[Senate Hearing 110-1178] [From the U.S. Government Publishing Office] S. Hrg. 110-1178 IMPACT AND POLICY IMPLICATIONS OF SPYWARE ON CONSUMERS AND BUSINESSES ======================================================================= HEARING before the COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION UNITED STATES SENATE ONE HUNDRED TENTH CONGRESS SECOND SESSION __________ JUNE 11, 2008 __________ Printed for the use of the Committee on Commerce, Science, and Transportation U.S. GOVERNMENT PRINTING OFFICE 76-328 WASHINGTON : 2012 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION ONE HUNDRED TENTH CONGRESS SECOND SESSION DANIEL K. INOUYE, Hawaii, Chairman JOHN D. ROCKEFELLER IV, West TED STEVENS, Alaska, Vice Chairman Virginia JOHN McCAIN, Arizona JOHN F. KERRY, Massachusetts KAY BAILEY HUTCHISON, Texas BYRON L. DORGAN, North Dakota OLYMPIA J. SNOWE, Maine BARBARA BOXER, California GORDON H. SMITH, Oregon BILL NELSON, Florida JOHN ENSIGN, Nevada MARIA CANTWELL, Washington JOHN E. SUNUNU, New Hampshire FRANK R. LAUTENBERG, New Jersey JIM DeMINT, South Carolina MARK PRYOR, Arkansas DAVID VITTER, Louisiana THOMAS R. CARPER, Delaware JOHN THUNE, South Dakota CLAIRE McCASKILL, Missouri ROGER F. WICKER, Mississippi AMY KLOBUCHAR, Minnesota Margaret L. Cummisky, Democratic Staff Director and Chief Counsel Lila Harper Helms, Democratic Deputy Staff Director and Policy Director Christine D. Kurth, Republican Staff Director and General Counsel Paul Nagle, Republican Chief Counsel C O N T E N T S ---------- Page Hearing held on June 11, 2008.................................... 1 Statement of Senator Nelson...................................... 2 Statement of Senator Pryor....................................... 1 Statement of Senator Vitter...................................... 2 Witnesses Butler, Arthur A., Attorney, Ater Wynne LLP, on behalf of Americans for Fair Electronic Commerce Transactions (AFFECT)... 12 Prepared statement........................................... 13 Cerasale, Jerry, Senior Vice President, Government Affairs, Direct Marketing Association, Inc.............................. 16 Prepared statement........................................... 18 Edelman, Benjamin G., Assistant Professor, Business Administration, Harvard Business School........................ 29 Prepared statement........................................... 31 Harrington, Eileen, Deputy Director, Bureau of Consumer Protection, Federal Trade Commission........................... 3 Prepared statement........................................... 4 Rotenberg, Marc, Executive Director, Electronic Privacy Information Center (EPIC)...................................... 23 Prepared statement........................................... 24 Weafer, Vincent, Vice President, Security Response, Symantec Corporation, on behalf of the Business Software Alliance (BSA). 35 Prepared statement........................................... 36 Appendix Letter dated June 24, 2008, from John P. Tomaszewski, Esq., Vice President, Legal, Policy and Compliance, TRUSTe, to Hon. Mark Pryor.......................................................... 49 Letter dated June 25, 2008, to Hon. Mark Pryor from Arthur A. Butler, Attorney, Ater Wynne LLP; on behalf of Americans for Fair Electronic Commerce Transactions (AFFECT)................. 52 Response to written questions submitted by Hon. David Vitter to Eileen Harrington.............................................. 55 IMPACT AND POLICY IMPLICATIONS OF SPYWARE ON CONSUMERS AND BUSINESSES ---------- WEDNESDAY, JUNE 11, 2008 U.S. Senate, Committee on Commerce, Science, and Transportation, Washington, DC. The Committee met, pursuant to notice, at 3:07 p.m. in room SR-253, Russell Senate Office Building, Hon. Mark Pryor, presiding. OPENING STATEMENT OF HON. MARK PRYOR, U.S. SENATOR FROM ARKANSAS Senator Pryor. Someone out there told me, don't start being like the airlines, being late on everything. So we won't do that. I'm sorry that I was a few minutes late, but I got caught in a previous meeting. I want to thank Chairman Inouye and Vice Chairman Stevens for holding this hearing to review the efforts by industry, the Federal Trade Commission, and Congress, to combat spyware and its effects on consumers. Specifically, this hearing will look at the impact of spyware on computer performance, along with privacy and security risks associated with this software. In particular, the hearing will consider a bill that I filed, S. 1625, the Counter Spy Act, and that I introduced with Senator Bill Nelson and Senator Boxer. Also, just to let other Senators and other staff know, we thought we'd have this hearing and sit down with our bill and see if we can get some other cosponsors and help us think through some issues there. So I want to thank all the witnesses today for being part of that process. Spyware is a pervasive problem that really I believe demands swift action by Congress to protect American consumers from very significant privacy and security risks. There are very few, if any that I can determine, legitimate reasons for this practice of having spyware in the first place, and there are numbers of reasons why we should do something to try to stop spyware. Basically, I think our bill needs to do two very important things. One is we need a good workable definition of spyware. It's hard to define, but we need to come up with a Federal definition where there's a standard. The second thing is we need to come up with some civil penalties in the event that someone is out there using spyware in an unauthorized manner. We need to have a civil penalty regime so that the FTC knows exactly what they need to do and what steps they need to take. I guess the other part that's kind of implicit in both of those is that we need to make sure that whatever we pass is very consumer-friendly, so consumers know that when spyware is present on their system or asking to be loaded or whatever the case may be, that the consumers have a chance to stop it from being added to their computers in the first place. So with that, what I would like to do is ask Senator Vitter if you have an opening statement. STATEMENT OF HON. DAVID VITTER, U.S. SENATOR FROM LOUISIANA Senator Vitter. Thank you, Mr. Chairman. I'll be very brief. Thank you for this hearing. This is an extremely important topic. I agree with you that it's a really serious problem that we should move absolutely as quickly as possible to address. I certainly want to be part of the discussions and the solution. That's the easy part. The tough part is how we do that effectively. I think the biggest challenge in so many of these issues is to come up with legislation that isn't outpaced or becomes outdated by technology in a month or a year. So I believe we should focus on passing legislation against improper activity and not be too technologically specific, because I think that's going to end up getting us in trouble, having unintended consequences, or just being outdated relatively soon. So I'm very interested in legislation. Some of the things I want to avoid is to enact things that would be technology mandates, to enact things that might unintentionally hamper the ability of the FTC and law enforcement to adopt a technology and that could be interpreted so broadly that it would extend beyond unwanted spyware to affect all web pages or to affect online transactions that folks do want and get some convenience out of. So thank you again for this hearing. I look forward to hearing from the witnesses and asking questions with the goal of helping develop that sort of bipartisan legislation. Senator Pryor. Thank you. Senator Nelson, I'll call on you for an opening statement if you'd like to make one and then ask you to introduce the first witness. STATEMENT OF HON. BILL NELSON, U.S. SENATOR FROM FLORIDA Senator Nelson. Mr. Chairman, you have to go back to a conference committee? Senator Pryor. Yes. Senator Nelson. So I will await your return. Senator Pryor. Thank you. Senator Nelson [presiding]. Consumer Reports in a recent edition had a survey and of the 2,000 people surveyed, one in eleven reported a major spyware infection on their computer. These infections are costly, may well cost over $100 to fix, and the overall calculated impact on the economy is $1.7 billion. That's a figure that's only going to increase. So that's why we filed this legislation. We also hope that the Federal Trade Commission and other law enforcement agencies are going to take further action to pursue to the maximum extent possible foreign spyware developers. Now, in another arena, in the intelligence arena, in the defense arena, we have a particular concern which is not the subject of the discussion here today. But clearly that overlays the problem that we're talking about on consumers today. So we are delighted to have Ms. Eileen Harrington, Deputy Director of the Bureau of Consumer Protection at the FTC. So, Ms. Harrington, your presentation, please. Your lengthy statement will be a part of the record, so if you would just summarize, and then we'll get right into the questions. Thank you. STATEMENT OF EILEEN HARRINGTON, DEPUTY DIRECTOR, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION Ms. Harrington. Thank you very much, Senator Nelson and Chairman Pryor and Members of the Committee. I am Eileen Harrington. Spyware and other malware causes substantial harm to consumers and to the Internet as a medium of communication and commerce. Protecting consumers from this harm is a priority for the Federal Trade Commission and we thank you for giving us the opportunity to appear here today to talk about the FTC's activity in this area and to comment on S. 1625, the Counter Spy Act, which was introduced by Senator Pryor, Senator Boxer, and Senator Nelson. Since 2004 the FTC has brought 11 spyware-related law enforcement actions and, while we certainly haven't solved the spyware problem, our law enforcement efforts have, we believe, had an effect and have reduced the prevalence of pop-up ads generated by nuisance adware. Our spyware law enforcement actions reaffirmed three key principles. The first is that a consumer's computer belongs to him or her, not to the software distributor, and it must be the consumer's choice whether or not to install software. This principle reflects the basic common sense notion that Internet businesses are not free to help themselves to the resources of a consumer's computer. The second principle articulated in our enforcement work is that buried disclosures of material information necessary to correct an otherwise misleading impression are not sufficient, just as they have never been sufficient in more traditional areas of commerce. Specifically, burying material information in an End User License Agreement will not shield a spyware purveyor from Section 5 liability. The third principle underscored by our work is that if a distributor puts a program on a computer that the consumer does not want the consumer should be able to uninstall or disable it. As in so many other areas, cooperation among law enforcement agencies is vital to successful enforcement in the spyware area. Many of the worst abuses connected with spyware are criminal activity in nature and we at the FTC coordinate very closely with our colleagues at the Department of Justice to see to it that these criminals are prosecuted. The FTC also coordinates closely with State law enforcement partners who bring enforcement actions against spyware distributors. Now, in addition to engaging in law enforcement and coordinating with others in the enforcement community, the FTC has made consumer education a priority. In September 2005, the FTC formed a partnership with other Federal agencies in the technology industry to launch a multimedia interactive consumer education initiative, OnGuard Online. The OnguardOnline.gov website now attracts over 350,000 unique visits each month and many organizations have taken the OnGuard Online materials for their own security training. The comprehensive website has general information on online safety as well as sections with specific information on a range of topics, including spyware. Turning to the bill under discussion, S. 1625, we would make two points. First, although we have successfully used Section 5 of the FTC Act to challenge conduct related to spyware distribution under Section 5, legislation authorizing the Commission to seek civil penalties in spyware cases would provide a welcome addition to remedies available to us. Currently under Section 13(b) of the FTC Act we have authority to file actions in Federal district court and to obtain injunctive and equitable monetary relief in the form of consumer redress or disgorgement. In spyware cases, however, restitution or disgorgement may be neither appropriate nor sufficient remedies because consumers often have not purchased a product or a service from the defendants, the harm to consumers may be very difficult to quantify, or the defendant's profits may be slim or difficult to calculate with certainty. In such cases a civil penalty may be a far better remedy and serve as a stronger deterrent. Second, under general consumer protection principles and traditional Section 5 jurisprudence, the Commission need not show knowledge or intent in order to obtain injunctive relief, but several sections of S. 1625 impose an overarching knowledge or intent threshold for enforcement that could create a higher and more difficult evidentiary burden for the FTC in obtaining injunctions in civil spyware cases. Section 5(m)(1) of the FTC Act already requires that the Commission prove knowledge in any civil penalty action. Eliminating the knowledge or intent threshold from S. 1625 would not change the Commission's elevated burden regarding civil penalties, but it would maintain the ordinary burden that we have to meet in order to obtain injunctive relief. So we would recommend that change. I thank you for focusing your attention on this important issue and giving us the opportunity to discuss the Commission's enforcement record. Thank you. [The prepared statement of Ms. Harrington follows:] Prepared Statement of Eileen Harrington, Deputy Director, Bureau of Consumer Protection, Federal Trade Commission I. Introduction Chairman Pryor and members of the Committee on Commerce, Science, and Transportation, I am Eileen Harrington, Deputy Director of the Bureau of Consumer Protection of the Federal Trade Commission (``Commission'' or ``FTC'').\1\ Spyware and other malware can cause substantial harm to consumers and to the Internet as a medium of communication and commerce. Protecting consumers from such harm is a priority for the Commission, and the agency thanks this Committee for the opportunity to describe what the FTC is doing in this area and to provide input on S. 1625, the ``Counter Spy Act'' introduced by Senators Pryor, Boxer, and Nelson. --------------------------------------------------------------------------- \1\ The written statement presents the views of the Federal Trade Commission. Oral statements and responses to questions reflect the views of the speaker and do not necessarily reflect the views of the Commission or any Commissioner. --------------------------------------------------------------------------- This written statement provides background on the Commission's active program to address concerns about spyware and other malware, which includes law enforcement actions and consumer education efforts. First, it discusses the Commission's three key principles related to spyware as illustrated by the eleven spyware-related law enforcement actions the agency has initiated to date. Second, the statement highlights the Commission's consumer education efforts on spyware. Third, the statement offers the Commission's views on the proposed legislation, S. 1625. The Commission has a broad mandate to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.\2\ Although it is often challenging to locate and apprehend the perpetrators, the FTC has successfully challenged the distribution of spyware that causes injury to consumers online. --------------------------------------------------------------------------- \2\ 15 U.S.C. 45. --------------------------------------------------------------------------- Spyware and other malware that is downloaded without authorization can cause a range of problems for computer users, from nuisance adware that delivers pop-up ads, to software that causes sluggish computer performance, to keystroke loggers that capture sensitive information. As described below, the Commission has an active program to address concerns about spyware and other malware, including law enforcement and consumer education. Since 2004, the Commission has initiated eleven spyware-related law enforcement actions.\3\ While the problem of spyware has not been solved, our cases have had a significant effect and, based on our investigative experience, we believe the prevalence of pop-up ads generated by nuisance adware has been dramatically reduced. --------------------------------------------------------------------------- \3\ Detailed information regarding each of these law enforcement actions is available at http://www.ftc.gov/bcp/edu/microsites/spyware/law_enfor.htm. --------------------------------------------------------------------------- II. Spyware Law Enforcement A. FTC Cases The Commission's spyware law enforcement actions reaffirm three key principles. The first is that a consumer's computer belongs to him or her, not to the software distributor, and it must be the consumer's choice whether or not to install software. This principle reflects the basic common-sense notion that Internet businesses are not free to help themselves to the resources of a consumer's computer. For example, in FTC v. Seismic Entertainment Inc.,\4\ and FTC v. Enternet Media, Inc.,\5\ the Commission alleged that the defendants unfairly downloaded spyware to users' computers without the users' knowledge, in violation of Section 5 of the FTC Act. Stipulated permanent injunctions were entered against the defendants in both matters, and defendants were ordered to disgorge more than $6 million, combined. --------------------------------------------------------------------------- \4\ FTC v. Seismic Entertainment, Inc., No. 04-377-JD, 2004 U.S. Dist. LEXIS 22788 (D.N.H. Mar. 22, 2006), available at http:// www.ftc.gov/os/caselist/0423142/0423142.shtm. \5\ FTC v. Enternet Media, Inc., CV 05-7777 CAS (C.D. Cal., Aug. 22, 2006), available at http://www.ftc.gov/os/caselist/0523135/0523135.shtm. --------------------------------------------------------------------------- The second principle is that buried disclosures of material information necessary to correct an otherwise misleading impression are not sufficient, just as they have never been sufficient in more traditional areas of commerce. Specifically, burying material information in an End User License Agreement will not shield a spyware purveyor from Section 5 liability. This principle was illustrated in FTC v. Odysseus Marketing, Inc.\6\ and Advertising.com, Inc.\7\ In these two cases, the Commission's complaint alleged (among other violations) that the defendants failed to disclose adequately that the free software they were offering was bundled with harmful software programs. The orders entered in both cases require the defendants to disclose properly the effects of software programs that they offer in the future. --------------------------------------------------------------------------- \6\ FTC v. Odysseus Marketing, Inc., No. 05-CV-330 (D.N.H. Oct. 24, 2006) (stipulated permanent injunction), available at http:// www.ftc.gov/os/caselist/0423205/0423205.shtm. \7\ In the Matter of Advertising.com, Inc., FTC Dkt. No. C-4147 (Sept. 12, 2005) (consent order), available at http://www.ftc.gov/os/ caselist/0423196/0423196.shtm. --------------------------------------------------------------------------- The third principle is that, if a distributor puts a program on a computer that the consumer does not want, the consumer should be able to uninstall or disable it. This principle is underscored by cases against Zango, Inc.\8\ and DirectRevenue LLC.\9\ These companies allegedly provided advertising programs, or adware, that monitored consumers' Internet use and displayed frequent, targeted pop-up ads-- over 6.9 billion pop-ups by Zango alone. According to the Commission's complaints, the companies deliberately made these adware programs difficult for consumers to identify, locate, and remove from their computers, thus thwarting consumer efforts to end the intrusive pop- ups. Among other relief, the consent orders require Zango and DirectRevenue to provide a readily identifiable means to uninstall any adware that is installed in the future, as well as to disgorge $3 million and $1.5 million, respectively. --------------------------------------------------------------------------- \8\ In the Matter of Zango, Inc. f/k/a 180 Solutions, Inc., FTC Dkt. No. C-4186 (Mar. 7, 2007), available at http://www.ftc.gov/os/ caselist/0523130/index.shtm. \9\ In the Matter of DirectRevenue LLC, FTC Dkt. No. C-4194 (June 26, 2007), available at http://www.ftc.gov/os/caselist/0523131/ index.shtm. --------------------------------------------------------------------------- Similarly, in FTC v. Digital Enterprises, Inc.,\10\ the Commission alleged that the defendants installed software onto consumers' computers that repeatedly launched text and video pop-ups that consumers could not close or minimize. These pop-ups demanded payment for access to the defendants' purported entertainment websites. Among other relief, the September 2007 stipulated permanent injunction requires the defendants to provide a way for consumers to remove the software, bars future downloads without consumer consent, and requires the defendants to pay more than $500,000 for consumer redress. --------------------------------------------------------------------------- \10\ FTC v. Digital Enterprises, Inc. d/b/a Movieland.com, CV06- 4923 (C.D. Cal. Sept. 5, 2007), available at http://www.ftc.gov/os/ caselist/0623008/index.shtm. --------------------------------------------------------------------------- In addition, the agency's law enforcement efforts have alerted the Commission to novel spyware-related consumer protection issues such as the marketing of bogus anti-spyware programs. For example, in FTC v. MaxTheater, Inc.\11\ and FTC v. Trustsoft, Inc.,\12\ the FTC alleged that the defendants made false claims to consumers about the existence of spyware on their machines and then used these false claims to convince consumers to conduct free ``scans'' of their computers. These scans would identify innocuous software as spyware, helping to persuade consumers to purchase the defendants' spyware removal products at a cost of between $30 and $40. Moreover, the FTC alleged, the defendants claimed their spyware removal products could effectively uninstall many different types of known spyware programs, but the defendants' products did not perform as promised. In both cases, courts entered stipulated permanent injunctions prohibiting the claims and requiring the defendants to disgorge a total of nearly $2 million. --------------------------------------------------------------------------- \11\ FTC v. MaxTheater, Inc., No. 05-CV-0069 (E.D. Wa. Dec. 6, 2005), available at http://www.ftc.gov/os/caselist/0423213/0423213.shtm. \12\ FTC v. Trustsoft, Inc., No. H-05-1905 (S.D. Tex. Nov. 30, 2005), available at http://www.ftc.gov/os/caselist/0523059/0523059.shtm. --------------------------------------------------------------------------- B. Cooperation with Department of Justice and State Law Enforcement As in so many other areas, cooperation among law enforcement agencies is vital to successful law enforcement in the spyware arena. Many of the worst abuses connected with spyware are criminal,\13\ and, in appropriate cases, the Commission coordinates closely with the Department of Justice. For example, in FTC v. ERG Ventures, LLC,\14\ the FTC's complaint alleged that the defendants secretly downloaded multiple malevolent software programs, including spyware, onto millions of computers without consumers' consent. The defendants also allegedly tricked consumers into downloading harmful software by hiding the malicious programs within seemingly innocuous free software. The U.S. Attorney's Office for the District of Columbia launched a parallel criminal investigation, and executed search warrants simultaneously with the filing of the FTC's civil case.\15\ --------------------------------------------------------------------------- \13\ See, e.g., Department of Justice, Computer Crime & Intellectual Property Section, Computer Crime News Releases, available at http://www.usdoj.gov/criminal/cybercrime/ccnews.html. \14\ FTC v. ERG Ventures, LLC, 3:06-CV-00578-LRH-VPC (D. Nev. Oct. 3, 2007), available at http://www.ftc.gov/os/caselist/0623192/ index.shtm. Pursuant to the stipulated order entered by the court in the FTC action, the defendants must disgorge $330,000. A permanent injunction also bars the defendants from downloading software onto consumers' computers without disclosing its function and obtaining consumers' consent prior to installation, bars them from downloading software that interferes with consumers' computer use, and bars false or misleading claims. \15\ See FTC News Release, Court Shuts Down Media Motor Spyware Operation (Nov. 13, 2006), available at http://www.ftc.gov/opa/2006/11/ mediamotor.shtm. --------------------------------------------------------------------------- The Commission also coordinates with state partners who bring their own law enforcement actions against spyware distributors. The FTC has established a Federal-state spyware law enforcement task force to discuss issues and trends in spyware law enforcement. The task force consists of representatives from agencies such as the Department of Justice and state attorneys general. Federal criminal and state law enforcement actions are a critical complement to the FTC's law enforcement actions. III. Education In addition to engaging in law enforcement, the FTC has made consumer education a priority. In September 2005, the Commission and a partnership of other Federal agencies and the technology industry launched a multimedia, interactive consumer education initiative, OnGuard Online, along with a Spanish-language version, AlertaenLinea. The OnGuardOnline.gov site now attracts over 350,000 unique visits each month, and many organizations have adapted the OnGuard Online materials for their own security training. The comprehensive website has general information on online safety, as well as sections with specific information on a range of topics, including spyware. The spyware module includes up-to-date information, as well as interactive features like quizzes and videos. As part of the OnGuard Online initiative, the FTC also has distributed a million copies of the brochure and two million copies of the bookmark, ``Stop Think Click: 7 Practices for Safer Computing,'' with information on spyware and other computer safety topics. The FTC also has issued a Consumer Alert on spyware, as well as Alerts addressing other online security issues such as viruses and peer-to-peer file sharing.