acm-header
Sign In

Communications of the ACM

Spyware

Spyware: A View from the (Online) Street


There are indications of late that the use of anti-spyware software is on the rise, with more than 100 million Internet users downloading Lavasoft's free anti-spyware software [2]. Some big-name companies are also beginning to address the spyware issue, including Microsoft, which currently has a beta version of its own anti-spyware available to Microsoft Windows users for download. However, a Gartner survey finds only 10% of respondents were taking sufficiently aggressive steps to minimize spyware infestations [5] and a Forrester survey found that even though 55% of consumers knew what spyware was, only 40% were running anti-spyware programs routinely [7].

Based on the seriousness of the spyware threat and lack of Internet user awareness, several legal initiatives have been pursued. The Federal Trade Commission (FTC) has made the point of defining spyware, the Safeguard Against Privacy Invasion Act (SAPIA) has attempted to define what it means to provide consent to receive spyware and to specifically address what spyware is, and the Software Principles Yielding Better Levels of Consumer Knowledge (SPYBLOCK) Act creates the requirement for all software programs to demonstrate that they have been purposefully installed by the user [8, 9, 10]. Thus, anti-spyware software is more available, current media coverage is discussing spyware more, and more legal initiatives are being adopted to address it.

Given the increase in attention to spyware issues, one might expect Internet users to understand that nature of the security threat and to be motivated to counteract the effects of spyware. In order to assess user perceptions of the threat, a study was executed with America Online (AOL) to examine the perceptions of its users regarding spyware and the need for spyware protection. The survey included 1,006 AOL users whose responses offer valuable insight into their awareness regarding spyware and how spyware works, their level of motivation to address the problem, and their willingness to pay for anti-spyware protection.

Awareness and understanding of spyware. The survey indicates that most users are aware of spyware as a computer security threat. Respondents were asked, "Which, if any, of the following are you aware of?" and were able to select any of 12 listed online security threats (see figure). Of the various threats presented, spyware was the third most highly recognized, following viruses and spam, with 74.9% of users saying they are aware of it. An almost identical number of respondents (74.2%) said they perceived spyware to be a personal threat. However, high awareness and perception of a threat do not equate to comprehension of the threat. When asked, "Do you know what spyware does to computers?" only 49.8% of those surveyed reported they actually understand the specific hazards posed by the security threat.

Motivation to use spyware protection. While most users appear to be aware of spyware, many do not appear to fully comprehend the problems caused by spyware and they either don't know how to respond or simply choose not to deal with these problems. The responses of users who have not yet sought spyware protection regarding their plans to install anti-spyware are provided in Table 1. Some 28% of the respondents did not know whether or not they used spyware protection. This number is similar to the percentage of users who said they were not using spyware protection at all (26.6%).

The users who either did not use or did not know if they used spyware protection were asked two subsequent questions about their comfort level with spyware and their interest in installing spyware protection. When asked, "How comfortable would you say you are with having spyware protection software on your computer?" most say they are comfortable, with 63.9% of the users saying they were at least moderately comfortable the idea. When asked "How interested are you in having spyware protection software installed on your computer?," 62.5% say they were at least somewhat interested. However, they are not motivated to install it. Table 1 shows that 7074% of the respondents say they would like to take protective steps, but have no immediate plans to do so.


Perhaps the most important insight to be gained from this survey is that companies looking to enter the standalone spyware protection market might want to reconsider.


Willingness to pay for anti-spyware. When asked how likely they were to subscribe to an anti-spyware service offered by AOL, the majority (86.9%) of users said they either definitely would; probably would; or at the least might consider subscription spyware protection from the ISP. However, 44.8% of those users were noncommittal about actually entering into a paid subscription to an anti-spyware service, saying they might or might not be interested. Only 12% of users said they would definitely subscribe. The details of how likely users are to subscribe to AOL spyware service are provided in Table 2, Panel A.

Respondents were randomly divided into two groups and asked whether they were interested in subscribing to spyware protection either for a fee, or for no extra charge. The breakdown in responses based upon willingness to pay for anti-spyware is shown in Table 2, Panel B. There was an intriguing difference in the level of interest. In fact, 69% of the users asked about the offer of free service said they would definitely subscribe, yet only 8.6% asked about the provision of service for a nominal fee folded into their monthly Internet charge said they would definitely subscribe.

Commercial impact. Perhaps the most important insight to be gained from this survey is that companies looking to enter the standalone spyware protection market, as compared to companies integrating spyware protection as a part of their normal software offerings, might want to reconsider. In 2004, Gartner predicted the delay in adding anti-spyware into popular Internet security and integrated anti-virus packages being purchased by users had led to a temporary short-term market for standalone spyware protection packages, but that this market probably would not last beyond 2005 [6]. The data presented here indicates there appears to be little desire by Internet users to purchase spyware protection as a specific and unique product, though there is an indication that spyware protection could serve as a highly desirable and differentiating feature of an existing Internet service arrangement.

