Coast anti-spyware consortium falls apart


Standardization is an effort IT administrators pray for and most vendors ostensibly support, but actually getting rivals to coordinate their work and agree on goals is a fraught process. The collapse this week of an antispyware organization offers a cautionary tale, and leaves empty a coordinating role industry vendors say needs to be filled.

The Consortium of Anti-Spyware Technology Vendors (Coast) launched 16 months ago after several security software makers decided to coordinate their research and educational outreach efforts on spyware. With technology changing rapidly and online advertising standards and ethics in flux, simply defining what counts as spyware -- hidden software that gathers and transmits information about users without their knowledge -- can be controversial. Anti-spyware technology developers PestPatrol, Webroot Software and Aluria Software envisioned Coast as a forum and guiding body for their nascent industry, but in the past few days all three companies have resigned from the organization they co-founded.

Each cited a different reason for leaving, but disagreements over the organization's direction played a role in its demise. While Coast's founders are all developers of technologies aimed at quashing spyware, the organization's charter called for a wider membership, so last year, companies that make the kind of software Coast aims to eliminate began joining the consortium. New members had to pass an approval process and agree to work toward complying with Coast's standards, but some existing members found themselves in the uncomfortable position of associating with vendors whose products they distrust.

The bigger problem, former members say, is that as the organization diversified it became harder to accomplish anything. "Coast was a stagnant organization," said Rick Carlson, president of Orlando-based Aluria.

Aluria makes spyware detection technology used by ISPs including America Online, and is eager to see an industry-wide set of criteria for defining spyware. "When we put somebody in our detections, we potentially cause them millions of dollars of damage," Carlson said. "There's definitely a need there for standards."

Aluria, which publishes its own spyware definition criteria on its Web site, "tried to lead by example" but couldn't motivate Coast's membership to prioritize criteria standardization, Carlson said. Frustrated at the group's sluggishness, Aluria decided to resign.

Aluria announced its departure soon after Boulder, Colo., security software maker Webroot filed its own resignation notice. "Of late, we have become concerned that Coast is moving in a direction with which we cannot agree," the company said in a press release on Friday announcing its decision. "We are not comfortable with the idea of Coast as a certification body or as a marketing tool for member companies."

The catalyst igniting the long-simmering tensions appears to be Coast's admission last month of 180solutions, a Bellevue, Wash., marketing company whose search assistant application has been criticized for weak privacy protections and installation notifications. Representatives of Webroot and 180solutions did not return calls seeking comment, but Aluria's Carlson said 180solutions' admission was a troubling sign of Coast's conflicting allegiances.

"There were a lot of companies that saw marketing value in being members of Coast. The adware profiteers would like to be involved," Carlson said. "180solutions was moving in the right direction, but they're nowhere near WeatherBug," he said, referring to Coast's first ad-supported vendor member. Gaithersburg, Maryland-based WeatherBug, which makes an eponymous application bundled with AOL Instant Messenger (AIM), joined Coast in April. (WeatherBug is hardly a favorite among those concerned about security -- its packaging with AIM sparked hundreds of requests for removal instructions on security mailing lists and bulletin boards.)

With Webroot and Aluria pulling up stakes, the consortium's last remaining founder, PestPatrol, faced pressure to also distance itself from what remains of Coast. It announced its resignation from the group on Monday, but did so reluctantly. "I haven't yet seen a really good, tangible reason why anyone is pulling out," said Sam Curry, vice president of eTrust security management at Computer Associates, which bought PestPatrol in August. "CA feels we have to (resign) because we can't sustain it by ourselves. We feel Coast has dropped below a certain critical mass. It's unfortunate, because Coast was the only group of its kind, and the Internet needs it right now."

In retrospect, the seeds of Coast's destruction were present almost from its inception. Less than two months after the group's official launch, one high-profile antispyware developer publicly and scathingly disavowed the group. Swedish software maker Lavasoft, maker of the Ad-Aware detection program, participated in early talks about creating Coast, but in December 2003 it fired off a press release attacking the group.

"The current leadership's overt agenda to concentrate on revenue generation flies in the face of the spirit of the original mission Lavasoft set forth when we founded Coast," it wrote. "Not only do the other vendor members of Coast focus their collective attention on revenue streams, some also engage in some of the worst practices that Lavasoft was first conceived to fight against." Lavasoft's North American spokesman was traveling Tuesday and unavailable for comment.

Coast's executive director, Trey Barnes, did not respond to requests for comment, nor did several remaining members, including WeatherBug. With its most influential members abandoning it, though, the group is essentially being left for dead.

Some in the antispyware industry say that's for the best. Posters on the Spyware Warrior Web site's bulletin board took a gleeful tone as Coast's defections mounted. SpywareInfo, a site that offers removal tips and publishes a weekly newsletter, ran a report by editor Mike Healan on Coast's unraveling. "Coast was never a particularly relevant member of the community," Healan wrote. "I don't think anyone will miss Coast and I don't imagine that very many will attend the funeral."

Aluria's Carlson and CA's Curry both say that however flawed Coast was, it played a necessary role. "Without standards and without groups that actually effect change, our industry can't survive," Curry said. "This is a rallying cry. At CA, we are completely neutral here as to who owns it or who champions it. We plan to see what emerges, and if nothing else emerges, we'll take a leadership role where we have to."

"Coast served its purpose for a long time. We just needed a housecleaning," Carlson said. "The silver lining here is that the vendors all know one another. Forming a new group will be time intensive, but the relationships have been formed and the mistakes have already been made. We're set for our future discussions to be fruitful."
