Spy vs. Spy

Bill Day wants a second chance.

Day is chief executive of WhenU.com Inc., a New York advertising company that used to smuggle its ''spyware" computer programs onto millions of Internet computers. Spyware programs have long infuriated Internet users by installing themselves without permission, generating a flood of unwanted pop-up advertisements, and even preventing users from uninstalling the offending programs.

''That's the legacy that we're trying to overcome," Day said. Battered by public outrage, WhenU hired Day in late 2004 to chart a new course for the company.

Spyware is a $2 billion industry, according to Internet infrastructure and security company VeriSign Inc. But the enemies of spyware are on the march, and Day and some of his competitors say that Internet advertising companies have a small window of opportunity to change, or die.

Congress is working on legislation to crack down on spyware, while outraged citizens and officials like New York Attorney General Eliot Spitzer have sued major spyware vendors.

Meanwhile StopBadware.org, a consortium formed by Harvard's Berkman Center for Internet and Society and the Internet Institute at Britain's Oxford University, has launched a high-profile effort at consumer education on spyware. The organization, funded by several major technology companies, including Google Inc. and the giant Chinese computer maker Lenovo, tests suspected spyware, then issues detailed reports explaining exactly how the programs work and how they can be modified to make them less offensive.

''We think of it as a neighborhood watch," said StopBadware cofounder John Palfrey, a Harvard law professor.

The pressure seems to be working, as firms like WhenU.com have begun reforming their business practices. ''The company has explicitly stated a strategy of turning over a new leaf," said Palfrey. ''I give them a lot of credit."

Spyware, also known as adware, became a plague in the late 1990s, as millions of people began using the Internet and businesses sought new ways to advertise to them. Some began offering free software that included embedded advertisements. Other companies took this a step further, writing software that would make the ads pop up whenever the user was working on the computer. Adware became known as spyware, because many of the programs track a person's Internet use and relay the data to the advertising company, which then displays relevant ads on people's computers. Many people consider that kind of monitoring to be an invasion of privacy, and resentment grew as the pop-up ads interrupted their work and slowed down computer performance.

But as consumers rebelled, ad companies created ever more intrusive spyware. They developed websites that would install spyware on any computer that visited, without warning the user -- a practice known as ''drive-by downloading." They also designed spyware that hides itself on a computer so it can't be uninstalled. The spyware vendors developed a symbiotic relationship with companies that create free software, such as screen savers and search toolbars. The free software companies bundle the spyware with their products, in exchange for a fee. One of the biggest sources of spyware is the popular file-swapping software Kazaa, used by people around the world to illegally download free music.

Instead of dealing directly with free software providers, spyware makers sometimes sign contracts with third-party distributors, who may share their programs with a host of unsavory clients.

''They have back-room deals with all kinds of strange companies," including pornographers, said Dave Methvin, chief technology officer of PCPitstop.com, a popular Internet security website.

Spyware vendor 180Solutions Inc. of Bellevue, Wash., recently came under fire when its software was found on a site that included child pornography. ''We immediately cut ties with this company," said 180Solutions spokesman Steve Stratz. ''We've reported this incident to the appropriate authorities."

York Baur, 180Solutions' executive vice president of business development, said his company is working hard to overhaul its image. Baur said that 180Solutions now deals directly with the companies that bundle its software, to avoid a repetition of the child-porn incident. He also said that the software flashes a warning to users before it's installed, and afterward. Uninstalling the program is easy, said Baur, and the program doesn't collect any personal information about the user -- just generic data about Web-surfing habits that is uses to select the appropriate ads.

WhenU has gone even further, Day said. Its software doesn't transmit any information about the user at all. Instead, a piece of software on the Internet user's computer tracks his or her surfing style and decides what kinds of ads to display. The program then requests the right ads from the WhenU server.

''All the information about you stays on your computer," Day said.

Methvin thinks that the changes are a matter of survival for spyware vendors. According to the Internet Advertising Bureau, online ad revenue hit $12.5 billion last year, much of it from major consumer products companies. These world-class firms won't do business with advertising companies with a reputation for tacky ads that consumers hate.

''The only way you're going to attract name-brand advertisers," said Methvin, ''is to have a squeaky-clean reputation."

But Methvin also predicted that the companies that really clean up are doomed, because if people have a choice, they'll usually refuse to install advertising software.

Day doesn't buy it. ''Having users in there who don't want the software is of no use to me," he said.

Day said he thinks advertisers will be happy to reach a smaller group of Web surfers who actually want to see their ads.

In any case, said 180Solutions' Baur, it's just a matter of time before federal and state governments outlaw old-school spyware.

Antispyware laws are on the books in California, Arizona, and Utah. The US House has passed two bills to ban software that secretly installs itself and collects personal information without permission. The Senate has passed legislation to help the Federal Trade Commission take action against spyware companies located outside the United States.

''What's happening right now is Darwinism in action," Baur said. ''The people who aren't doing this right are being weeded out."

Hiawatha Bray can be reached at bray@globe.com.