Spyware
May 11, 2005
10:00 AM SR 253
Senate Commerce Committee Co-Chairmen Ted Stevens (R-Alaska) and Daniel Inouye (D-Hawaii) have scheduled a Full Committee hearing on Spyware for Wednesday, May 11, 2005 at 10a.m. in room 253 of the Russell building.
Witnesses are listed below.
Testimony
The Honorable Ron Wyden, United States Senator, Oregon
Mr. Chairman and Members of the Committee, I welcome the opportunity to share with you my thoughts on the twin cyber-plagues of spyware and its brother, unwanted adware. Millions of consumers and businesses across the country and the world have been in a virtual tug-of-war with spyware over who controls their computers, laptops and web-enabled devices. At the present time and in the absence of a strong legislative solution, consumers and businesses lose ground daily to this software scourge. This committee has been in the forefront of efforts to write the rules of the new economy, and I regret not being able to roll up my sleeves with you on the Commerce Committee to tackle this cyber menace, but I commit to working with you in a bipartisan way to help however I may. I commend you for taking up this issue again, and urge swift action to eliminate these cyber-plagues and restore to consumers and businesses the control they want over their Internet activities.

How big is the problem?

Last fall, America Online and the National Cybersecurity Alliance found that 80 percent of those surveyed reported spyware or adware on their computers. Much of the spyware and unwanted adware travels as imposters via legitimate Internet advertising. Companies enter into advertising arrangements with legitimate Internet ad buyers who, in turn, go to advertising networks that can use thousands or as many as 70,000 affiliates, some of which are not so legitimate. It is among this array of affiliates, who are paid by the click and therefore have an incentive to rack up the largest number of clicks, where much of the rogue software originates.

As described by the Los Angeles Times this Monday, “If an affiliate slips a deceptive piece of software into someone’s personal computer and persuades the owner to buy something, the transaction could be passed through three or four businesses – each taking a cut – before the affiliate network hands off the customer to the merchant.” It should be no surprise then that the twin cyber-plague reached epidemic proportions last year because in 2004, the Interactive Advertising Bureau found spending on Internet ads rose more than 30 percent to almost $9.6 billion.

How does it work?

These two cyber rogues wreak havoc through practices that surreptitiously place spyware and other unwanted software on consumers’ computers. These are called “drive-by downloads.” By doing such seemingly innocent things as downloading software, like a screensaver or file-trading program, the user unknowingly imports into the computer software that can follow the user from web page to web page, gathering data on the user’s habits or showing hundreds of pop-up ads. The key point is that the consumer does not want the software, does not know the software is there, and does not know what the software is doing.

What can be done to stop it?

A few states have moved or are moving to try to curb the practice, but I believe the inherently interstate nature of the Internet calls for a national solution. There are a few key guideposts that should direct any federal legislative effort.
- First, each computer user should know and have control over what software resides on his or her computer. That means drive-by downloads should be banned.
- Second, jumping on a computer should not expose the user to a Coney Island-full of hucksters, where they are tricked into installing software they don’t want or when they can’t identify the source of the ads. Consumers should be informed about who is providing the software and what it will do. Consumers should know if software will track their browsing behavior in order to serve pop-up ads.
- Third, no software should allow any ad or information collected at one website to travel with the user to another website. When a user leaves a website that should be the end of the road for ads affiliated with that website.
- Fourth, consumers need to be able to remove or disable any software they don’t want so that when software is installed on a computer, it is not an irreversible act.
- Fifth, the full weight of law enforcement should be thrown against spyware and unwanted adware, meaning that the Federal Trade Commission as well as state attorneys general should be able to bring action.
- Finally, companies that act in good faith to help consumers get rid of the twin cyber-plagues should be given protection from liability. They should not be scared out of business by the threat of lawsuits from those whose software gets removed.
Witness Panel 2
Mr. Ari Schwartz, Associate Director, Center for Democracy and Technology
Testimony of
Ari Schwartz, Associate Director
Center for Democracy and Technology
before
The Senate Committee on Commerce, Science, and Transportation
on
“Spyware”
May 11, 2005
Chairman Stevens and Ranking Member Inouye, thank you for holding this hearing on spyware, an issue of serious concern for consumers and businesses alike. CDT is honored to have the opportunity to speak with you today about spyware and the businesses behind it.

CDT is a non-profit, public interest organization devoted to promoting privacy, civil liberties, and democratic values online. CDT has been widely recognized as a leader in the policy debate surrounding so-called “spyware” applications. We have been engaged in the legislative, regulatory, and self-regulatory efforts to deal with the spyware problem, and have been active in public education efforts through the press and our own grassroots network. As an organization dedicated both to protecting consumer privacy and to preserving openness and innovation online, CDT has sought to promote responses to the spyware epidemic that provide meaningful protection for users while avoiding overly burdensome regulation of online commerce, software development, and business models.

Last year we testified before the Subcommittee on Communications on the issue of spyware, attempting to define the problem and suggest the range of responses required to address it. Since that time, we have worked closely with members of industry, other consumer advocates, legislators, and others in government to more fully understand and begin to address this complex and important issue. We look forward to continuing this effort with members of the Committee and others in Congress and elsewhere.

Summary

“I figured out a way to install an exe without any user interaction. This is the time to make the $$$ while we can.”

These two sentences, the body of an email uncovered by the FTC in its recent case against a network of spyware purveyors, provide a rare window into the heart of the spyware problem. The alarming spread of deceptive download practices and stealthy, nefarious applications is a major threat to Internet users and to the long-term health of the open and decentralized Internet. It is a threat that exists because of the massive quantities of money to be made propagating these applications. Sanford Wallace, the spyware purveyor who wrote the lines above, brought in at least $1.5 million from browser hijacking and deceptive software downloads in 2003 and 2004. As a whole, spyware and its close cousin adware are a many million dollar industry.

Deceptive and often clearly illegal software download practices are a regular part of the business of many American companies operating in online commerce. These practices are funded and incentivized through poorly policed download commission programs, programs that, in turn, are funded by large, mainstream advertisers. The entire process is sustained through a nearly impenetrable web of affiliate relationships that is used to deflect accountability and frustrate law enforcement. Many of the companies involved, particularly the advertisers, have no idea what is going on.

