Tuesday, July 12, 2005

the importance of good definitions

Techdirt has an article on the recent attempts by a group of organizations to come up with an agreed-upon set of definitions for spyware and adware... predictably, Techdirt gets it all horribly, horribly wrong...

the author feels that what the software does or doesn't do is immaterial - that any unwanted application that got on one's machine by unknown means should be classified as spyware... he's not the only one who feels that way but there's a BIG problem with this line of reasoning...

the problem is that classifying instances of software on the basis of how they make some nebulous real world group of users feel (which is essentially what the author's position boils down to) is ridiculously difficult on a number of levels... not only will countless millions be spent on navel-gazing exercises trying to divine whether a particular instance of software in a particular software bundle is going to be unwanted and unnoticed at install time by some fictional average computer user or one of his/her 3.2 kids, but countless millions more will be spent defending against a deluge of specious lawsuits on the grounds that each classification was arbitrary and prejudicial - ultimately leading to a system where the courts, rather than the industry, decide which program is spyware and which isn't...

we're computer scientists, not mind readers - we don't deal with this eye of the beholder crap unless we absolutely have to - and in this case we don't have to... we already have an umbrella term for all bad software - it's "malware"... if we're going to classify software for anti-whatever purposes we need to do it based on functional definitions (definitions based on what functions the software performs rather than definitions based on guessing how users will react to it)... we already have one malware classification saddled with an eye of the beholder definition, it's known as the "trojan", and that non-functional catch-all definition has been the bane of anti-trojan detection for years and is probably the reason we've had to make so many other classifications because it's proven totally unworkable as a classification that people can agree upon... classification based on eye of the beholder type criteria excludes widespread agreement by definition...

functional definitions, on the other hand, are much more reasonable... no guessing is involved and legal defense is practically a non-issue - define something based on its function and it becomes much more feasible to demonstrate that a particular thing belongs or doesn't belong in that class...

on reading the actual document that the group of organizations (the anti-spyware coalition) came up with i think that for the most part the definitions are reasonable but a little on the wordy side... adware, for example, could be much more simply defined as any software that advertises a product or service other than itself... likewise spyware can be defined as any software that surreptitiously collects information from the user's system and sends it back to a remote 3rd party...

they did miss the mark on rootkits again, but the most notable problem is their adoption of spyware as an umbrella term for just about all bad software... they justify this by saying that the public at large is calling it that but this is foolish; 2 years ago the public at large was calling all bad software viruses, 2 years in the future they'll be using yet another term... how will this system cope with that? better to ignore the foibles of the unwashed masses and simply strive for internal consistency... trying to accommodate terminology misuse by people who don't know what they're talking about will never work because the people who don't know what they're talking about will not be consistent over time - leaving those of us who do know what we're talking about having to guess what they're talking about regardless of how accommodating we try to be...

EDIT (07/19/2005): i retract what i said about their definition of rootkits - i don't know what i was looking at before but now it looks fine... turning spyware into an umbrella term is still bad though...
