Andrew Kantor's Place: Sure, if You Define It That Way

Sure, if You Define It That Way

Published 1/24/05

In an article entitled “The Next Plague” in the Chronicle of Higher Education, writer Vincent Kiernan tells us of Kerry McQuade, a public-affairs assistant at Marist College, whose computer was infected with spyware.

Or, at least, what she called spyware.

After she starting having computer problems, the article said,

Marist’s information-technology staff found that her computer was infested with more than 900 pieces of spyware and adware — programs installed without her knowledge, which covertly monitored her Web usage or dispensed pop-up advertisements.

Wow! Nine hundred pieces of spyware! Incredible!

Except that it isn’t true.

Nor is it true later in the article when we’re told that the IT staff later “removed an additional 200 pieces of spyware and adware.”

I’m not saying the reporter was making anything up. Rather, either he (or, more likely, Ms. McQuade) is applying the word “spyware” rather liberally.

I guarantee you that the vast majority of those 900 pieces of spyware were simply cookies. Normal, non-malicious cookies put there by just about every Web site in the world.

See, some ad- and spyware removal software will produce a report that calls every cookie it finds “spyware” so users will think, “Wow, what a great product this is! Look at all the spyware it found!”

Spyware, at least for the moment, has a very clear definition: It’s malicious software put onto a computer without the user’s knowing consent that tracks some aspect of her usage and reports it to someone else.

The classic, scary example is a program that sniffs around a computer seeking financial records, passwords, and the like, then sends those to a thief.

But cookies are, for the most part, not spyware. Most are benign or even helpful — they save you the trouble of logging in to your favorite sites over and over, for example. Others, from companies like DoubleClick that serve ads, make sure you see different ads as you travel from site to site.

And that’s where some cookies do cross the line, or at least seem to. If a company like DoubleClick serves ads on two different sites — say, abcd.com and wxyz.com — and you go to both, the DoubleClick folks know that.

Cookies like DoubleClick’s are “third-party cookies,” meaning that they’re put on your computer by someone other than abcd.com or wxyz.com — in this case, DoubleClick provides the ads you see on both those sites.

If you travel to a lot of sites served by DoubleClick (or a similar company), your surfing habits can be tracked. In fact they are, so that DoubleClick can serve you ads you might be interested in.

Is that spyware? Not really, because it’s just a tracking number on your computer. It doesn’t do anything; it’s not “ware.” Sure, there are privacy issues here, but not spyware ones.

That doesn’t stop people like McQuade from believing that she had 900 pieces of spyware on her computer. After all, the software that removes it probably told her that.

I could be wrong, but my money is on her having one or two kinds of spyware, and 890-something cookies (including “tracking cookies” from services like DoubleClick).

At another point in the article we learn that “the University of Arkansas at Fayetteville estimates that 25 percent of the computers on its residence-hall network are infected.”

Again, I bet that someone is playing fast and loose with the word “infected.”

Of course, writing about someone having “two or three pieces of spyware and a whole lot of cookies” doesn’t sound nearly as good in a story as “900 pieces of spyware,” but sometimes it’s better to aim for accuracy rather that hyperbole.