<DOC> [108th Congress House Hearings] [From the U.S. Government Printing Office via GPO Access] [DOCID: f:93308.wais] SPYWARE: WHAT YOU DON'T KNOW CAN HURT YOU ======================================================================= HEARING before the SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION of the COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED EIGHTH CONGRESS SECOND SESSION __________ APRIL 29, 2004 __________ Serial No. 108-89 __________ Printed for the use of the Committee on Energy and Commerce Available via the World Wide Web: http://www.access.gpo.gov/congress/ house __________ U.S. GOVERNMENT PRINTING OFFICE 93-308 WASHINGTON : DC ____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512ÿ091800 Fax: (202) 512ÿ092250 Mail: Stop SSOP, Washington, DC 20402ÿ090001 ------------------------------ COMMITTEE ON ENERGY AND COMMERCE JOE BARTON, Texas, Chairman W.J. ``BILLY'' TAUZIN, Louisiana JOHN D. DINGELL, Michigan RALPH M. HALL, Texas Ranking Member MICHAEL BILIRAKIS, Florida HENRY A. WAXMAN, California FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts CLIFF STEARNS, Florida RICK BOUCHER, Virginia PAUL E. GILLMOR, Ohio EDOLPHUS TOWNS, New York JAMES C. GREENWOOD, Pennsylvania FRANK PALLONE, Jr., New Jersey CHRISTOPHER COX, California SHERROD BROWN, Ohio NATHAN DEAL, Georgia BART GORDON, Tennessee RICHARD BURR, North Carolina PETER DEUTSCH, Florida ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois CHARLIE NORWOOD, Georgia ANNA G. ESHOO, California BARBARA CUBIN, Wyoming BART STUPAK, Michigan JOHN SHIMKUS, Illinois ELIOT L. ENGEL, New York HEATHER WILSON, New Mexico ALBERT R. WYNN, Maryland JOHN B. SHADEGG, Arizona GENE GREEN, Texas CHARLES W. ``CHIP'' PICKERING, KAREN McCARTHY, Missouri Mississippi, Vice Chairman TED STRICKLAND, Ohio VITO FOSSELLA, New York DIANA DeGETTE, Colorado STEVE BUYER, Indiana LOIS CAPPS, California GEORGE RADANOVICH, California MICHAEL F. DOYLE, Pennsylvania CHARLES F. BASS, New Hampshire CHRISTOPHER JOHN, Louisiana JOSEPH R. PITTS, Pennsylvania TOM ALLEN, Maine MARY BONO, California JIM DAVIS, Florida GREG WALDEN, Oregon JANICE D. SCHAKOWSKY, Illinois LEE TERRY, Nebraska HILDA L. SOLIS, California MIKE FERGUSON, New Jersey CHARLES A. GONZALEZ, Texas MIKE ROGERS, Michigan DARRELL E. ISSA, California C.L. ``BUTCH'' OTTER, Idaho JOHN SULLIVAN, Oklahoma Bud Albright, Staff Director James D. Barnette, General Counsel Reid P.F. Stuntz, Minority Staff Director and Chief Counsel ______ Subcommittee on Commerce, Trade, and Consumer Protection CLIFF STEARNS, Florida, Chairman FRED UPTON, Michigan JANICE D. SCHAKOWSKY, Illinois ED WHITFIELD, Kentucky Ranking Member BARBARA CUBIN, Wyoming CHARLES A. GONZALEZ, Texas JOHN SHIMKUS, Illinois EDOLPHUS TOWNS, New York JOHN B. SHADEGG, Arizona SHERROD BROWN, Ohio Vice Chairman PETER DEUTSCH, Florida GEORGE RADANOVICH, California BOBBY L. RUSH, Illinois CHARLES F. BASS, New Hampshire BART STUPAK, Michigan JOSEPH R. PITTS, Pennsylvania GENE GREEN, Texas MARY BONO, California KAREN McCARTHY, Missouri LEE TERRY, Nebraska TED STRICKLAND, Ohio MIKE FERGUSON, New Jersey DIANA DeGETTE, Colorado DARRELL E. ISSA, California JIM DAVIS, Florida C.L. ``BUTCH'' OTTER, Idaho JOHN D. DINGELL, Michigan, JOHN SULLIVAN, Oklahoma (Ex Officio) JOE BARTON, Texas, (Ex Officio) (ii) C O N T E N T S __________ Page Testimony of: Baker, David N., Vice President, Law and Public Policy, Earthlink.................................................. 36 Beales, J. Howard, III, Director, Bureau of Consumer Protection, Federal Trade Commission....................... 42 Friedberg, Jeffrey, Director of Windows Privacy, Microsoft... 10 Schwartz, Ari, Associate Director, Center for Democracy and Technology................................................. 47 Thompson, Hon. Mozelle W., Commissioner, Federal Trade Commission................................................. 38 Additional material submitted for the record: Downloading Shared Files Threatens Security, article by Sgt. 1st Class Eric North....................................... 86 Thompson, Roger, Vice President for Product Development, PestPatrol, Inc., prepared statement of.................... 81 Webroot Software, Inc., prepared statement of................ 83 (iii) SPYWARE: WHAT YOU DON'T KNOW CAN HURT YOU ---------- THURSDAY, APRIL 29, 2004 House of Representatives, Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection, Washington, DC. The subcommittee met, pursuant to notice, at 10 a.m., in room 2123, Rayburn House Office Building, Hon. Cliff Stearns (chairman) presiding. Members present: Representatives Stearns, Upton, Shimkus, Shadegg, Bass, Bono, Otter, Barton (ex officio), Schakowsky, and Strickland. Alsp present: Representatives Inslee and Greenwood. Staff present: David L. Cavicke, majority counsel; Chris Leahy, policy coordinator; Shannon Jacquot, majority counsel; Brian McCullough, majority professional staff; Jill Latham, legislative clerk; William Carty, legislative clerk; and Consuela Washington, minority counsel. Mr. Stearns. Good morning. I am pleased to welcome all of you to the Commerce, Trade and Consumer Protection Subcommittee hearing on spyware. Spyware is loosely defined as malicious software, downloaded from the internet that spies on the computer owner or user, usually to provide information to third parties. The Federal Trade Commission has said that spyware is software, that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent or that assert control over a computer without the consumer's knowledge. A spyware relative, known as adware, enables the computer owner or user to receive a stream of ads and other marketing information usually based on data the software has collected about the user. Adware or ad supported software is frequently bundled with free internet software or free ware. Legitimate adware allows the user knowledge and consent about the software and frequently provides an adware free version for purchase. More noxious adware versions, however, can be downloaded without consent or through deceptive means, essentially making them spyware in themselves. My colleagues, as we speak, spyware and adware software programs are growing at a very, very rapid rate. According to the consumer security firm, McAfee, these software programs have grown in number from about 2 million in August 2003 to over 14 million currently. As further proof of the potential scale of this problem, the National Cyber Security Alliance has estimated that over 90 percent of users had some form of adware or software, spyware on their computers and yet, most were unaware of it. In worse cases, the more malicious varieties of spyware can record keystrokes and compromise personal information, including passwords and Social Security Numbers. The simple act of downloading a desired program from the internet can not only open the door on your personal computer and your most private information, but also can allow spies to effectively take up resident in your personal computer. Your personal property, I might add, without your knowledge and without your consent. Then after sneaking into your computer, some of these malicious spyware programs can act as snoop, prying into your private life or thieves, stealing personal information or as pornography dealers, exposing your children to obscene online material. If and when you finally discover the spy lurking in your personal computer, the damage is already done. In the best cases, the technology that enables spyware also can serve as a first line of defense against obscene internet material by tracking website activity and filtering out the garbage. Other forms of the technology, like legitimate adware, are authorized by the consumer and provides businesses a new and efficient means of reaching potential customers with less expensive goods and services. While some would have us to find spyware with technical parameters, others believe that it is not the technology tool that needs to be defined and targeted. It's the unscrupulous individuals preying on the consumer from these programs. Clearly, no matter the definition we create today, it is always reprehensible when someone intentionally downloads secret software into a personal computer that is designed to steal information or trick us into opening the doors into our private lives. To try to address this egregious internet activity, Ms. Bono of California, has introduced legislation to enhance spyware disclosures, root out this deceptive and fraudulent and create accountability. Her bill require the computer users receive clear and conspicuous notice prior to downloading spyware and that all third parties provide their identity. I sincerely commend her for her leadership on this issue. It is my hope that we can reach bipartisan consensus on legislation that will protect consumers from unwittingly being spied upon. With the help of our distinguished panel of witnesses, one of our most important tasks is to try to establish the boundaries of what is clearly legitimate and what is clearly reprehensible. We then need to explore the murky area in the middle where cases aren't so stark and are not so clear-cut, especially in cases where consumers are duped with lengthy and confusing license agreements, website trickery and exploitation of weak, personal computer security. The ultimate challenge, therefore, is to investigate ways industry, consumers and Congress can work together to rid out our online marketplace of the bad apples, while preserving legitimate uses for this software technology. And finally, my colleagues, our panel today will help us understand how spyware and adware programs are distributed in commerce, both legitimate and fraudulent. The scope of the privacy and security risk posed by this software, its effects on economic productivity and the need for Federal legislation. And I think many of you know that the State of Utah has already passed a spyware bill. The State of California and New York are presently looking at that. I welcome our witnesses today and I look forward to their testimony and with that, I call on the ranking member for her opening statement. Ms. Schakowsky. Thank you, Chairman Stearns. One of the great things about this job is that you learn something new every day. So that either indicates that I am way behind the curve here or that perhaps the Congress is getting a grip on an emerging problem. Because increasingly people are finding that their home web pages are changed or their computers are sluggish, we get pop up ads that won't go away no matter how many times they try to close them. They find software on their computer they didn't install and they can't uninstall. Their computers are no longer their own and they can't figure out why. They think that the problem is with their computer, with a program they installed or with their internet service provider, but more and more often, it's becoming clear that they are the unwitting victims of spyware. Because they clicked on the wrong web page or signed an agreement to download one program, spyware has made it on to their computer. While the above examples can be written off by some as merely annoying, there are serious privacy and security issues at stake. The tracking capability of spyware programs can be so powerful that it can record every keystroke computer users enter. It can take pictures of personal computer screens. It can snatch personal information from consumers' hard drives. People can see their bank account numbers, passwords and other personal information stolen because they quite innocently went to a bad website or clicked an agreement they didn't know they shouldn't. While some programs called spyware can have legitimate purposes like allowing for access to online newspapers without having to register every time you want to read it, truly nefarious spyware uses software and applications in ways that cannot be defended. Spyware purveyors engaged in unfair and deceptive practices. They take personal information without permission. They exploit software vulnerabilities and co-op'd others' computers. Fortunately, we do have a number of laws on the books that we can use against spyware. However, there has been virtually no enforcement of the laws. Spyware transmitters know how to cover their tracks and technology changes every day. It makes it very hard to find those who are to blame, but it can be done and we need to pursue enforcement of laws already on the books. And we also need to explore legislation and other responses to deal with the inevitable loopholes that exist in the law because of the ever-evolving nature of technology. That's why I'm glad we're here and glad I'm here today to start discussing the best way we as legislators can address these issues. We also need to get the word out to consumers so that they know what is really wrong with their computers and so that they can protect themselves from online predators. We should build on the consumer awareness efforts of the FTC and Center for Democracy and Technology as a right of their pursuing comments about how spyware has affected people. They have heard from hundreds of consumers concerned about spyware's invasion into their privacy. From these comments and very technical investigative follow-up, the Center for Democracy and Technology has filed complaints with the FTC about two spyware bad actors. I'm quite pleased that we have distinguished witnesses representing the broad spectrum of affected parties and as Chairman Stearns mentioned, we have the industry regulators and consumer groups and I look forward to hearing from all of you. Thank you. Mr. Stearns. I thank my colleague. The distinguished chairman of the full committee, the gentleman from Texas, Mr. Barton. Chairman Barton. Well, thank you, Chairman Stearns, for holding this hearing and I want to thank Congresswoman Bono for introducing this piece of legislation. We checked our committee computers this week and found 167 spyware programs on it. I told that at a meeting breakfast a couple of days ago and the gentleman held up his hand and said he had just checked his computer and had over 200 and then I told the story at dinner last night and somebody held up their hand and said over 400. So there is no more pernicious, intrusive activity going on on the internet today than the subject of this hearing. And I hope that after the hearing, we can come together on a bipartisan basis and decide what to do legislatively about it. I have told Congresswoman Bono that her bill is a starting point, but not the end point and I want to tell all of the members of the committee and the folks in the audience and the people that are watching this on television, if it's being broadcast, that we really intend to do something about this. We do not let people just wander around our homes without our permission. We don't let total strangers just come up to us, encourage us to buy this or buy that or do this or do that. And we certainly when we have guests over, and they overstay their welcome, we encourage them to leave. None of those can we do with these spyware programs that are proliferating on our personal computers and as we found out at the committee this week, our office computers. So I am very, very pleased that Chairman Stearns is holding this hearing and I am very, very hopeful that after the record is developed from this hearing that we can very quickly move to a legislative solution to that to cure this cancer on the internet. And with that, Mr. Chairman, I have an official statement for the record, but I will yield my time back. Mr. Stearns. By unanimous consent, so ordered. Chairman Barton. Thank you. [The prepared statement of Hon. Joe Barton follows:] Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy and Commerce Thank you, Mr. Chairman, for holding this hearing today. It continues this Committee's longstanding work in the area of consumer protection. Spyware may be unfamiliar to many Americans, but unfamiliar does not mean unaffected. I suspect a large number of those in this room are victims of some of these foul abuses. Certainly all of us who use the Internet are threatened by them. And the very nature of the abuse is what keeps everyone threatened by it from seeking relief. It is aptly named spyware. Its installation is often sneaky or deceptive and even when it runs it often goes undetected. And when consumers notice related problems with their systems, those problems are easy to misdiagnose. Even those that are technically savvy and aware of what is on their system, may not be able to uninstall spyware. Much of the recent discussion surrounding spyware has focused on the difficulty in defining what it is. The most pernicious of the software is composed of keystroke loggers and screen-capture utilities. This has both privacy and security issues for consumer Internet use. For example, some software can pick up your sensitive financial information when you use on-line banking, or it could monitor your email traffic and transmit personal information contained in that email. Both could lead to identity theft and other privacy and security abuses. There is also ``adware.'' While adware does not capture keystrokes it often captures information, like websites visited, and sends that information back to a central server for the purpose of delivering targeted advertising. I would be suspicious of someone following me around the shopping mall and popping over to me and offering me a better deal each time I reached a register. I suspect most of us would call the police. But this adware does the very same thing. It follows you around the Internet and just as you are looking at purchases, it invades your computer with related and often unrelated offers. There may be some who would consent to this ``point of sale'' availability of information. It is certainly marketing genius. But, without informed consent, it is a true invasion of privacy. We ran a sweep of a Committee computer earlier this week and discovered there were over 167 ``hits'' for third party cookies and adware. A recent demonstration by an anti-spyware software company showed that most of that software ended up on the computer just by visiting a site. No consent was requested and none was given. If I want someone to come into my home I invite them into my home--if they come in uninvited that is a trespass. And certainly if they take something from inside without authorization it is a burglary. The same should hold true for access to my home and information via my computer. The Internet has been a great boon to society as a tool for information and commerce. But, surfing the web is increasingly becoming a defensive exercise for consumers who wish to protect their privacy and maintain the security of their information. If this dynamic does not change soon, there is a real risk of undermining all the commercial gains the Internet has achieved.I thank our witnesses for their participation today and look forward to their testimony. In particular, I would like to thank Ms. Bono and Mr. Towns for their leadership in introducing legislation to enhance disclosures to consumers concerning spyware. After this hearing I will be working with all Members of the Committee on a legislative solution to this problem. Thank you and I yield back. Mr. Stearns. And I thank the distinguished chairman and at this point we'll have the author of the bill, the gentlelady from California for an opening statement. Ms. Bono. Thank you, Chairman Stearns, and Chairman Barton for your leadership on this issue. I welcome the full weight of the committee chairman and subcommittee chairman behind this legislation. It's also been a pleasure to work with Congressman Ed Towns who apparently caught a flight home today. We introduced H.R. 2929. We called it the Safeguards Against Privacy Invasions Act. I look forward to hearing from all of our witnesses this morning. Spyware is a technological disease that is proliferating each day. It threatens the efficiency of our computers and internet services as well as the security of our personal information and private transactions. Spyware programs can secretly hijack web browsers and collect web surfing patterns, keystrokes, password information, all that without the computer user ever knowing that it has even occurred. In fact, more often than not, computer users have no idea that they have downloaded spyware, nor do they have any idea as to how they obtained it. Yesterday, Harris Interactive released a web at work study which discovered that 92 percent of information technology managers estimate that their organizations have been infected by spyware at some point. However, only approximately 6 percent of the employees who access the internet at work say they have ever visited websites that contain spyware. EarthLink and Webroot Software recently scanned more than 1 million personal computers and reported 23.8 million cookies and approximately 5.7 million adware and spyware programs. Pest Patrol which sells its own spyware remover, estimates that there are more than 78,000 lurking spyware programs. One of the main conduits for the spyware industry is the peer to peer file sharing scheme. Free file sharing services like Grokster and Kazaa which are also centers for illegal copying, usually tie several pieces of adware and spyware to their programs. Kazaa, for example, bundles Gator with its software. Gator, in turn, contracts with companies who want targeted advertisements. For a fee, Gator agrees to disseminate its software so that internet habits can be monitored enabling targeted advertisements. However, spyware is not limited to bundling with other software programs such as Kazaa. In fact, some websites and e- mail messages trick computer users into downloading spyware. One common trick is to alert the computer user that his or her system is vulnerable and he or she must immediately download a security patch. However, the patch only turns out to be spyware or adware. Spyware affects everyone from the most tech savvy computer users to the least tech savvy computer users and certainly unsuspecting teens and kids. Lynn Vaccaro, a manager at Errol Electronics, one of the largest distributors of computer products, was having difficulty with pop up ads, so she tried different pop up stoppers with no avail. She then realized she had spyware on her computer. She download SpyBot Search and Destroy and many other scanner and removal tools. The tools worked so well that they eliminated parts of Internet Explorer as well as Windows. She then had to reload both of them. H.R. 2929 would require that spyware companies give clear, concise and conspicuous notice to computer users about the function of their software as well as the information that may be collected and transmitted through their software. After giving such notice, the computer user would have to agree to the downloading of the software. In other words, under the SPI Act, spyware would no longer be used to spy on unsuspecting computer users. Although Congress has a responsibility to address the issues surrounding spyware, it is equally imperative that the Federal Trade Commission, as well as the technology industry, does all that it can to protect consumers from spyware. Moreover, it is necessary that we collectively educate consumers about the nature and the threats of spyware. I hope this hearing will help all of us learn more about spyware and it will enable us to begin tackling some of the complicated and technical questions that are related to spyware. Thank you, Mr. Chairman. Mr. Stearns. I thank the gentlelady. Mr. Shimkus. Mr. Shimkus. Thank you, Mr. Chairman. I'll be brief. I bought a new Dell. I got Windows XP. I'm disappointed with both of those. My computer is lots more sluggish than it ever was under my own system that had less memory, less capabilities and it's unfortunate and I think it's because I've got programs competing with each other. It's like trying to ride an old Western, you're on that stagecoach and you've got those 16 horses and you've got both reins and you just can't control it. It's tremendously frustrating and I'm not tech savvy at all. So this one of many issues that I think is frustrating the public and I'm glad Mary has seen fit to work Mr. Towns and really address this. This hearing is very, very important. This also gives me the opportunity because of the inability to control our own personal computers any more. It also gives me the chance to advertise once again for .kids.us, the importance of that, if you want to protect kids on the internet and we have a late weekend sale, we're having our hearing. I think next week, Thursday, maybe, so those of you who have not got a site up on .kids.us, you still have time before we have the hearing and start identifying those good entities that are trying to protect kids and those who are still a little negligent and we will continue to try to coerce them. I did receive an e-mail, Mr. Chairman, if I may submit into the record. Mr. Stearns. By unanimous consent, so ordered. Mr. Shimkus. It's from Sergeant First Class on peer to peer issues and it's probably well known in the community. The other issue to this debate is the threat to national security. If these things are on Department of Defense computers and individuals have the ability then to snoop around in our intelligence community, Department of Defense, FBI and the like, this is a really serious national security concern. I think this article highlights that and so I think this is a very timely hearing. I thank you for calling it and I thank my colleague, Mary Bono, for bringing it to our attention. I yield back. Mr. Stearns. I thank the gentleman. The gentleman from Michigan, Mr. Upton. Mr. Upton. Well, thank you, Mr. Chairman. I want to thank my colleague, Ms. Bono, as well, for the great work she's done on this legislation. I might say that I've got a Dell as well at home with an XP in it. At the beginning when you turn it on, I used to make a joke with my kids there's a lot of little guys inside, the click, click and they run around trying to plug in the old circuits, sort of like the old telephone, but now it's--you need Raid because you find out, in fact, it's not little guys in there. It's spiders. And I've been a victim of spyware as well. I don't know how many hundred, Mr. Barton, that I have, but I have a 12-year-old and a 16-year-old and we had to have the computer doctor come visit and take it away and take it to the ER and it's on life support. Found out it couldn't even deal a deck of cards in Solitaire it was so slow, it was so pathetic. It's bad. It is bad. I think for a lot of Americans when they become victims of this they're a little surprised and they become very alarmed and then they become very angry and bitter that someone would violate their personal space whether it be Kazaa or anybody else and in fact, victimized an entire family, homework and everything else, that a PC provides assistance with. So I think that we need legislation on this. I think we need strong penalties. Some might suggest the death penalty. I don't know that we'll go that far, we'll look for some judiciary help, but I want to thank my colleague, Ms. Bono, for this. I want to thank you, Mr. Chairman, for holding this hearing and hopefully, we will move on a strong bipartisan basis to use the Raid to get those little guys out of there. I yield back my time. Mr. Stearns. I thank the gentleman. The gentleman from New Hampshire, Mr. Bass. Mr. Bass. Thank you, Mr. Chairman, a great hearing. I've all the same issues that everybody else has talked today. I'm eager to hear the witnesses, so I yield back. Mr. Stearns. I thank the gentleman. Mr. Otter? Mr. Otter. Well, thank you, Mr. Chairman, and let me join in this core of folks in showing appreciation to Ms. Bono for her efforts on bringing this to our attention and also holding this hearing and getting some sort of a resolve. Over the last few years, this Congress has debated the privacy issues on many fronts. The passage of the Health Insurance Portability and Accountability Act, created new privacy protection for individuals in the health market. However, Congress also passed the Patriot Act which has caused many, including myself, to carefully evaluate the value we place on personal privacy. I believe many in the public are not aware of the many ways they are being watched online, tracked online and in recent years there have been an increased awareness of identity theft, yet we still hear little about the intrusiveness and the risk associated with spyware. There's no doubt that the function of spyware is to watch, to track, record an individual's internet usage and activity, often without the knowledge of the user. I'm very interested in hearing from the witnesses today on what they believe is an appropriate way to notify users before they download spyware. I'm also very concerned about the websites like Kazaa that infect computers with spyware in exchange for providing user access to stolen goods and then profit from them by selling the information collected by spyware to other advertisers. As an advocate of personal responsibility, I also believe that users who participate in these illegal activities on these sites such as music and movie theft, should expect to be taken advantage of and I have little sympathy for them. If you're going to play with fire, you need to expect to get burned. So if you don't want spyware from Kazaa and other similar sites on your computer, don't participate in these illegal activities. Mr. Chairman, once again, I thank you and I thank Ms. Bono for the opportunity to examine these issues and look for solutions in solving them. I yield back. Mr. Stearns. I thank the gentleman and just for his information, we're going to have a hearing on this Kazaa and the peer to peer later. The gentleman from Arizona, Mr. Shadegg. Mr. Shadegg. Thank you, Mr. Chairman, I am also anxious to hear the witnesses because I think this is an extremely important topic. I similarly want to congratulate our colleague from California, Ms. Bono, on bringing an important issue to the committee. I think this is an issue that we need to be very attentive to and quite frankly, it's an area where I think we need legislation. I want to compliment you on holding the hearing. Mr. Stearns. I thank the gentleman. We also welcome Mr. Inslee from the State of Washington. He is a guest here with the committee. [Additional statement submitted for the record follows:] Prepared Statement of Hon. Barbara Cubin, a Representative in Congress from the State of Wyoming Thank you, Mr. Chairman, for holding this timely hearing. I would also like to thank the distinguished panel of witnesses here today. Today's hearing brings together an assembly of panelists who are recognized experts of various technological industries, and I anticipate their insights to be of unparalleled value as we delve into the issues surrounding spyware. As Americans become increasingly dependent upon computer technology to navigate everyday life, there is a consumer-driven demand for technology to be perpetually updated. Unfortunately, in the continuously expanding domain of computer technology, there also exists the knowledge to utilize software for less desirable results. Today's hearing will educate and warn us all of an emerging, largely undesirable software technology phenomena known as spyware. Today's hearing will foster debate and thought regarding several complex issues surrounding spyware. First and perhaps most gravely is the need to develop a clear and accepted definition of spyware. We must first acknowledge that instances where this type of software can be used by third parties for valid and useful purposes do in fact exist. However, it is when this technology is utilized by unethical and fraudulent purposes that alarm must be raised. While most Americans will never understand how spyware is engineered, it is indisputably unacceptable for someone to secretly download software onto another's computer with the intent of stealing personal information. Therefore, today's debate should be based upon the bad practices and deviant behavior of promulgators of spyware rather than its technological aspects. Aside from the need to apply a definition to spyware, there also exists a need to examine the more complex matter of enforcing punishment of the inappropriate use of this technology. While consumers may not object to receiving advertisements, a line that must be drawn before people are allowed to use spyware for more invasive and intrusive purposes. Today's hearing will reveal what steps software industry leaders are taking to protect consumers from such invasions and increase our understanding of what role Congress should play in this capacity. Most importantly, today we have the opportuniy to help raise consumer awareness of the increasingly dangerous use of spyware. The majority of American consumers have likely been affected by spyware at some level, and I foresee today's hearing as the embarkment of a large- scale campaign to help Americans better educate and protect themselves from the inappropriate use of spyware. Thank you Chairman, and I yield back the balance of my time. Mr. Stearns. We're going to, since the opening statements are complete, we're going to depart from the normal schedule and hearing from the witnesses. We're going to go to a demonstration. I would hope that we would have an actual demonstration