\16\ --------------------------------------------------------------------------- \16\ See. e.g., P2P File-Sharing: Evaluate the Risks (Feb. 2008), available at http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/ alt128.shtm; Botnets and Hackers and Spam (Oh, My!) (June 2007), available at http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/ alt132.shtm, Spyware (July 2005), available at http://www.ftc.gov/bcp/ conline/pubs/alerts/spywarealrt.shtm:, Detect, Protect, Dis-infect: Consumers Online Face Wide Choices in Security Products (Sept. 2004), available at http://www.ftc.gov/bcp/conline/pubs/alerts/idsalrt.shtm; see generally http://www.ftc.gov/bcp/menus/consumer/tech/privacy.shtm. --------------------------------------------------------------------------- IV. Legislative Steps to Address Spyware Although the FTC has successfully challenged conduct related to spyware dissemination under Section 5, legislation authorizing the Commission to seek civil penalties in spyware cases could add a potent remedy to those otherwise available to the Commission. Currently, under Section 13(b) of the FTC Act, the Commission has the authority to file actions in Federal district court and to obtain injunctive relief and equitable monetary relief in the form of consumer redress or disgorgement. It has been the agency's experience in spyware cases, however, that restitution or disgorgement may not be appropriate or sufficient remedies because consumers often have not purchased a product or service from the defendants, the harm to consumers may be difficult to quantify, or the defendants' profits may be slim or difficult to calculate with certainty. In such cases, a civil penalty may be the most appropriate remedy and serve as a strong deterrent. Accordingly, the Commission is pleased that S. 1625 provides the Commission this valuable law enforcement tool. Last June, FTC staff provided this Committee with technical comments to S. 1625. Of the various suggestions respectfully made by staff, one important aspect of the bill relating to both injunctive relief and civil penalties stands out. Under general consumer protection principles and traditional Section 5 jurisprudence, the Commission need not show knowledge or intent in order to obtain injunctive relief: that is, for stopping the violative conduct itself. But, several sections of S. 1625 impose an overarching knowledge or intent threshold for enforcement that could create an additional--and often very challenging--evidentiary burden for the FTC in obtaining injunctions in civil cases. Moreover, Section 5(m)(1) of the FTC Act already requires the Commission to prove knowledge in any action where civil penalties are sought. Eliminating the knowledge or intent threshold from the bill would not change the Commission's elevated burden regarding civil penalties, while maintaining the ordinary burden for obtaining injunctive relief.\17\ The agency looks forward to working with the Committee regarding the knowledge and intent aspects of the legislation, as well as any of the other important considerations raised by staff's technical comments. --------------------------------------------------------------------------- \17\ Indeed, removing the knowledge or intent requirements from S. 1625 would be consistent, for example, with the approach in the CAN- SPAM Act. See 15 U.S.C. 7706(e) (granting the FTC authority to seek cease-and-desist orders and injunctive relief without alleging or proving knowledge). Spam raises similar enforcement issues to spyware regarding quantifying consumer injury and defendants' profits. --------------------------------------------------------------------------- V. Conclusion The FTC will continue its aggressive law enforcement and innovative consumer education programs in the spyware arena. The FTC thanks this Committee for focusing attention on this important issue, and for the opportunity to discuss the Commission's law enforcement program. Senator Nelson. Senator Vitter? Senator Vitter. Thank you, Mr. Chairman. Thank you very much for your testimony. In October 2005, then Chairman Majoras had a discussion with Senator Allen about these issues and I believe Senator Allen asked if new notice and consent requirements would help combat spyware. The then Chair testified that she didn't think that it would do so because studies showed the more consumers are bombarded with disclosure and consent requirements the more they don't read them and sort of let them pass by and ignore them. What's your reaction to that question? Ms. Harrington. I think probably our view has not changed, but, more importantly, I think the nature of the spyware problem has shifted some, from the sort of pervasive pop-up and nuisance ads that adware brought us, to far more malicious and malevolent consequences from spyware. I think that it's very unlikely that criminals using spyware to take over consumers' computers and cause them to do bad things would comply with notice requirements. These are criminals and their stock in trade is to sneak around. Senator Vitter. OK. What do you think our general approach should be in terms of how technology specific we have to be or to what extent we can avoid that? Ms. Harrington. Well, we certainly know from what is really a very brief period of time during which the Internet has operated as a principal method of commerce that the technology shifts very quickly. To the extent that the Congress chooses to legislate in this area, I recommend staying away from specific technology and favoring broad principles like those that are found in Section 5 of the FTC Act, which as an enforcement tool has proven over the decades to be a marvelously flexible and resilient statute. The FTC Act was adopted in the earlier part of the 20th century and it has stood us very well. It is the statute that we have used to stop spyware purveyors in 11 enforcement actions. That kind of flexibility in a statute is very helpful when the technology changes virtually overnight. Senator Vitter. OK, that's all I have right now, Mr. Chairman. Senator Nelson. Ms. Harrington, you note that one of the Commission's spyware enforcement principles is a consumer should be able to uninstall or disable unwanted spyware. In the Zango and DirectRevenue consent orders, this principle was interpreted requiring those parties to provide a readily identifiable means to uninstall. How is that readily identifiable means identified? How is it defined? Ms. Harrington. The order sets the standard. The test is whether a reasonable consumer having the experience of having that software loaded onto his or her computer can readily see how it is that it can be uninstalled. It's really a reasonable consumer standard that's incorporated in those orders. Senator Nelson. So it's not a case by case analysis? Ms. Harrington. Well, do you mean for purposes of complying with that order, Senator, or across the board? Senator Nelson. Of defining it. Ms. Harrington. Well, we would always look case by case to see whether--but employing the reasonable consumer standard. That is how the Commission proceeds also in using Section 5 as an enforcement tool and it is how the courts have interpreted Section 5 and ordered relief. Senator Nelson. Do you need to include an operating system toolbar? Ms. Harrington. Do you need to? Senator Nelson. Does the readily identifiable means need to include an operating system toolbar? Ms. Harrington. I'm going to turn to one of our lawyers who's right behind me who worked on that case. Senator Nelson. Does the---- Ms. Harrington. I don't want to give a wrong answer. Senator Nelson. OK, come on up. Ms. Harrington. It doesn't necessarily require a toolbar, Senator, but we would generally think that the consumer would look to the add-remove function to find and remove the software. Or there could be a link that the consumer could use to get to the add-remove. Senator Nelson. And if it's another kind of spyware, there would be another kind of toolbar to remove? Ms. Harrington. Any software that would be loaded onto the consumer's computer would need to be easily found and removed. I think generally we would expect that it would be very apparent when the add-remove function is chosen. But a link would work as well. Senator Nelson. Do you think some clear rules or definitions might be helpful to consumers so that they would know where to look for this uninstall tool? Ms. Harrington. I think that generally, that the standard that requires that it be readily apparent and useable would be a better standard in a situation where the technology and format are changing frequently. So I would be concerned about tying by rule to a particular technique for removal. I think that the better approach would be to require that it be readily apparent and accessible to consumers, and we would assume that over time what that means would change; in very specific terms what it means would change with the technology. Senator Nelson. What if the spyware is a keystroke logger and it's capturing all of the keystrokes that the computer user uses, such as it is trying to get passwords or personal information? Ms. Harrington. Well, that's criminal. Senator Nelson. It is. But what about a toolbar to remove that? How would you go about that? Ms. Harrington. How would I go about that? I think that it would be unlikely, frankly, that someone installing a keystroke logger would willingly put a clear and apparent tool right before the consumer to alert him or her to the fact that the keystroke logger has been loaded on and to allow them to remove it. The whole purpose of that kind of software is to surreptitiously steal information from consumers. Senator Nelson. So how does the consumer clean his computer of that spyware? Ms. Harrington. It may be that the consumer's security program that presumably includes a scan function that can be regularly run, will identify that program. Typically, when you run those kinds of scans you get a box with a report that tells you what you have and it's really easy to remove. If the software can't be detected by those kinds of programs, and the really bad stuff that we're talking about oftentimes flies under that radar, the consumer may not be able to discern its presence on his or her computer until something really bad happens, and then the consumer has to backtrack to try to figure out how his or her information fell into the hands of bad guys. It may be very tough for consumers to know that they have that kind of software on their computer. Senator Nelson. What percentage of the spyware do you think currently originates outside of the United States? Ms. Harrington. We don't have a way of measuring that, but we certainly know that there are problems with malevolent software that shows up through spyware, through e-mail on people's computers. We know that there are big problems with that kind of material originating outside of the United States. But we don't have a way of measuring it, just as we don't have a way of measuring the totality of spyware that's loaded onto consumers' computers, whether it comes from within or outside of the United States. Senator Nelson. Do we need to give the FTC new tools to go after these foreign bad actors? Ms. Harrington. Well, we're very grateful to the Congress for having given us some new tools a couple of years ago in the U.S. SAFE WEB Act. We have enhanced authority now to share information with foreign counterparts and obtain information from them, and we are using it in nonpublic investigations all the time, and we're most appreciative of the Congress for giving us those authorities. Senator Nelson. So we have enough? We don't need more? Ms. Harrington. We're in good shape now, thank you. Senator Nelson. How well do commercial anti-spyware applications work? Ms. Harrington. Well, some work well and some don't work well. Some anti-spyware applications are actually hawked by crooks to put more spyware on your computer instead of taking it off. So there's quite a spectrum of performance. But the reputable software companies that are selling anti-virus and security software sell reasonably good products, and if you visit our OnGuardOnline website, we recommend that everyone make sure to have good security programs on their computer and run them regularly. Senator Nelson. Well, the government and the commercial anti-spyware providers seem to have been talking for quite a while now and still the message isn't getting out to a lot of consumers. How can we do it better? Ms. Harrington. Well, first of all, we would urge everyone, every government and commercial entity that cares about this to have a link to OnGuardOnline right on their website. It is a very consumer-friendly site with really easy-to-understand and use directions about how to protect your computer from a host of bad things and how to prevent oneself from experiencing bad experiences in the online environment. So help us get the message out. I think that to the extent that the manufacturers of anti-spyware software and other security products can continue to make these products very user friendly, anything that we can do to encourage movement in that direction is a good thing. These products have become far more user friendly. I know, I can actually use them reasonably well myself now and I used to find them to be quite difficult. Senator Nelson. Yesterday's New York Times carried a story about the Attorney General of New York going after child pornography and it seemed like an inventive way that he was doing it, by going and holding the people who convey the information accountable. First of all, would you comment on what it is, explain it, and then tell us what you think about it? Ms. Harrington. Well, I've read the same press accounts that you have. That's what I know about this. But my understanding is that the agreement that the attorney general of New York entered into is with three large ISPs, and the ISPs have agreed to block their users from accessing sites that have been identified as containing child pornography material. This is an agreement or a settlement. I don't know what the underlying legal theory is. I noted in some of the press accounts that I read this morning that some are raising First Amendment concerns. Beyond that, I really don't know more about that agreement. Stepping back, there are certainly times when companies that operate portals or control the means of access have been able to step up and use that influence and leverage to shut off or discourage bad activity. That's not a new approach. I really don't know about this particular settlement and how effective it will be at eliminating the problem that they're seeking to address. Senator Nelson. Senator Vitter? Senator Vitter. I'm fine. Thank you, Mr. Chairman. Senator Nelson. Well, Ms. Harrington, thank you very much for your testimony. Ms. Harrington. Thank you, Senator. Senator Nelson. We would ask the second panel to please come up. We are very pleased to have Mr. Arthur Butler, who is with the Americans for Fair Electronic Commerce Transactions; Mr. Jerry Cerasale, who is Senior Vice President, Government Affairs with Direct Marketing Association; Mr. Marc Rotenberg, Executive Director, the Electronic Privacy Information Center; Dr. Benjamin Edelman, who is at the Harvard Business School; Mr. Vincent ``WAE-fer''---- Mr. Weafer. ``WEE-fer.'' Senator Nelson. ``WEE-fer,'' who is Vice President, in Security Response with the Symantec Corporation, and on behalf also of the Business Software Alliance. We'll start in the order that you are listed on the agenda. Mr. Butler. And what I want you to do, I don't want you to sit here and read a statement to us. We're going to take your printed statements. That's going to be a part of the record. So what we want you to do is talk to us. So, Mr. Butler. STATEMENT OF ARTHUR A. BUTLER, ATTORNEY, ATER WYNNE LLP, ON BEHALF OF AMERICANS FOR FAIR ELECTRONIC COMMERCE TRANSACTIONS (AFFECT) Mr. Butler. Good afternoon. My name is Art Butler. I'm an attorney with the Ater Wynne law firm in Seattle, Washington, and I'm here today on behalf of AFFECT, which is a diverse group of nonprofits and commercial entities, including consumer groups, who are firmly committed to promoting the growth of fair and competitive transactions in software and other digital products. I first wanted to commend Senator Pryor and the other cosponsors of the Counter Spy Act for introducing what we think is a very important piece of legislation and for holding this hearing, because you, like the members of AFFECT, are very worried about the privacy and security issues that are presented by spyware. As our long statement indicates, we firmly support S. 1625 because we believe that spyware is an insidious problem that desperately needs to be addressed. The sad fact is that every computer in the United States is under attack from numerous sources that are trying to surreptitiously install or prevent the removal of spyware programs that will allow the spies to intercept or gain partial control of the user's interaction with his or her computer without obtaining the user's informed consent. Often the spyware that is introduced contains what are called back doors, which essentially are ways in which a computer spy can get around normal authentication and remotely gain control over the computer and avoid detection. Once someone gains control of your computer, they can install all kinds of different devices to compromise the security of that computer. In fact, it is generally agreed that spyware represents a significant threat to the security of any user's computer system and data. While we support the bill, we do have a major concern with the exceptions section of the bill. That is due to, one, the fact that really we don't see that any of the exceptions that are listed there are really needed or justified. But we're particularly concerned about the exception in subsection 6(a)(10) which would permit a provider to monitor or interact with a computer in order to prevent or detect the unauthorized use of software, fraudulent or other illegal activities. We think this language is overly broad and it would in effect permit or protect activities which could be harmful to computer users in direct opposition to the objective of the bill. It would in effect allow a software vendor to freely monitor everything that's on a user's computer, essentially setting them up as an ad hoc police force to conduct warrantless searches and seizures. We don't think that private entities should be allowed to engage in law enforcement activities. The most troubling fact to us is the fact that that language would permit a software vendor to unilaterally remotely disable the software on a computer or to disable a network connection or service. Often the question about whether use is unlawful or fraudulent or illegal is subject to legitimate dispute, and it really merits some judicial consideration before you allow a software vendor to unilaterally employ such a drastic remedy as remote disablement. This is a major concern to our members and we have in our long statement given examples of cases where you have seen software purveyors unilaterally decide that they didn't get an adequate license payment and then just go in and shut down someone's computer, causing some very significant negative consequences for the computer user. But it's also important to realize that a lot of these disputes never make it to the courthouse steps because the balance of harm that's caused by someone unilaterally shutting down your computer is so far against the computer user that the mere threat that that can be used will cause the user to essentially cave in to the demands of a vendor. We are particularly concerned about what happens when someone remotely accesses a computer and attempts to disable it because that act alone can cause damage to other files owned by the computer user and the simple fact is that the existence of that code that allows remote access and disablement can present a vulnerability that will allow security breaches by hackers, by saboteurs, by industrial and foreign government spies, and by terrorists. This is a major issue for our group, for both the smaller users and the large users. We have a suggestion for an amendment to subsection 6(a)(10) that would essentially limit that to the detection or prevention of fraudulent or other illegal activities as prohibited by the Act, which we think is the appropriate limitation there. Thank you. I'd be glad to respond to any questions. [The prepared statement of Mr. Butler follows:] Prepared Statement of Arthur A. Butler, Attorney, Ater Wynne LLP, on Behalf of Americans for Fair Electronic Commerce Transactions (AFFECT) Good afternoon. My name is Art Butler. I am an attorney with Ater Wynne LLP in Seattle, Washington. I am very pleased to appear before you today on behalf of AFFECT (Americans for Fair Electronic Commerce Transactions) at this important hearing on the impact and policy implications of spyware on consumers and businesses. AFFECT is a national coalition of consumer representatives, retail and manufacturing businesses, insurance institutions, financial institutions, technology professionals, librarians, and public interest organizations committed to promoting the growth of fair and competitive commerce in software and other digital products. We commend you, Chairman Pryor, and all the sponsors of the Counter Spy Act (S. 1625), for introducing this important bill because, like you, our members are very worried about the privacy and security risks associated with spyware. AFFECT strongly supports S. 1625. However, we are very concerned with the exception provision and believe it is overly broad. In our view, it could in fact be construed to protect wrongful acts that can result in great harm to computer users. We believe this section is in direct opposition to the laudable purpose of the bill and hope very much that you will consider the amendment which we propose today. AFFECT's Concerns with Spyware AFFECT has been active in representing the interests of software consumers in the debates about the appropriate language to be included in anti-spyware legislation in several states and has advocated strenuously that these legislatures not adopt exception language so broad that it swamps the prohibitions that are designed to protect computer users. Since AFFECT began actively educating legislators in the states of the potential for damage, creation of security vulnerabilities, and for invasion of privacy and unauthorized search and seizure in relation to consumers' computers due to the exception language in question--the language has failed to pass in even one state legislature. The sad fact is that every computer in the United States is under attack from numerous sources trying to surreptitiously install or prevent removal of spyware that will allow the spy to intercept or take partial control over the user's interaction with the computer, without the user's informed consent. While the term ``spyware'' suggests software that secretly monitors the user's behavior, the functions of spyware extend well beyond simple monitoring. Spyware can collect various types of personal information, interfere with the user's control of the computer, change computer settings, result in slow connection speeds, loss of Internet or other programs, disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further infections. It can enable identity theft and fraud. Often spyware will contain a ``backdoor,'' which is a method of bypassing normal authentication, securing remote access to a computer and obtaining access to plaintext, while attempting to remain undetected. Someone who has gained access to your computer can install many types of devices to compromise security, including operating system modifications, software worms, key loggers, and covert listening devices. Some backdoors, such as the Sony/BMG rootkit \1\ distributed silently on millions of music CDs through late 2005, are intended as digital rights management (DRM) measures and, in that case, as data gathering agents, since both surreptitious programs they installed routinely contacted central servers. The copy prevention software Sony/ BMG included on its CDs was automatically installed on Windows desktop computers when customers tried to play the CDs. The software interferes with the normal way in which the Microsoft Windows operating system plays CDs, opening security holes that allow viruses to break in, and causing other problems.\2\ --------------------------------------------------------------------------- \1\ A ``rootkit'' is a program designed to take fundamental control of a computer system, without authorization by the system's owners and legitimate managers. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. Often, they are also Trojans as well, fooling users into believing they are safe to run on their systems. \2\ As a result, a number of parties filed lawsuits against Sony/ BMG; the company eventually recalled all the affected CDs. --------------------------------------------------------------------------- It is generally agreed that spyware represents a significant threat to the security of any computer owner's data. Even for large enterprises spyware represents a serious threat to the integrity of intellectual property, confidential data, and personally identifiable information of employees and customers. Accordingly, AFFECT supports legislative efforts, like S. 1625, that are designed to curb the use of harmful spyware.\3\ --------------------------------------------------------------------------- \3\ S. 1625 (Pryor), introduced in June 2007, would protect against the unauthorized installation of software that is used to take control of a computer in order to cause damage, collect personal information without consent, or otherwise enable identity theft. --------------------------------------------------------------------------- AFFECT's Concerns with the Exception Provision of S. 1625 AFFECT has concerns with the exception section of S. 1625, section 6, which is overly broad and could be construed to protect wrongful acts that can result in great harm to computer users in direct opposition to the purpose of the bill. We are particularly concerned about Subsection 6(a)(10), which would permit a provider to monitor or interact with an individual's computer, or Internet or other network connection or service for the ``detection or prevention of the unauthorized use of software fraudulent or other illegal activities.'' The reference to ``unauthorized'' is too vague and raises a number of questions. ``Authorized'' by whom? What is the process for authenticating the identity of the person using the software? And what are the standards for determining whether that person has the authority to perform a certain operation, and who decides? This language would allow a software vendor to surreptitiously download code onto a user's computer and freely violate the user's privacy by monitoring everything on his or her computer, as long as it did so under the guise of looking for unauthorized use, fraudulent, or illegal activities. It would allow the provider to set itself up as an ad hoc police force to conduct warrantless searches and to act as judge and jury to conduct unilateral seizures. Private entities do not and should not have the right to conduct law enforcement activities. More troubling is the fact that the language of Subsection 6(a)(10) would effectively allow a software provider to unilaterally decide to remotely shut down the user's computer or Internet or other network connection or service. But whether the use of a particular software is ``unauthorized,'' ``fraudulent,'' or ``illegal'' is often subject to legitimate dispute and merits some judicial consideration before a provider is allowed to unilaterally employ a drastic remedy like remote disablement. Permitting unilateral remote disablement is simply bad public policy. Unilateral remote disablement can cause great harm to any computer owner who depends on access to and use of that computer, connection or service. For example, the shutdown of an owner's system can cause great harm to:a teacher using a computer to prepare for classroom lectures; an insurer depending on a computer system to pay claims; a manufacturer trying to deliver its products to meet contractual commitments; or the public's access to online library materials. That harm can be significantly larger than the harm to the software vendor (not getting a license fee). Even large enterprises are concerned about the threat of remote disablement. There have been a number of reported cases where software developers unilaterally determined that licensees didn't make appropriate payments and simply shut down the computer programs.