CDT sees four major areas where action is necessary to combat spyware and stem the disturbing trend toward a loss of control and transparency for Internet users: 1) enforcement of existing law; 2) better consumer education and industry self-regulation; 3) improved anti-spyware technologies; and 4) baseline Internet privacy legislation. Carefully targeted, spyware specific legislation may also have a role to play. However, we hope that such legislation is not seen as an alternative for baseline standards for online privacy, now that many companies have expressed their support for such a goal. Privacy legislation would provide businesses with guidance about their responsibilities as they deploy new technologies and business models that involve the collection of information. It would put in place a framework for addressing issues like spyware before they reach epidemic proportions, rather than legislating reactively. Finally, privacy assurances in law would give consumers some measure of confidence that their privacy is protected as companies roll out new ventures. If we do not begin to think about privacy issues more comprehensively, the same players will be back in front of this Committee in a matter of months to address the next threat to online privacy and user control. We hope that we can address these issues up front, rather than waiting for each new privacy threat to present itself.

1. What is Spyware?

No precise definition of spyware exists. The term has been applied to software ranging from “keystroke loggers” that capture every key typed on a particular computer; to advertising applications that track users’ web browsing; to programs that hijack users’ system settings. Much attention has been focused on the surveillance dimension of the spyware issue, though the problem is in fact much broader than that. What the growing array of invasive programs known as “spyware” have in common is a lack of transparency and an absence of respect for users’ ability to control their own computers and Internet connections. In this regard, these programs may be better thought of as trespassware. Among the host of objectionable behaviors for which such nefarious applications can be responsible, are:
• “browser hijacking” and other covert manipulation of users’ settings;
• surreptitious installation, including through security holes;
• actively avoiding uninstallation, automatic reinstallation, and otherwise frustrating users’ attempts to remove the programs;
• substantially decreasing system performance and speed, in some cases sufficient to render systems unusable; and
• opening security backdoors on users’ computers that could be used to compromise their computers or the wider network.

Each of these behaviors was specifically documented by CDT or reported to us by individual users frustrated by their inability to use their own systems. Although no single behavior of this kind defines “spyware,” together these practices characterize the transparency and control problems common to applications that warrant the “spyware” moniker.

2. The Spyware Business: Theory and Practice

While it is exceptionally difficult to obtain precise data on the prevalence of the spyware problem, the best study done to date, conducted by AOL and the National CyberSecurity Alliance, found that 80% of broadband and dial-up users had adware or spyware programs running on their computers. Based on consumer complaints we have received and our own research, CDT believes that the prevalence of egregious spyware and clearly unlawful violations has increased dramatically. Of particular concern is the use of security holes in web browsers to silently force software onto users’ computers. Many Internet users may simply be turning off the Internet in response to these threats.

At the heart of this problem is the affiliate-marketing business model by which many advertising applications (“adware”) are spread. We want to take the opportunity in our testimony today to highlight and explain this issue, which has not been given sufficient attention to date. Adware companies have a superficially simple business model: they provide a means of support for free software programs similar to the way that commercials support free television. Advertisers pay adware companies a fee to have their advertisements included in the adware program’s rotation. The adware company then passes on a portion of that fee to distributors in exchange for bundling the adware program with other free software—such as gaming programs, screen savers, or peer-to-peer applications.
Finally, the consumer downloads the bundle, agreeing to receive the advertising served by the adware program in exchange for the free software. In fact, this simple description of how distribution of adware and other bundled software takes place is often a radical oversimplification. Many adware companies and other software bundlers operate through much more complex networks of affiliate arrangements, which dilute accountability, frustrate law enforcement efforts, and make it nearly impossible for consumers to understand what is going on. The diagram below presents some of the actors and relationships in the online advertising world as it operates in reality. These include:
• product and service vendors, who have contracts with adware vendors and advertising brokers to distribute ads for their offerings;
• adware companies, who have multi-tier affiliate arrangements with other adware companies, software producers, website owners, and advertising brokers;
• software makers and website owners, who enter into bundling and distribution agreements with adware companies and advertising brokers, as well as with other software makers and website owners; and
• advertising brokers, who serve as middlemen in the full array of affiliate arrangements.
The consequence of ubiquitous affiliate arrangements is that when an advertisement ends up on a user’s computer, it will be many steps removed from the advertiser who paid for it. Similarly, the installation of the adware that is causing the ad may have been performed by a company that is far down the chain from the company that actually programmed the software. The existence of this complex network of intermediaries exacerbates the spyware problem in several ways. For example:
• Industry Responsibility – Adware companies, advertising brokers, and others all often disclaim responsibility for deceptive spyware practices, while encouraging these behaviors through their affiliate schemes and doing little to police the networks of affiliates acting on their behalf. Advertisers, too, should be pushed to take greater responsibility for the companies they advertise with.
• Enforcement – Complex webs of affiliate relationships obstruct law enforcement efforts to find the parties responsible for spyware outbreaks. The complexity of these cases puts an extreme strain on enforcement agencies, which struggle to tackle the problem with limited resources.
• Consumer Notice – Adware companies and their affiliates have been reluctant to clearly disclose their relationships in a way that is transparent to consumers. CDT has suggested specific ways that adware companies could improve branding of their ads to help consumers understand bundling arrangements. For the most part, companies have resisted these changes. Efforts to bring transparency to the full chain of affiliate and distribution arrangements have met with even greater opposition.

For these reasons, the affiliate issue has become a central aspect of the spyware epidemic. Finding ways to effectively reform affiliate relationships will remove a linchpin of spyware purveyors’ operations.

3. A Real World Example of the Spyware Business

In October of last year, the FTC began the first public enforcement action against purveyors of spyware, a case against Sanford Wallace and his New Hampshire company Seismic Entertainment. The FTC’s lawsuit was based on a complaint filed earlier by CDT. In that complaint, we specifically asked the Commission to investigate the affiliate relationships between the parties involved. We highlighted the problem of affiliate relationship being “exploited by companies to deflect responsibility and avoid accountability.” The FTC pursued financial records and emails in the case, and its investigation has now given us a clear picture of how the adware business model can go very wrong.

