Making Up the Rules: Spyware, Adware and Cookies

Over a year ago, I called for some kind of disclosure guidelines that would help advertisers distinguish between the good guys and bad actors in the increasingly popular (and endlessly confusing) adware arena. Since then, behavioral targeting has only grown hotter, and those little text files known as cookies have gotten dragged into the whole spyware debate (when we learned that people were deleting them in droves).

Recently, the Anti-Spyware Coalition (ASC) adopted a standard definition of spyware and introduced a proposed risk model to help achieve consistency among spyware-fighting software makers. This would mean, for example, an adware application one program flagged as low risk wouldn’t be called medium or high risk by another.

Cookies, too, would presumably be universally identified as low risk — helping consumers understand their actual threat level (or lack thereof). This is especially important because of the perceived threat level. A just-completed Dynamic Logic survey shows 45 percent of Internet users believe cookies slow their Internet connections, while 36 percent of respondents believe cookies “generate ads I cannot close.” (Just 21 percent of respondents declined to blame cookies for at least one of the following: slowing their connections, generating unclose-able ads; letting people access their computer without their permission; making it difficult to uninstall software or taking over their computer.)

But the ASC definitions and guidelines were primarily formulated with anti-spyware software makers in mind. Interested parties in the advertising business — advertisers, users of cookies and adware publishers — must take this further. This week, I called around to a variety of people with skin in the game, to ask them their thoughts on where we stood, and what next steps should be. Some important themes emerged.

Adware-Specific Guidelines

People with interests in the adware game — software publishers as well as companies that distribute advertising through these channels — must develop guidelines specific to that application. In the course of my inquiries, I learned that the Network Advertising Initiative (NAI), one of the industry’s most hard-working trade organizations, is making progress on doing just that.

Jean Phillipe Maheu, the new CEO of Direct Revenue, is trying to legitimize the company and distance it from its questionable reputation. In an email exchange, he told me the company — an NAI member — has been working with the NAI “to define and enforce guidelines for self-regulation of adware companies.” The firm is also working with other adware players, such as Claria and WhenU, on defining those guidelines, Maheu said.

Sean Sundwall, a spokesperson for adware player and NAI member 180solutions, said of the NAI guidelines in progress, “It provides a blueprint of rules… It’s actually far more restrictive than what the anti-spyware coalition is coming up with.”

The NAI’s Trevor Hughes wouldn’t discuss the process, but admitted “There’s still a need for best practices and standards for the adware industry, particularly.”

(It should be noted both Direct Revenue, and 180solutions are targets of proposed class-action lawsuits over alleged spyware practices.)

Third-Party Certification

Because of the conflict of interest inherent in any industry self-regulation, many believe a neutral third-party must be brought into the mix. Company spokesperson Sean Sundwall likened self-regulation to “a fox guarding the hen house,” and said a TRUSTe-style certification program would benefit the industry.

“Some kind of rules to play by is going to help everyone out,” said Sundwall. “There’s nothing worse than playing a game that doesn’t have any rules, or where the rules change from day to day. Having rules are in some ways more important than what the rules are.”

Gaude Paez of Yahoo Search Marketing, which has been involved in the ASC’s process, says a third-party certification effort doesn’t go far enough, considering that players can change their tactics after gaining the seal of approval. Yahoo has its own standards for determining who can distribute its text ads, but says it’s tough to ensure compliance.

“It’s very difficult to police the space minute by minute to make sure that these applications providers are complying,” she told me. “[We’re] also working with the industry to develop a better way of policing. We think industry-wide solutions are the way to go.”

Government Regulation

As with the spam situation, players are calling for the passage of federal legislation that will pre-empt the state laws that have sprung up in California and Utah.

Just the Beginning

Might I weigh in on this issue with another column next year? Probably. Discussing the debate over how best to preserve cookies — along with consumer privacy — Safecount‘s Nick Nyhan told me, “We’re just in the middle of this. The decision makers are just coming to the table. I think this is an evolving story. It’s not decided yet. I think we’re going to be talking about these things for another couple of years.”

And, notes Nick, it’s not just about the Web. It’s about mobile and TV and probably other forms of digital media that are just being imagined.

Make that 10 more years.

Related reading

Overhead view of a row of four business people interviewing a young male applicant.