It's sometimes called the "new spam." It slips right through firewalls and antivirus programs, riding the coattails of legitimate programs you've chosen to download from the Internet. In its more common and benign forms, it will send you pop-up ads targeted to your interests and clog your computer's memory. At its most malicious, it can steal your passwords and credit-card numbers, maybe even let a remote user take over your computer.
It's spyware, a broad term for programs that hide on users' computers without their knowledge. It has become so pervasive that both federal and state governments are looking into ways to prevent or at least regulate it.
While it's hard to tell the share of computers that have been infected with spyware, estimates run as high as 95 percent. One popular spyware detection program, Spybot Search and Destroy, lists nearly 800 spyware programs that it can find and remove.
While most of the spyware found on computers appears relatively benign so far, experts suggest users take measures to protect themselves (see the list below).
Children online can be especially vulnerable because they may have less technical savvy and frequently download so-called peer-to-peer software from the Internet, often called freeware or shareware.
"One of the ways these programs end up on people's computers is that they can be bundled with other free applications they download, which can include file-sharing applications, screen savers, or other kinds of free utilities," says Michael Steffen, a policy analyst at the Center for Democracy and Technology (CDT) in Washington, D.C.
Kazaa, a widely used music-swapping program that has been downloaded 270 million times, has carried at least 12 kinds of hidden spyware at various times over the past two years, according to a recent study at the University of Washington in Seattle.
But with the exception of pop-up ads or slower operations, users may not notice anything happening when spyware programs are present, experts say. And the programs often apply a legal fig leaf by asking for consent to be installed as part of a lengthy EULA (End User License Agreement) that many users OK without reading.
In Congress, a bill to battle spyware sponsored by Sens. Barbara Boxer (D) of California, Ron Wyden (D) of Oregon, and Conrad Burns (R) of Montana recently joined one filed in the House last July by Rep. Mary Bono (R) of California. They aim to ensure that users know when programs are being installed on their computers, so that they can refuse them if they wish, and that spyware that is installed is just as easily removed. The Federal Trade Commission would enforce compliance.
The FTC has already announced that it is holding a spyware workshop in Washington on April 19 to gather information about the problem.
In addition, the Utah legislature has sent a bill regulating spyware to the governor for his signature. Iowa and California have also considered bills to prevent spyware.
"The Internet is a window on the world, but spyware allows virtual Peeping Toms to watch where you go and what you do on the Internet," Senator Wyden said in a statement about the Senate bill, called the Spyblock Act.
"The FTC is beginning to look at the extent to which these applications are unfair and deceptive, and we think that's a really good thing," Mr. Steffen said in a phone interview. "We think a lot of these [spyware] programs already represent violations under existing fraud statutes or under other laws."
Although new legislation may have a role to play, Steffen says any solution must also include educating the public, and self-regulation within the industry.
"The spyware and adware stuff comes in from all over, and it's really as dangerous as a virus," says Roger Thompson, vice president for product development at PestPatrol in Carlisle, Pa., a maker of antispyware software.
Along with imposing pop-up ads and collecting data about users, spyware can change computer settings without users' consent, change users' Internet home pages, or send them to counterfeit versions of familiar websites, where they are enticed to give out personal information.
"Keystroke loggers" record and transmit every key hit by the user, which could include such sensitive items as passwords and credit-card numbers. And they may have a "backdoor" capability that allows an outside party to plant new programs on the computer at any time, Mr. Thompson says in a phone interview.
Perhaps most insidious, some spyware comes attached to programs advertised to remove spyware from a computer. That's why it's important to obtain antispyware programs from a reputable source, experts say. The CDT has sent a letter of complaint to the FTC against one company that it says was using spyware to change computer users' home pages without their consent and then telling users that they should buy an antispyware program to protect themselves.
Spyware is sometimes confused with cookies. Cookies are pieces of data, not an application, used by a website to record information about users' visits. Most browsers on most computers have cookies installed by sites to help them access the sites more easily and quickly, such as remembering login or registration IDs, user preferences, or "shopping cart" information. Cookies can raise privacy issues, but they are not considered spyware.
But even relatively innocent programs that only display ads can be the source of more serious problems. The University of Washington study looked for just four of the most common spyware programs - Gator, Cydoor, SaveNow, and eZula - on 31,303 computers on the university's system. It found that 5.1 percent of the computers had at least one of the four installed on it, despite the fact that the vast majority of the machines were protected by a network firewall intended to keep out viruses and other malicious intruders.
The study also found security flaws in Gator and eZula that meant they could be "hacked" into by a third party to become more malicious and possibly even take control of a computer.
"This potentially means that there are tens of millions of computers with these programs on them that might be vulnerable to ... attacks," says computer scientist Steven Gribble, who helped conduct the study. Gator has since patched its program to prevent such an attack, he says.
"I'm glad the government is getting involved," Gribble says by phone. "I'm optimistic that legislation will help, but I'm pessimistic that it will solve the problem. My suspicion is that it's going to get worse."
Future legislation may help reduce spyware. But computer users can also take action now to protect themselves. Among the suggestions from experts:
• Think before you click. Download software only from sources you trust. Never download programs offered in pop-up ads.
• Understand what you are downloading. Read the End User License Agreement or other explanatory material, which may contain wording that gives your consent to spyware being loaded onto your computer.
• Install and run trustworthy antispyware software. Spybot Search and Destroy is one favorite of experts and is free at www.download.com. Other reliable products such as PestPatrol (www.PestPatrol.com, $40) may cost money (though PestPatrol has a free trial version that will detect, but not remove, spyware). Internet providers such as Earthlink and AOL are also beginning to offer antispyware programs to their users.
• If you encounter spyware that bothers you, report it to the FTC.
SOURCES: CDT, Monitor research