The facts in the Seismic case, from the consumer’s perspective, were as follows: An Internet user browsing the web would go to any of a variety of online sports, gaming, or other sites that carried banner advertising. The user would see an innocuous seeming banner advertisement, often a public service ad. Unbeknownst to him, however, the banner contained code that would launch pop-ups and change his homepage. The pop-ups and homepage hijacking were triggered when the banner was loaded, whether or not the user clicked on it.
The next time the user opened his browser, he would be directed to a full page advertisement for anti-spyware software. This offer to remove unwanted programs and pop-ups (for $30) would appear even as adware programs were being silently installed on the user’s computer. These programs would cause a barrage of pop-ups whenever the user surfed the web, they would add a toolbar and new “favorites” to his browser, and they would deposit icons on his desktop. CDT traced the nefarious banner ads that triggered this whole chain of events back to Seismic Entertainment. Based on CDT’s research and the FTC’s discovery, we now have a partial picture of what was happening behind the scenes in the case. Our current understanding of the network of affiliate arrangements is illustrated above—a map that would be confusing even to many of the companies in it.

A. Placing the Spyware-Spreading Ads

Once Seismic developed code to change users’ homepages and stealthily install programs, the company had to find a way to place this code in websites viewed by large numbers of Internet users. To do this, Seismic incorporated the code into innocuous seeming banner ads, often public interest ads as described above. Seismic would then pay large advertising brokers to incorporate the ads into their rotations. In the cases we know of, this was accomplished through a bait and switch: the ad brokers would be shown one set of normal, uninfected ads. Then at the last minute (and often over the weekend in order to make detection more difficult) the benign ad would be switched with one that looked superficially identical, but contained the infectious spyware code. In this way, the infected ads would appear on sites that had agreements with the ad network, whether sports sites, gaming sites, or other popular online destinations that used ad revenue to support their services. Often Seismic would use a “front man” to further obfuscate the situation.
We know that soon after Seismic figured out how to silently install applications, the company contacted a prospective partner, OptInTrade:

From:
To: jared@optintrade.com
Date: Sat, Mar-6-2004 4:51 PM
Subject: I DID IT

I figured out a way to install an exe without any user interaction. This is the time to make the $$$ while we can.

Seismic and OptInTrade agreed that OptInTrade would deal with the advertising networks. When the networks discovered that the benign advertisements they had approved had been replaced by malicious versions, OptInTrade would feign ignorance and lay the blame on its upstream affiliate. In exchange for playing this role, OptInTrade would receive a portion of Seismic’s revenues from the scheme. One exchange between Seismic and OptInTrade, laying out this strategy, was uncovered by the FTC:

From:
To: jared@optintrade.com
Date: Fri, Nov-28-2003 12:37 PM
Subject: strategy

I do my sneaky shit with adv.com today through Sunday -- everyone’s off anyway…. You then send an email to your contact early Monday AM saying the advertiser was unethical and pulled a switch and you are no longer doing business with them... Then we stop buying adv.com through you in any way.

We know from other emails that this strategy was in fact carried out. One ad network, a company called CyDoor, complained to OptInTrade about the spyware infected ads that it had placed:

From: Bob Regular [mailto:bob@cydoor.com]
Sent: Sunday, December 21, 2003 12:45 PM
To: ‘Jared Lansky’
Subject: Please Terminate OptinTrade Online Pharmacy - Violated Agreementt

[…] traffic just informed me your launching pops from your banners that force change in you homepage and stall your computer […] I simply do not understand how this could happen again.
In response, OptInTrade told CyDoor that the ads were “from a new advertiser” and that they had “no idea how this is happening”:

From: Jared Lansky [mailto:jared@optintrade.com]
Sent: Sunday, December 21, 2003 9:25 PM
To: Bob Regular
Subject: RE: Please Terminate OptinTrade Online Pharmacy - Violated Agreementt

Hi Bob - The pharmacy campaign was a new advertiser with a new code set. When tested it didn’t launch pops or change my homepage so I approved it to run with you. I have no idea how this is happening […]

In fact, OptInTrade knew exactly what was going on.

B. Sources of Funding: Adware Companies and Advertisers

Seismic’s infected banners made the company a surprising amount of money. Seismic’s revenues came largely from per-install commissions paid by the adware companies. These companies pay a set amount every time one of their affiliates installs their program. Seismic would install the adware applications through its stealth process, and then collect the commissions— hundreds of thousands of dollars worth, based on documents uncovered by the FTC. We know from records uncovered by the FTC and from CDT’s own research that the long list of companies involved in the distribution chain for the adware applications installed by Seismic included LoudMarketing, Integrated Search Technologies, ClearSearch, Mindset Interactive, and 180 Solutions. We do not yet know the exact nature of these companies’ involvement or their level of knowledge about the scheme. We do know, however, that in at least one case, the support for the adware came originally from major online companies. 180 Solutions is paid by large travel sites, online merchants, and others to serve advertisements for their services. In this case, a portion of those revenues were passed onto a 180 Solutions distributor, Mindset Interactive. That company, either directly or through other affiliates, paid Seismic for installations—installations that Seismic would get through its devious infected banner ads.
In this way, large legitimate companies came to fund clearly illegal spyware distribution practices. Because of the lengthy and complex chain of affiliates involved, they almost certainly did so unintentionally and unknowingly.

4. Combating Spyware

Combating spyware—and the affiliate problems behind it—requires a combination of aggressive law enforcement, private efforts, and legislation. Significant progress has already been made since the spyware issue first began to receive national attention over a year ago, but much ground still remains.

A. Law enforcement

Much spyware is currently covered by Section 5 of the FTC Act, banning unfair and deceptive trade practices, as well as by the Computer Fraud and Abuse Act or the Electronic Communications Privacy Act. Spyware purveyors are also likely violating a variety of state statutes. The FTC’s case against Seismic et al., described in detail above, represents an admirable first step in the enforcement effort. We applaud the Commission for its work on the case, which has led to an injunction against further exploitative practices by Seismic, and the extensive discovery regarding Seismic’s affiliates that we have described. We hope and expect that the Commission will continue to pursue the web of affiliates in this case and to add defendants as appropriate. In addition, the Attorney General of New York recently brought a case against an L.A.-based company, Intermix Media, alleging that the company had installed a wide range of advertising software on home computers without giving consumers proper notice. CDT applauds the Attorney General’s action, as state enforcement is badly needed in this area to supplement federal cases. Indeed, both the FTC and other national and state level law enforcement agencies must actively pursue further cases.
Both the number and frequency of cases must be dramatically increased if law enforcement is to provide a significant deterrent to purveyors of spyware and to serve as a wake-up call to the many upstream companies that are currently partnering with and funding these bad actors.