\4\ The most widely reported was a case where a small software developer, Logisticon, Inc., installed malware within warehouse-management software delivered to cosmetic company, Revlon Inc. When the parties got into a dispute over whether the software had bugs and didn't perform as promised, Revlon withheld payment. Logisticon then tapped into Revlon's computers and disabled the program, which paralyzed Revlon's shipping operations for 3 days. Losses to Revlon were about $20 million. Revlon sued, charging extortion. Logisticon claimed this was simply ``electronic repossession.'' The case was settled out of court. --------------------------------------------------------------------------- \4\ Other cases include the following: In 1998 in Franks & Sons, Inc. v. Information Solutions, Inc., the software developer installed a ``drop-dead'' code in the program. When the customer failed to pay as promised, the developer activated the drop-dead code, which prevented the customer from accessing the software as well as any stored information. The customer didn't know about the drop-dead code, and the court found that it would be unconscionable to allow the software developer to hold the licensee ransom as it did. In 1991, in American Computer Trust Leasing v. Jack Farrell Implement Co., 763 F. Supp. 1473 (D. Minn. 1991), the software developer, in a dispute over payment for the software, remotely deactivated the software. The contract provided that the developer, who owned the software, could remotely access the licensee's computer in order to service the software and that, if the licensee defaulted, the agreement was canceled. When the licensee didn't pay, the developer told the licensee that it was going to deactivate the program, which it promptly did. The licensee sued for damages, but the court ruled in favor of the developer on the grounds that the deactivation was ``merely an exercise of [the developer's] rights under the software license agreement . . .'' There have been many other cases involving software developers either putting drop-dead code in their products or remotely disabling code when they thought the other party was in breach. For example, a Dallas medical device software developer was sued in 1989 for using a phone line to deactivate software that compiled patients' lab results. The case was settled. In 1990, during a dispute about the performance of a piece of code, the developer simply logged in and removed the code, until the licensee released the developer from any liability. The licensee claimed that the general release was signed under duress, since he was being held economic hostage. Art Stone Theatrical Corp. v. Technical Programming & Support Systems, Inc., 549 N.Y.S. 2d 789 (App. Div. 1990). In 1991, in Clayton X-Ray Co. v. Professional Systems Corp., 812 S.W.2d 565 (Mo. Ct. App. 1991), a company involved in a payment dispute logged into the licensee's computer and disabled the software. When the licensee tried to log on to see its files, all it saw was a copy of the unpaid bill. A jury awarded the licensee damages. In Werner, Zaroff, Slotnick, Stern & Askenazy v. Lewis, 588 N.Y.S. 2d 960 (Civ. Ct. 1992), a law firm contracted with a company to develop billing and insurance software. When the software reached a certain number bills, and when the developer decided it had not been paid sufficiently, it shut down the software disabling access to the law firm's files. The law firm sued successfully. --------------------------------------------------------------------------- Clearly many disputes never make it to the courthouse steps because the balance of harm to be done via exercise of remote disablement is so overwhelmingly against the computer user that the mere threat of its use puts the user in an unfair position, and it must cave to the demands of the software vendor. The ability to unilaterally disable a user's computer or critical software running on it provides the software, network, or service provider undue leverage in a dispute even if the remedy is not exercised. Faced with a crippling and possibly even fatal disruption of its business, a user could be intimidated into relinquishing its rights and setting up precedents for its further disadvantage. This is because the risk to the provider that it will be held to have acted improperly is indefinite and its potential liability severely limited. Even if a provider wrongly exercises the remote disablement, it is unlikely the injured user will be able to recover money damages for the harm resulting from this action, including losses to the user's business attributable to the wrongful act, because providers routinely disclaim consequential damages in their licensee agreements; in fact, they routinely limit recoverable damages to the amount of the license fee. Moreover, in reaching into an individual's computer remotely to disable software residing on that computer, the software provider may not only violate privacy rights, but also damage the computer owner's other files. And the monitoring and remote disablement of software on an owner's computer by an outsider may compromise private information of employees, confidential and proprietary information of the owner, and, in some cases, national security information. As a result, it is possible that they could put an owner into breach of obligations it has under other laws (e.g., Health Insurance Portability and Accountability Act). The simple fact is that the code used to remotely enter a computer and disable the software or the network connection makes the computer vulnerable to security breaches by hackers, saboteurs, industrial and foreign governmental spies, and terrorists. The consequences of a successful intentional or even accidental misuse of a computer system range from loss of confidentiality to loss of system integrity, which may lead to more serious concerns, like data theft or loss, or, in the case of a business, significant financial losses or worse. When there is an opportunity to negotiate, many enterprises, including governmental entities, will insist that their software license agreements contain a warranty prohibiting any ``self-help code'' or other software routing designed to disable a computer program automatically or that is under the positive control of a person other than the licensee of the software. Unfortunately, with mass market licenses individual consumers and businesses are not able to negotiate for a ``no self-help code'' warranty. Proposed Amendment S. 1625 is a commendable piece of legislation that addresses a real problem faced by computer users throughout this country. AFFECT supports it, but strongly recommends that the exception provision of S. 1625 should only limit liability for interaction with a network, service, or computer that is undertaken to detect or prevent fraudulent or other illegal activities as prohibited by the act itself. Therefore, AFFECT proposes that Section 6(a)(10) of the bill be amended as follows: ``(10) detection or prevention of the unauthorized use of software fraudulent or other illegal activities as prohibited by this Act.'' Conclusion On behalf of AFFECT, thank you very much for the opportunity to appear before you today and for your consideration of our concerns. I would be happy to answer any questions you might have. Senator Nelson. Mr. Cerasale? STATEMENT OF JERRY CERASALE, SENIOR VICE PRESIDENT, GOVERNMENT AFFAIRS, DIRECT MARKETING ASSOCIATION, INC. Mr. Cerasale. Senator Nelson, Members of the Committee: Thank you for the opportunity to appear here today. I'm Jerry Cerasale, Senior Vice President for Government Affairs for the Direct Marketing Association, an association of 3,600 marketers who present offers and services to consumers directly. It is important in that kind of a business model that we have trust, that the consumer trust the marketer, but the consumer also has to trust the channel of marketing, and that's what we're here talking about today. In the past 3 years we have moved quite a ways in trying to prevent spyware, and I think we have to praise quite a few groups. One is Congress for constantly looking at this and putting pressure on us. The second are the software vendors, one of whom is sitting here on the table with me, for producing excellent products to go after and being able to remove objectionable software. Third, organizations, TRUSTe and even DMA, for setting up guidelines and establishing education. DMA has worked with, partnered with, the Federal Trade Commission and OnGuard Online. Finally but not least, law enforcement, looking at the Federal Trade Commission, the Department of Justice, and the State Attorneys General, pursuing bad actors. DMA supports removal of objectionable software and the means to do that. Our guidelines that we produce that all our members have to follow--and it's attached to my larger testimony--bans or prohibits putting on software that takes over someone's computer. It requires for installing other software that there be notes, that there be an easy means to uninstall or disable the program, that there be contact information concerning the organization that put the software on the computer so that the consumer can contact them, and that there be an easy, identifiable link to the privacy policy of that organization. So we have taken these steps and will continue to look at it more, and we had to write these guidelines in looking at it being not technologically, not focused on one technology, but to try and be broader so that as we get changes tomorrow and the next day, that we do not have to go back and rewrite our guidelines. We have a few specific comments concerning S. 1625. As we look at Section 4(b)(2) of the bill, we think also that this can be read very broadly and can in fact be used to cover legitimate advertising practices, those same practices that have helped create Cyber Monday to be a larger shopping day than Black Friday or support the great amount of free content on the Internet. We think, our suggestion is, in the previous Congress Section 4(b)(2) had an additional provision in it dealing with bad acts, and we think that that is a suggestion we have for Section 4(b)(2). As we look on, and I have to comment on Section 6(a)(10), one of the things to be careful about when looking at legislation or regulation in anti-fraud arenas is that we have, many of our members have anti-fraud provisions and those are out there to protect users from identity theft, and they have been fairly successful and successful in stopping credit card fraud and so forth. So as you look at things looking at the exceptions in 6(a)(10) is to make sure that we don't have unintended consequences there. Finally, 6(a)(8) and (9), giving limited liability. Our concern here is that it will remove accountability for software vendors. We think that this is very important, to have this accountability. Objectionable software is a subjective term and you can disagree on it. Many DMA members have written to and contacted software vendors whose software has removed their particular software on someone's computer and they have been able to work it out, very, very reputable organizations. Sometimes there has not been a resolution, and where do you go if there's not a resolution on this subjective term? Finally, there are some software vendors who don't answer phone calls, who don't respond to letters, and who don't respond to e-mails. If you have this kind of argument on a subjective issue, where do you go? So we're very concerned that you, Congress not eliminate accountability. Thank you very much. [The prepared statement of Mr. Cerasale follows:] Prepared Statement of Jerry Cerasale, Senior Vice President, Government Affairs, Direct Marketing Association, Inc. I. Introduction and Summary Good morning, Mr. Chairman and Members of the Committee. I am Jerry Cerasale, Senior Vice President for Government Affairs of the Direct Marketing Association, and I thank you for the opportunity to appear before the Committee as it examines S. 1625 and the spyware issue in general. The Direct Marketing Association, Inc. (``DMA'') (www.the-dma.org) is the leading global trade association of businesses and nonprofit organizations using and supporting multichannel direct marketing tools and techniques. DMA advocates industry standards for responsible marketing, promotes relevance as the key to reaching consumers with desirable offers, and provides cutting-edge research, education, and networking opportunities to improve results throughout the end-to-end direct marketing process. Founded in 1917, DMA today represents more than 3,600 companies from dozens of vertical industries in the U.S. and 50 other nations, including a majority of the Fortune 100 companies, as well as nonprofit organizations. Included are catalogers, financial services, book and magazine publishers, retail stores, industrial manufacturers, Internet-based businesses, and a host of other segments, as well as the service industries that support them. DMA and our members appreciate the Committee's outreach to the business community on this important issue. I note at the outset that this is a complicated issue. In part due to congressional attention, over the past several years there have been significant developments that have fundamentally improved the consumer experience as it relates to spyware. Where once, just three short years ago, invasive pop-up ads, drive-by downloads, and software that hijacked computers were on the rise, consumers in 2008 experience fewer such unwanted practices. Industry guidelines for legitimate software downloads, strong self- regulation, major technological improvements, and Federal Trade Commission (``FTC'') and state Attorney General enforcement have all contributed to the current, significantly improved environment where the prevalence of spyware has been vastly reduced. While DMA supports the Committee's interest in combating spyware, given that the marketplace has evolved considerably since previous Congresses considered this issue, we believe that a statutory approach that would cover a broad range of software downloads and online marketing might not achieve the desired purpose of limiting spyware, but might have the unintended effect of interfering with important e-commerce and marketing functionalities. Internet growth over the past 10 years has been nothing short of remarkable, and this growth is fueled by the seamlessness of interactions of content, software, advertising, and other services. The dramatic rise of the Internet is evident in the dollar amounts consumers spend purchasing products through Internet sales. Last year, on Cyber Monday, the busiest Internet shopping day of the year, shoppers spent more than $733 million online.\1\ This represents an increase of 21 percent from the same day the previous year and is more than the amount shoppers spent on Black Friday.\2\ --------------------------------------------------------------------------- \1\ Cyber Monday is the first Monday following Thanksgiving. In 2007, Cyber Monday fell on November 26. The Friday after Thanksgiving Day is known as Black Friday and is traditionally the largest brick and mortar shopping day of the year. \2\ See http://www.comscore.com/press/release.asp?press=1921. --------------------------------------------------------------------------- Additional statistics demonstrate the staggering growth in e- commerce. The U.S. Census Bureau, which releases quarterly retail e- commerce statistics, recently reported that estimated retail e-commerce sales for the 1st quarter of 2008 were $33.8 billion, an increase of 13.6 percent from the 1st quarter of 2007. The Census Bureau also noted that 1st quarter e-commerce sales accounted for 3.4 percent of total sales.\3\ --------------------------------------------------------------------------- \3\ U.S. Census Bureau, Quarterly Retail E-commerce Sales, 1st Quarter 2008, May 15, 2008. See http://www.census.gov/mrts/www/data/ pdf/08Q1.pdf. --------------------------------------------------------------------------- As these and similar figures suggest, the Internet revolution has had a tremendous impact on economic growth. The Internet has become a preferred mechanism of commerce for many consumers, and a key part of multi-channel sales efforts for businesses. This phenomenon has changed the way products and services reach the market, and enables consumers to shop in an environment that knows no restrictions on time or place. II. Strong Guidelines, Technology, and Enforcement Have Reduced the Need for Legislation The combination of strong industry guidelines, anti-spyware technologies, and enforcement of existing laws over the past 3 years has limited pernicious software downloads, reducing spyware's threat to the positive consumer experience online. Together, we are winning the battle against such malicious practices. That said, this battle will be ongoing. Today's solutions and remedies may be obsolete tomorrow. As technology continues to evolve rapidly, so too will the challenges posed by spyware and related bad practices. A. Industry Guidelines DMA has long been a leader in establishing comprehensive self- regulatory guidelines for its members on important issues related to privacy and e-commerce, among many others. DMA and its member companies have a major stake in the success of electronic commerce and Internet marketing and advertising, and are among those benefiting from its growth. Our members understand that their success on the Internet is dependent on consumers' confidence in the online medium, and they support efforts that enrich a user's experience while fostering consumer trust in online channels. Understanding the importance of standards and best practices in building consumer confidence, DMA, working with its members, in 2006 developed and adopted standards for software downloads as part of our Guidelines for Ethical Business Practice (``Guidelines''), to specifically discourage illegitimate software download practices that threaten to undermine electronic commerce and Internet advertising.\4\ In our experience, industry guidelines are the most effective way to address concerns that arise in the continuously changing technological landscape. Such guidelines are flexible and adaptable in a timely manner so as to cover bad practices and not unintentionally or unnecessarily cover legitimate actors. These software guidelines and an analysis of their requirements are attached. --------------------------------------------------------------------------- \4\ Use of Software or Other Similar Technology Installed on a Computer or Similar Device, DMA Guidelines for Ethical Business Practice, at 21 (attached) (available at http://www.the-dma.org/ guidelines/EthicsGuidelines.pdf). --------------------------------------------------------------------------- B. Current Law Enforcement Efforts Technology, self-regulation, and enforcement of existing laws are adequately addressing the problems caused by spyware. In the past couple of years, law enforcement officials have been using existing enforcement tools to pursue sources of spyware. The FTC has aggressively pursued adware companies engaging in improper business practices. Since 2004, the Commission has brought more than 10 such cases under its deceptive and unfair practices authority.\5\ In addition, the Department of Justice (``DOJ'') is actively combating spyware under the Computer Fraud and Abuse Act and the Wiretap Act, also with more than 10 cases to date.\6\ The states have been an important part of the enforcement efforts in this area as well, with state attorneys general using their fraud and consumer protection laws to target distributors of spyware.\7\ Strong enforcement of existing laws, combined with industry self-policing and innovative technologies, thus, have drastically slowed the spread of spyware and its effects. As these efforts indicate, continued dedication of resources to enforcement has proven an effective response to spyware. --------------------------------------------------------------------------- \5\ See, e.g., In the Matter of DirectRevenue LLC, FTC File No. 052-3131 (filed Feb. 16, 2007); In the Matter of Sony BMG Music Entertainment, FTC File No. 062-3019 (filed Jan. 30, 2007); FTC v. ERG Ventures, LLC, FTC File No. 062-3192 (filed Nov. 29, 2006); In the Matter of Zango, Inc. f/k/a 180solutions, Inc., FTC File No. 052-3130 (filed Nov. 3, 2006). \6\ CFAA, 18 U.S.C. 1030; Wiretap Act, 18 U.S.C 2511. See, e.g., U.S. v. Jerome T. Heckenkamp, http://www.usdoj.gov/criminal/ cybercrime/heckenkampSent.htm; U.S. v. Christopher Maxwell, http:// www.usdoj.gov/criminal/cybercrime/maxwellPlea.htm. \7\ For example, New York attorneys general over the past few years, as well as other attorneys general, have been actively pursuing cases against companies for deceptive practices in connection with spyware and adware. See New York Attorney General settlement with online advertisers, http://www.oag.state.ny.us/press/2007/jan/ jan29b_07.html; settlement with DirectRevenue, http:// www.oag.state.ny.us/press/2006/apr/apr04ab_06.html. --------------------------------------------------------------------------- C. Marketplace Technology Has Adapted to Combat Spyware The technological tools available to consumers to prevent spyware also have seen significant improvement in their effectiveness. These tools are highly sophisticated, user friendly, and widely available, and in many instances are available at no cost to the consumer. For instance, today's anti-spyware software is proactive in detecting malware before it can penetrate a consumer's personal computer, thereby eliminating frustrations of spyware by preventing it from ever being downloaded. Consumers also have access to new web browsers with stronger security features and better warning features. In addition, as spyware became a problem, industry responded by installing anti-spyware software onto personal computers before shipping them to customers. This service provides personal computers with an early vaccination against spyware. III. Specific Concerns about S. 1625 I would like to take this opportunity to discuss specific comments regarding S. 1625, which is pending before the Committee. We believe that the significant developments described warrant reevaluation of certain provisions of this legislation by the Committee, which we hope that the sponsors of this bill and the members of the Committee will consider. DMA is concerned that Section 4(b)(2) of the bill could create compliance uncertainty, which could, in turn, limit current and future critical e-commerce functions designed to make the Internet browsing experience seamless. For this reason, DMA believes that Section 4(b)(2) should be tailored to specifically target ``bad practices,'' rather than create the regulation of many legitimate information practices resulting from software. The current language in Section 4(b)(2) could be interpreted to extend well beyond regulating ``surreptitious surveillance'' practices. We recommend that any restriction on data collected and correlated with a user's online history be narrowed, as this bill did the last time it was considered and approved by this Committee by adding the language contained in the previous bill. Our suggestion would apply only if the computer software was installed in a manner designed to conceal from a computer user the fact that the software was being installed and would perform an information collection function. This type of approach would make clear that the bill targets deceptive acts--which should be the objective of any such legislation--and does not restrain legitimate practices. DMA also is concerned about Sections 6(a)(8) and (9), the provisions that would bestow limited liability on a business that removes ``objectionable content'' or software used in violation of the Act. While on its face, the authority to remove ``objectionable content'' may appear reasonable, the term ``objectionable'' is not defined and, as a consequence, section 6(a)(8) would allow any anti- spyware entity to act unilaterally, and without review, to block any material that it defines as ``objectionable.'' Under this authority, for example, an anti-spyware tool would be free to identify and remove anti-fraud software from a computer, with no liability for doing so, or for fraudulent activities that may then be perpetrated, or it could use the unfettered discretion provided for in this subsection to block a competitor's access even if that competitor has the specific consent of the user. Moreover, it could do so without any notice whatsoever to the user. We are, therefore, concerned that this provision would grant full immunity to a business that oversteps its power to remove legitimate content and causes harm to another business or the user. This type of broad immunity would have negative consequences for consumers by undermining their personalized Internet experience. For instance, what may be ``objectionable content'' to an anti-spyware entity may be a consumer's valued tool bar or personalized cookie. For similar reasons, DMA has concerns about Section 6(a)(9), which would permit a business to remove software used in violation of sections 3, 4, or 5 the Act. In previous versions of this bill, this type of immunity has been referred to as a ``Good Samaritan'' provision. We are concerned that providing limited liability to providers acting under ``Good Samaritan'' protection may also have unintended consequences for consumers and businesses. DMA supports a provider's ability to remove or disable a program employed to perpetrate a bad act. However, we are concerned that a provision as broad as Section 6(a)(9) would allow a provider to remove legitimate software without consequence. The current framework, under which existing laws are used to hold anti-spyware companies liable for removal of legitimate software, has served as an important check on overreaching by such providers and should be preserved. In addition, the policy goal underlying a ``Good Samaritan'' exemption is unclear. This type of protection would limit liability for violations for providers of anti-spyware software that remove spyware from a computer. The operative provisions of Sections 3, 4, and 5 impose liability for causing the installation of software on a machine, not removing software. Thus, it is unclear why a provision limiting liability for ``removal'' of software is even necessary. Given the fact that it would limit liability where none exists in the first instance, DMA suggests