Research and Advances
Computing Applications Spyware

The Deceptive Behaviors that Offend US Most About Spyware

Before effective legislation against spyware can be drawn, lawmakers and vendors must understand what users find most deceptive and offensive about this stealth software.
  1. Introduction
  2. Types of Spyware Behaviors
  3. Expected Results
  4. Methodology and Data
  5. Results
  6. Discussion
  7. Conclusion
  8. References
  9. Authors
  10. Figures
  11. Tables

“One of the biggest challenges a computer owner can face is getting rid of spyware…”—Reuters, Feb. 9, 2004

Spyware is a rapidly growing threat in our society. In fact, the National Cyber Security Alliance estimated two years ago that 90% of Internet-connected PCs are infected with spyware. And according to a 2004 WebSense survey 92% of corporate IT managers atcompanies of 100 or more employees claim to have had a “major” spyware problem. The paradox of this situation, however, is that while most Internet users are familiar with slothful PC performance, the increased amount of pop-up ads, and the mysterious search results caused by spyware; most of these users are not aware of the presence of the underlying spyware application until well after the spyware has been installed on their computer. This hidden nature of spyware can be quite dangerous.

The use of software programs to gather and transmit information about end users began in the late 1990s and became increasingly prevalent after the dot-com bubble burst in the early 2000s. The term “spyware” generally refers to software programs that act as data sensors and illicitly collect and transmit information about end users, and then send it back to a third party [1, 7]. Spyware poses several types of risk to computer owners, some more conspicuous than others.

“Spyware … has gone completely over to the dark side, scanning your hard drive for personal information or attempting to link your surfing habits to your name or email address.”—PC World, July 23, 2003.

The U.S. Army Corps of Engineers was the victim of a major spyware attack by a group of Russian hackers in the late 1990s. Since then, several U.S. government groups have become increasingly concerned with the threat of spyware. However, a major difficulty in drafting legislation against spyware developers is the lack of formal definitions of spyware applications and the behaviors they exhibit [4].

This study seeks to aid in the definition of spyware by classifying the types of deceptive behaviors exhibited by spyware programs and quantifying the relative offensiveness of these various behaviors. Our goal is to offer insight to legislators and corporations alike as to the types of deceptive behaviors exhibited by spyware applications and the degree to which these behaviors are considered offensive by end users.

If lawmakers were to outlaw just the installation of software without consent, the bundling of unwarranted software, and the unauthorized changing of end-users’ settings, it would address three of the four significant deceptive behaviors contributing to spyware offensiveness.

Back to Top

Types of Spyware Behaviors

While academic research on the topic of spyware is still in its infancy, previous studies have examined the extent of other Internet security threats, such as self-propagating worms. Building upon this literature, Saroiu, Gribble, and Levy [7] categorized spyware as a potential threat of comparable size and scope to these fast-spreading worms. Researchers of peer-to-peer file sharing have noted that PC users are often not informed of spyware residing on their computers because companies that provide file- sharing software will bundle spyware with the download, unbeknownst to the end user [11].

Spyware is classified in [7] into the following six categories: Cookies and Web bugs; browser hijackers; keyloggers; tracks/spybots; adware; and malware. Our classification scheme takes a different perspective on spyware; we attempt to identify the behaviors spyware programs can exhibit. Following the findings in [11] regarding the covert installation of spyware, we classify the behaviors that spyware applications may exhibit into two major categories—conspicuous and inconspicuous. Conspicuous behaviors are clearly evident to the user, for example, pop-up advertisements or the significant slowing of the end-user’s computer. Inconspicuous behaviors include bundling spyware applications with legitimate downloads, or installation them without user consent. As such, we identified the six most common types of deceptive behavior exhibited by spyware applications and divide them into these two categories:

Three conspicuous behaviors:

  • Online advertising;
  • Change in end-user computer settings; and
  • Slowing of the end user’scomputer

Three inconspicuous behaviors:

  • Installation without user consent/drive-by download;
  • Spyware bundled with legitimate download; and
  • Inability to uninstall/remove.

Back to Top

Expected Results

Knowledge has been shown to be a determinant of perceived control [12]. Previous research has shown that Internet usage may be constrained by the perceived need for additional knowledge and understanding of the medium [5]. For example, the fact that many PC users, especially novices, will install software if prompted by a security warning dialog box under the belief the software is required in order to fully view the Web site they are visiting [3]. It is not until the user begins to experience some spyware-related behaviors that they realize they installed such an application. Because the information presented misled users into false beliefs, they feel a lack of perceived control of the situation.

For this reason, it is our expectation that PC users will find these hidden deceptive behaviors especially offensive, as they will feel they have purposely been duped and betrayed. In addition, it is our expectation that deceptive behaviors of spyware applications that revoke control and therefore break the trust of the end user will be the most offensive. Some spyware software will install on an end-user’s computer, even if the user denied consent [5]. As such, we expect the user to feel most violated by the spyware upon visibly experiencing a breach of trust as well as an ultimate lack of control due to the application’s effects on his or her computer.

