Privacy-Invasive Software

As computers are increasingly more integrated into our daily lives we become more dependent on software. This situation is exploited by villainous actors on the Internet that distribute malicious software in search for fast financial gains at the expense of deceived computer users. As a result, computer users need more accurate and aiding mechanisms to assist them when separating legitimate software from its unwanted counterparts. However, such separations are complicated due to a grey zone of software that exists between legitimate and purely malicious software. The software in this grey zone is often vaguely labelled spyware. This work introduces both user-aiding mechanisms and an attempt to clarify the grey zone by introducing the concept of privacy-invasive software (PIS) as a category of software that ignores the users’ right to be left alone. Such software is distributed with a specific intent (often of commercial nature), which negatively affects the users to various degree. PIS is therefore classified with respect to the degree of informed consent and the amount of negative consequences for the users. To mitigate the effects from PIS, two novel mechanisms for safeguarding user consent during software installation are introduced; a collaborative software reputation system; and automated End User License Agreement (EULA) classification. In the software reputation system, users collaborate by sharing experiences of previously used software programs, allowing new users to rely on the collective experience when installing software. The EULA classification generalizes patterns from a set of both legitimate and questionable software EULAs, so that computer users can automatically classify previously unknown EULAs as belonging to legitimate software or not. Both techniques increase user awareness about software program behavior, which allow users to make more informed decisions concerning software installations, which arguably reduces the threat from PIS. We present experimental results showing a set of data mining algorithms ability to perform automated EULA classification. In addition, we also present a prototype implementation of a software reputation system, together with simulation results of the largescale use of the system.