Despite the fact that Internet users are generally aware of spyware as a potential security threat, they do not appear to be greatly motivated to pursue or pay for commercial solutions. AOL has been featuring the free download of anti-spyware software to users at their main Web page log-in, and it appears the current market for spyware protection at the commercial level is as a value-added feature for differentiation purposes of an existing commercial Internet service.

User impact. AOL users are typically seen as the "everyman" of the Internet; since the ISP leads the market, it tends to the highly visible face of the market for commercial consumer Internet access services. As such, they represent the user population at the "street level." Prior studies of AOL users asked the customers to rate themselves on their perceived level of Internet experience, and it was found that 35% of participants classified themselves as "novices," while 23% classified themselves as "high-end novices" [1]. Hence, basic users of Internet services demonstrate that the Internet "street" knows that spyware is a problem and would like to protect themselves but, due either to lack of perceived technical skills or perhaps lack of recognition of the severity of the computer security threat that spyware represents, they are not aggressive in their plans to take protective steps, particularly if such steps cost money.

It seems as if the new AOL spyware protection service is prized as a value-added service enhancement, but not as a standalone product that can command an appreciable separate revenue stream. To the extent that service offerings such as the AOL spyware protection enhancement are valued, they seem best situated as an enhancement of current services. The greatest value to a company like AOL in offering add-on services of this nature is probably in maintaining competitive advantage, as opposed to opening new revenue sources through subscription sales. Thus, not only should AOL be offering free downloads of anti-spyware software to its users, but should continue to integrate the feature into the user interface, while at the same time work to emphasize the seriousness of actively pursuing protection against the spyware threat. Less savvy Internet users understand the threat of spyware but must be educated about the need to aggressively protect themselves against this threat. Companies providing anti-spyware software should focus on helping street-level users understand the urgency and immediacy of taking action against unwanted spyware activities and guide them in the steps to take and tools to use in protecting themselves.

Back to Top

References

1. America Online/National Cyber Security Alliance. AOL/NCSA online safety study. (Oct. 2004); www.staysafeonline.info/news/safety_study_v04.pdf (accessed Apr. 13, 2005).

2. Beith, M. Spyware vs. anti-spyware. Newsweek 1 (Jan. 2005), 30.

3. Earthlink. Most dangerous types of spyware increasing, states SpyAudit survey. (Feb. 2, 2005); www.earthlink.net/spyaudit/press/ (accessed Apr. 6, 2005).

4. Federal Trade Commission. Complaint for injunction and other equitable relief. (Oct. 2004); www.ftc.gov/os/caselist/0423142/041012comp0423142.pdf.

5. Girard, J. A field guide to spyware variations. Gartner Research (July 9, 2004), ID # TU-23-1453; www.gartner.com (accessed Apr. 6, 2005).

6. Leong, L. and Schroder, N. Stand-alone spyware blockers won't become separate market. Gartner Research (July 27, 2004), ID # DF-27-3133; www.gartner.com (accessed Apr. 13, 2005).

7. Lopez, M.D. and Charron, C. Spyware threat goes unchecked. Forrester Research, (Apr. 1, 2005); www.forrester.com/Research/Document/Excerpt/0,7211,36641,00.html (accessed Apr. 6, 2005).

8. Stafford, T.F. and Urbaczewski, A. Spyware: The ghost in the machine. Commun. AIS 14, (2004), 291306.

9. Urbach, R.R. and Kibel, G.A. Adware/spyware: An update regarding pending litigation and legislation. Intellectual Property & Technology Law J. 16, 7 (2004), 1216.

10. Volkmer, C.J. Should adware and spyware prompt Congressional action? J. of Internet Law 7, 11 (2004), 18.

Back to Top

Authors

Robin Poston (rposton@memphis.edu) is an assistant professor of MIS in the Fogelman College of Business and Economics at the University of Memphis, TN.

Thomas F. Stafford (tstaffor@memphis.edu) is an assistant professor of MIS in the Fogelman College of Business and Economics at the University of Memphis, TN.

Amy Hennington (ahharris@memphis.edu) is a doctoral candidate in MIS in the Fogelman College of Business and Economics at the University of Memphis, TN.

Back to Top

Figures

UF1Figure. Percentage of users reporting awareness of online security threats.

Back to Top

Tables

T1Table 1. Users' plans to install spyware protection.

T2Table 2. Users' subscribing to AOL spyware service.

Back to top


©2005 ACM  0001-0782/05/0800  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2005 ACM, Inc.