Spyware – Part II

5 Spyware and Business

5.1 A Profitable Industry


Spyware is now a “many million dollar industry” (cited in Schwartz 2005, 2). Adware, a major type of spyware, has become a truly big business, with between US $500 million and $2 billion a year in sales, as reported by the Los Angeles Times in May 2005 (cited in McFedries 2005). Even Fortune 500 companies, including Sony, Mercedes-Benz, Sprint and others, now use adware to advertise (Gormley 2005).


Companies like to do business with spyware and buy advertising from spyware vendors. Spyware is an important player in the online advertising market: based on statistical data from the Internet Advertising Bureau, it could contribute almost 25 percent of the entire online advertising industry (cited in Hines 2005b).


Spyware also attracts investors, which helps explain why it has become such a booming business. Ben Edelman (www.benedelman.org), a Harvard law graduate and top spyware researcher, found that “the biggest, richest venture capital firms” are investing in the spyware business. Big company names such as American Express, Disney, Expedia, and so on are on the list of investors (cited in McCullagh 2005).

5.2 Spyware Business Model

5.2.1 The Profit Motivation for Spyware

Spyware VS legitimate software

In the traditional software business, software developers and companies make money from their products by selling them. Customers buy software because it satisfies all kinds of needs in their studies, work and entertainment. In the Internet era, however, computer users tend to look for free material on the Internet, and this has evolved into an Internet culture (Klang 2004, 197).


Many users have become used to searching for no-cost software on the Internet, but software manufacturers that give their products away for free still need financing, or even profit, in order to continue their work and pay their staff. Most open source projects rely on limited government, corporate or even self funding, harmless advertising, users’ donations, and sales of CDs and gifts. Many freeware companies operate in the same way.


In contrast to legitimate software, spyware benefits its creators and vendors and does no good to users. Some freeware providers, like Sharman Networks, which owns Kazaa, make money by helping to distribute spyware and through paid advertising. Spyware purveyors are motivated only by profit.

Spyware VS Virus

One reason for creating a virus could be that it demonstrates its maker’s talents and satisfies their ego, and virus writers usually work alone. By contrast, spyware writers work purely for profit (Smith 2005).


According to a study by a security expert (Perry 2004, 14), it took fifteen years for just 1,100 viruses to appear in the wild. By contrast, more than twenty thousand spyware programs appeared in less than two years. That is the difference the profit motivation makes.


5.2.2 Affiliate Program

Affiliate marketing is a key method the spyware business uses to distribute spyware. The method is common in e-commerce, where a business uses it to promote its products or services: an affiliate of a web-based business is rewarded when it drives visits to the business’s website or sales of its products or services. In the spyware business, the biggest sponsors create affiliate programs of this kind to attract software makers and website owners into their distribution network. An affiliate taking part in the program is paid per installation of computer programs that are bundled with spyware, or per visit to a website that has embedded spyware code.


5.2.3 Revenue Source

Even when computer applications are given away for free, or free services are provided on a website, the spyware that comes with the free material generates profit for spyware writers, freeware companies and free content websites.


Apparently, the business model of spyware vendors is to exploit some Internet users’ lack of technical knowledge and their trust. Roughly, the sources of their “revenue” can be categorized as follows:


Financial Fraud

This is the main source of revenue for international criminal organizations, which hire programmers and website owners to create and spread spyware for them. The financial losses of banks all over the world could directly become the revenue of those criminal organizations.


Of course the spyware makers alone can make money from identity theft (cite some loss)

But this is not part of spyware business, because it is illegal.


Some companies that do business online are willing to pay big money to advertise through spyware. They are the source of the “Spyware food chain”, and that is mainly how most spyware vendors stay profitable.


Therefore, advertising brokers or advertisers themselves pay the makers of popular games, utilities, and other software programs a small fee, through affiliate programs, to bundle adware with the programmers’ applications.



Commission is the soul of affiliate programs. Many affiliate programs are “pay-per-install”, meaning the affiliate is paid a few cents for each installation of the software (Turner 2005). Keizer (2005) reported that a Russian company would pay website owners 6 cents for each machine they infected with its spyware.


Moreover, brokers can also benefit from this kind of affiliate program. Some affiliate programs offer money to people who refer other webmasters to their programs. Cash4Toolbar.com (2006), for example, claims it will pay 10% of all commission made by the webmasters a person refers to Cash 4 Toolbar.


Any affiliate of the affiliate program can get commissions from legitimate ad networks that pay these “affiliates” every time an ad is redirected.



Behaviour technology companies use spyware like Claria (formerly Gator) as a marketing tool, and they can win a number of lucrative contracts from many big companies for the service they provide. Information gathered through spyware, such as users’ activities on the Internet, is valuable and attracts advertisers.


The results of behaviour analysis derived from consumers’ information can serve many purposes. Companies holding this kind of information database can serve clients who need effective targeted advertising, because they have clear knowledge of consumers’ online preferences and behaviour; furthermore, they can deliver advertisements directly to the targeted computer system. They can also resell the information to third-party organizations for profit.