of how spyware is used and so with that further ado, we'll have this demonstration. Mr. Friedberg. Actually, it's going to be part of my testimony, so I can do it all at once. Mr. Stearns. We'll let you start and go ahead and do that then. STATEMENTS OF JEFFREY FRIEDBERG, DIRECTOR OF WINDOWS PRIVACY, MICROSOFT; DAVID N. BAKER, VICE PRESIDENT, LAW AND PUBLIC POLICY, EARTHLINK; HON. MOZELLE W. THOMPSON, COMMISSIONER, FEDERAL TRADE COMMISSION; J. HOWARD BEALES III, DIRECTOR, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION; AND ARI SCHWARTZ, ASSOCIATE DIRECTOR, CENTER FOR DEMOCRACY AND TECHNOLOGY Mr. Friedberg. Great. Chairman Stearns, Ranking Member Schakowsky and members of the subcommittee, my name is Jeffrey Friedberg and I am the Director of Windows Privacy at Microsoft Corporation. Thank you for the opportunity to share our views on this growing threat to computer users around the world. I'd like to comment the subcommittee for holding this hearing and its bipartisan approach to this important consumer issue. I'd also like to acknowledge Representatives Bono and Towns for the time and energy they have invested. Spyware and deceptive software share a common theme. They use ambiguity, coercion, deceit and outright trickery to lure and even force users to execute or install unwanted programs. They can be invasive, offensive and even destructive. Our customers complaint that deceptive software degrades their computing experiences, in some cases, making their computers unusable. We have evidence that this software is at least partially responsible for approximately half of the application crashes our customers report to us. It has become a multi-million dollar support issue for computer manufacturers, ISPs and companies like Microsoft. I'm going to show you some examples of how our customers have been tricked. My first slide illustrates what we call a pop-under exploit. We don't have it on the back screen at the moment. Chairman Barton. I think we have spyware infecting our application here. Mr. Friedberg. Great. Mr. Stearns. Do you just want to turn down the lights a little bit? Is that possible to do that? Mr. Friedberg. So in this case a user goes to a website they trust. I've simulated a news website here, may be their favorite site, and after a delay---- Mr. Stearns. Just pull the mic up a little bit more because when you turn your head, we lose you. Mr. Friedberg. Sorry. And after a delay, they get the security warning which is normal which says hey, somebody is trying to download software to you. Now the user thinks this might be coming from the trusted site, but if you watch the screen carefully, you'll notice that it's actually coming from a window underneath, what we call a pop-under window that's just lying in wait, hoping that this can happen in which case the user might think this download is for the trusted site and might click yes. This next one which is one of my favorites is cancel means yes. If you look at this screen, it looks like an official security update or some kind of privacy update. In fact, if you read it carefully, it says this is a security update, a personal privacy protection update and a system update. They've used every buzz word they can imagine and it's provided these okay and cancel buttons and it looks quite bona fide. The reality is is that this is actually just an image and none of these buttons are functional. In fact, if you click on the okay or even the little X in the corner, it will all take you to the site and attempt to download software to your machine. This is quite deceptive. Here's another example of the same kind of trick. The security alert in this window is embedded and again provides the Yes/No cancel buttons, but it's just a picture and people can embed pictures in web pages. This is a normal thing. But it tricks users and they click somewhere on this window and one of these buttons and it still takes them to the site and attempts to download the software. Another thing that bothers me about it is it says ``warning, your computer is being attacked by spyware and adware.'' Well, how do they know that? I mean this is basically just scare tactics in order to get people to download this software. Finally, in the browser there's a security setting. This is one other way that unwanted software can end up on your machine. If you set it to the low setting, it means that all sites you visit are trusted. I call this leaving your front door open. In this case, there's no warning, the software will simply load because you've told the system everything is trusted. We first off have a default which is medium and we recommend to users to leave it at medium or higher. So these slides provide just a sample of the ways users can be tricked. I've included other examples in my written testimony. There is no silver bullet to address the wide range of issues with deceptive software. We believe it will take a comprehensive approach that has four key elements. The first is better consumer education. Today's hearing and last week's FTC workshop heightened consumer awareness of the problems caused by deceptive software. To complement these efforts, Microsoft recently launched a website www.microsoft.com/spyware to help consumers understand, identify, prevent and remove deceptive software. The next element is technology. Microsoft will make available this summer a free update to Windows XP called Service Pack 2. It will include a new pop up blocker and pop ups is one of the most common ways that people get a proposition for a download through a pop up experience. Pop up blocker shows up in this thing called an information bar in Internet Explorer. It gives people both notice and choice of what's happening to them with the pop ups. They can choose to block them or choose to allow them through or do that by site. I know my financial institution needs pop ups to work, so I would turn up pop ups for that site. Another feature is this new download blocker. It specifically is designed to prevent forced downloads. These are downloads that are unsolicited. You go visit a website and somebody attempts to jam software on your machine. Instead of that happening, you get a little warning in this little information bar that says hey, someone is trying to download some software, what do you want to do? And you don't have to take any action. By having this blocker, you don't have to be interrupted and take action and it's suppressed until you decide on your terms to do something about. This helps with two problems. One is that it prevents the pop-under exploit I mentioned earlier and second, I have small kids and they don't even read and I ended up with some kind of spyware in my system because they clicked yes to some dialog that popped up in the middle of a game. This would prevent that from happening. They won't even see that opportunity to download this kind of software. We've also cleaned up the install prompts. The one on the left is the old one and there's opportunity for some publishers to throw a lot more information there we had wanted originally which makes a very confusing experience. If you've actually looked at the one on the left more carefully, it's almost a miniature license agreement thrown in this experience which is totally inappropriate. The one on the right makes that much more difficult to do and it truncates the line, makes it much easier to spot someone trying to trick you. We also added a new feature called never accept software from a publisher. So you could choose by publisher to say look, I don't want software from you anymore and block that from happening. The last thing, as I mentioned earlier about leaving your front door open, it seems intuitively obvious well look, if low is kind of dangerous for most users, why do you offer it? So now we actually pop an arrow that says look, you really can't set it to low anymore. Expert users can get around this and if they want to lower their settings they can, but for the majority of users, at least we've done something to slow down this accidental way that they leave their doors open. So these improvements, as well as others we are working on, will advance our goal of helping users better understand what software they are running and installing and whether they can trust it. The third element of our approach is industry-wide best practices which we believe will create an incentive for legitimate software publishers to do the right thing. Best practices will also serve as a foundation for programs that certify good actors and thereby enable consumers to make more informed decisions. In the end, we believe self-regulatory measures will best account for the complexities of different software applications and evolve to meet the ever-changing nature of technology. The fourth element is aggressive enforcement of existing laws. Such enforcement could put some of the most insidious violators out of business which would have a significant impact on the amount and the type of deceptive software that is produced and distributed in the United States. Finally, for what is not already illegal under existing law, Federal legislation can help fill in the gaps. That said, any legislation must carefully target deceptive behavior rather than specific features or functionalities. My written testimony provides examples of areas in which legislation can impose ineffective or impractical requirements. As you consider legislating in this area, we urge you to avoid such unintended consequences. In conclusion, we applaud the subcommittee for holding this hearing today and appreciate the opportunity to share our experience and recommendations. We are committed to working with you to thwart the efforts of those who produce industry- deceptive software and to restore choice and control to our customers. Thank you. [The prepared statement of Jeffrey Friedberg follows:] Prepared Statement of Jeffrey Friedberg, Director of Windows Privacy, Microsoft Corporation Chairman Stearns, Ranking Member Schakowsky, and Members of the Subcommittee: My name is Jeffrey Friedberg, and I am the Director of Windows Privacy at Microsoft Corporation. I want to thank you for the opportunity to share with the Subcommittee our views on this burgeoning threat to computer users around the world. Spyware and other deceptive software share a common theme: they use ambiguity, coercion, deceit, and outright trickery to lure or even force users to execute or install unwanted and often invasive programs. Our customers complain that this software degrades their computing experiences--in some cases rendering their computers unusable--and causes them to feel frustrated and out of control. It also compromises their privacy and can make their computers more susceptible to attack. Microsoft applauds Congress and the members of this Subcommittee for their attention to this problem. In particular, we would like to acknowledge Representatives Mary Bono and Ed Towns for the time and energy they have invested. Stopping the spread of deceptive software is one of Microsoft's highest priorities. We are committed to providing consumers with the information and technology that will help protect them against deceptive software. And we are committed to working with you, law enforcement, and others in the industry to identify and penalize the perpetrators of these nefarious programs. Today, I want to describe the nature and nuances of deceptive software, and explain Microsoft's comprehensive strategy for tackling this issue. As with any issue that raises consumer protection concerns, there are a number of ways in which the public and private sectors, working together, can address the problem. These include educating consumers, developing new technology to help protect users and to empower them to make more informed choices, identifying industry standards and best practices, and taking enforcement actions against those engaged in fraudulent, deceptive, and unfair practices. To the degree existing law fails to capture bad actors, legislation could complement this strategy, but we believe it should be carefully crafted to target the bad behavior--not the underlying technology. Overbroad legislation could place an undue burden on legitimate software, and seriously undermine the user experience. What Is Deceptive Software? Let me explain what, exactly, I mean by deceptive software. Deceptive software generally describes programs that gain unauthorized access to a computer--whether to spy on user activities, hijack user configurations, or deliver intrusive and unwanted pop-up advertisements. The common thread that unifies deceptive software programs--and that distinguishes them from legitimate applications--is their lack of notice and choice, and their absence of respect for users' ability to control their own computers. With proper disclosure, user authorization and control, these same features can be an asset: user-approved tracking can lead to personalization; user-approved configuration changes (for example, setting a new search page) can yield a better user experience; and user-approved displaying of advertisements can subsidize the cost of a service (such as e-mail), making it cheaper or even free for consumers. In short, the problem is with bad practices, not the underlying features. There is a spectrum of tricks that cause consumers to load software applications that they may not want. To better understand these tricks, it is useful to first briefly describe a legitimate download experience. I would like to draw your attention to Slide A: ``User Initiates Download.'' This slide represents a typical web site consumers might visit. On the web site is a link for downloading a program (in this example, a program that will display a ``stock ticker''). When users click on the link, the operating system displays a security warning that asks them whether they want to install the program, as shown in Slide B: ``Security Warning Displayed.'' These security warnings are a normal part of the computing experience. In some instances, however, web sites manipulate the download experience in an attempt to mislead users. When users are presented with a download request and security warning, they will often consider the web site they are visiting to decide whether to accept the download. If the web site is one they trust, they may simply accept the download without much thought. Using a deceptive technique we call a pop-under exploit, however, some web sites take advantage of this trust, going out of their way to make it more difficult for users to tell which web site is actually offering the download. For example, on Slide C: ``Pop-Under Exploit--Step 1,'' users who are visiting a legitimate website are presented with a download request that appears to have been generated from that site, which we see on Slide D: ``Pop- Under Exploit--Step 2.'' In fact, the download request was actually launched from a web page that is hidden beneath the legitimate site, as we see on Slide E: ``Pop-Under Exploit--The Trick.'' Launching a download request from a pop-under can result in a confusing or even misleading experience. It is likely that the user, who cannot easily view the underlying web page, will assume that the request came from the legitimate site and may choose to download the software for this reason. Web sites are often compensated for each software download that occurs from their site and in order to increase this volume, some web sites will resort to deceptive practices. For example, a web site might confuse users so that no matter where they click, they are taken to a page that requires a download. In this scenario, shown on Slide F: `` `Cancel' Means `Yes,' '' a user is presented with an image that mimics a security warning or update and appears to provide the user with appropriate choices about downloading certain software. However, even if the user clicks the ``Cancel'' button or the ``[x]'' box to close the window, the web site will attempt to download the software onto the user's machine. This type of trick can also take place through embedded security alerts, as shown on Slide G: ``Faux Security Alert,'' where all buttons in the alert mean ``yes'' and initiate a download experience the user did not want. Perhaps the most nefarious way that software is installed requires no action on the part of the user. In this scenario, bad actors exploit a security hole and covertly install software without any notice to or consent from the user. This practice is illegal under existing law, but bad actors still attempt to deceive users in this fashion. To educate consumers on the steps they can take to minimize this risk, we created a web site, www.microsoft.com/protect, that recommends (1) keeping systems up to date using the free Windows Update service, (2) running up-to-date anti-virus software, and (3) using a firewall like the one included with Windows XP. There is one other way that software can get installed without any action on the part of the user. If a user sets their browser security setting to ``low,'' as illustrated on Slide H: ``Don't Leave Your Front Door Open,'' all sites are assumed to be ``trusted,'' and no security warning will be displayed. This can result in what are called ``drive- by-downloads,'' in which the download silently and automatically occurs by just visiting a web site. Microsoft encourages users to leave their security settings on the default setting of ``medium'' or higher, and in cases where the browser security level must be set on ``low,'' we encourage users to reset security back to a higher level as soon as possible. These slides illustrate just a few of the ways in which users can be tricked into downloading unwanted and sometimes destructive software. Other tricks include limiting users' ability to make a fair choice by repeatedly asking them to make a decision until they say ``yes''; covertly installing software by piggybacking on other software being installed; pretending to uninstall; and re-installing without authorization. Deceptive Software is a Growing Problem for Our Customers Our customers are becoming increasingly frustrated by unwanted and deceptive software. We receive thousands of calls from customers each month directly related to unwanted or deceptive software, and we have evidence that suggests such software is at least partially responsible for approximately one-half of all application crashes that our customers report to us. In addition, our industry partners who make computers--sometimes referred to as ``Original Equipment Manufacturers'' or OEMs--have indicated that unwanted and deceptive software is one of the top support issues they face, and that it costs many of the larger OEMs millions of dollars per year. Other estimates support the growing threat of the problem. According to the security software firm PC Pitstop, nearly a quarter of personal computers are afflicted with some type of unwanted or deceptive software application. More aggressive estimates place the total at between 80 and 90 percent of all PCs. Indeed, a 2003 study by the National Cyber Alliance found that 91 percent of broadband customers have some form of unwanted or deceptive software on their home computers. What may be most alarming is the growth of these programs over the past year. PestPatrol, which sells spyware detection and removal software, estimates that there are now more than 78,000 separate spyware programs in use. In the past year, PestPatrol identified more than 500 new Trojan horses (which are programs that provide unlimited access to PCs), 500 new key loggers (which monitor and record a user's keystrokes), and nearly 1,300 new forms of programs that display advertisements. The past year has also seen spyware manufacturers gain strides in their ongoing technological battle against anti-spyware removal and detection systems. Over the past six months, the number of ``burrowers''--programs that dig so deeply into an operating system that they cannot be found or removed without major and potentially damaging surgery--has increased from six to more than 40. The explosion in the volume of unwanted and deceptive software has had an enormous impact on Microsoft, as has the accompanying increase in the complexity with which those programs operate and the damage that they do. Many of our customers blame the problems caused by these programs on Microsoft software, believing that their systems are operating slowly, improperly, or not at all because of flaws in our products or other legitimate software. This costs us not only millions of dollars per year in otherwise unnecessary support calls, but also immeasurable damage to our reputation and, most importantly, to our efforts to optimize our customers' computer experiences. Adopting a Comprehensive Strategy To Combat Unwanted and Deceptive Software As I have shown, there is a continuum of behaviors that lead or trick users into downloading unwanted software programs. In the same vein, there is a continuum of solutions that we believe must be part of the strategy to end these behaviors and curb the spread of deceptive software. This strategy has four prongs: widespread customer education; innovative technology solutions; improved industry self-regulation; and aggressive enforcement under existing state and federal laws. As I mentioned previously, new, carefully crafted and narrowly focused legislation can also play a role to the extent that existing laws do not fully address certain deceptive or misleading practices. Addressing the Problem Starts with Consumer Education The first step in the battle against unwanted and deceptive software is better consumer education. Once confined to the back pages of industry journals, the problem is beginning to move to the mainstream of consumer protection issues, as last week's workshop at the Federal Trade Commission and today's hearing demonstrate. These public forums are essential in heightening consumer awareness of the problems caused by deceptive software. To complement those efforts, Microsoft recently launched a website--www.microsoft.com/spyware--with information that is specifically designed to help consumers understand, identify, prevent, and remove unwanted and deceptive software. This website explains what spyware is and why it can be dangerous; tells users how they can protect their machines from being compromised by these unauthorized programs; helps consumers ascertain whether their computers already contain unwanted or deceptive software by describing its symptoms, such as sluggish performance, an increase in random pop-up advertisements, and a hijacked home page; and points users to third-party tools that can detect and remove these programs. Microsoft is committed to working with Congress and the FTC to continue educating consumers about the ways they can prevent unwanted and deceptive software from attacking their PCs. While the Internet is an incredible resource that has enabled--and will continue to enable-- countless and sweeping improvements in communications, commerce, and government, that same power requires that computer users take the same care for their safety and security online as they would offline. As an industry leader, we acknowledge and strive to fulfill our responsibility to educate consumers about these and other related issues. Consumers who take steps to remove or prevent the installation of this software will not only preserve their own privacy, security, and optimum computer experiences, but they will make an important contribution to the larger effort of generally eliminating the problem. The entities that produce these programs will have much less incentive to create and download their products if consumers take steps to block their use--or at least do not respond to the seller on whose behalf the deceptive software purveyor is operating. Industry Is Working on New Technology To Combat Deceptive Software The development of anti-spyware technology should complement the impact of consumer education and awareness. For example, third parties have released anti-spyware programs that enable users to remove or disable many examples of unwanted and deceptive software from their PCs without damaging their existing hardware or legitimate software. These tools are continually being improved to address new variants and scenarios. Microsoft is working on enhancements that will also help address the problem. For example, we will soon be introducing Windows XP Service Pack 2--a free update for all licensed Windows XP users--that includes features designed to block some of the entry points and distribution methods of deceptive software by better informing users in advance about the type of software they will be installing. These enhancements include: A new pop-up blocker, turned on by default, that will reduce a user's exposure to unsolicited downloads (See Slide I: ``New Popup Blocker''); A new download blocker that will suppress unsolicited downloads until the user expresses interest (See Slide J: ``New Download Blocker''); Redesigned security warnings that make it easier for users to understand what software is to be downloaded, make it more obvious when bad practices are used (e.g., multi-line program names), and allow users to choose to never install certain types of software (See Slide K: ``Improved Install Prompts''); A new policy that restricts a user's ability to directly select ``low'' security settings (See Slide L: ``Harder to Leave Your Front Door Open''); and, Tools to help expert users and support professionals understand and disable unwanted functionalities that have been added to the browser. (See Slide M: ``New Add-On Manager.'') Beyond Windows XP Service Pack 2, Microsoft is investing in future technologies that advance our goal of giving users the ability to understand what software they are running and installing, and whether they can trust it. We continue to explore ways that we can better inform consumers in advance about programs that they plan to install, and to provide them with more control over the installation itself. We also are striving to enhance and simplify the ways in which our customers can see what software is running on their computers, and to evaluate what to do with that software based on their preferences. And we are working to advance technologies that can be used by our entire spectrum of customers--from the most sophisticated enterprise to the most novice consumer--because we want them all to have an equally fulfilling computer experience. Industry Best Practices Are an Important Part of the Solution The third important part of our strategy is to develop a set of industry-wide best practices. Developing best practices is critical because they will create an incentive for legitimate software publishers to distinguish themselves from less scrupulous publishers and minimize the risk of being classified with the bad actors that engage in deceptive practices. Best practices will also serve as a foundation for programs that certify and label good actors and thereby enable users to make more informed decisions about the type of software they execute and install on their computers. The first step in this process is developing an understanding of the devious, deceptive, or unfair practices that adversely affect consumers. The Center for Democracy and Technology (CDT) has made great strides in this area through its Consumer Software Working Group, of which we are a member. This group includes public interest organizations, software companies, Internet service providers, and hardware manufacturers, all of whom have worked hard to identify a set of deceptive practices that raise serious concerns. These practices-- many (if not all) of which are illegal under existing law--should help focus regulatory and law enforcement efforts on the truly bad actors. In addition to recognizing bad practices, we think it is equally important to begin to develop best practices in certain scenarios. These scenarios include the collection and transmission of personal information, the display of advertisements, and changes to configuration settings that affect the Internet browser home page or browser search page. The touchstone of these best practices should be appropriate notice and consent. Users should understand what the software will do in these scenarios before it is executed, and they should then have a choice about whether to execute it. In addition, programs with these features that are installed on a user's computer should also be easily uninstalled or disabled--or if that is not possible, the user should be clearly informed of that fact upfront. Microsoft is actively extending its best practices to explicitly include the scenarios highlighted above. We are committed to working with other companies in the industry to ensure that users have high- quality experiences with legitimate software. And we would be happy to share our best practices to the extent they would be helpful in moving the industry forward to this common goal. In the end, self-regulatory measures more than federal requirements will help industry leaders define and implement best practices that account for the complexities of different software applications and can evolve to meet the ever- changing nature of technology. Enforcement Is a Critical Part of the Fight Against Deceptive Software A fourth key weapon to stop the spread of deceptive software is the aggressive enforcement of existing laws. Such enforcement could put some of the most insidious violators out of business, which would have a significant impact on the amount and type of deceptive software that is produced and distributed in the United States. Moreover, a few targeted enforcement actions would serve as a powerful deterrent to other manufacturers of deceptive software. Enforcement actions are possible using existing law. For example, under the Federal Trade Commission Act, the FTC is empowered to challenge unfair and deceptive trade practices, which--by definition-- are at the heart of virtually all deceptive software programs. Many states have similar laws that authorize their own enforcement agencies to prosecute entities that engage in these same types of practices. And the Computer Fraud and Abuse Act provides other law enforcement agencies with the means to address spyware threats that involve hacking into users' computers. Given the growing sophistication, diversity, and proliferation of spyware, the private and public sectors should combine their resources to hold those who publish illegitimate deceptive software accountable for their actions and the damage they perpetrate. Congress Should Proceed Cautiously Microsoft is hopeful that the combination of user education, improved technology, industry best practices, and enforcement of existing laws can effectively combat the growing problem of deceptive software. Although we have seen an increase in the amount and complexity of deceptive software in recent months, it is encouraging to see the stepped-up response of both the public and private sectors. We are open to considering whether federal legislation can provide an additional layer of protection and another weapon in the fight against deceptive software. However, Microsoft offers two important caveats when considering federal legislation. First, as noted above, many deceptive software programs are already either prohibited under existing law--such as the Computer Fraud and Abuse Act--or are subject to the FTC's jurisdiction over unfair and deceptive trade practices. Any additional federal legislation deemed necessary to outlaw deceptive software must be carefully crafted to supplement the existing legal framework only where gaps are identified. Second, any legislation should target deceptive behavior, rather than specific features or functionalities, to avoid imposing unworkable requirements on legitimate programs and negatively impacting computer users. Examples of some unintended consequences of well-intentioned legislation include the following: Disruptive User Experience. Many legitimate software programs contain an information-gathering activity to perform properly, including error reporting applications, troubleshooting and maintenance programs, security protocols, and Internet browsers. Imposing notice and consent requirements every time these legitimate programs collect and transmit a piece of information would disrupt the computing experience, because users would be flooded with constant, non-bypassable warnings-- making it impossible to perform routine Internet functions (such as connecting to a web page) without intolerable delay and distraction. Compromised Consent Experience. ``One size fits all'' notice and consent requirements may not give users sufficient context to make informed decisions. For example, requiring notice and consent at the time of installation ignores the importance of a technique we refer to as ``just in time'' consent, which delays the notice and consent experience until the time most relevant to the user--just before the feature is executed. If a program crashes, for instance, Windows Error Reporting functionality will ask the user whether he or she would like to send crash information to Microsoft. At this time, the user is able to examine the type of information that will be sent to Microsoft and to assess the actual privacy impact, if any, of transmitting such information in light of the potential benefit of receiving a possible fix for the problem. In this