'How to detect spyware' guidelines aired

The Anti-Spyware Coalition (ASC) offered up standard guidelines on Thursday for detecting, rating and protecting against unwelcome programs that have plagued internet users in recent years.

The group, composed of software companies and consumer advocates, also finalised its definition of spyware, veering little from the version it proposed in July.

The coalition defines spyware and other potentially unwanted technologies as programs deployed without sufficient user consent or which impair user control over any of the following: privacy, system security and user experience; use of their system resources; or collection, use and distribution of personal information.

Spyware and adware have become widely despised for sneaky distribution tactics, unauthorised data gathering, the eating-up of computer processing power and other annoyances. Although adware makers say there are legitimate uses for their programs, an entire anti-spyware market has been spawned to combat the stuff.

Yet attempts to define spyware and create guidelines are also controversial. Critics fear spyware makers will use the guidelines to avoid getting caught by blocking tools but will find ways to continue bad behaviours.

The ASC acknowledged the concern in one of the documents it published on Thursday. "This is a valid concern that ASC discussed in detail," the group said in a document summarising public comments it had received. "However, it is ASC's contention that the current 'Definitions' has been written with the problem in mind and leaves plenty of room for individual anti-spyware software companies to decide what fits their criteria for detection."

In its proposed spyware detection guidelines, the group said anti-spyware companies should focus on how the programs in question behave and rate them on risk. Among the behaviours the group considers high-risk are programs that replicate themselves via mass emails, worms, viruses and those that install themselves without a user's permission or knowledge, via a security exploit, for example.

Other high-risk programs are those that intercept email or instant messages without user consent, transmit personally identifiable data, or change security settings. Using tracking cookies to collect information or running programs automatically without explicit user consent are considered low risk, according the guidelines.

The ASC is collecting public comment on the document until 27 November and plans to release a final version next year. The group said it expects the guidelines to set the stage for "best practices" for the anti-spyware industry.

Alorie Gilbert writes for CNET News.com