2008-06-01
Abstract
‘The reality is that the distinction between legitimate and malicious software is an ever blurring line.’ Greg Day, McAfee
Copyright © 2008 Virus Bulletin
In April this year I attended the Council of Europe’s (CoE) cooperation against cybercrime conference in Strasbourg (http://www.coe.int/cybercrime). The goals of the event were to review the effectiveness of the existing Convention on Cybercrime (which has so far been signed by 44 countries and ratified by 22 of them) and to prepare proposals for improving it. A total of 65 countries were represented, the majority of attendees coming from legal, law enforcement or government backgrounds. The CoE does outstanding work in attempting to harmonize the laws relating to cybercrime and so reduce the number of countries in which cybercriminals can hide.
One aspect that remains a very significant challenge is the capture of evidence. During the conference specific focus was given to encouraging Internet Service Providers (ISPs) to work more closely with law enforcement agencies and to provide the necessary support. Within the UK, however, ISPs have also been feeling pressure from government to monitor and control copyrighted content downloaded through means such as P2P file sharing. Under the Regulation of Investigatory Powers Act (RIPA), ISPs can only inspect the content of data packets when acting under lawful authority, so it would seem that in the UK any greater involvement of ISPs in monitoring Internet use is untenable without further changes to the law (http://www.guardian.co.uk/technology/2008/feb/22/filesharing).
Complicating the matter still further for ISPs are the ‘value-add’ services such as behavioural advertising (e.g. NebuAd, Adzilla and FrontPorch) that businesses are looking to offer to increase their revenue. The result is a set of conflicting pressures: ISPs are being asked to monitor traffic on behalf of law enforcement and rights holders, to track user behaviour on behalf of advertisers, and at the same time to take care not to infringe on user privacy.
Meanwhile, the criminal elements are attempting to legitimize their software, often hiding behind EULAs and selling their tools under the auspices of ‘for educational purposes only’, thus staying off the law enforcement radar. The reality is that the distinction between legitimate and malicious software is an ever blurring line, and research teams now need legal expertise as they try to classify all the greyware that sits in between.
With all of these factors and new commercial tools we are heading for a collision in the greyware space. Over the last few months there has been much discussion about the boundaries of commercial software, especially in terms of user privacy. McAfee defines spyware as ‘software whose function includes transmitting personal information to a third party without the user’s knowledge or consent,’ continuing: ‘this usage is distinct from the common usage of spyware to represent commercial software that has security or privacy implications.’
In a recent trial of an online advertising system in the UK the media highlighted that users were not notified that a cookie was being set on their systems (http://news.bbc.co.uk/1/hi/technology/7325451.stm). Some have argued that this pushes the system in question into the category of spyware. The case has been a wake-up call for many, highlighting that the challenge lies in how the software is presented to the end user – in other words, it is an issue of user awareness and consent. Just as we are given the option to opt in to receiving marketing emails, users should be made aware of, and asked to consent to, any software installed on their systems to deliver targeted advertising.
With further trials planned soon, and increasing numbers of similar tools becoming available, cooperation between ISPs/implementers, vendors and the security industry must ensure that such tools are implemented in a way that guarantees they are classified correctly. Yet, as the boundaries continue to blur, this will remain a hotly debated subject.
As the volume of greyware/potentially unwanted programs continues to grow, I have to wonder how long it will be before we have more lawyers than malware researchers. Indeed, today it can take longer to comprehend the legal stance on a piece of code than it does to perform the analysis. The bad guys will continue to sail close to the wind, and the good guys must be careful!