A new report out from Pew Internet and American Life Project (available as a PDF) has found that 48 percent of the respondents have stopped visiting certain Web sites, 28 percent have stopped downloading music or video files from shared networks, and 18 percent have started using a browser other than Internet Explorer out of fear of contracting spyware on their PCs. Overall, 91 percent of the 2,001 adults aged 18 and older who responded to the survey said they had made some changes to their surfing habits because of the dangers presented by spyware. But after meeting with several antispyware vendors recently, I'm perhaps more discouraged than ever about the possibility that we'll start to see this epidemic subside anytime soon. Unlike viruses (which, for a variety of reasons, are no longer our top concern), there's too much money to be made in spyware--both in creating it and in selling the software used to prevent it.
Five and a half years ago, I sometimes saw up to two moderate- or high-level computer virus threats a day being reported by the antivirus vendors. Today, large-scale attacks such as the Sasser worm are rare. I think that's due to a number of factors, including better antivirus software, better software in general, better education on the part of the end user, and the lure of money for virus writers to do other nasty things online. There was never any money to be made in virus writing--although new viruses such as Sober exist mostly to spread spam. But there's more money to be made creating spyware.
The trouble is we really don't know that for sure. We're not sure of the size of the threat we're up against. Unlike with viruses, no one has offered the public a complete catalog of spyware threats. And until that happens, we're left with a lot of hype and fear instead of facts and solutions. In short, despite all the antispyware apps being produced these days, we're no closer to eradicating the spyware problem.
The antivirus software model
Within the antivirus research community, there are about two dozen primary antivirus researchers in the world, and they all know each other well. Whenever there's a new virus, the discoverer passes a virus sample along to the others; then it's up to each vendor's research team to design an antivirus signature to stop the virus on machines protected by their software. Should a company decide to hang on to a new virus specimen too long, there's peer pressure and public admonishment from the others not to do that again in the future. And now there are so many different ways to report new viruses (subscribers can report them, and virus writers most often send their latest creations themselves) that if a company keeps a new virus secret, another company will step forward and claim bragging rights as its discoverer, including the right to name the new virus.
This gentleman's agreement has grown out of more than 20 years of cooperative antivirus research. Sharing data on known viruses allows antivirus vendors to improve their respective software and design competing preventive technologies. It also allows for the antivirus vendors to be judged by independent organizations, such as VirusBulletin (free registration required) and Checkvir.com (no registration required). By having a common testing base (called a zoo or a wild list), independent bodies test different antivirus products objectively.
Antispyware is too new?
At present, no such system exists among antispyware vendors, and from what I hear from the players involved, it won't anytime soon. I mentioned the lack of a common spyware database recently to several antispyware vendors, and the response was pretty much the same: Why should we share our list with our competitors? Why, indeed.
Antispyware vendors currently draw upon three types of databases. A community-borne database is drawn from subscribers who report suspected spyware that's in the wild and infecting widely. For example, Microsoft uses Skynet, a public site, for its spyware collection. A proprietary-created database is culled by technologies developed by one company and often includes spyware that exists but isn't infecting too many people. For example, Webroot (makers of SpySweeper) primarily uses its Phileas Technology to crawl all over the Internet and find new examples of spyware. Finally, there are hybrid databases, combining the above two methods.
Safety in numbers
Yet when any one antispyware vendor starts rattling off the number of spyware apps within its given database, I zone out. Truthfully, there are either 5,000 or 30,000 variations of spyware afoot today. Which is it? Companies that try to impress me with the sheer size of their antispyware databases alone often count minute variations as separate signatures in their databases, while other companies simply roll them into a single family of spyware and count the family once.
Surprisingly, efforts to come together and quantify what is and what is not spyware have so far not worked. The Consortium of Anti-Spyware Technology vendors (COAST) was a group founded by PestPatrol (now part of Computer Associates), Webroot (makers of SpySweeper), and Aluria (makers of Spyware Eliminator), but the group ceased to exist a few months ago after vicious in-fighting regarding the very definition of spyware. In its place are new coalitions or working groups, but I think these too are doomed to fail.
Big money for them, little profit for us
As I write this, Microsoft has expressed interest in purchasing Claria (formerly Gator). Not surprisingly, Microsoft Antispyware (beta) just downgraded its recommendation to remove suspected spyware files produced by Claria. Are these files no longer a threat to your personal privacy online? Can Microsoft's conclusion be reproduced by an independent third party? Or does Microsoft have its own interests at heart?
As long as we have no common metric regarding how many serious spyware threats exist, we'll remain in the dark regarding the true nature of the spyware problem. Until antispyware vendors stop worrying about their respective financial outlooks and start learning to share what they know with each other, I'm afraid we're all stuck with even more spyware in the foreseeable future. It's no wonder that people are changing their Web habits. You really do have to look out for yourself these days.
Is the end in sight for spyware, or will we continue to battle this as long as we have the Internet? TalkBack to me.