B. Self Regulation and Consumer Education

Consumer education and sound best practices for downloadable software are sorely needed. Consumer protection bodies have a crucial role to play in educating consumers. In addition, CDT has been contacting advertisers that are the root source of funding for spyware. We are encouraging advertisers to take a hard look at their policies and affiliate agreements. Companies should be actively creating and endorsing quality control policies for advertising delivery, and they should refuse to partner with adware companies until those companies clean up their acts, ensuring that all the users who get their ads have consented to receive them.

C. Anti-Spyware Technologies

Spyware blocking and removal tools, and other innovative forms of anti-spyware technology, are a crucial component of consumers’ spyware protection. In order to help advance anti-spyware technology, CDT convened a meeting in March with industry leaders and others to discuss issues facing the anti-spyware industry, including those that impact the industry's ability to ensure user control and empowerment. The participants shared their commitment to ensuring that users maintain control over what is on their computers. The participants also agreed to work together to better educate consumers about available tools and to develop shared terminology and approaches. Participants included: Aluria; AOL; Computer Associates; EarthLink; HP; Lavasoft; McAfee Inc.; Microsoft; Safer-Networking Ltd.; Symantec; Trend Micro; Webroot Software; Yahoo! Inc.; Samuelson Law, Technology & Public Policy Clinic at Boalt Hall School of Law, UC Berkeley; Business Software Alliance; and the Cyber Security Industry Alliance. The group plans to meet again and will invite other consumer groups to join the effort as the members create public working drafts that address the group’s chief goal of helping users and organizations take back control of their computers.

D. Legislation

CDT has been supportive of legislative efforts against spyware, yet we also want to make clear that there is only so much that new legislation can do. We endorse the idea of calling specific attention to the worst types of deceptive software practices online as most of the spyware bills do. Enforcement will be crucial to any legislative effort. Therefore, we are strongly supportive of including powers for state Attorneys General. In addition, any legislation must take care to ensure that the use of complex affiliate relationships, as outlined above, will not enable responsible parties to avoid liability. Senator Conrad Burns (R-MT), Senator Barbara Boxer (D-CA) and Senator Ron Wyden (D-OR) should be commended for their leadership to accomplish these goals through the new version of the SPYBLOCK Act (S.687). It marks a substantial step forward in addressing many of the concerns of consumer groups and companies.

CDT also remains firmly committed to the idea that a long-term solution to spyware and other similar issues requires baseline online privacy legislation. Many of the issues raised by spyware may be easier to deal with in this context. This approach will also help us head off similar epidemics in the future, rather than reacting to them legislatively only after the fact. Indeed, CDT hopes that the current effort on spyware can provide a jumping off point for efforts to craft baseline standards for online privacy now that many companies have expressed their support for such a goal.
Otherwise, we will simply be back in this same place when we confront the next privacy-invasive technology.

5. Conclusion

Users should have control over what programs are installed on their computers and over how their Internet connections are used. They should be able to rely on a predictable web-browsing experience and the ability to determine what programs are on their computer and to keep out those they do not want. The widespread proliferation of invasive software applications takes away this control. Addressing the spyware problem at its root requires understanding and responding to the problem of affiliate marketing. Industry self-policing and aggressive law enforcement by federal and state authorities can help combat this phenomenon. Continued consumer education, and improved anti-spyware tools are also key to giving consumers control back over their online experiences. New laws, if carefully crafted, may also have a role to play. The potential of the Internet will be substantially harmed if the current spyware epidemic continues. We look forward to continued work with this Committee to find creative ways to address this problem through law, technology, public education and industry initiatives.