case, the user understands the costs and benefits of the proposition being made and is able to make an informed choice. Presenting the notice and choice experience at the time of installation, on the other hand, would lack this critical context. Unrealistic Uninstall Requirements. Requiring standardized uninstall practices for all software would be unworkable in many circumstances. For example, there are cases where a full and complete uninstall is neither technically possible nor desirable, such as with a software component that is in use and shared by other programs. In addition, there are other cases where an uninstall may be technically possible, but the cost to provide such functionality would be prohibitive, such as with complex software systems that may require the entire software system to be removed. Finally, there are situations where requiring uninstall could actually comprise the security of the system, such as backing out security upgrades or removing critical services. There are many other areas in which legislation could fall into similar traps, imposing ineffective or impracticable requirements, or even threatening PC security and usability. We therefore encourage Congress to focus its attention on the devious practices of deceptive software, including those identified by CDT and its Consumer Software Working Group; to legislate only to the extent such practices are not already illegal under existing law; and to engage industry experts in understanding the complexities of software, thereby ensuring appropriate due diligence to avoid unintended consequences. Unwanted and deceptive software is a growing problem, and we believe that a multi-faceted approach is needed: improved consumer education; new technology solutions; a comprehensive set of industry best practices; and aggressive enforcement of existing laws against violators. This approach will enable consumers to make more informed decisions about installing software; help distinguish good actors from bad ones; and make being bad an expensive proposition. We commend the Subcommittee for holding this hearing today and thank you for extending us an invitation to share our experience and recommendations with you. Microsoft is committed to working with you to thwart the efforts of those who produce and distribute these deceptive programs, and to restoring choice and control back where it belongs--in the hands of consumers. [GRAPHIC] [TIFF OMITTED] T3308.001 [GRAPHIC] [TIFF OMITTED] T3308.002 [GRAPHIC] [TIFF OMITTED] T3308.003 [GRAPHIC] [TIFF OMITTED] T3308.004 [GRAPHIC] [TIFF OMITTED] T3308.005 [GRAPHIC] [TIFF OMITTED] T3308.006 [GRAPHIC] [TIFF OMITTED] T3308.007 [GRAPHIC] [TIFF OMITTED] T3308.008 [GRAPHIC] [TIFF OMITTED] T3308.009 [GRAPHIC] [TIFF OMITTED] T3308.010 [GRAPHIC] [TIFF OMITTED] T3308.011 [GRAPHIC] [TIFF OMITTED] T3308.012 [GRAPHIC] [TIFF OMITTED] T3308.013 [GRAPHIC] [TIFF OMITTED] T3308.014 [GRAPHIC] [TIFF OMITTED] T3308.015 [GRAPHIC] [TIFF OMITTED] T3308.016 [GRAPHIC] [TIFF OMITTED] T3308.017 Mr. Stearns. I thank you for your demonstration. Mr. David Baker, who is Vice President, Law and Public Policy with Earthlink. We welcome you. STATEMENT OF DAVID N. BAKER Mr. Baker. Mr. Chairman Stearns, Ranking Member Schakowsky, ladies and gentlemen of the committee, thank you for inviting me here today. I'm Dave Baker, Vice President for Law and Public Policy with Earthlink, headquartered in Atlanta. Earthlink is the Nation's third largest internet service provider, serving over 5 million customers nationwide with dial-up, broadband, web posting and wireless internet services. Earthlink is always striking to improve its customers online experience. To that end, we appreciate the attention this committee is paying to the growing problem of spyware. We may be at the point in time with regard to the development and proliferation of spyware that we were just a year or 2 ago with spam. In other words, spyware is just now being noticed by many consumers, yet threatens to grow to the point where it could soon compromise their online experience and security if it does not do so already. As the Wall Street Journal noted just this past Monday, April 26, ``indeed spyware, small programs that install themselves on computers to serve up advertising, monitor web surfing and other computer activities and carry out other orders is quickly replacing spam as the online annoyance computer users most complain about.'' Also like spam, we must fight spyware on several fronts, using legislation, enforcement, customer education and technology solutions. To this end, we applaud the efforts of Congresswoman Bono, Congressman Towns, other members and this committee to introduce legislation such as H.R. 2929, the Safeguard Against Privacy Invasions or SPI Act, prohibiting the installation of software without consent, requiring uninstall capability, establishing requirements for transmission pursuant to license agreements and requiring notices for collection of personally identifiable information, intent to advertise, and modification of user settings are all steps that will empower consumers and keep them in control of their computers and their online experience. As a leading internet provider, EarthLink is on the front lines in combating spyware. EarthLink makes available to both its customers and the general public technology solutions to spyware such as EarthLink Spy Audit powered by Webroot. Spy Audit is a free service that allows users to quickly examine his or her computer and detect spyware. A free download of Spy Audit is available at our website and a screen shot of this web page is attached as Exhibit A to my testimony. EarthLink members also have access to Spyware Blocker which disabled all common forms of spyware including adware, system monitors, key loggers and Trojans. EarthLink Spyware Blocker is available free for EarthLink members as a part of Total Access 2004, our internet access software and a screen shot with information on Spyware Blocker is attached as Exhibit B to my testimony. We include useful tools such as spamBlocker, Pop-Up Blocker, Virus Blocker, Privacy Tools and Parental Controls in addition to Spyware Blocker and we will soon be introducing Scam Blocker which will help users detect and avoid nefarious fisher sites. On April 15, 2004, EarthLink and Webroot announced the results of their Spyware Audit report. Over 1 million Spy Audit scans performed from January 1 through March 31st of this found over 29.5 million instances of spyware. This represents almost 28 instances of spyware per scanned PC. While approximately 23.8 million of these installations were mostly harmless adware cookies, the scans revealed over 5.3 million installations of adware and more seriously, over 184,000 system monitors, and almost 185,000 Trojans. A copy of the EarthLink/Webroot press release detailing these findings is attached as Exhibit C to my testimony. Spyware is thus a growing problem that demands the attention of Congress, the FTC, consumers and industry alike. Through the efforts of Congress to introduce legislation like the SPI Act, the FTC to investigate the issue at its recent spyware workshop and through industry development of anti-ware tools, we can all help protect consumers against a threat that is often unseen, but very much real. Thank you for having me here today. [The prepared statement of David N. Baker follows:] Prepared Statement of David N. Baker, VP, Law & Public Policy, EarthLink, Inc. Mr. Chairman, Ladies and Gentlemen of the Committee, thank you for inviting me here today. I am Dave Baker, Vice President for Law and Public Policy with EarthLink. Headquartered in Atlanta, EarthLink is the nation's 3rd largest Internet Service Provider (ISP), serving over 5 million customers nationwide with dial-up, broadband (DSL, cable and satellite), web hosting and wireless Internet services. EarthLink is always striving to improve its customers' online experience. To that end, we appreciate the attention this committee is paying to the growing problem of spyware. Spyware: The Next Spam? We may be at a point in time with regard to the development and proliferation of spyware that we were just a year or two ago with spam. In other words, spyware is just now being noticed by many consumers yet threatens to grow to the point where it could soon compromise their online experience and security, if it does not do so already. As the Wall Street Journal noted just this past Monday, April 26, ``Indeed, spyware--small programs that install themselves on computers to serve up advertising, monitor Web surfing and other computer activities, and carry out other orders--is quickly replacing spam as the online annoyance computer users most com-plain about.'' Also like spam, we must fight spyware on several fronts, using legislation, enforcement, customer education and technology solutions. To this end, we applaud the efforts of Congress and this committee to introduce legislation such as H.R. 2929, the Safeguard Against Privacy Invasions (SPI) Act. Prohibiting the installation of software without consent, requiring uninstall capability, establishing requirements for transmission pursuant to license agreements, and requiring notices for collection of personally identifiable information, intent to advertise and modification of user settings are all steps that will empower consumers and keep them in control of their computers and their online experience. EarthLink Experience As a leading Internet provider, EarthLink is on the front lines in combating spyware. EarthLink makes available to both its customers and the general public technology solutions to spyware such as EarthLink Spy Audit powered by Webroot (``Spy Audit''). Spy Audit is a free service that allows a user to quickly examine his or her computer and detect spyware. A free download of Spy Audit is available at www.earthlink.net/spyaudit. (See Exhibit A, attached hereto.) EarthLink members also have access to EarthLink Spyware Blocker, which disables all common forms of spyware including adware, system monitors, key loggers and Trojans. EarthLink Spyware Blocker is available free for EarthLink members as part of Total Access 2004, our Internet access software. See www.earthlink.net/home/software/spyblocker (Exhibit B, attached hereto). Total Access 2004 includes useful tools such as spamBlocker, Pop-Up Blocker, Virus Blocker, Privacy Tools and Parental Controls in addition to Spyware Blocker. On April 15, 2004, EarthLink and Webroot announced the results of their Spy Audit report. Over 1 million Spy Audit scams performed from January 1, 2004 to March 31, 2004 found over 29,500,000 instances of spyware. This represents almost 28 instances of spyware per scanned PC. While approximately 23.8 million of these installations were mostly harmless adware cookies, the scans revealed over 5.3 million installations of adware, and more seriously, over 184,000 system monitors, and almost 185,000 Trojans. A copy of the EarthLink/Webroot press release detailing these findings is attached hereto as Exhibit C. Conclusion Spyware is thus a growing problem that demands the attention of Congress, the FTC, consumers and industry alike. Through the efforts of Congress to introduce legislation like the SPI Act, the FTC to investigate the issue at its recent spyware workshop, and through industry development of anti-spyware tools, we can all help protect consumers against a threat that is often unseen, but very much real. Thank you for your time today. Mr. Stearns. I thank the gentleman. I'm going to go to the Honorable Mozelle Thompson, Commissioner, Federal Trade Commission and welcome you. STATEMENT OF HON. MOZELLE W. THOMPSON Mr. Thompson. Thank you, Mr. Chairman and Ranking Member Schakowsky, members of the committee and subcommittee. It's good to see you. As you know, I'm Commissioner at the FTC and I wish to thank the committee for holding this hearing on the important subject of spyware. I also appreciate the opportunity to appear before you today. As you know--well, first, let me begin by telling you the views I express here are my own and not necessarily those of the Commission. As you know, the FTC has long been involved with internet issues like online privacy, identity theft, cross border fraud and spam. And our experience has given us a unique vantage point to view developments in the consumer marketplace and identify issues that warrant public attention. Last week, the Commission held a 1-day public workshop on one of those topics, the distribution and effects of software commonly referred to as spyware. We began our workshop by asking participants to define what spyware is. As the chairman noted, spyware commonly refers to software that essentially monitors consumers' computing habits and as such, it necessarily raises privacy issues. This software can offer consumers and businesses various benefits, including a streamline interactive online experience and updates and can allow businesses to more effectively communicate with their customers. However, spyware can also be used as secret software that surreptitiously gathers information and transmits it to third parties without the subject's knowledge or consent. Sometimes these uses can result in identity theft and other types of fraud and in some cases can interfere with the computer's operability. These activities undermine consumer confidence in the marketplace and can also impose extra costs on good actors who are forced to compete against those willing to engage in deception, fraud or worse. I used our workshop as an opportunity to challenge industry to promptly develop a set of best practices with respect to spyware. These practices should contain several critical elements including meaningful notice and choice so the consumers can make informed decisions about whether or not they wish to deal with an online business that uses monitoring spyware or partners with companies that do. I also asked industry to develop a public campaign to educate consumers and businesses about what spyware is and how it operates. This public campaign should also discuss the array of technological tools that are available for consumer use. Finally, I called upon industry to establish a mechanism that will allow businesses and consumers to maintain a continuing dialog on how government can take action against those who do wrong and undermine consumer confidence through the misuse of spyware. Now some Members of Congress, including Representative Bono and Towns, are calling for spyware legislation. I commend you for bringing important public attention to this issue. And I understand the desire to take action before the problems associated with spyware grow worse and injure more consumers and businesses, but I do not believe legislation is the answer at this time. Instead, I respectfully submit that we should give industry an opportunity to respond to my challenge. My experience working on issues like online privacy and spam tells me that in approaching such problems any solution must at the very least be based on transparency, adequate notice and consumer choice. So I've used my challenge as a way to set out what I consider to be the critical elements that should form a baseline for any industry response. If the self-regulatory response is not timely or is inadequate, another perhaps legislative approach might be appropriate. In any event, whatever is done in this area should work in conjunction with existing laws like the FTC Act which allows the Commission to take action against deceptive or unfair practices. I make this suggestion with some circumspection, recognizing that there are many who would like Congress to act now. But absent a comprehensive data privacy law in the United States and recognizing the challenge posed by defining spyware because it has beneficial and not beneficial uses, I believe that self-regulation, combined with enforcement of existing laws will help address many of the issues raised in this area. I am also aware that States might be anxious to legislate here, but I ask them to be cautious as well because a patchwork of differing and inconsistent State approaches might be confusing to industry and consumers alike. Now finally, as I mentioned, spyware raises important privacy concerns and several years ago I appeared before Congress and suggested that a Federal law incorporating fair information practices might be an acceptable legislative response. I believe it may still be, but I don't think it will be the most effective in addressing the problems posed by spyware. For the time being, however, a strong, responsible and prompt industry self-regulatory response may provide an effective solution for the problems that spyware poses for both consumers and industry. Thank you very much. [The prepared statement of Hon. Mozelle W. Thompson follows:] Prepared Statement of The Federal Trade Commission Mr. Chairman and members of the Committee, the Federal Trade Commission (``Commission'' or ``FTC'') appreciates this opportunity to provide the Commission's views on ``spyware.'' <SUP>1</SUP> --------------------------------------------------------------------------- \1\ The written statement presents the views of the Federal Trade Commission. Oral statements and responses to questions reflect the views of the speaker and do not necessarily reflect the views of the Commission or any other Commissioner. --------------------------------------------------------------------------- The FTC has a broad mandate to prevent unfair competition and unfair or deceptive acts or practices in the marketplace. Section 5 of the Federal Trade Commission Act gives the agency the authority to challenge acts and practices in or affecting commerce that are unfair or deceptive.<SUP>2</SUP> The Commission's law enforcement activities against unfair or deceptive acts and practices are generally designed to promote informed consumer choice. This statement will discuss the FTC's activities related to spyware, including our recent workshop and potential law enforcement actions. --------------------------------------------------------------------------- \2\ 15 U.S.C. 45. --------------------------------------------------------------------------- FTC SPYWARE WORKSHOP For nearly a decade, the FTC has addressed online privacy and security issues affecting consumers. Through a series of workshops and hearings, the Commission has sought to understand the online marketplace and its information practices, to assess the impact of these practices on consumers, and to challenge industry leaders to develop and implement meaningful self-regulatory programs.<SUP>3</SUP> --------------------------------------------------------------------------- \3\ See, e.g., Workshop: Technologies for Protecting Personal Information, The Consumer Experience (May 14, 2003); Workshop: Technologies for Protecting Personal Information, The Business Experience (June 4, 2003); Consumer Information Security Workshop (May 20, 2002). --------------------------------------------------------------------------- The most recent example of this approach is the workshop entitled ``Monitoring Software on Your PC: Spyware, Adware, and Other Software'' that was held last week. The workshop was designed to provide us with information about the nature and extent of problems related to spyware, and possible responses to those problems. Specifically, the workshop focused on four main topics: (1) defining ``spyware'' and exploring how it is distributed (including the role of peer-to-peer file-sharing software and whether spyware may differ from ``adware''); (2) examining spyware's general effects on consumers and competition; (3) exploring spyware's potential security and privacy risks; and (4) identifying technological solutions, industry initiatives, and governmental responses (including consumer education) related to spyware. Underscoring the importance of this issue both FTC Commissioners Orson Swindle and Mozelle Thompson personally participated in the workshop. To encourage broad-based participation, the FTC issued a Federal Register Notice announcing the workshop and requesting public comment.<SUP>4</SUP> The Commission received approximately 200 comments, and the record will remain open until May 21, 2004, for submission of additional comments. At the workshop, a wide range of panelists engaged in a spirited debate concerning spyware, including what government, industry, and consumers ought to do to respond to the risks associated with spyware. --------------------------------------------------------------------------- \4\ 69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/ --------------------------------------------------------------------------- Although the agency is continuing to receive information on this important issue, the record at the workshop leads to some preliminary conclusions. First, perhaps the most challenging task is to carefully and clearly define the issue. ``Spyware'' is an elastic and vague term that has been used to describe a wide range of software.<SUP>5</SUP> Some definitions of spyware could be so broad that they cover software that is beneficial or benign; software that is beneficial but misused; or software that is just poorly written or has inefficient code. Indeed, there continues to be considerable debate regarding whether ``adware'' should be considered spyware. Given the risks of defining spyware too broadly, some panelists at our workshop argued that the more prudent course is to focus on the harms caused by misuse or abuse of software rather than on the definition of spyware. --------------------------------------------------------------------------- \5\ For the purposes of the workshop, the FTC Staff tentatively described spyware as ``software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer's consent, or asserts control over a computer without the consumer's knowledge.'' 69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/ --------------------------------------------------------------------------- Panelists described a number of harms caused by spyware. These include invasions of privacy, security risks, and functionality problems for consumers. For example, spyware may harvest personally identifiable information from consumers through monitoring computer use without consent. Spyware also may facilitate identity theft by surreptitiously planting a keystroke logger on a consumer's personal computer. It may create security risks if it exposes communication channels to hackers. Spyware also may adversely affect the operation of personal computers, including slowing processing time and causing crashes, browser hijacking, home page resetting, installing dialers, and the like. These harms are problems in themselves, and could lead to a loss in consumer confidence in the Internet as a medium of communication and commerce. Many of the panelists discussed how spyware may cause problems for businesses. Companies may incur costs as they seek to block and remove spyware from the computers of their employees. Employees will be less productive if spyware causes their computers to crash or they are distracted from their tasks by a barrage of pop-up ads. Spyware that captures the keystrokes of employees could be used to obtain trade secrets and other confidential information from businesses. In addition, representatives from companies such as ISPs, PC manufacturers, anti-virus providers, and an operating system manufacturer indicated that they spend substantial resources responding to customer inquiries when PCs or Internet browsers do not work as expected due to the presence of spyware. As such, these companies also may suffer injury to their reputations and lose good will. Because of the relatively recent emergence of spyware, there has been little empirical data regarding the prevalence and magnitude of these problems for consumers and businesses. Given how broadly spyware can be distributed and the severity of some of its potential risks, government, industry, and consumers should treat the threats to privacy, security, and functionality posed by spyware as real and significant problems. At the workshop, we heard that substantial efforts are currently underway to address spyware. Industry is deploying new technologies as well as distributing educational materials to assist consumers in addressing the problems associated with spyware. Similarly, at the workshop, industries involved with the dissemination of software reported that they are developing best practices. Consumers and businesses are becoming more aware of the capabilities of spyware, and they are responding by installing anti- spyware products and taking other measures to minimize these risks. Government and industry-sponsored education programs, and industry self-regulation, could be instrumental in making users more aware of the risks of spyware, thereby assisting them in taking actions to protect themselves (such as running anti-spyware programs).<SUP>6</SUP> --------------------------------------------------------------------------- \6\ Panelists at the workshop noted that consumers need to be very careful to obtain anti-spyware programs from legitimate providers because some purported anti-spyware programs in fact disseminate spyware. --------------------------------------------------------------------------- FTC LAW ENFORCEMENT As the nation's primary consumer protection agency, the Commission also has a law enforcement role to play in connection with unfair or deceptive acts or practices involved in the distribution or use of spyware.<SUP>7</SUP> At the workshop, FTC and DOJ staff members noted that many of the more egregious spyware practices described at the workshop may be subject to attack under existing Federal and State laws, and the workshop concluded with a request that industry and consumer groups notify the FTC staff of problematic practices. --------------------------------------------------------------------------- \7\ The Commission will find deception if there is a material representation, omission, or practice that is likely to mislead consumers acting reasonably in the circumstances, to their detriment. See Federal Trade Commission, Deception Policy Statement, appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984) (``Deception Statement''). An act or practice is ``unfair'' if it causes or is likely to cause substantial injury to consumers, that injury is not outweighed by any countervailing benefits to consumers and competition, and consumers could not have reasonably avoided the injury. 15 U.S.C. 45(n). --------------------------------------------------------------------------- The Commission is conducting non-public investigations related to the dissemination of spyware. As discussed at the workshop, however, investigating and prosecuting acts and practices related to spyware, particularly the more pernicious programs, pose substantial law enforcement challenges. Given the surreptitious nature of spyware, it often is difficult to ascertain from whom, from where, and how such products are disseminated. Consumer complaints, for instance, are less likely to lead directly to targets than in other law enforcement investigations, because consumers often do not know that spyware has caused the problems or, even if they do, they may not know the source of the spyware.<SUP>8</SUP> Indeed, computer manufacturers stated at our workshop that they believe an increasing number of service calls are spyware-related and spyware-related issues are difficult to diagnose. Similarly, search engine providers testified that consumers complain to them, not realizing that the spyware (not the search engine) is causing their dissatisfaction with their search engine. --------------------------------------------------------------------------- \8\ Identifying the source of spyware is especially difficult when consumers were not even aware that the spyware had been installed. --------------------------------------------------------------------------- The Commission has long been active in challenging unfair or deceptive acts or practices on the Internet, and spyware cases are not fundamentally different. Over the course of nearly a decade, we have brought approximately 300 cases challenging Internet practices involving substantial consumer harms, including harms similar to those posed by some examples of spyware. Most recently, in D Squared Solutions, LLC, the defendants allegedly exploited an operating system feature to harm consumers. The Windows operating system uses ``Messenger Service'' windows to allow network administrators to provide instant information to network users, for example, a message to let users know that a print job has been completed. The defendants in D Squared exploited this feature to send Messenger Service pop-up ads to consumers, advertising software that supposedly would block such ads in the future. Consumers would receive these pop-up ads as often as every ten minutes. The Commission filed a complaint in federal court alleging that the defendants unfairly interfered with consumers' use of their computers and tried to coerce consumers into buying software to block pop-up ads.<SUP>9</SUP> --------------------------------------------------------------------------- \9\ FTC v. D Squared Solutions, LLC, No. 03-CV-3108 (D. Md. 2003). The case is currently in litigation. --------------------------------------------------------------------------- The Commission brought several cases challenging the surreptitious distribution of dialer programs. A paper submitted at the workshop by the Computer Software Working Group <SUP>10</SUP> identified surreptitious downloads as an example of one of the problematic practices of some spyware programs. Past Commission actions have attacked similar programs that secretly disconnect consumers from their Internet Service Providers, reconnect them to another network, and charge them exorbitant fees for long distance telephone service or entertainment services delivered over the telephone line.<SUP>11</SUP> We also have challenged the practice of ``pagejacking'' consumers and then ``mousetrapping'' them at pornographic web sites.