5.3 Spyware Ecosystem

5.3.1 Spyware Food Chain



Figure 1: Spyware Food Chain


5.3.2 Components of the Spyware Food Chain


Basically, the main components of the spyware business food chain are:

  • Criminal Individuals/Organizations
  • Advertisers
  • Data Mining Agencies/Marketing organizations
  • Spyware Writers/Manufacturers/Vendors/Purveyors
  • Distribution Agents (software makers and website owners)
  • End Users


Their relationships are interdependent, like those of producers and consumers, or predators and prey. Together they make up the complete food chain of a million dollar business. It should be noted that law enforcement and other spyware users, such as parents, are not in this business, so they are not part of this food chain.


As can be seen from the food chain chart above, end users are at the bottom of the food chain. They support the whole spyware business, and they are the only prey in the chain. Crime makers, advertisers and marketing organizations are at the top of this food chain. They are the largest predators, and also the producers: they support the spyware makers in producing spyware, and fund their affiliates to deliver it to the end users. Spyware writers and website owners are the spyware producers in this chain. They may be programmers who want to make money from their popular software, or website owners who want to get rich through their web business. While end users consume the fancy free screensavers, the convenience of file-sharing utilities and other free material, privacy is the price they pay for their free meals. The information gathered from end users, or the advertisements popped up by spyware, eventually generates revenue for the predators.


6 Legal Issues

6.1 Overview

Technology develops and advances much faster than legislation and public ethics can form, which leaves time gaps and opportunities for spyware purveyors to create and spread their scumware without punishment or condemnation. However, this does not mean that spyware is legal or that it raises no ethical issues.


Of course, in some cases the use of spyware is legal: law enforcement uses it with a court’s warrant, and employers, parents and individuals install spyware on their own property. The Surveillance Devices Act of Australia, passed in 2004, allows law enforcement officials to use various spyware applications to collect evidence in some criminal investigations (Bangeman 2004). Even so, it still gives rise to some privacy problems. In addition, it should be illegal for a person or an organization to implant software on people’s computers without permission, but some spyware vendors do just that without punishment and “sees these technologies as a tool to improve their products and reach new customers” (cited in Kalvass and Singh 2004, 6).


In the past several years, spyware has provoked many legal and ethical concerns, and the public has started to realize the importance of protecting their privacy and personal information. A spyware fighter, Ari Schwartz (2005, 1), gave testimony before the Senate Committee to address the spyware issues. As far as is known from the available online information, only the United States government is taking steps to enact federal laws against spyware (Bulter 2006).


6.2 Legal Issues

6.2.1 End User License Agreement (EULA) Arguments

It is generally believed that clicking the “I accept” button of a EULA during software installation means signing a contract with the software dealer, indicating acceptance of the dealer’s terms and conditions. If the software is from a spyware vendor, then the EULA means the spyware can retrieve information and display advertisements as its creator wants.


Obviously, accepting a EULA is not a fair game, since some spyware vendors deliberately hide their “spying” statements somewhere hard to notice, and the EULA may be hundreds of pages long. Given these facts, it is reasonable to say that users will not read the EULA carefully, or will simply skip it, as they cannot have their lawyers read it for them to make sure they are aware of every possible consequence before downloading or installing a simple application for entertainment purposes only. Additionally, it does not make sense that users need to spend hours reading a EULA before they can find out whether the software is suitable for them or not.


Furthermore, when users suspect that their system is infected by spyware, they should have the right to use anti-spyware applications to remove it from their computers. However, some spyware vendors threaten to sue rubbish-cleaning companies because anti-spyware applications classify their “legal” software as spyware, arguing that the users accepted the EULA, since otherwise the software would not have been installed on their computers. Of course, the anti-spyware firms do not think so.


6.2.2 Current Legislation

In Australia, spyware problems are still at the stage of being discussed and observed. A report written by Kristyn Maslog-Levis on ZDnet.com.au in 2005 said the Department of Communications, Information Technology and the Arts of Australia thought no new legislation was required, because the items in legislation proposed by the Democrats were already covered by existing Australian laws.


Treating spyware differently, most states of the United States have passed anti-spyware laws to control spyware threats (Edelman 2005b). Under these laws, spyware is prohibited from conducting fraud and from collecting personal or business information. A recent effort in fighting spyware is the SPY Act (H.R. 29), but Ben Edelman (2005a) still thought the law was not tough enough.


6.2.3 Real Cases


Case 1: In the United States, a lawsuit was filed against Zhijian Chen of Portland, Oregon, who was sued for marketing fake anti-spyware software through deceptive means. Chen was penalized under Washington’s new computer spyware act and will pay nearly $84,000 in fines and consumer restitution, according to the office of the Attorney General of Washington State (2006). According to the Attorney General’s investigation, Chen made a huge amount of money by helping to sell the bogus anti-spyware application called “Spyware Cleaner”, which was advertised in invasive spam emails sent out by Chen. People were tricked into believing that their computers were infected by spyware and that “Spyware Cleaner” could help.

Case 2: Los Angeles-based Intermix Media, Inc., the owner of the community site Myspace.com, was accused by New York Attorney General Eliot Spitzer of being a source of spyware distribution. According to Wikipedia (2006b), Intermix’s spyware was spread via drive-by download and deliberately installed in ways that made it difficult to remove. On June 14 2005, Intermix reached a tentative settlement with Eliot Spitzer, agreeing to pay US$7.5 million and to stop distributing spyware (Wilson Sonsini Goodrich & Rosati 2005). The suit was described as “the most sweeping case to date involving programs that redirect Web addresses, add toolbars and deliver pop-up ads” (cited in Hines 2005a).