that this provision be deleted. Finally, DMA recommends that the exemption provided in the definition of ``software'' (Section 12(14)) be modified to include ``cookies and any other software that performs a similar or identical function or functions.'' By limiting the exemption solely to cookies, the bill is essentially regulating technology rather than conduct. As a result, the bill would foreclose the inclusion of new and innovative technologies that perform a similar or identical function as a cookie. This type of limitation would stifle innovation. IV. Conclusion In summary, the combination of advances in industry self- regulation, enforcement, and technology, coupled with concerns about interfering with legitimate uses of software for marketing purposes, necessitates that certain sections of S. 1625 be revisited. If regulation is necessary, and we believe that it is unclear that a need for legislation remains in light of recent technological innovations, it should be drafted in manner that does not undermine current efforts or upset consumers' expectations regarding the types of available, legitimate online marketing. I thank you for your time and the opportunity to speak before your Committee. I look forward to your questions and to working with the Committee on this legislation. Attachment 1 Analysis of DMA Guidelines The Direct Marketing Association requires member organizations to adhere to its Guideline on Use of Software or Other Similar Technology Installed on a Computer or Similar Device, which encourages members to provide notice and choice regarding software that may be downloaded onto a consumer's personal computer or similar devices (attached). This Guideline clearly states that marketers should not install, have installed, or use, software or other similar technology on a computer or similar device that initiates deceptive practices or interferes with a user's expectation of the functionality of the computer and its programs. Such practices include software that takes control of a computer, modem hijacking, denial of service attacks, and endless loop pop-up advertisements. This Guideline also is clear that businesses should not deploy programs that deceptively modify or disable security or browser settings or prevent the user's efforts to disable or uninstall the software. DMA's Ethics Policy Committee evaluates compliance with its guidelines and regularly publishes summaries of outcomes of matters considered. Penalties can include removal from membership, referral to the Federal Trade Commission, and public disclosure of concern. This Guideline also details responsible practices for marketers offering software or other similar technology that is installed on a computer used to further legitimate marketing purposes. Specifically, such programs must provide a user with clear and conspicuous notice and choice at the point of joining a service or before the software or other similar technology begins operating on the user's computer, including notice of significant effects of having the software or other similar technology installed. Marketers also must give the user an easy means to uninstall the technology and/or disable all functionality. Finally, marketers should always provide an easily accessible link to privacy policies and contact information, as well as clear identification of the company making the offer. Given the rapid evolution of technology, DMA believes that self- regulation is the most effective means for setting business standards for legitimate marketing. Guidelines like those published by DMA and TRUSTe condemn deceptive practices, strive to protect consumers, and foster legitimate Internet advertising and marketing. Guidelines are flexible and adaptable to changes in markets, business practices, and advances in technology. Another issue that DMA has sought to address through self- regulatory best practices is the role of advertisers in ensuring that their advertisements are being disseminated responsibly. In some instances, there may be advertisers with good intentions who do not understand where their ads are appearing online. To help address some of these issues, DMA adopted best practices regarding online advertising networks and affiliate marketing.\8\ These best practices state, among other things, that marketers should obtain assurances that their partners will comply with legal requirements and DMA's Guidelines for Ethical Business Practice, undertake due diligence in entering into these partnerships, define parameters for ad placement, and develop a monitoring system for online advertising and affiliate networks. These should limit the appearance of advertisements related to spyware. --------------------------------------------------------------------------- \8\ See DMA Best Practices for Online Advertising Networks and Affiliate Marketing (attached) (available at http://www.the-dma.org/ guidelines/onlineadvertisingandaffiliatenetworkBP.pdf). --------------------------------------------------------------------------- Attachment 2 Excerpt from the DMA Guidelines for Ethical Business Practice Use of Software or Other Similar Technology Installed on a Computer or Similar Device Article #40 Marketers should not install, have installed, or use, software or other similar technology on a computer or similar device that initiates deceptive practices or interferes with a user's expectation of the functionality of the computer and its programs. Such practices include, but are not limited to, software or other similar technology that: Takes control of a computer (e.g., relaying spam and viruses, modem hijacking, denial of service attacks, or endless loop pop-up advertisements) Deceptively modifies or deceptively disables security or browser settings or Prevents the user's efforts to disable or uninstall the software or other similar technology Anyone that offers software or other similar technology that is installed on a computer or similar device for marketing purposes should: Give the computer user clear and conspicuous notice and choice at the point of joining a service or before the software or other similar technology begins operating on the user's computer, including notice of significant effects* of having the software or other similar technology installed Give the user an easy means to uninstall the software or other similar technology and/or disable all functionality Give an easily accessible link to your privacy policy and Give clear identification of the software or other similar technology's name and company information, and the ability for the user to contact that company * Determination of whether there are significant effects includes, for example: Whether pop-up advertisements appear that are unexpected by the consumer Whether there are changes to the computer's home page or tool bar Whether there are any changes to settings in security software, such as a firewall, to permit the software to communicate with the marketer or the company deploying the software, or Whether there are any other operational results that would inhibit the user's expected functionality Cookies or other passive means of data collection, including web beacons, are not governed by this Guideline. Article #37 provides guidance regarding cookies and other passive means of data collection. Attachment 3 June 2006 DMA's Internet Marketing Advisory Board (IMAB) Best Practices for Online Advertising Networks and Affiliate Marketing Online marketers using advertising and affiliate networks should: 1. Obtain assurances that the online advertising and affiliate network is in full compliance with state law, Federal law, and the DMA Guidelines for Ethical Business Practice. 2. Perform due diligence on prospective network advertising partners and make sure you are working with reputable firms. Additionally (if possible), obtain a sample list of current advertising clients. Due diligence should also include either: (1) asking for a full disclosure of eligible sites, or (2) a review of processes to limit access to unwanted sites or channels. When partnering with an aggregate site online advertising and affiliate networks should provide the marketer with a sampling of sites that are in their network. Due diligence should encompass the entire process from the marketer to the end consumer. 3. Always utilize a written contract/agreement. This will provide you the greatest possible control over your ad placement. This will also be the mechanism by which you devise and enforce formulas and/or guidelines for where and how online ads will be placed. 4. Include specific parameters that must be employed to determine placement of your online ads in written agreements. Altering of offer by an advertising or affiliate network is prohibited. If laws, guidelines or set standards are violated your contract with the violating advertising or affiliate network should be terminated. 5. Develop a system to routinely monitor your ad placements as well as your contract with any online advertising or affiliate network. Senator Nelson. Mr. Rotenberg? STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER (EPIC) Mr. Rotenberg. Thank you very much, Senator, and thank you for the opportunity to testify today. The Electronic Privacy Information Center has a long-term interest in the ability of the Federal Trade Commission to police business practices that impact American consumers. We have worked with the FTC now for almost a decade to try to ensure that the Section 5 authority is used to protect consumers because if consumers do not have trust and confidence in the electronic marketplace clearly it's not good for consumers or businesses. Of course, the concerns about spyware are very real and the costs are very real. For consumers it's not only their privacy and personal information, it's also the risk that financial details of bank account information, checking account information will be disclosed to others. It's the risk of identity thieves. It's the risk frankly simply of the hassle of having to monitor your personal computer to make sure that there's no improper surveillance taking place on your private activity. So we see a real urgency in addressing the spyware issue and ensuring that the Federal Trade Commission has the authority, has the necessary tools to crack down on these activities. Now, since you've asked us to make some brief remarks and because my full statement will be entered into the hearing record, I thought it might be helpful to place this bill a little bit in the context of where we've been and where I think we may be going. This bill addresses the specific problem of products, applications and techniques that are placed on the consumer's computer that surreptitiously take information from the user or exploit vulnerabilities on the computer's system. Clearly these are bad practices. They should be prohibited. I think there are some changes that could be made in terms of scope and definition that might make the bill a little bit more effective. But I also think it's important to understand that this is simply one category of spyware and that there are other types of activities which I think you need to be aware of. We have concerns, for example, about Internet service providers that now view the opportunity to intercept communications, the routine Internet traffic of their customers, for advertising purposes. From our perspective that's a form of spyware and if it's not addressed in this legislation perhaps it could be addressed somewhere else. We're concerned about similar techniques that might be deployed against mobile telephones. A lot of information, personal information, is available on phones. These phones are becoming more sophisticated. They're essentially mobile computers and many of the same concerns about privacy protection and spyware exist there as well. Even the advertising techniques on social networking sites such as Facebook which make it possible for third party developers to get access to a lot of detailed personal information they don't really need access to is another issue we hope the Committee will consider. Again, it may not be possible to get to all these issues with this legislation, and we do think this legislation is a step in the right direction. But I think it is important as the Committee thinks broadly about evolving business practices to be aware of these threats. Now, to speak specifically about some of the recommendations that we would make for S. 1625, which we do favor--it's an important bill--we think it is clearly important to expand the FTC authority in this area so that when they do pursue these investigations we think it's important that the FTC authority not preempt State authority. We already have very important examples. In Washington State, for example, the State attorney general was able to go after a company that actually claimed it was offering a product to help people with spyware. The way it did it was to put up advertising on the user's computer which said: Oh, we've detected spyware on your computer; you need to purchase our product. Well, the State attorney general was able to go after that company and reached a million dollar settlement. We think those types of innovative investigations and prosecutions are very important. There is an issue with the exclusion for liability. A company under one provision in the bill would be given very broad authority to install spyware and we think that really needs to be reined in a bit and it is an exception. I don't think it's too difficult to deal with. Finally, the category of information that the bill protects, what we think of as personally identifiable information, of course is changing very rapidly. Ten years ago we might have said, well, it's a person's telephone number and maybe their Social Security number. Now we need to think about their identity or user number on a Facebook or social networking service, because that's also a unique identifier that makes it possible to identify someone. Even a person's password information, the person's Internet protocol address that's uniquely linked to a computer, is a type of personally identifiable information. We think those changes could be made in the bill as well. But it is important legislation. It takes on part of the problem and I hope the Committee will be able to act favorably on it. [The prepared statement of Mr. Rotenberg follows:] Prepared Statement of Marc Rotenberg, Executive Director, Electronic Privacy Information Center (EPIC) Senator Pryor, Chairman Inouye, Senator Stevens and members of the Committee, thank you for the opportunity to testify today on the topic of spyware and S. 1625, the Counter Spy Act. My name is Marc Rotenberg and I am Executive Director of the Electronic Privacy Information Center. EPIC is a non-partisan research organization based in Washington, D.C. EPIC was founded in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC recently filed a complaint at the Federal Trade Commission on the specific problem of commercial spyware.\1\ Spyware, adware, and other information collection techniques are a growing threat to the privacy of Internet users. Computer users have noticed the effects. Ninety percent of users say they have adjusted their online behavior out of fear of falling victim to software intrusions.\2\ The Webroot automated threat research tool has identified more than half a million different potential malware sites since January 2005.\3\ Spyware can cause significant degradation in system performance, result in loss of Internet access and impose substantial costs on consumers and businesses.\4\ Spyware can assert control over the operation of computers.\5\ The privacy risks of spyware include the theft of private information, monitoring of communications and tracking of an individual's online activity.\6\ Importantly, privacy threats are growing not just in numbers, but also in type. Traditional spyware, adware and tracking cookies are now joined by other threats such as mobile device spyware,\7\ ``stalkerware,'' and the potential for social networking applications to function as spyware. Spyware comes from several sources including online attackers, organized crime, marketing organizations and trusted insiders.\8\ A new motivation for the cyber criminal is that spyware has become a profitable business.\9\ Individuals can also deploy spyware against each other.\10\ Some ISP's have also begun to install their own spyware-like services.\11\ These threats require vigorous policy response. Policy must be able to innovate to recognize new challenges while substantively protecting consumer privacy. Notice and Consent Schemes Do Not Adequately Protect User Information Ultimately, users must be able to control how and when information about them is used, disclosed and held. Solutions which rely on simple notice and consent will not adequately protect users. A recent survey of California consumers showed that they fundamentally misunderstand their online privacy rights.\12\ In two separate surveys almost 60 percent of consumers incorrectly believed that the presence of ``privacy policy'' meant that their privacy was protected.\13\ In a different survey, 55 percent of participants incorrectly believed that the presence of a privacy policy meant that websites could not sell their address and purchase information. Users also routinely click through notices. The Pew Internet and American Life Project found that 73 percent of users do not always read agreements, privacy statements or other disclaimers before downloading or installing programs.\14\ In such an environment, merely giving notice to users before the collection of sensitive information from their computers fails to adequately protect privacy in the way consumers expect. Consumer data should instead receive substantive protection. Information should be kept securely, and users should have the ability to know what data about them is being kept, who it has been shared with, and to withdraw consent for the holding of this data. Further, data should only be collected and kept for specified purposes. Important security information should also receive protection, even if it does not identify a user. The Counter Spy Act places conditions on software that collects information such as the user's Social Security number and driver's license number. It also protects as ``sensitive personal information'' information such as financial account numbers when combined with passwords or other security codes.\15\ Password and access information to other accounts, such as e-mail or social networking, are not included. EPIC recommends that strict protection be afforded to security information, such as username/password pairs, encryption keys, biometric data, or other access control information. The mining of this information may not lead directly to identity theft and other financial harm, but facilitates its spread. Gaining access to a user's non- financial accounts allows further information to be collected and further crimes perpetrated. Compromised accounts may have valuable information stored in them or be used to originate further malware attacks, including by impersonating the compromised account. Privacy Requires Strong and Innovative Enforcement EPIC supports giving the FTC the ability to seek treble fines and penalize pattern or practice violations, as section 7 of the Counter Spy Act does. These changes will improve the FTC's effectiveness in pursuing repeat offenders, and also change the economic incentives and disincentives for purveyors of spyware. Several states are using innovative policies to protect their citizens' privacy. Spyware legislation has been passed in several states, including Alaska,\16\ Arizona,\17\ California,\18\ Florida,\19\ Georgia,\20\ Illinois,\21\ Indiana,\22\ Iowa,\23\ Louisiana,\24\ Nevada,\25\ New Hampshire,\26\ Rhode Island,\27\ Texas,\28\ Utah,\29\ and Washington.\30\ The Utah statute, for example, makes provision for a private cause of action which may be brought by a mark owner who does business in Utah and is directly and adversely affected by the violation.\31\ In such a suit a mark owner may recover the greater of $500 per each ad displayed or actual damages.\32\ State Attorneys General have pursued spyware providers under state spyware laws. Washington State successfully applied the Washington State Computer Spyware Act \33\ (Spyware Act) to stop Secure Computer's use of their free computer scan that always detects spyware leading to instructions to buy their Spyware Cleaner product in a $1,000,000 settlement.\34\ The State alleged violations under the state's Spyware Act, Federal and state spam laws, and the state Consumer Protection Act.\35\ The Attorney General's Office accused the company of ``falsely claiming computers were infected with spyware'' to entice the consumer to pay for their program that claimed to remove it.\36\ The settlement required the company to inform consumers of their right to a refund and pay a $1,000,000 judgment. For these reasons EPIC recommends that the Counter Spy act not preempt state laws and state enforcement actions, as section 11(b) does. Federal law should set a baseline of privacy protection. It should not cap it. EPIC recommends that the limitation in section 6(a)(10) be removed. The Counter Spy Act's liability limitations broadly permit monitoring of users' computers and personal information for the ``detection or prevention of the unauthorized use of software fraudulent or other illegal activities.'' \37\ These limitations should be scaled back. The determination of whether uses are unauthorized, fraudulent or illegal may be complicated. Privacy Threats Beyond Traditional Spyware Programs Information collection online is not performed solely with spyware programs executed on user's computers. Third-party and opt-out cookies present growing threats. The proliferation of mobile devices means a potential new place for spyware to act. Internet service providers are begging to deploy their own adware and profiling services in ways which users will find difficult, if not impossible, to detect. Important user information is leaving the desktops and instead is residing on online social networking profiles. This information includes sensitive personal information such as contact information, one's social and business relationships, political interests, sexual orientation, as well as the contents of communications. Further, online social networking sites are increasing their own information collection practices. A ``cookie'' is information about a particular user's identity and browsing behavior that web servers store on his computer, typically without his consent.\38\ Cookies permit a user to customize his interface with a particular website, for example by automatically entering his username and password.\39\ However, since cookies can match an individual user to his interests and browsing habits, they are increasingly placed, gathered, and exploited by advertisers and others with a commercial interest in precisely targeting ads and services.\40\ Anyone with access to that user's cookies can track his browsing history and gather information about his behavior and identity.\41\ As a result, Internet users who are concerned about privacy are widely encouraged to routinely purge the cookies they have accumulated or to refuse cookies from websites that require them.\42\ The recent Google/Doubleclick merger raises significant privacy issues because of the planned merger of the Google search engine database with Doubleclick's extensive data collection accomplished with third-party cookies.\43\ EPIC filed a complaint with the FTC urging the Commission to impose privacy protections upon the merger, concluding: Google's proposed acquisition of DoubleClick will give one company access to more information about the Internet activities of consumers than any other company in the world. Moreover, Google will operate with virtually no legal obligation to ensure the privacy, security, and accuracy of the personal data that it collects. At this time, there is simply no consumer privacy issue more pressing for the Commission to consider than Google's plan to combine the search histories and website visit records of Internet users.\44\ In November 2007 Facebook launched its Beacon service.\45\ Beacon collects information from Facebook users when engaged in actions on other websites. Facebook then uses this information to broadcast advertisements to that user's friends on Facebook, alerting them of the actions that the user took on these other websites. Initially, Facebook only provided a brief opportunity for an opt-out. Facebook later added an opt-in system, and the option to globally opt out of Beacon. Shortly after Beacon's launch, security researchers showed that Facebook is receiving information even from those who are not logged in to Facebook and are not Facebook members.\46\ Users of social networking sites are also exposed to the information collection practices of third party social networking applications. On Facebook, installing applications grants this third party application provider access to nearly all of a user's information.\47\ Significantly, third party applications do not only access the information about a given user that has added the application. Applications by default get access to much of the information about that user's friends and network members that the user can see. This level of access is often not necessary. Researchers at the University of Virginia found that 90 percent of applications are given more access privileges than they need.\48\ These features may be exploited and the information used for other purposes. Investigators at the BBC took 3 hours to write an application that collected information that had been marked as unable to be shared with friends.\49\ Facebook, as part of its response, cautioned that users should ``employ the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop.'' \50\ Mobile device spyware also presents a future privacy threat, with unique features due to the mobile environment. In December 2006, McAfee reported on a new kind of mobile phone spyware, called SymbOS/ Mobispy.A.\51\ SymbOS/Mobispy.A installed on phones and recorded incoming and outgoing SMS messages.\52\ It also tracked the phone numbers of all dialed and received calls. Mobile tracking presents unique dangers because it allows the tracker to determine the user's location. While the data may be able to follow users anonymously it may also easily identify them--they are likely at home in the evenings. Location information should receive significant protection from tracking applications. A new more insidious form of adware has been tested in the United Kingdom, and at least one U.S. company has announced it will also use the system.\53\ British Telecom contracted with the former adware company Phorm to create secret profiles of its users.\54\ Users' traffic was routed via Phorm boxes, which replaced ads on the pages users were visiting with its own targeted ads. In the U.S., Charter communications announced that it will monitor consumers' browsing in order to serve them targeted ads.\55\ Charter sent several of its users cryptic notices of an ``enhancement'' to their web browsing experiences.