________________________________________________________

Footnotes
1. See, e.g., CDT's “Campaign Against Spyware,” http://www.cdt.org/action/spyware/action (calling on users to report their problems with spyware to CDT; since November 2003, CDT has received hundreds of responses). Center for Democracy & Technology, Complaint and Request for Investigation, Injunction, and Other Relief, in the Matter of MailWiper, Inc., and Seismic Entertainment Productions, Inc., Feb. 11, 2004, available at http://www.cdt.org/privacy/20040210cdt.pdf [hereinafter CDT Complaint Against MailWiper and Seismic]. Eye Spyware, CHRISTIAN SCIENCE MONITOR Editorial, Apr. 21, 2004 ("Some computer-focused organizations, like the Center for Democracy and Technology, are working to increase public awareness of spyware and its risks.”). The Spies in Your Computer, N.Y. TIMES Editorial, Feb. 18, 2004 (arguing that “Congress will miss the point [in spyware legislation] if it regulates specific varieties of spyware, only to watch the programs mutate into forms that evade narrowly tailored law. A better solution, as proposed recently by the Center for Democracy and Technology, is to develop privacy standards that protect computer users from all programs that covertly collect information that rightfully belongs to the user.”). John Borland, Spyware and its discontents, CNET.COM, Feb. 12, 2004 (“In the past few months, Ari Schwartz and the Washington, D.C.-based Center for Democracy and Technology have leapt into the front ranks of the Net's spyware-fighters.”)
2. Federal Trade Comm’n. Mem. in Support of Leave to Name Additional Def.’s. and File First Am. Compl., Att. A, Federal Trade Comm’n v. Seismic Entertainment Productions, Inc., et al, 04-377 (D. N.H.) [hereinafter FTC Mem.]
3. The FTC found that Wallace received nearly $700,000 from OptInTrade and over $900,000 from Mail Wiper, Inc. and Spy Deleter, Inc. (FTC Mem. at 7, 10).
4. One recent article cites estimates between $500 million and $2 billion. We believe these estimates are based on research by Esther Dyson and WebRoot, respectively. See Joseph Menn, Big Firms’ Ad Bucks Also Fund Spyware, L.A. TIMES, May 9, 2005.
5. See Menn, Big Firms’ Ad Bucks Also Fund Spyware.
6. Some argue that the term “spyware” should be used exclusively for software that records and transmits consumer information, whereas the broader category of nefarious applications that we use the term to describe should instead be called “malware.” Regardless, the problem consumers face is the same: a flood of unwanted applications, some of which collect information and some of which exhibit other objectionable behaviors.
7. http://www.staysafeonline.info/news/safety_study_v04.pdf
8. When CDT first became involved in the spyware issue, we launched a “Campaign Against Spyware,” calling on Internet users to send us their experiences with these invasive applications, as mentioned in footnote 1 above. We indicated that we would investigate the complaints received and, where we believed appropriate, file complaints with the FTC. In our appearance before the Communications Subcommittee, we testified regarding the dramatic response to our campaign. In the nine months since our last appearance, CDT has continued to receive complaints through our online submission form. Among what are now hundreds of complaints, a total which continues to grow daily, are regular reports of new spyware programs arising. See http://www.cdt.org/action/spyware
9. See, e.g., Joseph Menn, No More Internet for Them, L.A. TIMES, Jan. 14, 2005, at A1.
10. Examples of steps in this direction include public policies by Dell, Major League Baseball, and Verizon setting standards for what software companies they will advertise with. Similarly, Google has drafted a specific public policy on what other applications it will bundle its utilities with. See http://www.google.com/corporate/software_principles.html.
11. Center for Democracy & Technology, Comments to FTC Workshop on File-Sharing, Nov. 15, 2004.
12. WhenU, one of the large adware companies, recently introduced co-branding for some ads. WhenU is currently the only adware company to co-brand.
13. Federal Trade Comm’n v. Seismic Entertainment Productions, Inc., et al, 04-377 (D. N.H.)
14. CDT Complaint Against MailWiper and Seismic at 2.
15. LoudMarketing, a Canadian company also known as LoudCash, CDT Inc. (no relation to the Center for Democracy and Technology), and a host of other names, was recently purchased by 180 Solutions.
16. The two examples used in our chart, J.P. Morgan Chase and Disney, are taken from Menn, Big Firms’ Ad Bucks Also Fund Spyware. We do not know conclusively (and it would be nearly impossible to determine) whether these two companies were advertising with 180 Solutions during the precise time that 180 Solutions’ products were being covertly installed through Seismic. Rather, they are intended to serve primarily as examples of the many large, mainstream companies that advertise through adware.
17. See http://www.oag.state.ny.us/press/2005/apr/apr28a_05.html
Mr. David Moll
Chief Executive Officer, Webroot Software, Inc.
Witness Panel 2
SPYWARE
Hearing before the Senate Committee on
Commerce, Science and Transportation
May 11, 2005
Testimony Submitted by
C. David Moll
Chief Executive Officer
Webroot Software, Inc.
Chairman Stevens, Senator Inouye, and Committee Members, thank you for inviting me to speak to you today. My name is David Moll and I am CEO of Webroot Software, headquartered in Boulder, Colorado. Webroot is a privately held company that is backed by some of the industry’s leading venture capital firms, including Technology Crossover Ventures, Accel Partners and Mayfield. Founded in 1997, Webroot has created innovative privacy, protection and performance solutions used by millions of computer users around the world. Our customers include Fortune 500 companies, Internet service providers, government agencies, higher education institutions, small businesses and individuals.

In 2002, our research team, which consisted of just two people, saw a growing pattern of undisclosed downloads that caused numerous problems for computer users. We joined a small band of early activists that began calling these kinds of programs spyware. We introduced a product called Spy Sweeper in February of 2003 to help our customers fight this newly identified problem. When first introduced, Spy Sweeper found around 200 various programs, and easily removed them all. We have been running at breakneck speed to stay a step ahead of spyware ever since.

Today, we are a company of 250 professionals focused on combating this problem. Our research team has grown to over 30 people, a good number of whom develop and maintain the automated tools we use to outpace the developments in spyware. Spy Sweeper has also changed to adopt new weaponry to combat spyware that is increasingly hard to identify, and at times even harder to remove. This week we will introduce Spy Sweeper 4.0, our latest edition, with more than one-half million lines of software code. This is our 14th major release of the product in a little more than two years.
THE EFFECTS OF SPYWARE

Spyware and its ability to access a user’s machine without informed consent for financial gain is an epidemic that threatens the viability of the Internet as a commerce, entertainment, communications and educational tool. Spyware programs can be used to facilitate the unauthorized use of computers for things like spam relay and distributed denial of service attacks. Spyware programs can also lead to identity theft and the theft of intellectual property, as well as data leaks and the degradation of computer performance. Spyware is difficult to detect, and even more difficult (if not impossible) for the average user to completely remove manually. At a high level, there are four primary ways that spyware presents a threat: data security; online privacy; network and computer performance; and Internet commerce broadly.

Data Security – Whereas a primary risk of computer viruses is data corruption, spyware poses very real threats to data security. Some of the most at-risk data includes:
• national security including defense and homeland security;
• intellectual property and trade secrets;
• financial records;
• customer data;
• personal health information; and,
• other sensitive data such as passwords and account numbers.
Working with government entities and corporate customers over the past year, we have witnessed breaches involving each of these sensitive kinds of data. There are cases where spyware was used to infiltrate local law enforcement computers, trading and financial systems at financial institutions, payroll systems at Fortune 500 corporations, central databases for school systems, and entire municipal computer operations. In these kinds of environments, even a very small number of system monitors or keyloggers puts highly sensitive information at risk.

Privacy – When placed on a machine without the informed consent of the computer owner, spyware is the cyber-age equivalent of someone trespassing into your home. Some of the types of information collected by spyware programs without the knowledge of the computer owner are:
• browsing habits and sites visited;
• search terms used;
• advertisements clicked on;
• bookmarks and favorites;
• downloaded content;
• applications used;
• email and instant message conversations;
• usernames and passwords; and
• personal information, such as social security numbers.
While few argue about the sanctity of personally identifiable information, we often hear the argument that collecting aggregated browser habits to provide more targeted advertising is not a privacy invasion. We disagree. In our view, it is wrong to download programs or data files without the informed consent of the computer owner for marketing purposes. Such marketing behavior begins the slippery slope of reasoning that leads to more egregious privacy violations by malicious spyware. Think about this in the offline environment. Would it be OK for a marketing firm to go into your home without your knowledge to look at the books on your shelves to decide what to market to you? Would it be OK if they did it to everyone and aggregated the data?

