Applications designed to protect you from outside threats, such as adware and spyware, are becoming so rigid in their default settings that they can block you from accessing useful content online.
Most security software with built-in spyware protection identifies tracking cookies as problematic. While in most cases the security software is doing its job to protect you, the trouble here is that almost every major online portal relies on revenue generated by advertisers that use these third-party cookies.
As a result, people who install the latest spyware-fighting safeguards or who use any of the major Internet security suites often find themselves the unwitting Rapunzels of the Internet, locked away from the outside world by an overprotective caretaker.
"This is caused by the arbitrary manner in which product vendors identity what is a legitimate cookie from what is a potentially harmful spyware code," said Andrew Jaquith, senior analyst at the Yankee Group. "It is way too difficult for antispyware vendors to figure out individual safe cookies so they design their products to kill all of them."
None Shall Pass
For instance, the latest update of Symantec's antispyware software blocks access to legitimate online news publishers because it restricts certain types of tracking cookies used by advertising companies. Similarly, PC Tools, one of the highest-regarded spyware-fighting applications on the market, blocks access to (or issues a warning about) most online news sites because of these cookies.
This reporter has experienced similar restrictive incidents on normally configured desktop and laptop computers running McAfee Internet Security, Microsoft AntiSpyware, Symantec Internet Security, and ZoneLabs Internet Security.
Typically, you buy a security application, install it, and don't bother to adjust the default settings. Those default settings usually can be adjusted to permit access to certain Web sites and allow specific tracking cookies -- in most cases, these cookies are perfectly harmless -- to enter a computer. But some applications do not make it easy for consumers to modify the settings.
This untold secret of the security industry affects potentially millions of consumers. "Clearly, the user doesn't benefit from these default settings," Jaquith said.
Tracking Cookies Galore
No matter where you go on the Internet today, a Web site will place a tracking cookie on your computer. A cookie is nothing more than a small packet of information stored in a text file that a Web site server sends to a Web browser. It contains a few coded characters that identify you to the server.
When you return to a Web site, the cookie alerts the server that you have been there before. These cookies are harmless to the computer. Generally, they contain your preferences and provide you with certain conveniences, such as stored passwords and direct log-on access to restricted pages.
While most of the spyware-blocking software is proactive, there are some software packages that you run on your computer to rid it of infections. Lavasoft's Ad-Aware SE Personal, one such very popular and free program, can find and remove spyware and adware components hidden on hard drives. Ad-Aware presents a list of tracking cookies found in a scan and gives you the option to save them from deletion.
Unlike Ad-Aware and other reactive spyware-fighting programs, most, if not all, of the other anti-intrusion software automatically deletes tracking cookies along with other adware and spyware traces identified in databases of offending codes.
Best of Intentions
Some experts maintain the view that sweeping up cookie crumbs might not be as indiscriminate as it would appear. Natalie Lambert, a security analyst for Forrester Research, said that security software normally detects only the tracking cookies of third-party merchants as a way to protect customers.
"I think that in general, the antispyware vendors are looking out for their customers and customers appreciate that," Lambert said.
Lambert also said that she was unaware of any incidents where Symantec or any other products blocked access to news publishers' Web sites. But if that does happen, she noted, most customers would probably be willing to take the software maker's word for it that what is being blocked is a legitimate threat.
"I see no benefit to antispyware vendors for blocking legitimate Web sites," she said. "So for now, I think that trusting that your antispyware vendor is protecting your computer is a safe assumption. In this particular case, the legitimate site may have been blocked but a tracking cookie was prevented from infecting the user's computer."
According to Richard Stiennon, vice president of threat research for Webroot Software, a maker of a popular spyware-fighting software package, Lambert's assessment of third-party vendors is very much on target. Often, said Stiennon, a third-party service provider or advertiser is responsible for the more insidious tracking code that surreptitiously records Web activity.
"Maybe the fault of removed cookies or blocked access starts with a related third-party used by the Web publisher," said Stiennon.
He rejected theories that antispyware and antivirus vendors are doing anything different in their latest database updates that restricts access to legitimate sites. He said that 99 percent of the software makers employ the same methods they always have used to identify spyware or adware.
If anything, antispyware vendors are treading lightly so as not to cause trouble with other software vendors. Security experts say that antispyware vendors are very mindful about being sued for interfering with any company's legitimate software product.
"The real problem is the unspoken and unholy alliance between Microsoft and other vendors not to stomp too hard on cookies so as not to interfere with their customers," said the Yankee Group's Jaquith. Stiennon agreed, adding, "Some product makers can't risk being sued."
James Whittaker, a computer science professor at the Florida Institute of Technology, said that software vendors have to look beyond stopgap measures to solve the problems of restricted access. "Vendors are bolting on features like a Band-Aid for a bleeding animal. The animal they are trying to heal is still bleeding. So what they are doing is not a solution," he said. "Vendors need to reinvent the wheel to fix their software."
Whittaker said the antispyware segment of the software industry itself is part of the problem. "It is too weak and unreliable," he said. Whittaker also said that hackers only have to find one vulnerability to gain access to a computer. The antispyware vendor, on the other hand, has to plug all the holes.
"Vendors aren't doing anything new. The bad guys install these spyware-detection products to look for access holes," said Whittaker.
Part of the problem is with the way spyware is written, said Webroot's Stiennon. With over 100,000 viruses out there, some antispyware scans are bound to trigger false alarms.
Antispyware programs look for traces and names of files, not just a tell-tale signature string. Sometimes, antispyware scans and antivirus scans conflict with each other, causing nasty results, said Stiennon. "Consumers think that all-in-one programs look for both spyware and viruses together, but that is not really what happens," he said. "Each detection is done with a separate scan using a different scan engine."
The Real Enemy: Browsers
According to Jaquith, most spyware and virus infections enter a computer through the Web browser. In the latest threat report issued by Symantec, the company noted that 70 percent to 80 percent of all spyware is contracted through Web browsers that use ActiveX -- a set of rules for how applications should share information -- and browser-helper objects, which are plug-ins that add functions to Microsoft Internet Explorer.
Jaquith said this vulnerability is one of the biggest arguments in support of dumping IE, which runs on roughly nine out of 10 computers, in favor of alternative browsers.
But if that is not an option, you still can perform a basic adjustment to minimize your browser's vulnerability, Jaquith said. Simply changing the user account status to non-administrator in the Windows XP operating system will go a long way toward safer Web surfing.
"User accounts make it real easy for malware to gain access to the computer," he said. "It's better to run the computer with less access privileges. This will eliminate 70 to 80 percent of the spyware infections before the consumer ever has to run a detection sweep."