\56\ The letter pointed users to a website with more details, including the claim that ``[t]here is no application downloaded onto a user's computer and, therefore, there is no ``adware'' or ``spyware'' on your computer from Charter in this enhanced service.'' \57\ Thus a system that is functionally equivalent to spyware, and more dangerous due to its undetectability, is touted as safer because it does not reside on the victim's computer. Finally, some companies market spyware directly for consumers to use for stalking and other criminal activities. These technologies are promoted to consumers to spy on e-mail and instant message exchanges, record websites visited, and capture passwords and logins. EPIC has filed a complaint with the FTC against such ``Stalker spyware,'' highlighting the unfair and deceptive practices used to market this software.\58\ These practices include the promotion of illegal surveillance targets, the promotion of ``Trojan Horse'' e-mail attacks, and the failure to warn purchasers of the legal consequences of illegal use. We hope the FTC will take action on this complaint and take action against these firms. Conclusion Privacy online continues to face many threats, both from criminal entities as well as intrusive commercial ventures. Substantive consumer protections and innovative enforcement strategies are necessary to protect consumers from the evolving threat of information collection online. These threats include not just traditional spyware, but also the merger of online consumer databases, new social networking features, mobile spyware and stalker spyware. EPIC recommends passage of Counter Spy Act in line with the changes pointed out above. The Counter Spy Act should not preempt state law or enforcement; it should protect important security information like username/login pairs; and the liability limitations should be narrowed. Congress should also be aware of other developing threats to privacy beyond traditional spyware programs. Footnotes \1\ Complaint, Request for Investigation, Injunction and Other Relief, In the Matter of Awarenesstech.com, et al., (March 6, 2008), http://epic.org/privacy/dv/spy_software.pdf. \2\ Pew Internet & American Life Project, Spyware: The Threat of Unwanted Software Programs is Changing the way People use the Internet, 2 (July 2005), available at http://pewinternet.org/pdfs/ PIP_Spyware_Report_July_05.pdf [hereinafter PEW Spyware Report]. \3\ Webroot, State of Spyware Report Q2, (2006), available at http://www.webroot.com/pdf/2006-q2-sos-US.pdf. \4\ Fed. Trade Comm'n, Spyware Workshop--Monitoring Software on your PC: Spyware, Adware, and other software, 8 (Mar. 2005) available at http://www.ftc.gov/os/2005/03/050307spywarerpt.pdf. \5\ Id. at 9. \6\ Id. \7\ Joseph De Avila, Do Hackers Pose a Threat to Smart Phones?, The Wall Street Journal, D1, May 27, 2008, available at http:// online.wsj.com/article/SB121184343416921215 .html?mod=todays_us_personal_journal. \8\ Aaron Hackworth USCERT, Spyware, 3 (2005) available at http:// www.uscert.gov/reading_room/spyware.pdf. \9\ See Guillaume Lovet, Dirty Money on the Wires: The Business Models of Cyber Criminals, (2006), available at http:// www.momindum.com/ressources/produits/fortinetFlash/content/_libraries/ _documents/index1/GL_Business_Models_of_Cybercriminals.pdf. \10\ EPIC, Personal Surveillance Technologies (May 2008), http:// epic.org/privacy/dv/personal_surveillance.html. \11\ Saul Hansell, Charter Will Monitor Customer's Web Surfing to Target Ads, The New York Times, May 14, 2008, http:// bits.blogs.nytimes.com/2008/05/14/charter-will-monitor-customers-web- surfing-to-target-ads/. \12\ Joseph Turow, Deirdre Mulligan, and Chris Jay Hoofnagle, Consumers Fundamentally Misunderstand the Online Advertising Marketplace (Oct. 2007), available at http://groups .ischool.berkeley.edu/samuelsonclinic/files/ annenberg_samuelson_advertising.pdf. \13\ Id. at 1. \14\ Pew Spyware Report, supra note 2, at 6. \15\ S. 1625, 110th Cong. 12(13)(B) (2008). \16\ Alaska Stat. 45.45.792, 45.45.794, 45.45.798, 45.45.471 (2007). \17\ Ariz. Rev. Stat. 44-7301 to -7304 (2008). \18\ Cal. Bus. & Prof. Code 22947 (2008). \19\ Fla. Stat. 934.02, .03, .06 (2008). \20\ Ga. Code Ann. 16-9-152, -157 (2008). \21\ 720 Ill. Comp. Stat. 5/16D-3 (2008). \22\ Ind. Code. 24-4.8-1 to -3 (2008). \23\ Iowa Code 715 (2008). \24\ La. Rev. Stat. Ann. 51:2006-14 (2008). \25\ Nev. Rev. Stat. Ann. 205.4737 (2007). \26\ N.H. Rev. Stat. Ann. 359-H:1-6 (2008). \27\ R.I. Gen. Laws 11-52.2-7 (2008). \28\ Tex. Bus. & Com. Code 48.001-4, .051-057 (2008); Tex. Bus. & Com. Code 324.001-7, .051-055, .101-.102 (2008). \29\ Utah Code Ann. 13-40-101 to -401 (2008). \30\ Wash. Rev. Code 19.270.010-.080,.900 (2008). \31\ Utah Code Ann. 13-40-301. \32\ Id. \33\ Wash. Rev. Code 19.270.010-.080,.900. \34\ State of Washington v. Secure Computer, LLC, No. C06-0126RSM (W.D. Wash. Nov. 30, 2006) (Consent Decree as to Defendants Secure Computer, LLC and Paul E. Burke), http://www.atg.wa.gov/uploadedFiles/ Another/News/Press_Releases/2006/SecureComputerConsentDecree112906.pdf. \35\ Press Release, Washington State Office of the Attorney General, Attorney General McKenna Announces $1M Settlement in Washington's First Spyware Suit (Dec. 4, 2006), available at http:// www.atg.wa.gov/pressrelease.aspx?id=5926. \36\ Id. \37\ S. 1625, 110th Cong. 6(a)(10) (2008). \38\ Cookiecentral.com, The Cookie Concept, http:// www.cookiecentral.com/c_concept.htm (last visited June 6, 2008). \39\ Cookiecentral.com, Purpose of Cookies: The Cookie Controversy, http://www.cookie central.com/ccstory/cc2.htm (last visited June 6, 2008). \40\ Id. \41\ EPIC, Cookies, http://epic.org/privacy/internet/cookies/. \42\ EPIC, Does AskEraser Really Erase?, http://epic.org/privacy/ ask/default.html. \43\ See EPIC, Privacy? Proposed Google/DoubleClick Deal, http:// epic.org/privacy/ftc/google/ \44\ EPIC Complaint, In the Matter of Google Inc. and DoubleClick Inc., 10 (April 20, 2007), http://epic.org/privacy/ftc/google/ epic_complaint.pdf. \45\ Facebook Beacon, http://www.facebook.com/business/?beacon. \46\ CA Security Advisor, Facebook's Misrepresentation ofBeacon's Threat to Privacy: Tracking Users Who Opt Out or Are Not Logged In, (Dec 3, 2007), http://community.ca.com/blogs/securityadvisor/archive/ 2007/11/29/facebook-s-misrepresentation-of-beacon-s-threat-to-privacy- tracking-users-who-opt-out-or-are-not-loggedin.aspx. \47\ EPIC, Facebook Privacy, http://epic.org/privacy/facebook/. \48\ Privacy Protection for Social Networking APIs, http:// www.cs.virginia.edu/felt/privacy/ (last visited June 6, 2008). \49\ Press Release, BBC, Facebook's loophole places personal profile data at risk--BBC investigation (May 1, 2008), http:// www.bbc.co.uk/pressoffice/pressreleases/stories/2008/05_may/01/ click.shtml. \50\ Q&A: Facebook Response, BBC, May 1, 2008, http:// news.bbc.co.uk/2/hi/programmes/click_online/7375891.stm. \51\ McAfee Avert Labs Blog, http://www.avertlabs.com/research/ blog/?p=145 (last visited June 5, 2008). \52\ Id. \53\ See EPIC, Deep Packet Inspection and Privacy, http://epic.org/ privacy/dpi/. \54\ Chris Williams, BT and Phorm secretly tracked 18,000 customers in 2006, The Register, April 1, 2008, http://www.theregister.co.uk/ 2008/04/01/bt_phorm_2006m_trial/. \55\ Saul Hansell, Charter Will Monitor Customers' Web Surfing to Target Ads, The New York Times, May 14, 2008, http:// bits.blogs.nytimes.com/2008/05/14/charter-will-monitor-customers web-surfing-to-target-ads/. \56\ Charter Letter, available at http://www.epic.org/privacy/dpi/ subscriber_ltr.pdf. \57\ Charter Communications, Enhanced Online Experience Frequently Asked Questions, http://connect.charter.com/landing/op1.html#6. \58\ Complaint, Request for Investigation, Injunction and Other Relief, In the Matter of Awarenesstech.com, et al., (March 6, 2008), http://epic.org/privacy/dv/spy_software.pdf. Senator Pryor [presiding]. Dr. Edelman? STATEMENT OF BENJAMIN G. EDELMAN, ASSISTANT PROFESSOR, BUSINESS ADMINISTRATION, HARVARD BUSINESS SCHOOL Dr. Edelman. Thank you, Senator Pryor, Senator Nelson, Members of the Committee. Senator Pryor, I want to structure my remarks around your initial question about the proper definition of spyware and Senator Vitter's response immediately thereafter, concerned about both the risk of being over-inclusive and the risk of being under-inclusive, either of which would be a serious problem in making the legislation as effective as the Committee hopes. I spend perhaps too much of my time in my lab testing spyware, going to the sorts of sites where users get infected, infecting my computer over and over, measuring the effects on it, figuring out how it gets infected and what it would take to clean the infections off. Well, two examples that I've seen in the past months I think are instructive for identifying potential under-inclusiveness of this legislation and then in rethinking alternative approaches that might help the Committee be that much more effective. So here's one that I saw just 2 weeks ago in fact. A pop-up ad promised that it could, quote, ``stop spam.'' Upon clicking on the pop-up, I received a long text, several hundred words, center-aligned. Part of the text was off screen. It was very hard to read, in short. But if you read it carefully, you would find that it says it will show special offers in pop-up windows. OK, so it's saying it's going to show pop-up ads, but it's in a small font. The word ``pop-up'' is actually off-screen, so you'd have to scroll around to find it. If you press ``yes'' the software will track the websites that you visit and the search terms that you enter and then, sure enough, it will show you pop-up ads, quite a few of them. So what about that program vis a vis this legislation? Can you point to a clause of this legislation that that program violates? It's awfully hard to do actually. The program tracks some of the websites you visit, but when you look in Section 4, it needs to track those websites in a very particular way in order to fall afoul of that clause of Section 4. The underlying deception of having the tricky disclosure that's hard to read, you won't find anything about that in this legislation. Here's another one: a program that tracks a user's name, street address, and all of the web searches that they do, then sends that to their server for a variety of purposes, market research, perhaps some kind of marketing. There too, it's hard to point to the clause in this legislation that the program violates. When you read through the specific data elements that are prohibited under Section 4, you don't see the data that I listed that the program copies. I think members of this committee would be concerned to have that sort of software on their computers, and would want it removed if they found it there and certainly the public shares that view, but it seems that this legislation wouldn't cover at least those two examples. So what do we make of that? Well, Senator Pryor, as you and Senator Vitter immediately recognized, practices change quickly, and at our peril do we make a list of all the specific practices that ought to be prohibited, because the next day there will be more practices that we didn't think of, despite our best efforts. So coming back to Ms. Harrington's remarks, I think she's absolutely right to emphasize the effectiveness on a long-term basis of the FTC Act. By prohibiting acts that have a tendency to deceive, that tend to be unfair to consumers--that is the sort of language that can prevent these one-sided bargains, where they show you pop-up ads and you don't get anything in return, or they track you in great detail without telling you. That is an approach that has lasted for decades and will serve us well going forward. So what could this legislation do that would be helpful? Well, one, it seems the FTC lacks the statutory authority to get quite as large penalties as they ought to be able to receive. Imagine the settlement discussions between the FTC and a so-called adware maker. The adware maker is sitting there realizing that all the FTC can get is disgorgement of ill- gotten gains, and the company managed not to make a profit last year. So what's the disgorgement? The disgorgement is zero. How much of a penalty can the FTC really extract under those circumstances? Consider a statutory grant of greater authority, of bigger penalties, of liquidated damages perhaps or some amount certain as a floor. ``Even if you didn't manage to make money, well, we're going to make certain you lost money if you went around causing the kind of harm that's at issue.'' That could be very helpful. So I think that's an approach the Committee might want to consider, avoiding attempting to define spyware because we have enough of that under the FTC Act, but instead granting greater statutory protections in the form of increased liability. My written remarks flag two other issues I hope the Committee will consider. For one, preemption of State law doesn't seem to me a good idea, given that there's more than enough work to go around to keep everyone busy and some innovative statutory approaches. Second, the Committee should avoid legislation that doesn't quite fill the field and makes it too easy for a vendor to claim to not be spyware. A vendor might claim: ``We are federally certified good software; we passed Senator Pryor's standard and therefore we must be good.'' But in fact that vendor could still be pretty sneaky and could continue to cause users substantial harm. So I'd caution the Committee at setting low standards. We need to be tough on spyware for the protection of all the users counting on this committee and this legislation for protection going forward. Thank you for your interest in this matter. [The prepared statement of Dr. Edelman follows:] Prepared Statement of Benjamin G. Edelman, Assistant Professor, Harvard Business School Chairman Inouye, Senator Pryor, Members of the Committee: My name is Benjamin Edelman. I am an Assistant Professor at the Harvard Business School, where my research focuses on the design of electronic marketplaces, including designing online marketplaces to assure safety, reliability, and efficiency. My full biography and publication list are at http://www.benedelman.org/bio and http:// www.benedelman.org/publications. Today the Committee considers the important problems of Internet spyware and deceptive adware--scourges that threaten the reliability, trustworthiness, and overall utility of many users' Internet's access. My bottom line: Despite some recent progress, spyware and adware continue to present substantial harms to Internet users and to the Internet as a whole. Many improper practices are already prohibited under existing statutes including the FTC Act, state consumer protection statutes, and state anti-spyware legislation. These statutes have given rise to a series of cases, both public and private, that have somewhat reined in the problems of spyware and adware. Tough Federal legislation could assist in bringing spyware and adware purveyors to justice, and in further deterring creation and support of this noxious software. But the bill at hand addresses only a portion of the problem, while in some ways reducing the effectiveness of existing efforts. By prohibiting specific individual practices, the bill invites perpetrators to comply with the letter of the law while continuing to harm and deceive consumers. Moreover, perpetrators are likely to boast of compliance--despite offering software no reasonable user would want. These loopholes are inevitable in the bill's ``laundry list'' approach, which unavoidably omits deceptive schemes not yet invented. Pages five and six set out my detailed suggestions for revision. I favor a rewrite that emphasizes consumer protection fundamentals such as a consumer's right to know what software runs on his PC, and to grant or deny consent to each program that asks to be installed. But the FTC has already established these principles through its existing anti-spyware litigation. Thanks to existing legislation plus the FTC's work to date, this bill can accomplish its apparent purpose without adding new prohibitions. Instead, this bill can grant the FTC discretion to seek increased penalties under existing statutes--sparing this committee the challenging task of deciding exactly what practices to prohibit. The Consumer Victims of Spyware and Adware Discussion of spyware and adware typically seeks, in the first instance, to attempt to protect the users who receive such software. After all, a computer with spyware or adware is often virtually crippled--filled with so many popups that doing other work is impossible or impractical, and slowed so dramatically that it is unappealing to use the computer for ordinary purposes. Legislation and enforcement can help prevent such damage. Adware vendors often claim their software arrives on users' computers only after users agree. As a threshold matter, my hands-on testing has repeatedly proven that adware can become installed without a user's consent.\1\ But even if a user did accept the software, adware popups can nonetheless present substantial concern. For example, some adware popups are sexually-explicit--sometimes appearing without any obvious way to close the resulting windows to remove the explicit images.\2\ Other adware popups resort to deception to try to sell their wares--combining the interruption of popups with the trickery of false advertising.\3\ Moreover, adware popups appear separate from the programs that caused them--making it hard for users to understand where the ads came from, why they're there, and how to make them stop. --------------------------------------------------------------------------- \1\ See e.g., ``Who Profits from Security Holes?'' http:// www.benedelman.org/news/111804-1.html. See also ``Nonconsensual 180 Installations Continue . . .'' http://www.benedelman.org/news/022006- 1.html. See also ``Spyware Installation Methods.'' http:// www.benedelman.org/spyware/installations/. \2\ ``Spyware Showing Unrequested Sexually-Explicit Images.'' http://www.benedelman.org/news/062206-1.html. \3\ See e.g., ``Zango Practices Violating Zango's Recent Settlement with the FTC'' (heading ``Zango Ads for Bogus Sites that Attempt to Defraud Users''). http://www.benedelman.org/spyware/zango-violations/. --------------------------------------------------------------------------- Users face a variety of costs in restoring a computer to good working order after an infection of spyware and/or adware. Some users hire technicians to make appropriate repairs. Others buy anti-spyware software. Furthermore, during the period in which spyware or adware impair a computer's operation, the user loses some or all access to the system he or she has paid for. These are real and troubling costs--out- of-pocket expense, lost time, and reduced productivity. These harms are not outweighed by any countervailing benefits. Rare is the user who receives anything of genuine value from spyware or adware. Some vendors claim their software is useful, e.g., letting a user ``participate in a market research community'' or ``access premium content.'' But these claims rarely survive scrutiny. For example, it is hard to see a benefit in being tracked for market research, when standard practice is to pay participants to allow their behavior to be tracked. Moreover, when a vendor promises ``premium content'' in exchange for popups, it turns out the supposed premium material is often readily available elsewhere for free, and/or material the vendor lacks proper license to redistribute.\4\ --------------------------------------------------------------------------- \4\ See e.g., ``Debunking Zango's `Content Economy.' '' http:// www.benedelman.org/news/052808-1.html. --------------------------------------------------------------------------- The harms caused by spyware and adware fall within the general realm of anti-consumer practices addressed by decades of consumer protection law. For example, just as other industries resorted to fine print to hide the unsavory aspects of their products,\5\ so too do adware vendors often turn to lengthy texts, scroll boxes, or euphemisms to ``disclose'' key effects of their software.\6\ Similarly, just as door-to-door salesmen made misleading claims to get consumers to let them in--literally, to ``get a foot in the door'' \7\--so too do adware vendors invoke deceptive campaigns to try to attract interest in their products.\8\ That the truth is (in some way) made known prior to purchase (or installation) is no defense: Once a vendor has resorted to deception, caselaw indicates that the deception cannot be cured through a (supposed) corrective disclosure. Legislation ought to consider these myriad deceptive practices--including anticipating that practices will continue to change as tricksters find new ways to deceive unsuspecting users. --------------------------------------------------------------------------- \5\ See e.g., Haagen-Dazs Co., 119 F.T.C. 762 (1995) (challenging effectiveness of fine-print footnote modifying ``98 percent fat free'' claim for frozen yogurt products that were not low in fat). \6\ See e.g., ``Gator's EULA Gone Bad.'' http://www.benedelman.org/ news/112904-1.html. \7\ See e.g., Encyclopedia Britannica, 87 F.T.C. 421 (1976), aff'd, 605 P.2d 964 (7th Cir. 1979), cert. denied, 445 U.S. 934 (1980) (rejecting ``deceptive door opener'' sales pitches). \8\ See e.g., ``Zango Practices Violating Zango's Recent Settlement with the FTC'' (heading ``Widespread Zango Banner-Based Installations without Unavoidable, Prominent Disclosure of Material Terms (XP SP2)'') (supra). --------------------------------------------------------------------------- The Deeper Problem: Imposing Negative Externalities on Others In my view, spyware and adware legislation should also consider the substantial negative externalities that such programs impose on others. For example, spyware and adware impose large costs on ISPs, computer makers, and software developers. In practice, users often turn to their ISPs and/or computer makers for assistance with problems caused by spyware and adware. Meanwhile, independent software makers must consider how their software interacts with spyware or adware unexpectedly on a user's computer--adding additional complexity and unpredictability. Spyware and adware cause further harm to the Internet's infrastructure and to Internet users generally--even users who are not themselves infected with spyware or adware. As much as half of spam now comes from ``zombie'' infections.\9\ Even if you keep your computer clean, others may not--and their computers may be used to send you spam. --------------------------------------------------------------------------- \9\ Xie et al., ``How Dynamic Are IP Addresses?'' http:// research.microsoft.com/projects/sgps/sigcomm2007.pdf. --------------------------------------------------------------------------- Furthermore, spyware and adware often attempt to defraud online advertisers--typically by claiming to show ads that were never actually shown, or by showing ads that users never agreed to receive. My research has uncovered spyware and adware performing click fraud-- automatically activating pay-per-click advertisement links where advertisers are only supposed to pay if a user specifically and intentionally clicks such links.\10\ Spyware and adware even interfere with advertising strategies widely perceived to present a lower risk of fraud. For example, some advertisers pay advertising commissions only upon a user's purchase--protecting against click fraud.\11\ But pay- per-purchase advertisers can nonetheless be tricked by spyware and adware. For example, spyware and adware popups sometimes claim commissions on purchases they actually did nothing to facilitate.\12\ --------------------------------------------------------------------------- \10\ ``The Spyware--Click-Fraud Connection.'' http:// www.benedelman.org/news/040406-1.html. \11\ These pay-per-purchase advertising systems are also known as cost-per-acquisition or ``CPA.'' \12\ See e.g., ``Spyware Still Cheating Merchants . . .'' http:// www.benedelman.org/news/052107-1.html. --------------------------------------------------------------------------- In short, spyware and adware make the Internet a place where ISPs and computer makers incur unexpected costs they must ultimately pass back to customers; where even those who keep their computers safe nonetheless suffer from the infections that plague others; where advertisers cannot feel confident in the leads they pay to receive. The resulting costs make the Internet a weaker platform on which to do business, to all our detriment. How to Stop the Problems of Spyware and Adware Unlike the viruses of prior decades, spyware and adware tend to be created by business enterprises--groups that design this unwanted software, foist it onto users' computers, and reap the rewards. The appropriate response: Find the perpetrators and hold them accountable. The past 4 years have brought considerable progress in identifying spyware and adware purveyors, and holding them accountable for what they have done. The New York Attorney General's office brought the first major case against a spyware vendor, Intermix, whose KeenValue, IncrediFind, and other programs were widely installed on users' computers without any consent at all, and also without meaningful, informed consent. Subsequent litigation has pursued a variety of other vendors, with cases brought by the FTC, the City of Los Angeles, and Attorneys General in New York, South Carolina, Texas, and Washington. Several class actions have also challenged nonconsensual and deceptive installations.\13\ --------------------------------------------------------------------------- \13\ See e.g., Sotelo v. DirectRevenue LLC, No. 05 C 2562 (N.D. Ill. Aug. 29, 2005). --------------------------------------------------------------------------- The prospect of similar litigation has pushed some spyware and adware vendors to substantially cease operations. For example, in the face of litigation against several of its competitors, Manhattan-based eXact Advertising shut its ``adware'' business, thereby ceasing the nonconsensual installation of its software that had previously been so prevalent. Yet litigation has not stopped the deceptive practices of all vendors. Consider the actions of Bellevue, Washington-based Zango, Inc. During an FTC investigation of its practices, Zango stopped its partners from placing its software on users' computers without first obtaining user consent. But despite its settlement with the FTC, Zango continues installations that are predicated on deception. For example, Zango continues to solicit installations via fake-user interface banner advertisements which deceptively masquerade as bona fide messages from software already on a user's computer.\14\ Moreover, despite a settlement requirement that every Zango advertisement be ``clearly and prominently'' identified with the name of the program that delivered that ad, some Zango advertising toolbars still lack the required label.