<SUP>12</SUP> These cases demonstrate that the Commission has the authority under Section 5 of the FTC Act to take action to prevent harms to consumers similar to those that spyware allegedly causes. --------------------------------------------------------------------------- \10\ The Consumer Software Working Group is comprised of public interest groups, software companies, Internet Service Providers, hardware manufacturers, and others. Available at <http://www.cdt.org/ privacy/spyware/2 \11\ See, e.g., FTC v. Alyon Technologies, Inc., No. 1:03-CV-1297 (N.D. Ga. 2003); FTC v. BTV Indus., No. CV-S-02-0437-LRH-PAL (D. Nev. 2003); FTC v. Anderson, No. C00-1843P (W.D. Wash. 2000); FTC v. RJB Telcom, Inc., No. 002017 PHX EHC (D. Az. 2000); FTC v. Sheinkin, No. 2- 00-3636 18 (D.S.C. 2000); FTC v. Verity Int'l, Ltd., No. 00 Civ. 7422 (LAK) (S.D.N.Y. 2000); FTC v. Audiotex Connection, Inc., No. CV-97- 00726 (E.D.N.Y. 1997); see also Beylen Telecom, Ltd., FTC Docket No. C- 3782 (final consent Jan. 23, 1998). \12\ See, e.g., FTC v. Zuccarini, No. 01-CV-4854 (E.D. Pa. 2002); FTC v. Carlos Pereira d/b/a atariz.com, No. 99-1367-A (E.D.N.Y. 1999). --------------------------------------------------------------------------- CONCLUSION Spyware appears to be a new and rapidly growing practice that poses a risk of serious harm to consumers. The Commission is learning more about this practice, so that government responses to spyware will be focused and effective. We are continuing to pursue law enforcement investigations. The FTC thanks this Committee for focusing attention on this important issue, and for giving us an opportunity to present the preliminary results from our workshop. We look forward to further discussions with the Subcommittee on this issue. Mr. Stearns. Thank you, Commissioner. Mr. Howard Beales, Director of Bureau of Consumer Protection. STATEMENT OF HON. J. HOWARD BEALES III Mr. Beales. Thank you, Mr. Chairman, and members of the subcommittee. I'd like to thank you for providing the Federal Trade Commission with this opportunity to submit testimony. The written testimony represents the views of the Federal Trade Commission and my oral comments do not necessarily reflect the views of the Commission or any individual Commissioner. We're here today to discuss spyware, a subject of growing concern to consumers. Loosely defined, spyware is software that aids in gathering information about a person or organization without their knowledge and it may send such information to another entity without the consumers consent. Other spyware may assert control over a computer without the consumer's knowledge. As in many cases of the new internet issues, the question is how to proceed against practices that are clearly abusive without interfering with the benefits that the internet provides to consumers. As Commissioner Thompson has described, we've accomplished this task through a series of workshops and hearings where the Commission has sought to understand the online marketplace and its information practices, to assess the impact of these practices on consumers, and to challenge industry leaders to deal with consumers in a straight forward and responsible manner. Our most recently application of this approach was last week's workshop, monitoring software on your PC, spyware, adware and other software. It seems clear from the workshop's discussion that spyware may harvest personally identifiable information from consumers through monitoring computer use without consent. It also may facilitate identity theft by surreptitiously planting a keystroke logger on a user's personal computer. Spyware may create security risks if it exposes communications' channels to hackers. It also may affect the operation of personal computers, causing crashes, browser hijacking, home page resetting and the like. These harms are problems in themselves and could lead to a loss in consumer confidence in the internet as a medium of communication and commerce. Second, many of the panelists discussed how spyware may cause problems for businesses too. Companies may incur costs as they seek to block and remove spyware from computers of their employees or their customers. Employees will also be less productive if spyware causes their computers to crash or if they're distracted from their tasks by a barrage of popup ads. Spyware that captures the keystrokes of employees could be used to obtain trade secrets and confidential information from businesses. We also heard that substantial efforts are currently underway to address spyware. In response to market forces, industry is developing and deploying new technologies to assist consumers. Consumers and businesses are becoming more aware of the risks of spyware and they're responding by installing anti- spyware products and other measures. Certain industry representatives indicated that they would explore best practices and consumer education on issues related to spyware. All of these efforts are very encouraging. Another key theme of our workshop was the need to define the problem carefully and clearly. Defining a class of software that causes problems is a difficult task. Spyware is an elastic and vague term that's been used to describe a wide range of software. A vague definition of software could be so broad that it covers software that is beneficial or benign, software that is harmful, software that is beneficial or benign, but misused, and software that is just poorly written or inefficient code. Such imprecise definitions would treat these types of software in the same manner. We need to determine whether there is a definable class of software that can truly be called spyware. The easiest way to start drawing lines is through case by case law enforcement. The Commission has law enforcement authority to challenge unfair or deceptive practices involved in the distribution or use of spyware. At the workshop, FTC and DOJ staff members noted that many of the more egregious spyware practices described at the workshop are subject to attack under existing Federal and State laws including Section 5 of the FTC Act. We have nonpublic investigations related to the dissemination of spyware. However, investigating and prosecuting acts and practices related to spyware, particularly the more pernicious programs pose law enforcement challenges. Given the surreptitious nature of spyware, it is often difficult to ascertain from whom, from where and how such products are dissemination. Consumer complaints are less likely to lead directly to targets that are in other law enforcement investigations because consumers often do not know that spyware has caused their problems. Even if they do, they may not know the source of the spyware. Despite the obstacles, the FTC has been active in taking action against internet practices involving consumer injury similar to those caused by spyware. For example, we're currently litigating against defendants who exploited allegedly an operating system feature to send incessant messenger service popup ads to consumers. It advertised software that supposedly would block such ads in the future. We filed a complaint, alleging that the defendants unfairly interfered with consumers' use of their computers and tried to coerce consumers into buying software to block the popup ads. And we brought several cases challenging the surreptitious distribution of dialer programs. These programs secretly disconnect consumers from their ISPs, reconnect them to another network and then charge exorbitant fees for long-distance telephone service or entertainment services delivered over the telephone line. We've also challenged the practice of page-jacking and then mouse-trapping consumers at pornographic websites. And the practice of bombarding consumers with an endless sequence of popup ads. We have the legal tools necessary to address bad practices. We continue to remain vigilant and eager to take action against those who are engaged in bad practices, and we've asked industry and consumer groups to notify the FTC staff of problematic practices. We are, as we said at the workshop, taking names. Thank you and I look forward to answering any questions that you may have. [The prepared statement of Hon. J. Howard Beales III follows:] Prepared Statement of The Federal Trade Commission Mr. Chairman and members of the Committee, the Federal Trade Commission (``Commission'' or ``FTC'') appreciates this opportunity to provide the Commission's views on ``spyware.'' <SUP>1</SUP> --------------------------------------------------------------------------- \1\ The written statement presents the views of the Federal Trade Commission. Oral statements and responses to questions reflect the views of the speaker and do not necessarily reflect the views of the Commission or any other Commissioner. --------------------------------------------------------------------------- The FTC has a broad mandate to prevent unfair competition and unfair or deceptive acts or practices in the marketplace. Section 5 of the Federal Trade Commission Act gives the agency the authority to challenge acts and practices in or affecting commerce that are unfair or deceptive.<SUP>2</SUP> The Commission's law enforcement activities against unfair or deceptive acts and practices are generally designed to promote informed consumer choice. This statement will discuss the FTC's activities related to spyware, including our recent workshop and potential law enforcement actions. --------------------------------------------------------------------------- \2\ 15 U.S.C. 45. --------------------------------------------------------------------------- FTC SPYWARE WORKSHOP For nearly a decade, the FTC has addressed online privacy and security issues affecting consumers. Through a series of workshops and hearings, the Commission has sought to understand the online marketplace and its information practices, to assess the impact of these practices on consumers, and to challenge industry leaders to develop and implement meaningful self-regulatory programs.<SUP>3</SUP> --------------------------------------------------------------------------- \3\ See, e.g., Workshop: Technologies for Protecting Personal Information, The Consumer Experience (May 14, 2003); Workshop: Technologies for Protecting Personal Information, The Business Experience (June 4, 2003); Consumer Information Security Workshop (May 20, 2002). --------------------------------------------------------------------------- The most recent example of this approach is the workshop entitled ``Monitoring Software on Your PC: Spyware, Adware, and Other Software'' that was held last week. The workshop was designed to provide us with information about the nature and extent of problems related to spyware, and possible responses to those problems. Specifically, the workshop focused on four main topics: (1) defining ``spyware'' and exploring how it is distributed (including the role of peer-to-peer file-sharing software and whether spyware may differ from ``adware''); (2) examining spyware's general effects on consumers and competition; (3) exploring spyware's potential security and privacy risks; and (4) identifying technological solutions, industry initiatives, and governmental responses (including consumer education) related to spyware. Underscoring the importance of this issue both FTC Commissioners Orson Swindle and Mozelle Thompson personally participated in the workshop. To encourage broad-based participation, the FTC issued a Federal Register Notice announcing the workshop and requesting public comment.<SUP>4</SUP> The Commission received approximately 200 comments, and the record will remain open until May 21, 2004, for submission of additional comments. At the workshop, a wide range of panelists engaged in a spirited debate concerning spyware, including what government, industry, and consumers ought to do to respond to the risks associated with spyware. --------------------------------------------------------------------------- \4\ 69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/ --------------------------------------------------------------------------- Although the agency is continuing to receive information on this important issue, the record at the workshop leads to some preliminary conclusions. First, perhaps the most challenging task is to carefully and clearly define the issue. ``Spyware'' is an elastic and vague term that has been used to describe a wide range of software.<SUP>5</SUP> Some definitions of spyware could be so broad that they cover software that is beneficial or benign; software that is beneficial but misused; or software that is just poorly written or has inefficient code. Indeed, there continues to be considerable debate regarding whether ``adware'' should be considered spyware. Given the risks of defining spyware too broadly, some panelists at our workshop argued that the more prudent course is to focus on the harms caused by misuse or abuse of software rather than on the definition of spyware. --------------------------------------------------------------------------- \5\ For the purposes of the workshop, the FTC Staff tentatively described spyware as ``software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer's consent, or asserts control over a computer without the consumer's knowledge.'' 69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/ --------------------------------------------------------------------------- Panelists described a number of harms caused by spyware. These include invasions of privacy, security risks, and functionality problems for consumers. For example, spyware may harvest personally identifiable information from consumers through monitoring computer use without consent. Spyware also may facilitate identity theft by surreptitiously planting a keystroke logger on a consumer's personal computer. It may create security risks if it exposes communication channels to hackers. Spyware also may adversely affect the operation of personal computers, including slowing processing time and causing crashes, browser hijacking, home page resetting, installing dialers, and the like. These harms are problems in themselves, and could lead to a loss in consumer confidence in the Internet as a medium of communication and commerce. Many of the panelists discussed how spyware may cause problems for businesses. Companies may incur costs as they seek to block and remove spyware from the computers of their employees. Employees will be less productive if spyware causes their computers to crash or they are distracted from their tasks by a barrage of pop-up ads. Spyware that captures the keystrokes of employees could be used to obtain trade secrets and other confidential information from businesses. In addition, representatives from companies such as ISPs, PC manufacturers, anti-virus providers, and an operating system manufacturer indicated that they spend substantial resources responding to customer inquiries when PCs or Internet browsers do not work as expected due to the presence of spyware. As such, these companies also may suffer injury to their reputations and lose good will. Because of the relatively recent emergence of spyware, there has been little empirical data regarding the prevalence and magnitude of these problems for consumers and businesses. Given how broadly spyware can be distributed and the severity of some of its potential risks, government, industry, and consumers should treat the threats to privacy, security, and functionality posed by spyware as real and significant problems. At the workshop, we heard that substantial efforts are currently underway to address spyware. Industry is deploying new technologies as well as distributing educational materials to assist consumers in addressing the problems associated with spyware. Similarly, at the workshop, industries involved with the dissemination of software reported that they are developing best practices. Consumers and businesses are becoming more aware of the capabilities of spyware, and they are responding by installing anti- spyware products and taking other measures to minimize these risks. Government and industry-sponsored education programs, and industry self-regulation, could be instrumental in making users more aware of the risks of spyware, thereby assisting them in taking actions to protect themselves (such as running anti-spyware programs).<SUP>6</SUP> --------------------------------------------------------------------------- \6\ Panelists at the workshop noted that consumers need to be very careful to obtain anti-spyware programs from legitimate providers because some purported anti-spyware programs in fact disseminate spyware. --------------------------------------------------------------------------- FTC LAW ENFORCEMENT As the nation's primary consumer protection agency, the Commission also has a law enforcement role to play in connection with unfair or deceptive acts or practices involved in the distribution or use of spyware.<SUP>7</SUP> At the workshop, FTC and DOJ staff members noted that many of the more egregious spyware practices described at the workshop may be subject to attack under existing Federal and State laws, and the workshop concluded with a request that industry and consumer groups notify the FTC staff of problematic practices. --------------------------------------------------------------------------- \7\ The Commission will find deception if there is a material representation, omission, or practice that is likely to mislead consumers acting reasonably in the circumstances, to their detriment. See Federal Trade Commission, Deception Policy Statement, appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984) (``Deception Statement''). An act or practice is ``unfair'' if it causes or is likely to cause substantial injury to consumers, that injury is not outweighed by any countervailing benefits to consumers and competition, and consumers could not have reasonably avoided the injury. 15 U.S.C. 45(n). --------------------------------------------------------------------------- The Commission is conducting non-public investigations related to the dissemination of spyware. As discussed at the workshop, however, investigating and prosecuting acts and practices related to spyware, particularly the more pernicious programs, pose substantial law enforcement challenges. Given the surreptitious nature of spyware, it often is difficult to ascertain from whom, from where, and how such products are disseminated. Consumer complaints, for instance, are less likely to lead directly to targets than in other law enforcement investigations, because consumers often do not know that spyware has caused the problems or, even if they do, they may not know the source of the spyware.<SUP>8</SUP> Indeed, computer manufacturers stated at our workshop that they believe an increasing number of service calls are spyware-related and spyware-related issues are difficult to diagnose. Similarly, search engine providers testified that consumers complain to them, not realizing that the spyware (not the search engine) is causing their dissatisfaction with their search engine. --------------------------------------------------------------------------- \8\ Identifying the source of spyware is especially difficult when consumers were not even aware that the spyware had been installed. --------------------------------------------------------------------------- The Commission has long been active in challenging unfair or deceptive acts or practices on the Internet, and spyware cases are not fundamentally different. Over the course of nearly a decade, we have brought approximately 300 cases challenging Internet practices involving substantial consumer harms, including harms similar to those posed by some examples of spyware. Most recently, in D Squared Solutions, LLC, the defendants allegedly exploited an operating system feature to harm consumers. The Windows operating system uses ``Messenger Service'' windows to allow network administrators to provide instant information to network users, for example, a message to let users know that a print job has been completed. The defendants in D Squared exploited this feature to send Messenger Service pop-up ads to consumers, advertising software that supposedly would block such ads in the future. Consumers would receive these pop-up ads as often as every ten minutes. The Commission filed a complaint in federal court alleging that the defendants unfairly interfered with consumers' use of their computers and tried to coerce consumers into buying software to block pop-up ads.<SUP>9</SUP> --------------------------------------------------------------------------- \9\ FTC v. D Squared Solutions, LLC, No. 03-CV-3108 (D. Md. 2003). The case is currently in litigation. --------------------------------------------------------------------------- The Commission brought several cases challenging the surreptitious distribution of dialer programs. A paper submitted at the workshop by the Computer Software Working Group <SUP>10</SUP> identified surreptitious downloads as an example of one of the problematic practices of some spyware programs. Past Commission actions have attacked similar programs that secretly disconnect consumers from their Internet Service Providers, reconnect them to another network, and charge them exorbitant fees for long distance telephone service or entertainment services delivered over the telephone line.<SUP>11</SUP> We also have challenged the practice of ``pagejacking'' consumers and then ``mousetrapping'' them at pornographic web sites.<SUP>12</SUP> These cases demonstrate that the Commission has the authority under Section 5 of the FTC Act to take action to prevent harms to consumers similar to those that spyware allegedly causes. --------------------------------------------------------------------------- \10\ The Consumer Software Working Group is comprised of public interest groups, software companies, Internet Service Providers, hardware manufacturers, and others. Available at <http://www.cdt.org/ privacy/spyware/20040419cswg.pdf> \11\ See, e.g., FTC v. Alyon Technologies, Inc., No. 1:03-CV-1297 (N.D. Ga. 2003); FTC v. BTV Indus., No. CV-S-02-0437-LRH-PAL (D. Nev. 2003); FTC v. Anderson, No. C00-1843P (W.D. Wash. 2000); FTC v. RJB Telcom, Inc., No. 002017 PHX EHC (D. Az. 2000); FTC v. Sheinkin, No. 2- 00-3636 18 (D.S.C. 2000); FTC v. Verity Int'l, Ltd., No. 00 Civ. 7422 (LAK) (S.D.N.Y. 2000); FTC v. Audiotex Connection, Inc., No. CV-97- 00726 (E.D.N.Y. 1997); see also Beylen Telecom, Ltd., FTC Docket No. C- 3782 (final consent Jan. 23, 1998). \12\ See, e.g., FTC v. Zuccarini, No. 01-CV-4854 (E.D. Pa. 2002); FTC v. Carlos Pereira d/b/a atariz.com, No. 99-1367-A (E.D.N.Y. 1999). --------------------------------------------------------------------------- CONCLUSION Spyware appears to be a new and rapidly growing practice that poses a risk of serious harm to consumers. The Commission is learning more about this practice, so that government responses to spyware will be focused and effective. We are continuing to pursue law enforcement investigations. The FTC thanks this Committee for focusing attention on this important issue, and for giving us an opportunity to present the preliminary results from our workshop. We look forward to further discussions with the Subcommittee on this issue. Mr. Stearns. I thank you. Mr. Ari Schwartz, Associate Director, Center for Democracy and Technology. Welcome. STATEMENT OF ARI SCHWARTZ Mr. Schwartz. Chairman Stearns, Ranking Member Schakowsky, members of the committee, thank you for inviting CDT to testify today. In November, we released our first report on the spyware issue entitled ``Ghosts in our Machines.'' At that same time we asked consumers to send us their concerns about specific spyware experiences. Since then hundreds have responded. Spyware is clearly an issue of growing concern for internet users. As we document in our report, the worse practices that we've seen are often based on mutated practices of legitimate software companies. Therefore, defining the term spyware has become difficult, if not impossible. The basic problem of spyware is that software being created to run on users' computers, that they have no control over and do not want, including some software that passes on personal information about the computer user with their consent. CDT believes that in order to stop this growing problem, we will need to see action in three areas: enforcement of existing law, industry commitment to stopping bad practices, and legislation to protect privacy online. I will quickly address each of these areas. It is CDT's opinion that many of the worst practices that we have seen today in the spyware are already illegal under existing fraud statutes. For example, if a consumer walked into a store and the door was locked behind them and they were forced to buy a product, we would expect law enforcement to do something about it. If hundreds of thousands of consumers were not allowed to leave a contract that they didn't even know that they'd enter, we would expect consumer law enforcement agencies to do something. And if a third party were to tamper with consumers' telephones in such a way that when they try to call Barnes and Noble they were instead connected to an adult book store, certainly we would expect law enforcement to be there. Yet, the online equivalent of each of these actions, online coercion, inability to uninstall or disable and host file overriding have not been a serious area of action for any law enforcement body to date. CDT worked with consumer groups and industry to help develop examples of unfair, deceptive and devious practices involving software. These examples are based on real cases where CDT believes that law enforcement should be focusing its efforts. That full document was included as part of my written testimony. Second, industry needs to do a better job of creating self- regulatory structures for software. CDT is encouraged by the advances in the anti-software technology such as those discussed here today by EarthLink and Microsoft and the others discussed at the FTC workshop last week. As we have seen in the spam war, it's very likely that as the anti-spyware technologies increase, the efforts of the spyware creators will undoubtedly double as well. Industry should go further and start to draw clear lines in the spectrum of current behaviors to begin to help consumers to distinguish the good actors from the bad. A code of best practices could give consumers the information and ability that they need to make better decisions in the marketplace today. Last, CDT strongly believes that many of the privacy concerns with spyware, some of which fall out of the scope of legal protections could be clearly addressed with the privacy law. As the chairman and the committee know, CDT has long argued that until we have a privacy law that addresses all of the basic fair information practices that privacy issues that we first saw 8 years ago with the collection of information via the web and then with cookies and then with spam and now with spyware will continue. And it will repeat again in new technologies in the future. A privacy law would get a root concern, not the root concern, but at a root concern rather than trying to define and scope each new technology in a limiting way. Still, spyware may pose some unique challenges that are not covered in the areas that I've outlined. We commend Representative Bono and Representative Towns for their work and their early attempts to take on this difficult issue, yet we also recognize that it would be difficult to define spyware or even the broader category of software in a way that addresses the problem without confining the market or accidentally legitimizing questionable practices that fall outside of the scope of the legislation. CDT is committed to working with the committee as the efforts move forward and I look forward to answering all of your questions. [The prepared statement of Ari Schwartz follows:] Prepared Statement of Ari Schwartz, Associate Director, Center for Democracy and Technology Chairman Sterns and Ranking Member Schakowsky, thank you for holding this hearing on spyware, an issue of growing concern for consumers and businesses alike. CDT is pleased to have the opportunity to participate. CDT is a non-profit, public interest organization dedicated to preserving and promoting privacy and other democratic values and civil liberties on the Internet. CDT has been widely-recognized as a leader in the policy debate about the issues raised by so-called ``spyware'' applications.<SUP>1</SUP> We have been engaged in the early legislative, regulatory, and self-regulatory efforts to deal with the spyware problem, and have been active in public education efforts through the press and our own grassroots network. --------------------------------------------------------------------------- \1\ See, e.g., CDT's ``Campaign Against Spyware,'' http:// www.cdt.org/action/spyware/action (calling on users to report their problems with spyware to CDT; since November 2003, CDT has received over 250 responses). CDT's Complaint and Request for Investigation, Injunction, and Other Relief, in the Matter of MailWiper, Inc., and Seismic Entertainment Productions, Inc., February 11, 2004 (available at http://www.cdt.org/privacy/20040210cdt.pdf). ``Eye Spyware,'' The Christian Science Monitor Editorial, April 21, 2004 [``Some computer- focused organizations, like the Center for Democracy and Technology, are working to increase public awareness of spyware and its risks. ``The Spies in Your Computer,'' New York Times Editorial, February 18, 2004 (arguing that ``Congress will miss the point (in spyware legislation) if it regulates specific varieties of spyware, only to watch the programs mutate into forms that evade narrowly tailored law. A better solution, as proposed recently by the Center for Democracy and Technology, is to develop privacy standards that protect computer users from all programs that covertly collect information that rightfully belongs to the user.''). John Borland, ``Spyware and its discontents,'' CNET.com, February 12, 2004. (``In the past few months, Ari Schwartz and the Washington, D.C.-based Center for Democracy andTechnology have leapt into the front ranks of the Net's spyware-fighters.'') --------------------------------------------------------------------------- A. Summary In our testimony today, we hope to address two questions: What is spyware? And how should we respond to it? In Section B of our testimony below, we attempt to help define and understand the spyware problem. CDT's report ``Ghosts in Our Machines: Background and Policy Proposals on the `Spyware' Problem,'' <SUP>2</SUP> released in November 2003, addresses this issue. The report describes the range of invasive software applications referred to as ``spyware'' and clarifies the privacy, transparency and user control issues raised by these rogue programs. --------------------------------------------------------------------------- \2\ http://www.cdt.org/privacy/031100spyware.pdf --------------------------------------------------------------------------- Additionally, over the last six months, CDT has led discussions of a Consumer Software Working Group that includes leading members of the Internet industry, advertising companies, public interest groups and academics in order to identify examples the worst practices that consumers are facing online. In our testimony today, we highlight some of the pertinent issues raised by the working group, summarize the findings of CDT's report, and describe some of CDT's subsequent research and ongoing efforts in these areas. In Section C, we turn to potential responses to the spyware problem. CDT sees three major areas where action is necessary to stem the disturbing trend toward a loss of control and transparency for Internet users: 1) Enforcement of existing laws could go a long way toward reducing the problem of spyware. While longstanding fraud statutes already cover many of the issues raised by these applications, currently they are rarely enforced against spyware programmers and distributors. 2) Fundamental to the issue of spyware is the overarching concern about online Internet privacy. Legislation to address the collection and sharing of information on the Internet would resolve many of the privacy issues raised by spyware. If we do not deal with the broad Internet privacy concerns now, in the context of spyware, we will undoubtedly find ourselves confronted by them yet again when they are raised anew by some other, as yet unanticipated, technology. 3) To be effective, legislation and enforcement approaches will have to be carried out concurrently with better consumer education, industry self-regulation and the development of new anti- spyware technologies. We address each of these avenues in turn. B. Defining and Understanding ``Spyware'' and ``Adware'' ``Spyware'' has no precise definition. The term has been applied to everything from keystroke loggers, to advertising applications that track users' web browsing, to web cookies, to programs designed to help provide security patches directly to users. ``Spyware'' programs can be installed on users' computers in a variety of ways, and they can have widely differing functionalities. What these programs have in common is a lack of transparency and an absence of respect for users' ability to control their own computers and Internet connections. While many programs that have been called ``spyware'' are advertising software, CDT has emphasized that there is nothing inherently objectionable about ad-support as a business model. We highlight email applications, such as Eudora, that are successful and user-friendly examples of ad-supported software. However, in many cases, the revenue that these applications provide has given software distributors the incentive to push them onto users' computers using deceptive or fraudulent means. Ad-support can and must be implemented in a way that is transparent to users and respects their choices and privacy preferences. Distribution of Spyware ``Spyware'' programs can be distributed in a variety of ways. For example, they may be bundled with other free applications, including peer-to-peer file sharing applications; they may be distributed through deceptive download practices; or they may be installed by exploiting security holes in the web browser or operating system on a user's computer. In some cases, once one ``spyware'' application has gained access to a user's computer, it will surreptitiously download and install other applications. In each of these scenarios, users generally do not know that the software is being installed. And once these invasive applications are on a user's computer they can be difficult or impossible to find and remove. Effects of Spyware As mentioned above, the overarching concerns raised by spyware applications are transparency and user control. Within these broad categories, spyware programs can raise a host of specific concerns. These programs can change the appearance of websites, modify users' ``start'' and ``search'' pages in their browsers, or change low level system settings. In our complaint to the FTC against MailWiper and Seismic Entertainment Productions, filed in February, CDT asked the Commission to investigate one particularly egregious example of such ``browser hijacking'' behavior. Spyware programs are also often responsible for significant reductions in computer performance and system stability. In many cases, consumers mistakenly assume that the problem is with another application or with their Internet provider, placing a substantial burden on the support departments of providers of those legitimate applications and services. Spyware programs can track users' online activities. Some gather personally identifiable information. The most egregious forms of spyware can capture all keystrokes, or record periodic screenshots from a user's computer. Even in cases where spyware programs transmit no personally identifiable information, their hidden, unauthorized appropriation of users' computing resources and Internet connections threatens the security of computers and the integrity of online communications. The ``auto-update'' component of many of these applications can create major new security vulnerabilities by including capabilities to automatically download and install additional pieces of code without notifying users or asking for their consent, typically with minimal security safeguards. CDT is currently conducting technical and public opinion research on the spyware issue. We hope to continue to report the results of this work to the Committee as we learn more. C. Possible Responses to Spyware Concerns Combating the most invasive spyware technologies will require a combination of approaches. First and foremost, vigorous enforcement of existing anti-fraud laws should result in a significant reduction of the spyware problem. Addressing the problem of spyware also offers an important opportunity to establish in law baseline standards for privacy for online collection and sharing of data. Providing these protections would not only address the privacy concerns that current forms of spyware raise, but would put in place standards that would apply to future technologies that might challenge online privacy. Anti-spyware tools, better consumer education, and self-regulatory policies are also all necessary elements of a spyware solution. Legislation to establish standards for privacy, notice, and consent specifically for software, such as H.R.2929, currently before this Committee, may play an important role as well. The challenge to such efforts is in crafting language that effectively addresses the spyware issue without unnecessarily burdening legitimate software developers or unintentionally hindering innovation. So far the efforts to address the spyware issue are all in very preliminary stages. They will each require cooperation among government, private sector, and public interest initiatives. Enforcement of Existing Law CDT believes that three existing federal laws already prohibit many of the invasive or deceptive practices employed by malevolent software makers. Better enforcement of these statutes could have an immediate positive effect on the spyware problem. Title 5 of the Federal Trade Commission Act is most directly applicable to the most common varieties of spyware. We believe that many of the more invasive forms of spyware discussed above clearly fall under the FTC's jurisdiction over unfair and deceptive trade practices. Some of these practices are highlighted in the Appendix--the Consumer Software Working Group's Examples of Unfair, Deceptive or Devious Practices Involving Software. To our knowledge, the FTC so far has not brought any major actions against spyware makers or spyware distributing companies. In February, CDT filed a complaint with the FTC against two companies for engaging in browser hijacking to display deceptive advertisements to consumers for software sold by one of the companies.