The clash of motivations: different players in the field

(Text status: main ideas are here, but the text needs further work)

Intro
Karl Marx, one of the controversial thinkers of human history, used the concept of 'the unity and struggle of opposites'. While not in its exact philosophical sense, something similar can be seen in the security context. Here it means the two adversarial sides of security keepers/providers and breachers: yet the "security industry" cannot exist without breachers. Or to quote Freddie Mercury - I can't live with you, I can't live without you...

Another dimension is often added by the need for privacy. More often than not, privacy and security are two extremes of the same scale - total security equals no privacy and vice versa. The main point is to find the optimal balance of the two factors for any given situation. On the other hand, the principle "good security is invisible" applies nearly everywhere, including the online world.

Thus, we can see many conflicting interests and different factions in this field.

Malware makers
Starting from around 2000, spyware (software that forwards information about the host computer and its user to third parties without the user's consent) has gradually replaced viruses as the prime threat to security and privacy on the Internet. Spyware has gradually intertwined with adware (advertisement software); many spyware specimens contain advertisement modules as a part of their "business model". In more modest cases, the 'spying' features focus only on recording the web pages that the user visits (however, these may also be forwarded to the software authors) and the data is used to display relevant advertisements - e.g. if someone regularly visits websites dedicated to hunting, s/he will get ads on outdoor goods, hunting rifles, maps etc.

Gradually, this relatively innocent spying gave way to more serious business, as some of today's spyware targets sensitive information stored in the host computer. Examples include keyloggers, password catchers and sniffers - see the Spyware Encyclopedia for lots of examples. Note that this is a 99.9% Windows-specific phenomenon - combining the widest distribution and the questionable quality of the system, plus the least educated user base.

Ordinary Windows users are more often than not in blissful ignorance, until the machine starts to slow down. There have been cases of people buying new computers due to the old one 'becoming too slow'... It is common for incompetently managed computers to have literally thousands of instances of spyware installed, which seriously hampers their performance.

The most troubling aspect of the problem is the exponential growth trend - what started as a nasty pastime of disillusioned programmers (the early virus era) has gradually grown into a full-fledged business (or organised crime - depending on the point of view). A thorough analysis of the 'spyware business' can be found in the testimony of Ari Schwartz.

Security business
There is a joke about two doctors, father and son. One day a long-time patient of the father goes to the son, and in two months, gets rid of his problem. The son goes proudly to the father: "Dad, you treated Mr. Smith for seven years. I solved his problem in two months!" The father replies: "Son, I used his money to pay for your education."

Of course, security as a business is not a product of the information age. From the early days of mankind, people have paid others to keep them safe. Kings had their guards, countries had their armies. In modern times, we have police and security firms. And probably even the earliest security specialists realised that a) security is about selling a safe feeling, and b) it is wise to keep potential threats at bay, not eliminate them - thus ensuring that there is work for tomorrow as well.

Even if we speak about the security of bits and bytes, the main things remain largely the same. The large companies offering a wide variety of computer security solutions benefit a lot from the chaotic situation on the Net. One might argue that the day when all malware and spam are gone from the Net will be an unhappy one for McAfee, Sophos, Kaspersky, F-Secure... These firms would not like the day when everyone uses Mac or Linux either.

The Big Brother
While there are countries where governmental violations of citizens' privacy have long been established policy (former Eastern Europe, China, Cuba, North Korea), recent years have raised increasing concern over privacy in the so-called democratic countries, especially the US. The countermeasures following the September 11, 2001 attacks introduced a number of developments which substantially reduced privacy. But in fact, similar facilities already existed before 9/11.

One of these was the Carnivore project (initially named Omnivore), which was started in 1997 and which effectively allowed eavesdropping on network communications (e-mail and others). Technically, it was a packet sniffer system, not unlike those used by both malicious users and network security specialists. By 2005, mainstream tools had developed to a comparable level and the FBI ended the project, switching to commercial solutions.

The FBI also developed their own keylogger software called Magic Lantern, which allowed catching keystrokes on a host machine. While this kind of software is abundant among malware, this was one of the first documented cases of governmental use. It also raised an interesting concern among the 'security industry' - whether security software should detect the 'governmental malware' or not. According to Ted Bridis' 2001 article in the Washington Post (which has since been removed from the official site, but a number of copies are available elsewhere), some companies contacted the FBI in order to ensure that their products would not detect the software...

Privacy / human rights organisations
These organisations play an increasing role in balancing the field, especially due to
 * politically motivated privacy violations by governments
 * economically motivated violations by various business and quasi-business (RIAA, BSA) organisations

For discussion

 * Would you rather invest in a fully specialised anti-malware company or a company which has malware fighting as a smaller part of their business?
 * To what extent is governmental surveillance justified? Try to bring arguments for both sides.
 * What can NGOs and citizen initiatives do to counter governmental and business surveillance?

Links

 * What's In a Name? - from the F-Secure Weblog; a very good example of rogue 'anti-spyware' programs which are in fact spyware themselves.
 * Electronic Privacy Information Center
 * Electronic Frontier Foundation