Computer and Network Performance – Spyware can seriously impact computer and network performance. At a minimum, it is an undesirable nuisance to have your computing resources used by programs you didn’t install and do not want. There is also a larger economic impact in terms of the number of support center calls caused by spyware. According to Dell Computer, one of every five customer support calls is related to spyware, adversely affecting the profitability of their consumer business. In corporate environments, where many computers are centrally supported and managed, spyware can drive up the total cost of ownership of the IT system; a leading IT services firm estimates that spyware costs them millions annually in productivity and support costs, and constitutes as much as 70 percent of their internal help desk call volume. In the worst cases, systems can crash from an overload of spyware programs, resulting in the loss of data and computer assets. This part of the spyware threat is too often overlooked or underestimated, yet the productivity costs associated with spyware are far greater than those of spam.

Internet Commerce – At a macro level, spyware also presents a threat to Internet commerce as a whole.
The increasing complexity and security concerns that arise from spyware, and the new uses of spyware, such as phishing and pharming attacks, have created a new level of user concern. Based on our recent research, there are more than 250,000 Web pages that leverage a weakness we call an “exploit” which allows them to contaminate a user’s computer with some form of spyware even when there is no interaction from the user – a practice known as a drive-by download. Quite often these sites hosting drive-by downloads operate using URLs that are commonly misspelled or mistyped alternatives to the URLs of popular sites. For example, just last week, Internet users planning to visit Google’s site who inadvertently mistyped and entered www.googkle.com became the unwitting victims of drive-by downloads. In the consumer world, spyware represents the same potential for fraud that internal spyware infections represent to corporations. For example, a leading financial institution working with Webroot determined that 100 percent of the e-commerce fraud experienced by the bank in the past quarter was tied to spyware on end user machines. Spyware, keystroke loggers in particular, which can be installed from drive-by sites or via email, has become a new method for those harvesting identities and defrauding consumers via the Internet. As more people become aware of these numbers and understand the threat of spyware, we are concerned about an overall negative effect on consumer trust in the online economy.

THE GROWTH OF SPYWARE

Spyware has become pervasive. Webroot’s survey of more than one million PCs in the last quarter reveals that 88 percent of home computers (64 percent if we exclude tracking cookies) and 87 percent of business computers (55 percent if we exclude tracking cookies) are infected with some form of spyware.
The good news is that awareness is increasing, and more people are installing programs, like Webroot’s Spy Sweeper, to prevent and contain spyware from impacting their system. The bad news is that the spyware purveyors are financially motivated, creative and resourceful. Therefore, we face a constant escalation in the amount of spyware we have to fight. To give you an idea about the growth rate of spyware, Webroot identifies between 50 and 100 new pieces of spyware every week, and between 200 and 500 pieces of spyware that have “morphed” to avoid detection and removal. With the help of a spyware research system we call Phileas, which I will explain further later, Spy Sweeper currently detects about 88,000 spyware traces – individual files which make up a piece of spyware.

Understanding the growth of spyware requires more than just data about infection rates. It also requires that we understand the impetus behind propagating these programs. Spyware is not like a virus designed by a “script kiddie” who just wants to show off. Spyware is part of a calculated business plan, or a tool used by criminals. In both instances there are clear economic motives behind the proliferation of spyware. In order to effectively fight this problem, it is essential that we have a clear picture of economic drivers, infection rates and trends. Recognizing this need, Webroot began work earlier this year to create a report that would encapsulate all of the key aspects of the issue. The result is the Webroot State of Spyware report, which we issued this past week. This is a broad and detailed accounting of spyware today. We continue to compile this data, and we will issue updates to our report quarterly. To ensure that you have all the information we assembled, I’d like to ask that a copy of the report be included in the hearing record as an appendix to my testimony.

FIGHTING SPYWARE

Until recently, the primary methods for fighting spyware were reactive.
Anti-spyware companies concentrated on fixing an already infected machine. That alone presents a significant challenge, because in order for us to do our job correctly, we need to not only detect and quarantine the spyware programs, but we also need to ensure that we do not interfere with any legitimate files in the process. Once we mastered the techniques to accomplish these two things, we worked to figure out a method that would not only cure spyware infections but also prevent them. Last year, we launched the Webroot Phileas Malware Crawler that I referenced earlier. Phileas is the anti-spyware industry’s first automated spyware research system. Phileas deploys hundreds of automated programs -- called bots -- to crawl the Web searching for spyware. In less than an hour, a single Phileas bot completes the equivalent of 10 days of manual research by a trained person. With the speed and scale of the Phileas system, we travel the Internet every day to find spyware before it attacks our customers. We complement systems like Phileas with “shields” built into the Spy Sweeper software which protect users’ systems from the common behaviors of spyware, stopping the threat before it can take hold of a system.

Ultimately, we believe that it is best to fight technology with technology, and we remain committed to continuing to provide the very best commercially available technology solutions to fighting spyware. However, we also believe that there is a vital role for legislators, regulatory agencies and law enforcement to play in this fight. As I stated earlier, there are economic motivations behind the growth of spyware. Some of the companies involved in the proliferation are considered legitimate U.S.-based companies. The complaint filed by the FTC against Seismic, and the NY Attorney General’s case against Intermix, demonstrate that there are cases that can be pursued under current law in U.S. Courts.
We encourage enforcement agencies and Attorneys General to deploy additional resources to join the fight against spyware. Companies need to understand that there will be costs associated with operating in ways that deceive and defraud consumers. In addition to existing law, we at Webroot also anticipate benefits from legislation such as Senator Burns’ bill, S. 687. The bill provides additional clarity and focus to the problems we are seeing, and I hope it will induce additional attention from enforcement agencies.

CONCLUSION

Again, I thank you for inviting me here today. Spyware is something we have spent innumerable hours on over the last two years, and I appreciate the opportunity to come and share with you some of what we have learned. I welcome any questions you have for me. I would also like to offer our assistance to all the Members of the Committee. If, after today’s hearing, any of you have additional questions we can answer or need information we can provide, please do not hesitate to contact us. Based on our attention to this problem, and our unique research capability, we are in a unique position to offer assistance, and welcome the opportunity to help in the formation of policy.
Mr. Trevor Hughes
Executive Director, Network Advertising Initiative
Witness Panel 2
Network Advertising Initiative
Testimony
Hearing on Spyware
J. Trevor Hughes, Executive Director
Network Advertising Initiative
Committee on Commerce, Science, and Transportation
United States Senate
May 11, 2005
Executive Summary

The NAI is a cooperative group of online companies dedicated to addressing public policy concerns related to privacy and emerging technologies. In the past, the NAI has successfully launched self-regulatory solutions to online ad targeting, the use of web beacons, and email marketing. The NAI has now turned its focus to the growing problem of spyware.

