model?
We do offer an enhanced version of Ad-Aware called Ad-Aware Plus, [which costs $15]. But money is not the primary goal and has never been; it's mainly used to pay the server and bandwidth costs. We all have "regular" jobs or are students, and do this in our spare time (although it uses up a lot).
How has the battle developed? Before RadLight, were there other forms of spyware that tried to defeat Ad-Aware? And if so, how did you handle those situations?
For the most part, the developers of these applications have done their best to hide from Ad-Aware. It has been a game of cat and mouse from the beginning. RadLight was the first case of an attempt to defeat our software through removal. This was a scenario we have discussed for a long time, but had felt that the developers would not use it due to the dubious legalities involved. In fact it could be seen as illegal. So we prepared for it, but didn't implement it as we saw it being a remote possibility. Now that RadLight has let the genie out of the bottle, we expect others to attempt this as well. So we will aggressively monitor for this activity and if it is discovered, will quickly counter it and then expose the offending party publicly.
Do you have any plans to sue?
The developers of RadLight have learned a difficult and painful lesson. The public in general, and the privacy and security communities specifically, have shown their company that they are neither blind to, nor tolerant of malicious code distributed by any official software vendor. The outcry was immediate and quite deafening, causing them to reevaluate their tactics. At present, we don't see a need for legal action.
Is there any kind of spyware that you find acceptable? Are those that let people opt in, for example, allowable? Or what about ad software that doesn't collect personal information but just serves extra ads?
It isn't a matter of what Lavasoft will or will not approve of. If our users find the activity unacceptable, then we will meet their needs. In the end, it is the public that will decide what is appropriate. So to this end we have implemented features that will allow the user to choose their own level of comfort. They have the choice to exclude and/or ignore any component targeted by Ad-Aware at their discretion. And when removing the components found, we have supplied them with a backup feature that will restore anything removed by Ad-Aware should they choose to.
But if your program works correctly, it removes the revenue stream for companies that offer their software for free. Some have argued that spyware is a great way to encourage development of new and interesting software because it gives creators a way to distribute their programs to a large crowd while getting compensated for their efforts.
The argument is really irrelevant. If a developer chooses this business model, then that is their right. But in this, the end user also has a right to choose what is or is not installed on their systems. Many of these bundled "ad systems" are poorly written and try to dig themselves so deeply in a user's computer that they are close to impossible for the average user and extremely difficult for the advanced user to find and remove. So to this end, Ad-Aware is needed to ensure that the user always has the choice.
Do you have an alternative plan for developers who want to earn money from their code?
A specific plan? No. However we do have some pertinent advice. Lavasoft began as nothing more than a dream. With hard work and a specific plan for the future, we have been able to achieve the success we now enjoy. We feel that the ad-sponsored model is nothing more than a quick fix. What we would say is that developers need to find a community willing to support their efforts and help them to grow in their art and to learn from experience.
The fight seems to keep changing; whoever writes the last batch of code has an advantage. How do you plan to keep up against so many opponents -- especially in cases when your competition has more money?
Money is an important issue, but not as important as your question would imply. True, we will be busy, and this will only get worse as time goes on. But what your question fails to acknowledge is the character of the people involved. Our core of support has always been dedicated volunteers that take over support functions, do research and beta test so that we can continue the development work. Our users are our strength.