Malware


Law & Malware 08 Jun 2005 05:19 pm

Three cheers for Symantec! As I reported recently, malware companies have been on the offensive against anti-malware companies, trying to threaten, cajole, and sweet-talk anti-malware companies into not labeling their wretched products as “adware” and “spyware.”

According to News.com, after months of going ’round and ’round with adware maker Hotbar (whose insidious and unwanted “toolbar” I have removed from more than a few friends’ computers), Symantec finally tired of Hotbar’s bellicose bloviations and filed a lawsuit seeking the right to label Hotbar’s adware as, well, adware.

“We have been talking with (Hotbar) for the last several months, and over the course of that time, they have threatened to sue us on a regular basis,” [Symantec spokesman Cris] Paden said. … Symantec said it is not asking for money, but is seeking an affirmation that Hotbar products are indeed adware and can be treated as security risks. “We are simply asking for the judge to say that we are within our rights to detect Hotbar,” Paden said. The company would then be able to help customers remove the toolbars from their PCs.

The News.com article goes on to discuss several other anti-spyware companies who are also being threatened by the Hotbar hotheads. Meanwhile, Hotbar is apparently unlawfully representing itself as a licensee of the TRUSTe privacy program. When you click on the TRUSTe logo, it says:

www.hotbar.com IS NOT A VALID TRUSTe MEMBER WEB SITE

The unauthorized display of the TRUSTe trustmark is unlawful and violates a TRUSTe trademark. If you clicked on the TRUSTe trustmark or Click to Verify seal to get to this page, the site you are visiting does not have permission to display the seal.

I applaud Symantec for standing up to the petulant twits at Hotbar, and more importantly, for seeking a legal precedent that would potentially establish a legal right to call a spade a spade. Hopefully Symantec’s discovery of a backbone will inspire McAfee and other anti-malware companies to stand up to the malware industry’s Jedi Mind Tricks.

Meanwhile, the message to Hotbar is simple. When you’re in the malware business, you have to expect that when you depend on bullying tactics, one day you’re going to bully somebody bigger than you, and get yourself smacked right back. In my opinion, Hotbar should shut up and take their lumps like a grown-up. Like their cousins in the spam industry, the malware companies need to accept that there are more people gunning for them than there are ethically-challenged marketers to keep hiring them. The tide is shifting, and this market isn’t going to be a hospitable place to peddle that ‘ware for much longer.

Unless you’re prepared to set up shop in China or some other nation where enough money will buy you a secure homebase for businesses built on shaky moral grounds, it’s time for malware vendors to accept that the golden age of malware may be drawing to a close. Certainly we’re not there yet, but as Spyware Warrior notes, vast numbers of people are trying to get rid of malware. If it hasn’t already, the uninstall rate will eventually surpass the install rate of malware, despite the increasingly desperate techniques some malware companies are using.

Sorry Hotbar! You had a good run. But as Symantec knows, there’s more profit to be had in erasing your products than playing word games to protect them.

Malware & Politics 24 May 2005 11:34 pm

On Monday, the U.S. House of Representatives passed two separate pieces of “spyware” legislation, only one of which actually promises to do anything to help consumers terrorized by unwanted spyware and adware.

[Author's Note: From this point forward, I'm going to try and use the term "malware" to collectively describe the follies, felonies, and frauds that constitute much of the behavior of the spyware and adware industries. If you want to know more about why I'm using the term malware, please read my explanation.]

As reported by CNet News.com’s ace DC bureau chief Declan McCullagh (who is apparently moving out here to SF soon; congrats Declan! and yay for us who enjoy his company!), the two bills take a very different tack, and together amount to exactly 200% more spyware legislation than the U.S. Senate managed to approve last year!

The first bill, H.R. 29, sponsored by Rep. Mary Bono (R-Ca.), identifies many of the most annoying and damaging features of “spyware,” “adware,” and anything else that falls into the semantic morass in between. It also focuses on issues of end-user notice and consent, two areas where most adware and spyware have chronic deficiencies. This bill would also empower the Federal Trade Commission to continue looking into malware issues, and require them to create regulations to guide future enforcement.

The second bill, H.R. 744, sponsored by Rep. Bob Goodlatte (R-Va.) and Rep. Zoe Lofgren (D-Ca.), is a far narrower bill, focused primarily on only that software used to steal personal information for the purpose of committing fraud or to intentionally crash someone’s computer. As such, the bill would offer virtually no protection for those consumers who are besieged by software whose intention may not be, but whose actual consequences are, crashed computers and frustrated end-users.

