ComScore: Spyware or 'researchware'?

A battle has broken out over the proper definition of "spyware," pitting a Net research provider against critics who see little difference between its software and illicit programs that record personal data without consent.

ComScore Networks' Marketscore application is installed on more than 1 million PCs in the United States, forming the backbone of a well-regarded research service used by Fortune 500 companies, universities and media outlets, including CNET News.com. Now the software is in the privacy spotlight, tied to warnings from some universities and computer security experts about secretive and invasive software, sometimes known as adware or spyware, that can take over a PC with little or no warning.

COMSCORE ( http://www.comscore.com/ ) denies the charges and is preparing to go on the offensive with a lobby campaign aimed at legitimizing data collection products such as Marketscore. A ComScore proposal currently being shopped to security firms and Internet service providers would create a new "researchware" label for its software in order to explicitly distinguish it from badly behaved spyware products.
"There's a small group of people in universities who've taken it upon themselves to take an issue with our software," said Dan Hess, senior vice president of industry analysis at ComScore. "We're trying to make them fully aware of the nature of our (products and services). It's a completely voluntary program."

What's in a name? Quite a bit, it turns out, if you happen to make your living tracking the private lives of millions of consumers over the Web.

Labels such as spyware and adware cut a wide swath, with many gray areas that can spark disagreements among software makers, consumers and security experts over legitimate and illegitimate practices. Now these basic categories are poised for an overhaul, as federal spyware legislation moves forward and companies like ComScore push for finer definitions from the security companies that are largely responsible for classifying specific products one way or the other.

Depending on how these changes are handled, consumers could face an even more bewildering labyrinth of warnings and terminology over little-understood products such as Marketscore and dozens of other products up for grabs on the Web.

WEB ROOT SOFTWARE, ( http://www.webroot.com/ ) an Internet security company that counts Microsoft and EarthLink among its customers, said it plans to unveil a new category of potential threats in the next version of its security software, due out in the next few months.

"We're going to have an 'other' category, where we'll be able to identify things like Marketscore, describe what it does, and give users an option to remove it," said Richard Stiennon, vice president of threat research at Webroot. "It's ironic. When we do focus groups with consumers, they say they have too much information. So they're not going to be happy, but we're going to do it."

Webroot currently identifies Marketscore as a subcategory of spyware, known as a "system monitor," that tracks user behavior for marketing purposes.

Other software programs that are designed to detect and remove spyware and adware applications have warned users off Marketscore, too. Spybot Search and Destroy, for example, labels it spyware, and Ad-Aware dubs it a "data miner" for removal.

In fact, many in the Internet industry want better classifications for spyware and other tracking software because, too often, everything gets lumped together. For example, earlier this year, Webroot and EarthLink estimated that the majority of people have spyware on their computers. But the companies' classification of spyware included "cookies" that can be useful for people's PCs to recall passwords. Even sites like entertainment provider iFilm, which distributes an application for watching movie trailers, has been labeled ( http://www.ifilm.com/ii_install ) as spyware.

That's why security software makers like Symantec plan to improve information they have on the threat level of software circulating the Internet. "Rather than new categories, we're focusing on new classifications for understanding risk, to help people make decisions about what it is they want to block and what it is they are OK with," said Vincent Weafer, director of security software for Symantec.

For ComScore, the data it compiles is used to create reports tracking e-commerce sales trends, Web site traffic and online advertising campaigns, to name a few. In a few years, it has risen from obscurity to challenge larger rivals such as Nielsen/NetRatings.

ComScore freely admits that it tracks the activities of its customers, also called "panelists." But it insists that it fully discloses its practices and protects the privacy of its customers by providing only aggregate data for its reports. It also promises to strip out and discard any information that could connect data back to a particular individual.

"We do capture information, including data that occurs in secure sessions, to get information like what a person buys," said Chris Lin, ComScore's chief privacy officer. "We do that with full disclosure, and we scrub the personally identifiable information."

The company also has had its privacy policy, practices and data security audited by independent accounting firm Ernst & Young.

Despite ComScore's claims that it provides clear disclosure and consent, some privacy experts said controversy over its software highlights gray zones for data collection companies. For example, even companies that fully disclose software behavior may nevertheless undermine public perceptions of notice and consent if their disclosure documentation is overly dense or poorly worded.