[Senate Hearing 110-1178]
[From the U.S. Government Publishing Office]



                                                       S. Hrg. 110-1178
 
                   IMPACT AND POLICY IMPLICATIONS OF 

                  SPYWARE ON CONSUMERS AND BUSINESSES

=======================================================================



                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,

                      SCIENCE, AND TRANSPORTATION

                          UNITED STATES SENATE

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 11, 2008

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation




                  U.S. GOVERNMENT PRINTING OFFICE
76-328                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001





       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                   DANIEL K. INOUYE, Hawaii, Chairman
JOHN D. ROCKEFELLER IV, West Virginia   TED STEVENS, Alaska, Vice Chairman
JOHN F. KERRY, Massachusetts            JOHN McCAIN, Arizona
BYRON L. DORGAN, North Dakota           KAY BAILEY HUTCHISON, Texas
BARBARA BOXER, California               OLYMPIA J. SNOWE, Maine
BILL NELSON, Florida                    GORDON H. SMITH, Oregon
MARIA CANTWELL, Washington              JOHN ENSIGN, Nevada
FRANK R. LAUTENBERG, New Jersey         JOHN E. SUNUNU, New Hampshire
MARK PRYOR, Arkansas                    JIM DeMINT, South Carolina
THOMAS R. CARPER, Delaware              DAVID VITTER, Louisiana
CLAIRE McCASKILL, Missouri              JOHN THUNE, South Dakota
AMY KLOBUCHAR, Minnesota                ROGER F. WICKER, Mississippi
   Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
Lila Harper Helms, Democratic Deputy Staff Director and Policy Director
   Christine D. Kurth, Republican Staff Director and General Counsel
                  Paul Nagle, Republican Chief Counsel


                            C O N T E N T S

                              ----------                              
Hearing held on June 11, 2008
Statement of Senator Nelson
Statement of Senator Pryor
Statement of Senator Vitter

                               Witnesses

Butler, Arthur A., Attorney, Ater Wynne LLP, on behalf of 
  Americans for Fair Electronic Commerce Transactions (AFFECT)
    Prepared statement
Cerasale, Jerry, Senior Vice President, Government Affairs, 
  Direct Marketing Association, Inc.
    Prepared statement
Edelman, Benjamin G., Assistant Professor, Business 
  Administration, Harvard Business School
    Prepared statement
Harrington, Eileen, Deputy Director, Bureau of Consumer 
  Protection, Federal Trade Commission
    Prepared statement
Rotenberg, Marc, Executive Director, Electronic Privacy 
  Information Center (EPIC)
    Prepared statement
Weafer, Vincent, Vice President, Security Response, Symantec 
  Corporation, on behalf of the Business Software Alliance (BSA)
    Prepared statement

                                Appendix

Letter dated June 24, 2008, from John P. Tomaszewski, Esq., Vice 
  President, Legal, Policy and Compliance, TRUSTe, to Hon. Mark 
  Pryor
Letter dated June 25, 2008, to Hon. Mark Pryor from Arthur A. 
  Butler, Attorney, Ater Wynne LLP; on behalf of Americans for 
  Fair Electronic Commerce Transactions (AFFECT)
Response to written questions submitted by Hon. David Vitter to 
  Eileen Harrington


 IMPACT AND POLICY IMPLICATIONS OF SPYWARE ON CONSUMERS AND BUSINESSES

                              ----------                              


                        WEDNESDAY, JUNE 11, 2008

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 3:07 p.m. in room 
SR-253, Russell Senate Office Building, Hon. Mark Pryor, 
presiding.

             OPENING STATEMENT OF HON. MARK PRYOR, 
                   U.S. SENATOR FROM ARKANSAS

    Senator Pryor. Someone out there told me, don't start being 
like the airlines, being late on everything. So we won't do 
that. I'm sorry that I was a few minutes late, but I got caught 
in a previous meeting.
    I want to thank Chairman Inouye and Vice Chairman Stevens 
for holding this hearing to review the efforts by industry, the 
Federal Trade Commission, and Congress, to combat spyware and 
its effects on consumers. Specifically, this hearing will look 
at the impact of spyware on computer performance, along with 
privacy and security risks associated with this software.
    In particular, the hearing will consider a bill that I 
filed, S. 1625, the Counter Spy Act, and that I introduced with 
Senator Bill Nelson and Senator Boxer. Also, just to let other 
Senators and other staff know, we thought we'd have this 
hearing and sit down with our bill and see if we can get some 
other cosponsors and help us think through some issues there. 
So I want to thank all the witnesses today for being part of 
that process.
    Spyware is a pervasive problem that really I believe 
demands swift action by Congress to protect American consumers 
from very significant privacy and security risks. There are 
very few, if any that I can determine, legitimate reasons for 
this practice of having spyware in the first place, and there 
are a number of reasons why we should do something to try to 
stop spyware.
    Basically, I think our bill needs to do two very important 
things. One is we need a good workable definition of spyware. 
It's hard to define, but we need to come up with a Federal 
definition where there's a standard.
    The second thing is we need to come up with some civil 
penalties in the event that someone is out there using spyware 
in an unauthorized manner. We need to have a civil penalty 
regime so that the FTC knows exactly what they need to do and 
what steps they need to take.
    I guess the other part that's kind of implicit in both of 
those is that we need to make sure that whatever we pass is 
very consumer-friendly, so consumers know that when spyware is 
present on their system or asking to be loaded or whatever the 
case may be, that the consumers have a chance to stop it from 
being added to their computers in the first place.
    So with that, what I would like to do is ask Senator Vitter 
if you have an opening statement.

                STATEMENT OF HON. DAVID VITTER, 
                  U.S. SENATOR FROM LOUISIANA

    Senator Vitter. Thank you, Mr. Chairman. I'll be very 
brief. Thank you for this hearing. This is an extremely 
important topic. I agree with you that it's a really serious 
problem that we should move absolutely as quickly as possible 
to address. I certainly want to be part of the discussions and 
the solution.
    That's the easy part. The tough part is how we do that 
effectively. I think the biggest challenge in so many of these 
issues is to come up with legislation that isn't outpaced or 
becomes outdated by technology in a month or a year. So I 
believe we should focus on passing legislation against improper 
activity and not be too technologically specific, because I 
think that's going to end up getting us in trouble, having 
unintended consequences, or just being outdated relatively 
soon.
    So I'm very interested in legislation. Some of the things I 
want to avoid are to enact things that would be technology 
mandates, to enact things that might unintentionally hamper the 
ability of the FTC and law enforcement to adopt a technology, 
and to enact things that could be interpreted so broadly that 
they would extend beyond unwanted spyware to affect all web 
pages or to affect online transactions that folks do want and 
get some convenience out of.
    So thank you again for this hearing. I look forward to 
hearing from the witnesses and asking questions with the goal 
of helping develop that sort of bipartisan legislation.
    Senator Pryor. Thank you.
    Senator Nelson, I'll call on you for an opening statement 
if you'd like to make one and then ask you to introduce the 
first witness.

                STATEMENT OF HON. BILL NELSON, 
                   U.S. SENATOR FROM FLORIDA

    Senator Nelson. Mr. Chairman, you have to go back to a 
conference committee?
    Senator Pryor. Yes.
    Senator Nelson. So I will await your return.
    Senator Pryor. Thank you.
    Senator Nelson [presiding]. Consumer Reports in a recent 
edition had a survey and of the 2,000 people surveyed, one in 
eleven reported a major spyware infection on their computer. 
These infections are costly, may well cost over $100 to fix, 
and the overall calculated impact on the economy is $1.7 
billion. That's a figure that's only going to increase.
    So that's why we filed this legislation. We also hope that 
the Federal Trade Commission and other law enforcement agencies 
are going to take further action to pursue to the maximum 
extent possible foreign spyware developers.
    Now, in another arena, in the intelligence arena, in the 
defense arena, we have a particular concern which is not the 
subject of the discussion here today. But clearly that overlays 
the problem that we're talking about on consumers today.
    So we are delighted to have Ms. Eileen Harrington, Deputy 
Director of the Bureau of Consumer Protection at the FTC. So, 
Ms. Harrington, your presentation, please. Your lengthy 
statement will be a part of the record, so if you would just 
summarize, and then we'll get right into the questions. Thank 
you.

  STATEMENT OF EILEEN HARRINGTON, DEPUTY DIRECTOR, BUREAU OF 
         CONSUMER PROTECTION, FEDERAL TRADE COMMISSION

    Ms. Harrington. Thank you very much, Senator Nelson and 
Chairman Pryor and Members of the Committee. I am Eileen 
Harrington.
    Spyware and other malware cause substantial harm to 
consumers and to the Internet as a medium of communication and 
commerce. Protecting consumers from this harm is a priority for 
the Federal Trade Commission and we thank you for giving us the 
opportunity to appear here today to talk about the FTC's 
activity in this area and to comment on S. 1625, the Counter 
Spy Act, which was introduced by Senator Pryor, Senator Boxer, 
and Senator Nelson.
    Since 2004 the FTC has brought 11 spyware-related law 
enforcement actions and, while we certainly haven't solved the 
spyware problem, our law enforcement efforts have, we believe, 
had an effect and have reduced the prevalence of pop-up ads 
generated by nuisance adware. Our spyware law enforcement 
actions reaffirmed three key principles.
    The first is that a consumer's computer belongs to him or 
her, not to the software distributor, and it must be the 
consumer's choice whether or not to install software. This 
principle reflects the basic common sense notion that Internet 
businesses are not free to help themselves to the resources of 
a consumer's computer.
    The second principle articulated in our enforcement work is 
that buried disclosures of material information necessary to 
correct an otherwise misleading impression are not sufficient, 
just as they have never been sufficient in more traditional 
areas of commerce. Specifically, burying material information 
in an End User License Agreement will not shield a spyware 
purveyor from Section 5 liability.
    The third principle underscored by our work is that if a 
distributor puts a program on a computer that the consumer does 
not want the consumer should be able to uninstall or disable 
it.
    As in so many other areas, cooperation among law 
enforcement agencies is vital to successful enforcement in the 
spyware area. Many of the worst abuses connected with spyware 
are criminal activity in nature and we at the FTC coordinate 
very closely with our colleagues at the Department of Justice 
to see to it that these criminals are prosecuted. The FTC also 
coordinates closely with State law enforcement partners who 
bring enforcement actions against spyware distributors.
    Now, in addition to engaging in law enforcement and 
coordinating with others in the enforcement community, the FTC 
has made consumer education a priority. In September 2005, the 
FTC formed a partnership with other Federal agencies in the 
technology industry to launch a multimedia interactive consumer 
education initiative, OnGuard Online. The OnguardOnline.gov 
website now attracts over 350,000 unique visits each month and 
many organizations have taken the OnGuard Online materials for 
their own security training. The comprehensive website has 
general information on online safety as well as sections with 
specific information on a range of topics, including spyware.
    Turning to the bill under discussion, S. 1625, we would 
make two points. First, although we have successfully used 
Section 5 of the FTC Act to challenge conduct related to 
spyware distribution under Section 5, legislation authorizing 
the Commission to seek civil penalties in spyware cases would 
provide a welcome addition to remedies available to us. 
Currently under Section 13(b) of the FTC Act we have authority 
to file actions in Federal district court and to obtain 
injunctive and equitable monetary relief in the form of 
consumer redress or disgorgement. In spyware cases, however, 
restitution or disgorgement may be neither appropriate nor 
sufficient remedies because consumers often have not purchased 
a product or a service from the defendants, the harm to 
consumers may be very difficult to quantify, or the defendant's 
profits may be slim or difficult to calculate with certainty. 
In such cases a civil penalty may be a far better remedy and 
serve as a stronger deterrent.
    Second, under general consumer protection principles and 
traditional Section 5 jurisprudence, the Commission need not 
show knowledge or intent in order to obtain injunctive relief, 
but several sections of S. 1625 impose an overarching knowledge 
or intent threshold for enforcement that could create a higher 
and more difficult evidentiary burden for the FTC in obtaining 
injunctions in civil spyware cases.
    Section 5(m)(1) of the FTC Act already requires that the 
Commission prove knowledge in any civil penalty action. 
Eliminating the knowledge or intent threshold from S. 1625 
would not change the Commission's elevated burden regarding 
civil penalties, but it would maintain the ordinary burden that 
we have to meet in order to obtain injunctive relief. So we 
would recommend that change.
    I thank you for focusing your attention on this important 
issue and giving us the opportunity to discuss the Commission's 
enforcement record. Thank you.
    [The prepared statement of Ms. Harrington follows:]

       Prepared Statement of Eileen Harrington, Deputy Director, 
        Bureau of Consumer Protection, Federal Trade Commission
I. Introduction
    Chairman Pryor and members of the Committee on Commerce, Science, 
and Transportation, I am Eileen Harrington, Deputy Director of the 
Bureau of Consumer Protection of the Federal Trade Commission 
(``Commission'' or ``FTC'').\1\ Spyware and other malware can cause 
substantial harm to consumers and to the Internet as a medium of 
communication and commerce. Protecting consumers from such harm is a 
priority for the Commission, and the agency thanks this Committee for 
the opportunity to describe what the FTC is doing in this area and to 
provide input on S. 1625, the ``Counter Spy Act'' introduced by 
Senators Pryor, Boxer, and Nelson.
---------------------------------------------------------------------------
    \1\ The written statement presents the views of the Federal Trade 
Commission. Oral statements and responses to questions reflect the 
views of the speaker and do not necessarily reflect the views of the 
Commission or any Commissioner.
---------------------------------------------------------------------------
    This written statement provides background on the Commission's 
active program to address concerns about spyware and other malware, 
which includes law enforcement actions and consumer education efforts. 
First, it discusses the Commission's three key principles related to 
spyware as illustrated by the eleven spyware-related law enforcement 
actions the agency has initiated to date. Second, the statement 
highlights the Commission's consumer education efforts on spyware. 
Third, the statement offers the Commission's views on the proposed 
legislation, S. 1625.
    The Commission has a broad mandate to prevent unfair methods of 
competition and unfair or deceptive acts or practices in or affecting 
commerce.\2\ Although it is often challenging to locate and apprehend 
the perpetrators, the FTC has successfully challenged the distribution 
of spyware that causes injury to consumers online.
---------------------------------------------------------------------------
    \2\ 15 U.S.C. § 45.
---------------------------------------------------------------------------
    Spyware and other malware that is downloaded without authorization 
can cause a range of problems for computer users, from nuisance adware 
that delivers pop-up ads, to software that causes sluggish computer 
performance, to keystroke loggers that capture sensitive information. 
As described below, the Commission has an active program to address 
concerns about spyware and other malware, including law enforcement and 
consumer education. Since 2004, the Commission has initiated eleven 
spyware-related law enforcement actions.\3\ While the problem of 
spyware has not been solved, our cases have had a significant effect 
and, based on our investigative experience, we believe the prevalence 
of pop-up ads generated by nuisance adware has been dramatically 
reduced.
---------------------------------------------------------------------------
    \3\ Detailed information regarding each of these law enforcement 
actions is available at 
http://www.ftc.gov/bcp/edu/microsites/spyware/law_enfor.htm.
---------------------------------------------------------------------------
II. Spyware Law Enforcement
A. FTC Cases
    The Commission's spyware law enforcement actions reaffirm three key 
principles. The first is that a consumer's computer belongs to him or 
her, not to the software distributor, and it must be the consumer's 
choice whether or not to install software. This principle reflects the 
basic common-sense notion that Internet businesses are not free to help 
themselves to the resources of a consumer's computer. For example, in 
FTC v. Seismic Entertainment Inc.,\4\ and FTC v. Enternet Media, 
Inc.,\5\ the Commission alleged that the defendants unfairly downloaded 
spyware to users' computers without the users' knowledge, in violation 
of Section 5 of the FTC Act. Stipulated permanent injunctions were 
entered against the defendants in both matters, and defendants were 
ordered to disgorge more than $6 million, combined.
---------------------------------------------------------------------------
    \4\ FTC v. Seismic Entertainment, Inc., No. 04-377-JD, 2004 U.S. 
Dist. LEXIS 22788 (D.N.H. Mar. 22, 2006), available at 
http://www.ftc.gov/os/caselist/0423142/0423142.shtm.
    \5\ FTC v. Enternet Media, Inc., CV 05-7777 CAS (C.D. Cal., Aug. 
22, 2006), available at 
http://www.ftc.gov/os/caselist/0523135/0523135.shtm.
---------------------------------------------------------------------------
    The second principle is that buried disclosures of material 
information necessary to correct an otherwise misleading impression are 
not sufficient, just as they have never been sufficient in more 
traditional areas of commerce. Specifically, burying material 
information in an End User License Agreement will not shield a spyware 
purveyor from Section 5 liability. This principle was illustrated in 
FTC v. Odysseus Marketing, Inc.\6\ and Advertising.com, Inc.\7\ In 
these two cases, the Commission's complaint alleged (among other 
violations) that the defendants failed to disclose adequately that the 
free software they were offering was bundled with harmful software 
programs. The orders entered in both cases require the defendants to 
disclose properly the effects of software programs that they offer in 
the future.
---------------------------------------------------------------------------
    \6\ FTC v. Odysseus Marketing, Inc., No. 05-CV-330 (D.N.H. Oct. 24, 
2006) (stipulated permanent injunction), available at 
http://www.ftc.gov/os/caselist/0423205/0423205.shtm.
    \7\ In the Matter of Advertising.com, Inc., FTC Dkt. No. C-4147 
(Sept. 12, 2005) (consent order), available at 
http://www.ftc.gov/os/caselist/0423196/0423196.shtm.
---------------------------------------------------------------------------
    The third principle is that, if a distributor puts a program on a 
computer that the consumer does not want, the consumer should be able 
to uninstall or disable it. This principle is underscored by cases 
against Zango, Inc.\8\ and DirectRevenue LLC.\9\ These companies 
allegedly provided advertising programs, or adware, that monitored 
consumers' Internet use and displayed frequent, targeted pop-up ads--
over 6.9 billion pop-ups by Zango alone. According to the Commission's 
complaints, the companies deliberately made these adware programs 
difficult for consumers to identify, locate, and remove from their 
computers, thus thwarting consumer efforts to end the intrusive pop-
ups. Among other relief, the consent orders require Zango and 
DirectRevenue to provide a readily identifiable means to uninstall any 
adware that is installed in the future, as well as to disgorge $3 
million and $1.5 million, respectively.
---------------------------------------------------------------------------
    \8\ In the Matter of Zango, Inc. f/k/a 180 Solutions, Inc., FTC 
Dkt. No. C-4186 (Mar. 7, 2007), available at 
http://www.ftc.gov/os/caselist/0523130/index.shtm.
    \9\ In the Matter of DirectRevenue LLC, FTC Dkt. No. C-4194 (June 
26, 2007), available at 
http://www.ftc.gov/os/caselist/0523131/index.shtm.
---------------------------------------------------------------------------
    Similarly, in FTC v. Digital Enterprises, Inc.,\10\ the Commission 
alleged that the defendants installed software onto consumers' 
computers that repeatedly launched text and video pop-ups that 
consumers could not close or minimize. These pop-ups demanded payment 
for access to the defendants' purported entertainment websites. Among 
other relief, the September 2007 stipulated permanent injunction 
requires the defendants to provide a way for consumers to remove the 
software, bars future downloads without consumer consent, and requires 
the defendants to pay more than $500,000 for consumer redress.
---------------------------------------------------------------------------
    \10\ FTC v. Digital Enterprises, Inc. d/b/a Movieland.com, 
CV06-4923 (C.D. Cal. Sept. 5, 2007), available at 
http://www.ftc.gov/os/caselist/0623008/index.shtm.
---------------------------------------------------------------------------
    In addition, the agency's law enforcement efforts have alerted the 
Commission to novel spyware-related consumer protection issues such as 
the marketing of bogus anti-spyware programs. For example, in FTC v. 
MaxTheater, Inc.\11\ and FTC v. Trustsoft, Inc.,\12\ the FTC alleged 
that the defendants made false claims to consumers about the existence 
of spyware on their machines and then used these false claims to 
convince consumers to conduct free ``scans'' of their computers. These 
scans would identify innocuous software as spyware, helping to persuade 
consumers to purchase the defendants' spyware removal products at a 
cost of between $30 and $40. Moreover, the FTC alleged, the defendants 
claimed their spyware removal products could effectively uninstall many 
different types of known spyware programs, but the defendants' products 
did not perform as promised. In both cases, courts entered stipulated 
permanent injunctions prohibiting the claims and requiring the 
defendants to disgorge a total of nearly $2 million.
---------------------------------------------------------------------------
    \11\ FTC v. MaxTheater, Inc., No. 05-CV-0069 (E.D. Wa. Dec. 6, 
2005), available at 
http://www.ftc.gov/os/caselist/0423213/0423213.shtm.
    \12\ FTC v. Trustsoft, Inc., No. H-05-1905 (S.D. Tex. Nov. 30, 
2005), available at 
http://www.ftc.gov/os/caselist/0523059/0523059.shtm.
---------------------------------------------------------------------------
B. Cooperation with Department of Justice and State Law Enforcement
    As in so many other areas, cooperation among law enforcement 
agencies is vital to successful law enforcement in the spyware arena. 
Many of the worst abuses connected with spyware are criminal,\13\ and, 
in appropriate cases, the Commission coordinates closely with the 
Department of Justice. For example, in FTC v. ERG Ventures, LLC,\14\ 
the FTC's complaint alleged that the defendants secretly downloaded 
multiple malevolent software programs, including spyware, onto millions 
of computers without consumers' consent. The defendants also allegedly 
tricked consumers into downloading harmful software by hiding the 
malicious programs within seemingly innocuous free software. The U.S. 
Attorney's Office for the District of Columbia launched a parallel 
criminal investigation, and executed search warrants simultaneously 
with the filing of the FTC's civil case.\15\
---------------------------------------------------------------------------
    \13\ See, e.g., Department of Justice, Computer Crime & 
Intellectual Property Section, Computer Crime News Releases, available 
at http://www.usdoj.gov/criminal/cybercrime/ccnews.html.
    \14\ FTC v. ERG Ventures, LLC, 3:06-CV-00578-LRH-VPC (D. Nev. Oct. 
3, 2007), available at 
http://www.ftc.gov/os/caselist/0623192/index.shtm. Pursuant to the 
stipulated order entered by the court in the FTC action, the defendants 
must disgorge $330,000. A permanent injunction also bars the defendants 
from downloading software onto consumers' computers without disclosing 
its function and obtaining consumers' consent prior to installation, 
bars them from downloading software that interferes with consumers' 
computer use, and bars false or misleading claims.
    \15\ See FTC News Release, Court Shuts Down Media Motor Spyware 
Operation (Nov. 13, 2006), available at 
http://www.ftc.gov/opa/2006/11/mediamotor.shtm.
---------------------------------------------------------------------------
    The Commission also coordinates with state partners who bring their 
own law enforcement actions against spyware distributors. The FTC has 
established a Federal-state spyware law enforcement task force to 
discuss issues and trends in spyware law enforcement. The task force 
consists of representatives from agencies such as the Department of 
Justice and state attorneys general. Federal criminal and state law 
enforcement actions are a critical complement to the FTC's law 
enforcement actions.
III. Education
    In addition to engaging in law enforcement, the FTC has made 
consumer education a priority. In September 2005, the Commission and a 
partnership of other Federal agencies and the technology industry 
launched a multimedia, interactive consumer education initiative, 
OnGuard Online, along with a Spanish-language version, AlertaenLinea. 
The OnGuardOnline.gov site now attracts over 350,000 unique visits each 
month, and many organizations have adapted the OnGuard Online materials 
for their own security training. The comprehensive website has general 
information on online safety, as well as sections with specific 
information on a range of topics, including spyware. The spyware module 
includes up-to-date information, as well as interactive features like 
quizzes and videos. As part of the OnGuard Online initiative, the FTC 
also has distributed a million copies of the brochure and two million 
copies of the bookmark, ``Stop Think Click: 7 Practices for Safer 
Computing,'' with information on spyware and other computer safety 
topics. The FTC also has issued a Consumer Alert on spyware, as well as 
Alerts addressing other online security issues such as viruses and 
peer-to-peer file sharing.\16\
---------------------------------------------------------------------------
    \16\ See, e.g., P2P File-Sharing: Evaluate the Risks (Feb. 2008), 
available at 
http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt128.shtm; Botnets 
and Hackers and Spam (Oh, My!) (June 2007), available at 
http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt132.shtm; Spyware 
(July 2005), available at 
http://www.ftc.gov/bcp/conline/pubs/alerts/spywarealrt.shtm; Detect, 
Protect, Dis-infect: Consumers Online Face Wide Choices in Security 
Products (Sept. 2004), available at 
http://www.ftc.gov/bcp/conline/pubs/alerts/idsalrt.shtm; see generally 
http://www.ftc.gov/bcp/menus/consumer/tech/privacy.shtm.
---------------------------------------------------------------------------
IV. Legislative Steps to Address Spyware
    Although the FTC has successfully challenged conduct related to 
spyware dissemination under Section 5, legislation authorizing the 
Commission to seek civil penalties in spyware cases could add a potent 
remedy to those otherwise available to the Commission. Currently, under 
Section 13(b) of the FTC Act, the Commission has the authority to file 
actions in Federal district court and to obtain injunctive relief and 
equitable monetary relief in the form of consumer redress or 
disgorgement. It has been the agency's experience in spyware cases, 
however, that restitution or disgorgement may not be appropriate or 
sufficient remedies because consumers often have not purchased a 
product or service from the defendants, the harm to consumers may be 
difficult to quantify, or the defendants' profits may be slim or 
difficult to calculate with certainty. In such cases, a civil penalty 
may be the most appropriate remedy and serve as a strong deterrent. 
Accordingly, the Commission is pleased that S. 1625 provides the 
Commission this valuable law enforcement tool.
    Last June, FTC staff provided this Committee with technical 
comments to S. 1625. Of the various suggestions respectfully made by 
staff, one important aspect of the bill relating to both injunctive 
relief and civil penalties stands out. Under general consumer 
protection principles and traditional Section 5 jurisprudence, the 
Commission need not show knowledge or intent in order to obtain 
injunctive relief: that is, for stopping the violative conduct itself. 
But, several sections of S. 1625 impose an overarching knowledge or 
intent threshold for enforcement that could create an additional--and 
often very challenging--evidentiary burden for the FTC in obtaining 
injunctions in civil cases. Moreover, Section 5(m)(1) of the FTC Act 
already requires the Commission to prove knowledge in any action where 
civil penalties are sought. Eliminating the knowledge or intent 
threshold from the bill would not change the Commission's elevated 
burden regarding civil penalties, while maintaining the ordinary burden 
for obtaining injunctive relief.\17\ The agency looks forward to 
working with the Committee regarding the knowledge and intent aspects 
of the legislation, as well as any of the other important 
considerations raised by staff's technical comments.
---------------------------------------------------------------------------
    \17\ Indeed, removing the knowledge or intent requirements from S. 
1625 would be consistent, for example, with the approach in the CAN-
SPAM Act. See 15 U.S.C. § 7706(e) (granting the FTC authority to seek 
cease-and-desist orders and injunctive relief without alleging or 
proving knowledge). Spam raises similar enforcement issues to spyware 
regarding quantifying consumer injury and defendants' profits.
---------------------------------------------------------------------------
V. Conclusion
    The FTC will continue its aggressive law enforcement and innovative 
consumer education programs in the spyware arena. The FTC thanks this 
Committee for focusing attention on this important issue, and for the 
opportunity to discuss the Commission's law enforcement program.

    Senator Nelson. Senator Vitter?
    Senator Vitter. Thank you, Mr. Chairman.
    Thank you very much for your testimony. In October 2005, 
then Chairman Majoras had a discussion with Senator Allen about 
these issues and I believe Senator Allen asked if new notice 
and consent requirements would help combat spyware. The then 
Chair testified that she didn't think that it would do so 
because studies showed the more consumers are bombarded with 
disclosure and consent requirements the more they don't read 
them and sort of let them pass by and ignore them. What's your 
reaction to that question?
    Ms. Harrington. I think probably our view has not changed, 
but, more importantly, I think the nature of the spyware 
problem has shifted some, from the sort of pervasive pop-up and 
nuisance ads that adware brought us, to far more malicious and 
malevolent consequences from spyware.
    I think that it's very unlikely that criminals using 
spyware to take over consumers' computers and cause them to do 
bad things would comply with notice requirements. These are 
criminals and their stock in trade is to sneak around.
    Senator Vitter. OK. What do you think our general approach 
should be in terms of how technology specific we have to be or 
to what extent we can avoid that?
    Ms. Harrington. Well, we certainly know from what is really 
a very brief period of time during which the Internet has 
operated as a principal method of commerce that the technology 
shifts very quickly. To the extent that the Congress chooses to 
legislate in this area, I recommend staying away from specific 
technology and favoring broad principles like those that are 
found in Section 5 of the FTC Act, which as an enforcement tool 
has proven over the decades to be a marvelously flexible and 
resilient statute. The FTC Act was adopted in the earlier part 
of the 20th century and it has stood us very well. It is the 
statute that we have used to stop spyware purveyors in 11 
enforcement actions. That kind of flexibility in a statute is 
very helpful when the technology changes virtually overnight.
    Senator Vitter. OK, that's all I have right now, Mr. 
Chairman.
    Senator Nelson. Ms. Harrington, you note that one of the 
Commission's spyware enforcement principles is a consumer 
should be able to uninstall or disable unwanted spyware. In the 
Zango and DirectRevenue consent orders, this principle was 
interpreted requiring those parties to provide a readily 
identifiable means to uninstall. How is that readily 
identifiable means identified? How is it defined?
    Ms. Harrington. The order sets the standard. The test is 
whether a reasonable consumer having the experience of having 
that software loaded onto his or her computer can readily see 
how it is that it can be uninstalled. It's really a reasonable 
consumer standard that's incorporated in those orders.
    Senator Nelson. So it's not a case by case analysis?
    Ms. Harrington. Well, do you mean for purposes of complying 
with that order, Senator, or across the board?
    Senator Nelson. Of defining it.
    Ms. Harrington. Well, we would always look case by case to 
see whether--but employing the reasonable consumer standard. 
That is how the Commission proceeds also in using Section 5 as 
an enforcement tool and it is how the courts have interpreted 
Section 5 and ordered relief.
    Senator Nelson. Do you need to include an operating system 
toolbar?
    Ms. Harrington. Do you need to?
    Senator Nelson. Does the readily identifiable means need to 
include an operating system toolbar?
    Ms. Harrington. I'm going to turn to one of our lawyers 
who's right behind me who worked on that case.
    Senator Nelson. Does the----
    Ms. Harrington. I don't want to give a wrong answer.
    Senator Nelson. OK, come on up.
    Ms. Harrington. It doesn't necessarily require a toolbar, 
Senator, but we would generally think that the consumer would 
look to the add-remove function to find and remove the 
software. Or there could be a link that the consumer could use 
to get to the add-remove.
    Senator Nelson. And if it's another kind of spyware, there 
would be another kind of toolbar to remove?
    Ms. Harrington. Any software that would be loaded onto the 
consumer's computer would need to be easily found and removed. 
I think generally we would expect that it would be very 
apparent when the add-remove function is chosen. But a link 
would work as well.
    Senator Nelson. Do you think some clear rules or 
definitions might be helpful to consumers so that they would 
know where to look for this uninstall tool?
    Ms. Harrington. I think that generally, that the standard 
that requires that it be readily apparent and useable would be 
a better standard in a situation where the technology and 
format are changing frequently. So I would be concerned about 
tying by rule to a particular technique for removal. I think 
that the better approach would be to require that it be readily 
apparent and accessible to consumers, and we would assume that 
over time what that means would change; in very specific terms 
what it means would change with the technology.
    Senator Nelson. What if the spyware is a keystroke logger 
and it's capturing all of the keystrokes that the computer user 
uses, such as it is trying to get passwords or personal 
information?
    Ms. Harrington. Well, that's criminal.
    Senator Nelson. It is. But what about a toolbar to remove 
that? How would you go about that?
    Ms. Harrington. How would I go about that? I think that it 
would be unlikely, frankly, that someone installing a keystroke 
logger would willingly put a clear and apparent tool right 
before the consumer to alert him or her to the fact that the 
keystroke logger has been loaded on and to allow them to remove 
it. The whole purpose of that kind of software is to 
surreptitiously steal information from consumers.
    Senator Nelson. So how does the consumer clean his computer 
of that spyware?
    Ms. Harrington. It may be that the consumer's security 
program that presumably includes a scan function that can be 
regularly run, will identify that program. Typically, when you 
run those kinds of scans you get a box with a report that tells 
you what you have and it's really easy to remove.
    If the software can't be detected by those kinds of 
programs, and the really bad stuff that we're talking about 
oftentimes flies under that radar, the consumer may not be able 
to discern its presence on his or her computer until something 
really bad happens, and then the consumer has to backtrack to 
try to figure out how his or her information fell into the 
hands of bad guys. It may be very tough for consumers to know 
that they have that kind of software on their computer.
    Senator Nelson. What percentage of the spyware do you think 
currently originates outside of the United States?
    Ms. Harrington. We don't have a way of measuring that, but 
we certainly know that there are problems with malevolent 
software that shows up through spyware, through e-mail on 
people's computers. We know that there are big problems with 
that kind of material originating outside of the United States. 
But we don't have a way of measuring it, just as we don't have 
a way of measuring the totality of spyware that's loaded onto 
consumers' computers, whether it comes from within or outside 
of the United States.
    Senator Nelson. Do we need to give the FTC new tools to go 
after these foreign bad actors?
    Ms. Harrington. Well, we're very grateful to the Congress 
for having given us some new tools a couple of years ago in the 
U.S. SAFE WEB Act. We have enhanced authority now to share 
information with foreign counterparts and obtain information 
from them, and we are using it in nonpublic investigations all 
the time, and we're most appreciative of the Congress for 
giving us those authorities.
    Senator Nelson. So we have enough? We don't need more?
    Ms. Harrington. We're in good shape now, thank you.
    Senator Nelson. How well do commercial anti-spyware 
applications work?
    Ms. Harrington. Well, some work well and some don't work 
well. Some anti-spyware applications are actually hawked by 
crooks to put more spyware on your computer instead of taking 
it off. So there's quite a spectrum of performance. But the 
reputable software companies that are selling anti-virus and 
security software sell reasonably good products, and if you 
visit our OnGuardOnline website, we recommend that everyone 
make sure to have good security programs on their computer and 
run them regularly.
    Senator Nelson. Well, the government and the commercial 
anti-spyware providers seem to have been talking for quite a 
while now and still the message isn't getting out to a lot of 
consumers. How can we do it better?
    Ms. Harrington. Well, first of all, we would urge everyone, 
every government and commercial entity that cares about this to 
have a link to OnGuardOnline right on their website. It is a 
very consumer-friendly site with really easy-to-understand and 
use directions about how to protect your computer from a host 
of bad things and how to prevent oneself from experiencing bad 
experiences in the online environment.
    So help us get the message out. I think that to the extent 
that the manufacturers of anti-spyware software and other 
security products can continue to make these products very user 
friendly, anything that we can do to encourage movement in that 
direction is a good thing. These products have become far more 
user friendly. I know, I can actually use them reasonably well 
myself now and I used to find them to be quite difficult.
    Senator Nelson. Yesterday's New York Times carried a story 
about the Attorney General of New York going after child 
pornography and it seemed like an inventive way that he was 
doing it, by going and holding the people who convey the 
information accountable. First of all, would you comment on 
what it is, explain it, and then tell us what you think about 
it?
    Ms. Harrington. Well, I've read the same press accounts 
that you have. That's what I know about this. But my 
understanding is that the agreement that the attorney general 
of New York entered into is with three large ISPs, and the ISPs 
have agreed to block their users from accessing sites that have 
been identified as containing child pornography material.
    This is an agreement or a settlement. I don't know what the 
underlying legal theory is. I noted in some of the press 
accounts that I read this morning that some are raising First 
Amendment concerns. Beyond that, I really don't know more about 
that agreement.
    Stepping back, there are certainly times when companies 
that operate portals or control the means of access have been 
able to step up and use that influence and leverage to shut off 
or discourage bad activity. That's not a new approach. I really 
don't know about this particular settlement and how effective 
it will be at eliminating the problem that they're seeking to 
address.
    Senator Nelson. Senator Vitter?
    Senator Vitter. I'm fine. Thank you, Mr. Chairman.
    Senator Nelson. Well, Ms. Harrington, thank you very much 
for your testimony.
    Ms. Harrington. Thank you, Senator.
    Senator Nelson. We would ask the second panel to please 
come up.
    We are very pleased to have Mr. Arthur Butler, who is with 
the Americans for Fair Electronic Commerce Transactions; Mr. 
Jerry Cerasale, who is Senior Vice President, Government 
Affairs with Direct Marketing Association; Mr. Marc Rotenberg, 
Executive Director, the Electronic Privacy Information Center; 
Dr. Benjamin Edelman, who is at the Harvard Business School; 
Mr. Vincent ``WAE-fer''----
    Mr. Weafer. ``WEE-fer.''
    Senator Nelson. ``WEE-fer,'' who is Vice President, in 
Security Response with the Symantec Corporation, and on behalf 
also of the Business Software Alliance.
    We'll start in the order that you are listed on the agenda. 
Mr. Butler. And what I want you to do, I don't want you to sit 
here and read a statement to us. We're going to take your 
printed statements. That's going to be a part of the record. So 
what we want you to do is talk to us.
    So, Mr. Butler.

  STATEMENT OF ARTHUR A. BUTLER, ATTORNEY, ATER WYNNE LLP, ON 
 BEHALF OF AMERICANS FOR FAIR ELECTRONIC COMMERCE TRANSACTIONS 
                            (AFFECT)

    Mr. Butler. Good afternoon. My name is Art Butler. I'm an 
attorney with the Ater Wynne law firm in Seattle, Washington, 
and I'm here today on behalf of AFFECT, which is a diverse 
group of nonprofits and commercial entities, including consumer 
groups, who are firmly committed to promoting the growth of 
fair and competitive transactions in software and other digital 
products.
    I first wanted to commend Senator Pryor and the other 
cosponsors of the Counter Spy Act for introducing what we think 
is a very important piece of legislation and for holding this 
hearing, because you, like the members of AFFECT, are very 
worried about the privacy and security issues that are 
presented by spyware.
    As our long statement indicates, we firmly support S. 1625 
because we believe that spyware is an insidious problem that 
desperately needs to be addressed. The sad fact is that every 
computer in the United States is under attack from numerous 
sources that are trying to surreptitiously install or prevent 
the removal of spyware programs that will allow the spies to 
intercept or gain partial control of the user's interaction 
with his or her computer without obtaining the user's informed 
consent.
    Often the spyware that is introduced contains what are 
called back doors, which essentially are ways in which a 
computer spy can get around normal authentication and remotely 
gain control over the computer and avoid detection. Once 
someone gains control of your computer, they can install all 
kinds of different devices to compromise the security of that 
computer. In fact, it is generally agreed that spyware 
represents a significant threat to the security of any user's 
computer system and data.
    While we support the bill, we do have a major concern with 
the exceptions section of the bill. That is due to, one, the 
fact that really we don't see that any of the exceptions that 
are listed there are really needed or justified. But we're 
particularly concerned about the exception in subsection 
6(a)(10) which would permit a provider to monitor or interact 
with a computer in order to prevent or detect the unauthorized 
use of software, fraudulent or other illegal activities.
    We think this language is overly broad and it would in 
effect permit or protect activities which could be harmful to 
computer users in direct opposition to the objective of the 
bill. It would in effect allow a software vendor to freely 
monitor everything that's on a user's computer, essentially 
setting them up as an ad hoc police force to conduct 
warrantless searches and seizures. We don't think that private 
entities should be allowed to engage in law enforcement 
activities.
    The most troubling fact to us is the fact that that 
language would permit a software vendor to unilaterally 
remotely disable the software on a computer or to disable a 
network connection or service. Often the question about whether 
use is unlawful or fraudulent or illegal is subject to 
legitimate dispute, and it really merits some judicial 
consideration before you allow a software vendor to 
unilaterally employ such a drastic remedy as remote 
disablement.
    This is a major concern to our members and we have in our 
long statement given examples of cases where you have seen 
software purveyors unilaterally decide that they didn't get an 
adequate license payment and then just go in and shut down 
someone's computer, causing some very significant negative 
consequences for the computer user.
    But it's also important to realize that a lot of these 
disputes never make it to the courthouse steps because the 
balance of harm that's caused by someone unilaterally shutting 
down your computer is so far against the computer user that the 
mere threat that that can be used will cause the user to 
essentially cave in to the demands of a vendor.
    We are particularly concerned about what happens when 
someone remotely accesses a computer and attempts to disable it 
because that act alone can cause damage to other files owned by 
the computer user and the simple fact is that the existence of 
that code that allows remote access and disablement can present 
a vulnerability that will allow security breaches by hackers, 
by saboteurs, by industrial and foreign government spies, and 
by terrorists.
    This is a major issue for our group, for both the smaller 
users and the large users. We have a suggestion for an 
amendment to subsection 6(a)(10) that would essentially limit 
that to the detection or prevention of fraudulent or other 
illegal activities as prohibited by the Act, which we think is 
the appropriate limitation there.
    Thank you. I'd be glad to respond to any questions.
    [The prepared statement of Mr. Butler follows:]

 Prepared Statement of Arthur A. Butler, Attorney, Ater Wynne LLP, on 
 Behalf of Americans for Fair Electronic Commerce Transactions (AFFECT)
    Good afternoon. My name is Art Butler. I am an attorney with Ater 
Wynne LLP in Seattle, Washington. I am very pleased to appear before 
you today on behalf of AFFECT (Americans for Fair Electronic Commerce 
Transactions) at this important hearing on the impact and policy 
implications of spyware on consumers and businesses. AFFECT is a 
national coalition of consumer representatives, retail and 
manufacturing businesses, insurance institutions, financial 
institutions, technology professionals, librarians, and public interest 
organizations committed to promoting the growth of fair and competitive 
commerce in software and other digital products.
    We commend you, Chairman Pryor, and all the sponsors of the Counter 
Spy Act (S. 1625), for introducing this important bill because, like 
you, our members are very worried about the privacy and security risks 
associated with spyware. AFFECT strongly supports S. 1625. However, we 
are very concerned with the exception provision and believe it is 
overly broad. In our view, it could in fact be construed to protect 
wrongful acts that can result in great harm to computer users. We 
believe this section is in direct opposition to the laudable purpose of 
the bill and hope very much that you will consider the amendment which 
we propose today.
AFFECT's Concerns with Spyware
    AFFECT has been active in representing the interests of software 
consumers in the debates about the appropriate language to be included 
in anti-spyware legislation in several states and has advocated 
strenuously that these legislatures not adopt exception language so 
broad that it swamps the prohibitions that are designed to protect 
computer users. Since AFFECT began actively educating legislators in 
the states of the potential for damage, creation of security 
vulnerabilities, and for invasion of privacy and unauthorized search 
and seizure in relation to consumers' computers due to the exception 
language in question--the language has failed to pass in even one state 
legislature.
    The sad fact is that every computer in the United States is under 
attack from numerous sources trying to surreptitiously install or 
prevent removal of spyware that will allow the spy to intercept or take 
partial control over the user's interaction with the computer, without 
the user's informed consent.
    While the term ``spyware'' suggests software that secretly monitors 
the user's behavior, the functions of spyware extend well beyond simple 
monitoring. Spyware can collect various types of personal information, 
interfere with the user's control of the computer, change computer 
settings, result in slow connection speeds, loss of Internet or other 
programs, disable software firewalls and anti-virus software, and/or 
reduce browser security settings, thus opening the system to further 
infections. It can enable identity theft and fraud.
    Often spyware will contain a ``backdoor,'' which is a method of 
bypassing normal authentication, securing remote access to a computer 
and obtaining access to plaintext, while attempting to remain 
undetected. Someone who has gained access to your computer can install 
many types of devices to compromise security, including operating 
system modifications, software worms, key loggers, and covert listening 
devices. Some backdoors, such as the Sony/BMG rootkit \1\ distributed 
silently on millions of music CDs through late 2005, are intended as 
digital rights management (DRM) measures and, in that case, as data 
gathering agents, since both surreptitious programs they installed 
routinely contacted central servers. The copy prevention software Sony/
BMG included on its CDs was automatically installed on Windows desktop 
computers when customers tried to play the CDs. The software interferes 
with the normal way in which the Microsoft Windows operating system 
plays CDs, opening security holes that allow viruses to break in, and 
causing other problems.\2\
---------------------------------------------------------------------------
    \1\ A ``rootkit'' is a program designed to take fundamental control 
of a computer system, without authorization by the system's owners and 
legitimate managers. Typically, rootkits act to obscure their presence 
on the system through subversion or evasion of standard operating 
system security mechanisms. Often, they are also Trojans as well, 
fooling users into believing they are safe to run on their systems.
    \2\ As a result, a number of parties filed lawsuits against Sony/
BMG; the company eventually recalled all the affected CDs.
---------------------------------------------------------------------------
    It is generally agreed that spyware represents a significant threat 
to the security of any computer owner's data. Even for large 
enterprises spyware represents a serious threat to the integrity of 
intellectual property, confidential data, and personally identifiable 
information of employees and customers. Accordingly, AFFECT supports 
legislative efforts, like S. 1625, that are designed to curb the use of 
harmful spyware.\3\
---------------------------------------------------------------------------
    \3\ S. 1625 (Pryor), introduced in June 2007, would protect against 
the unauthorized installation of software that is used to take control 
of a computer in order to cause damage, collect personal information 
without consent, or otherwise enable identity theft.
---------------------------------------------------------------------------
AFFECT's Concerns with the Exception Provision of S. 1625
    AFFECT has concerns with the exception section of S. 1625, section 
6, which is overly broad and could be construed to protect wrongful 
acts that can result in great harm to computer users in direct 
opposition to the purpose of the bill.
    We are particularly concerned about Subsection 6(a)(10), which 
would permit a provider to monitor or interact with an individual's 
computer, or Internet or other network connection or service for the 
``detection or prevention of the unauthorized use of software 
fraudulent or other illegal activities.'' The reference to 
``unauthorized'' is too vague and raises a number of questions. 
``Authorized'' by whom? What is the process for authenticating the 
identity of the person using the software? And what are the standards 
for determining whether that person has the authority to perform a 
certain operation, and who decides?
    This language would allow a software vendor to surreptitiously 
download code onto a user's computer and freely violate the user's 
privacy by monitoring everything on his or her computer, as long as it 
did so under the guise of looking for unauthorized use, fraudulent, or 
illegal activities. It would allow the provider to set itself up as an 
ad hoc police force to conduct warrantless searches and to act as judge 
and jury to conduct unilateral seizures. Private entities do not and 
should not have the right to conduct law enforcement activities.
    More troubling is the fact that the language of Subsection 6(a)(10) 
would effectively allow a software provider to unilaterally decide to 
remotely shut down the user's computer or Internet or other network 
connection or service. But whether the use of a particular software is 
``unauthorized,'' ``fraudulent,'' or ``illegal'' is often subject to 
legitimate dispute and merits some judicial consideration before a 
provider is allowed to unilaterally employ a drastic remedy like remote 
disablement.
    Permitting unilateral remote disablement is simply bad public 
policy. Unilateral remote disablement can cause great harm to any 
computer owner who depends on access to and use of that computer, 
connection or service. For example, the shutdown of an owner's system 
can cause great harm to:

    • a teacher using a computer to prepare for classroom 
        lectures;

    • an insurer depending on a computer system to pay claims;

    • a manufacturer trying to deliver its products to meet 
        contractual commitments; or

    • the public's access to online library materials.

    That harm can be significantly larger than the harm to the software 
vendor (not getting a license fee).
    Even large enterprises are concerned about the threat of remote 
disablement. There have been a number of reported cases where software 
developers unilaterally determined that licensees didn't make 
appropriate payments and simply shut down the computer programs.\4\ The 
most widely reported was a case where a small software developer, 
Logisticon, Inc., installed malware within warehouse-management 
software delivered to cosmetic company, Revlon Inc. When the parties 
got into a dispute over whether the software had bugs and didn't 
perform as promised, Revlon withheld payment. Logisticon then tapped 
into Revlon's computers and disabled the program, which paralyzed 
Revlon's shipping operations for 3 days. Losses to Revlon were about 
$20 million. Revlon sued, charging extortion. Logisticon claimed this 
was simply ``electronic repossession.'' The case was settled out of 
court.
---------------------------------------------------------------------------
    \4\ Other cases include the following: In 1998 in Franks & Sons, 
Inc. v. Information Solutions, Inc., the software developer installed a 
``drop-dead'' code in the program. When the customer failed to pay as 
promised, the developer activated the drop-dead code, which prevented 
the customer from accessing the software as well as any stored 
information. The customer didn't know about the drop-dead code, and the 
court found that it would be unconscionable to allow the software 
developer to hold the licensee ransom as it did.
    In 1991, in American Computer Trust Leasing v. Jack Farrell 
Implement Co., 763 F. Supp. 1473 (D. Minn. 1991), the software 
developer, in a dispute over payment for the software, remotely 
deactivated the software. The contract provided that the developer, who 
owned the software, could remotely access the licensee's computer in 
order to service the software and that, if the licensee defaulted, the 
agreement was canceled. When the licensee didn't pay, the developer 
told the licensee that it was going to deactivate the program, which it 
promptly did. The licensee sued for damages, but the court ruled in 
favor of the developer on the grounds that the deactivation was 
``merely an exercise of [the developer's] rights under the software 
license agreement . . .''
    There have been many other cases involving software developers 
either putting drop-dead code in their products or remotely disabling 
code when they thought the other party was in breach. For example, a 
Dallas medical device software developer was sued in 1989 for using a 
phone line to deactivate software that compiled patients' lab results. 
The case was settled. In 1990, during a dispute about the performance 
of a piece of code, the developer simply logged in and removed the 
code, until the licensee released the developer from any liability. The 
licensee claimed that the general release was signed under duress, 
since he was being held economic hostage. Art Stone Theatrical Corp. v. 
Technical Programming & Support Systems, Inc., 549 N.Y.S. 2d 789 (App. 
Div. 1990).
    In 1991, in Clayton X-Ray Co. v. Professional Systems Corp., 812 
S.W.2d 565 (Mo. Ct. App. 1991), a company involved in a payment dispute 
logged into the licensee's computer and disabled the software. When the 
licensee tried to log on to see its files, all it saw was a copy of the 
unpaid bill. A jury awarded the licensee damages.
    In Werner, Zaroff, Slotnick, Stern & Askenazy v. Lewis, 588 N.Y.S. 
2d 960 (Civ. Ct. 1992), a law firm contracted with a company to develop 
billing and insurance software. When the software reached a certain 
number of bills, and when the developer decided it had not been paid 
sufficiently, it shut down the software disabling access to the law 
firm's files. The law firm sued successfully.
---------------------------------------------------------------------------
    Clearly many disputes never make it to the courthouse steps because 
the balance of harm to be done via exercise of remote disablement is so 
overwhelmingly against the computer user that the mere threat of its 
use puts the user in an unfair position, and it must cave to the 
demands of the software vendor. The ability to unilaterally disable a 
user's computer or critical software running on it provides the 
software, network, or service provider undue leverage in a dispute even 
if the remedy is not exercised. Faced with a crippling and possibly 
even fatal disruption of its business, a user could be intimidated into 
relinquishing its rights and setting up precedents for its further 
disadvantage. This is because the risk to the provider that it will be 
held to have acted improperly is indefinite and its potential liability 
severely limited. Even if a provider wrongly exercises the remote 
disablement, it is unlikely the injured user will be able to recover 
money damages for the harm resulting from this action, including losses 
to the user's business attributable to the wrongful act, because 
providers routinely disclaim consequential damages in their licensee 
agreements; in fact, they routinely limit recoverable damages to the 
amount of the license fee.
    Moreover, in reaching into an individual's computer remotely to 
disable software residing on that computer, the software provider may 
not only violate privacy rights, but also damage the computer owner's 
other files. And the monitoring and remote disablement of software on 
an owner's computer by an outsider may compromise private information 
of employees, confidential and proprietary information of the owner, 
and, in some cases, national security information. As a result, it is 
possible that they could put an owner into breach of obligations it has 
under other laws (e.g., Health Insurance Portability and Accountability 
Act).
    The simple fact is that the code used to remotely enter a computer 
and disable the software or the network connection makes the computer 
vulnerable to security breaches by hackers, saboteurs, industrial and 
foreign governmental spies, and terrorists. The consequences of a 
successful intentional or even accidental misuse of a computer system 
range from loss of confidentiality to loss of system integrity, which 
may lead to more serious concerns, like data theft or loss, or, in the 
case of a business, significant financial losses or worse. When there 
is an opportunity to negotiate, many enterprises, including 
governmental entities, will insist that their software license 
agreements contain a warranty prohibiting any ``self-help code'' or 
other software routine designed to disable a computer program 
automatically or that is under the positive control of a person other 
than the licensee of the software. Unfortunately, with mass market 
licenses individual consumers and businesses are not able to negotiate 
for a ``no self-help code'' warranty.
Proposed Amendment
    S. 1625 is a commendable piece of legislation that addresses a real 
problem faced by computer users throughout this country. AFFECT 
supports it, but strongly recommends that the exception provision of S. 
1625 should only limit liability for interaction with a network, 
service, or computer that is undertaken to detect or prevent fraudulent 
or other illegal activities as prohibited by the act itself. Therefore, 
AFFECT proposes that Section 6(a)(10) of the bill be amended as 
follows:

        ``(10) detection or prevention of the unauthorized use of 
        software fraudulent or other illegal activities as prohibited 
        by this Act.''
Conclusion
    On behalf of AFFECT, thank you very much for the opportunity to 
appear before you today and for your consideration of our concerns. I 
would be happy to answer any questions you might have.

    Senator Nelson. Mr. Cerasale?

STATEMENT OF JERRY CERASALE, SENIOR VICE PRESIDENT, GOVERNMENT 
          AFFAIRS, DIRECT MARKETING ASSOCIATION, INC.

    Mr. Cerasale. Senator Nelson, Members of the Committee: 
Thank you for the opportunity to appear here today. I'm Jerry 
Cerasale, Senior Vice President for Government Affairs for the 
Direct Marketing Association, an association of 3,600 marketers 
who present offers and services to consumers directly.
    It is important in that kind of a business model that we 
have trust, that the consumer trust the marketer, but the 
consumer also has to trust the channel of marketing, and that's 
what we're here talking about today. In the past 3 years we 
have moved quite a ways in trying to prevent spyware, and I 
think we have to praise quite a few groups. One is Congress for 
constantly looking at this and putting pressure on us.
    The second are the software vendors, one of whom is sitting 
here on the table with me, for producing excellent products to 
go after and being able to remove objectionable software.
    Third, organizations, TRUSTe and even DMA, for setting up 
guidelines and establishing education. DMA has worked with, 
partnered with, the Federal Trade Commission and OnGuard 
Online.
    Finally but not least, law enforcement, looking at the 
Federal Trade Commission, the Department of Justice, and the 
State Attorneys General, pursuing bad actors.
    DMA supports removal of objectionable software and the 
means to do that. Our guidelines that we produce that all our 
members have to follow--and it's attached to my larger 
testimony--bans or prohibits putting on software that takes 
over someone's computer. It requires for installing other 
software that there be notes, that there be an easy means to 
uninstall or disable the program, that there be contact 
information concerning the organization that put the software 
on the computer so that the consumer can contact them, and that 
there be an easy, identifiable link to the privacy policy of 
that organization.
    So we have taken these steps and will continue to look at 
it more, and we had to write these guidelines in looking at it 
being not technologically, not focused on one technology, but 
to try and be broader so that as we get changes tomorrow and 
the next day, that we do not have to go back and rewrite our 
guidelines.
    We have a few specific comments concerning S. 1625. As we 
look at Section 4(b)(2) of the bill, we think also that this 
can be read very broadly and can in fact be used to cover 
legitimate advertising practices, those same practices that 
have helped create Cyber Monday to be a larger shopping day 
than Black Friday or support the great amount of free content 
on the Internet.
    We think, our suggestion is, in the previous Congress 
Section 4(b)(2) had an additional provision in it dealing with 
bad acts, and we think that that is a suggestion we have for 
Section 4(b)(2).
    As we look on, and I have to comment on Section 6(a)(10), 
one of the things to be careful about when looking at 
legislation or regulation in anti-fraud arenas is that we have, 
many of our members have anti-fraud provisions and those are 
out there to protect users from identity theft, and they have 
been fairly successful and successful in stopping credit card 
fraud and so forth. So as you look at things looking at the 
exceptions in 6(a)(10) is to make sure that we don't have 
unintended consequences there.
    Finally, 6(a)(8) and (9), giving limited liability. Our 
concern here is that it will remove accountability for software 
vendors. We think that this is very important, to have this 
accountability. Objectionable software is a subjective term and 
you can disagree on it. Many DMA members have written to and 
contacted software vendors whose software has removed their 
particular software on someone's computer and they have been 
able to work it out, very, very reputable organizations. 
Sometimes there has not been a resolution, and where do you go 
if there's not a resolution on this subjective term?
    Finally, there are some software vendors who don't answer 
phone calls, who don't respond to letters, and who don't 
respond to e-mails. If you have this kind of argument on a 
subjective issue, where do you go? So we're very concerned that 
you, Congress not eliminate accountability.
    Thank you very much.
    [The prepared statement of Mr. Cerasale follows:]

     Prepared Statement of Jerry Cerasale, Senior Vice President, 
         Government Affairs, Direct Marketing Association, Inc.
I. Introduction and Summary
    Good morning, Mr. Chairman and Members of the Committee. I am Jerry 
Cerasale, Senior Vice President for Government Affairs of the Direct 
Marketing Association, and I thank you for the opportunity to appear 
before the Committee as it examines S. 1625 and the spyware issue in 
general.
    The Direct Marketing Association, Inc. (``DMA'') (www.the-dma.org) 
is the leading global trade association of businesses and nonprofit 
organizations using and supporting multichannel direct marketing tools 
and techniques. DMA advocates industry standards for responsible 
marketing, promotes relevance as the key to reaching consumers with 
desirable offers, and provides cutting-edge research, education, and 
networking opportunities to improve results throughout the end-to-end 
direct marketing process. Founded in 1917, DMA today represents more 
than 3,600 companies from dozens of vertical industries in the U.S. and 
50 other nations, including a majority of the Fortune 100 companies, as 
well as nonprofit organizations. Included are catalogers, financial 
services, book and magazine publishers, retail stores, industrial 
manufacturers, Internet-based businesses, and a host of other segments, 
as well as the service industries that support them.
    DMA and our members appreciate the Committee's outreach to the 
business community on this important issue. I note at the outset that 
this is a complicated issue. In part due to congressional attention, 
over the past several years there have been significant developments 
that have fundamentally improved the consumer experience as it relates 
to spyware. Where once, just three short years ago, invasive pop-up 
ads, drive-by downloads, and software that hijacked computers were on 
the rise, consumers in 2008 experience fewer such unwanted practices. 
Industry guidelines for legitimate software downloads, strong self-
regulation, major technological improvements, and Federal Trade 
Commission (``FTC'') and state Attorney General enforcement have all 
contributed to the current, significantly improved environment where 
the prevalence of spyware has been vastly reduced. While DMA supports 
the Committee's interest in combating spyware, given that the 
marketplace has evolved considerably since previous Congresses 
considered this issue, we believe that a statutory approach that would 
cover a broad range of software downloads and online marketing might 
not achieve the desired purpose of limiting spyware, but might have the 
unintended effect of interfering with important e-commerce and 
marketing functionalities.
    Internet growth over the past 10 years has been nothing short of 
remarkable, and this growth is fueled by the seamlessness of 
interactions of content, software, advertising, and other services. The 
dramatic rise of the Internet is evident in the dollar amounts 
consumers spend purchasing products through Internet sales. Last year, 
on Cyber Monday, the busiest Internet shopping day of the year, 
shoppers spent more than $733 million online.\1\ This represents an 
increase of 21 percent from the same day the previous year and is more 
than the amount shoppers spent on Black Friday.\2\
---------------------------------------------------------------------------
    \1\ Cyber Monday is the first Monday following Thanksgiving. In 
2007, Cyber Monday fell on November 26. The Friday after Thanksgiving 
Day is known as Black Friday and is traditionally the largest brick and 
mortar shopping day of the year.
    \2\ See http://www.comscore.com/press/release.asp?press=1921.
---------------------------------------------------------------------------
    Additional statistics demonstrate the staggering growth in e-
commerce. The U.S. Census Bureau, which releases quarterly retail e-
commerce statistics, recently reported that estimated retail e-commerce 
sales for the 1st quarter of 2008 were $33.8 billion, an increase of 
13.6 percent from the 1st quarter of 2007. The Census Bureau also noted 
that 1st quarter e-commerce sales accounted for 3.4 percent of total 
sales.\3\
---------------------------------------------------------------------------
    \3\ U.S. Census Bureau, Quarterly Retail E-commerce Sales, 1st 
Quarter 2008, May 15, 2008. See http://www.census.gov/mrts/www/data/
pdf/08Q1.pdf.
---------------------------------------------------------------------------
    As these and similar figures suggest, the Internet revolution has 
had a tremendous impact on economic growth. The Internet has become a 
preferred mechanism of commerce for many consumers, and a key part of 
multi-channel sales efforts for businesses. This phenomenon has changed 
the way products and services reach the market, and enables consumers 
to shop in an environment that knows no restrictions on time or place.
II. Strong Guidelines, Technology, and Enforcement Have Reduced the 
        Need for Legislation
    The combination of strong industry guidelines, anti-spyware 
technologies, and enforcement of existing laws over the past 3 years 
has limited pernicious software downloads, reducing spyware's threat to 
the positive consumer experience online. Together, we are winning the 
battle against such malicious practices. That said, this battle will be 
ongoing. Today's solutions and remedies may be obsolete tomorrow. As 
technology continues to evolve rapidly, so too will the challenges 
posed by spyware and related bad practices.
A. Industry Guidelines
    DMA has long been a leader in establishing comprehensive self-
regulatory guidelines for its members on important issues related to 
privacy and e-commerce, among many others. DMA and its member companies 
have a major stake in the success of electronic commerce and Internet 
marketing and advertising, and are among those benefiting from its 
growth. Our members understand that their success on the Internet is 
dependent on consumers' confidence in the online medium, and they 
support efforts that enrich a user's experience while fostering 
consumer trust in online channels. Understanding the importance of 
standards and best practices in building consumer confidence, DMA, 
working with its members, in 2006 developed and adopted standards for 
software downloads as part of our Guidelines for Ethical Business 
Practice (``Guidelines''), to specifically discourage illegitimate 
software download practices that threaten to undermine electronic 
commerce and Internet advertising.\4\ In our experience, industry 
guidelines are the most effective way to address concerns that arise in 
the continuously changing technological landscape. Such guidelines are 
flexible and adaptable in a timely manner so as to cover bad practices 
and not unintentionally or unnecessarily cover legitimate actors. These 
software guidelines and an analysis of their requirements are attached.
---------------------------------------------------------------------------
    \4\ Use of Software or Other Similar Technology Installed on a 
Computer or Similar Device, DMA Guidelines for Ethical Business 
Practice, at 21 (attached) (available at http://www.the-dma.org/
guidelines/EthicsGuidelines.pdf).
---------------------------------------------------------------------------
B. Current Law Enforcement Efforts
    Technology, self-regulation, and enforcement of existing laws are 
adequately addressing the problems caused by spyware. In the past 
couple of years, law enforcement officials have been using existing 
enforcement tools to pursue sources of spyware. The FTC has 
aggressively pursued adware companies engaging in improper business 
practices. Since 2004, the Commission has brought more than 10 such 
cases under its deceptive and unfair practices authority.\5\ In 
addition, the Department of Justice (``DOJ'') is actively combating 
spyware under the Computer Fraud and Abuse Act and the Wiretap Act, 
also with more than 10 cases to date.\6\ The states have been an 
important part of the enforcement efforts in this area as well, with 
state attorneys general using their fraud and consumer protection laws 
to target distributors of spyware.\7\ Strong enforcement of existing 
laws, combined with industry self-policing and innovative technologies, 
thus, have drastically slowed the spread of spyware and its effects. As 
these efforts indicate, continued dedication of resources to 
enforcement has proven an effective response to spyware.
---------------------------------------------------------------------------
    \5\ See, e.g., In the Matter of DirectRevenue LLC, FTC File No. 
052-3131 (filed Feb. 16, 2007); In the Matter of Sony BMG Music 
Entertainment, FTC File No. 062-3019 (filed Jan. 30, 2007); FTC v. ERG 
Ventures, LLC, FTC File No. 062-3192 (filed Nov. 29, 2006); In the 
Matter of Zango, Inc. f/k/a 180solutions, Inc., FTC File No. 052-3130 
(filed Nov. 3, 2006).
    \6\ CFAA, 18 U.S.C. § 1030; Wiretap Act, 18 U.S.C. § 2511. See, 
e.g., U.S. v. Jerome T. Heckenkamp, http://www.usdoj.gov/criminal/
cybercrime/heckenkampSent.htm; U.S. v. Christopher Maxwell, http://
www.usdoj.gov/criminal/cybercrime/maxwellPlea.htm.
    \7\ For example, New York attorneys general over the past few 
years, as well as other attorneys general, have been actively pursuing 
cases against companies for deceptive practices in connection with 
spyware and adware. See New York Attorney General settlement with 
online advertisers, http://www.oag.state.ny.us/press/2007/jan/
jan29b_07.html; settlement with DirectRevenue, http://
www.oag.state.ny.us/press/2006/apr/apr04ab_06.html.
---------------------------------------------------------------------------
C. Marketplace Technology Has Adapted to Combat Spyware
    The technological tools available to consumers to prevent spyware 
also have seen significant improvement in their effectiveness. These 
tools are highly sophisticated, user friendly, and widely available, 
and in many instances are available at no cost to the consumer. For 
instance, today's anti-spyware software is proactive in detecting 
malware before it can penetrate a consumer's personal computer, thereby 
eliminating frustrations of spyware by preventing it from ever being 
downloaded. Consumers also have access to new web browsers with 
stronger security features and better warning features. In addition, as 
spyware became a problem, industry responded by installing anti-spyware 
software onto personal computers before shipping them to customers. 
This service provides personal computers with an early vaccination 
against spyware.
III. Specific Concerns about S. 1625
    I would like to take this opportunity to discuss specific comments 
regarding S. 1625, which is pending before the Committee. We believe 
that the significant developments described warrant reevaluation of 
certain provisions of this legislation by the Committee, which we hope 
that the sponsors of this bill and the members of the Committee will 
consider.
    DMA is concerned that Section 4(b)(2) of the bill could create 
compliance uncertainty, which could, in turn, limit current and future 
critical e-commerce functions designed to make the Internet browsing 
experience seamless. For this reason, DMA believes that Section 4(b)(2) 
should be tailored to specifically target ``bad practices,'' rather 
than create the regulation of many legitimate information practices 
resulting from software. The current language in Section 4(b)(2) could 
be interpreted to extend well beyond regulating ``surreptitious 
surveillance'' practices. We recommend that any restriction on data 
collected and correlated with a user's online history be narrowed, as 
this bill did the last time it was considered and approved by this 
Committee by adding the language contained in the previous bill. Our 
suggestion would apply only if the computer software was installed in a 
manner designed to conceal from a computer user the fact that the 
software was being installed and would perform an information 
collection function. This type of approach would make clear that the 
bill targets deceptive acts--which should be the objective of any such 
legislation--and does not restrain legitimate practices.
    DMA also is concerned about Sections 6(a)(8) and (9), the 
provisions that would bestow limited liability on a business that 
removes ``objectionable content'' or software used in violation of the 
Act. While on its face, the authority to remove ``objectionable 
content'' may appear reasonable, the term ``objectionable'' is not 
defined and, as a consequence, section 6(a)(8) would allow any anti-
spyware entity to act unilaterally, and without review, to block any 
material that it defines as ``objectionable.'' Under this authority, 
for example, an anti-spyware tool would be free to identify and remove 
anti-fraud software from a computer, with no liability for doing so, or 
for fraudulent activities that may then be perpetrated, or it could use 
the unfettered discretion provided for in this subsection to block a 
competitor's access even if that competitor has the specific consent of 
the user. Moreover, it could do so without any notice whatsoever to the 
user. We are, therefore, concerned that this provision would grant full 
immunity to a business that oversteps its power to remove legitimate 
content and causes harm to another business or the user. This type of 
broad immunity would have negative consequences for consumers by 
undermining their personalized Internet experience. For instance, what 
may be ``objectionable content'' to an anti-spyware entity may be a 
consumer's valued tool bar or personalized cookie.
    For similar reasons, DMA has concerns about Section 6(a)(9), which 
would permit a business to remove software used in violation of 
sections 3, 4, or 5 of the Act. In previous versions of this bill, this 
type of immunity has been referred to as a ``Good Samaritan'' 
provision. We are concerned that providing limited liability to 
providers acting under ``Good Samaritan'' protection may also have 
unintended consequences for consumers and businesses. DMA supports a 
provider's ability to remove or disable a program employed to 
perpetrate a bad act. However, we are concerned that a provision as 
broad as Section 6(a)(9) would allow a provider to remove legitimate 
software without consequence. The current framework, under which 
existing laws are used to hold anti-spyware companies liable for 
removal of legitimate software, has served as an important check on 
overreaching by such providers and should be preserved.
    In addition, the policy goal underlying a ``Good Samaritan'' 
exemption is unclear. This type of protection would limit liability for 
violations for providers of anti-spyware software that remove spyware 
from a computer. The operative provisions of Sections 3, 4, and 5 
impose liability for causing the installation of software on a machine, 
not removing software. Thus, it is unclear why a provision limiting 
liability for ``removal'' of software is even necessary. Given the fact 
that it would limit liability where none exists in the first instance, 
DMA suggests that this provision be deleted.
    Finally, DMA recommends that the exemption provided in the 
definition of ``software'' (Section 12(14)) be modified to include 
``cookies and any other software that performs a similar or identical 
function or functions.'' By limiting the exemption solely to cookies, 
the bill is essentially regulating technology rather than conduct. As a 
result, the bill would foreclose the inclusion of new and innovative 
technologies that perform a similar or identical function as a cookie. 
This type of limitation would stifle innovation.
IV. Conclusion
    In summary, the combination of advances in industry self-
regulation, enforcement, and technology, coupled with concerns about 
interfering with legitimate uses of software for marketing purposes, 
necessitates that certain sections of S. 1625 be revisited. If 
regulation is necessary, and we believe that it is unclear that a need 
for legislation remains in light of recent technological innovations, 
it should be drafted in a manner that does not undermine current efforts 
or upset consumers' expectations regarding the types of available, 
legitimate online marketing.
    I thank you for your time and the opportunity to speak before your 
Committee. I look forward to your questions and to working with the 
Committee on this legislation.
                              Attachment 1
Analysis of DMA Guidelines
    The Direct Marketing Association requires member organizations to 
adhere to its Guideline on Use of Software or Other Similar Technology 
Installed on a Computer or Similar Device, which encourages members to 
provide notice and choice regarding software that may be downloaded 
onto a consumer's personal computer or similar devices (attached). This 
Guideline clearly states that marketers should not install, have 
installed, or use, software or other similar technology on a computer 
or similar device that initiates deceptive practices or interferes with 
a user's expectation of the functionality of the computer and its 
programs. Such practices include software that takes control of a 
computer, modem hijacking, denial of service attacks, and endless loop 
pop-up advertisements. This Guideline also is clear that businesses 
should not deploy programs that deceptively modify or disable security 
or browser settings or prevent the user's efforts to disable or 
uninstall the software. DMA's Ethics Policy Committee evaluates 
compliance with its guidelines and regularly publishes summaries of 
outcomes of matters considered. Penalties can include removal from 
membership, referral to the Federal Trade Commission, and public 
disclosure of concern.
    This Guideline also details responsible practices for marketers 
offering software or other similar technology that is installed on a 
computer used to further legitimate marketing purposes. Specifically, 
such programs must provide a user with clear and conspicuous notice and 
choice at the point of joining a service or before the software or 
other similar technology begins operating on the user's computer, 
including notice of significant effects of having the software or other 
similar technology installed. Marketers also must give the user an easy 
means to uninstall the technology and/or disable all functionality. 
Finally, marketers should always provide an easily accessible link to 
privacy policies and contact information, as well as clear 
identification of the company making the offer.
    Given the rapid evolution of technology, DMA believes that self-
regulation is the most effective means for setting business standards 
for legitimate marketing. Guidelines like those published by DMA and 
TRUSTe condemn deceptive practices, strive to protect consumers, and 
foster legitimate Internet advertising and marketing. Guidelines are 
flexible and adaptable to changes in markets, business practices, and 
advances in technology.
    Another issue that DMA has sought to address through self-
regulatory best practices is the role of advertisers in ensuring that 
their advertisements are being disseminated responsibly. In some 
instances, there may be advertisers with good intentions who do not 
understand where their ads are appearing online. To help address some 
of these issues, DMA adopted best practices regarding online 
advertising networks and affiliate marketing.\8\ These best practices 
state, among other things, that marketers should obtain assurances that 
their partners will comply with legal requirements and DMA's Guidelines 
for Ethical Business Practice, undertake due diligence in entering into 
these partnerships, define parameters for ad placement, and develop a 
monitoring system for online advertising and affiliate networks. These 
should limit the appearance of advertisements related to spyware.
---------------------------------------------------------------------------
    \8\ See DMA Best Practices for Online Advertising Networks and 
Affiliate Marketing (attached) (available at http://www.the-dma.org/
guidelines/onlineadvertisingandaffiliatenetworkBP.pdf).
---------------------------------------------------------------------------
                              Attachment 2

     Excerpt from the DMA Guidelines for Ethical Business Practice

Use of Software or Other Similar Technology Installed on a Computer or 
        Similar Device
Article #40
    Marketers should not install, have installed, or use, software or 
other similar technology on a computer or similar device that initiates 
deceptive practices or interferes with a user's expectation of the 
functionality of the computer and its programs. Such practices include, 
but are not limited to, software or other similar technology that:

  • Takes control of a computer (e.g., relaying spam and 
        viruses, modem hijacking, denial of service attacks, or endless 
        loop pop-up advertisements)

  • Deceptively modifies or deceptively disables security or 
        browser settings or

  • Prevents the user's efforts to disable or uninstall the 
        software or other similar technology

    Anyone that offers software or other similar technology that is 
installed on a computer or similar device for marketing purposes 
should:

  • Give the computer user clear and conspicuous notice and 
        choice at the point of joining a service or before the software 
        or other similar technology begins operating on the user's 
        computer, including notice of significant effects* of having 
        the software or other similar technology installed

  • Give the user an easy means to uninstall the software or 
        other similar technology and/or disable all functionality

  • Give an easily accessible link to your privacy policy and

  • Give clear identification of the software or other similar 
        technology's name and company information, and the ability for 
        the user to contact that company

  * Determination of whether there are significant effects includes, 
        for example:

      • Whether pop-up advertisements appear that are 
            unexpected by the consumer

      • Whether there are changes to the computer's home page 
            or tool bar

      • Whether there are any changes to settings in security 
            software, such as a firewall, to permit the software to 
            communicate with the marketer or the company deploying the 
            software, or

      • Whether there are any other operational results that 
            would inhibit the user's expected functionality

    Cookies or other passive means of data collection, including web 
beacons, are not governed by this Guideline. Article #37 provides 
guidance regarding cookies and other passive means of data collection.
                              Attachment 3
                                                          June 2006
DMA's Internet Marketing Advisory Board (IMAB) Best Practices for 
        Online Advertising Networks and Affiliate Marketing
    Online marketers using advertising and affiliate networks should:

        1. Obtain assurances that the online advertising and affiliate 
        network is in full compliance with state law, Federal law, and 
        the DMA Guidelines for Ethical Business Practice.

        2. Perform due diligence on prospective network advertising 
        partners and make sure you are working with reputable firms. 
        Additionally (if possible), obtain a sample list of current 
        advertising clients. Due diligence should also include either: 
        (1) asking for a full disclosure of eligible sites, or (2) a 
        review of processes to limit access to unwanted sites or 
        channels. When partnering with an aggregate site online 
        advertising and affiliate networks should provide the marketer 
        with a sampling of sites that are in their network. Due 
        diligence should encompass the entire process from the marketer 
        to the end consumer.

        3. Always utilize a written contract/agreement. This will 
        provide you the greatest possible control over your ad 
        placement. This will also be the mechanism by which you devise 
        and enforce formulas and/or guidelines for where and how online 
        ads will be placed.

        4. Include specific parameters that must be employed to 
        determine placement of your online ads in written agreements. 
        Altering of offer by an advertising or affiliate network is 
        prohibited. If laws, guidelines or set standards are violated 
        your contract with the violating advertising or affiliate 
        network should be terminated.

        5. Develop a system to routinely monitor your ad placements as 
        well as your contract with any online advertising or affiliate 
        network.

    Senator Nelson. Mr. Rotenberg?

  STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC 
               PRIVACY INFORMATION CENTER (EPIC)

    Mr. Rotenberg. Thank you very much, Senator, and thank you 
for the opportunity to testify today. The Electronic Privacy 
Information Center has a long-term interest in the ability of 
the Federal Trade Commission to police business practices that 
impact American consumers. We have worked with the FTC now for 
almost a decade to try to ensure that the Section 5 authority 
is used to protect consumers because if consumers do not have 
trust and confidence in the electronic marketplace clearly it's 
not good for consumers or businesses.
    Of course, the concerns about spyware are very real and the 
costs are very real. For consumers it's not only their privacy 
and personal information, it's also the risk that financial 
details of bank account information, checking account 
information will be disclosed to others. It's the risk of 
identity thieves. It's the risk frankly simply of the hassle of 
having to monitor your personal computer to make sure that 
there's no improper surveillance taking place on your private 
activity.
    So we see a real urgency in addressing the spyware issue 
and ensuring that the Federal Trade Commission has the 
authority, has the necessary tools to crack down on these 
activities.
    Now, since you've asked us to make some brief remarks and 
because my full statement will be entered into the hearing 
record, I thought it might be helpful to place this bill a 
little bit in the context of where we've been and where I think 
we may be going. This bill addresses the specific problem of 
products, applications and techniques that are placed on the 
consumer's computer that surreptitiously take information from 
the user or exploit vulnerabilities on the computer's system.
    Clearly these are bad practices. They should be prohibited. 
I think there are some changes that could be made in terms of 
scope and definition that might make the bill a little bit more 
effective. But I also think it's important to understand that 
this is simply one category of spyware and that there are other 
types of activities which I think you need to be aware of.
    We have concerns, for example, about Internet service 
providers that now view the opportunity to intercept 
communications, the routine Internet traffic of their 
customers, for advertising purposes. From our perspective 
that's a form of spyware and if it's not addressed in this 
legislation perhaps it could be addressed somewhere else.
    We're concerned about similar techniques that might be 
deployed against mobile telephones. A lot of information, 
personal information, is available on phones. These phones are 
becoming more sophisticated. They're essentially mobile 
computers and many of the same concerns about privacy 
protection and spyware exist there as well. Even the 
advertising techniques on social networking sites such as 
Facebook which make it possible for third party developers to 
get access to a lot of detailed personal information they don't 
really need access to is another issue we hope the Committee 
will consider.
    Again, it may not be possible to get to all these issues 
with this legislation, and we do think this legislation is a 
step in the right direction. But I think it is important as the 
Committee thinks broadly about evolving business practices to 
be aware of these threats.
    Now, to speak specifically about some of the 
recommendations that we would make for S. 1625, which we do 
favor--it's an important bill--we think it is clearly important 
to expand the FTC authority in this area so that when they do 
pursue these investigations we think it's important that the 
FTC authority not preempt State authority. We already have very 
important examples. In Washington State, for example, the State 
attorney general was able to go after a company that actually 
claimed it was offering a product to help people with spyware. 
The way it did it was to put up advertising on the user's 
computer which said: Oh, we've detected spyware on your 
computer; you need to purchase our product.
    Well, the State attorney general was able to go after that 
company and reached a million dollar settlement. We think those 
types of innovative investigations and prosecutions are very 
important.
    There is an issue with the exclusion for liability. A 
company under one provision in the bill would be given very 
broad authority to install spyware and we think that really 
needs to be reined in a bit and it is an exception. I don't 
think it's too difficult to deal with.
    Finally, the category of information that the bill 
protects, what we think of as personally identifiable 
information, of course is changing very rapidly. Ten years ago 
we might have said, well, it's a person's telephone number and 
maybe their Social Security number. Now we need to think about 
their identity or user number on a Facebook or social 
networking service, because that's also a unique identifier 
that makes it possible to identify someone.
    Even a person's password information, the person's Internet 
protocol address that's uniquely linked to a computer, is a 
type of personally identifiable information. We think those 
changes could be made in the bill as well.
    But it is important legislation. It takes on part of the 
problem and I hope the Committee will be able to act favorably 
on it.
    [The prepared statement of Mr. Rotenberg follows:]

       Prepared Statement of Marc Rotenberg, Executive Director, 
              Electronic Privacy Information Center (EPIC)
    Senator Pryor, Chairman Inouye, Senator Stevens and members of the 
Committee, thank you for the opportunity to testify today on the topic 
of spyware and S. 1625, the Counter Spy Act. My name is Marc Rotenberg 
and I am Executive Director of the Electronic Privacy Information 
Center. EPIC is a non-partisan research organization based in 
Washington, D.C. EPIC was founded in 1994 to focus public attention on 
emerging civil liberties issues and to protect privacy, the First 
Amendment, and constitutional values. EPIC recently filed a complaint 
at the Federal Trade Commission on the specific problem of commercial 
spyware.\1\
    Spyware, adware, and other information collection techniques are a 
growing threat to the privacy of Internet users. Computer users have 
noticed the effects. Ninety percent of users say they have adjusted 
their online behavior out of fear of falling victim to software 
intrusions.\2\ The Webroot automated threat research tool has 
identified more than half a million different potential malware sites 
since January 2005.\3\ Spyware can cause significant degradation in 
system performance, result in loss of Internet access and impose 
substantial costs on consumers and businesses.\4\ Spyware can assert 
control over the operation of computers.\5\ The privacy risks of 
spyware include the theft of private information, monitoring of 
communications and tracking of an individual's online activity.\6\
    Importantly, privacy threats are growing not just in numbers, but 
also in type. Traditional spyware, adware and tracking cookies are now 
joined by other threats such as mobile device spyware,\7\ 
``stalkerware,'' and the potential for social networking applications 
to function as spyware. Spyware comes from several sources including 
online attackers, organized crime, marketing organizations and trusted 
insiders.\8\
    A new motivation for the cyber criminal is that spyware has become 
a profitable business.\9\ Individuals can also deploy spyware against 
each other.\10\ Some ISPs have also begun to install their own 
spyware-like services.\11\
    These threats require vigorous policy response. Policy must be able 
to innovate to recognize new challenges while substantively protecting 
consumer privacy.
Notice and Consent Schemes Do Not Adequately Protect User Information
    Ultimately, users must be able to control how and when information 
about them is used, disclosed and held. Solutions which rely on simple 
notice and consent will not adequately protect users. A recent survey 
of California consumers showed that they fundamentally misunderstand 
their online privacy rights.\12\ In two separate surveys almost 60 
percent of consumers incorrectly believed that the presence of 
a ``privacy policy'' meant that their privacy was protected.\13\ In a 
different survey, 55 percent of participants incorrectly believed that 
the presence of a privacy policy meant that websites could not sell 
their address and purchase information.
    Users also routinely click through notices. The Pew Internet and 
American Life Project found that 73 percent of users do not always read 
agreements, privacy statements or other disclaimers before downloading 
or installing programs.\14\ In such an environment, merely giving 
notice to users before the collection of sensitive information from 
their computers fails to adequately protect privacy in the way 
consumers expect.
    Consumer data should instead receive substantive protection. 
Information should be kept securely, and users should have the ability 
to know what data about them is being kept, who it has been shared 
with, and to withdraw consent for the holding of this data. Further, 
data should only be collected and kept for specified purposes.
    Important security information should also receive protection, even 
if it does not identify a user. The Counter Spy Act places conditions 
on software that collects information such as the user's Social 
Security number and driver's license number. It also protects as 
``sensitive personal information'' information such as financial 
account numbers when combined with passwords or other security 
codes.\15\ Password and access information to other accounts, such as 
e-mail or social networking, are not included.
    EPIC recommends that strict protection be afforded to security 
information, such as username/password pairs, encryption keys, 
biometric data, or other access control information. The mining of this 
information may not lead directly to identity theft and other financial 
harm, but facilitates its spread. Gaining access to a user's non-
financial accounts allows further information to be collected and 
further crimes perpetrated. Compromised accounts may have valuable 
information stored in them or be used to originate further malware 
attacks, including by impersonating the compromised account.
Privacy Requires Strong and Innovative Enforcement
    EPIC supports giving the FTC the ability to seek treble fines and 
penalize pattern or practice violations, as section 7 of the Counter 
Spy Act does. These changes will improve the FTC's effectiveness in 
pursuing repeat offenders, and also change the economic incentives and 
disincentives for purveyors of spyware.
    Several states are using innovative policies to protect their 
citizens' privacy. Spyware legislation has been passed in several 
states, including Alaska,\16\ Arizona,\17\ California,\18\ Florida,\19\ 
Georgia,\20\ Illinois,\21\ Indiana,\22\ Iowa,\23\ Louisiana,\24\ 
Nevada,\25\ New Hampshire,\26\ Rhode Island,\27\ Texas,\28\ Utah,\29\ 
and Washington.\30\ The Utah statute, for example, makes provision for 
a private cause of action which may be brought by a mark owner who does 
business in Utah and is directly and adversely affected by the 
violation.\31\ In such a suit a mark owner may recover the greater of 
$500 per each ad displayed or actual damages.\32\
    State Attorneys General have pursued spyware providers under state 
spyware laws. Washington State successfully applied the Washington 
State Computer Spyware Act \33\ (Spyware Act) to stop Secure Computer's 
use of their free computer scan that always detects spyware leading to 
instructions to buy their Spyware Cleaner product in a $1,000,000 
settlement.\34\ The State alleged violations under the state's Spyware 
Act, Federal and state spam laws, and the state Consumer Protection 
Act.\35\ The Attorney General's Office accused the company of ``falsely 
claiming computers were infected with spyware'' to entice the consumer 
to pay for their program that claimed to remove it.\36\ The settlement 
required the company to inform consumers of their right to a refund and 
pay a $1,000,000 judgment.
    For these reasons EPIC recommends that the Counter Spy Act not 
preempt state laws and state enforcement actions, as section 11(b) 
does. Federal law should set a baseline of privacy protection. It 
should not cap it.
    EPIC recommends that the limitation in section 6(a)(10) be removed. 
The Counter Spy Act's liability limitations broadly permit monitoring 
of users' computers and personal information for the ``detection or 
prevention of the unauthorized use of software fraudulent or other 
illegal activities.'' \37\ These limitations should be scaled back. The 
determination of whether uses are unauthorized, fraudulent or illegal 
may be complicated.
Privacy Threats Beyond Traditional Spyware Programs
    Information collection online is not performed solely with spyware 
programs executed on users' computers. Third-party and opt-out cookies 
present growing threats. The proliferation of mobile devices means a 
potential new place for spyware to act. Internet service providers are 
beginning to deploy their own adware and profiling services in ways which 
users will find difficult, if not impossible, to detect. Important user 
information is leaving the desktops and instead is residing on online 
social networking profiles. This information includes sensitive 
personal information such as contact information, one's social and 
business relationships, political interests, sexual orientation, as 
well as the contents of communications. Further, online social 
networking sites are increasing their own information collection 
practices.
    A ``cookie'' is information about a particular user's identity and 
browsing behavior that web servers store on his computer, typically 
without his consent.\38\ Cookies permit a user to customize his 
interface with a particular website, for example by automatically 
entering his username and password.\39\ However, since cookies can 
match an individual user to his interests and browsing habits, they are 
increasingly placed, gathered, and exploited by advertisers and others 
with a commercial interest in precisely targeting ads and services.\40\ 
Anyone with access to that user's cookies can track his browsing 
history and gather information about his behavior and identity.\41\ As 
a result, Internet users who are concerned about privacy are widely 
encouraged to routinely purge the cookies they have accumulated or to 
refuse cookies from websites that require them.\42\
    The recent Google/Doubleclick merger raises significant privacy 
issues because of the planned merger of the Google search engine 
database with Doubleclick's extensive data collection accomplished with 
third-party cookies.\43\ EPIC filed a complaint with the FTC urging the 
Commission to impose privacy protections upon the merger, concluding:

        Google's proposed acquisition of DoubleClick will give one 
        company access to more information about the Internet 
        activities of consumers than any other company in the world. 
        Moreover, Google will operate with virtually no legal 
        obligation to ensure the privacy, security, and accuracy of the 
        personal data that it collects. At this time, there is simply 
        no consumer privacy issue more pressing for the Commission to 
        consider than Google's plan to combine the search histories and 
        website visit records of Internet users.\44\

    In November 2007 Facebook launched its Beacon service.\45\ Beacon 
collects information from Facebook users when engaged in actions on 
other websites. Facebook then uses this information to broadcast 
advertisements to that user's friends on Facebook, alerting them of the 
actions that the user took on these other websites. Initially, Facebook 
only provided a brief opportunity for an opt-out. Facebook later added 
an opt-in system, and the option to globally opt out of Beacon. Shortly 
after Beacon's launch, security researchers showed that Facebook is 
receiving information even from those who are not logged in to Facebook 
and are not Facebook members.\46\
    Users of social networking sites are also exposed to the 
information collection practices of third party social networking 
applications. On Facebook, installing applications grants this third 
party application provider access to nearly all of a user's 
information.\47\ Significantly, third party applications do not only 
access the information about a given user that has added the 
application. Applications by default get access to much of the 
information about that user's friends and network members that the user 
can see. This level of access is often not necessary. Researchers at 
the University of Virginia found that 90 percent of applications are 
given more access privileges than they need.\48\
    These features may be exploited and the information used for other 
purposes. Investigators at the BBC took 3 hours to write an application 
that collected information that had been marked as unable to be shared 
with friends.\49\ Facebook, as part of its response, cautioned that 
users should ``employ the same precautions while downloading software 
from Facebook applications that they use when downloading software on 
their desktop.'' \50\
    Mobile device spyware also presents a future privacy threat, with 
unique features due to the mobile environment. In December 2006, McAfee 
reported on a new kind of mobile phone spyware, called SymbOS/Mobispy.A.\51\ 
SymbOS/Mobispy.A installed on phones and recorded 
incoming and outgoing SMS messages.\52\ It also tracked the phone 
numbers of all dialed and received calls. Mobile tracking presents 
unique dangers because it allows the tracker to determine the user's 
location. While the data may be able to follow users anonymously it may 
also easily identify them--they are likely at home in the evenings. 
Location information should receive significant protection from 
tracking applications.
    A new more insidious form of adware has been tested in the United 
Kingdom, and at least one U.S. company has announced it will also use 
the system.\53\ British Telecom contracted with the former adware 
company Phorm to create secret profiles of its users.\54\ Users' 
traffic was routed via Phorm boxes, which replaced ads on the pages 
users were visiting with its own targeted ads. In the U.S., Charter 
Communications announced that it will monitor consumers' browsing in 
order to serve them targeted ads.\55\ Charter sent several of its users 
cryptic notices of an ``enhancement'' to their web browsing 
experiences.\56\ The letter pointed users to a website with more 
details, including the claim that ``[t]here is no application 
downloaded onto a user's computer and, therefore, there is no 
``adware'' or ``spyware'' on your computer from Charter in this 
enhanced service.'' \57\ Thus a system that is functionally equivalent 
to spyware, and more dangerous due to its undetectability, is touted as 
safer because it does not reside on the victim's computer.
    Finally, some companies market spyware directly for consumers to 
use for stalking and other criminal activities. These technologies are 
promoted to consumers to spy on e-mail and instant message exchanges, 
record websites visited, and capture passwords and logins. EPIC has 
filed a complaint with the FTC against such ``Stalker spyware,'' 
highlighting the unfair and deceptive practices used to market this 
software.\58\ These practices include the promotion of illegal 
surveillance targets, the promotion of ``Trojan Horse'' e-mail attacks, 
and the failure to warn purchasers of the legal consequences of illegal 
use.
    We hope the FTC will take action on this complaint and take action 
against these firms.
Conclusion
    Privacy online continues to face many threats, both from criminal 
entities as well as intrusive commercial ventures. Substantive consumer 
protections and innovative enforcement strategies are necessary to 
protect consumers from the evolving threat of information collection 
online. These threats include not just traditional spyware, but also 
the merger of online consumer databases, new social networking 
features, mobile spyware and stalker spyware.
    EPIC recommends passage of the Counter Spy Act in line with the changes 
pointed out above. The Counter Spy Act should not preempt state law or 
enforcement; it should protect important security information like 
username/login pairs; and the liability limitations should be narrowed. 
Congress should also be aware of other developing threats to privacy 
beyond traditional spyware programs.
Footnotes
    \1\ Complaint, Request for Investigation, Injunction and Other 
Relief, In the Matter of Awarenesstech.com, et al., (March 6, 2008), 
http://epic.org/privacy/dv/spy_software.pdf.
    \2\ Pew Internet & American Life Project, Spyware: The Threat of 
Unwanted Software Programs is Changing the way People use the Internet, 
2 (July 2005), available at http://pewinternet.org/pdfs/
PIP_Spyware_Report_July_05.pdf [hereinafter PEW Spyware Report].
    \3\ Webroot, State of Spyware Report Q2, (2006), available at 
http://www.webroot.com/pdf/2006-q2-sos-US.pdf.
    \4\ Fed. Trade Comm'n, Spyware Workshop--Monitoring Software on 
your PC: Spyware, Adware, and other software, 8 (Mar. 2005) available 
at http://www.ftc.gov/os/2005/03/050307spywarerpt.pdf.
    \5\ Id. at 9.
    \6\ Id.
    \7\ Joseph De Avila, Do Hackers Pose a Threat to Smart Phones?, The 
Wall Street Journal, D1, May 27, 2008, available at 
http://online.wsj.com/article/SB121184343416921215.html?mod=todays_us_personal_journal.
    \8\ Aaron Hackworth USCERT, Spyware, 3 (2005) available at http://
www.uscert.gov/reading_room/spyware.pdf.
    \9\ See Guillaume Lovet, Dirty Money on the Wires: The Business 
Models of Cyber Criminals, (2006), available at http://
www.momindum.com/ressources/produits/fortinetFlash/content/_libraries/
_documents/index1/GL_Business_Models_of_Cybercriminals.pdf.
    \10\ EPIC, Personal Surveillance Technologies (May 2008), http://
epic.org/privacy/dv/personal_surveillance.html.
    \11\ Saul Hansell, Charter Will Monitor Customer's Web Surfing to 
Target Ads, The New York Times, May 14, 2008, http://
bits.blogs.nytimes.com/2008/05/14/charter-will-monitor-customers-web-
surfing-to-target-ads/.
    \12\ Joseph Turow, Deirdre Mulligan, and Chris Jay Hoofnagle, 
Consumers Fundamentally Misunderstand the Online Advertising 
Marketplace (Oct. 2007), available at 
http://groups.ischool.berkeley.edu/samuelsonclinic/files/annenberg_samuelson_advertising.pdf.
    \13\ Id. at 1.
    \14\ Pew Spyware Report, supra note 2, at 6.
    \15\ S. 1625, 110th Cong. § 12(13)(B) (2008).
    \16\ Alaska Stat. §§ 45.45.792, 45.45.794, 45.45.798, 45.45.471 
(2007).
    \17\ Ariz. Rev. Stat. §§ 44-7301 to -7304 (2008).
    \18\ Cal. Bus. & Prof. Code § 22947 (2008).
    \19\ Fla. Stat. §§ 934.02, .03, .06 (2008).
    \20\ Ga. Code Ann. §§ 16-9-152, -157 (2008).
    \21\ 720 Ill. Comp. Stat. 5/16D-3 (2008).
    \22\ Ind. Code §§ 24-4.8-1 to -3 (2008).
    \23\ Iowa Code § 715 (2008).
    \24\ La. Rev. Stat. Ann. §§ 51:2006-14 (2008).
    \25\ Nev. Rev. Stat. Ann. § 205.4737 (2007).
    \26\ N.H. Rev. Stat. Ann. §§ 359-H:1-6 (2008).
    \27\ R.I. Gen. Laws § 11-52.2-7 (2008).
    \28\ Tex. Bus. & Com. Code §§ 48.001-4, .051-057 (2008); Tex. Bus. & 
Com. Code §§ 324.001-7, .051-055, .101-.102 (2008).
    \29\ Utah Code Ann. §§ 13-40-101 to -401 (2008).
    \30\ Wash. Rev. Code §§ 19.270.010-.080, .900 (2008).
    \31\ Utah Code Ann. § 13-40-301.
    \32\ Id.
    \33\ Wash. Rev. Code §§ 19.270.010-.080, .900.
    \34\ State of Washington v. Secure Computer, LLC, No. C06-0126RSM 
(W.D. Wash. Nov. 30, 2006) (Consent Decree as to Defendants Secure 
Computer, LLC and Paul E. Burke), http://www.atg.wa.gov/uploadedFiles/
Another/News/Press_Releases/2006/SecureComputerConsentDecree112906.pdf.
    \35\ Press Release, Washington State Office of the Attorney 
General, Attorney General McKenna Announces $1M Settlement in 
Washington's First Spyware Suit (Dec. 4, 2006), available at http://
www.atg.wa.gov/pressrelease.aspx?id=5926.
    \36\ Id.
    \37\ S. 1625, 110th Cong. § 6(a)(10) (2008).
    \38\ Cookiecentral.com, The Cookie Concept, http://
www.cookiecentral.com/c_concept.htm (last visited June 6, 2008).
    \39\ Cookiecentral.com, Purpose of Cookies: The Cookie Controversy, 
http://www.cookiecentral.com/ccstory/cc2.htm (last visited June 6, 2008).
    \40\ Id.
    \41\ EPIC, Cookies, http://epic.org/privacy/internet/cookies/.
    \42\ EPIC, Does AskEraser Really Erase?, http://epic.org/privacy/
ask/default.html.
    \43\ See EPIC, Privacy? Proposed Google/DoubleClick Deal, http://
epic.org/privacy/ftc/google/
    \44\ EPIC Complaint, In the Matter of Google Inc. and DoubleClick 
Inc., 10 (April 20, 2007), http://epic.org/privacy/ftc/google/
epic_complaint.pdf.
    \45\ Facebook Beacon, http://www.facebook.com/business/?beacon.
    \46\ CA Security Advisor, Facebook's Misrepresentation of Beacon's 
Threat to Privacy: Tracking Users Who Opt Out or Are Not Logged In, 
(Dec 3, 2007), http://community.ca.com/blogs/securityadvisor/archive/
2007/11/29/facebook-s-misrepresentation-of-beacon-s-threat-to-privacy-
tracking-users-who-opt-out-or-are-not-loggedin.aspx.
    \47\ EPIC, Facebook Privacy, http://epic.org/privacy/facebook/.
    \48\ Privacy Protection for Social Networking APIs, http://
www.cs.virginia.edu/felt/privacy/ (last visited June 6, 2008).
    \49\ Press Release, BBC, Facebook's loophole places personal 
profile data at risk--BBC investigation (May 1, 2008), http://
www.bbc.co.uk/pressoffice/pressreleases/stories/2008/05_may/01/
click.shtml.
    \50\ Q&A: Facebook Response, BBC, May 1, 2008, http://
news.bbc.co.uk/2/hi/programmes/click_online/7375891.stm.
    \51\ McAfee Avert Labs Blog, http://www.avertlabs.com/research/
blog/?p=145 (last visited June 5, 2008).
    \52\ Id.
    \53\ See EPIC, Deep Packet Inspection and Privacy, http://epic.org/
privacy/dpi/.
    \54\ Chris Williams, BT and Phorm secretly tracked 18,000 customers 
in 2006, The Register, April 1, 2008, http://www.theregister.co.uk/
2008/04/01/bt_phorm_2006m_trial/.
    \55\ Saul Hansell, Charter Will Monitor Customers' Web Surfing to 
Target Ads, The New York Times, May 14, 2008, http://
bits.blogs.nytimes.com/2008/05/14/charter-will-monitor-customers-web-
surfing-to-target-ads/.
    \56\ Charter Letter, available at http://www.epic.org/privacy/dpi/
subscriber_ltr.pdf.
    \57\ Charter Communications, Enhanced Online Experience Frequently 
Asked Questions, http://connect.charter.com/landing/op1.html#6.
    \58\ Complaint, Request for Investigation, Injunction and Other 
Relief, In the Matter of Awarenesstech.com, et al., (March 6, 2008), 
http://epic.org/privacy/dv/spy_software.pdf.

    Senator Pryor [presiding]. Dr. Edelman?

               STATEMENT OF BENJAMIN G. EDELMAN,
         ASSISTANT PROFESSOR, BUSINESS ADMINISTRATION,
                    HARVARD BUSINESS SCHOOL

    Dr. Edelman. Thank you, Senator Pryor, Senator Nelson, 
Members of the Committee.
    Senator Pryor, I want to structure my remarks around your 
initial question about the proper definition of spyware and 
Senator Vitter's response immediately thereafter, concerned 
about both the risk of being over-inclusive and the risk of 
being under-inclusive, either of which would be a serious 
problem in making the legislation as effective as the Committee 
hopes.
    I spend perhaps too much of my time in my lab testing 
spyware, going to the sorts of sites where users get infected, 
infecting my computer over and over, measuring the effects on 
it, figuring out how it gets infected and what it would take to 
clean the infections off. Well, two examples that I've seen in 
the past months I think are instructive for identifying 
potential under-inclusiveness of this legislation and then in 
rethinking alternative approaches that might help the Committee 
be that much more effective.
    So here's one that I saw just 2 weeks ago in fact. A pop-up 
ad promised that it could, quote, ``stop spam.'' Upon clicking 
on the pop-up, I received a long text, several hundred words, 
center-aligned. Part of the text was off screen. It was very 
hard to read, in short.
    But if you read it carefully, you would find that it says 
it will show special offers in pop-up windows. OK, so it's 
saying it's going to show pop-up ads, but it's in a small font. 
The word ``pop-up'' is actually off-screen, so you'd have to 
scroll around to find it.
    If you press ``yes'' the software will track the websites 
that you visit and the search terms that you enter and then, 
sure enough, it will show you pop-up ads, quite a few of them.
    So what about that program vis-à-vis this legislation? Can 
you point to a clause of this legislation that that program 
violates? It's awfully hard to do actually. The program tracks 
some of the websites you visit, but when you look in Section 4, 
it needs to track those websites in a very particular way in 
order to fall afoul of that clause of Section 4. The underlying 
deception of having the tricky disclosure that's hard to read, 
you won't find anything about that in this legislation.
    Here's another one: a program that tracks a user's name, 
street address, and all of the web searches that they do, then 
sends that to their server for a variety of purposes, market 
research, perhaps some kind of marketing. There too, it's hard 
to point to the clause in this legislation that the program 
violates. When you read through the specific data elements that 
are prohibited under Section 4, you don't see the data that I 
listed that the program copies.
    I think members of this committee would be concerned to 
have that sort of software on their computers, and would want 
it removed if they found it there and certainly the public 
shares that view, but it seems that this legislation wouldn't 
cover at least those two examples.
    So what do we make of that? Well, Senator Pryor, as you and 
Senator Vitter immediately recognized, practices change 
quickly, and at our peril do we make a list of all the specific 
practices that ought to be prohibited, because the next day 
there will be more practices that we didn't think of, despite 
our best efforts.
    So coming back to Ms. Harrington's remarks, I think she's 
absolutely right to emphasize the effectiveness on a long-term 
basis of the FTC Act. By prohibiting acts that have a tendency 
to deceive, that tend to be unfair to consumers--that is the 
sort of language that can prevent these one-sided bargains, 
where they show you pop-up ads and you don't get anything in 
return, or they track you in great detail without telling you. 
That is an approach that has lasted for decades and will serve 
us well going forward.
    So what could this legislation do that would be helpful? 
Well, one, it seems the FTC lacks the statutory authority to 
get quite as large penalties as they ought to be able to 
receive. Imagine the settlement discussions between the FTC and 
a so-called adware maker. The adware maker is sitting there 
realizing that all the FTC can get is disgorgement of ill-
gotten gains, and the company managed not to make a profit last 
year. So what's the disgorgement? The disgorgement is zero. How 
much of a penalty can the FTC really extract under those 
circumstances?
    Consider a statutory grant of greater authority, of bigger 
penalties, of liquidated damages perhaps or some amount certain 
as a floor. ``Even if you didn't manage to make money, well, 
we're going to make certain you lost money if you went around 
causing the kind of harm that's at issue.'' That could be very 
helpful. So I think that's an approach the Committee might want 
to consider, avoiding attempting to define spyware because we 
have enough of that under the FTC Act, but instead granting 
greater statutory protections in the form of increased 
liability.
    My written remarks flag two other issues I hope the 
Committee will consider. For one, preemption of State law 
doesn't seem to me a good idea, given that there's more than 
enough work to go around to keep everyone busy and some 
innovative statutory approaches. Second, the Committee should 
avoid legislation that doesn't quite fill the field and makes 
it too easy for a vendor to claim to not be spyware. A vendor 
might claim: ``We are federally certified good software; we 
passed Senator Pryor's standard and therefore we must be 
good.'' But in fact that vendor could still be pretty sneaky 
and could continue to cause users substantial harm.
    So I'd caution the Committee against setting low standards. We 
need to be tough on spyware for the protection of all the users 
counting on this committee and this legislation for protection 
going forward.
    Thank you for your interest in this matter.
    [The prepared statement of Dr. Edelman follows:]

    Prepared Statement of Benjamin G. Edelman, Assistant Professor, 
                        Harvard Business School
    Chairman Inouye, Senator Pryor, Members of the Committee:

    My name is Benjamin Edelman. I am an Assistant Professor at the 
Harvard Business School, where my research focuses on the design of 
electronic marketplaces, including designing online marketplaces to 
assure safety, reliability, and efficiency. My full biography and 
publication list are at http://www.benedelman.org/bio and http://
www.benedelman.org/publications.
    Today the Committee considers the important problems of Internet 
spyware and deceptive adware--scourges that threaten the reliability, 
trustworthiness, and overall utility of many users' Internet access.
    My bottom line:
    Despite some recent progress, spyware and adware continue to 
present substantial harms to Internet users and to the Internet as a 
whole.
    Many improper practices are already prohibited under existing 
statutes including the FTC Act, state consumer protection statutes, and 
state anti-spyware legislation. These statutes have given rise to a 
series of cases, both public and private, that have somewhat reined in 
the problems of spyware and adware.
    Tough Federal legislation could assist in bringing spyware and 
adware purveyors to justice, and in further deterring creation and 
support of this noxious software.
    But the bill at hand addresses only a portion of the problem, while 
in some ways reducing the effectiveness of existing efforts. By 
prohibiting specific individual practices, the bill invites 
perpetrators to comply with the letter of the law while continuing to 
harm and deceive consumers. Moreover, perpetrators are likely to boast 
of compliance--despite offering software no reasonable user would want. 
These loopholes are inevitable in the bill's ``laundry list'' approach, 
which unavoidably omits deceptive schemes not yet invented.
    Pages five and six set out my detailed suggestions for revision. I 
favor a rewrite that emphasizes consumer protection fundamentals such 
as a consumer's right to know what software runs on his PC, and to 
grant or deny consent to each program that asks to be installed. But 
the FTC has already established these principles through its existing 
anti-spyware litigation. Thanks to existing legislation plus the FTC's 
work to date, this bill can accomplish its apparent purpose without 
adding new prohibitions. Instead, this bill can grant the FTC 
discretion to seek increased penalties under existing statutes--sparing 
this committee the challenging task of deciding exactly what practices 
to prohibit.
The Consumer Victims of Spyware and Adware
    Discussion of spyware and adware typically seeks, in the first 
instance, to attempt to protect the users who receive such software. 
After all, a computer with spyware or adware is often virtually 
crippled--filled with so many popups that doing other work is 
impossible or impractical, and slowed so dramatically that it is 
unappealing to use the computer for ordinary purposes. Legislation and 
enforcement can help prevent such damage.
    Adware vendors often claim their software arrives on users' 
computers only after users agree. As a threshold matter, my hands-on 
testing has repeatedly proven that adware can become installed without 
a user's consent.\1\ But even if a user did accept the software, adware 
popups can nonetheless present substantial concern. For example, some 
adware popups are sexually-explicit--sometimes appearing without any 
obvious way to close the resulting windows to remove the explicit 
images.\2\ Other adware popups resort to deception to try to sell their 
wares--combining the interruption of popups with the trickery of false 
advertising.\3\ Moreover, adware popups appear separate from the 
programs that caused them--making it hard for users to understand where 
the ads came from, why they're there, and how to make them stop.
---------------------------------------------------------------------------
    \1\ See e.g., ``Who Profits from Security Holes?'' http://
www.benedelman.org/news/111804-1.html. See also ``Nonconsensual 180 
Installations Continue . . .'' http://www.benedelman.org/news/022006-
1.html. See also ``Spyware Installation Methods.'' http://
www.benedelman.org/spyware/installations/.
    \2\ ``Spyware Showing Unrequested Sexually-Explicit Images.'' 
http://www.benedelman.org/news/062206-1.html.
    \3\ See e.g., ``Zango Practices Violating Zango's Recent Settlement 
with the FTC'' (heading ``Zango Ads for Bogus Sites that Attempt to 
Defraud Users''). http://www.benedelman.org/spyware/zango-violations/.
---------------------------------------------------------------------------
    Users face a variety of costs in restoring a computer to good 
working order after an infection of spyware and/or adware. Some users 
hire technicians to make appropriate repairs. Others buy anti-spyware 
software. Furthermore, during the period in which spyware or adware 
impair a computer's operation, the user loses some or all access to the 
system he or she has paid for. These are real and troubling costs--out-
of-pocket expense, lost time, and reduced productivity.
    These harms are not outweighed by any countervailing benefits. Rare 
is the user who receives anything of genuine value from spyware or 
adware. Some vendors claim their software is useful, e.g., letting a 
user ``participate in a market research community'' or ``access premium 
content.'' But these claims rarely survive scrutiny. For example, it is 
hard to see a benefit in being tracked for market research, when 
standard practice is to pay participants to allow their behavior to be 
tracked. Moreover, when a vendor promises ``premium content'' in 
exchange for popups, it turns out the supposed premium material is 
often readily available elsewhere for free, and/or material the vendor 
lacks proper license to redistribute.\4\
---------------------------------------------------------------------------
    \4\ See e.g., ``Debunking Zango's `Content Economy.' '' http://
www.benedelman.org/news/052808-1.html.
---------------------------------------------------------------------------
    The harms caused by spyware and adware fall within the general 
realm of anti-consumer practices addressed by decades of consumer 
protection law. For example, just as other industries resorted to fine 
print to hide the unsavory aspects of their products,\5\ so too do 
adware vendors often turn to lengthy texts, scroll boxes, or euphemisms 
to ``disclose'' key effects of their software.\6\ Similarly, just as 
door-to-door salesmen made misleading claims to get consumers to let 
them in--literally, to ``get a foot in the door'' \7\--so too do adware 
vendors invoke deceptive campaigns to try to attract interest in their 
products.\8\ That the truth is (in some way) made known prior to 
purchase (or installation) is no defense: Once a vendor has resorted to 
deception, caselaw indicates that the deception cannot be cured through 
a (supposed) corrective disclosure. Legislation ought to consider these 
myriad deceptive practices--including anticipating that practices will 
continue to change as tricksters find new ways to deceive unsuspecting 
users.
---------------------------------------------------------------------------
    \5\ See e.g., Haagen-Dazs Co., 119 F.T.C. 762 (1995) (challenging 
effectiveness of fine-print footnote modifying ``98 percent fat free'' 
claim for frozen yogurt products that were not low in fat).
    \6\ See e.g., ``Gator's EULA Gone Bad.'' http://www.benedelman.org/
news/112904-1.html.
    \7\ See e.g., Encyclopedia Britannica, 87 F.T.C. 421 (1976), aff'd, 
605 P.2d 964 (7th Cir. 1979), cert. denied, 445 U.S. 934 (1980) 
(rejecting ``deceptive door opener'' sales pitches).
    \8\ See e.g., ``Zango Practices Violating Zango's Recent Settlement 
with the FTC'' (heading ``Widespread Zango Banner-Based Installations 
without Unavoidable, Prominent Disclosure of Material Terms (XP SP2)'') 
(supra).
---------------------------------------------------------------------------
The Deeper Problem: Imposing Negative Externalities on Others
    In my view, spyware and adware legislation should also consider the 
substantial negative externalities that such programs impose on others.
    For example, spyware and adware impose large costs on ISPs, 
computer makers, and software developers. In practice, users often turn 
to their ISPs and/or computer makers for assistance with problems 
caused by spyware and adware. Meanwhile, independent software makers 
must consider how their software interacts with spyware or adware 
unexpectedly on a user's computer--adding additional complexity and 
unpredictability.
    Spyware and adware cause further harm to the Internet's 
infrastructure and to Internet users generally--even users who are not 
themselves infected with spyware or adware. As much as half of spam now 
comes from ``zombie'' infections.\9\ Even if you keep your computer 
clean, others may not--and their computers may be used to send you 
spam.
---------------------------------------------------------------------------
    \9\ Xie et al., ``How Dynamic Are IP Addresses?'' http://
research.microsoft.com/projects/sgps/sigcomm2007.pdf.
---------------------------------------------------------------------------
    Furthermore, spyware and adware often attempt to defraud online 
advertisers--typically by claiming to show ads that were never actually 
shown, or by showing ads that users never agreed to receive. My 
research has uncovered spyware and adware performing click fraud--
automatically activating pay-per-click advertisement links where 
advertisers are only supposed to pay if a user specifically and 
intentionally clicks such links.\10\ Spyware and adware even interfere 
with advertising strategies widely perceived to present a lower risk of 
fraud. For example, some advertisers pay advertising commissions only 
upon a user's purchase--protecting against click fraud.\11\ But pay-
per-purchase advertisers can nonetheless be tricked by spyware and 
adware. For example, spyware and adware popups sometimes claim 
commissions on purchases they actually did nothing to facilitate.\12\
---------------------------------------------------------------------------
    \10\ ``The Spyware--Click-Fraud Connection.'' http://
www.benedelman.org/news/040406-1.html.
    \11\ These pay-per-purchase advertising systems are also known as 
cost-per-acquisition or ``CPA.''
    \12\ See e.g., ``Spyware Still Cheating Merchants . . .'' http://
www.benedelman.org/news/052107-1.html.
---------------------------------------------------------------------------
    In short, spyware and adware make the Internet a place where ISPs 
and computer makers incur unexpected costs they must ultimately pass 
back to customers; where even those who keep their computers safe 
nonetheless suffer from the infections that plague others; where 
advertisers cannot feel confident in the leads they pay to receive. The 
resulting costs make the Internet a weaker platform on which to do 
business, to all our detriment.
How to Stop the Problems of Spyware and Adware
    Unlike the viruses of prior decades, spyware and adware tend to be 
created by business enterprises--groups that design this unwanted 
software, foist it onto users' computers, and reap the rewards. The 
appropriate response: Find the perpetrators and hold them accountable.
    The past 4 years have brought considerable progress in identifying 
spyware and adware purveyors, and holding them accountable for what 
they have done. The New York Attorney General's office brought the 
first major case against a spyware vendor, Intermix, whose KeenValue, 
IncrediFind, and other programs were widely installed on users' 
computers without any consent at all, and also without meaningful, 
informed consent. Subsequent litigation has pursued a variety of other 
vendors, with cases brought by the FTC, the City of Los Angeles, and 
Attorneys General in New York, South Carolina, Texas, and Washington. 
Several class actions have also challenged nonconsensual and deceptive 
installations.\13\
---------------------------------------------------------------------------
    \13\ See e.g., Sotelo v. DirectRevenue LLC, No. 05 C 2562 (N.D. 
Ill. Aug. 29, 2005).
---------------------------------------------------------------------------
    The prospect of similar litigation has pushed some spyware and 
adware vendors to substantially cease operations. For example, in the 
face of litigation against several of its competitors, Manhattan-based 
eXact Advertising shut its ``adware'' business, thereby ceasing the 
nonconsensual installation of its software that had previously been so 
prevalent.
    Yet litigation has not stopped the deceptive practices of all 
vendors. Consider the actions of Bellevue, Washington-based Zango, Inc. 
During an FTC investigation of its practices, Zango stopped its 
partners from placing its software on users' computers without first 
obtaining user consent. But despite its settlement with the FTC, Zango 
continues installations that are predicated on deception. For example, 
Zango continues to solicit installations via fake-user interface banner 
advertisements which deceptively masquerade as bona fide messages from 
software already on a user's computer.\14\ Moreover, despite a 
settlement requirement that every Zango advertisement be ``clearly and 
prominently'' identified with the name of the program that delivered 
that ad, some Zango advertising toolbars still lack the required 
label.\15\
---------------------------------------------------------------------------
    \14\ See e.g., ``Zango Practices Violating . . .'' (heading 
``Widespread Zango Banner-Based Installations without Unavoidable, 
Prominent Disclosure of Material Terms (XP SP2)'') (supra). More recent 
(May 2008) proof on file.
    \15\ See e.g., ``Zango Practices Violating Zango's Recent 
Settlement with the FTC'' (heading ``Unlabeled Ads--Toolbars, Desktop 
Icons, and Pop-Ups''). http://www.benedelman.org/spyware/zango-
violations/. May 2008 proof on file.
---------------------------------------------------------------------------
    More generally, experience and economic intuition confirm the need 
for tough litigation to adequately deter sophisticated corporate 
wrongdoers. At present, FTC actions typically seek disgorgement of ill-
gotten gains. But effective deterrence requires a penalty that exceeds 
disgorgement, since investigation and litigation are less than certain. 
(Otherwise, a rational perpetrator would proceed in expectation of 
sometimes getting to keep the proceeds.) Experience shows inadequate 
deterrence to be a real problem. Consider the FTC's $1.5 million 
settlement with DirectRevenue--letting the company's principals retain 
$20 million of ill-gotten gains. As FTC Commissioner Leibowitz pointed 
out in his dissent to that settlement, spyware purveyors ought not reap 
windfalls from their deceit. To that end, I support the bill's granting 
of a fine of three times the amount otherwise available. (Sec. 
7(b)(1).)
    Increasingly, purveyors of spyware and adware are not major U.S. 
companies that investigators can easily locate. Instead, surviving 
vendors tend to reside abroad, or at least tend to attempt to hide 
their true location. Despite their far-flung location, these vendors 
sometimes cause even more harm than American counterparts--seemingly 
taking greater liberties with users' computers on the view that they 
are beyond prosecutorial reach. Legislation ought to seek to disrupt 
these businesses and limit the harm they cause. In my view, the most 
promising approach comes through financial investigations: Although 
they're off-shore, these vendors still want to make money, and their 
primary revenue sources remain U.S. advertisers and ad networks. The 
New York Attorney General has already pursued selected advertisers that 
intentionally purchased large amounts of ``adware'' advertising.\16\ It 
would be little stretch to pursue advertisers and ad networks that 
intentionally fund remaining spyware vendors.
---------------------------------------------------------------------------
    \16\ Assurances of Discontinuance--Cingular, Priceline, 
Travelocity. http://www.oag.state.ny.us
/press/2007/jan/adware-scannedAODs.pdf.
---------------------------------------------------------------------------
Specific Concerns in the Legislation at Hand
    Let me now turn to S. 1625, my specific suggestions, and some areas 
of concern.
S. 1625 Risks Setting Low Standards that Do Little to Protect Against 
        Remaining ``Adware''
    S. 1625 rightly prohibits a range of outrageous and extreme 
behaviors. For example, it would be hard to defend the ``endless loop 
popups'' prohibited by Sec. 3(1)(D).
    But it is possible to skirt the bill's prohibitions while causing 
consumers substantial harm and continuing the same practices 
traditionally associated with spyware and adware. Rather than showing 
so many popups that a user ``cannot close the advertisements without 
turning off the computer'' (Sec. 3(1)(D)), a program might show one 
popup per minute--still a substantial intrusion, yet nowhere proscribed 
by S. 1625 as it stands. Similarly, rather than tracking the specific 
information prohibited under Sec. 4(a), a program might monitor 
``only'' a user's name, street address, phone number, and all web 
searches conducted. Although remarkably intrusive, such tracking is 
seemingly permitted under Sec. 4. Thus, S. 1625's approach creates a 
serious risk that spyware and adware vendors can continue business 
substantially as usual.
    Moreover, spyware and adware vendors are likely to attempt to use 
any Federal legislation as a ``shield'' to deflect criticism of their 
practices. Indeed, Zango already invokes its settlement with the FTC as 
a supposed indicator of endorsement. Last year, Zango staff wrote to 
security vendors to say Zango has received ``certification with the 
FTC.'' \17\ More recently, Zango claimed that security vendors ought 
not block or remove Zango software because if Zango's software were 
harmful, ``the FTC would not have entered into a consent agreement 
permitting Zango to market that software.'' \18\ Far from setting a 
minimum standard that vendors will aspire to exceed, this bill thus 
risks creating a new supposed ``certification'' (or other low standard) 
that vendors may invoke as a defense against allegations of 
impropriety. As a result, weak legislation could actually make the 
spyware and adware problem worse.
---------------------------------------------------------------------------
    \17\ Forwarded e-mail on file in my possession.
    \18\ Reply Brief of Appellant. Zango v. Kaspersky Lab. U.S. Court 
of Appeals for the Ninth Circuit. No. 07-35800.
---------------------------------------------------------------------------
    Prohibiting the full spectrum of deceptive adware would require 
substantial reworking of S. 1625. Rather than prohibiting a lengthy 
list of specific bad acts, a rewrite would probably begin with basic 
consumer protection fundamentals, e.g., that software must only be 
installed on a user's computer after clear and prominent disclosure as 
well as meaningful consent.
    If S. 1625 is to retain its present approach, a partially-
responsive revision would add a preface or other comment to explicitly 
confirm the Committee's intention--that compliance with S. 1625, in and 
of itself, does not assure that software is ethical, effective, 
desirable, or even useful. I realize that such an addition may seem 
vacuous--for of course the bill does not aspire to define what software 
is desirable or useful. But as the bill stands, adware vendors are 
virtually certain to attempt to invoke S. 1625 defensively--claiming 
that their software must be desirable since it meets the bill's 
requirements. An appropriate preface could prevent that unwelcome 
strategy.
S. 1625 Should Protect Security Vendors Assisting Users
    Security vendors face a barrage of complaints and, in some 
instances, litigation claiming that security firms err in removing 
harmful or deceptive software from users' computers. See e.g. Zango, 
Inc. v. Kaspersky Lab, Inc. and New.net v. Lavasoft. Federal anti-
spyware legislation offers a natural context in which to grant Good 
Samaritan protection to computer security software--immunizing the 
efforts of bona fide security vendors, in the ordinary course of 
business, to identify, block, and/or remove software users reasonably 
view as objectionable. S. 1625 could and should include such an 
immunization.
S. 1625 Should Not Preempt Tougher State Laws
    As it stands, S. 1625 preempts tougher state laws. Given S. 1625's 
limited prohibitions--a list of some specific bad acts, rather than a 
comprehensive framework for effective notice and consent--such 
preemption seems unwarranted.
    In particular, S. 1625 leaves ample room for states to do more to 
protect their consumers. For example, states could identify additional 
specific bad acts that ought not be permitted. Alternatively, states 
could identify alternative methods of enforcement--perhaps private 
litigation by those who are harmed (be they consumers, websites, 
computer makers, advertisers, ad networks, or otherwise). With so much 
room for innovation to further address these important problems, I see 
no proper basis for preemption of state legislation.
A Simplified Bill Could Increase Penalties while Avoiding Other 
        Questions
    A simplification of S. 1625 would strike all language except 
authorization of increased penalties. The treble fine in Sec. 7(b) 
would apply to all FTC actions under existing legislation, pertaining 
to software installed on a user's computer that tracks user 
characteristics or activities, or that shows advertising. This dramatic 
simplification would relieve the Committee from the challenging 
questions of what specific behaviors to prohibit, and would side-step 
all the concerns identified in my testimony. Yet this revision would 
offer major benefits--letting the FTC better sanction and deter 
perpetrators. I urge the Committee to consider this approach.

    Senator Pryor. Thank you.
    Mr. Weafer?

          STATEMENT OF VINCENT WEAFER, VICE PRESIDENT,

       SECURITY RESPONSE, SYMANTEC CORPORATION, ON BEHALF

            OF THE BUSINESS SOFTWARE ALLIANCE (BSA)

    Mr. Weafer. Mr. Chairman, Members of the Committee: Thank 
you very much for the opportunity to testify.
    Let me start with a question that was raised earlier, which 
is how large is the problem. If we look at spyware and 
malicious code in general, there are about 1.8 million pieces of 
unique code. Now, that's a large number, but remember 
that about 800,000 of those malicious codes came in all of last 
year, so if you look at all the previous years, last year 
represented the vast majority of those pieces of spyware and 
malicious code. In the first 6 months of this year, we've 
already surpassed what we saw last year, in 2007.
    Looking at it another way, we did a survey of people's machines 
where we looked and we found about 57,000 unique pieces of 
files on their machine--Office, Windows, operating system 
files. 65 percent of those files were deemed to be potentially 
malicious or spyware on their machines.
    The Organization for Economic Cooperation and Development 
has estimated that something like 95 million U.S. people are 
sitting with spyware on their machines. It's a large problem 
and it's still growing. Now, this includes not just the grey 
actors, but also the black actors, the criminalization that's 
occurring very much at the moment as well.
    In terms of S. 1625, one of the areas we definitely want to 
focus on is the focus on behavior, not technologies. So we 
certainly want to prohibit bad conduct rather than pick certain 
technologies and say this act is good or this is bad, because 
that frequently forms a low bar for companies that try and 
target or simply raise themselves to that minimum level and 
say: We're certified.
    Second, we do want to include our support for the 
legislation, the so-called Good Samaritan portion. So a Federal 
court recently ruled in the Kaspersky case that the 
Communications Decency Act gives such protection to providers 
of anti-spyware solutions.
    Now, we're not seeking unlimited protection. In fact, we 
believe the legislative codification of Kaspersky could include 
language requiring good faith as well as a fair and effective 
dispute resolution process. There should be a process, it 
should be fair, it should be open. That's what we're looking 
for as part of this provision.
    We also want to commend you for including in your bill a 
provision for allowing perfectly legitimate activities, such as 
the detection and prevention of unauthorized use of the 
software. This is essential to our industry, the software 
industry, because fraud or piracy also includes almost $50 
billion in damage every year. So we believe this is also an 
important part.
    I'll keep my remarks short and just thank you very much for 
your time.
    [The prepared statement of Mr. Weafer follows:]

    Prepared Statement of Vincent Weafer, Vice President, Security 
   Response, Symantec Corporation on Behalf of the Business Software 
                             Alliance (BSA)
    Mr. Chairman, Mr. Ranking Member, Members of the Committee, good 
afternoon. Thank you very much for the opportunity to testify here 
today. My name is Vincent Weafer and I am Vice President of Security 
Response at Symantec Corporation. I will be testifying today on behalf 
of the Business Software Alliance (BSA).
    Symantec is one of the world's leading software companies. We are 
headquartered in Cupertino, California, operate in 40 countries 
worldwide and have more than 17,500 employees. Symantec's mission is to 
help individuals and enterprises assure the security, availability, and 
integrity of their electronic information. As the global leader in 
information security, we protect more people from online threats than 
anyone in the world. Symantec offers our customers products that detect 
and remove spyware and harmful adware, and our Norton brand of products 
is the worldwide leader in consumer security and problem-solving 
solutions.
    The Business Software Alliance (www.bsa.org) \1\ is the foremost 
organization dedicated to promoting a safe and legal digital world. BSA 
is the voice of the world's commercial software industry and its 
hardware partners before governments and in the international 
marketplace. Its members represent one of the fastest growing 
industries in the world. BSA programs foster technology innovation 
through education and policy initiatives that promote copyright 
protection, cyber security, trade and e-commerce.
---------------------------------------------------------------------------
    \1\ BSA members include Adobe, Apple, Autodesk, Avid, Bentley 
Systems, Borland, CA, Cadence Design Systems, Cisco Systems, CNC 
Software/Mastercam, Corel, Dell, EMC, HP, IBM, Intel, McAfee, 
Microsoft, Monotype Imaging, PTC, Quark, Quest Software, SAP, Siemens 
PLM Software, SolidWorks, Sybase, Symantec, Synopsys, and The 
MathWorks.
---------------------------------------------------------------------------
    It is a pleasure to be here today to discuss the serious issue of 
cyber security: protecting millions of computer users from those who 
maliciously install software on computers to compromise and steal 
sensitive, personal information. Such software goes by the name of 
``spyware.'' Mr. Chairman, I commend you and your colleagues, Senator 
Boxer and Senator Nelson for your leadership in addressing this 
invasive and deceptive practice through the Counter Spy Act (S. 1625).
    Today, I would like to make three points:

        First, spyware and harmful adware represent a critical threat 
        to security and privacy on the Internet. It is a threat that 
        must be met and defeated.

        Second, legislation can and should play an important role. We 
        urge the Committee to consider language which focuses on the 
        malicious intent behind this reprehensible behavior, not 
        ``bad'' technological tools like computers, software and the 
        Internet. We want to work with you to ensure that anti-spyware 
        legislation moving through Congress targets reprehensible 
        behavior and avoids the trap of defining ``good'' or ``bad'' 
        technology.

        Third, we believe that legislation should contain specific 
        provisions to ensure that developers of anti-spyware tools can 
        protect their customers without fear of threats and legal 
        harassment.

        And fourth, we commend you for including in your bill a 
        provision clarifying that security and anti-piracy activities 
        are not in fact spyware.
What Threat Are We Facing?
    Mr. Chairman, we commend you for your leadership in addressing the 
real and grave threat of spyware and harmful adware.
    Spyware and harmful adware are stand-alone programs that can 
monitor system activity and either relay the information back to 
another computer or hold it for subsequent retrieval.
    Spyware programs are placed on a user's system--oftentimes without 
the knowledge of the user--in order to steal confidential information, 
such as usernames, passwords and credit card details. This can be done 
through keystroke logging, or capturing e-mail and instant messaging 
traffic. Spyware is of particular concern because of its potential for 
use in identity theft and fraud.
    A growing type of spyware is rogue anti-spyware/anti-virus 
applications. They deceive users by displaying scary warnings about the 
computer being infected with a large number of fake threats, and then 
ask the user to buy the software to fix the problems. Another recent 
trend is programs that attempt to use the license agreement to prevent 
the end-user from sending any portion of the spyware program to anti-
spyware companies.
    Harmful adware programs capture information about the computer 
usage and Internet browsing habits of the user (such as websites 
visited and e-commerce purchases made). They generate a deluge of 
disruptive ads, usually in the form of pop-up windows, on the 
computer's screen. This represents a potential violation of privacy, 
and degrades user experience and computer performance by bogging down a 
computer's normal functions.
    How prevalent is the problem of spyware and harmful adware?
    Symantec publishes twice a year the Internet Security Threat Report 
(ISTR), a comprehensive compilation of Internet threat data, which 
gives us a unique perspective on the prevalence of spyware. The ISTR 
includes analysis of network-based attacks, a review of known 
vulnerabilities, and highlights of malicious code and additional 
security risks. We compile our data from more than 24,000 sensors 
monitoring network activity in over 180 countries, as well as 
information compiled from over 120 million client, server and gateway 
systems that have deployed our antivirus products, and through the 25 
million e-mail messages we filter for our customers every day.
    According to our most recent Internet Security Threat Report, 
spyware continues to be a serious security risk for consumers. The 
latest Internet Security Threat Report released by Symantec in April 
2008 reveals that attackers have adopted stealth tactics that prey on 
end-users on individual computers via the World Wide Web, rather than 
attempting high-volume broadcast attacks to penetrate networks. This 
may be because enterprise network attacks are now more likely to be 
discovered and shut down, whereas specifically targeted malicious 
activity on end-user computers and/or websites is less likely to be 
detected. Site-specific vulnerabilities are perhaps the most telling 
indication of this trend. During the last 6 months of 2007, there were 
11,253 site-specific cross-site scripting vulnerabilities. Cyber 
criminals continue to refine their attack methods in an attempt to 
remain undetected and to create global, cooperative networks to support 
the ongoing growth of criminal activity.
    Adware and spyware continue to propagate, according to the ISTR. At 
the beginning of June 2008, there are over 1.8 million known malware 
and security risks with the majority of these being discovered in the 
past 18 months. In the last 6 months of 2007, threats to confidential 
information made up 68 percent of the volume of the top malicious code 
samples. Malicious code can expose confidential information in a 
variety of ways, including exporting user and system data, exporting e-
mail addresses, recording keystrokes and allowing remote malicious 
access to a computer. At the same time, today's attacks are more 
surreptitious than ever before, less likely to be detected rapidly, and 
more likely to have a direct impact on a user's finances.
    As an illustration of the scale of the problem, a recent report by 
the Organization for Economic Cooperation and Development (OECD), 
estimates that 59 million users in the U.S. have spyware or other types 
of malware on their computers.
    In summary, spyware and harmful adware are, quite simply, a 
critical threat to our online security and privacy. It is wrong and it 
must be stopped.
Ban Bad Behavior, not Technology
    Fortunately, the marketplace is responding to the need to address 
this challenge.
    Cyber security companies are investing heavily in newer generations 
of classification, behavioral detection and white listing technologies 
to handle the increasing volume and variety of spyware and malicious 
code threats. For example, Symantec creates security programs that 
watch out for known malicious threats, as well as unknown software that 
exhibits suspicious characteristics. Symantec products classify and 
categorize programs according to functionality. This allows a user to 
select an acceptable risk level and detect only programs that fall 
outside the user's own acceptable limits. We continually add new 
definitions and new defenses to address the ever evolving dangers in 
the Internet threat landscape such as worms, spyware, spam, and 
phishing.
    In addition, critical technologies such as web browsers are being 
revamped with more security, as they increasingly become a focus for 
attacks. Web browser security is particularly important because 
browsers come in contact with more untrusted or potentially hostile 
content than most other applications.
    We believe however that, in addition to the response of the 
marketplace, legislation can and should play a role. Spyware is a 
serious online threat to the public interest. As you have recognized, 
Mr. Chairman, this threat requires Congress to empower Federal agencies 
to enforce prohibitions that will help curb the scourge of spyware and 
harmful adware.
    We want to work with you to ensure that legislation moving through 
Congress targets reprehensible behavior, rather than attempts to define 
``good'' or ``bad'' technology.
    We believe that legislation should not prohibit specific 
technologies. Computers, software and the Internet are tools that are 
used in thousands of ways to enhance how we work, study, communicate 
and live. These tools are an indispensable part of our daily lives. The 
fact that a number of bad actors have figured out how to use these 
tools for illegitimate purposes does not mean the tools themselves are 
the cause of the harm.
    If technology was to be constrained or regulated, we would lose 
much of the richness and power that computing has brought to our modern 
lives.
    Let me put it a different way. We don't ban crowbars because some 
people use them to break into houses. We don't ban cars because some 
people use them to flee from the scene of a crime.
    Prohibiting conduct, rather than technology, avoids the danger of 
dictating the design and operation of computer software and hardware. 
Congress has wisely avoided imposing a number of technology mandates to 
maintain the U.S. technology industry as the envy of the world. It has 
been responsible for incredible improvements in productivity, millions 
of jobs, billions of dollars in exports, and immense benefits to every 
consumer. Government intervention that replaces marketplace solutions 
with governmental decisions endangers America's technology leadership. 
It hurts users of technology products by stifling innovation, freezing 
in place particular technologies, impairing product performance, and 
increasing consumer costs.
    Mr. Chairman, Symantec and other BSA member companies want to work 
with you and your staff to ensure that S. 1625 focuses even more 
clearly on harmful activities, rather than on the technology that is 
misused to perform these activities.
    Currently, S. 1625 includes a few provisions that risk affecting 
legitimate software and Internet functionalities, and thus compromise 
the operations of today's computers--as well as the direction of future 
technology. Let me give you just a few examples:

   Section 3(1)(A) prohibits the installation of software that 
        transmits or relays commercial electronic mail. This would 
        constrain the development and use of legitimate and innovative 
        methods to generate and send electronic communications;

   Section 3(3)(B) regulates how software that is installed on 
        a computer must be named and where it must be located, and how 
        it can be uninstalled. Again, this would constrain how 
        legitimate software is deployed and operates.

    We believe the problems inherent in such an approach can be avoided 
if Congress instead focuses directly on the behavior we are trying to 
stop: the use of unfair or deceptive means to install software on 
computers, as well as the unauthorized acquisition, use or 
commercialization of information from individuals. This is for example 
what section 2 and section 4(a) of your bill do. We commend you for the 
inclusion of such provisions, which strike at the heart of the spyware 
and harmful adware problem and which we believe would be useful tools 
in the hands of enforcement agencies.
    Such an approach significantly mitigates the risk that legislation 
may hamper or constrain the development and use of technology, while 
achieving your objective of protecting computer users. In addition, 
while products can be moved offshore and out of reach of our laws, the 
collection of information from computers within our borders is a 
problem that we can more easily and effectively address.
Enable Anti-Spyware Companies to Continue to Best Protect Computer Users
    Developers of anti-spyware solutions are providing effective 
protection to computer users against online threats. Unfortunately, 
they are threatened with lawsuits for defamation and interference with 
their business by spyware and harmful adware companies. These spurious 
threats force anti-spyware companies to divert precious resources to 
fight to protect themselves in Court. This is intended to disrupt and 
deter the development of tools that empower consumers to stop unwanted 
software from being put on their computers.
    BSA supports including in anti-spyware legislation what is often 
called a ``Good Samaritan'' provision. This would limit remedies 
against developers of anti-spyware tools. This would be far from 
unprecedented. In fact, Congress has repeatedly legislated targeted 
protection for a host of similarly beneficial activities, such as 
charitable food donations, the use of Automated External 
Defibrillators, or liability arising from sharing information about the 
Y2K problem.\2\ Last but not least, in June of last year the House of 
Representatives supported, by an overwhelming majority of 368 to 48, 
H.R. 964, the Spy Act. The Spy Act includes such a Good Samaritan 
provision for anti-spyware activities.
---------------------------------------------------------------------------
    \2\ The Bill Emerson Good Samaritan Food Donation Act (42 U.S.C. 
1791) precludes civil and criminal liability arising from food donated 
in good faith, except in cases of gross negligence or intentional 
misconduct. The Cardiac Arrest Survival Act of 2000 (42 U.S.C. 238q) 
precludes civil liability arising from any harm resulting from the use 
of an Automated External Defibrillator, except where there was no 
proper notification of emergency personnel, maintenance of the 
defibrillator or employee training. The Year 2000 Information and 
Readiness Disclosure Act (15 U.S.C. 1) precludes liability arising from 
statements and disclosures regarding the Y2K problem, except in cases 
of recklessness or intent to deceive.
---------------------------------------------------------------------------
    Mr. Chairman, I want to bring to your attention an important 
Federal court case, Zango v. Kaspersky. In August 2007, the U.S. 
District Court for the Western District of Washington ruled that the 
protection afforded by section 230(c)(2) of the Communications Decency 
Act (CDA) of 1996 (47 U.S.C. 230), to providers of solutions that 
filter objectionable content, covers providers of anti-spyware 
solutions.\3\
---------------------------------------------------------------------------
    \3\ Zango has appealed the ruling and BSA, as well as several other 
online consumer protection organizations such as the AntiSpyware 
Coalition (ASC), the Center for Democracy and Technology (CDT) and the 
Electronic Frontier Foundation (EFF), have filed an Amicus Brief asking 
the Court of Appeals for the Ninth Circuit to affirm the District 
Court's decision.
---------------------------------------------------------------------------
    Mr. Chairman, we understand why a former Attorney General like 
yourself would exercise caution in limiting judicial remedies. In fact, 
we are not seeking unlimited protection. We fully agree that good faith 
and due process must be applied by an anti-spyware provider when his 
product targets a software application for removal by the computer 
user.
    We believe that the protection provided by Congress in section 
230(c)(2) of the CDA can only extend to software providers who are 
truly seeking to empower users to exercise control over objectionable 
content received over the Internet. This protection does not apply if 
they are pursuing, for example, fraudulent or anti-competitive 
objectives (such as an anti-spyware company's product blocking the 
installation of a competitor's security solution).
    Mr. Chairman, BSA believes that legislative codification of the 
Kaspersky ruling, including language that requires good faith and fair 
and effective dispute resolution, would in fact exceed the safeguards 
provided by the House when it passed H.R. 964 last year. It would thus 
provide a strong foundation for the Senate to work with the House 
toward enactment of legislation, which is a priority that BSA shares 
with you.
Security and Anti-Piracy Activities Are Not Spyware
    Mr. Chairman, before I conclude my testimony, I would like to 
commend you for including in section 6(a) of your bill a provision 
allowing legitimate security and anti-piracy activities.
    This exemption has been supported at the Federal and state levels 
by a host of technology industry organizations representing telecom 
providers, cable companies, software producers, and Internet service 
providers. The activities in question are perfectly legitimate, such as 
diagnostics, network or computer security, repairs, network management, 
etc. All these activities are conducted by network administrators to 
maintain and secure their systems.
    Section 6(a) also covers the detection and prevention of the 
unauthorized use of software. This is essential to our industry's 
ability to protect our products against theft. Software piracy results 
in almost $50 billion in losses to the software industry each year, 
including more than $8 billion in the U.S. alone. Given these massive 
losses, it is absolutely critical that companies that engage in 
otherwise lawful conduct to detect or prevent piracy or other unlawful 
acts are not unwittingly subject to liability under anti-spyware laws. 
Section 6(a) is narrowly and carefully drafted to address this 
important goal.
    Certain interest groups may seek to drastically weaken or delete 
this provision. They may claim that it creates a license to snoop on 
people's computers, shut down their IT networks, or circumvent state 
consumer protection, privacy, and contract laws. This is patently 
false. The provision does not go beyond limiting liability under your 
bill, and it limits liability under your bill only. Anyone who engages 
in an act that violates any other Federal or state law is and will 
remain fully liable under those laws. The purpose of weakening this 
provision is not to protect against spyware, but to make it harder for 
legitimate companies to fight piracy, or other fraudulent or illegal 
activities. The laudable anti-spyware goals of the Act should not be 
subverted for this purpose.
    Thank you again for this opportunity to comment on the issue of 
spyware and the Counter Spy Act. I would be happy to answer any 
question you may have.

    Senator Pryor. Well, thank you.
    Let me go ahead and start with you, Mr. Weafer, because I 
assume that your company has a working definition of spyware. 
Do you have a definition of spyware?
    Mr. Weafer. Yes, we do.
    Senator Pryor. And as I understand it, the Federal Trade 
Commission does not have an adequate definition of spyware; is 
that right?
    Mr. Weafer. That's right. There are different definitions 
out there. One thing we have done as an industry is come 
together to try and create a common definition of spyware. So 
we're part of a coalition, the Anti-Spyware Coalition. We have 
posted what we believe is a shared and fair assessment of what 
spyware is.
    Even within that definition, there is some degree of what 
is included, what is considered personally identifiable 
information. We do believe there are fairly good standards 
relating to what is spyware and why the concern is there.
    Senator Pryor. So is there then an industry consensus on 
what spyware is and what it's not?
    Mr. Weafer. We believe there is, even though there are 
probably some differences or subtleties in the language 
themselves.
    Senator Pryor. Do we have that definition? Have you 
provided that to the Committee?
    Mr. Weafer. If we haven't, we will provide.
    Senator Pryor. That would be great because I think that 
would be helpful for us.
    If I may, Mr. Edelman, it sounds like you spend a lot of 
time trying to figure out what's out there and you know how it 
infects people's computers and what it does. Tell me what 
you're seeing out there, two or three of the most prevalent 
forms of spyware that are currently infiltrating people's 
computers?
    Dr. Edelman. Well, it's easy to be complacent and think 
that the problem of unwanted pop-up ads is over. That's not 
what I see in testing the sorts of websites where users get 
infected. I still see plenty of websites that will fill your 
computer with pop-ups and make money from those pop-ups through 
the biggest American ad networks out there. Maybe I shouldn't 
name any names today, but you can imagine the sort of 
advertising intermediaries who fund all kinds of behavior on 
the web and, remarkably, continue to fund the pop-ups that 
users so despise.
    Separate from that, there are so-called market research 
companies that track users' behavior in great detail--every 
website you visit, every search you make, every product you 
buy, every product you look at but don't buy. That's a little 
spooky to me, frankly. I'm not sure I want those records about 
me kept anywhere. What if it gets hacked? You know, what if 
that goes on the web somewhere and everyone can see it?
    Beyond that, I do see serious criminal enterprises taking 
over users' computers, using them to send spam. I have to 
defend my computer so that when I allow my computer to be 
infected by spyware, it doesn't go around sending spam. So 
there's a little bit of complication even for me just in safely 
testing the software.
    Denial of service attacks. Often you'll see programs that 
take over a user's computer and use it to attack some other 
computer.
    All of these behaviors still remain prevalent, the same 
kinds of problems we were talking about 2 years ago, 3 years 
ago, 4 years ago still occurring, albeit some of them somewhat 
harder to track down.
    Senator Pryor. You mentioned that you go to the types of 
websites that will contain spyware. What types of websites 
typically expose people to spyware?
    Dr. Edelman. Well, it can happen anywhere. You know, 
historically there have been examples even of mainstream news 
sites being hacked so that they would distribute spyware. But 
the sites that I find the most reliable tend to be second-tier 
entertainment sites. There's a wrestling site that is awfully 
effective at giving me spyware, with no offense intended to 
those who like professional wrestling, but this site isn't the 
one to go to. Again, I'll leave it unnamed.
    Sites and programs that provide assistance in downloading 
copyrighted music and videos, sometimes massive copyright 
infringement frankly. You go to a site that purports to provide 
assistance in that regard and then you might or might not get 
the copyrighted material you were seeking, but in any event 
your computer would be destroyed, which certainly wasn't part 
of the bargain that you were expecting.
    But again, it can happen anywhere and so we should not 
paint a picture of victims as somehow having brought this on 
themselves. Maybe in a few instances that's the case, but as a 
general rule that's really not true.
    Senator Pryor. Mr. Edelman, in your experience and in your 
opinion, is there any legitimate use for spyware?
    Dr. Edelman. The programs that people call spyware are such 
a broad swath of programs, it's hard even to answer the 
question crisply. Is there any legitimate use for a program 
that takes over a user's computer and uses it to send 
unsolicited commercial e-mail to a variety of recipients who 
never asked for it, without telling the user that their 
computer would be so used? Absolutely not. How about a program 
that monitors what you're doing and shows pop-up ads? You know, 
some marketers say that that could be useful. You didn't know 
that American Airlines existed until you went to United.com and 
up came an ad for American Airlines, which, to be clear, they 
would never do because they are good advertisers and are 
actually very careful about that sort of thing.
    In principle, it could be good for competition, I guess, to 
have pop-ups telling users about alternatives. But in practice 
I'm pretty suspicious. I think these pop-ups tend to promote 
software and services that users don't really want. If they 
want them they already know about them and no one wants to be 
interrupted by that sort of thing. So I don't see a lot of use 
for it.
    Senator Pryor. Mr. Cerasale, are there legitimate purposes, 
legitimate uses for spyware?
    Mr. Cerasale. Well, again the term ``spyware'' means lots 
of things. Clearly, taking over someone's computer and so 
forth, is just not allowed. That's spyware, bad stuff. But 
certain toolbars, plug-ins, and web browsers, those types of 
things going on people's computers clearly are things that 
individuals want and so forth.
    Looking at the definition of trying to be any kind of 
software, you even have requirements for e-mail notices. There 
are things called web beacons that are computer code, software 
code, to tell people whether or not an e-mail has been opened. 
Some of those things are used, for example, if there is a 
compelled e-mail notice to ensure that you have informed 
individuals of this notification. Those kinds of web beacons 
and things of that sort are definitely helpful and helpful to 
meet legal requirements.
    So the definition--as you look at definition of what is 
spyware, and actually as you go down further, the definition of 
what is software, becomes very, very complicated. We have to be 
careful with that. If you look at the attachment to my 
testimony, the DMA Guidelines, we have a thing on the bottom, 
this does not include cookies or similar types of software, 
because we had difficulty trying to define this.
    As we go further along with new technology, I think just 
defining software becomes a major problem. There are things 
that go on people's computers that can be easily defined as 
software, that are advantageous to them. Now, our guidelines 
would say you've got to allow me to take it off if I suddenly 
don't want it. But that's the kind of thing that we think is--
there are some legitimate uses for.
    There are major, major illegitimate uses for it that are 
already illegal. Many of the things that have been said here 
are already under Section 5 of the FTC Act, would be barred in 
its own right.
    Senator Pryor. Does the Direct Marketing Association have a 
good and working definition of spyware?
    Mr. Cerasale. We do not. If you look at that, the 
attachment to my testimony, we just talk about computer 
software, ``install software or other similar technology,'' 
because we don't know what's coming next, and then define some 
of the bad practices. So that's what we've done, and then 
defining if you're going to put this software or similar 
technology on someone's computer with notice, easy to 
uninstall, you have to let them know who it is and the privacy 
policy. That's the way we had to go. We felt that trying to 
define software would in essence--was first of all very 
difficult to try and discern; but technology is going to change 
the definition of software as we move forward, and we want to--
and I think that our decision was to focus more on the acts and 
try and stop that, no matter what means was used for it.
    Senator Pryor. Mr. Butler, do you have a good working 
definition of spyware? Do you differentiate spyware from adware 
and other types of software?
    Mr. Butler. To us, spyware is software that is 
surreptitiously installed on someone's computer, that allows 
the outsider to intercept or to seize even partial control over 
the user's interaction with the computer, without that user's 
informed consent. Anything that meets that definition we think 
is spyware.
    Senator Pryor. Mr. Cerasale, you just heard his definition. 
You said the DMA doesn't differentiate between different types 
of software, but based on that definition you just heard, are 
you aware of any legitimate purpose for that type of software, 
surreptitiously installed, et cetera, et cetera, like he said?
    Mr. Cerasale. As our guidance says, surreptitiously 
installed would violate our guidelines. So yes, that clearly 
fits within where DMA is. I think the one exception might be in 
an area where Mr. Butler and I would disagree, in areas of 
trying to look at anti-fraud areas, that that might be 
something where there may be an exception here. But not talking 
about that, looking at it from that score, his definition, 
surreptitiously put on, would violate our guidelines, so even 
without our definition.
    Senator Pryor. Let me ask this also if I may, Mr. Cerasale. 
That is, a couple of the witnesses either in their written 
testimony or what they said here today encouraged us to focus 
on behavior, not technology.
    Mr. Cerasale. Correct.
    Senator Pryor. Is that where the direct marketers are as 
well?
    Mr. Cerasale. I believe so, yes.
    Senator Pryor. Because the technology will change, but we 
know that the type of behavior that we want to prevent, presumably 
we know the type of behavior we want to prevent, but the 
technology--there are lots of different ways to get there; is 
that fair?
    Mr. Cerasale. That's fair, and it may be tomorrow it will 
be something new.
    Senator Pryor. Mr. Butler, do you agree with that?
    Mr. Butler. I think so.
    Senator Pryor. Because I think what Senator Vitter said was 
that he was concerned about the definition and I think the 
idea, if I'm hearing the panel correctly, is that if you have a 
definition that's really based on a technology or a specific 
process of some sort, that could change because some programmer 
out there could change that tomorrow and the law we pass today 
could be obsolete. But if we focus on, I guess, the end result 
and the behavior that we're trying to prevent, then regardless 
of what technology gets us there, I think that gets us what 
we're trying to do.
    Do you agree with that, Mr. Edelman?
    Dr. Edelman. I think that's fine as far as it goes, but 
it's still possible to be both over-inclusive and under-
inclusive as to behaviors. So it's possible to write a list of 
20 bad behaviors and miss three other behaviors that either the 
Committee didn't notice or they haven't started yet, but will 
start next week.
    Similarly, it's possible for there to be some behavior for 
which the behavior itself is neither good nor bad; it's the 
deceptive practice of that behavior, doing it in a way that has 
a tendency to deceive, based on the totality of the 
circumstances, the context, the method in which it is promoted, 
the nature of the disclosure, the nature of the consent 
procedure.
    So the suggestion that behavior versus technology is the 
magic bullet that solves the bill's problems, I'm not sure it 
gets you all the way there.
    Senator Pryor. Mr. Rotenberg?
    Mr. Rotenberg. Senator, I've worked on quite a lot of 
privacy bills over the years and I just want to say I very much 
support your approach. By way of example, the Federal Privacy 
Act, the legislation that protects the privacy of citizens with 
respect to their records held by Federal agencies, was passed 
more than 30 years ago. It actually said almost nothing about 
technology. It spoke about the collection and use of personal 
data, who would have access to it, how you could obtain it, and 
what the penalties would be. It still works today.
    By comparison, the privacy provisions in the Cable 
Communications Act of 1984, which are very good privacy 
provisions, was actually quite specific about the type of 
industry that would be covered. In 1984 there was a clear 
understanding of what the cable industry looked like, what 
interactive television looked like, and what privacy protection 
would require.
    Well, today we have a great deal of interactive media, but 
those provisions from 1984 no longer apply because they were 
too technologically specific. So I think we need to focus on 
the activity, and of course I think it's possible by means of 
committee report or other means to give some examples. You can 
say with respect to current business practice, we want to 
prohibit surreptitious collection of a person's personal data 
without their consent, and an example might be, and then we can 
talk about some of the things that are taking place right now.
    Senator Pryor. Well, I would hope that all the panelists 
here would help us as we work on this bill and help us make 
sure we get it right, because, assuming the Senate passes this 
and the House passes it and the President signs it, we are 
trying to address this problem, and a wrong definition or a 
wrong section in the bill could totally undermine the purpose 
of what we're trying to do.
    So I'd love to have all of you help us draft this. You all 
raise good points.
    Let me ask, if I may, let me ask Mr. Weafer about the cost 
associated with a consumer having spyware on his computer and 
having to do something to get rid of that infection. What does 
it typically cost John Q. Public out there when he's on his 
computer? What does it typically cost him to get rid of the 
spyware once it has infected his computer?
    Mr. Weafer. There are two parts to that answer. One is the 
actual physical damage, for example having to go in and remove 
pop-ups, unwanted software, which can range in terms of dollars 
from hundreds of dollars to thousands depending on how many 
machines, whether it's to be completely re-imaged, and who's 
doing the work.
    The bigger, greater cost is really on the personal privacy. 
If data has been exposed or is assumed to be exposed, then the 
cost in terms of cleaning up their identity, their privacy, 
going after that, actually is very difficult to calculate. But 
I think that's the greater concern and the greater danger to a 
lot of users.
    Senator Pryor. Will a software product sold by Symantec 
stop spyware from being added in the first place or does it 
remove it once it's on there, or both?
    Mr. Weafer. It tries to do both. So first of all, we're 
really just trying to give the tools to the end-users to 
identify what's on their machine. We classify according to 
large spyware, which is a general category of software, 
including actual spyware, remote access programs, tracking 
tools, hacking tools, and information, preventing them getting 
on. They're deemed to be high risk or low risk, to help the 
user. Then if they are on the system, helping them remove them 
from the system itself.
    In some cases we can actually work with the vendors. If 
they've got a reasonable uninstaller, we can actually just call 
that and that becomes the uninstallation. For some of the more 
malicious, insidious programs, we have to do it ourselves.
    Senator Pryor. Symantec has a number of competitors out 
there that are offering spyware protection as well, right?
    Mr. Weafer. That is correct.
    Senator Pryor. About how many are in that marketplace right 
now that are offering anti-spyware programs or software of some 
sort?
    Mr. Weafer. There are at least 20 major vendors who are 
offering similar programs.
    Senator Pryor. Which ones are the best?
    [Laughter.]
    Mr. Weafer. Symantec. I'm a little bit biased toward the 
Norton brand.
    Senator Pryor. I just couldn't resist that one.
    But nonetheless, there may be some ways for some computer 
users to get anti-spyware software free, but a lot of people 
have to pay for it as well. It kind of depends on your 
situation. So definitely there's a lot of cost associated with 
this, not just to the machine but also to your personal 
situation.
    Mr. Cerasale, you said in your testimony that you think the 
industry--you prefer self-regulation, is that right?
    Mr. Cerasale. That's correct.
    Senator Pryor. Well, when I hear the numbers of some of the 
statistics, I get the very distinct impression that self-
regulation isn't working. So do you disagree with me on that?
    Mr. Cerasale. I do. What we heard a lot of today and a lot 
of the statistics are basically criminal activity, activity 
that is deceptive, activity that already violates Section 5 of 
the Act or other criminal codes. Self-regulation requires law 
enforcement to stop criminal activities. Self-regulation is not 
there and cannot be there to prevent criminal activity.
    I think the area we're looking at and the area that we're 
concerned in is going after the bad guys, the criminals, and 
being careful to protect the legitimate uses on the Internet 
that foster commerce. And I think in that arena self-regulation 
works well, for DMA members to have to follow our guidelines, 
the ability for us to quickly change guidelines, to take a look 
at new technologies when they come up. We have our own ethics 
procedure to go after and try and stop certain activities.
    I think in that arena it works. It does not work in the 
criminal arena and we don't intend it to, and we want you to 
give the FTC as much money as they can to go out and try and 
enforce it.
    Senator Pryor. I do think one of the shortcomings of self-
regulation is something you alluded to, and that is I think you 
have a lot of members who are acting responsibly and are out 
there trying to do the right thing and they're legitimate 
companies trying to be in this for the long term. But not all 
direct marketers are members of the DMA and a lot of them don't 
acknowledge or recognize or even consider your guidelines that 
you lay out.
    So this may be one of those situations where the good 
actors out there may have to undergo some additional regulation 
to try to get the bad actors out of the marketplace.
    Mr. Cerasale. We have supported legislation in the past, 
such as CAN-SPAM and in other areas, where we felt that self-
regulation didn't work, and we pledge and have in the past and 
continue to work with you on this legislation, with you and the 
Committee on this legislation, and others in this area.
    Our biggest concern is unintended consequences hurting 
legitimate business and that's where we want to work.
    Senator Pryor. Mr. Weafer, let me ask another question of 
you, and that is--we have heard some statistics today that are 
helpful, but I'm curious about, from your company's standpoint 
and just from your personal research and your experience, is 
spyware a growing problem? Is it becoming more prevalent or 
less prevalent?
    Mr. Weafer. In my opinion, the broader aspect of spyware is 
actually becoming more prevalent. We're seeing more and more 
spyware. Now, most of this is driven by the underground 
economy. A lot of it is the criminalization of this. We're 
certainly seeing in many cases up to 500 percent year over year 
increases in the amount and variety of this type of spyware 
coming out.
    We are continuing to see the shady commercialization as 
well, which are programs which are continuing to drive pop-ups, 
programs which are continuing to be fraudulent, programs which 
are still not giving users control, consent, and notification. 
So we do applaud the self-regulation, but we want to see 
additional remedies on top of that.
    Senator Pryor. Well, I agree with you. I think that that's 
what you're seeing out there. I just know really anecdotally 
from talking to people--just as an example, not too long ago I 
was talking to someone about their computer and they were 
getting all these pop-ups. They were getting a new toolbar, 
they were getting all this stuff, and they didn't know where it 
came from or how it came on there.
    It's very frustrating for people. For most people, like for 
home use, your personal computer is your personal property and 
you don't want it to be infected and somehow damaged by other 
people, and certainly you don't want your personal information 
out there going to people that you don't want to have it.
    So this is a serious problem. We do have this piece of 
legislation. All of you pointed out your thoughts on the 
legislation, even some of the shortcomings of the legislation. 
We appreciate that. We take all of that as constructive 
criticism.
    What we're going to do is we're going to take our 
legislation, we're going to talk to the Members of the 
Committee, and we're going to see if we can help shape it and 
get it in the type of form where it's ready to move and move 
through the system. And hopefully some time in the next, I 
don't know, several months, maybe the next year, we'll have a 
very, very strong piece of legislation, very bipartisan, to try 
to make a big difference in the marketplace.
    So I just want you to know you've been a very important 
part of this process and we appreciate you. Like I said, we 
definitely would appreciate your input as we go along, and 
always feel free to share your opinions or give us your 
insights because we don't claim the expertise here. We know who 
the experts are.
    So with that, what I'm going to do is I'm going to adjourn 
the hearing here in just 1 minute. But first let me say that 
we're going to keep the record open and Senators may have 
additional questions or follow-up questions. So we'll get those 
to you and we'd love for you to get those back to us. We'll try 
to leave the record open for 2 weeks, so if you could get those 
back to us as quickly as you can.
    Also, if there are documents--I think someone mentioned a 
study or some statistics or whatever it may be. If there are 
documents that you want to submit for the record, again the 
record will be open for 2 weeks and just get that to Committee 
staff and they'll distribute it as it should be.
    So we appreciate your time, we appreciate you looking at 
the legislation, and we appreciate your being here today. With 
that, we're going to adjourn the hearing, and just say thank 
you.
    [Whereupon, at 4:28 p.m., the hearing was adjourned.]
                            A P P E N D I X

                                                     TRUSTe
                                   San Francisco, CA, June 24, 2008
Hon. Mark Pryor,
Chairman,
Subcommittee on Consumer Affairs, Insurance, and Automotive Safety,
U.S. Senate,
Washington, DC.

Dear Chairman Pryor,

    I am writing to respectfully request that this letter be added to 
the official record of the Senate Commerce Committee's hearing on June 
11, 2008 entitled ``The Impact and Policy Implications of Spyware on 
Consumers and Businesses.''
    I am the Vice President in charge of legal policy and compliance 
matters for TRUSTe. We are an independent, nonprofit organization with 
the mission of advancing privacy and trust for a networked world. 
Through long-term supportive relationships with our licensees, 
extensive interactions with consumers in our Watchdog Dispute 
Resolution program, and with the support and guidance of many 
established companies and industry experts, TRUSTe has earned a 
reputation as the leader in promoting privacy policy disclosures, 
informed user consent, and consumer education.
    TRUSTe applauds the Committee's work on the issue of spyware. We 
have long articulated a public policy for privacy protection that 
incorporates the strength of government oversight, the discipline of 
industry self-governance, and the innovation of privacy-enhancing 
technology.
    In his testimony before the Committee on June 11, Jerry Cerasale, 
senior vice president of government affairs for the Direct Marketing 
Association, referenced the self regulatory work underway to develop 
standards for downloadable software. He spoke of the work that TRUSTe 
has undertaken to develop a program of best practices. I would like to 
tell the Committee a little more about our Trusted Download Program.
    TRUSTe has partnered with major online consumer portals and other 
industry leaders to develop the Trusted Download Program, a standards 
and a certification program for downloadable consumer desktop 
applications.
    Program objectives:

   Empower consumers to make informed decisions.

   Establish the leading industry-wide standards for developers 
        of downloadable applications.

   Identify and elevate trustworthy consumer applications for 
        distributors and marketers.

   Protect the valued brands of online advertisers by enabling 
        them to know which applications are trustworthy and which are 
        not.

    The Trusted Download Program certification combines strict 
standards, thorough review, ongoing monitoring, enforcement mechanisms 
and powerful market incentives.
    The Program elevates those applications that meet the certification 
requirements through a whitelist, thereby providing consumer portals 
and other businesses a tool to distinguish responsible software 
applications. For downloadable desktop software developers, the program 
provides guidance on responsible behavior. A Trusted Download Seal at 
the point of download allows consumers to recognize applications that 
provide improved disclosures, more explicit control mechanisms, easier 
uninstall, and more respect for their personal information.
    Trusted Download Sponsors and Advisory Committee Members are CNET 
download.com, Microsoft, Yahoo!, and the Center for Democracy and 
Technology (CDT).
Incentives for Compliance
    TRUSTe serves a ``whitelist'' of certified applications to 
advertisers, distributors, consumer portals and other interested 
parties. In a market where the conduct of partners can be as important 
as the conduct of your own organization, businesses are turning to 
TRUSTe to help determine which applications they want to be affiliated 
with. The Program's whitelist is regularly used to influence 
decisionmaking in advertising buys, bundling and distribution 
opportunities, and to resolve errant blacklistings.
    The whitelist provides an economic incentive for software 
providers to achieve and maintain certification. In addition, the 
Trusted Download Seal at the point of download reassures consumers and 
increases downloads, providing a direct economic benefit to software 
developers.
Scope
    While there are exceptions, the program is aimed at consumer 
downloadable desktop software applications. It does not cover software 
downloaded exclusively to handheld devices (i.e., mobile phones). While 
there are additional specific requirements for advertising and tracking 
software, many requirements also apply to all consumer downloadable 
applications. Advertising and tracking software providers will likely 
need to significantly change current practices to earn certification. 
In addition, the program will provide standards for all applications to 
offer consumers enhanced disclosures, easier uninstall and other 
benefits.
Certification
    Application providers submit to TRUSTe a contract and a completed 
questionnaire including questions about how the application is 
distributed. TRUSTe conducts a thorough evaluation of the downloadable 
applications against the program standards to ensure they do not 
involve activities that are prohibited by the Program. Additional 
compliance assurance is being provided by AppLabs, a third party 
software testing lab that will evaluate the application's relay of 
information and interaction with the recipient's operating system.
Key Program Elements
    The Program outlines certain requirements for all software and 
specifies additional requirements for advertising and tracking 
software. This approach ensures that the Program addresses practices 
that historically have created consumer confusion and anxiety. However, 
all software must meet specific program requirements and is tested for 
monitoring, relays, and behaviors that have historically been 
considered deceptive.
Notice
    The Program imposes a layered approach, via a primary notice and 
reference notices such as the End User License Agreement, EULA, and the 
privacy statement. The primary notice must explain functionalities that 
impact the consumer experience and must be unavoidable, to ensure that 
users understand what they are downloading. EULAs and ``opt-out'' 
mechanisms are insufficient for providing such notice or obtaining 
consent. For example, unavoidable notice of any material changes to 
certain specified consumer settings is required for all software. 
Further, all ads delivered in certified advertising software must be 
labeled, and unavoidable notice of certain ad features must be 
provided.
Consent to Install is Required
    Consumers must be offered notice and an opportunity to consent that 
is described in plain language and is as prominently displayed as the 
option to not install. Consent to install may not be obtained with a 
pre-selected option.
Easy Uninstall
    Instructions for uninstallation must be easy to find and easy to 
understand, and methods for uninstalling must be available in places 
where consumers are accustomed to finding them, such as the Add/Remove 
Programs feature in the Windows Control Panel, or the Add-On management 
menus in browsers for browser Add-Ons. Uninstallation must remove all 
software associated with the particular application being uninstalled 
(with a few specific exceptions carved out in the Program 
Requirements), and cannot be contingent on a consumer's providing 
Personally Identifiable Information, unless that information is 
required for account verification.
Prohibited Activities
    No company can have an application certified if any of its 
applications exhibits a behavior listed in the Program's Prohibited 
Activities section.
    Examples of prohibited activities include:

   Taking control of a consumer's computer.

   Modifying security or other settings of the computer to 
        cause damage or harm.

   Spyware tactics for surveillance and tracking, such as 
        keystroke logging.

   Preventing reasonable efforts to block installation or to 
        uninstall.

   Allowing a certified application to be bundled with any 
        application currently engaging in any of the prohibited 
        activities.
Special Protections for Children
    Companies in the Program must prevent the distribution of their 
advertising or tracking software on children's websites--including by 
prohibiting their distribution partners and affiliates from such 
distribution.
Affiliate Controls
    Since many advertising and tracking applications are distributed 
through second and third-party affiliates and/or bundled with other 
programs, relationships must be disclosed in attestations. Certified 
software is subject to random testing on instances found wherever an 
individual might encounter them.
Prior Behavior
    The Program includes provisional certification for companies that 
have previously engaged in prohibited activities or other behaviors 
that call into question the Participant's ability to comply with the 
Program Requirements on an ongoing basis. In order to be certified, 
these companies will be subject to additional oversight including 
enhanced monitoring and a requirement to go back to all users who 
downloaded an uncertified version of the software application and 
obtain their opt-in consent.
Segregated Ad Inventory
    Companies in the Program must maintain segregated ad inventory in 
certified versus uncertified applications. The application provider 
must be able to serve ads to users from whom consent was obtained 
versus users from whom consent has not been acceptably obtained.
Monitoring
    Certified applications are monitored by TRUSTe for ongoing 
compliance with the Program's strict standards. A company risks 
termination from the program if any one of its certified applications 
violates the standards.
Enforcement
    If monitoring uncovers suspected non-compliance, an application, or 
in some cases all of a company's applications, will be subjected to 
enforcement procedures by TRUSTe. Depending on severity and the results 
of a TRUSTe investigation, an application may be temporarily suspended 
or permanently removed from the program whitelist. In certain cases, a 
company or application may be terminated from the Program and the fact 
of its termination made public.
    I have attached a copy * of the Trusted Download Program 
certification requirements to this letter and request that it also be 
included in the Committee's spyware hearing record.
---------------------------------------------------------------------------
    \*\ This document is retained in the Committee files.
---------------------------------------------------------------------------
    TRUSTe appreciates your work in this area and would be pleased to 
serve as a resource should you or your staff have any questions. If you 
have any questions, please do not hesitate to contact me.
            Sincerely,
                                  John P. Tomaszewski, Esq.
                        Vice President, Legal, Policy & Compliance.
                                 ______
                                 
       Americans for Fair Electronic Commerce Transactions 
                                                   (AFFECT)
                                                      June 25, 2008
Hon. Mark Pryor,
U.S. Senate Committee on Commerce, Science, and Transportation,
Washington, DC.

       Re: Follow-up Comments for the Record of the Hearing on the 
      ``Impact and Policy Implications of Spyware on Consumers and 
                                                       Businesses''

Dear Senator Pryor:

    Thank you for the opportunity to submit additional comments on 
behalf of AFFECT (Americans for Fair Electronic Commerce Transactions) 
on the impact and policy implications of spyware on consumers and 
businesses and on the Counter Spy Act (S. 1625).
    As I stated in my testimony during the June 11, 2008 hearing, 
AFFECT is concerned about the exception section of the Counter Spy Act, 
Section 6(a). That section says that the list of prohibited acts in 
Sections 3, 4, and 5 of the bill ``do not apply to any monitoring of or 
interaction with, a subscriber's Internet or other network connection 
or service, or a protected computer, by or at the direction of a 
telecommunications carrier, cable operator, computer hardware or 
software provider, financial institution or provider of information 
services or interactive computer service . . .''
    These entities have immunity under the Counter Spy Act when what 
they're doing is done for a number of innocuous-sounding purposes. The 
first nine of these liability exemptions include network or computer 
security, diagnostics, technical support, repair, network management, 
authorized updates of software or system firmware, authorized remote 
system management, authorized provision of protection for users of the 
computer from objectionable content, and authorized scanning for 
computer software used in violation of sections 3, 4, or 5 for removal 
by an authorized user.
    As I said at the hearing, AFFECT sees no legitimate reason why any 
of these nine activities would need an exemption from the actions 
prohibited by the bill because:

   none of them justifies an outside entity in installing 
        zombies, engaging in modem hijacking for the purpose of 
        causing damage to the computer or causing the authorized user 
        to incur unauthorized financial charges, causing a denial of 
        service attack for the purpose of causing damage, causing 
        endless loop pop-up ads (Section 3(1));

   none of them justifies an outside entity in modifying an 
        authorized user's security settings for the purpose of stealing 
        the user's sensitive personal information, or disabling 
        security settings for the purpose of causing damage to the 
        computer or another computer, or through unfair or deceptive 
        means modifying browser settings (Section 3(2));

   none of them justifies, without authorization, an outside 
        entity in preventing a user's reasonable efforts to block 
        installation, to disable, or to uninstall software by unfair or 
        deceptive means (Section 3(3));

   none of them justifies an outsider in installing software 
        that collects sensitive personal information from an authorized 
        computer user without that user's informed consent, logs 
        keystrokes, collects and correlates personal information with a 
        history of websites visited, extracts the substantive contents 
        of files or communications, or prevents an authorized user from 
        uninstalling or disabling software (Section 4); and,

   none of them justifies an outsider in installing adware that 
        conceals its operation (Section 5).

    An exemption from the prohibited activities listed in the bill is 
simply not needed to allow or protect any legitimate activity.
    AFFECT is particularly concerned about Subsection 6(a)(10). That 
tenth and final exemption would be granted when the otherwise 
prohibited acts are done for: ``detection or prevention of the 
unauthorized use of software for fraudulent or other illegal 
activities.'' 
The troubling questions raised by 6(a)(10) were pointed out in my 
written testimony, namely that the exemption would allow a software 
vendor to surreptitiously download code onto a user's computer and 
freely violate their privacy. It would allow the provider to set itself 
up as an ad hoc police force to conduct warrantless searches and to act 
as judge and jury to conduct unilateral seizures. Private entities do 
not and should not have the right to conduct law enforcement 
activities.
    More troubling is the fact that the language of Subsection 6(a)(10) 
would effectively allow a software provider to unilaterally decide to 
remotely shut down the user's computer or Internet or other network 
connection or service. But whether the use of a particular software is 
``unauthorized,'' ``fraudulent,'' or ``illegal'' is often subject to 
legitimate dispute and merits some judicial consideration before a 
provider is allowed to unilaterally employ a drastic remedy like remote 
disablement.
    In his written testimony, Vincent Weafer, the Symantec vice 
president who was representing the Business Software Alliance (BSA) at 
the hearing, praised Section 6(a)(10) as ``essential to our industry's 
ability to protect our products against theft. Software piracy results 
in almost $50 billion in losses to the software industry each year, 
including more than $8 billion in the U.S. alone. Given these massive 
losses, it is absolutely critical that companies that engage in 
otherwise lawful conduct to detect or prevent piracy or other unlawful 
acts are not unwittingly subject to liability under anti-spyware 
laws.''
    Contrary to Mr. Weafer's statement, exemption from the prohibited 
actions listed in the bill is neither essential to a software vendor's 
legitimate efforts to protect against piracy, nor is it essential to 
protect legitimate activities from liability under the bill. Software 
vendors have a variety of legal remedies to attack piracy. If a 
software contract, for example, an End User License Agreement (EULA), 
is breached, the vendor would have the right to sue and collect 
damages. It could seek an injunction against further use. In addition, 
statutes, like the U.S. Copyright Act, or international copyright laws, 
may grant other rights and remedies, including access to Federal court 
and statutory damages, perhaps even enforcement by the FBI. In 
addition, the BSA itself is a well-known and very effective enforcement 
arm of the software industry.
    Further, there is no reason the software industry can't employ 
technological approaches to combating piracy without remotely accessing 
software resident on the user's computer and unilaterally shutting it 
down. For example, the agreement between the software vendor and the 
user could clearly provide for a limited period of use and a ``time 
bomb'' built into the software that disables its operation at the 
expiration of the named period of time. The parties then could agree 
that the period of limited use could be renewed by the user obtaining a 
``key'' from the vendor or sending a ``validation'' to continue the 
use.
    It is not necessary to reach into a user's computer, to poll the 
machine, extract data, and phone home. It is not necessary to build in 
a ``backdoor'' which will make the computer vulnerable to exploitation 
by spies, hackers, saboteurs, or terrorists. And, there is no 
legitimate reason why a software vendor, network provider, or other 
outside entity should be allowed to unilaterally decide to remotely 
shut down the user's computer or Internet or other network connection 
or service. At a minimum, a software vendor who thinks it has not been 
paid, should be required to give notice, an opportunity to cure, and 
obtain a court order before employing remote disablement.
    The Business Software Alliance appears to want to use Section 6 of 
your bill to gain the approval of policymakers for their use of 
electronic self-help. The fact of the matter is that this is an anti-
spyware bill, not a bill designed to address tools for dealing with 
piracy.
    During the hearing on June 11, you specifically asked for 
suggestions about how to define spyware. AFFECT offered the following 
definition: Spyware is computer software that is surreptitiously 
installed on a computer that allows an outsider to intercept or take 
partial control over the user's interaction with the computer, without 
the user's informed consent. We believe this definition is broad enough 
to cover technologies that are deployed without appropriate user 
consent or are implemented in ways that impair user control over 
material changes that affect their experience, privacy, or system 
security; their use of their system resources, including what software 
is installed on their computers; and the collection, use, and 
distribution of their personal or other sensitive information. We also 
believe it should cover all of the prohibited behaviors currently 
listed in the bill.
    AFFECT also sees the merit in the suggestions of spyware expert Ben 
Edelman, who advocated for a simplification of the approach of S. 1625 
that would focus on increasing the penalties such as a treble fine in 
FTC actions. That approach was also expressed by the FTC in its 
testimony.
    Finally, I want to express AFFECT's support for the three key 
principles expressed by Ms. Eileen Harrington, Deputy Director of the 
Bureau of Consumer Protection of the FTC, in her written and oral 
statements: (1) a consumer's computer belongs to him or her, not to the 
software distributor, and it must be the consumer's choice whether or 
not to install software; (2) burying in an End User License Agreement 
(EULA) material disclosures necessary to correct an otherwise 
misleading impression should not be sufficient to allow a spyware 
purveyor to escape liability; and (3) a consumer should be able to 
uninstall or disable any program he or she does not want on a computer.
    AFFECT has long favored a competitive and fair marketplace. A 
cornerstone of AFFECT's efforts was the creation of ``12 Principles for 
Fair Commerce in Software and Other Digital Products'' (http://
www.ucita.com/pdf/AFFECTbrochure2-05.pdf). Two of those key principles 
are that: (1) customers are entitled to control their own computer 
systems; and (2) customers are entitled to control their own data. We 
believe these two principles are consistent with the three expressed by 
Ms. Harrington and should guide the Committee and the Congress in 
shaping its approach to dealing with the insidious problem of spyware.
    Thank you very much for the opportunity to submit these additional 
comments for the hearing record. AFFECT remains willing and interested 
in working with the Committee on S. 1625 and will be glad to be of 
whatever help we can.
            Sincerely,
                                          Arthur A. Butler,
                                          Attorney, Ater Wynne LLP.
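    The letter above argues that a vendor can enforce a limited period of use 
with a ``time bomb'' and a renewal ``key'' without ever reaching into the 
user's machine. The following Python sketch is an added illustration of that 
mechanism; it is not part of the hearing record and not the code of any 
company named in it. The customer id, timestamps and the vendor secret are 
constructed for the demonstration. The key is a tagged expiry that the 
client checks against its own clock: no polling, no extracted data, no 
network connection, and no path by which anyone outside the machine can 
disable it.

```python
# Added example: an offline, time-limited licence of the kind the AFFECT letter
# describes (a "time bomb" that expires and is renewed with a vendor-issued key).
# Nothing here phones home; the only input the check needs is the local clock.
import base64
import hashlib
import hmac
import json

# Constructed demo secret. In a shipped product the vendor would sign keys with
# a private key and the client would embed only the public verification key
# (Ed25519 or similar); an HMAC secret embedded in the client could be extracted
# and used to mint keys. HMAC is used here only to keep the example stdlib-only.
DEMO_VENDOR_SECRET = b"constructed-demo-vendor-secret"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_key(vendor_secret: bytes, customer_id: str, expires_at: int) -> str:
    """Vendor side: bind a customer id and an expiry (Unix time) into a tagged key."""
    payload = json.dumps({"cid": customer_id, "exp": int(expires_at)},
                         sort_keys=True).encode("utf-8")
    tag = hmac.new(vendor_secret, payload, hashlib.sha256).digest()
    # '.' never occurs in the URL-safe base64 alphabet, so it is a safe separator.
    return _b64e(payload) + "." + _b64e(tag)


def verify_key(vendor_secret: bytes, key: str, customer_id: str, now: int):
    """Client side: check tag, customer binding and expiry against the local clock.

    Returns (ok, reason). The tag is checked before anything in the payload is
    trusted, and compare_digest keeps the comparison constant-time.
    """
    try:
        payload_b64, tag_b64 = key.split(".")
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except ValueError:  # wrong number of parts or bad base64 (binascii.Error)
        return False, "malformed key"
    expected = hmac.new(vendor_secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "key was not issued by the vendor"
    try:
        claims = json.loads(payload)
        exp = int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed claims"
    if claims.get("cid") != customer_id:
        return False, "key issued to a different customer"
    if now >= exp:
        return False, "licence period expired; obtain a renewal key"
    return True, f"valid until {exp}"


class LicensedApplication:
    """The user's copy of the software. It runs only while a valid key is held and
    accepts a renewal key from the user; it never contacts the vendor itself."""

    def __init__(self, customer_id: str, verify_secret: bytes):
        self.customer_id = customer_id
        self.verify_secret = verify_secret
        self.key = None

    def install_key(self, key: str, now: int):
        ok, reason = verify_key(self.verify_secret, key, self.customer_id, now)
        if ok:
            self.key = key
        return ok, reason

    def run(self, now: int):
        """Return (ok, reason); the 'time bomb' is simply this check failing after exp."""
        if self.key is None:
            return False, "no licence key installed"
        return verify_key(self.verify_secret, self.key, self.customer_id, now)


if __name__ == "__main__":
    app = LicensedApplication("customer-42", DEMO_VENDOR_SECRET)
    first = issue_key(DEMO_VENDOR_SECRET, "customer-42", expires_at=1_000)
    print(app.install_key(first, now=0))
    print(app.run(now=500))      # inside the agreed period
    print(app.run(now=1_000))    # expired: the program declines to run on its own
    renewal = issue_key(DEMO_VENDOR_SECRET, "customer-42", expires_at=2_000)
    print(app.install_key(renewal, now=1_000))
    print(app.run(now=1_500))
```

    The design point is where the decision is made: the expiry is carried 
inside the key the user already holds, so the program decides for itself and 
the vendor has nothing to disable remotely. The one honest weakness of this 
stdlib-only sketch is the shared secret; a production client would verify a 
public-key signature instead, so that extracting the client binary yields no 
ability to forge keys.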
                                 ______
                                 

 Americans for Fair Electronic Commerce Transactions (AFFECT) Concerns 
                     with S. 1625, Section 6(a)(10)

    Americans for Fair Electronic Commerce Transactions (AFFECT) is a 
national coalition of consumers, retail and manufacturing businesses, 
insurance institutions, financial institutions, technology 
professionals and librarians committed to promoting the growth of fair 
and competitive commerce in software and other digital products.
    S. 1625 (Pryor), introduced in June 2007, would protect against the 
unauthorized installation of software that is used to take control of a 
computer in order to cause damage, collect personal information without 
consent, or otherwise enable identity theft.
    AFFECT strongly supports S. 1625's purpose to curb the use of 
harmful spyware. However, it has great concerns with S. 1625 (6), the 
exception section, which is overly broad and could be construed to 
protect wrongful acts that can result in great harm to computer users--
which is in direct opposition to the purpose of S. 1625.
    AFFECT strongly recommends that the exception provision of S. 1625 
should only limit liability for interaction with a network, service, or 
computer that is undertaken to detect or prevent fraudulent or other 
illegal activities as prohibited by the act itself. Therefore, AFFECT 
proposes that Section 6(a)(10) of the bill be amended as follows:

        (10) detection or prevention of fraudulent or other illegal 
        activities as prohibited by this Act.

    Subsection 6(a)(10), as it is currently written, would permit a 
provider to monitor or interact with an individual's computer or 
Internet or other network connection or service for the ``detection or 
prevention of the unauthorized use of software for fraudulent or other 
illegal activities.'' This would allow the provider to unilaterally 
decide to remotely shut down the user's computer or Internet or other 
network connection or service. But whether the use of a particular 
software is ``unauthorized,'' ``fraudulent,'' or ``illegal'' is often 
subject to legitimate dispute and merits some judicial consideration 
before a provider is allowed to unilaterally employ a drastic remedy 
like remote disablement.
    Permitting unilateral remote disablement is bad public policy. It 
allows the provider to set itself up as an ad hoc police force to 
conduct warrantless searches and to act as judge and jury to conduct 
unilateral seizures in the name of protecting against piracy, fraud, or 
other illegal activities. Private entities do not and should not have 
the right to conduct law enforcement activities.
    Also, remote disablement can cause great harm to the owner who 
depends on access to and use of that computer, connection or service.

    • For example, the shutdown of an owner's system can cause 
        great harm to:

        - a teacher using a computer to prepare for classroom 
            lectures;

        - an insurer depending on a computer system to pay 
            claims;

        - a manufacturer trying to deliver its products to meet 
            contractual commitments; or

        - the public's access to online library materials.

    • In reaching into an individual's computer remotely to 
        disable software residing on his computer, the provider may not 
        only violate privacy rights, but also damage his other files.

    • The monitoring and remote disablement of software on an 
        owner's computer by a provider may compromise private 
        information of employees, confidential and proprietary 
        information of the owner, and, in some cases, national security 
        information.

    • The code used to remotely enter a computer and disable the 
        software or the network connection (often called ``black 
        holes'') makes the computer vulnerable to security breaches by 
        hackers and terrorists. When there is an opportunity to 
        negotiate, many enterprises, including governmental entities, 
        will insist that their software license agreements contain a 
        warranty prohibiting any ``self-help code'' or other software 
        routine designed to disable a computer program automatically or 
        that is under the positive control of a person other than the 
        licensee of the software. Unfortunately, with mass market 
        licenses individual consumers and businesses are not able to 
        negotiate for a ``no self-help code.''

    It is important to recognize that these harms that can result from 
permitting remote disablement can be significantly larger than the harm 
to a software vendor in not getting a license fee.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. David Vitter to 
                         Eileen Harrington \1\
---------------------------------------------------------------------------
    \1\ As with my responses to the Committee's questions at the 
hearing, these answers present my personal views and do not necessarily 
represent the views of the Federal Trade Commission or of any 
Commissioner.
---------------------------------------------------------------------------
    Question 1. Who do you think would define ``objectionable'' in S. 
1625 section 6(a)(8), and what does that term mean?
    Answer. The term ``objectionable content'' is left undefined by the 
Counter Spy Act, S. 1625. Absent a clear definition in the bill, 
``objectionable content'' will need to be interpreted by the courts. As 
drafted, however, ``objectionable content'' is sufficiently broad that 
it might include content or software (such as advertising software, 
toolbars, etc.) about whose value reasonable people may disagree. 
Accordingly, a covered party could have considerable discretion under 
the bill to identify and remove software as ``objectionable'' without 
giving specific notice to, and perhaps against the intentions of, the 
consumer.

    Question 2. Under section 6(a)(9) of S. 1625, would a consumer's 
purchase and use of a computer with pre-loaded operating system and 
anti-spyware software be sufficient ``authorization'' to allow some 
software to remove or disable other software on the computer without 
notifying the computer user or obtaining her consent?
    Answer. The Commission and the courts would need to approach 
scenarios like the one posed by Question 2 on a case-by-case basis, 
weighing the nature of the software and its potential for harm against 
the nature and timing of notice and consent--if any--provided. In the 
case of pre-installed anti-spyware software, we would need to know how 
much notice the consumer is given regarding the existence and function 
of the software, and whether the consumer is given notice before the 
anti-spyware software removes or disables other software on the 
computer. If any pre-installed software caused the type of harms 
outlined in sections 3, 4, or 5 of S. 1625, it is doubtful that the 
Commission would deem the mere acts of buying and turning on a computer 
to be sufficient ``authorization.''
    Linking exemptions and immunity in section 6(a) to particular 
functions that are purportedly ``authorized'' poses the risk of 
creating a safe harbor based on unknowing authorization. For example, a 
software provider, an information services provider, or an ISP might 
argue that a provision buried deep in an End User License Agreement or 
privacy policy provides sufficient authorization for much of the 
conduct prohibited by the bill.

    Question 3. Should we be careful when providing (broad) exemptions 
or immunity for software removal, given the FTC actions against 
companies that might represent their software as legitimate ``anti-
spyware'' in order to scam consumers?
    Answer. Yes. I share Senator Vitter's concern that there is a need 
for caution in providing broad exemptions and immunity for software 
removal when addressing the problems of spyware. If not carefully 
drafted, these broad exemptions can create safe harbor loopholes that 
can be exploited by clever spyware and malware purveyors. Under the 
bill as drafted, virtually any ``software provider'' or ``provider of 
information services'' who can muster some plausible pretense of the 
list of the enumerated services will raise the exemption as a defense 
to enforcement.
    Take the example of a purveyor of what has been termed ``rogue 
anti-spyware'' software. Rogue anti-spyware software is usually sold 
via deceptive tactics. A broad ``anti-spyware'' exemption may shield 
the rogue anti-spyware sellers from liability for their deceptive 
tactics. Moreover, it could potentially permit the seller to download 
other harmful software, such as a keylogger, if that seller can 
convince a court that the other harmful software in any way could be 
used to provide functions enumerated by sections 6(a)(1) through (10).
    If the main purpose of including section 6(a) is to limit liability 
among and between civil litigants regarding questions about what is 
``authorized,'' or what is ``objectionable'' (e.g., where an anti-
spyware company is sued by a software provider whose product is deemed 
objectionable), it is misplaced because S. 1625 does not provide a 
private right of action. Accordingly, such broad exemptions from law 
enforcement in this legislation are unnecessary. At bottom, the broad 
scope of section 6(a)'s limitations on liability--both in terms of the 
number of exempted parties as well as the breadth of the exempted 
conduct--may make the FTC's job more challenging and potentially do 
more harm than good in terms of effective spyware law enforcement.