I’m still digesting the final version of the Bono bill and trying to determine what actual effect it might have on protecting end-users from the excesses of the adware and spyware industries. But my initial reading of the Goodlatte-Lofgren bill is that to the extent it prohibits unauthorized access to private data, it offers consumers nothing in the way of new protections over existing law. However, the language does a masterful job of completely avoiding any impact on some of the worst players in the malware business… many of whom I’ve written about extensively in this blog.

Why does the Goodlatte-Lofgren bill completely miss the boat?

First, the bill focuses on anyone who, “intentionally obtains… personal information with the intent to defraud or injure… or cause damage to a protected computer…” Of course, the makers of most spyware and adware don’t “intentionally” crash people’s computers, even though their software routinely does it. Indeed, according to Microsoft’s anti-malware team leader, Jason Garms:

“The primary problem that users have with spyware is that their systems crash or are really slow or don’t behave in the way they expect them to,” Garms said. “We try to figure out how many of the crashes that are reported to us are actually attributable to spyware, and it turns out that at least one-third of those machines had spyware installed on them, so it is a big problem.”

Second, the Goodlatte-Lofgren bill focuses on “intentional” gathering of personal information for purposes of committing fraud (which is already illegal). Most malware companies are proud that they only gather “aggregated” or “anonymous” data while their software is monitoring your Internet activities. They don’t need your Social Security number to cause an annoying pop-up ad; they don’t need your mother’s maiden name to hijack your default search engine. Thus, by limiting the reach of penalties to only those bad guys who are already committing fraud, they have created a loophole through which you can drive the entire malware industry.

So, pound for pound, I think the Bono bill is looking like a better piece of legislation. It doesn’t buy into the adware companies’ word-games and instead focuses on the actual harm visited upon consumers. The Bono bill reads like a laundry list of the annoying, frustrating, and intentionally harmful things that I have personally witnessed while trying to exorcise the demon-spawn of companies like Claria, WhenU, CoolSavings, QooLogic, 180 Solutions, and others, from the computers of my friends and family.

Meanwhile, the semantic battle over “adware” vs. “spyware” has Microsoft seeking protection from the frivolous, harassing lawsuits that have become the stock-in-trade of many of the most notorious malware companies. It seems that whenever malware companies perceive a threat, they try to kill the messenger. CNet pointed out a few of those incidents, such as Claria’s lawsuit against PC Pitstop, New.net’s suit against the maker of Ad-Aware, and threats against the tireless anti-spyware advocate Ben Edelman.

Malware & Privacy 24 May 2005 12:06 am

In today’s DMNews, everybody’s favorite television background noise, the Weather Channel (weather.com), announced that it was partnering with adware company CoolSavings to infest the Desktop Weather 4.0 application with offers to “opt in for samples, trial offers, travel brochures and free newsletters from CoolSavings.”

It’s not clear from the marketing-speak what, exactly, the Desktop Weather application will have in it. For example, it may simply be offering links to opt-in emails. But given the history of CoolSavings as purveyors of unwanted adware, I’m not hopeful.

The real news, however, is that many more companies, including some names you should know, are getting into bed with adware companies like CoolSavings. According to DMNews:

The company signed similar arrangements with RealNetworks, for people who download RealPlayer, and with Netscape, for those who download its Netscape Browser, as part of seven distribution agreements it will announce this year.

As I’ve noted previously, the real and growing scandal in the adware and spyware world is not that these companies are becoming more brazen in their activities. The scandal is the disconcerting number of otherwise upstanding, mainstream companies who are getting in bed with some of the most notorious names in the field.

So what’s one to do if you want your local weather information displayed on your computer desktop, but don’t want to risk unwanted adware or spyware? Do what I do: use the Weather Widget, which is included in the free download of Konfabulator.

Konfabulator is a free desktop utility that allows you to plug in a wide variety of “widgets” (yes, that’s what they call ‘em) that are created and distributed freely by dozens of dedicated developers the world over. downloads, as easy to install as moving the “.widget” file to your “My Widgets” directory, and let you put lots of useful things right on your desktop. And the “widget” philosophy is one of simple function, simple configuration, and clean and beautiful design.

They have just launched a new version called Konfabulator:2, which is a pay version. But as far as I know you can still use the regular old free version. (Please correct me if I’m wrong…)

I think I’m going to pay for the upgraded version because, a) it’s always the right thing to do to pay for software that you actually use, and b) you have to reward people for making cool stuff… otherwise they might go find other work doing things that you can’t afford! Meanwhile, from what I can tell, the Konfabulator Weather Widget appears to draw its weather data from the same data feeds at Weather.com, and does so without risking installing strange and unwanted adware on your machine.

So give it a try!