<SUP>3</SUP> --------------------------------------------------------------------------- \3\ Complaint and Request for Investigation, Injunction, and Other Relief, in the Matter of MailWiper, Inc., and Seismic Entertainment Productions, Inc., February 11, 2004 (available at http://www.cdt.org/ privacy/20040210cdt.pdf). --------------------------------------------------------------------------- We believe that one of the most immediate ways in which Congress could have a positive impact on the spyware problem is by directing the FTC to increase enforcement against unfair and deceptive practices in the use or distribution of downloadable software and by providing increased resources for such efforts. Several laws besides the FTC Act may also have relevance. The Electronic Communications Privacy Act (ECPA), which makes illegal the interception of communications without a court order or permission of one of the parties, may cover programs that collect click-through data and other web browsing information without consent. The Computer Fraud and Abuse Act (CFAA) also applies to some uses of spyware. Distributing programs by exploiting security vulnerabilities in network software, co-opting control of users' computers, or exploiting their Internet connection can constitute violations of the CFAA, especially in cases where spyware programs are used to steal passwords and other information. In addition to federal laws, many states have long-standing fraud statutes that would allow state attorneys general to take action against invasive or deceptive software. Like their federal counterparts, these laws have not been strongly enforced to date. New Legislation CDT has argued that the most effective way to address the spyware problem through legislation is in the context of online privacy generally. Specifically, we believe that the privacy dimension of spyware would best be addressed through baseline Internet privacy legislation that is applicable to online information collection and sharing irrespective of the technology or application. CDT has advocated such legislation before the Senate Commerce Committee and in other fora. Until we address the online privacy concern, new privacy issues will arise as we encounter new online technologies and applications. Still, software may pose some unique problems. A comprehensive legislative solution to spyware may need to address the user-control aspects of the issue such as piggybacking, and avoiding uninstallation. H.R. 2929 before this Committee represents an important acknowledgement of several of these problems. We appreciate the desire to craft targeted legislation focusing on some of the specific problems raised by spyware, and CDT commends Representatives Bono and Towns for bringing attention to this important issue. At the same time, we wish to emphasize the complexity of such efforts. The broad industry opposition to an anti-spyware bill recently passed in the Utah legislature, based on potential unintended consequences of the bill for legitimate software companies, demonstrates the difficulties that can be introduced by such legislation if it is not carefully drafted. We know Representatives Bono and Towns have been looking hard at some of the specific definitional concerns raised by CDT and others, and we look forward to continuing to work with the Committee on this bill. Non-Regulatory Approaches Technology measures, self-regulation and user education must work in concert, and will be critical components of any spyware solution. Companies must do a better job of helping users understand and control how their computers and Internet connections are used, and users must become better educated about how to protect themselves from spyware. The first step is development of industry best practices for downloadable software. Although not all software manufacturers will abide by best practices, certification programs will allow consumers to quickly identify those that do and to avoid those that do not. In the current environment consumers cannot easily determine which programs post a threat, especially as doing so can involve wading through long and unwieldy licensing agreements. Technologies to deal with invasive applications and related privacy issues are in various stages of development. Several programs exist that will search a hard-drive for these applications and attempt to delete them. Some companies are experimenting with ways to prevent installation of the programs in the first place. However, even these technologies encounter difficulties in determining which applications to block or remove. Clear industry best practices are crucial in this regard as well. Standards such as the Platform for Privacy Preferences (P3P) may also play an important role in technical efforts to increase transparency and provide users with greater control over their computers and their personal information. P3P is a specification developed by the World Wide Web Consortium (W3C) to allow websites to publish standard, machine-readable statements of their privacy policies for easy access by a user's browser. If developed further, standards like P3P could help facilitate privacy best practices to allow users and anti-spyware technologies distinguish legitimate software from unwanted or invasive applications. The IT industry has initially been slow to undertake such efforts. However, increasing public concern about spyware and the growing burden placed on the providers of legitimate software by these invasive applications has led to more industry attention on this front.<SUP>4</SUP> The Consumer Software Working Group, including major Internet service providers, software companies, and hardware manufacturers, has expressed its view that this area is ripe for industry self-regulation and best practices. --------------------------------------------------------------------------- \4\ See, e.g. , Earthlink press release: Earthlink Offers Free Spyware Analysis Tool to All Internet Users, January 14, 2004 (available at: http://www.earthlink.net/about/press/pr_analysis/); America Online press release: America Online Announces Spyware Protection for Members, January 6, 2004 (available at: http:// media.aoltimewarner.com/media/newmedia/cb_press_view. cfm?release_num=55253697); Microsoft press release: Battling `Spyware': Debate Intensifies on Controlling Deceptive Programs, April 20, 2004 (available at: http://www.microsoft.com/presspass/features/2004/apr04/ 04-20Spyware.asp) --------------------------------------------------------------------------- CDT believes Congress can have an immediate positive impact by encouraging industry to continue to follow through on these efforts. D. Conclusion Users should have control over what programs are installed on their computers and over how their Internet connections are used. They should be able to rely on a predictable web-browsing experience and to remove for any reason and at any time programs they don't want. The widespread proliferation of invasive software applications takes away this control. Better consumer education, industry self-regulation, and new anti- spyware tools are all key to addressing this problem. New laws, if carefully crafted, may also have a role to play. Many spyware practices, however, are already illegal. Even before passing new legislation, existing fraud statutes should be robustly enforced against the distributors of these programs. The potential of the Internet will be substantially harmed if users come to believe that they cannot use the Internet without being at risk of infection from spyware applications. We must find creative ways to address this problem through law, technology, public education and industry initiatives if the Internet is to continue to flourish. Appendix: Examples of Unfair, Deceptive or Devious Practices Involving Software CONSUMER SOFTWARE WORKING GROUP The Consumer Software Working Group is a diverse community of public interest groups, software companies, Internet service providers, hardware manufacturers, and others that are seeking consensus responses to the concerns raised by practices that harm consumers. Over the past several years, a subset of computer software referred to as ``spyware'' has become the subject of growing public concern. Computer users increasingly find programs on their computers that they did not know were installed, that create risks to privacy, that open security holes, that impair the performance and stability of their systems, that frustrate their attempts to uninstall or disable the programs, or that lead them to mistakenly believe that these problems are the fault of another application or their Internet service provider. There is agreement that these practices can raise serious concerns. At the same time, the wide range of and lack of clarity in attempted definitions for the types of software practices that most concern consumers hamper attempts at self-regulatory, technological and legislative responses. Many definitions of spyware in circulation today are either under-inclusive in important respects or, more commonly, overbroad so that they include practices that clearly benefit consumers, or both.<SUP>5</SUP> --------------------------------------------------------------------------- \5\ For example, the Working Group observes that the current Utah law addresses practices involving software that most informed consumers would not consider unfair, deceptive or devious and fails to cover some practices that most informed consumers would consider unfair, deceptive or devious. --------------------------------------------------------------------------- The Center for Democracy and Technology convened the Consumer Software Working Group. Companies, public interest groups or academics interested in joining the Working Group should contact Ari Schwartz <ari@cdt.org>, Michael Steffen <msteffen@cdt.org>, or John Morris <jmorris@cdt.org> at the Center for Democracy and Technology. EXAMPLES OF UNFAIR, DECEPTIVE OR DEVIOUS PRACTICES INVOLVING SOFTWARE VERSION 1.0 The Consumer Software Working Group is concerned about a specific set of devious, deceptive or unfair practices that adversely affect consumers online. While the following list of examples is not nearly complete, it describes a series of activities and behaviors that the Group considers to be clearly objectionable. Specifically, the Group identifies three broad types of practices where abuses occur today. Most of these practices may be illegal under current law, depending on the specific facts of the particular case. Within each area, we offer illustrative examples, based on real cases. We note that each of the objectionable behaviors we identify has constructive consumer-friendly counterparts when carried out with proper notice and consent and in ways that give consumers control. Automatic installation, personalization and tracking, and in some cases resistance to uninstallation can provide important benefits to consumers. We hope that this list of objectionable practices will help to focus technical, self-regulatory, regulatory and law enforcement efforts to protect consumers from inappropriate activities in a more targeted and effective manner, while avoiding unintended negative consequences for good actors and consumers alike. The Working Group believes that this is an area that could be ripe for self-regulatory efforts to craft industry principles to protect consumers and the marketplace. 1) Hijacking--The practices described in this section are objectionable to the extent that they enable an unaffiliated person to use the user's computer in a way that ordinarily would not be expected. This may occur through an unnoticed program consuming the user's computing resources or resetting a user's existing configurations without the user's knowledge, or through coercion or deception. Example: A computer user sees an Internet advertisement for Program A. The user clicks on the ad and is sent to a page that pops up a window asking if the user wants to download Program A. The user clicks ``no,'' but Program A is eventually downloaded and installed anyway. Example: A computer user sees an Internet advertisement for Product B. The user clicks on the advertisement, and is sent to a page that informs the user that ``Program C is needed to view this Web page.'' This leads the user to believe that Program C is necessary to view the site about Product B, so the user clicks ``yes'' and the program is downloaded and installed. In fact, Program C is not necessary to view the website for Product B and the user is never informed of the actual reason why Program C was installed. Example: A computer user sees an Internet advertisement for Program D. The user clicks on the ad, and she is sent to a page that immediately pops up a window asking if she wants to download Program D. The user clicks ``no.'' This happens repeatedly until the user gets frustrated and clicks ``yes.'' Example: A computer user receives an Internet advertisement for Product E as part of a webpage he is looking at. Simply as a result of loading the ad, Software Program F wholly unrelated to Product E is downloaded onto the user's computer. No notice or opportunity to consent to download Software Program F was provided. Example: While browsing the Internet, a computer user is offered the opportunity to download and install Software Program G. Using a fraudulently obtained digital certificate, the download request falsely identifies Software Program G as being from the user's trusted Internet Service Provider, H. In fact, the Program is not from Internet Service Provider H, and has no relation to the ISP. However, based on its claimed affiliation with H, the user agrees to let the program be downloaded and installed. Example: A computer user loads Company I's Web page. The Web page opens another page running a java script. When the user closes Company I's Web page, the java script page covertly resets the user's homepage without obtaining consent. Example: A computer user loads Company J's Web page. The Web page opens another page running a java script. When the user closes Company J's Web page, the java script page covertly resets the user's homepage. The java script is written such that any time the user attempts to reset his homepage, the program automatically resets it again so the user cannot reset his homepage to what it was before the hijacking took place. Example: A computer user downloads Software Package K. Among the programs in Software Package K is a dialer application that was not mentioned in any advertisements, software licenses, or consumer notices associated with the package or in information provided in conjunction with the ongoing operations of the package. The dialer application is not an integral part of Software Package K. When the user opens her Web browser after installation of Software Package K, the dialer opens in a hidden window, turns off the sound of the user's computer, and calls a phone number without the user's permission. Example: A computer user is sent Software Package L as an attachment to an unsolicited commercial email message. There is no documentation for Software Package L. Included in Software Package L is Program M that sends a message to Computer N. Computer N then uses Program M on the user's computer as a means to send out unsolicited commercial emails. 2) Surreptitious surveillance--The practices described in this section are objectionable to the extent that they involve intrusive and surreptitious collection and use of personally identifiable information about users that is wholly unrelated to the purpose of the software as described to the consumer. Example: A computer user downloads Software Package P. Software Package P contains a keystroke logger unrelated to any functions described to the user. The keystroke logger records all information input on the user's computer and sends this information on to another computer user. The first user is not informed about the operation of the keystroke logger. Example: Program Q advertises itself as a search tool bar. A user downloads Program Q to gain the search functionalities. Program Q installs a tool bar, but--once installed--also mines the user's registry and other programs for personally identifiable information about the user unrelated to the search functionality and without informing the user or obtaining consent. When the user connects to the Internet, Program Q sends this information back to the company that makes Program Q. 3) Inhibiting termination--The practices described in this section are objectionable to the extent that they frustrate consumers' efforts to remove a program, deactivate it or otherwise render it inoperative. Generally, these practices are intended to prevent the user from severing or terminating a relationship with the provider of the program. Example: A computer user downloads Software Package S. Software Package S contains Advertising Program T. Advertising Program T sends the user pop-up ads while the user is surfing the Web even if no other programs in Software Package S are running. The pop-up ads are not labeled as related to Advertising Program T or Software Package S in any way and there is no other way to find the ads' origin. The user is concerned about the increase in pop-up ads, but does not know whether they are caused by Program T or are from the Web sites that he is visiting. The user has no means to find out the origin of the ads in order to make a decision about uninstalling Program T. Example: A computer user downloads Software Package U. As initially disclosed to the user, Software Package U contains a mandatory program, Advertising Program V, which is bundled as a way to generate revenue and pay for the development of Software Package U only. When the user uninstalls Software Package U, the user is not given a clear opportunity to uninstall Program V at that time, and Advertising Program V stays on the user's computer. Example: A computer user downloads Gaming Program W. The user wants to remove Gaming Program W from the computer. Gaming Program W does not have an uninstall program or instructions and does not show up in the standard feature in the user's operating system that removes unwanted programs (assuming this feature exists in the operating system). The user's attempts to otherwise delete Program W are met by confusing prompts from Program W with misrepresentative statements that deleting the program will make all future operations unstable. Example: A computer user downloads Program X. The user wants to remove Program X from the computer. Program X appears in the standard feature in the user's operating system that removes unwanted programs. However, when the user utilizes the ``remove'' option in the operating system, a component of Program X remains behind. The next time the user connects to the Internet, this component re-downloads the remainder of Program X and reinstalls it. The following companies, organizations and individuals have worked to describe Examples of Unfair, Deceptive and Devious Practices Involving Software. These descriptions can be used to help focus technical, self-regulatory, regulatory and law enforcement efforts to protect consumers from inappropriate activities. America Online; Business Software Alliance; Center for Democracy and Technology; Claria Corporation; Consortium of Anti-Spyware Technology Vendors; Consumer Action; CryptoRights Foundation; Dell, Inc.; Distributed Computing Industry Association; EarthLink; eBay; Electronic Frontier Foundation; Google; HP; Information Technology Industry Council; Internet Commerce Coalition; Lavasoft; Microsoft; Network Advertising Initiative; Privacilla.org; Sharman Networks; Peter Swire, Moritz College of Law of the Ohio State University;<SUP>6</SUP> TRUSTe; Webroot Software; WhenU; and Yahoo!. --------------------------------------------------------------------------- \6\ Individuals are listed with their affiliation for identification purposes only. Mr. Stearns. I thank the gentleman. I'll start out with my line of questioning and I think I'll just make a general comment and then I want to ask each of you a specific question, a yes or no answer, if possible. I think as in the opening statement of the chairman of our committee, the gentleman from Texas, indicated we found on employees in the Commerce Committee have over 200 spyware and they did not know this. We've heard from other members how it's affected their computers at home and slowed them down. So obviously, there's some deep concern, not only about privacy, but efficiency and overall security. So the question is and I think I know the answers listening to your opening statements, I'll start with you, Commissioner. You at this point do not believe that we need legislation, just yes or no, is that true? Mr. Thompson. Yes, at this time, we do not---- Mr. Stearns. We do not need legislation. And Mr. Beales, do you think we need legislation? Mr. Beales. I do not. Mr. Stearns. And Mr. Schwartz? Mr. Schwartz. I think that we need privacy legislation today and we may need spyware legislation in the future once we've gone further in going after worst practices. Mr. Stearns. You mentioned three areas: enforcement, eliminating bad practices and legislation. Mr. Schwartz. And privacy legislation. Mr. Stearns. So what you're talking about is an overall privacy legislation of which spyware would be a component, is that what you're saying? Mr. Schwartz. That's correct, yes. Mr. Stearns. And Mr. Baker? Do we need legislation? Mr. Baker. We think legislation would complement industry technology efforts and FTC enforcement. Mr. Stearns. Okay, and Mr. Friedberg? Mr. Friedberg. Yes. We believe in a holistic solution and to the degree enforcement can't do what they need to do because there's some laws missing, then we would---- Mr. Stearns. You mentioned you're going to have a new software program, but today, would you advocate legislation to solve this problem, yes or no? Mr. Friedberg. Again, I think it goes back to whether or not there's enough teeth in the existing laws to go after the deceptive practices. Mr. Stearns. Do you think there's enough teeth in the existing laws? Mr. Friedberg. Unfortunately, I'm not a lawyer, but I would---- Mr. Stearns. I'm asking you a personal opinion. I mean you're here, you're one of the experts here on the panel and your high technology of interest and expertise, we've just told you that member employees on our Commerce Committee have over 200 of these spywares that they didn't know it, it's slowing it down, so you're saying that your software would solve all the problems? Mr. Friedberg. No, absolutely not. Mr. Stearns. Do you think legislation---- Mr. Friedberg. We think there's a holistic strategy and I think Commissioner Thompson and others have stated they feel very confident about the current laws. That's fantastic, I think. We can go after them and create a deterrent, it's wonderful. Mr. Stearns. Let me ask you then, you testified that any Federal legislation should address deceptive behavior and not functionality and I guess that's the key point, that we want to not bog down the internet. We want to have the functionality there, but we've got to address this deceptive behavior. Please explain what behaviors are not illegal already that we should address. Mr. Friedberg. Not illegal already? Mr. Stearns. In other words, when a person is dealing with spyware, from what I hear it looks like most of it is coming in illegally. It's in my computer and I don't want it. So that's a behavior that I don't want. So what is the functionality of this that I should allow it to be in and why shouldn't I legislate to say don't come in without my permission. Mr. Friedberg. When you actually look at the features that underlie some of what's happening, it turns out that a lot of those features have positive user benefit. For example---- Mr. Stearns. Give me some examples of positive user benefit. Mr. Friedberg. Let's just take adware. Obviously, it's a very contentious issue, but a piece of software that's going to display some advertisements, that's what it does. That's its function. Now if I'm a user and I have to pay $120 a year for a service and I have the choice to maybe see some ads and not have to pay that money, I think that's a fair horse trade providing I was told up front what that deal is and I can fully understand the terms under which it's happening and so there's an example of where the feature is not the issue, it's when people do it deceptively where you have no control over that adware, it's just showing up in your box, can't turn it off. Clearly a bad situation. Mr. Stearns. Commissioner, you are on the panel of peers to be the strongest advocate for no legislation. The State of Utah has passed a bill. California and Texas is doing this. New York is going to do this. Shouldn't Congress, if nothing else, preempt these with a Federal law instead of having 50 separate State laws dealing with spyware? Mr. Thompson. I understand that point and I think that---- Mr. Stearns. I mean, the practicality. Mr. Thompson. But what I say is at this time what I'm looking for is industry to define good behavior to isolate bad behavior. That's what you heard with the other people on this panel. There are certain behaviors that are bad that we can get at right now. Unfair and deceptive practices, for example, if they put something on your computer and it violates their privacy policy, then we can do something about it. If it's sending information that you have no way of avoiding, that's something we need to know about. But---- Mr. Stearns. But shouldn't we stop that practice of putting it in your computer without you knowing about it? Mr. Thompson. I think we can get at some of that right now. The point is that I need---- Mr. Stearns. Well, why isn't our staff doing it? The public obviously has ignorance on this and doesn't even know. You click a bar up here, some of the bars that were clicked up here you hit cancel or yes or even the top of the dialog bar, it doesn't matter. You're still going to get the spyware in the computer, so tell me why shouldn't we stop that? Mr. Thompson. And that's part of the challenge that we have. First of all, we need the responsible companies to come clean and tell consumers what it is they're doing, how they're doing it and then the second thing, then we need to isolate those people who are not. Let me tell you something. Most of the people who are involved in the most insidious behavior, secret spyware that will get after, that will allow them to get identity theft, to mine your information, etcetera, that's unlawful now and those people don't care about the law. Mr. Stearns. I'll conclude by just saying I'm a little concerned that you're not outraged that people have access to somebody's privacy, Social Security Numbers and all this and you're saying just let things go by the wayside when actually I would think you as Federal Trade Commission should be saying we need more money, we want to enforce it, we're going to do something about this, Congress, this is what we need. Mr. Thompson. I am outraged and we always need more money, but what I am saying to you is there's a danger. The danger in trying to define this in the scope of legislation right now, is to be overbroad which will deny us of beneficial uses. Mr. Stearns. My time is up. Mr. Thompson. Or too narrow. Mr. Stearns. The gentlelady, Ms. Schakowsky. Ms. Schakowsky. Mr. Thompson, if legislation is not warranted at this time, I know you had a workshop and that's the beginning, but what are you doing exactly in terms of enforcement of current laws? It seems to me the ball is in your court as well as in that of industry. You're looking for a voluntary industry response, you're saying, but what exactly are your plans then in the short term? Mr. Thompson. I would like the Bureau Director to be in to talk about that because he can talk about specific enforcement activity. Mr. Beales. We are actively looking for spyware cases. We have open investigations. We will pursue those. We have brought cases that have challenged the deceptive downloads of dialers that disconnect you and reconnect you. We've brought cases that are very much the same kind of practice of once you're in the door, you can't get out until you buy the program. We've brought the extortion kind of case of buy this product and I'll stop sending you the ads that--this product will stop the ads that we're sending you. We've brought all those kinds of cases. We will continue to pursue those cases. The problem is not one of legal authority. It is developing and proving a case in Federal Court. Ms. Schakowsky. It sounds like this is a problem that's escalating rather than shrinking as we go forward. So what is it that consumers ought to be expecting from both industry and from the regulatory agencies right now? And then, Mr. Schwartz, I'd like you to add why it is that this broad privacy legislation might add relief to consumers? Mr. Thompson. I think step one, I think responsible industry needs to tell consumers what software they're putting on the system, how it works and giving consumers a choice of whether to have it or not to have it. Ms. Schakowsky. How big a problem is responsible industry? Usually when we're dealing with the most insidious scams, we're dealing with irresponsible players here who have the intention of robbing people of their information, et cetera. Mr. Thompson. And that's exactly the point. One of the things I would like to see done is that the good guys can all work on the same baseline to say this is what the behavior, standard behavior is in the industry, so we can begin to say anything that's outside of that is really ripe for our picking. Ms. Schakowsky. Are you planning then to establish some kind of rule that would set those boundaries and the parameters rather than simply relying on industry itself to come up with that? Mr. Thompson. As you said in your comments, we are at the beginning stages of talking about that. The workshop was very helpful. And as I said in my statement, I want effective and timely responses. I think we will continue to work with industry to see that that happens, but this is one issue that I think is important to have the committee's continued involvement and review. Ms. Schakowsky. Clearly, the Congress and the bipartisan way is interested in stepping into this. If you're saying we should not, then it seems to me you have to have a very clear time line to come back with and say this is our plan, this is what we expect from industry. We really haven't seen that. I would like to particularly get Mr. Schwartz'--tell me how this broad privacy legislation would help? Mr. Schwartz. Let's take a step back and look at the broader picture of online privacy. If we pass a law that says when you download software and you focus on the privacy of downloaded software, rather than general software, so let's say we do get the real fair information practices built into a software law that has notice, choice of intent for consumers, ability to access and see what