\15\ --------------------------------------------------------------------------- \14\ See e.g., ``Zango Practices Violating . . .'' (heading ``Widespread Zango Banner-Based Installations without Unavoidable, Prominent Disclosure of Material Terms (XP SP2)'') (supra). More recent (May 2008) proof on file. \15\ See e.g., ``Zango Practices Violating Zango's Recent Settlement with the FTC'' (heading ``Unlabeled Ads--Toolbars, Desktop Icons, and Pop-Ups''). http://www.benedelman.org/spyware/zango- violations/. May 2008 proof on file. --------------------------------------------------------------------------- More generally, experience and economic intuition confirm the need for tough litigation to adequately deter sophisticated corporate wrongdoers. At present, FTC actions typically seek disgorgement of ill- gotten gains. But effective deterrence requires a penalty that exceeds disgorgement, since investigation and litigation are less than certain. (Otherwise, a rational perpetrator would proceed in expectation of sometimes getting to keep the proceeds.) Experience shows inadequate deterrence to be a real problem. Consider the FTC's $1.5 million settlement with DirectRevenue--letting the company's principals retain $20 million of ill-gotten gains. As FTC Commissioner Leibowitz pointed out in his dissent to that settlement, spyware purveyors ought not reap windfalls from their deceit. To that end, I support the bill's granting of a fine of three times the amount otherwise available. (Sec. 7(b)(1).) Increasingly, purveyors of spyware and adware are not major U.S. companies that investigators can easily locate. Instead, surviving vendors tend to reside abroad, or at least tend to attempt to hide their true location. Despite their far-flung location, these vendors sometimes cause even more harm than American counterparts--seemingly taking greater liberties with users' computers on the view that they are beyond prosecutorial reach. Legislation ought to seek to disrupt these businesses and limit the harm they cause. In my view, the most promising approach comes through financial investigations: Although they're off-shore, these vendors still want to make money, and their primary revenue sources remain U.S. advertisers and ad networks. The New York Attorney General has already pursued selected advertisers that intentionally purchased large amounts of ``adware'' advertising.\16\ It would be little stretch to pursue advertisers and ad networks that intentionally fund remaining spyware vendors. --------------------------------------------------------------------------- \16\ Assurances of Discontinuance--Cingular, Priceline, Travelocity. http://www.oag.state.ny.us /press/2007/jan/adware-scannedAODs.pdf. --------------------------------------------------------------------------- Specific Concerns in the Legislation at Hand Let me now turn to S. 1625, my specific suggestions, and some areas of concern. S. 1625 Risks Setting Low Standards that Do Little to Protect Against Remaining ``Adware'' S. 1625 rightly prohibits a range of outrageous and extreme behaviors. For example, it would be hard to defend the ``endless loop popups'' prohibited by Sec. 3(1)(D). But it is possible to skirt the bill's prohibitions while causing consumers substantial harm and continuing the same practices traditionally associated with spyware and adware. Rather than showing so many popups that a user ``cannot close the advertisements without turning off the computer'' (Sec. 3(1)(D)), a program might show one popup per minute--still a substantial intrusion, yet nowhere proscribed by S. 1625 as it stands. Similarly, rather than tracking the specific information prohibited under Sec. 4(a), a program might monitor ``only'' a user's name, street address, phone number, and all web searches conducted. Although remarkably intrusive, such tracking is seemingly permitted under Sec. 4. Thus, S. 1625's approach creates a serious risk that spyware and adware vendors can continue business substantially as usual. Moreover, spyware and adware vendors are likely to attempt to use any Federal legislation as a ``shield'' to deflect criticism of their practices. Indeed, Zango already invokes its settlement with the FTC as a supposed indicator of endorsement. Last year, Zango staff wrote to security vendors to say Zango has received ``certification with the FTC.'' \17\ More recently, Zango claimed that security vendors ought not block or remove Zango software because if Zango's software were harmful, ``the FTC would not have entered into a consent agreement permitting Zango to market that software.'' \18\ Far from setting a minimum standard that vendors will aspire to exceed, this bill thus risks creating a new supposed ``certification'' (or other low standard) that vendors may invoke as a defense against allegations of impropriety. As a result, weak legislation could actually make the spyware and adware problem worse. --------------------------------------------------------------------------- \17\ Forwarded e-mail on file in my possession. \18\ Reply Brief of Appellant. Zango, v. Kaspersky Lab. U.S. Court of Appeals for the Ninth Circuit. No. 07-35800. --------------------------------------------------------------------------- Prohibiting the full spectrum of deceptive adware would require substantial reworking of S. 1625. Rather than prohibiting a lengthy list of specific bad acts, a rewrite would probably begin with basic consumer protection fundamentals, e.g., that software must only be installed on a user's computer after clear and prominent disclosure as well as meaningful consent. If S. 1625 is to retain its present approach, a partially- responsive revision would add a preface or other comment to explicitly confirm the Committee's intention--that compliance with S. 1625, in and of itself, does not assure that software is ethical, effective, desirable, or even useful. I realize that such an addition may seem vacuous--for of course the bill does not aspire to define what software is desirable or useful. But as the bill stands, adware vendors are virtually certain to attempt to invoke S. 1625 defensively--claiming that their software must be desirable since it meets the bill's requirements. An appropriate preface could prevent that unwelcome strategy. S. 1625 Should Protect Security Vendors Assisting Users Security vendors face a barrage of complaints and, in some instances, litigation claiming that security firms err in removing harmful or deceptive software from users' computers. See e.g. Zango, Inc. v. Kaspersky Lab, Inc. and New.net v. Lavasoft. Federal anti- spyware legislation offers a natural context in which to grant Good Samaritan protection to computer security software--immunizing the efforts of bona fide security vendors, in the ordinary course of business, to identify, block, and/or remove software users reasonably view as objectionable. S. 1625 could and should include such an immunization. S. 1625 Should Not Preempt Tougher State Laws As it stands, S. 1625 preempts tougher state laws. Given S. 1625's limited prohibitions--a list of some specific bad acts, rather than a comprehensive framework for effective notice and consent--such preemption seems unwarranted. In particular, S. 1625 leaves ample room for states to do more to protect their consumers. For example, states could identify additional specific bad acts that ought not be permitted. Alternatively, states could identify alternative methods of enforcement--perhaps private litigation by those who are harmed (be they consumers, websites, computer makers, advertisers, ad networks, or otherwise). With so much room for innovation to further address these important problems, I see no proper basis for preemption of state legislation. A Simplified Bill Could Increase Penalties while Avoiding Other Questions A simplification of S. 1625 would strike all language except authorization of increased penalties. The treble fine in Sec. 7(b) would apply to all FTC actions under existing legislation, pertaining to software installed on a user's computer that tracks user characteristics or activities, or that shows advertising. This dramatic simplification would relieve the Committee from the challenging questions of what specific behaviors to prohibit, and would side-step all the concerns identified in my testimony. Yet this revision would offer major benefits--letting the FTC better sanction and deter perpetrators. I urge the Committee to consider this approach. Senator Pryor. Thank you. Mr. Weafer? STATEMENT OF VINCENT WEAFER, VICE PRESIDENT, SECURITY RESPONSE, SYMANTEC CORPORATION, ON BEHALF OF THE BUSINESS SOFTWARE ALLIANCE (BSA) Mr. Weafer. Mr. Chairman, Members of the Committee: Thank you very much for the opportunity to testify. Let me start with a question that was raised earlier, which is how large is the problem. If we look at spyware and malicious code in general, there is about 1.8 million pieces of unique code. Now, that's a large number, but if you remember that about 800,000 of those malicious codes came in all of last year, so if you look at all the previous years last year represented the vast majority of those pieces of spyware and malicious code. In the first 6 months of this year, we've already surpassed what we saw last year, in 2007. Looking another way, we did a survey of people's machines where we looked and we found about 57,000 unique pieces of files on their machine--Office, Windows, operating system files. 65 percent of those files were deemed to be potentially malicious or spyware on their machines. The Organization for Economic Cooperation and Development has estimated that something like 95 million U.S. people are sitting with spyware on their machines. It's a large problem and it's still growing. Now, this includes not just the grey actors, but also the black actors, the criminalization that's occurring very much at the moment as well. In terms of S. 1625, one of the areas we definitely want to focus on is on the focus of behavior, not technologies. So we certainly want to prohibit bad conduct rather than pick certain technologies and say this act is good or this is bad, because that frequently forms a low bar for companies that try and target or simply raise themselves to that minimum level and say: We're certified. Second, we do want to include our support for the legislation, the so-called Good Samaritan portion. So a Federal court recently ruled in the Kaspersky case that the Communications Decency Act gives such protection to providers of anti-spyware solutions. Now, we're not seeking unlimited protection. In fact, we believe the legislative codification of Kaspersky could include language requiring good faith as well as a fair and effective dispute resolution process. There should be a process, it should be fair, it should be open. That's what we're looking for as part of this provision. We also want to commend you for including in your bill a provision for allowing perfectly legitimate activities, such as the detection and prevention of unauthorized use of the software. This is essential to our industry, the software industry, because fraud or piracy also includes almost $50 billion in damage every year. So we believe this is also an important part. I'll keep my remarks short and just thank you very much for your time. [The prepared statement of Mr. Weafer follows:] Prepared Statement of Vincent Weafer, Vice President, Security Response, Symantec Corporation on Behalf of the Business Software Alliance (BSA) Mr. Chairman, Mr. Ranking Member, Members of the Committee, good afternoon. Thank you very much for the opportunity to testify here today. My name is Vincent Weafer and I am Vice President of Security Response at Symantec Corporation. I will be testifying today on behalf of the Business Software Alliance (BSA). Symantec is one of the world's leading software companies. We are headquartered in Cupertino, California, operate in 40 countries worldwide and have more than 17,500 employees. Symantec's mission is to help individuals and enterprises assure the security, availability, and integrity of their electronic information. As the global leader in information security, we protect more people from online threats than anyone in the world. Symantec offers our customers products that detect and remove spyware and harmful adware, and our Norton brand of products is the worldwide leader in consumer security and problem-solving solutions. The Business Software Alliance (www.bsa.org) \1\ is the foremost organization dedicated to promoting a safe and legal digital world. BSA is the voice of the world's commercial software industry and its hardware partners before governments and in the international marketplace. Its members represent one of the fastest growing industries in the world. BSA programs foster technology innovation through education and policy initiatives that promote copyright protection, cyber security, trade and e-commerce. --------------------------------------------------------------------------- \1\ BSA members include Adobe, Apple, Autodesk, Avid, Bentley Systems, Borland, CA, Cadence Design Systems, Cisco Systems, CNC Software/Mastercam, Corel, Dell, EMC, HP, IBM, Intel, McAfee, Microsoft, Monotype Imaging, PTC, Quark, Quest Software, SAP, Siemens PLM Software, SolidWorks, Sybase, Symantec, Synopsys, and The MathWorks. --------------------------------------------------------------------------- It is a pleasure to be here today to discuss the serious issue of cyber security: protecting millions of computer users from those who maliciously install software on computers to compromise and steal sensitive, personal information. Such software goes by the name of ``spyware.'' Mr. Chairman, I commend you and your colleagues, Senator Boxer and Senator Nelson for your leadership in addressing this invasive and deceptive practice through the Counter Spy Act (S. 1625). Today, I would like to make three points: First, spyware and harmful adware represent a critical threat to security and privacy on the Internet. It is a threat that must be met and defeated. Second, legislation can and should play an important role. We urge the Committee to consider language which focuses on the malicious intent behind this reprehensible behavior, not ``bad'' technological tools like computers, software and the Internet. We want to work with you to ensure that anti-spyware legislation moving through Congress targets reprehensible behavior and avoids the trap of defining ``good'' or ``bad'' technology. Third, we believe that legislation should contain specific provisions to ensure that developers of anti-spyware tools can protect their customers without fear of threats and legal harassment. And fourth, we commend you for including in your bill a provision clarifying that security and anti-piracy activities are not in fact spyware. What Threat Are We Facing? Mr. Chairman, we commend you for your leadership in addressing the real threat and grave threat of spyware and harmful adware. Spyware and harmful adware are stand-alone programs that can monitor system activity and either relay the information back to another computer or hold it for subsequent retrieval. Spyware programs are placed on a user's system--often times without the knowledge of the user--in order to steal confidential information, such as usernames, passwords and credit card details. This can be done through keystroke logging, or capturing e-mail and instant messaging traffic. Spyware is of particular concern because of its potential for use in identity theft and fraud. A growing type of spyware is rogue anti-spyware/anti-virus applications. They deceive users by displaying scary warnings about the computer being infected with a large number of fake threats, and then ask the user to buy the software to fix the problems. Another recent trend is programs that attempt to use the license agreement to prevent the end-user from sending any portion of the spyware program to anti- spyware companies. Harmful adware programs capture information about the computer usage and Internet browsing habits of the user (such as websites visited and e-commerce purchases made). They generate a deluge of disruptive ads, usually in the form of pop-up windows, on the computer's screen. This represents a potential violation of privacy, and degrades user experience and computer performance by bogging down a computer's normal functions. How prevalent is the problem of spyware and harmful adware? Symantec publishes twice a year the Internet Security Threat Report (ISTR), a comprehensive compilation of Internet threat data, which gives us a unique perspective on the prevalence of spyware. The ISTR includes analysis of network-based attacks, a review of known vulnerabilities, and highlights of malicious code and additional security risks. We compile our data from more than 24,000 sensors monitoring network activity in over 180 countries, as well as information compiled from over 120 million client, server and gateway systems that have deployed our antivirus products, and through the 25 million e-mail messages we filter for our customers everyday. According to our most recent Internet Security Threat Report, spyware continues to be a serious security risk for consumers. The latest Internet Security Threat Report released by Symantec in April 2008 reveals that Attackers have adopted stealth tactics that prey on end-users on individual computers via the World Wide Web, rather than attempting high-volume broadcast attacks to penetrate networks. This may be because enterprise network attacks are now more likely to be discovered and shut down, whereas specifically targeted malicious activity on end-user computers and/or websites is less likely to be detected. Site-specific vulnerabilities are perhaps the most telling indication of this trend. During the last 6 months of 2007, there were 11,253 site-specific cross-site scripting vulnerabilities = Cyber criminals continue to refine their attack methods in an attempt to remain undetected and to create global, cooperative networks to support the ongoing growth of criminal activity. Adware and spyware continue to propagate, according to the ISTR. At the beginning of June 2008, there are over 1.8 million known malware and security risks with the majority of these being discovered in the past 18 months. In the last 6 months of 2007, threats to confidential information made up 68 percent of the volume of the top malicious code samples. Malicious code can expose confidential information in a variety of ways, including exporting user and system data, exporting e- mail addresses, recording keystrokes and allowing remote malicious access to a computer. At the same time, today's attacks are more surreptitious than ever before, less likely to be detected rapidly, and more likely to have a direct impact on a user's finances. As an illustration of the scale of the problem, a recent report by the Organization for Economic Cooperation and Development (OECD), estimates that 59 million users in the U.S. have spyware or other types of malware on their computers. In summary, spyware and harmful adware are, quite simply, a critical threat to our online security and privacy. It is wrong and it must be stopped. Ban Bad Behavior, not Technology Fortunately, the marketplace is responding to the need to address this challenge. Cyber security companies are investing heavily in newer generations of classification, behavioral detection and white listing technologies to handle the increasing volume and variety of spyware and malicious code threats. For example, Symantec creates security programs that watch out for known malicious threats, as well as unknown software that exhibits suspicious characteristics. Symantec products classify and categorize programs according to functionality. This allows a user to select an acceptable risk level and detect only programs that fall outside the user's own acceptable limits We continually add new definitions and new defenses to address the ever evolving dangers in the Internet threat landscape such as worms, spyware, spam, and phishing. In addition, critical technologies such as web browsers are being revamped with more security, as they increasingly become a focus for attacks. Web browser security is particularly important because browsers come in contact with more untrusted or potentially hostile content than most other applications. We believe however that, in addition to the response of the marketplace, legislation can and should play a role. Spyware is a serious online threat to the public interest. As you have recognized, Mr. Chairman, this threat requires Congress to empower Federal agencies to enforce prohibitions that will help curb the scourge of spyware and harmful adware. We want to work with you to ensure that legislation moving through Congress targets reprehensible behavior, rather than attempts to define ``good'' or ``bad'' technology. We believe that legislation should not prohibit specific technologies. Computers, software and the Internet are tools that are used in thousands of ways to enhance how we work, study, communicate and live. These tools are an indispensable part of our daily lives. The fact that a number of bad actors have figured out how to use these tools for illegitimate purposes does not mean the tools themselves are the cause of the harm. If technology was to be constrained or regulated, we would lose much of the richness and power that computing has brought to our modern lives. Let me put it a different way. We don't ban crowbars because some people use them to break into houses. We don't ban cars because some people use them to flee from the scene of a crime. Prohibiting conduct, rather than technology, avoids the danger of dictating the design and operation of computer software and hardware. Congress has wisely avoided imposing a number of technology mandates to maintain the U.S. technology industry as the envy of the world. It has been responsible for incredible improvements in productivity, millions of jobs, billions of dollars in exports, and immense benefits to every consumer. Government intervention that replaces marketplace solutions with governmental decisions endangers America's technology leadership. It hurts users of technology products by stifling innovation, freezing in place particular technologies, impairing product performance, and increasing consumer costs. Mr. Chairman, Symantec and other BSA member companies want to work with you and your staff to ensure that S. 1625 focuses even more clearly on harmful activities, rather than on the technology that is misused to perform these activities. Currently, S. 1625 includes a few provisions that risk affecting legitimate software and Internet functionalities, and thus compromise the operations of today's computers--as well as the direction of future technology. Let me give you just a few examples: Section 3(1)(A) prohibits the installation of software that transmits or relays commercial electronic mail. This would constrain the development and use of legitimate and innovative methods to generate and send electronic communications; Section 3(3)(B) regulates how software that is installed on a computer must be named and where it must be located, and how it can be uninstalled. Again, this would constrain how legitimate software is deployed and operates. We believe the problems inherent in such an approach can be avoided if Congress instead focuses directly on the behavior we are trying to stop: the use of unfair or deceptive means to install software on computers, as well as the unauthorized acquisition, use or commercialization of information from individuals. This is for example what section 2 and section 4(a) of your bill do. We commend you for the inclusion of such provisions, which strike at the heart of the spyware and harmful adware problem and which we believe would be useful tools in the hands of enforcement agencies. Such an approach significantly mitigates the risk that legislation may hamper or constrain the development and use of technology, while achieving your objective of protecting computer users. In addition, while products can be moved offshore and out of reach of our laws, the collection of information from computers within our borders is a problem that we can more easily and effectively address. Enable Anti-Spyware Companies to Continue to Best Protect Computer Users Developers of anti-spyware solutions are providing effective protection to computer users against online threats. Unfortunately, they are threatened with lawsuits for defamation and interference with their business by spyware and harmful adware companies. These spurious threats force anti-spyware companies to divert precious resources to fight to protect themselves in Court. This is intended to disrupt and deter the development of tools that empower consumers to stop unwanted software from being put on their computers. BSA supports including in anti-spyware legislation what is often called a ``Good Samaritan'' provision. This would limit remedies against developers of anti-spyware tools. This would be far from unprecedented. In fact, Congress has repeatedly legislated targeted protection for a host of similarly beneficial activities, such as charitable food donations, the use of Automated External Defibrillators, or liability arising from sharing information about the Y2K problem.\2\ Last but not least, in June of last year the House of Representatives supported, by an overwhelming majority of 368 to 48, H.R. 964, the Spy Act. The Spy Act includes such a Good Samaritan provision for anti-spyware activities. --------------------------------------------------------------------------- \2\ The Bill Emerson Good Samaritan Food Donation Act (42 U.S.C. 1791) precludes civil and criminal liability arising from food donated in good faith, except in cases of gross negligence or intentional misconduct. The Cardiac Arrest Survival Act of 2000 (42 U.S.C. 238q) precludes civil liability arising from any harm resulting from the use of an Automated External Defibrillator, except where there was no proper notification of emergency personnel, maintenance of the defibrillator or employee training. The Year 2000 Information and Readiness Disclosure Act (15 U.S.C. 1) precludes liability arising from statements and disclosures regarding the Y2K problem, except in cases of recklessness or intent to deceive. --------------------------------------------------------------------------- Mr. Chairman, I want to bring to your attention an important Federal court case, Zango v. Kaspersky. In August 2007, the U.S. District Court for the Western District of Washington ruled that the protection afforded by section 230(c)(2) of the Communications Decency Act (CDA) of 1996 (47 U.S.C. 230), to providers of solutions that filter objectionable content, covers providers of anti-spyware solutions.