Malware & Privacy 16 May 2005 06:06 pm

Check out my May column for eSecurityPlanet.com, part of the Jupiter Media family of news sites. This column is a revision and update to a recent blog posting right here on PrivacyClue.com! Yes, yes, my content recycling continues. But trust me, it’s even better the second time around! ;)

Also, I’m on The David Lawrence Show tonight, instead of the usual Tuesday night. Listen live via the web, or download the audio afterwards for only a measly quarter.

Malware & News & Culture & Privacy 26 Apr 2005 11:36 pm

On tonight’s David Lawrence Show, we talked Claria, Google, and sundry other things. The full hour in crystal clear MP3 audio, available for download for only 25¢. (Cheap at twice the price!)

Malware & Privacy & Sillycon Valley Biz 25 Apr 2005 10:15 pm

Leading adware manufacturer Claria (formerly known as Gator) announced today that computer security software maker McAfee has rescinded its January 2005 declaration that Claria’s GAIN adware/spyware was a “malicious threat.”

In yet another triumph of semantics over substance, McAfee appears to have succumbed to Claria’s Jedi Mind Trick, wherein company representatives get their targets to repeat the language of Claria’s privacy policies, hoping they fail to notice the surreptitious installation of software under people’s noses.

The reason why McAfee listed Claria’s GAIN software as malicious is no mystery: almost no one ever asks to have Claria’s software installed on their computer, yet it somehow finds its way on there, without the user’s explicit knowledge or consent, generating unwanted pop-up ads, hogging memory, and generally making the day-to-day lives of its hapless victims more miserable.

Claria insists that the installation of its software is clearly disclosed, and that people are always fully aware when, and why, the software is being installed. Claria’s representatives and PR flacks will dutifully point to page four, sub-section 27(a), of the End User License Agreement — those long screens of gobbledygook that nobody reads when they install software — in which the presence and functions of the GAIN software are generally disclosed.

Never mind, of course, the extensive evidence that thousands (maybe even millions) of consumers haven’t asked for Claria’s software to be installed on their computers. Never mind the evidence of malicious “drive-by” downloading by Claria’s paid “affiliates.” And never mind the fact that, for many hapless users, Claria’s software remains difficult to detect, identify, and remove.

So why did McAfee change its position? It could be that Claria threatened another lawsuit, such as the one it launched to censor PC Pitstop’s criticisms. Indeed, litigation is not new for Claria.

Some readers may be familiar with my work as an expert witness against Claria in a collection of nearly a dozen lawsuits that were consolidated into one massive multidistrict case. Claria managed to buy its way out of most of those suits, leaving unresolved the fundamental issues raised in the cases. Unfortunately, much of my work in that case is still covered by a court-imposed protective order, so I can’t write about all the juicy details I learned during that case. Suffice to say, I was not surprised that Claria went to great lengths to make those suits go away quietly.

But Claria has taken a recent turn away from litigation that suggests a new-found preference for pumping sweetness and light, instead of the usual brimstone and bullshit. Beginning with the hiring of my old acquaintance Reed Freeman as Chief Privacy Officer in April of 2004, Claria has continued to wage a masterful campaign to rehabilitate its reputation.

That reputation, which had been qualitatively equivalent to the foul-smelling muck in which its former swamp-dwelling namesake preferred to remain submerged, could only have improved. Thus, through the deft usage of political connections, and the liberal use of cold, hard cash, Claria is on its way to being even more highly regarded than MCI (nee Worldcom), Altria (nee Philip Morris), and even Mary Mallon (you’re on your own for that one… ;-) ).

As a measure of success, Reed Freeman was recently appointed to the U.S. Department of Homeland Security’s privacy advisory board. Claria also continues to get mileage out of its recent appointment of a self-styled “dream team” of “privacy, security, public policy and consumer protection law experts” to assist its PR white-washing efforts.

Claria’s not the only company buying a squeegee to scrape the crap off its reputation. Others in the same line of business — namely, the business of causing ads to pop-up on people’s computers whether they’re wanted or not — have followed similar courses and are successfully insinuating themselves into the corporate and public policy mainstream. Just recently, spyware maker 180 Solutions joined as Silver Sponsor of the International Association of Privacy Professionals.

Claria has earned a well-deserved negative perception in the minds of those consumers whose Internet experience has been made more problematic by Claria’s troublesome software. But through obfuscation and glad-handing, they will slowly continue to recast the company’s image. And now McAfee’s software will help, through the cunning usage of namby-pamby language that will make it more difficult for McAfee users to understand the problems that Claria’s pop-up ad software can pose.

But all the PR whitewashing cannot change the underlying facts: Claria’s software remains a scourge for too many unsuspecting users. As I continue to say: there are two kinds of people — those who hate adware and spyware, and those who will. It’s only a matter of time.