they are turning over to the companies, etcetera. Then simply the bad acting companies simply start doing that from a server that's--where information is not downloaded to the computer, from somewhere remote. We've seen cases like that similar to that today. By trying to define software and come up with privacy rules just for software, you're leaving out the exact same practices that we consider to be bad practices that are just done from a remote server. Similarly, we saw this in web privacy as well. Early on we did not have any notices at all. As practices start to improve in one area, the bad acting companies shift and go to another area where they feel they can take advantage of consumers and that's going to continue to happen because that's the nature of technology. We're going to come up with new technological challenges. But if we have a broad law that focuses on the practice, rather than the technology, we can go after the actual root cause which is that companies are misusing people's personal information, not telling them what they're doing with it and keeping it in incorrect ways where consumers don't even know it could be used against them and they don't even have the ability to change it if it's wrong. Ms. Schakowsky. Thank you. Mr. Stearns. The full chairman of the committee, the gentleman from Texas, Mr. Barton. Chairman Barton. Thank you, Mr. Chairman. I am reading from the FTC testimony here, the Commissioner's testimony, page 5, it says ``at the workshop, FTC and Department of Justice staff members noted that many of the more egregious spyware practices described at the workshop may be subject to attack under existing Federal and State laws.'' Later on in that same page it says, ``However, investigating and prosecuting acts and practices related to spyware, particularly the more pernicious programs pose substantial law enforcement challenges.'' Now then, my understanding, Commissioner, is that you said that you didn't think additional Federal legislation was necessary, yet in your testimony you're talking about it says ``it may be subject to attack and pose substantial law enforcement challenges.'' Why in the heck don't you support us legislating so we make it perfectly clear? If somebody walks in my house without my knowledge, without my permission, they're trespassing and there's a law that says that's illegal. And what you're saying is if somebody comes into my personal computer in my house, it may violate a law and it may be a problem, but it might be difficult to prosecute. Why not work with this committee to come up with legislation that makes it perfectly clear that it's illegal? And then if somebody wants that crap on their computer, they can opt to let it be. I mean I don't understand. I really don't understand why we're having a semantical debate about something that everybody I've talked to is totally outraged about. I'm the moderate on this issue, by the way, on the panel. Mr. Thompson. Well, Mr. Chairman, you know what I think about privacy in general, and we've discussed that before. I think that targeted legislation here at this time would be very difficult, if not impossible to define. And what I'm concerned about is leading people to believe that defining a certain kind of software, for example, will address the problem. Let me give you an example. There are so many things in this area that would be a problem notwithstanding whether they informed you of it or not. If someone came in and told you we're going to disclose to you that we're putting software on your machine that's going to monitor your activity, that we can send to identity thieves, that would be unlawful no matter what. And it doesn't really matter---- Chairman Barton. My understanding is there's not been one enforcement action even attempted. Is that true or not true? Mr. Thompson. That's not true. Chairman Barton. That's not true. So you've done one? Mr. Thompson. There are some things that are pending that I can talk about---- Chairman Barton. Ah, some things that are pending. Maybe two, three? We've got 140 million people and I've yet to see a person when they find out this is on their computer says oh, that's okay. I'm okay with it. Mr. Beales. We have brought a number of cases, at least three or four, that challenged deceptive downloading of dialer programs that disconnect you and reconnect you to different service provider. Chairman Barton. Have you got any convictions? Mr. Beales. Yes, we have. Chairman Barton. You've got how many? Mr. Beales. In all of those cases. In none of those cases that have been fully litigated or resolved and none of our cases have we lost. Chairman Barton. If we were to pass a law that said you can't put anything on a person's personal computer without their explicit knowledge and if you do, it's a Federal crime subject to whatever the penalties are, would that help or hurt prosecute these cases, if we made it explicit? Mr. Beales. I don't think it would make any difference in the ability to prosecute these cases. It would make the process of installing new software with hundreds of different subprograms that I have no clue what they do, extremely tedious and difficult. Chairman Barton. And that's a good thing. Mr. Beales. No, it's not. Chairman Barton. You want this stuff on your computer? You're the only person in the country that wants spyware on your computer. Mr. Beales. No, I want my word processing program to work. Chairman Barton. We do too. Mr. Beales. And if you pass a law that says I have to go through each component of that word processing program as it installs and agree to that component, either I'm going to agree to everything and the spyware is still going to be there because I've been trained to agree to everything or my word processor---- Chairman Barton. So now you're saying that spyware is necessary to install a program on your computer? Mr. Beales. No, I'm saying that software includes a lot of different programs where I don't know and I don't want to know exactly how they function to put a footnote in my document. Chairman Barton. And that's what spyware does? Mr. Beales. No, it's what software does. Chairman Barton. We're not opposed to software. Mr. Beales. But if you require consent to the installation of each program, then I'm going to have to go through each one of those programs---- Chairman Barton. Let me just clue you. Unless I'm totally mistaken, when we get ready to move this bill all but a handful of the members of this committee on a bipartisan are going to be supportive of it. Now I'm not a software expert. I'm not a computer expert, but I can count votes on my committee. And I would encourage the Federal officials at the table to work with us on how to clarify the language that helps you enforce the law. Instead of trying to defend something that is not defendable. I bet you that we could go to every person in this room that has a personal computer and I would be stunned unless they just cleaned their programs, cleaned their computers, they don't have spyware on their personal programs right now, including the people at the witness table. Every one of you. And then I would double down and bet that if we asked if they wanted to take it off, almost everybody would say they want to take it off, except for you, sir, who apparently thinks it's a great thing which is what makes America great that we can agree to disagree, I guess. Mr. Beales. I think it is very difficult to draw a line around the what is the spyware, where I don't want it either and where we think there clearly are bad practices. Chairman Barton. Well, then work with us---- Mr. Beales. We are happy to do that. Chairman Barton. Work with us to define the line. Mr. Beales. We are happy to do that to try to draw the line as well as possible. What is not clear to us is whether there is a meaningful line that can be drawn. Chairman Barton. I am very confident that with the lawyers we have on the committee and the lawyers that we have at your agency, we can draw the line. With that, Mr. Chairman, I yield back the negative balance of my time. Mr. Stearns. That's all right, Mr. Chairman, I just want to buttress your argument by pointing out, as I point out in 2003 there were 2 million spyware software programs. Today, in the year--they project 14 million currently. So I would say to the Commissioner, with those statistics it sort of shows that the chairman is talking about a serious problem. Mr. Strickland. Mr. Strickland. Thank you, Mr. Chairman. We've been talking about for lack of a better way to put it, bad actors, using spyware. Are there good actors who use spyware? Mr. Beales. Well, it depends on how you define it, but on many definitions, yes, there are. Keystroke loggers, for example, which can be used to steal personal information and for identity theft are frequently downloaded by help desks to try to figure out what it is you're doing, how it is they can help you use your computer better. That's a perfectly legitimate use of exactly the same software. Mr. Strickland. Is that done with the permission of the person whose information is being collected? Mr. Beales. Certainly with the implicit permission, whether it's explicit or not, I don't know, but certainly with the implicit permission because they've called and asked for help. Mr. Strickland. Let me ask this question. How many of you would agree with this statement, instead of regulating and outlawing certain types of software, we need to rather regulate certain types of behavior? Do any of you agree or disagree with that? Mr. Beales. I would agree with that completely. Mr. Thompson. I would agree with that as well. Mr. Strickland. And is it your impression that the legislation under consideration from my colleague from California an attempt to regulate software rather than an attempt to regulate behavior as you understand the proposal? Mr. Baker. No sir, if I may, I don't think that it's an attempt to regulate software. I think it does regulate behavior because it's not saying that any specific type of software is banned, but rather that software can't be downloaded to a user without their consent, without clear notice, without a means to uninstall it. So I think that is addressing the behavior. And to your earlier question, I mean no, and I think this is what Mr. Beales was trying to describe earlier. We don't want a world where every time a consumer tries to use any program every web page they go to, every click of the mouse they're going to get a nothing dialog box saying do you agree, do you agree, do you agree? Nobody wants that. But I think what we're doing here is establishing when things are loaded onto users' computers without their permission, from somebody that they have not agreed to. Certainly, if it's an update to their Microsoft operating system, to their EarthLink internet access, I mean that's something that the user has already agreed to and I think there's a fundamental difference there. And I think that the statute does a pretty good job of distinguishing between legitimate and illegitimate users of software that's downloaded to a computer without the user's knowledge. Mr. Strickland. I have some problem understanding the difference between my Chairman's position and what I'm hearing from some of you in terms of if there's a problem and people are being abused in ways that they don't choose to have their computer used and is it possible to achieve what Mr. Barton wants to achieve and at the same time avoid the problem that Mr. Beales, I think, is trying to describe for us? Is there a way to accomplish both? Mr. Friedberg. I think as Congresswoman Bono mentioned, the devil is in the details and I think we all really want these bad actors to go away and for us to take back control of our computers. Everybody wants that. And we know that one element of the solution is kind of focusing on behavior, but when we write the clauses and the rules, we need to still tie it down to something. That's where the challenge is is tying it to the stuff, the software. Mr. Strickland. But do you feel that that can be accomplished without interfering---- Mr. Friedberg. It is very, very hard. I have been thinking about this a lot and I am a computer scientist by trade and so I can tell you how hard it is. There are a couple of areas in particular that are very challenging. Uninstall requirements is one. The way you do consent is another. I know as a best practice I suggest to people in our company to do just in time consent and that's this concept of waiting until the most relevant moment when the user actually has some context to make a decision. If we put in certain rules and I'm not saying any particular legislation does this, but that require everything that happened in install time or transmission time, we've really missed the boat in terms of what, how users make trust decision. And we need to think about what's going to make my mom make good decisions when she's presented with the software and at what point does it make sense to have that? I know in Windows, when something crashes, we pop up this window's error report. And we do that at the time of the crash and we tell the user hey, we might be able to find a fix for you if you let us send some data back to Microsoft to figure it out. So the user has great context. They know exactly hey, I want to keep going, I want my word thing to word and it's okay, I'm going to send this data and you can actually look to see what data is going to be sent, so you can understand your privacy impact at the time of the situation. If we ask this question at the beginning, at installation time, there's no context. So there's all these different paradigms to consider, different ways to do consent, different ways to get this notice to show up. Another is the user interface issues and design. As people pointed out, nobody wants to have 100 of these popups just show up and completely color your experience. It doesn't make any sense. Also, we have new devices that are coming out almost every day and so it's very hard to figure out what their requirements are going to be. For example, there's this media center edition that we offer that's a 10 foot experience. Letters are really big. We only get two lines of text to communicate to the user these big issues, so we can't have very elaborate notices in that experience and likewise, if I have a watch that's really smart and it wants to download some new software, I've got very little room to provide that same notice. So we have to really think hard about all of these different scenarios. And that's why people are saying it's a little early. We really haven't had time to look at all of these, what I'll call test cases and watch out and figure out where the gotchas are. Because if we codify some of this stuff into law, suddenly we've tied our hands in an evasion which I think is a mistake. Mr. Schwartz. Can I address another issue along with some of the things that makes this more difficult---- Mr. Strickland. My time is up, but---- Mr. Stearns. Sure, why don't we just let them answer the question and call it quits. Mr. Schwartz. I was just going to say that the complexity of--this is not just like one company coming and monitoring the behavior of a computer user. These are--it's a complex network of affiliates, of individuals that are all involved in passing information to each other and cram the software down on computer users. In the case that we brought to the FTC that we hope that there will be action on we found at least four or five different parties, two of whom didn't know what was going on at all. They were simply kind of pawns in the whole scheme, whereas two others, to our mind, seemed to be active actors trying to put spyware on people's computers and trying to get them to guy software that they didn't really need. And in developing this case, it took us 2 months to put together and to turn it over to the FTC. It takes a lot of resources to put together these cases and track back the entire network. I think that's true for spam cases as well. Personally, I think we need to see the FTC get more resources to be able to go after these kinds of cases. Even if we had a new law that got at, closed up some of the existing holes, we would still have to have this same problem of being able to track down the bad guys. Mr. Stearns. Thank you and the author of the bill, the gentlelady from California, Ms. Bono. Ms. Bono. Thank you, Mr. Chairman. It sure is nice to have again your full weight and that of Chairman Barton's behind this legislation and since we've started this hearing I think I've gained three co-sponsors, so I appreciate my colleagues paying attention. But I am stymied by a lot of what I'm hearing and I'm also encouraged by a lot. First of all, we keep talking about prosection, prosecution. What the FTC has certainly failed to do is stop the proliferation of spyware and adware. You have failed in that. And it has grown exponentially and that is my intent. First of all, is to stop this growth, boom in this business, but also this bill is really about consumer empowerment. And as I mentioned to Mr. Friedberg, the devil is in the details in all of the legislation we write here and I look forward to working with all of you in industry and my colleagues on crafting the perfect legislation. I have been revising it day by day, just to address these issues. But you know, if we take this away from the realm of ones and zeros and change it to durable goods--for example, a car. I think Chairman Barton talked about this a little bit in trespassing. If I just bought a new car and I drove it home, parked it in my garage, would that give the automobile manufacturer the opportunity to come to my house and come into my garage and fix something because there was a recall notice on it without my knowledge? I don't think so. I do agree that there are beneficial uses of spyware, but I think if you warn the consumer first that this is all we're installing, it should be so simple. I love how Congress sometimes loses--I don't know that Congress has, but I think some people have, lost common sense. What is wrong with consumers simply knowing this is being installed. For example, Kazaa. I have two teenagers at home. They installed Kazaa. They thought this was great software. They were getting all of this free music, until I had to remind them about copyright and all of these things. I said--I had to point out to them somebody is still making money off of this and let me tell you how it works. And that's the way this all began. Somebody is making money. But it's not a songwriter. It's not a copyright holder. It's a third party you don't even know about. My question to you, Commissioner, is would you allow that? Would you allow--let's say I've taken that new car, that new Ford I bought and it's no longer in my garage. I've parked it on the street, because it's a public highway, similar to the internet. So now I'm going to allow Ford to come by and fix that recall notice without my--and this is a legitimate use of spyware. I'm actually talking about a legitimate use because I believe that Microsoft and Symantec and legitimate software companies do warn you and they do say we're going to update your software and occasionally they allow you to hit a button that says yes, I know you're doing it. Sometimes it happens automatically. That's a convenience. I know it's happening. But would you allow that to happen to a Ford? Because that's what I'm hearing you say right now, it's okay. It's okay or maybe you'll enforce it or maybe you'll stop it, but right now it's okay. Mr. Thompson. Let make something perhaps a little clearer. The challenge is the definition, because the same kinds of behavior--the same kinds of software can be used for beneficial and non-beneficial uses---- Ms. Bono. Excuse me, Mr. Commissioner, I disagree. I disagree. And you know, first of all, again as I've said, the beneficial use, most companies do inform you that they're going to be collecting data from your computer and they let you know that when you install the software. So that could be covered. We could allow that. The end user license agreement which is pages long, if we simplified to a simple box that would be covered, legitimate software sites could be covered. So I don't even know that you need to differentiate between because they are covered because they are doing that currently. Mr. Thompson. What I'm concerned about is if you define something that is really based on consent and not in more detail about behavior, then the very same thing that people are asked to consent to without any context can be used by that same company in ways that consumers don't want. Ms. Bono. Which leads me, if I can jump because time flies. Mr. Friedberg, can you tell me really fast, according to PestPatrol, there's something called Alexa and Alexa is a new tool bar and apparently it's bundled with Microsoft's Internet Explorer and I understand it collects information from websites that are visited. Can you briefly describe Microsoft's relationship with Alexa? Mr. Friedberg. There are two different versions of Alexa that I know of. One is a tool bar that Alexa offers that's not directly coupled to IE. There's another lighter weight version that's actually in IE that provides something called show related links. The lightweight version that's actually in IE sends an URL to the service and it returns back links that are similar to that link that you might be interested. It's my understanding that that service does not retain or store any data and that the only information that's passed is this URL and it's sent back to the user. I can't speak for what the Alexa tool bar does. You'd have to talk to them and look at their privacy statement and read it very carefully, but again, when you look at the spyware results, when people say something is something on those lists, you have to look very carefully what the criteria is to understand which version of the software they're actually ranking. Just to be clear. Ms. Bono. I look forward to working with you more on it and I know, Mr. Chairman, my time has expired. Thank you very much. Mr. Stearns. I thank the gentlelady. The gentleman from Arizona. Mr. Shadegg. Thank you, Mr. Chairman, I didn't know my time was up. I thought we had to go to the other side. Gentlemen, let me begin with the gentlemen from the FTC. Commissioner Thompson, you said no legislation is needed and you said the FTC Act allows the Commission to take action against deception now. Mr. Beales, you said we have the necessary tools to stop or at least address the practice. So both of you contend we don't need legislation. I want to know how many people you have brought enforcement actions against and achieved a penalty against to date? Mr. Beales. Well---- Mr. Shadegg. My time is very limited, just---- Mr. Beales. It depends exactly what you mean by spyware. There are probably--this is a guess and I'll get you for the record precisely. There are probably 15 or 20 defendants that have been involved in the dialer programs, all of whom have been, all of whom have been penalized in one way or the other. Mr. Shadegg. I would like you to supply to the committee precisely how many you have gone after that you contend could be considered spyware and taken action against. Then I want to know first, right now, what are the potential penalties you can impose? Mr. Beales. We can get full redress for whatever money they have made from consumers and---- Mr. Shadegg. Full redress. Can you impose criminal penalties? Mr. Beales. No, we have no criminal authority. Mr. Shadegg. So full redress means they make $200,000 out of the deal, they steal that from me, you can get back the $200,000. What's the disincentive if all you can get back is what they took from me, what's the disincentive for them to do that again? Mr. Beales. Well, in a typical case, there's not anything like $200,000 left. And---- Mr. Shadegg. I've worked very extensively on identity theft legislation and I guarantee you when your identity gets stolen, it's nearly impossible to quantify the damages people suffer and calculating how much they've suffered is near impossible. The point is in all of criminal law, and I used to work for the Arizona Attorney General's Office, if all you can get back from the bank robber is what he took, there's no disincentive to rob the bank. So I guess my question is do you have the ability to impose penalties beyond what you think they've profited? Mr. Beales. We do not in the typical case of unfair and deceptive practices. Many of the kinds of conduct at issue here may violate other criminal laws. It's common---- Mr. Shadegg. Then I want to know if those criminal cases have been brought. I want to know all of the cases you've brought, all of the penalties you've exacted and then I want to know all of the criminal cases that have been brought that you're aware of against people that engage in this conduct. And I'd like you to supply that to the committee. Is that all right? Mr. Beales. We will be happy to do our best. Mr. Shadegg. Let me move to a separate topic. One of the concerns I have is that in many of these agreements that we talk about you say well, they're legitimate things that are being done. There are also illegitimate things that are being done. What are you doing with regard to what I call fine print permission, that is, I sign an agreement with one of the legitimate companies and buried deep, deep, deep in the fine print is a very, very small disclosure that says I give you permission to get into my computer and do all kinds of things that no rational person would want to do. Are you pursuing that now? Mr. Beales. We think disclosures need to be clear and conspicuous. What that means depends on the consequences of the particular disclosure. Mr. Shadegg. Have you ever looked at the disclosures that are required? Have you brought an enforcement action against somebody? Mr. Beales. We've brought many actions involving disclosures that were not sufficiently clear and conspicuous. Mr. Shadegg. Okay, I'd like you to supply me with a list of those that relate to abuses of, for example, getting into my computer and taking privacy information that I don't approve of. Mr. Beales. I don't think we've brought cases that involved end user license agreements. We've brought numerous cases that involve insufficiently clear disclosures in a wide variety of contexts and the legal principles---- Mr. Shadegg. But not for as an individual consumer? Mr. Beales. I'm sorry? Mr. Shadegg. You said not end user license agreements. I think we're talking about end user license agreements right now, aren't we? It's my computer they're getting into and some would contend with permission because I signed agreement that had a fine print disclosure. Mr. Beales. We have brought numerous cases like that, not in the software context. The disclosure issue though of is it clear and conspicuous is not fundamentally different. Mr. Shadegg. Except we're talking about the software context and if you haven't brought any of the software context, that doesn't sound like that's an enforcement tool that will help solve those problems. I'm going to run out of time. I want to move on, so I'd like to know what you contend fits there. You have said that it would be impossible, Commissioner, to define this issue. I want you to tell me under what circumstances it would ever be appropriate for someone to get into my computer without my permission and monitor every single keystroke of my computer forever and give that information away to somebody else? I mean that's one of the most offensive practices that I think is going on here is they get into my computer. You talked about it. They put a stroke monitor on my computer and they know everything I do on that computer and then they sell that information or use that information. My question to you is, you say it's impossible to define this legislation. Under what circumstances would anyone ever want to have it occur that someone can get into my computer or your computer, monitor every stroke I make without my permission and give that information away or use it for their benefit, every stroke? Mr. Thompson. I can't answer that question because I know that it would bother me and I know that one of the problems with the legislation that's proposed, to the extent to ask you to give permission for context, out of context, you may--what I'm worried about is consumers are going to be asked to say yes to behaviors they don't even know are going to happen. Mr. Shadegg. You just admitted to me that there is never, you can't imagine--and this is your business--you can't imagine a circumstance under which it would ever be appropriate for somebody to get into someone's computer without their permission and monitor every single stroke---- Mr. Thompson. For all circumstances---- Mr. Shadegg. For ever. I understand that when I go into my Bank One account, I have the choice on my computer to say I want to permanently register both my user ID and my password. That's a single transaction. What's going on here is they're in my computer and they do that forever. I quite frankly, and I'm running out of time, I do not see a thing different between that and wiretapping. And we don't say to people who have telephones, you know there's a danger that someone might tap your telephone and listen to all of your phone conversations, so you should buy a device, we should teach you that, we should address this as consumer education, we should teach you that that might happen and then you should buy a device to put on your telephone that stops them from tapping your telephone. And yet what I hear both of you from the FTC saying is that even though someone under spyware can get into your computer, Congressman, and can without your permission put a stroke recorder I think was the term you put on it and record every stroke you make and every stroke your kids make and every stroke your wife makes and know every where you go and everything you do, we think the way to stop that is to tell you, Congressman, is to be aware that it might happen and to make you go buy something to put on your computer to stop it. Mr. Beales. Congressman, I think what we're more worried about is the perfectly legitimate download that you agree to of that keystroke monitor from the help desk---- Mr. Shadegg. No, no, no, no. I never---- Mr. Beales. That's buried in the fine print that gives them permission to do that indefinitely. Mr. Shadegg. I got a flash, I would never ever, ever agree to give permission to someone to monitor every single keystroke of my computer for ever and ever, for a week, for a month. I might give permission for one transaction. I might give it to my bank for two transactions. But that's not the abuse we're talking about and you said it's impossible to write legislation defining this problem and yet the Commissioner just admitted to me that he can't imagine ever a circumstance in which it would be appropriate. Quite frankly, it's simply identical to my having my telephone tapped--I would never give somebody permission to tap my telephone. Mr. Beales. Congressman, I think it's more akin to having an extension on your phone where sometimes somebody picks it up and---- Mr. Shadegg. In my own house? These people aren't in my household. These people are somewhere else, they're miles away and they're doing this without my permission. Mr. Beales. And you invited them in to help you with your transaction. Mr. Shadegg. Exactly, as if I called the car dealer. If I call the car dealer and said I'm interested in a car, I wouldn't have said to that car dealer, oh, by the way, because I called you you have the right to tap my phone for the rest of history. Mr. Beales. I agree. If that was in the consent, I wouldn't think it was adequate, but that's because it's not a consent problem, it's a behavior problem. Chairman Barton. Will the gentleman yield? Mr. Shadegg. I think it is a consent problem and I think the last point here that I want to make is---- Chairman Barton. I would ask unanimous consent that Mr. Shadegg have an additional 2 minutes. Mr. Stearns. Unanimous consent, so ordered. I would point out to the chairman we're going to have a second round here, so I would encourage the gentleman from Arizona to stay around. Mr. Shadegg. Unfortunately, I can't stay around, but I'd be happy to yield. Chairman Barton. If I have a problem with my telephone, I call Southwestern Bell and I say there's something wrong with my phone line. And Southwestern Bell sends a repairman to my house to check the phone lines and hopefully repair it, but the Southwestern Bell repairman doesn't just move in with me. He doesn't say what's for supper and what are you going to be watching on TV and you know. Put a beeper on me so that wherever I go make sure that I'm home in time to cook and clean for him. So I just simply don't understand why we can't agree that these unwanted intrusions should be totally explicitly illegal. We're not talking about asking Microsoft when I buy the computer, we have to sign an agreement to use the Microsoft operating system on the computer. We're not talking about that. We're talking about programs that get put on our computer without our knowledge and are doing things that we don't want to be done and taking information that we don't want to be taken. Do you all agree with that? Mr. Beales. I do. I think it's a question of whether you try to