Spyware has become a legitimate concern for consumers and businesses alike. Consumers have become increasingly aware of the effect spyware can have on the speed and reliability of their computer equipment. Indeed, many consumers have their computer systems rendered inoperable through the surreptitious and malicious presence of spyware. Businesses are also finding employee computers mired in programs that have been installed through deception and fraud. The erosion of consumer trust in the wake of the spyware problem is a serious problem for all companies in the online marketplace. Put simply, spyware threatens the economic foundations of ecommerce.

In response to the spyware problem, legislation has been proposed and technologies have emerged to combat the menace. The NAI supports strong legislative and technological action against spyware. Our members cannot thrive in an environment where consumers do not (or cannot) trust the businesses and websites they encounter on the web. However, our members have found that many of the spyware solutions that have emerged are creating troubling collateral damage. In other words, some of the solutions to spyware have harmed the very thing we are trying to protect: the power, depth, and free content of the Internet. Our responses to spyware must carefully balance our need to aggressively meet the threat, while protecting the continued legitimate use of a channel that is beginning to show its true promise.

The members of the NAI strongly support federal preemptive spyware legislation. We clearly need stronger responses to the growing scourge of spyware.
And the crazy quilt of state spyware legislation is creating a daunting compliance challenge for legitimate businesses. Federal legislation that preempts state laws and creates a single, uniform national standard will both respond to the threat of spyware and provide a clearer set of standards for the online marketplace. But federal spyware legislation must carefully balance the need for aggressive responses against overbroad solutions that harm a growing online economy. One danger of broadly drafted spyware legislation is that it will prevent legitimate businesses from being able to effectively operate online. Under some of the bills that have been introduced, ubiquitous and important tools like cookies and web beacons are affected. Other bills have gone far beyond the immediate concerns associated with spyware and have proposed standards for online advertising that will be very harmful to the primary economic support for the vast quantities of free online media. We must also be wary of spyware legislation that inappropriately includes online privacy standards. Federal spyware legislation should focus carefully on fraudulent and deceptive practices.

Technological solutions are another promising option in the fight against spyware. Indeed, consumers have been appropriately advised to purchase and maintain anti-spyware software on their computers. Many of these programs have proven to be invaluable in recognizing and removing harmful programs. However, some anti-spyware technologies are inappropriately alarming consumers by flagging (and in some cases, deleting) legitimate technologies such as cookies. Cookies are not spyware, and any technological solutions must be carefully tailored to recognize and leave intact legitimate tools used by companies engaged in the online economy.

The NAI feels strongly that solutions to the spyware problem must be advanced.
Spyware is a real and growing threat to the public’s confidence and trust in ecommerce and, as such, represents a dire problem for online businesses. However, in pursuing spyware, we should be careful to protect legitimate uses of technology and ecommerce. Failure to do so may unnecessarily harm the online economy. Federal preemptive legislation, aggressive enforcement of existing laws, rational and targeted technological solutions, and industry self regulation can all work effectively towards eradicating fraudulent and deceptive practices online.

Testimony

Mr. Chairman and Members of the Committee, I want to thank you for inviting me to testify. My name is Trevor Hughes, and I am the Executive Director of the Network Advertising Initiative (NAI). The Network Advertising Initiative (“NAI”) is a trade association representing companies concerned about issues of privacy, consumer protection, and online technologies. In this role, the NAI has taken a leadership position on issues of cookies, online advertising, spam, web beacons, the Platform for Privacy Preferences (P3P), and privacy legislation. The group has now turned its focus to the growing problem of spyware and the related concern of unintended consequences for legitimate technologies and business models.

The extent of the spyware problem has been reported extensively in the media. In many ways, spyware has become one of the most compelling consumer issues in the ecommerce and online world. Spyware can cause serious problems, and even cripple computer systems. There is ample anecdotal evidence of spyware substantially impairing the speed of consumers’ computers. The fraudulent and deceptive nature of spyware has resulted in legitimate consumer outcry. Businesses also struggle under the onslaught of spyware. Employees’ systems can be seriously compromised by spyware. This raises serious concerns about productivity, security, and corporate intellectual property.
Untold hours of customer service support are being spent in response to spyware problems on consumer and employee desktops. But the erosion of consumer trust in online activities and ecommerce is perhaps the most economically damaging effect of spyware. Billions of dollars have been spent in realizing the promise of ecommerce. Nearly every industry now uses online tools – including email, instant messaging, internet telephony, and ecommerce generally – to transact business within companies and with customers. These investments are at peril if consumers distrust the very medium through which they are transacting business.

There have been numerous surveys and polls taken to determine whether the threat of spyware and other deceptive practices has influenced consumer confidence with the Internet. In August 2004, Greenfield Online conducted a poll regarding Internet users’ concerns and perceptions regarding Internet security issues. According to the results, 80% are concerned about online identity theft, 72% would bank online for the first time if security was improved, and 90% of existing online bankers would utilize higher value services if there was better protection from identity theft. In a September 2004 Dell and IEF poll, almost 4 of every 10 people polled felt less secure using computers than a year earlier. The results seem to show that consumers are becoming weary, and wary. When considered with the growing problems of phishing, ID theft, viruses, and general online fraud, the spyware problem exemplifies an increasing crisis in consumer confidence in the online channel. If spyware is allowed to proliferate, we will be left with a distinctly dystopian future in which the web is so polluted with fraud and deception as to be unusable by the public. In such a scenario, everyone loses.

Industry and public policy solutions to the spyware problem have been quick to arise. Clearly, companies engaged in the online economy have a strong incentive to eradicate spyware.
But any legislative and technological solutions must be carefully crafted to ensure that we do not throw the proverbial baby out with the bathwater. We must be sure to protect benign technologies and legitimate business models as we pursue the purveyors of spyware. We must also recognize the value of effective industry self regulation in the online economy. Legislative and technological responses frequently do not provide the fine tuning necessary to proscribe the boundaries of acceptable corporate practices online. There are many examples of strong self regulatory efforts in ecommerce that should be applauded and encouraged as a meaningful tool to address public policy concerns.