Back to Top

Methodology and Data

One can find a plethora of Internet forums denouncing the nuisances of spyware and offering advice for the removal of various spyware applications. Some Web sites, including the ones used in this research, provide detailed lists of spyware applications, the names of the vendors, the types of deceptive behaviors, and proposed removal solutions.

Some 40 known spyware applications were compiled for this analysis from various online spyware communities gathered from the 2004 Spyware Guide ( Each spyware application was then researched at the three most frequently cited spyware sites, according to Yahoo! Anti-Spy Community (Nov. 2004):,, and All 40 applications were analyzed using the information provided at each of the top three spyware Web sites. Each spyware application was then assigned a “1” if, according to the given spyware Web site, the software did exhibit the deceptive behavior in question, and a “0” if the spyware application did not exhibit the given deceptive behavior.

An individual worksheet was created for each of the three resource Web sites. Results were complied, and checked against one another, and if discrepancies were found across the three Web sites for the classification of any of the 40 applications, the behavior was not counted unless two of the three reference Web sites were in agreement. Table 1 presents the majority consensus of which deceptive behaviors were exhibited by which spyware applications.

The application names were then searched for along with the word “remove” on seven well-known search engines, including:;;;; and The number of search results returned from each search engine was then recorded as negative hits. The use of search engine total results as a means of measuring positive and/or negative word-of-mouth has been used in prior literature [9] and thus, we adopt such a measurement technique in this study. The measure of offensiveness/negative word of mouth is based on the assumption the name of the spyware application referenced with the word “remove” is necessarily negative, and that a higher number of Web sites returning that hit indicates a higher level of dissatisfaction with the application.

The results of this online word-of-mouth assessment across six search engines are shown in Table 2.

Back to Top


The goal of this study was to identify the deceptive behaviors exhibited by spyware application that users react to most negatively. Since spyware is often installed without the end user’s consent, we expected users will be most offended by its inconspicuous, covert behaviors. Indeed, these inconspicuous behaviors cause the greatest breach of end-user trust by revoking their perceived control.

The accompanying figure demonstrates the relative impact of the four deceptive behaviors that were significant in the underlying regression equation based on their standardized coefficients. The analysis was performed using the measure of offensiveness as the dependent variable. The underlying regression equation uses the six deceptive behaviors as predictors and the log (negative hits) as the dependent variable (the log is necessary to normalize the negative hits variable, as well as to stabilize the variance of the negative hits variable). The independent variables are all binary variables that indicate whether or not the given spyware application exhibited the given deceptive behavior (based on consensus across two of the three referenced spyware sites).

As the figure illustrates, four of the six deceptive behaviors were significantly associated with spyware offensiveness; interestingly, two of the significant behaviors were conspicuous behaviors (change in settings and slowing/computer crashes) and two were inconspicuous behaviors (installation without user consent/drive-by download and bundled). Change in settings accounts for the largest percentage of negative hits followed by inconspicuous installation/drive-by download; bundled ranked third in regards to offensiveness. Slowing/computer crashes was also a significantly offensive behavior, however, it is interesting to note it ranks as the least offensive relative to the other three significant deceptive behaviors, despite being one of the more visible control-revoking behaviors. Table 3 lists the deceptive behaviors in rank order of contribution to negative word of mouth.

A central element of consumer comfort online is trust; end users take offense when they lose a degree of perceived control over their PC environment.

Back to Top


It is not surprising that the change in settings variable produced the largest jump in negative hits. Applications that modify the user’s browser settings, such as home page, favorites list, and toolbars rob end users of something very important—the control they expect to have over their computer. Previous research suggests that issues of control are essential in creating a favorable consumer predisposition toward an online firm [10]. Thus, when an online vendor relinquishes users’ control over their own personal system, consumers quickly develop a negative disposition to the firm and the application.

Installation without user consent/drive-by download, the practice of discreetly installing applications onto an end-user’s computer through methods of ActiveX commands, browser security holes, and parasite programs ranked second highest on the offensiveness scale. Installation without user consent may not initially produce the level of angst created by more visible practices because end users (particularly novices) are unaware of the method in which the spyware application came to reside on their computer. However, when end users realize that spyware was installed they take great offense.

Similarly, bundled spyware packaged with a legitimate software application, the third most offensive spyware deceptive behavior, ranked above the more visible behavior of slowing/computer crashes in the offensiveness ranking. Consumer satisfaction with an online firm is based upon trust and credibility [8]. When consumers chose to purchase or download software from a company they consider credible, they are placing a level of trust in that company. Thus, when the end user realizes the company considered credible actually installed spyware, that trust is breeched, and the users strongly vocalize their dissatisfaction.