prohibit that and make it illegal under the general approach of the deceptive practices that were used to install it, or whether you try to write legislation that draws bright lines and says you have to do it exactly this way. We agree there's a problem. We agree that the kinds of conduct you're talking about here are illegal. The question is what's the best kind of a statute to address that. Is it the general deceptive practices authority we've already got or is it something more specific that says go through these hoops and that constitutes consent to this keystroke logger that lives there forever. Mr. Shadegg. Let me just tell you where I see you're coming from from my perspective. You're telling us--and I'm a former prosecutor with the Attorney General's Office in Arizona. You're saying current law is adequate to handle this problem. Oh but, we're really not enforcing the law right now. We think you can't define the issue, although I just gave you a definition that neither one of you could say you're right, Congressman, that ought to happen some time. And then your last answer is self-regulation. I am typically a guy who believes very much in industry self-regulation. But Commissioner Thompson, you pointed out that we've got criminals out here engaged in this activity that don't care that it's already illegal. You tell me how the legitimate industries are going to stop those criminals with self-regulation. It's not going to happen. We've got a wide open door for criminals here. Your answer is well, give us time, we may bring an action later. I'm sorry, I just don't think--of course, it's difficult to write a law in any area. We understand that writing definitions in this kind of complex area of any law is very difficult and we don't want overly broad legislation, but I've got to tell you, doing nothing about the fact that somebody can get into my computer and record every single stroke on it and that I ought to try to self-protect against that which to me is wiretapping of the current generation, just makes no sense. I applaud Ms. Bono and yield back my time. Mr. Stearns. The gentleman's time has expired. My unanimous consent, we have a guest who is not a member of the full committee or the subcommittee, obviously. We're going to allow an opportunity for him to ask questions for 3 minutes and then we'll have a second round for anybody who would like to--just for the members, we'll have an opportunity for a second round and Mr. Inslee will be offered one opportunity for 3 minutes. So I recognize the gentleman from Washington. Mr. Inslee. Thank you, Mr. Chairman. First I want to thank Mary Bono for her vision on this to understand that action was needed by Congress and she's been ahead of the curve and I look forward to working with her and others on this. I want to thank the committee chair for allowing me to participate and the reason is that I'll be introducing an alternative, a bill to try to address this very difficult issue. And I believe it is clear that we need to act and I'm disappointed that the Commission has allowed the difficulty of this task to overwhelm the obvious necessity for action here because we do need action. The bill I will be introducing will have two approaches and I think it's a pleasure to hear the testimony of the witnesses because it sounds like we might be on the right track. No. 1, the bill I will be introducing will address behavior, rather than just a designation of type of software and I've heard sort of unanimity of the panel to date, suggesting that that's a model that will allow us to cut with a sharp scalpel, rather than a blunt instrument and that's what we need to do in this highly tech area. Second, it will try to have just in time notice and consent because in thinking through this, to me, having the consumer have the ability to do notice and consent at the time of the execution rather than just even a transmission will be a preferable way to do this. So that's the two thrusts and I look forward to working with the committee members on that. I want to just give the Commission a moment, my take on what is going on is the reason there has been such a spectacular failure by the American government to protect consumers from this outright abuse of their privacy that is going on in hundreds of thousands of cases today is that we have a 20th century law trying to regulate a 21st century type of new technology. And what I hear from the Commission today is kind of like if in the wild West if the bunch rode in and robbed the bank, the regulators are trying to say that the townspeople would say well, let's call for self-regulation. I don't think that's what the townspeople are calling for here. They're calling for a strong sheriff and a clear definition of what is allowable and now allowable. Now isn't it true that the reason that you haven't taken much enforcement action despite these hundreds of thousands of privacy violations is that there is relatively great ambiguity and vagueness that makes prosecution very difficult for you right now because we have so much vagueness in existing law? Mr. Beales. No. Mr. Inslee. Then what is the reason? Mr. Beales. The reason--what limits our ability to bring these cases is that, and your bank robbery analogy is somewhat apt, is the bad guys ride off into the hills. But these are cyberhills and there are no footprints. Mr. Inslee. Well, that just won't wash. In today's technological society so that that we have hundreds of thousands of violations and you can't find a half dozen violators, that doesn't wash. You need to hire some people that come out of private enterprise, if you can't find these guys. My time is limited, I need to ask another question. There was discussion about notice and consent and we'll get to that next round, if you will allow, Mr. Chair. Mr. Stearns. Well, I was just hoping you will participate and I give you that opportunity, but I'll start with myself with the second round of questions and I thank the gentleman. We have the chairman of the Oversight and Investigations Subcommittee and I am very pleased to see him arrive. Before I start, Mr. Greenwood, congratulations and we welcome you here. If you want to have some questions, you're welcome. Mr. Greenwood. I do. Good morning, gentlemen. I apologize for missing the hearing heretofore, but it couldn't be helped. On my home computer, I have experienced what my staff tells me is called browser hijacking. And that is we have a home page that we had set up that's useful to our family and all of a sudden this bizarre home page is there and it won't go away. I keep going back and re-establishing, resetting MSN, I think it is, is our home page and this thing pops up and it's annoying in a lot of ways, but one of the ways it's annoying is if you try to use it as a search engine, it only goes--it doesn't take you where you want to go. It only goes to commercial sites that are trying to sell you something. And my staff fellow who is with me this morning said that he just checked his computer and he has 81 spyware programs that have been stuck into his computer. So the question is first off, can anyone define for me, browser hijacking just so I know we're on the same page. And then has the question--has the FTC taken any actions? I believe there's been a complaint filed by CDT against MailWiper and also against Seismic Entertainment Productions. Has the FTC taken any action with regard to browser hijacking? If so, what is that? And under current laws, would browser hijacking be actionable and does the FTC have additional authority to pursue those actions? There are all the questions and I'd be happy to hear from any of you that would like to comment on any of those questions. Mr. Friedberg. I'll just start by defining browser hijacking for you. It's the changing of the key settings in the browser, specifically the home page or the search page without appropriate notice and choice to the user. Mr. Greenwood. I'm sorry, I was interrupted. Say that again? Mr. Friedberg. It's the changing of the key settings in the browser, specifically the home page and the search page are most common without appropriate notice and choice where you aren't told and you can't undue it. Mr. Greenwood. Is it illegal? Mr. Beales. Yes, it is. We have brought cases that challenged the practice of page-jacking which is essentially the same thing. You try to go to one page and you end up on another. We've challenged that as an unfair practice and have been successful in doing that. Mr. Greenwood. You have been successful. And what consequences have people who have successfully been prosecuted faced? Mr. Beales. That particular case was one that was brought in about 2000, I believe, and I don't know exactly what the sanctions were in that particular case. In general, we can get full redress for consumers who have been injured. We get a permanent injunction---- Mr. Greenwood. What would be--how do you redress me? How do you--my wife has been trying for years, but how do you compensate me fairly for this experience? Mr. Beales. Well, in cases where injury is difficult to assess and this is certainly one, we would frequently go on a disgorgement theory of getting back all the money that whoever was behind this had received. Mr. Greenwood. It's obviously continuing to be done with impunity, the people who do this must not have--they obviously don't think they'll ever be caught or if they think that if they do, they'll make enough money that it will be well worth their effort. What do we do about that? Mr. Beales. We are trying very hard to make sure they're wrong on both counts. Mr. Greenwood. So what should a consumer do? What should I do in this case? What are my options as a consumer to respond to identify the printout, the home page, the uninvited home page and send it to the FTC or what? Mr. Beales. As a way to complain, yes. We would love to hear from consumers about specific complaints. That's very useful to us as the starting point of an investigation. Mr. Greenwood. What's the most difficult--obviously, anyone watching this hearing anywhere in the country right now, I imagine a very significant portion of them, that's exactly what happens to me and they could all make complaints to the FTC. What's your resources limitations have to do with how much action would actually occur? Mr. Beales. What we use our complaints for and if anybody is watching, complaints can go to www.ftc.gov. What we use our complaints for is to identify targets for law enforcement based on the volume of complaints. We do not have the capability to resolve individual complaints, but it does help to figure out what kinds of practices are out there, who is doing them and then target our enforcement actions against those cases. Mr. Greenwood. My time is up, but do plaintiff's attorneys file Class Action suits in these cases with any success? Mr. Beales. I don't know of any in these cases. The problem that we have in terms of financial relief for consumers is that there's not money and that tends to make them unattractive cases for plaintiff's attorneys as well. Mr. Schwartz. In the MailWiper case that you mentioned that we brought to the FTC's attention, there is a class that's bringing a case in North Dakota right now against the same companies that we filed the complaint against. Mr. Greenwood. Thank you, Mr. Chairman. Mr. Stearns. I thank my colleague and I thank him for taking the time to come out. I'll start the second round of questioning. Do any of you know about the law that passed in the State of Utah? Mr. Baker, as I understand, this law allows a private right of action, so what Mr. Greenwood is talking about or Mr. Shadegg is talking about, I think they have a private right of action. Mr. Schwartz, is that correct? Mr. Schwartz. No, you would need to be a website owner or a trademark holder. So unless Mr. Greenwood runs his own website out of his house, he would not be able to sue in the private right of action under the Utah bill, Utah law. Mr. Stearns. Well, I mean I'm trying to get to the point that Mr. Greenwood and Mr. Shadegg touched on. What rights should consumers have in the courts when this occurs? Mr. Baker? Mr. Baker. Speaking to the Utah law specifically, Mr. Chairman? Mr. Stearns. Yes. Mr. Baker. There's great concern among the industry, many, many companies that the Utah law is overbroad. Mr. Stearns. Overbroad. Because it allows too much possibility of litigation? Mr. Baker. Not so much that is that it outlaws too many things and there's great concern that, for instance, a library's attempt to install filtering software to keep children and other patrons free from pornographic websites or parental controls even, that those--that this wall would, in fact, bar applications such as that. I don't think that that's what any of us would be after. So getting back to the House bill, one of the things we like about the pending legislation here is in fact the pre- emption provisions because we are concerned. It would be a cruel irony if, in fact, you have an anti-spyware statute that is so broad that it might even bar the downloading of anti- spyware software. Mr. Stearns. Right, so I think it's important to say we see one State passed a law and we should understand what's good and what's bad about it, so that if we move forward on the Federal, that we not incorporate the bad and try to do what's good. And at the same time, do you think a Federal law should prevent private right of action? Mr. Baker. This is just a personal observation. Mr. Stearns. Yes. Mr. Baker. I'm always a little wary of private rights of actions in Federal legislation and this was one of the things that was debated in the recent Canned Spam Act, for instance. Ultimately did not--was not included, because you do run the risk there of otherwise legitimate companies facing the wrath of multiple lawsuits. Mr. Stearns. And Mr. Friedberg, how do you feel about that, do you agree with Mr. Baker in that respect? Mr. Friedberg. I really can't comment on private rights of action. That's not my expertise. Mr. Stearns. Okay, anyone else? Mr. Schwartz? Mr. Schwartz. We're usually in favor of private right of action in this type of case. It would depend on the definition though if it is overly broad. We would have concerns about how that might be misused in the courts. But generally speaking, we would want to see private right of action in a privacy law that would move forward. Second, the Attorneys General, as well, that's something in the Utah law that Attorney General, even the Attorney General in the State of Utah can't act. That seems to us to be a concern as well. We want to see the Attorneys General have some power as well. Mr. Stearns. I would just say in passing to the Commissioner, we passed the Spam Act which prevents all this spam material coming into the computer and then we passed the Do Not Call List which was saying we didn't want to have telemarketers come into our home. So if you follow the logic in both of these you're vigorously implementing, if we're trying to talk about e-mails and we're talking about telemarketing, it seems to me then the Federal Trade Commission would welcome some kind of Federal legislation to prevent spyware. Does that seem logical? Mr. Thompson. I understand your point. As was said earlier, the devil is in the details. The Canned Spam Act is an interesting piece of legislation. It's still a very significant challenge to get at the worst actors who are involved in spam for a number of different reasons, including the fact that most of the people who are the most egregious actors really don't care about the law. And that's where the real challenges rest. Let me say this too. I don't want the Commission to be characterized as being uncaring or inactive---- Mr. Stearns. No, I want to give you the last word here. Here's your chance. Mr. Thompson. We brought the workshop to bring public attention to this issue. We're asking industry to self-regulate for one very important reason, we want them to begin to outline standards. That's going to be instructive for us on this issue going forward no matter what, not only on talking to consumers about what's good behavior and what's bad behavior, but even in talking to us as law enforcers or talking to legislators about understanding where that line is. Right now, that discussion hasn't really taken place and that's one of the reasons why we've asked for the workshop to begin to outline the parameters of what this issue is about. Mr. Stearns. Thank you. My time is expired. The chairman of the full committee, the gentleman from Texas, Mr. Barton. Chairman Barton. Thank you. I want to ask Mr. Friedberg a question. Your responsibility at Windows is to monitor the privacy protection that is built into the base Windows program, is that right? Mr. Friedberg. Actually, the way I define my job is I would like to think that I make people feel better about using Windows by protecting their privacy, most notably by giving them notice and choice and appropriate control. Chairman Barton. Is it Microsoft's assumption that the computer in a person's home is that person's private property? Mr. Friedberg. Their physical hardware, yes, I believe they license the software from us. Chairman Barton. Is it Windows' position that access to that computer is the prerogative of the person who owns it in their home? Mr. Friedberg. A person should be able to control what goes on in their computer, sure. I don't know,d id that answer your question? Chairman Barton. So if we wanted to postulate such a thing as computer trespass, just like if somebody walks through the physical front door of my home without my permission, they've created a crime. They've trespassed. So if somebody comes into my computer without my permission and I chose to prosecute whoever came in to my computer, I could accuse of them criminal or computer trespass. Now I don't know that there is--I'm not an attorney and this isn't the Judiciary Committee, but the concept of computer trespass. Mr. Schwartz. I was just going to add that the Computer Fraud and Abuse Act is partially aimed at that idea. If there is damages, certain kinds of damages, the Department of Justice is supposed to be able to go after companies that do trespass- caused damage on people's computers. We haven't seen them act in these kind of cases though. Chairman Barton. We're kind of talking past each other. In my first round with Mr. Thompson, Commissioner Thompson and Director Beales, they were talking about deceptive trade practices. I don't consider it a deceptive trade practice when somebody violates my privacy. They've trespassed against me. We all seem to be in agreement that if it was a live person coming into our home, that wouldn't be right unless we wanted them in our home. But when we talk about using the internet to come into our personal computers, then you get into this debate about if it's fair or unfair and all the good things that theoretically happen when people do come into our computers without us knowing about it. Well, I can have a debate that all day, but I want to ask the gentleman from Windows if this concept of computer trespass is something that we can work with? Mr. Friedberg. From a personal perspective it makes intuitive sense to me. I very much believe in making sure there's consent before someone does something on your computer. Chairman Barton. Now I understand that the FTC doesn't have criminal prosecution ability. You're civil. You can fine people, but if we worked with the Judiciary Committee to define as a crime the concept of computer trespass, Commissioner Thompson, is that something that the FTC would be comfortable working with us to get the definition right? Mr. Thompson. We are always happy to work with the committee. Let me just point out a challenge though. The trespass issue is an interesting issue. What I find more often the question is defining when you've actually invited people in and going further is when you've asked them to actually come into your kitchen because you may have asked them to come in to your house, but you may not have asked them to walk around to places where you didn't want them to walk around. Chairman Barton. I understand that. And I from time to time on my personal computer in Inez, Texas have downloaded Windows software and I have downloaded game, videogame software from certain companies and I wanted that. Now if they put something on my computer when I downloaded what I wanted that I didn't know about to track my behavior, I want to put a stop to that. If I open my door and there's somebody from Amway outside the door wanting to sell me a product, I can make a decision and invite them in and buy the product or not buy the product. And even to this day and age, Inez, Texas is a small enough town that we do have some door to door salesmen and saleswomen still come by and I'm okay with that, so I want to apply that same concept of privacy, the physical front door, to the computer front door. And I want the Microsoft people to help us and I want the FTC people to help us and at a certain point in time, we want the Department of Justice to help us. If you all understand that, then we're going to be okay. Nobody is trying to prevent a legitimate business entity from providing a product that is wanted to the end user in their home. We're all, I think, trying to prevent the unwanted intrusion that is used for purposes that we have not approved and most of the time without our even knowing about it. That's what we're trying to prevent. Mr. Friedberg. We are very eager to work with anyone who is trying to address this problem. Chairman Barton. With that, Mr. Chairman, I'm overextended again and I'm going to yield back. Mr. Stearns I thank the chairman. Chairman Barton. Let me say one final thing. I don't want anybody to be under the impression that this hearing is just a hearing and nothing is going to happen. We are going to move heaven and earth to work on a bipartisan basis to modify the Bono Bill and move it at subcommittee and at full committee and onto the floor and through the House and hopefully get a companion bill in the Senate and go to conference and get a conference report that's passed by the House and the Senate this year. I'm not guaranteeing that that will happen, but that is the intent of this hearing to start the process, regular order to make that possible. Mr. Stearns. I thank the chairman. The gentlelady from California. Ms. Bono. Thank you, Mr. Chairman, I kind of liked it up there in that big fancy chair, but I'm happy to be back here and to Chairman Barton, also you forgot the best part of due process and that was where the President signs the bill, ultimately, so I'm looking forward to that day as well. Chairman Stearns has mentioned repeatedly, I believe, about what will become a patchwork of State laws and we've seen the Utah bill. There's also a pending bill in State legislature of California that was introduced in February. Now as I understand the language, and what it does, they say it prohibits a person or entity conducting business in California from hijacking a user's computer, from inhibiting the termination of a computer program and from surreptitious surveillance of a user's computer in California. I don't know that that protects the California consumer, but I know that lends to the nightmare of patchwork of different State laws, so I think that further gives weight to what we're trying to do here. I also want to point out that California was the first State to pass anti-spam legislation. Commissioner Thompson, I understand you opposed anti-spam legislation on the Federal level. Is that true or did you support anti-spam legislation? Mr. Thompson. I don't believe I expressed opinion one way or the other. Ms. Bono. Okay, did the FTC oppose originally? Mr. Beales. The FTC at various points along the way did not recommend legislation. Ms. Bono. Okay, and are you using it now? Mr. Beales. Well, when canned spam passed, it was with the Commission's support. We are announcing our first case is today. Ms. Bono. Great news. Hopefully that will be the same case here, that we're going to turn you guys around too and we'll be one big happy family. But on to Microsoft, you mentioned a problem with my bill and I wanted a one-step removal tool. As I understand it, with Kazaa or a real fun version of spyware, adware, I guess Bonzi Buddy. If you guys are parents, you know what I'm talking about, this cute little purple gorilla swings suddenly on your monitor, and kids love to download this little Bonzi Buddy. But to remove it is nearly impossible, and when we've tried to remove little Bonzi Buddy, the purple gorilla, he somehow comes back. Is it that impossible? Microsoft, with all of these programs, especially Windows XP, why can't we do one step removal tool? Mr. Friedberg. Well, actually, it largely due to the bad actor in this case. If they don't provide that kind of functionality when they install the software, it's going to be hard to figure out how to remove it. I totally advocate the goal of trying to make things as easy for people to uninstall as possible. The only trick, again, the devil is in the details is that software is a complex kind of beast and there's scenarios where it's very hard, if not impossible, to remove parts of software without removing larger chunks of things. You can't remove things, for example, that are already in use by other programs and certain things that might be for security, you might want to think twice about removing. Trying to get it right in codifying into law how an uninstall should work is what's the challenge, not the intent of having control over your system. Fully agree, we want to be able to get rid of stuff when we don't want it. At a minimum, disable it, neutralize it and at best actually not having any remnants left over. It's just kind of challenging to do it in all cases. Ms. Bono. It's like those little .dll files, isn't it? Mr. Friedberg. The problem is legitimate software has reasonable scenarios where uninstall is just not that easier. It's the way software is. Ms. Bono. Well, it seems to me that if this law were passed, that when people installed this onto computers, they would just have to come up with a way to do it, and it's common sense to me if you instruct him to build a program that way that they could. If we don't tell them to do it, they're not going to do it. But is it your understanding to? Am I missing something on removing Bonzi Buddy and Kazaa? Are they sort of self-perpetuating? Mr. Friedberg. There's this other kind of problem and some people call them tickler applications and stuff like that. They'll actually attempt to reinstall a piece of software after you've deleted it. I consider this very deceptive practice since it's a covert install and hopefully there are laws already that sort of address this kind of behavior. Ms. Bono. How is that different than a virus? I understand how it's different than a virus, but I'm hoping you'll answer the question the way I want you to answer it. A virus we all see as detrimental because it's self-replicating and it passes from computer to computer without knowledge. But suddenly now because somehow you've downloaded this thing and it's not self- replicating, just because it's passed on by a third party, in a sense it is a virus. I see it as a virus without the self- replicating tool, but it's just as harmful as a virus is. Mr. Friedberg. Along those lines, when you look at a virus, people talk about viruses because of how they propagate, as you point out. And it's the payload inside the virus that's the issue. I mean some viruses might be benign in terms of how they actually do what they do. They may just count things or something, who knows? But it's what the payload is doing and if someone is doing something destructive on your machine, they should be punished, regardless of how it got there. Ms. Bono. Thank you. Can you briefly define for the sake of refining my legislation two points, why a cookie is not considered spyware? Mr. Friedberg. A cookie is just a simple data storage facility. It makes life easier for people who may surf the web in order to keep state. It's not an active component and the way the web is set up, these cookies are only read by the websites that put them there. It's their local storage to make life easier for you. It's up to them, the site that you're going to, to tell you what they're going to do with the cookie and you now, if they're going to track you or do some kind of behavior like that, it needs to be in their privacy statement. But cookies in themselves are not necessarily anything worse than a file. Ms. Bono. Thank you. Also, are there any type of spyware functions that are utilized in good ways for the enabling of e- mail or instant massaging? Mr. Friedberg. I just think of spyware using that term as something that's a negative. I would never consider something spyware as being a positive thing. The functions of spyware may have positive elements. For example, tracking. I know I got to Amazon.com and I get suggestions for books I might want to read that are similar to other books and I like that. I call that personalization when the tracking is done with my consent. I have control over it and it's to my benefit. So tracking is not the problem. It's unauthorized tracking or covert tracking which is spying. I can't imagine a time where that's valid, except for maybe some small examples, for example, as a parent, maybe you want to track the behaviors of your children and you want to have the right to be able to put some kind of key logger to be able to see what they're doing. If that's okay by local law, then that should be permitted. Likewise an employer/employee relationship. If it's allowed that you can monitor employee behavior, you're going to use one of these tools that we talked about and that's a valid, potentially legal use that makes sense. Ms. Bono. Actually, the bill clearly defines those two uses as fine. But also, I always think that's sort of repetitious anyway because the owner of the computer is generally the parent, first of all. So you're installing it on your own property and I would think the same with an employer, but we do define those two in the bill. Mr. Chairman, I have gone over my time. I just really want to thank you for this hearing and thank our panelists. I really look forward to passing something that protects the American consumer and continues to broaden the American experience with computers. Mr. Stearns. I thank the gentlelady and we'll conclude our hearing. Mr. Friedberg, I think you answered her question when the question was it's not easy to take the spyware off your computer. If I went back to my computer without having a high tech person, I couldn't do it, could I? Mr. Friedberg. Actually, what I recommend to people nowadays is to use a third party and a spyware tool. Mr. Stearns. You need a spyware tool, you need a third party and somebody needs to have technical expertise. Mr. Friedberg. As of today. Mr. Stearns. As of today. Mr. Friedberg. That's the situation. These things are relatively new and people are just trying to catch up with the way that they're doing what they're doing. We would like to see longer term solutions that are more holistic, especially in the technology area because we have some control over that, that make it less likely that this can happen to you. Mr. Stearns. But I think it goes to the heart of what Ms. Bono has mentioned is, in the heart of the discussion today is that the average consumer cannot take these off themselves and second, they don't even know they're on the computer. Mr. Friedberg. I can't take them off myself. Mr. Stearns. You can't. Mr. Friedberg. I use a third party tool at this point. Mr. Stearns. Okay. Mr. Friedberg. And I'm looking for relief as well. Mr. Stearns. I'll just conclude by saying that I think spyware is not just at our gates, but through the gate, through the door of our homes and now in our computers with full spying privileges and I think this hearing has brought a lot of information to the forefront and helps obviously all of us as legislators to think this through and try to come up with legislation which is balanced and I want to thank all of you for your time and your patience. With that, the subcommittee is adjourned. [Whereupon, at 12:22 p.m., the hearing was concluded.] [Additional materal submitted for the record follows:] Prepared Statement of Roger Thompson, Vice President of Product Development, PestPatrol, Inc. Mr. Chairman and Members of the Subcommittee, thank you for the opportunity to submit comments on the important issue of spyware and its threats to the security and privacy of consumers and businesses. Before I offer an assessment of the situation and possible actions to address it, let me provide a brief overview of my company. PestPatrol was founded in May 2000 by a team of security software professionals to counter the growing threat of malicious non-viral software. We are the leading provider of anti-spyware software to consumers. Our database of malicious code--what we call ``pests''--is the most extensive in the industry and serves as the basis for many of the research results about which we read in the press. Definition Debate No one debates that spyware is becoming a relentless onslaught from those seeking to capture and use private information for their own ends. However, there continues to be much