The Legislative Response

Over the past two years, many legislative proposals have been introduced in response to the spyware problem. Currently, there are at least 3 bills in Congress, and over 30 bills in the states. Four states have passed spyware legislation. It is possible, if not probable, that we will have over a dozen spyware laws at the state level by the close of this year. As these laws proliferate, the challenges for legitimate businesses to comply with the myriad of state standards increase significantly.

The members of the NAI feel strongly that federal preemptive legislation is currently needed. We recognize, perhaps more than most other companies, the serious challenge presented by the growing gauntlet of state spyware laws. In the United States today, we have 4 spyware laws on the books (one is currently enjoined under a constitutional challenge) and over 30 bills proposed. If the trend towards state spyware legislation continues, we will end up with a crazy quilt of standards that makes compliance overly burdensome for legitimate business. In such a scenario, preemptive federal legislation is necessary to set a common platform for the nation. But spyware legislation at the federal level should not be passed only to create a common standard for the nation.
Rather, the primary focus of the legislation should be to address the dire threat posed by pernicious behavior online. Spyware is fundamentally an act of deception. And federal spyware legislation should focus carefully on the fraudulent and deceptive behaviors associated with the problem. The NAI therefore strongly supports legislative efforts that target those acts associated with spyware that are fraudulent and deceptive in their very nature.

But how do we know what is fraudulent online? In spring of 2004, the Consumer Software Working Group (CSWG), a group formed under the leadership of Ari Schwartz from the Center for Democracy and Technology, recognized the growing concern over spyware and worked to compile a list of devious practices in downloaded applications (spyware). The CSWG categorized the practices into three areas: hijacking, surreptitious surveillance, and inhibiting termination. The CSWG list of devious practices is a valuable tool for identifying the fraudulent and deceptive practices that exist online. And the influence of the effort can be readily seen in Section 2 of HR 29, a leading spyware bill in the House of Representatives. The NAI participated in the development of the CSWG devious practices list and applauds Mr. Schwartz and the CDT for their leadership on this important issue. Our members feel that Section 2 of HR 29 represents an important tool for combating fraud and deception in spyware.

Unfortunately, many of the legislative proposals currently under consideration go far beyond fraud and deception. Indeed, HR 29, while providing meaningful responses in Section 2 (dealing with deceptive practices), goes too far by proscribing many online advertising practices. The NAI does not support legislative standards that endeavor to place limits on the use of online advertising. Online advertising is the primary economic force that creates the enormous amount of free content we enjoy online today.
Proscribing online advertising will compromise that economic model, and may threaten the availability of free resources online. Further, many legislative proposals confuse the spyware debate with online privacy. While there are definitely privacy violations that are occurring through spyware, a broad online privacy response that covers all online activities is not warranted. Online privacy should be considered separately from spyware.

Another approach that has been seen in response to spyware is to limit the technologies that the purveyors use to perpetrate their fraud. But this response is flawed. Spyware is not caused by technology. Indeed, in many cases the technology is irrelevant to the practice involved. If legislation were to limit a certain technology, the purveyors of spyware would simply move to, or develop, other technologies to continue their activities. Prohibiting or proscribing technologies is not good public policy.

A good example of a technology that has been implicated in the spyware debate is cookies. Put simply, a cookie is a mechanism that allows a web site to recognize a particular computer as it visits that site. Cookies power a huge number of critical web functions today – preference management, shopping baskets, advertising, auditing and analytics all use cookies. There have been privacy concerns related to the use of cookies, and these issues are valid and important. As a result, cookies have been thoroughly vetted through public policy channels. Cookies are not spyware. They have been thoroughly reviewed and managed through technology, regulation, and self regulation. Any further standards create very real threats to the reinvigorated online economy. Ecommerce, online advertising, and free online content all pivot upon the use of cookies. Any legislation addressing spyware must make it clear that cookies are not spyware. A legislative approach that focuses on behavior (fraud and deception) and not technology will achieve this result.
Another issue that has arisen in the legislative debate over spyware is whether companies engaged in the technological responses to spyware (anti-spyware technologies) should be provided protections under the law. The members of the NAI feel strongly that all companies in the online world should be accountable for their actions. Providing a “good Samaritan” safe harbor for anti-spyware companies would remove the necessary checks and balances that encourage such companies to provide solutions that are carefully targeted at actual spyware. We therefore do not support such provisions.

Conclusion

The NAI feels strongly that spyware is a critical threat to ecommerce and online advertising. We applaud and support legislative efforts that are narrowly tailored to offer better tools to pursue fraud and deception. We stand together with advocates, consumers, and public policy leaders in demanding accountability for the nefarious actions of the purveyors of spyware. However, much of the current discussion regarding spyware has inappropriately included limits on online advertising, privacy standards, and benign technologies such as cookies. Limits on online advertising and broad online privacy mandates are inappropriate in a spyware bill. And technological proscriptions may hinder the use of fundamental tools of ecommerce. Any restrictions on these technologies could have devastating consequences for the online economy. The NAI therefore urges public policymakers to carefully draft any spyware standards to narrowly focus on fraud and deception. Legislation should be inherently technology-neutral and not impair the continued growth of the online advertising market.

But legislative solutions are not enough to solve the spyware problem. We need to have effective, and accountable, technologies to respond to the pollution on consumers’ desktops. And industry self regulation must be supported to provide strong guidance for the legitimate actors in the online economy.

Mr. Chairman, on behalf of the members of the NAI, I pledge our efforts to continue to work on this issue and to support the important work of this committee in fighting spyware. Spyware is a complex problem, and our responses must be thoughtful, robust and comprehensive. Thank you. I look forward to your questions.

________________________________________________

Footnotes
1. Survey Finds Identity Theft Negatively Impacting Consumer Use of the Internet, October 19, 2004, http://biz.yahoo.com/prnews/041019/datu019_1.html
2. IED-Dell Survey conducted between September 17-19, 2004 by Ipsos-Public Affairs. Results also mentioned in the Washington Post article “Dell Joins Spyware Fight,” October 18, 2004, http://www.washingtonpost.com/wp-dyn/articles/A41629-2004Oct18.html