Introduction to Spyware
Software that observes user behavior and collects information under users' noses is often called spyware. These systems have become central to a heated debate regarding online privacy, prompting the U.S. Congress to consider several bills.1 In addition, the very nature of such systems--the collection of data that would not otherwise be available outside of corporate firewalls--raises questions about how companies can remain compliant with privacy-oriented regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA).
What is Spyware?
In its simplest form, spyware is software designed to collect information from computer system users without their knowledge. Typically, spyware can be classified as a type of trojan horse, which is in turn a type of technology-based security incident that allows information security policy to be violated. Figure 1 shows where spyware fits within the broader context of policy enforcement.
Figure 1: Where Spyware Fits