It is interesting to note the three most offensive behaviors—change in settings, installation without user consent, and bundled—can be viewed as cyber trespassing, as they change an aspect of the end-user’s computer without consent. These behaviors likely evoke such a negative reaction because they endanger a user’s fundamental sense of perceived control. Thus, a simple change by the software maker requesting the user’s permission to change settings, or install their software, would likely result in a much more favorable reaction by the end user.

The least influential of the significant deceptive behaviors was slowing/causing crashes, which denotes frequent error messages and processing speed degradation. This behavior may rank as the least offensive due somewhat to confounding factors. Indeed, computers crash for many reasons, thus end users may not clearly correlate computer crashes as an effect of spyware. For this reason, the slowing/causing crashes behavior is the most difficult to legislate; it is very difficult to isolate spyware as the culprit. However, the behavior is still significant, suggesting that significant productivity losses result from the slowing behavior brought about by spyware.

The first three items are very definable and therefore very actionable by legislation. If lawmakers were to outlaw just the installation of software without consent, the bundling of unwarranted software, and the unauthorized changing of end-users’ settings, it would address three of the four significant deceptive behaviors contributing to spyware offensiveness. In addition, by using legislation to counteract these first three significant deceptive behaviors, less spyware will be installed on end-users’ computers, and therefore less slowing/causing crashes will be felt by users, consequently enhancing productivity.

Back to Top


Spyware is a growing concern across our digital society. It affects computer functions and can pose security risks, including collection and transmittal of information to third parties. As a result, there is a growing body of legislation aimed at combating spyware. However, lawmakers are finding it difficult to build effective legislation because of a universal lack of clearly defined deceptive behaviors exhibited by spyware applications. Our study addressed this difficulty by identifying and classifying various deceptive spyware-based behaviors as well as examined the correlation between these behaviors and the application that exhibits these behaviors measured by negative online word of mouth.

We found that a central element of consumer comfort online is trust; end users take offense when they lose a degree of perceived control over their PC environment. Consequently, changes in user settings (which visibly takes control away from the user and puts it in the hands of the spyware application), installation without user consent, and bundling of spyware (which breaches the end-user’s trust in the online firm), proved to be the most offensive behaviors exhibited by spyware.

To protect users from spyware, legislations must focus on those deceptive behaviors that are definable, actionable, and that users find most offensive. By using legislation to counteract the three significant deceptive behaviors identified here, will indirectly address the fourth factor as less spyware will be installed on PCs, and users will then experience less slowing and crashing of their machines.

Lastly, spyware development firms should realize that by breaching end-user trust, and threatening their sense of perceived control, they are losing customers, and ultimately affecting their bottom line—clearly, a lose-lose situation.

Back to Top

Back to Top

Back to Top


UF1 Figure. Relative impact of deceptive behaviors on negative hits.

Back to Top


T1 Table 1. Deceptive behaviors exhibited by spyware applications.

T2 Table 2. Spyware negative word of mouth.

T3 Table 3. Offensive ranking.

Back to top

    1. Cohen, J.E. DRM and privacy. Commun. ACM 46, 4 (Apr. 2003), 46–49.

    2. Denning, D. Information Warfare and Security. ACM Press, 1999.

    3. Edelman, B. Methods and effects of spyware. Response to FTC Call for Comments on Spyware, Mar. 2004.

    4. Kenyon, H.S. Spyware stymies network operators. Armed Forces Communications and Electronics Association 58, 12 (Aug. 2004), 47–48

    5. Klobas, J.E. and Clyde, L.A. Adults learning to use the Internet: A longitudinal study of attitudes and other factors associated with intended Internet use. Library and Information Science Research 22, 1 (2000), 5–34.

    6. Reed-Freeman Jr., D. Federal and state governments turn their attention to spyware and adware. E-Commerce Law and Strategy 21, 4 (Aug. 30, 2004), 1.

    7. Saroiu, S., Gribble, S.D., and Levy, H.M. Measurement and analysis of spyware in a university environment. In Proceedings of the ACM/USENIX Symposium on Networked Systems Design and Implementation (San Francisco, CA, Mar. 2004).

    8. Schoenbachler, D.D. and Gordon, G. Trust and customer willingness to provide information in database-driven relationship marketing. J. Interactive Marketing 16, 3 (2002), 2–16.

    9. Smith, M.D., Bailey, J.P., Brynjolfsson, E. Understanding digital markets: Review and assessment. Understanding the Digital Economy. E. Brynjolfsson and B. Kahin, Eds. MIT Press, Cambridge, MA, 2000.

    10. Stewart, K.A. and Segars, A.H. An empirical examination of the concern for information privacy instrument. Information Systems Research 13, 1 (2002), 36–49.

    11. Tsiavos, P., Whitley, E.A., and Hosein, I. An exploration of the emergence, development and evolution of regulatory characteristics of information systems. In Proceedings of the 23rd International Conference on Information Systems (Barcelona, Spain, 2002), 813–816.

    12. Wortman, C. Some determinants of perceived control. J. Personality and Social Psychology 31 (1975), 282–294.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More