Privacy-Invasive Software : Exploring Effects and Countermeasures

Abstract: As computers are increasingly more integrated into our daily lives, we need aiding mechanisms for separating legitimate software from their unwanted counterparts. We use the term Privacy-Invasive Software (PIS) to refer to such illegitimate software, sometimes loosely labelled as spyware. In this thesis, we include an introduction to PIS, and how it differs from both legitimate and traditionally malicious software. We also present empirical measurements indicating the effects that PIS have on infected computers and networks. An important contribution of this work is a classification of PIS in which we target both the level of user consent, as well as the degree of user consequences associated with PIS. These consequences, affecting both users and their computers, form a global problem that deteriorates a vast number of users’ computer experiences today. As a way to hinder, or at least mitigate, this development we argue for more user-oriented countermeasures that focus on informing users about the behaviour and consequences associated with using a particular software. In addition to current reactive countermeasures, we also need preventive tools dealing with the threat of PIS before it enters users’ computers. Collaborative reputation systems present an interesting way forward towards such preventive and user-oriented countermeasures against PIS. Moving the software reputations from old channels (such as computer magazines or friends’ recommendations) into an instantly fast reputation system would be beneficial for the users when distinguishing unwanted software from legitimate. It is important that such a reputation system is designed to address antagonistic intentions from both individual users and groups thereof, so that users could depend on the reputations. This would allow users to reach more informed decisions by taking the reported consequences into account when deciding whether they want a specific software to enter their computer or not.