debate about what constitutes spyware. While that debate is an important one in terms of possible remedies, we can count the cost that unfettered spyware is having on individual users as well as on corporate networks. Regardless of whether we agree to divide the term spyware into various subsets such as adware or malware, the truth is that any software application, if it is downloaded unknowingly or unwittingly, and without full explanation, is unacceptable and unwelcome. At PestPatrol we define spyware as any software that is intended to aid an unauthorized person or entity in causing a computer, without the knowledge of the computer's user or owner, to divulge private information. This definition applies to legitimate business as much as to malicious code writers and hackers who are taking advantage of spyware to break into users' PCs. Spyware Dangers Real and Extensive The dangers of spyware are not always known and are almost never obvious. Usually, you know when you have a virus or worm--these problems are ``in your face''. Spyware silently installs itself on a PC, where it might start to take any number of different and unwanted actions, including: ``Phoning home'' information about you, your computer and your surfing habits to a third party to use to spam you or push pop- up ads to your screen Open up your computer to a remote attacker using a RAT--a Remote Access Trojan--to remotely control your computer Capture every keystroke you type--private or confidential emails, passwords, bank account information--and report it back to a thief or blackmailer Allow your computer to be hijacked and used to attack a third party's computers in a denial-of-service attack that can cost companies millions and make you liable for damages Probe your system for vulnerabilities that can enable a hacker to steal files or otherwise exploit your system. The newest threat is that of large numbers of captured personal computers mobilized into ``Bot Armies'' and used to launch highly organized Distributed Denial of Service (DDoS) attacks aimed at disrupting major business or government activity. Individual PC users are never aware that their machine is being used to disrupt internet traffic. There is currently little or no recourse to a legal solution even if the occurrence can be monitored. Many PC users have unwittingly loaded, or unknowingly had spyware downloaded onto their computers. This happens when a user clicks ``yes'' in response to a lengthy and often extremely technical or legalistic end user licensing agreement. Or it happens when a user simply surfs the web, where self-activating code is simply dropped onto their machines in what is known as a ``drive-by-download.'' Spyware Harms Computer Performance The misuse of technology and hijacking of spyware is a real and present danger to security and privacy. Unfortunately, the ill effects of spyware do not stop there. Spyware seriously degrades computer performance and productivity. Testing earlier this month at the PestPatrol research laboratory revealed that the addition of just one adware pest slowed a computer's boot time--the amount of time it took to start up and function--by 3.5 times. Instead of just under 2 minutes to perform this operation, it took the infected PC close to 7 minutes. Multiply that by a large number of PCs and you have a huge productivity sink hole. Add another pest and the slow-down doubles again. We also tested web page access, and again it took much longer once a pest was added to a clean machine. Almost five times longer in fact for a web page to load on an infected PC. The pest also caused 3 web sites to be accessed, rather than the one requested, and caused the PC to transmit and receive much greater amounts of unknown data--889 bytes transmitted compared to 281 transmitted from the clean machine, and 3086 bytes received compared to 1419 bytes received by the clean machine. This translates into significant increases in bandwidth utilization. Managing bandwidth costs money. Increased costs due to unnecessary consumption of bandwidth on individual PCs, and the necessary labor cost in rebuilding systems to ensure they are no longer corrupt is virtually unquantifiable. It's likely quite large. System degradation is time consuming for the individual PC user and even more so for network administrators managing corporate networks. Even new PCs straight from the factory come loaded with thousands of pieces of spyware, all busy ``phoning-home'' information about the user and slowing down computing speeds. Users do not invite this spyware onto their machines and should not have to live with it. Clearly this level of infestation is stepping beyond the bounds of what is fair and reasonable. Solutions On the basis of our extensive work in this area, we at PestPatrol believe only a combination of consumer education and protection, disclosure through legislation, and active prosecution will provide the answer needed to address the spyware threat. None of these solutions by themselves is enough. While we advocate and applaud industry self- regulation, we do not believe that it alone will be speedy or dramatic enough to address the spyware problem. The first line of defense is education and protection. Any individual or business connected to the Internet today has to realize they are part of a complex network that is inextricably intertwined. Creators of spyware take advantage of that fact, plus the knowledge that most PC users are not sophisticated technologists. As an industry, we have begun to make computer users aware of the spyware threat by the creation of and active outreach by several groups and organizations. PestPatrol is a founding member of the Consortium of Anti-Spyware Technology, or COAST, a non-profit organization of anti-spyware companies and software developers committed to best practices. Consumer education about spyware and promotion of comprehensive anti-spyware software aimed at detecting and removing unwanted pests is fundamental to our outreach. Our efforts are modeled after the decade- long effort by anti-virus software companies to raise awareness about virus threats. However, we also acknowledge that consumers, precisely because of the insidious nature of spyware, can only do so much to protect themselves, and cannot be alone responsible for controlling the spread of spyware. Which brings us to the second line of defense--disclosure legislation. All applications, including those that are bundled and downloaded along with free software and with legitimate commercial applications, should be readily identifiable by users prior to installation and made easy to remove or uninstall. It is this transparent disclosure, and the ability of consumers to decide what does and does not reside on their systems, that needs to be legislated. Consumers should have the ability to make fully informed decisions about what they choose to download onto their machines, while understanding the implications of doing so. The third line of defense is aggressive prosecution. The deceptive practices employed by many spyware developers are already illegal under existing laws against consumer fraud and identity theft. Law enforcement agencies at the federal and state level should be encouraged to more aggressively pursue and prosecute those who clandestinely use spyware to disrupt service, steal data or engage in other illegal activity. A greater focus on spyware and the necessary allocation of resources to pursue this criminal activity is vital. Spyware is a significant threat to the effective functioning and continued growth of the Internet. It is more than a nuisance. Given the dangers it represents, it is important that consumers, business and government work together to address the issue and safeguard the productivity and utility of the Internet computing environment. I sincerely appreciate the opportunity to present my company's ideas on how to achieve this goal. Thank you. ______ Prepared Statement of Webroot Software, Inc. Webroot Software, Inc. appreciates the opportunity to provide written comments in conjunction with the Subcommittee's hearing on spyware. The hearing title is most appropriate. Spyware presents a serious problem for both the public and businesses, yet there is still minimum awareness about the significant risks associated with the rapid growth of spyware. Experts at Fighting Spyware Webroot Software, Inc., was founded in 1997 to provide computer users with privacy, protection and peace of mind. Today, Webroot provides solutions and services for millions of users around the world, ranging from enterprises, Internet service providers, government agencies and higher education institutions, to small businesses and individuals. Among its award winning products is Spy Sweeper, winner of PC Magazine's 2004 Editors' Choice award. The magazine's objective review of 14 spyware detection products found: ``Spy Sweeper is the most effective standalone tool for detecting, removing and blocking spyware.'' In the April 5 issue of Business Week, Stephen Wildstrom, author of the ``Technology and You'' column also recommended Spy Sweeper, referring to Webroot as the ``established leader'' in the market. Webroot's world headquarters is located in Boulder, Colorado, with a European headquarters in Frankfurt, Germany, and sales offices in Chicago, London, Amsterdam, and Paris. Webroot products are sold online at www.webroot.com, and at leading retailers around the world, including Best Buy, CompUSA, Circuit City, Fry's, Staples and MicroCenter. In addition, Webroot provides a full suite of privacy and security solutions designed to help ISPs like Earthlink provide value- added products and services to their customers. Every day, Webroot employees talk to computer users in the U.S. and Europe who are being negatively impacted by spyware that has found its way onto their computers. Webroot is on the front lines fighting spyware, but Congress and the Federal Trade Commission (FTC) have critical roles to play on this issue to increase public awareness, develop and reinforce clear rules, and actively enforce the law. Defining Spyware In 2003, Webroot helped to found the Consortium of Anti-Spyware Technology vendors (COAST), a non-profit organization established to facilitate collaboration among spyware detectors and increase awareness of the growing spyware problem. COAST defines spyware as: Any software program that aids in gathering information about a person or organization without their knowledge, and can relay this information back to an unauthorized third party. ``Without your knowledge'' and ``to an unauthorized third party'' are key components of this definition. The FTC recently held a workshop on spyware, which they appropriately titled: ``Computer Monitoring Software on Your PC: Spyware, Adware, and Other Software.'' As the problem of spyware has grown, a slew of new words have surfaced. For informational purposes, we have attached as an appendix the glossary of spyware-related terms developed by COAST. From a pure technology point of view, there is little difference between computer monitoring programs that serve legitimate purposes and those that put your privacy and personal information at serious risk. For example, a keylogger program like ChildSafe, a Webroot product, provides parents with the ability to monitor their childrens' online activities by tracking what the child types on the keyboard. A functionally similar keylogger program installed without permission by JuJu Jioang on computers in at least 15 Kinkos stores provided him with personal information about over 400 people, which he used to open back accounts and commit other illegal activities. Fortunately, that was one case that the government successfully investigated and prosecuted, but there are many more cases where the perpetrators are not yet identified, or even worse, where the victims do not even know they are victims. Thus, there is not a technological definition for spyware. The definition is contextual--how the program came to reside on your computer is a threshold question to defining it as spyware. The Anatomy of Spyware There are many kinds of programs that fit within this definition of spyware. The COAST glossary attached as an appendix provides a more complete list, but there are four most common forms of spyware. Back Door Trojans are malicious programs that appear as harmless or desirable programs. Back Door Trojans deploy remote access tools, allowing hackers to gain unrestricted access to a user's computer. Trojans can be deployed as email attachments, or bundled with another software program. Keyloggers are programs that can monitor and record the user's every keystroke. Key loggers can be used to gather sensitive data such as username and password, private communications, credit card numbers, etc. System Monitors are applications designed to monitor computer activity. These programs can capture everything that is done on a computer. Information can be received at the computer, through remote access, or scheduled emails. Adware is advertising supported software that displays pop-up advertisements whenever the program is running. Once installed, these programs will download and install new software and data files-- advertisements, etc.--based on user activities such as websites visits. Unlike a virus that many users get in the same way at the same time, spyware finds its way onto your computer through multiple channels at multiple times. Spyware may arrive bundled with freeware or shareware, through peer-to-peer downloads, attached to or embedded in email or instant messenger communications, as an ActiveX installation, or it may be placed on your computer accidentally or deliberately by someone with access to it. Once on your system, spyware secretly installs itself and goes to work. Anti-virus software does not offer protection from spyware because spyware is not viral. Since it attaches itself to legitimate downloads, spyware can often pass easily through firewalls unchallenged. And by intertwining itself with files essential to system operation, spyware cannot be safely removed by simply deleting files with a system- cleaning tool. In its most benign form, spyware can significantly slow systems down and result in more pop-up ads than usual. The more malicious spyware programs can lead to identity theft, theft of intellectual and other property, and data corruption. Unlike personalization or session cookies, spyware is difficult to detect, and difficult (if not impossible) for the average user to remove manually. Some of the types of information collected by spyware programs without the knowledge of the computer owner are: Usernames and Passwords Electronic Assets Browsing Habits Applications Used Personal Information Email & IM Conversations IP and Trade Secrets Financial Records Customer Databases Spyware can execute unwanted, unauthorized, and/or inappropriate code and use vital system resources. Spyware programs can be used to facilitate the unauthorized use of your machine for things like: Email Forwarding to Send Spam Background Computing Hacker Attacks While some argue that spyware is installed with the user's knowledge (although the user may not understand exactly what s/he has done), most of the time it is installed surreptitiously as part of another program installation. Even if the bundling of software and information tracking practices are disclosed to the consumer through the End User License Agreement (EULA), such disclosures are rarely clear and conspicuous. Even when they exist, notices often fail to provide users with a real understanding of what information will be collected and how the entity collecting the information will use it. A Real and Growing Problem Earthlink and Webroot collaborated in the first quarter of 2004 to offer a free SpyAudit to Earthlink subscribers. On April 15, 2004 the companies jointly released the findings for January 1, 2004 through March 31, 2004. During that timeframe, 1,062,756 spyware scans were run, identifying a total of 29,540,618 instances of spyware, meaning roughly 28 instances of spyware per PC. Of particular concern, were the large number of System Monitors and Trojans found which accounted for 369,478 of all the spyware instances found. Expert reports have estimated that 9 out of 10 PCs in the United States are infected with spyware. Studies have often showed that spyware is growing at a much faster rate than computer viruses. Responding to Spyware The unfortunate reality is that there is probably no way to completely eradicate spyware. The Internet is global, which makes establishing and enforcing legal standards challenging. There are also significant economic drivers that make the creation and dissemination of spyware very appealing to many people, both in the U.S. and abroad. The combination of a profit-driven motivation, coupled with the vulnerability of personal information, makes spyware unique and more threatening than many other online security and privacy concerns, like viruses and spam, which the government has addressed in the past several years. It is clearly going to take a combination of technology, public education, sound public policy and strong enforcement to address this problem. To that end, we applaud the efforts of Congresswoman Bono, Congressman Towns, Senators Burns, Boxer and Wyden and the FTC to call attention to the serious negative impacts that spyware can have on the public and the economy. Increased awareness and education about spyware is essential to effectively deal with the problem. Certainly, regulating technology-related issues is inherently tricky, but this is not an issue that will go away by itself, and industry self-regulation is unlikely to adequately address the issue in a reasonable time frame. Congress has an opportunity to address this issue before it becomes debilitating. H.R. 2929 and S. 2145 offer alternative approaches, both with good qualities. We urge that this issue not be set aside to resolve itself--because it won't. We are on the front lines of this arms race, and we need reinforcement in the form of clear rules related to spyware to help us effectively fight for businesses and consumers who need to retain control over their PCs. We appreciate the opportunity to share our views with the Subcommittee. Glossary of Spyware Related Terms Developed by the Consortium of Anti- Spyware Technology Vendors Adware: Often used as a term for spyware, it is preferred and used by makers of software that include ad-serving mechanisms. Adware is advertising-supported software that displays pop-up advertisements whenever the program is running. Browser Helper Object (BHO): A small program that runs automatically every time an Internet browser is launched. Generally, a BHO is placed on the system by another software program and is typically installed by toolbar accessories. They can track usage data and collect any information displayed on the Internet. Bundled: An arrangement in which one or more software programs are included with another program, for technical reasons or because of a business partnership. Many instances of spyware installations come through bundling. Cookie: A mechanism for storing a user's information--such as login information and passwords, or a user's previous activity on a site--on a local drive. Dialers: Dialers are software that, once downloaded, disconnects the user from his or her modem's usual Internet service provider, connect to another phone number, and the user is then billed. Drive-by Download: While not a piece of spyware itself, this misleading dialogue box serves as a gateway for the stealth installation of spyware applications. In some cases, spyware can be installed even if the user does not choose the ``yes'' or ``accept'' button. File-sharing programs: These are software applications that allow the exchange of files (especially music, games, and video) over a public or private network. See Peer-to-Peer. Freeware: Software that can be downloaded and shared at no cost. Hijacker: Hijackers typically come in two categories, Browser/Page Hijackers and System Hijackers: Browser/Page Hijackers: Applications that attempt to take control over a user's home page or desktop icons, resetting them to a pre- determined website destination. System Hijacker: Software that uses the host computer's resources to proliferate itself or use the system as a resource for other activities. This taxes the host computer's resources, negatively affecting computer and Internet speeds. KeyLoggers--See System Monitors. Opt-in: An online process by which a user chooses to receive information (such as e-mail newsletters) or software, often by checking a check box on a Web page or software installation screen. Opt-out: An online process (such as un-checking a pre-checked box) by which a user actively chooses not to receive information, such as e- mail newsletters or software. Actively opting out will prevent a user's information from being a shared with businesses. Users should be warned that most ``opt-out'' options are actually a scam that serves to confirm legitimate/active email addresses. Privacy experts recommend that users do not use the ``opt-out'' option unless they are personally familiar with the company where the email originated. Parasite: A parasite is unsolicited commercial software or programs installed on a computer for profit without the consent or knowledge of the user. Parasiteware: Parasiteware is the term for any Adware that by default overwrites affiliate-tracking links. This behavior is viewed as parasitic because this software diverts affiliate commissions and credits the affiliate's income to another party. To the end user, Parasiteware is not a serious security threat. See Thiefware. Peer-to-peer (P2P): A method of file sharing over a network in which individual computers are linked via the Internet or a private network to share programs/files, often illegally. Users download files directly from other users' computers, rather than from a central server. Many P2P programs bundle third-party advertising programs, and are currently the second largest source of virus, Trojan and data mining infections. Remote Administration Tools/ RATs: Some Trojans, called RATs (Remote Administration Tools), allow an attacker to gain unrestricted access of a computer whenever the user is online. The attacker can perform activities such as file transfers, adding/deleting files, and controlling the mouse and keyboard. Scumware: A slang term for spyware or any unwanted software/ programs installed on your computer. Shareware: Software that is distributed--usually via the Internet and or CD-Rom--for free and on a trial basis. System Monitors/Keyloggers: These applications are designed to monitor computer activity to various degrees. They can capture virtually everything a user does on his or her computer, including recording all keystrokes, emails, chat room conversations, web sites visited, and programs run. Thiefware: Thiefware applications steal affiliate commissions by either overwriting tracking cookies or spawning new windows to redirect traffic from search engine keywords or other websites. This practice, while not currently illegal, is considered unethical among those in the merchant/affiliate community. See Parasiteware. Tracking Cookies: Not to be confused with personalization cookies (which allow users to customize pages and remember passwords), some web sites now issue tracking cookies. Tracking cookies allow multiple web sites to store and access records that may contain personal information (including surfing habits, user names and passwords, areas of interest, etc.), and subsequently share this information with other web sites and marketing firms. Trojan Horses: Trojans are malicious programs that appear as harmless or desirable applications. Trojans are designed to be actively harmful to PCs by intentionally damaging PC operating systems, other software or hard drives. Trojans are generally distributed as email attachments or bundled with another software program (often fraudulent versions of legitimate software). Web bugs: A file, usually a small or invisible graphic image, that is placed on a Web page or in e-mail to allow a third party to monitor user behavior. ______ Downloading Shared Files Threatens Security by Sgt. 1st Class Eric Hortin FORT HUACHUCA, Ariz. (Army News Service, April 22, 2004)--People spend hours in front of their computer screen, downloading music or new movies from the Internet, and not paying a cent, the Army considers such action on government computers to be a security threat. One program that is used to downloaded files is Peer-to-Peer (P2P) architecture. It is a type of network in which each workstation has the capability to function as both a client and a server. It allows any computer running specific applications to share files and access devices with any other computer running on the same network without the need for a separate server. Most P2P applications allow the user to configure the sharing of specific directories, drives or devices. In a white paper written by the Army's Computer Network Operations Intelligence section, unauthorized P2P applications on government systems, ``represent a threat to network security.'' ``The idea of someone else getting unfettered access to anything of yours without your explicit consent should scare anybody--and that's exactly what P2P authorizes,'' says Zina Justiniano, an intelligence analyst with the U.S. Army Network Enterprise Technology Command's (NETCOM) Intelligence Division, G2. ``P2P is freeware. Freeware, shareware--most of the stuff that you pay nothing for, has a high price. The fact that it's free says that anybody and their cousin can get it; that means that anybody and their cousin can get to your machine.'' P2P applications are configured to use specific ports to communicate within the file sharing ``network,'' sometimes sidestepping firewalls. This circumvention creates a compromise and potential vulnerabilities in the network that, in a worse case scenario, can lead to network intrusions, data compromise, or the introduction of illegal material and pornography. There is also the issue of bandwidth. Since the start of the global war on terrorism, the most pressing issue from service members in the field has been the shortage of bandwidth to transmit battlefield intelligence to combatant commanders. The average four-minute song converted into an audio file recorded at 128-bit, can be upwards of 5 megabytes. Full-length video MPEG files can easily reach 1.6 gigabytes. Depending on the connection speed, even a small file may take several minutes to hours to download, using valuable bandwidth. Unauthorized use of P2P applications account for significant bandwidth consumption. It limits the bandwidth required for official business, and storage capacity on government systems. While those who monitor the Army networks agree that copyright infringement is a valid issue, they do have other, more important concerns. There are several known Trojan horses, worms and viruses that use commercial P2P networks to spread and create more opportunities for hackers to attack systems. Trojan horse applications record information and transmit it to an outside source. They can also install ``backdoors'' on operating systems, transmit credit card numbers and passwords--making these malicious programs a favorite of hackers. Some of the malicious codes allow hackers to snoop for passwords, disables antivirus and firewall software, and links the infected system to P2P networks to send large amounts of information (spam) using vulnerabilities in Windows operating systems. ``If it's a really good Trojan horse, it will actually run two programs; it will run the program they said they were going to run, so they will not only download it, but they will install it and be very happy that it's there,'' Justiniano said. ``Meanwhile in the background, another program is doing malicious damage to the computer by either damaging files or possibly taking files off the computer without your knowledge. If it's a really nice program that runs well, (the user) will pass that file over to someone else because they really got their money's worth out of it. People will just keep passing it along.'' Trojan horses are not the cause of all security issues. Oftentimes, ``spyware'' applications are installed with the users consent; it's buried in the really long agreement that nobody reads that a user must click, ``I Accept,'' in order to begin the installation. This is especially true with free-ware applications downloaded from the Internet. According to published reports, a couple of years ago, some P2P applications came packaged with a spyware application that acted as a Trojan horse. This specific program sent information to an online lottery server. Those are just a couple of reasons the Army doesn't want its people loading P2P on their systems, and enacted regulations prohibiting loading those applications. The Army's regulation on Information Assurance, Army Regulation 25- 2, specifically prohibits certain activities; sharing files by means of P2P applications being one of them. There are some, however, who have P2P applications on their Army systems and use them despite the prohibition of such activities. Over a two-month period at the end of last year, government organizations identified more than 420 suspected P2P sessions on Army systems in more than 30 locations around the globe. It seems some don't understand or haven't read the standard Department of Defense warning that says, ``Use of this DOD computer system, authorized or unauthorized, constitutes consent to monitoring.'' For those who think, ``How are they going to know it's me? I'm just one person in a network of hundreds of thousands,'' don't be surprised when network access is cut off and the brigade commander is calling. It is the role of the Theater Network Operations and Security Center, located in Fort Huachuca, Ariz., to monitor and defend its portion of the Army network. This includes identifying potential security risks to the network, and unauthorized P2P applications, which create a considerable risk to those networks. ``People shouldn't assume they are using P2P applications in secrecy,'' said Ronald Stewart, deputy director of the C-TNOSC. ``We are able to detect use of P2P, and when we do, we take measures. We can detect and identify systems with P2P software on them; and when we find them, we direct the removal of the software from the system through the command chain.'' Some Soldiers try to work around the Army networks to feed their P2P habits. Lt. Col. Roberto Andujar, director of the C-TNOSC, says using the Terminal Server Access Controller System (TSACS) to dial into the military network is not a work-around, because there are tools in place to identify P2P traffic. Methods commonly used by commercial industry, such as Internet Protocol (IP) address and port blocking, random monitoring, and configuring routers are some of the methods the C-TNOSC and installations take to prevent P2P access. There are other methods used, but specific examples cannot be discussed. Commanders who unwittingly allow P2P to run unchecked on their networks are not exempt from liability. Commanders may be held personally liable for any illegal possession, storage, copying, or distribution of copyrighted materials that occurs on their networks. Soldiers, civilian employees and contractors face even tougher penalties. People using P2P on government computers can to look forward to other possibly harsher punishments depending on the kinds of files the users are sharing. ``Say you have a Soldier downloading music through P2P, in violation of copyright rules,'' said Tom King, a legal adviser with NETCOM. ``The people who own the copyright can actually sue that Soldier. Then you have the issue that he's violating a lawful order. Then you have the issue that it's a misuse of government time and misuse of a government resource. He can be in a world of hurt. Then he's also exposing the Army network to hacking attacks.'' ``Prosecutions are on the rise. Discipline is on the rise. People are taking this stuff more and more seriously all the time,'' King said. ``People just don't understand that there's a price to be paid for this.'' Not understanding seems to be the main reason P2P applications keep showing up on Army computer systems. ``User education is one of the keys,'' said Kathy Buonocore, chief of the Regional Computer Emergency Response Team. ``Some users don't know it's illegal.'' ``When I call some commanders and tell them, they say, `What's P2P?' '' Andujar said. ``Commanders have to be educated and take action.'' Education has to extend down to the organization administrators. Justiniano says those who have administrator privileges on government computer systems are the ones loading the unauthorized programs. To prevent this, system and network administrators should configure systems correctly, so users cannot install unauthorized software. ``There are very few benefits that are not addressed somewhere else, that do not include the risk of P2P software,'' Justiniano said, adding that the use of Army Knowledge Online knowledge centers and secure File Transfer Protocol sites are their preferred method of file sharing. (Editor's note: Sgt. 1st Class Eric Hortin is a journalist for the U.S. Army Network Enterprise Technology Command.) <all>