\3\ --------------------------------------------------------------------------- \3\ Zango has appealed the ruling and BSA, as well as several other online consumer protection organizations such as the AntiSpyware Coalition (ASC), the Center for Democracy and Technology (CDT) and the Electronic Frontier Foundation (EFF), have filed an Amicus Brief asking the Court of Appeals for the Ninth Circuit to affirm the District Court's decision. --------------------------------------------------------------------------- Mr. Chairman, we understand why a former Attorney General like yourself would exercise caution in limiting judicial remedies. In fact, we are not seeking unlimited protection. We fully agree that good faith and due process must be applied by an anti-spyware provider when his product targets a software application for removal by the computer user. We believe that the protection provided by Congress in section 230(c)(2) of the CDA can only extend to software providers who are truly seeking to empower users to exercise control over objectionable content received over the Internet. This protection does not apply if they are pursuing, for example, fraudulent or anti-competitive objectives (such as an anti-spyware company's product blocking the installation of a competitor's security solution.) Mr. Chairman, BSA believes that legislative codification of the Kaspersky ruling, including language that requires good faith and fair and effective dispute resolution would in fact exceed the safeguards provided by the House when it passed H.R. 964 last year. It would thus provide a strong foundation for the Senate to work with the House toward enactment of legislation, which is a priority that BSA shares with you. Security and Anti-Piracy Activities Are Not Spyware Mr. Chairman, before I conclude my testimony, I would like to commend you for including in section 6(a) of your bill a provision allowing legitimate security and anti-piracy activities. This exemption has been supported at the Federal and state levels by a host of technology industry organizations representing telecom providers, cable companies, software producers, and Internet service providers. The activities in question are perfectly legitimate, such as diagnostics, network or computer security, repairs, network management, etc. All these activities are conducted by network administrators to maintain and secure their systems. Section 6(a) also covers the detection and prevention of the unauthorized use of software. This is essential to our industry's ability to protect our products against theft. Software piracy results in almost $50 billion in losses to the software industry each year, including more than $8 billion in the U.S. alone. Given these massive losses, it is absolutely critical that companies that engage in otherwise lawful conduct to detect or prevent piracy or other unlawful acts are not unwittingly subject to liability under anti-spyware laws. Section 6(a) is narrowly and carefully drafted to address this important goal. Certain interest groups may seek to drastically weaken or delete this provision. They may claim that it creates a license to snoop on people's computers, shut down their IT networks, or circumvent state consumer protection, privacy, and contract laws. This is patently false. The provision does not go beyond limiting liability under your bill, and it limits liability under your bill only. Anyone who engages in an act that violates any other Federal or state law is and will remain fully liable under those laws. The purpose of weakening this provision is not to protect against spyware, but to make it harder for legitimate companies to fight piracy, or other fraudulent or illegal activities. The laudable anti-spyware goals of the Act should not be subverted for this purpose. Thank you again for this opportunity to comment on the issue of spyware and the Counter Spy Act. I would be happy to answer any question you may have. Senator Pryor. Well, thank you. Let me go ahead and start with you, Mr. Weafer, because I assume that your company has a working definition of spyware. Do you have a definition of spyware? Mr. Weafer. Yes, we do. Senator Pryor. And as I understand it, the Federal Trade Commission does not have an adequate definition of spyware; is that right? Mr. Weafer. That's right. There are different definitions out there. One thing we have done as an industry is come together to try and create a common definition of spyware. So we're part of a coalition, the Anti-Spyware Coalition. We have posted what we believe is a shared and fair assessment of what spyware is. Even within that definition, there is some degree of what is included, what is considered personally identifiable information. We do believe there are fairly good standards relating to what is spyware and why the concern is there. Senator Pryor. So is there then an industry consensus on what spyware is and what it's not? Mr. Weafer. We believe there is, even though there is probably some differences or subtleties in the language themselves. Senator Pryor. Do we have that definition? Have you provided that to the Committee? Mr. Weafer. If we haven't, we will provide. Senator Pryor. That would be great because I think that would be helpful for us. If I may, Mr. Edelman, it sounds like you spend a lot of time trying to figure out what's out there and you know how it infects people's computers and what it does. Tell me what you're seeing out there, two or three of the most prevalent forms of spyware that are currently infiltrating people's computers? Dr. Edelman. Well, it's easy to be complacent and think that the problem of unwanted pop-up ads is over. That's not what I see in testing the sorts of websites where users get infected. I still see plenty of websites that will fill your computer with pop-ups and make money from those pop-ups through the biggest American ad networks out there. Maybe I shouldn't name any names today, but you can imagine the sort of advertising intermediaries who fund all kinds of behavior on the web and, remarkably, continue to fund the pop-ups that users so despise. Separate from that, there are so-called market research companies that track users' behavior in great detail--every website you visit, every search you make, every product you buy, every product you look at but don't buy. That's a little spooky to me, frankly. I'm not sure I want those records about me kept anywhere. What if it gets hacked? You know, what if that goes on the web somewhere and everyone can see it? Beyond that, I do see serious criminal enterprises taking over users' computers, using them to send spam. I have to defend my computer so that when I allow my computer to be infected by spyware, it doesn't go around sending spam. So there's a little bit of complication even for me just in safely testing the software. Denial of service attacks. Often you'll see programs that take over a user's computer and use it to attack some other computer. All of these behaviors still remain prevalent, the same kinds of problems we were talking about 2 years ago, 3 years ago, 4 years ago still occurring, albeit some of them somewhat harder to track down. Senator Pryor. You mentioned that you go to the types of websites that will contain spyware. What types of websites typically expose people to spyware? Dr. Edelman. Well, it can happen anywhere. You know, historically there have been examples even of mainstream news sites being hacked so that they would distribute spyware. But the sites that I find the most reliable tend to be second-tier entertainment sites. There's a wrestling site that is awfully effective at giving me spyware, with no offense intended to those who like professional wrestling, but this site isn't the one to go to. Again, I'll leave it unnamed. Sites and programs that provide assistance in downloading copyrighted music and videos, sometimes massive copyright infringement frankly. You go to a site that purports to provide assistance in that regard and then you might or might not get the copyrighted material you were seeking, but in any event your computer would be destroyed, which certainly wasn't part of the bargain that you were expecting. But again, it can happen anywhere and so we should not paint a picture of victims as somehow having brought this on themselves. Maybe in a few instances that's the case, but as a general rule that's really not true. Senator Pryor. Mr. Edelman, in your experience and in your opinion, is there any legitimate use for spyware? Dr. Edelman. The programs that people call spyware are such a broad swath of programs, it's hard even to answer the question crisply. Is there any legitimate use for a program that takes over a user's computer and uses it to send unsolicited commercial e-mail to a variety of recipients who never asked for it, without telling the user that their computer would be so used? Absolutely not. How about a program that monitors what you're doing and shows pop-up ads? You know, some marketers say that that could be useful. You didn't know that American Airlines existed until you went to United.com and up came an ad for American Airlines, which, to be clear, they would never do because they are good advertisers and are actually very careful about that sort of thing. In principle, it could be good for competition, I guess, to have pop-ups telling users about alternatives. But in practice I'm pretty suspicious. I think these pop-ups tend to promote software and services that users don't really want. If they want them they already know about them and no one wants to be interrupted by that sort of thing. So I don't see a lot of use for it. Senator Pryor. Mr. Cerasale, are there legitimate purposes, legitimate uses for spyware? Mr. Cerasale. Well, again the term ``spyware'' means lots of things. Clearly, taking over someone's computer and so forth, is just not allowed. That's spyware, bad stuff. But certain toolbars, plug-ins, and web browsers, those types of things going on people's computers clearly are things that individuals want and so forth. Looking at the definition of trying to be any kind of software, you even have requirements for e-mail notices. There are things called web beacons that are computer code, software code, to tell people whether or not an e-mail has been opened. Some of those things are used, for example, if there is a compelled e-mail notice to ensure that you have informed individuals of this notification. Those kinds of web beacons and things of that sort are definitely helpful and helpful to meet legal requirements. So the definition--as you look at definition of what is spyware, and actually as you go down further, the definition of what is software, becomes very, very complicated. We have to be careful with that. If you look at the attachment to my testimony, the DMA Guidelines, we have a thing on the bottom, this does not include cookies or similar types of software, because we had difficulty trying to define this. As we go further along with new technology, I think just defining software becomes a major problem. There are things that go on people's computers that can be easily defined as software, that are advantageous to them. Now, our guidelines would say you've got to allow me to take it off if I suddenly don't want it. But that's the kind of thing that we think is-- there are some legitimate uses for. There are major, major illegitimate uses for it that are already illegal. Many of the things that have been said here are already under Section 5 of the FTC Act, would be barred in its own right. Senator Pryor. Does the Direct Marketing Association have a good and working definition of spyware? Mr. Cerasale. We do not. If you look at that, the attachment to my testimony, we just talk about computer software, ``install software or other similar technology,'' because we don't know what's coming next, and then define some of the bad practices. So that's what we've done, and then defining if you're going to put this software or similar technology on someone's computer with notice, easy to uninstall, you have to let them know who it is and the privacy policy. That's the way we had to go. We felt that trying to define software would in essence--was first of all very difficult to try and discern; but technology is going to change the definition of software as we move forward, and we want to-- and I think that our decision was to focus more on the acts and try and stop that, no matter what means was used for it. Senator Pryor. Mr. Butler, do you have a good working definition of spyware? Do you differentiate spyware from adware and other types of software? Mr. Butler. To us, spyware is software that is surreptitiously installed on someone's computer, that allows the outsider to intercept or to seize even partial control over the user's interaction with the computer, without that user's informed consent. Anything that meets that definition we think is spyware. Senator Pryor. Mr. Cerasale, you just heard his definition. You said the DMA doesn't differentiate between different types of software, but based on that definition you just heard, are you aware of any legitimate purpose for that type of software, surreptitiously installed, et cetera, et cetera, like he said? Mr. Cerasale. As our guidance says, surreptitiously installed would violate our guidelines. So yes, that clearly fits within where DMA is. I think the one exception might be in an area where Mr. Butler and I would disagree, in areas of trying to look at anti-fraud areas, that that might be something where there may be an exception here. But not talking about that, looking at it from that score, his definition, surreptitiously put on, would violate our guidelines, so even without our definition. Senator Pryor. Let me ask this also if I may, Mr. Cerasale. That is, a couple of the witnesses either in their written testimony or what they said here today encouraged us to focus on behavior, not technology. Mr. Cerasale. Correct. Senator Pryor. Is that where the direct marketers are as well? Mr. Cerasale. I believe so, yes. Senator Pryor. Because the technology will change, but we know that the type behavior that we want to prevent, presumably we know the type of behavior we want to prevent, but the technology--there are lots of different ways to get there; is that fair? Mr. Cerasale. That's fair, and it may be tomorrow it will be something new. Senator Pryor. Mr. Butler, do you agree with that? Mr. Butler. I think so. Senator Pryor. Because I think what Senator Vitter said was that he was concerned about the definition and I think the idea, if I'm hearing the panel correctly, is that if you have a definition that's really based on a technology or a specific process of some sort, that could change because some programmer out there could change that tomorrow and the law we pass today could be obsolete. But if we focus on, I guess, the end result and the behavior that we're trying to prevent, then regardless of what technology gets us there, I think that gets us what we're trying to do. Do you agree with that, Mr. Edelman? Dr. Edelman. I think that's fine as far as it goes, but it's still possible to be both over-inclusive and under- inclusive as to behaviors. So it's possible to write a list of 20 bad behaviors and miss three other behaviors that either the Committee didn't notice or they haven't started yet, but will start next week. Similarly, it's possible for there to be some behavior for which the behavior itself is neither good nor bad; it's the deceptive practice of that behavior, doing it in a way that has a tendency to deceive, based on the totality of the circumstances, the context, the method in which it is promoted, the nature of the disclosure, the nature of the consent procedure. So the suggestion that behavior versus technology is the magic bullet that solves the bill's problems, I'm not sure it gets you all the way there. Senator Pryor. Mr. Rotenberg? Mr. Rotenberg. Senator, I've worked on quite a lot of privacy bills over the years and I just want to say I very much support your approach. By way of example, the Federal Privacy Act, the legislation that protects the privacy of citizens with respect to their records held by Federal agencies, was passed more than 30 years ago. It actually said almost nothing about technology. It spoke about the collection and use of personal data, who would have access to it, how you could obtain it, and what the penalties would be. It still works today. By comparison, the privacy provisions in the Cable Communications Act of 1984, which are very good privacy provisions, was actually quite specific about the type of industry that would be covered. In 1984 there was a clear understanding of what the cable industry looked like, what interactive television looked like, and what privacy protection would require. Well, today we have a great deal of interactive media, but those provisions from 1984 no longer apply because they were too technologically specific. So I think we need to focus on the activity, and of course I think it's possible by means of committee report or other means to give some examples. You can say with respect to current business practice, we want to prohibit surreptitious collection of a person's personal data without their consent, and an example might be, and then we can talk about some of the things that are taking place right now. Senator Pryor. Well, I would hope that all the panelists here would help us as we work on this bill and help us make sure we get it right, because, assuming the Senate passes this and the House passes it and the President signs it, we are trying to address this problem, and a wrong definition or a wrong section in the bill could totally undermine the purpose of what we're trying to do. So I'd love to have all of you help us draft this. You all raise good points. Let me ask, if I may, let me ask Mr. Weafer about the cost associated with a consumer having spyware on his computer and having to do something to get rid of that infection. What does it typically cost John Q. Public out there when he's on his computer? What does it typically cost him to get rid of the spyware once it has infected his computer? Mr. Weafer. There is two parts to that answer. One is the actual physical damage, for example having to go in and remove pop-ups, unwanted software, which can range in terms of dollars from hundreds of dollars to thousands depending on how many machines, whether it's to be completely re-imaged, and who's doing the work. The bigger, greater cost is really on the personal privacy. If data has been exposed or is assumed to be exposed, then the cost in terms of cleaning up their identity, their privacy, going after that, actually is very difficult to calculate. But I think that's the greater concern and the greater danger to a lot of users. Senator Pryor. Will a software product sold by Symantec stop spyware from being added in the first place or does it remove it once it's on there, or both? Mr. Weafer. It tries to do both. So first of all, we're really just trying to give the tools to the end-users to identify what's on their machine. We classify according to large spyware, which is a general category of software, including actual spyware, remote access programs, tracking tools, hacking tools, and information, preventing them getting on. They're deemed to be high risk or low risk, to help the user. Then if they are on the system, helping them remove them from the system itself. In some cases we can actually work with the vendors. If they've got a reasonable uninstaller, we can actually just call that and that becomes the uninstallation. For some of the more malicious, insidious programs, we have to do it ourselves. Senator Pryor. Symantec has a number of competitors out there that are offering spyware protection as well, right? Mr. Weafer. That is correct. Senator Pryor. About how many are in that marketplace right now that are offering anti-spyware programs or software of some sort? Mr. Weafer. There is at least 20 major vendors who are offering similar programs. Senator Pryor. Which ones are the best? [Laughter.] Mr. Weafer. Symantec. I'm a little bit biased toward the Norton brand. Senator Pryor. I just couldn't resist that one. But nonetheless, there may be some ways for some computer users to get anti-spyware software free, but a lot of people have to pay for it as well. It kind of depends on your situation. So definitely there's a lot of cost associated with this, not just to the machine but also to your personal situation. Mr. Cerasale, you said in your testimony that you think the industry--you prefer self-regulation, is that right? Mr. Cerasale. That's correct. Senator Pryor. Well, when I hear the numbers of some of the statistics, I get the very distinct impression that self- regulation isn't working. So do you disagree with me on that? Mr. Cerasale. I do. What we heard a lot of today and a lot of the statistics are basically criminal activity, activity that is deceptive, activity that already violates Section 5 of the Act or other criminal codes. Self-regulation requires law enforcement to stop criminal activities. Self-regulation is not there and cannot be there to prevent criminal activity. I think the area we're looking at and the area that we're concerned in is going after the bad guys, the criminals, and being careful to protect the legitimate uses on the Internet that foster commerce. And I think in that arena self-regulation works well, for DMA members to have to follow our guidelines, the ability for us to quickly change guidelines, to take a look at new technologies when they come up. We have our own ethics procedure to go after and try and stop certain activities. I think in that arena it works. It does not work in the criminal arena and we don't intend it to, and we want you to give the FTC as much money as they can to go out and try and enforce it. Senator Pryor. I do think one of the shortcomings of self- regulation is something you alluded to, and that is I think you have a lot of members who are acting responsibly and are out there trying to do the right thing and they're legitimate companies trying to be in this for the long term. But not all direct marketers are members of the DMA and a lot of them don't acknowledge or recognize or even consider your guidelines that you lay out. So this may be one of those situations where the good actors out there may have to undergo some additional regulation to try to get the bad actors out of the marketplace. Mr. Cerasale. We have supported legislation in the past, such as CAN-SPAM and in other areas, where we felt that self- regulation didn't work, and we pledge and have in the past and continue to work with you on this legislation, with you and the Committee on this legislation, and others in this area. Our biggest concern is unintended consequences hurting legitimate business and that's where we want to work. Senator Pryor. Mr. Weafer, let me ask another question of you, and that is--we have heard some statistics today that are helpful, but I'm curious about, from your company's standpoint and just from your personal research and your experience, is spyware a growing problem? Is it becoming more prevalent or less prevalent? Mr. Weafer. In my opinion, the broader aspect of spyware is actually becoming more prevalent. We're seeing more and more spyware. Now, most of this is driven by the underground economy. A lot of it is the criminalization of this. We're certainly seeing in many cases up to 500 percent year over year increases in the amount and variety of this type of spyware coming out. We are continuing to see the shady commercialization as well, which are programs which are continuing to drive pop-ups, programs which are continuing to be fraudulent, programs which are still not giving users control, consent, and notification. So we do applaud the self-regulation, but we want to see additional remedies on top of that. Senator Pryor. Well, I agree with you. I think that that's what you're seeing out there. I just know really anecdotally from talking to people--just as an example, not too long ago I was talking to someone about their computer and they were getting all these pop-ups. They were getting a new toolbar, they were getting all this stuff, and they didn't know where it came from or how it came on there. It's very frustrating for people. For most people, like for home use, your personal computer is your personal property and you don't want it to be infected and somehow damaged by other people, and certainly you don't want your personal information out there going to people that you don't want to have it. So this is a serious problem. We do have this piece of legislation. All of you pointed out your thoughts on the legislation, even some of the shortcomings of the legislation. We appreciate that. We take all of that as constructive criticism. What we're going to do is we're going to take our legislation, we're going to talk to the Members of the Committee, and we're going to see if we can help shape it and get it in the type of form where it's ready to move and move through the system. And hopefully some time in the next, I don't know, several months, maybe the next year, we'll have a very, very strong piece of legislation, very bipartisan, to try to make a big difference in the marketplace. So I just want you to know you've been a very important part of this process and we appreciate you. Like I said, we definitely would appreciate your input as we go along, and always feel free to share your opinions or give us your insights because we don't claim the expertise here. We know who the experts are. So with that, what I'm going to do is I'm going to adjourn the hearing here in just 1 minute. But first let me say that we're going to keep the record open and Senators may have additional questions or follow-up questions. So we'll get those to you and we'd love for you to get those back to us. We'll try to leave the record open for 2 weeks, so if you could get those back to us as quickly as you can. Also, if there are documents--I think someone mentioned a study or some statistics or whatever it may be. If there are documents that you want to submit for the record, again the record will be open for 2 weeks and just get that to Committee staff and they'll distribute it as it should be. So we appreciate your time, we appreciate you looking at the legislation, and we appreciate your being here today. With that, we're going to adjourn the hearing, and just say thank you. [Whereupon, at 4:28 p.m., the hearing was adjourned.] A P P E N D I X TRUSTe San Francisco, CA, June 24, 2008 Hon. Mark Pryor, Chairman, Subcommittee on Consumer Affairs, Insurance, and Automotive Safety, U.S. Senate, Washington, DC. Dear Chairman Pryor, I am writing to respectively request that this letter be added to the official record of the Senate Commerce Committee's hearing on June 11, 2008 entitled ``The Impact and Policy Implications of Spyware on Consumers and Businesses.'' I am the Vice President in charge of legal policy and compliance matters for TRUSTe. We are an independent, nonprofit organization with the mission of advancing privacy and trust for a networked world. Through long-term supportive relationships with our licensees, extensive interactions with consumers in our Watchdog Dispute Resolution program, and with the support and guidance of many established companies and industry experts, TRUSTe has earned a reputation as the leader in promoting privacy policy disclosures, informed user consent, and consumer education. TRUSTe applauds the Committee's work on the issue of spyware. We have long articulated a public policy for privacy protection that incorporates the strength of government oversight, the discipline of industry self-governance, and the innovation of privacy-enhancing technology. In his testimony before the Committee on June 11, Jerry Cerasale, senior vice president of government affairs for the Direct Marketing Association, referenced the self regulatory work underway to develop standards for downloadable software. He spoke of the work that TRUSTe has undertaken to develop a program of best practices. I would like to tell the Committee a little more about our Trusted Download Program. TRUSTe has partnered with major online consumer portals and other industry leaders to develop the Trusted Download Program, a standards and a certification program for downloadable consumer desktop applications. Program objectives: Empower consumers to make informed decisions. Establish the leading industry-wide standards for developers of downloadable applications. Identify and elevate trustworthy consumer applications for distributors and marketers. Protect the valued brands of online advertisers by enabling them to know which applications are trustworthy and which are not. The Trusted Download Program certification combines strict standards, thorough review, ongoing monitoring, enforcement mechanisms and powerful market incentives. The Program elevates those applications that meet the certification requirements through a whitelist, thereby providing consumer portals and other businesses a tool to distinguish responsible software applications. For downloadable desktop software developers, the program provides guidance on responsible behavior. A Trusted Download Seal at the point of download allows consumers to recognize applications that provide improved disclosures, more explicit control mechanisms, easier uninstall, and more respect for their personal information. Trusted Download Sponsors and Advisory Committee Members are CNET download.com, Microsoft, Yahoo!, and the Center for Democracy and Technology (CDT). Incentives for Compliance TRUSTe serves a ``whitelist'' of certified applications to advertisers, distributors, consumer portals and other interested parties. In a market where the conduct of partners can be as important as the conduct of your own organization, businesses are turning to TRUSTe to help determine which applications they want to be affiliated with. The Program's whitelist is regularly used to influence decisionmaking in advertising buys, bundling and distribution opportunities, and to resolve errant blacklistings. The whitelist, provides an economic incentive for software providers to achieve and maintain certification. In addition, the Trusted Download Seal at the point of download reassures consumers and increases downloads, providing a direct economic benefit to software developers. Scope While there are exceptions, the program is aimed at consumer downloadable desktop software applications. It does not cover software downloaded exclusively to handheld devices (i.e., mobile phones). While there are additional specific requirements for advertising and tracking software, many requirements also apply to all consumer downloadable applications. Advertising and tracking software providers will likely need to significantly change current practices to earn certification. In addition, the program will provide standards for all applications to offer consumers enhanced disclosures, easier uninstall and other benefits. Certification Application providers submit to TRUSTe a contract and a completed questionnaire including questions about how the application is distributed. TRUSTe conducts a thorough evaluation of the downloadable applications against the program standards to ensure they do not involve activities that are prohibited by the Program. Additional compliance assurance is being provided by AppLabs, a third party software testing lab that will evaluate the application's relay of information and interaction with the recipient's operating system. Key Program Elements The Program outlines certain requirements for all software and specifies additional requirements for advertising and tracking software. This approach ensures that the Program addresses practices that historically have created consumer confusion and anxiety. However, all software must meet specific program requirements and is tested for monitoring, relays, and behaviors that have historically been considered deceptive. Notice The Program imposes a layered approach, via a primary notice and reference notices such as the End User License Agreement, EULA, and the privacy statement. The primary notice must explain functionalities that impact the consumer experience and must be unavoidable, to ensure that users understand what they are downloading. EULAs and ``opt-out'' mechanisms are insufficient for providing such notice or obtaining consent. For example, unavoidable notice of any material changes to certain specified consumer settings is required for ail software. Further, all ads delivered in certified advertising software must be labeled, and unavoidable notice of certain ad features must be provided. Consent to Install is Required Consumers must be offered notice and an opportunity to consent that is described in plain language and is as prominently displayed as the option to not install, Consent to install may not be obtained with a pre-selected option. Easy Uninstall Instructions for uninstallation must be easy to find and easy to understand, and methods for uninstalling must be available in places where consumers are accustomed to finding them, such as the Add/Remove Programs feature in the Windows Control Panel, or the Add-On management menus in browsers for browser Add-Ons. Uninstallation must remove all software associated with the particular application being uninstalled (with a few specific exceptions carved out in the Program Requirements), and cannot be contingent on a consumer's providing Personally Identifiable Information, unless that information is required for account verification. Prohibited Activities No company can have an application certified if any of its applications exhibits a behavior listed in the Program's Prohibited Activities section. Examples of prohibited activities include: Taking control of a consumer's computer. Modifying security or other settings of the computer to cause damage or harm. Spyware tactics for surveillance and tracking, such as keystroke logging. Preventing reasonable efforts to block installation or to uninstall. Allowing a certified application to be bundled with any application currently engaging in any of the prohibited activities. Special Protections for Children Companies in the Program must prevent the distribution of their advertising or tracking software on children's websites--including by prohibiting their distribution partners and affiliates from such distribution. Affiliate Controls Since many advertising and tracking applications are distributed through second and third-party affiliates and/or bundled with other programs; relationships must be disclosed in attestations. Certified software is subject to random testing on instances found wherever an individual might encounter them. Prior Behavior The Program includes provisional certification for companies that have previously engaged in prohibited activities or other behaviors that call into question the Participant's ability to comply with the Program Requirements on an ongoing basis. In order to be certified, these companies will be subject to additional oversight including enhanced monitoring and a requirement to go back to all users who downloaded an uncertified version of the software application and obtain their opt-in consent. Segregated Ad Inventory Companies in the Program must maintain segregated ad inventory in certified versus uncertified applications. The application provider must be able to serve ads to users from whom consent was obtained versus users from whom consent has not been acceptably obtained. Monitoring Certified applications are monitored by TRUSTe for ongoing compliance with the Program's strict standards. A company risks termination from the program if any one of its certified applications violates the standards. Enforcement If monitoring uncovers suspected non-compliance, an application, or in some cases all of a company's applications, will be subjected to enforcement procedures by TRUSTe. Depending on severity and the results of a TRUSTe investigation, an application may be temporarily suspended or permanently removed from the program whitelist. In certain cases, a company or application may be terminated from the Program and the fact of its termination made public. I have attached a copy * of the Trusted Download Program certification requirements to this letter and request that it also be included in the Committee's spyware hearing record. --------------------------------------------------------------------------- \*\ This document is retained in the Committee files. --------------------------------------------------------------------------- TRUSTe appreciates your work in this area and would be pleased to serve as a resource should you or your staff have any questions. If you have any questions, please do not hesitate to contact me. Sincerely, John P. Tomaszewski, Esq. Vice President, Legal, Policy & Compliance. ______ Americans for Fair Electronic Commerce Transactions (AFFECT) June 25, 2008 Hon. Mark Pryor, U.S. Senate Committee on Commerce, Science, and Transportation, Washington, DC. Re: Follow-up Comments for the Record of the Hearing on the ``Impact and Policy Implications of Spyware on Consumers and Businesses'' Dear Senator Pryor: Thank you for the opportunity to submit additional comments on behalf of AFFECT (Americans for Fair Electronic Commerce Transactions) on the impact and policy implications of spyware on consumers and businesses and on the Counter Spy Act (S. 1625). As I stated in my testimony during the June 11, 2008 hearing, AFFECT is concerned about the exception section of the Counter Spy Act, Section 6(a). That section says that the list of prohibited acts in Sections 3, 4, and 5 of the bill ``do not apply to any monitoring of or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by or at the direction of a telecommunications carrier, cable operator, computer hardware arc or software provider, financial institution or provider of information services or interactive computer service . . .'' These entities have immunity under the Counter Spy Act when what they're doing is done for a number of innocuous-sounding purposes. The first nine of these liability exemptions include network or computer security, diagnostics, technical support, repair, network management, authorized updates of software or system firmware, authorized remote system management, authorized provision of protection for users of the computer from objectionable content, and authorized scanning for computer software used in violation of sections 3, 4, or 5 for removal by an authorized user. As I said at the hearing, AFFECT sees no legitimate reason why any of these nine activities would need an exemption from the actions prohibited by the bill because: none of them justifies an outside entity in installing zombies, engaging in modern hijacking for the purpose of causing damage to the computer or causing the authorized user to incur unauthorized financial charges, causing a denial of service attack for the purpose of causing damage, causing endless loop pop-up ads (Section 3(1)); none of them justifies an outside entity in modifying an authorized user's security settings for the purpose of stealing the user's sensitive personal information, or disabling security settings for the purpose of causing damage to the computer or another computer, or through unfair or deceptive means modifying browser settings (Section 3(2)); none of them justifies, without authorization, an outside entity in preventing a user's reasonable efforts to block installation, to disable, or to uninstall software by unfair or deceptive means (Section 3(3)); none of them justifies an outsider in installing software that collects sensitive personal information from an authorized computer user without that user's informed consent, logs keystrokes, collects and correlates personal information with a history of websites visited, extracts the substantive contents of files or communications, or prevents an authorized user from uninstalling or disabling software (Section 4); and, none of them justifies an outsider in installing adware that conceals its operation (Section 5). An exemption from the prohibited activities listed in the bill is simply not needed to allow or protect any legitimate activity. AFFECT is particularly concerned about Subsection 6(a)(10). That tenth and final exemption would be granted when the otherwise prohibited acts are done for: ``detection or prevention of the unauthorized use of software fraudulent or other illegal activities.'' The troubling questions raised by 6(a)(10) were pointed out in my written testimony, namely that the exemption would allow a software vendor to surreptitiously download code onto a user's computer and freely violate their privacy. It would allow the provider to set itself up as an ad hoc police force to conduct warrantless searches and to act as judge and jury to conduct unilateral seizures. Private entities do not and should not have the right to conduct law enforcement activities. More troubling is the fact that the language of Subsection 6(a)(10) would effectively allow a software provider to unilaterally decide to remotely shut down the user's computer or Internet or other network connection or service. But whether the use of a particular software is ``unauthorized,'' ``fraudulent,'' or ``illegal'' is often subject to legitimate dispute and merits some judicial consideration before a provider is allowed to unilaterally employ a drastic remedy like remote disablement. In his written testimony, Vincent Weafer, the Symantec vice president who was representing the Business Software Alliance (BSA) at the hearing, praised Section 6(a)(10) as ``essential to our industry's ability to protect our products against theft. Software piracy results in almost $50 billion in losses to the software industry each year, including more than $8 billion in the U.S. alone. Given these massive losses, it is absolutely critical that companies that engage in otherwise lawful conduct to detect or prevent piracy or other unlawful acts are not unwittingly subject to liability under anti-spyware laws.'' Contrary to Mr. Wearer's statement, exemption from the prohibited actions listed in the bill is neither essential to a software vendor's legitimate efforts to protect against piracy, nor is it essential to protect legitimate activities from liability under the bill. Software vendors have a variety of legal remedies to attack piracy. If a software contract, for example, an End User License Agreement (EULA), is breached, the vendor would have the right to sue and collect damages. It could seek an injunction against further use. In addition, statutes, like the U.S. Copyright Act, or international copyright laws, may grant other rights and remedies, including access to Federal court and statutory damages, perhaps even enforcement by the FBI. In addition, the BSA itself is a well-known and very effective enforcement arm of the software industry. Further, there is no reason the software industry can't employ technological approaches to combating piracy without remotely accessing software resident on the user's computer and unilaterally shutting it down. For example, the agreement between the software vendor and the user could clearly provide for a limited period of use and a ``time bomb'' built into the software that disables its operation at the expiration of the named period of time. The parties then could agree that the period of limited use could be renewed by the user obtaining a ``key'' from the vendor or sending a ``validation'' to continue the use. It is not necessary to reach into a user's computer, to poll the machine, extract data, and phone home. It is not necessary to build in a ``backdoor'' which will make the computer vulnerable to exploitation by spies, hackers, saboteurs, or terrorists. And, there is no legitimate reason why a software vendor, network provider, or other outside entity should be allowed to unilaterally decide to remotely shut down the user's computer or Internet or other network connection or service. At a minimum, a software vendor who thinks it has not been paid, should be required to give notice, an opportunity to cure, and obtain a court order before employing remote disablement. The Business Software Alliance appears to want to use Section 6 of your bill to gain the approval of policymakers for their use of electronic self-help. The fact of the matter is that this is an anti- spyware bill, not a bill designed to address tools for dealing with piracy. During the hearing on June 11, you specifically asked for suggestions about how to define spyware. AFFECT offered the following definition: Spyware is computer software that is surreptitiously installed on a computer that allows an outsider to intercept or take partial control over the user's interaction with the computer, without the user's informed consent. We believe this definition is broad enough to cover technologies that arc deployed without appropriate user consent or are implemented in ways that impair user control over material changes that affect their experience, privacy, or system security; their use of their system resources, including what software is installed on their computers; and the collection, use, and distribution of their personal or other sensitive information. We also believe it should cover all of the prohibited behaviors currently listed in the bill. AFFECT also sees the merit in the suggestions of spyware expert Ben Edelman, who advocated for a simplification of the approach of S. 1625 that would focus on increasing the penalties such as a treble fine in FTC actions. That approach was also expressed by the FTC in its testimony. Finally, I want to express AFFECT's support for the three key principles expressed by Ms. Eileen Harrington, Deputy Director of the Bureau of Consumer Protection of the FTC, in her written and oral statements: (1) a consumer's computer belongs to him or her, not to the software distributor, and it must be the consumer's choice whether or not to install software; (2) burying in an End User License Agreement (EULA) material disclosures necessary to correct an otherwise misleading impression should not be sufficient to allow a spyware purveyor to escape liability; and (3) a consumer should be able to uninstall or disable any program he or she does not want on a computer. AFFECT has long favored a competitive and fair marketplace. A cornerstone of AFFECT's efforts was the creation of ``12 Principles for Fair Commerce in Software and Other Digital Products'' (http:// www.ucita.com/pdf/AFFECTbrochure2-05.pdf). Two of those key principles are that: (1) customers are entitled to control their own computer systems; and (2) customers arc entitled to control their own data. We believe these two principles are consistent with the three expressed by Ms. Harrington and should guide the Committee and the Congress in shaping its approach to dealing with the insidious problem of spyware. Thank you very much for the opportunity to submit these additional comments for the hearing record. AFFECT remains willing and interested in working with the Committee on S. 1625 and will be glad to be of whatever help we can. Sincerely, Arthur A. Butler, Attorney, Ater Wynne LLP. ______ Americans for Fair Electronic Commerce Transactions (AFFECT) Concerns with S. 1625, Section 6(a)(10) Americans for Fair Electronic Commerce Transactions (AFFECT) is a national coalition of consumers, retail and manufacturing businesses, insurance institutions, financial institutions, technology professionals and librarians committed to promoting the growth of fair and competitive commerce in software and other digital products. S. 1625 (Pryor), introduced in June 2007, would protect against the unauthorized installation of software that is used to take control of a computer in order to cause damage, collect personal information without consent, or otherwise enable identity theft. AFFECT strongly supports S. 1625's purpose to curb the use of harmful spyware. However, it has great concerns with S. 1625 (6), the exception section, which is overly broad and could be construed to protect wrongful acts that can result in great harm to computer users-- which is in direct opposition to the purpose of S. 1625. AFFECT strongly recommends that the exception provision of S. 1625 should only limit liability for interaction with a network, service, or computer that is undertaken to detect or prevent fraudulent or other illegal activities as prohibited by the act itself. Therefore, AFFECT proposes that Section 6(a)(10) of the bill be amended as follows: (10) detection or prevention of fraudulent or other illegal activities as prohibited by this Act. Subsection 6(a)(10), as it is currently written, would permit a provider to monitor or interact with an individual's computer or Internet or other network connection or service for the ``detection or prevention of the unauthorized use of software for fraudulent or other illegal activities.'' This would allow the provider to unilaterally decide to remotely shut down the user's computer or Internet or other network connection or service. But whether the use of a particular software is ``unauthorized,'' ``fraudulent,'' or ``illegal'' is often subject to legitimate dispute and merits some judicial consideration before a provider is allowed to unilaterally employ a drastic remedy like remote disablement. Permitting unilateral remote disablement is bad public policy. It allows the provider to set itself up as an ad hoc police force to conduct warrantless searches and to act as judge and jury to conduct unilateral seizures in the name of protecting against piracy, fraud, or other illegal activities. Private entities do not and should not have the right to conduct law enforcement activities. Also, remote disablement can cause great harm to the owner who depends on access to and use of that computer, connection or service. For example, the shutdown of an owner's system can cause great harm to: a teacher using a computer to prepare for classroom lectures; an insurer depending on a computer system to pay claims; a manufacturer trying to deliver its products to meet contractual commitments; or the public's access to online library materials. In reaching into an individual's computer remotely to disable software residing on his computer, the provider may not only violate privacy rights, but also damage his other files. The monitoring and remote disablement of software on an owner's computer by a provider may compromise private information of employees, confidential and proprietary information of the owner, and, in some cases, national security information. The code used to remotely enter a computer and disable the software or the network connection (often called ``black holes'') make the computer vulnerable to security breaches by hackers and terrorists. When there is an opportunity to negotiate, many enterprises, including governmental entities, will insist that their software license agreements contain a warranty prohibiting any ``self-help code'' or other software routing designed to disable a computer program automatically or that is under the positive control of a person other than the licensee of the software. Unfortunately, with mass market licenses individual consumers and businesses are not able to negotiate for a ``no self-help code.'' It is important to recognize that these harms that can result from permitting remote disablement can be significantly larger than the harm to a software vendor in not getting a license fee. ______ Response to Written Questions Submitted by Hon. David Vitter to Eileen Harrington \1\ --------------------------------------------------------------------------- \1\ As with my responses to the Committee's questions at the hearing, these answers present my personal views and do not necessarily represent the views of the Federal Trade Commission or of any Commissioner. --------------------------------------------------------------------------- Question 1. Who do you think would define ``objectionable'' in S. 1625 section 6(a)(8), and what does that term mean? Answer. The term ``objectionable content'' is left undefined by the Counter Spy Act, S. 1625. Absent a clear definition in the bill, ``objectionable content'' will need to be interpreted by the courts. As drafted, however, ``objectionable content'' is sufficiently broad that it might include content or software (such as advertising software, toolbars, etc.) about whose value reasonable people may disagree. Accordingly, a covered party could have considerable discretion under the bill to identify and remove software as ``objectionable'' without giving specific notice to, and perhaps against the intentions of, the consumer. Question 2. Under section 6(a)(9) of S. 1625, would a consumer's purchase and use of a computer with pre-loaded operating system and anti-spyware software be sufficient ``authorization'' to allow some software to remove or disable other software on the computer without notifying the computer user or obtaining her consent? Answer. The Commission and the courts would need to approach scenarios like the one posed by Question 2 on a case-by-case basis, weighing the nature of the software and its potential for harm against the nature and timing of notice and consent--if any--provided. In the case of pre-installed anti-spyware software, we would need to know how much notice the consumer is given regarding the existence and function of the software, and whether the consumer is given notice before the anti-spyware software removes or disables other software on the computer. If any pre-installed software caused the type of harms outlined in sections 3, 4, or 5 of S. 1625, it is doubtful that the Commission would deem the mere acts of buying and turning on a computer to be sufficient ``authorization.'' Linking exemptions and immunity in section 6(a) to particular functions that are purportedly ``authorized'' poses the risk of creating a safe harbor based on unknowing authorization. For example, a software provider, an information services provider, or an ISP might argue that a provision buried deep in an End User License Agreement or privacy policy provides sufficient authorization for much of the conduct prohibited by the bill. Question 3. Should we be careful when providing (broad) exemptions or immunity for software removal, given the FTC actions against companies that might represent their software as legitimate ``anti- spyware'' in order to scam consumers? Answer. Yes. I share Senator Vitter's concern that there is a need for caution in providing broad exemptions and immunity for software removal when addressing the problems of spyware. If not carefully drafted, these broad exemptions can create safe harbor loopholes that can be exploited by clever spyware and malware purveyors. Under the bill as drafted, virtually any ``software provider'' or ``provider of information services'' who can muster some plausible pretense of the list of the enumerated services will raise the exemption as a defense to enforcement. Take the example of a purveyor of what has been termed ``rogue anti-spyware'' software. Rogue anti-spyware software is usually sold via deceptive tactics. A broad ``anti-spyware'' exemption may shield the rogue anti-spyware sellers from liability for their deceptive tactics. Moreover, it could potentially permit the seller to download other harmful software, such as a keylogger, if that seller can convince a court that the other harmful software in any way could be used to provide functions enumerated by sections 6(a)(1) through (10). If the main purpose of including section 6(a) is to limit liability among and between civil litigants regarding questions about what is ``authorized,'' or what is ``objectionable'' (e.g., where an anti- spyware company is sued by a software provider whose product is deemed objectionable), it is misplaced because S. 1625 does not provide a private right of action. Accordingly, such broad exemptions from law enforcement in this legislation are unnecessary. At bottom, the broad scope of section 6(a)'s limitations on liability--both in terms of the number of exempted parties as well as the breadth of the exempted conduct--may make the FTC's job more challenging and potentially do more harm than good in terms of effective spyware law enforcement.