<DOC> [109th Congress House Hearings] [From the U.S. Government Printing Office via GPO Access] [DOCID: f:99899.wais] COMBATING SPYWARE: H.R. 29, THE SPY ACT ======================================================================= HEARING before the COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED NINTH CONGRESS FIRST SESSION __________ JANUARY 26, 2005 __________ Serial No. 109-10 __________ Printed for the use of the Committee on Energy and Commerce Available via the World Wide Web: http://www.access.gpo.gov/congress/ house U.S. GOVERNMENT PRINTING OFFICE 99-899 WASHINGTON : 2005 _____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512ÿ091800 Fax: (202) 512ÿ092250 Mail: Stop SSOP, Washington, DC 20402ÿ090001 __________ COMMITTEE ON ENERGY AND COMMERCE JOE BARTON, Texas, Chairman RALPH M. HALL, Texas JOHN D. DINGELL, Michigan MICHAEL BILIRAKIS, Florida Ranking Member Vice Chairman HENRY A. WAXMAN, California FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts CLIFF STEARNS, Florida RICK BOUCHER, Virginia PAUL E. GILLMOR, Ohio EDOLPHUS TOWNS, New York NATHAN DEAL, Georgia FRANK PALLONE, Jr., New Jersey ED WHITFIELD, Kentucky SHERROD BROWN, Ohio CHARLIE NORWOOD, Georgia BART GORDON, Tennessee BARBARA CUBIN, Wyoming BOBBY L. RUSH, Illinois JOHN SHIMKUS, Illinois ANNA G. ESHOO, California HEATHER WILSON, New Mexico BART STUPAK, Michigan JOHN B. SHADEGG, Arizona ELIOT L. ENGEL, New York CHARLES W. ``CHIP'' PICKERING, ALBERT R. WYNN, Maryland Mississippi, Vice Chairman GENE GREEN, Texas VITO FOSSELLA, New York TED STRICKLAND, Ohio ROY BLUNT, Missouri DIANA DeGETTE, Colorado STEVE BUYER, Indiana LOIS CAPPS, California GEORGE RADANOVICH, California MIKE DOYLE, Pennsylvania CHARLES F. BASS, New Hampshire TOM ALLEN, Maine JOSEPH R. PITTS, Pennsylvania JIM DAVIS, Florida MARY BONO, California JAN SCHAKOWSKY, Illinois GREG WALDEN, Oregon HILDA L. SOLIS, California LEE TERRY, Nebraska CHARLES A. GONZALEZ, Texas MIKE FERGUSON, New Jersey JAY INSLEE, Washington MIKE ROGERS, Michigan TAMMY BALDWIN, Texas C.L. ``BUTCH'' OTTER, Idaho MIKE ROSS, Arkansas SUE MYRICK, North Carolina JOHN SULLIVAN, Oklahoma TIM MURPHY, Pennsylvania MICHAEL C. BURGESS, Texas MARSHA BLACKBURN, Tennessee Bud Albright, Staff Director James D. Barnette, Deputy Staff Director and General Counsel Reid P.F. Stuntz, Minority Staff Director and Chief Counsel (ii) C O N T E N T S __________ Page Testimony of: Baker, David N., Vice President, Law and Public Policy, Earthlink, Inc............................................. 14 Rubinstein, Ira, Associate General Counsel, Microsoft Corporation................................................ 17 Schmidt, Howard A., President and Chief Executive Officer, R&H Security Consulting.................................... 24 Schwartz, Ari, Associate Director, Center for Democracy and Technology................................................. 28 Material submitted for the record by: Information Technology Association of America, white paper entitled, Spyware, Supportware, Noticeware, Adware and the Internet................................................... 57 Webroot Software, Inc., prepared statement of................ 54 (iii) COMBATING SPYWARE: H.R. 29, THE SPY ACT ---------- WEDNESDAY, JANUARY 26, 2005 House of Representatives, Committee on Energy and Commerce, Washington, DC. The committee met, pursuant to notice, at 10:23 a.m., in room 2123 of the Rayburn House Office Building, Hon. Joe Barton (chairman) presiding. Members present: Representatives Barton, Hall, Stearns, Gillmor, Deal, Whitfield, Cubin, Shimkus, Shadegg, Pickering, Buyer, Radanovich, Pitts, Walden, Terry, Ferguson, Rogers, Otter, Myrick, Murphy, Burgess, Blackburn, Markey, Towns, Eshoo, Stupak, Wynn, Green, Strickland, Schakowsky, Solis, Gonzalez, Inslee, Baldwin, and Ross. Staff present: Bud Albright, staff director; Andy Black, deputy staff director; David Cavicke, chief counsel; Chris Leahy, policy coordinator; Shannon Jacquot, counsel; Will Carty, professional staff; Billy Harvard, legislative clerk; Julie Fields, special assistant to policy coordinator; Consuela Washington, minority senior counsel; and Ashley Groesbeck, research assistant. Chairman Barton. The committee will come to order. Good morning, and welcome to all members and guests for the first hearing of the Energy and Commerce Committee for the 109th Congress. I want to welcome our new members on both sides of the aisle. We will have a formal recognition of each of you at the appropriate time when the former Chairman Dingell is here. He is in a Democratic Leadership meeting and may not be able to attend. So we will save the formal introductions for another time. Today, our committee is going to receive testimony on legislation to protect consumers against Internet spying. Legislation, I should add, that last year passed through this committee on a 45-5 vote, and then on the House floor 399-1. Not only did the bill receive overwhelming support from our members, but from many technology companies and associations, including Yahoo, eBay, AOL TimeWarner, Dell, Microsoft, EarthLink, and the U.S. Telecom Association. The reason for the broad support of the bill is evident: the problem of Internet spying has grown to a critical point. Internet and technology companies are swamped by complaints and calls from their customers, not only asking for help in cleaning their computers of these programs, but also expressing real anger that their machines are continually slowed or stopped by simply navigating the Internet. I have a personal experience of this. My daughter, Kristen, who just graduated from college, bought a brand-new computer last year, and it is totally worthless today because of spyware that has infected her computer. She recently decided to junk that computer and buy a new computer. Many consumers remain unaware of how these applications end up on their computers and remain unable to remove them because of deceptive or nonexistent instructions for un-installing them. Losing some level of control of your own personal property is bad enough, but when added to the likelihood that these programs are monitoring your computer usage and transferring, possibly, your own private information to third parties without your permission, the spyware problem rises to a dangerous level. Many of these violations constitute a trespass-like offense, and in the worst cases, facilitate theft and fraud. Information gathered by spyware programs can be used to further slow your computer by bombarding you with pop-up ads and the collection of personal information can be used to steal your money, your identity, or both. All members, their families, and their constituents have become susceptible to this problem. Even many of our committee computers here on the Hill have been hampered by spyware's ill effects. This is a problem that must be addressed quickly, and given the interstate nature of e-commerce, it must be addressed by Federal legislation. I am encouraged that the Federal Trade Commission is finally beginning to take action against some of the worst actors in the spyware area, but Congress must also act quickly to give the FTC the additional power it needs to stem the tide of Internet monitoring. Last year, as I mentioned, we succeeded in passing this bill through the House, but the Senate failed to act. I am hopeful that that will not be the case this year, and I have been in contact with several Democrat and Republican Senators, and they say that they are going to move the bill very quickly. I want to commend a number of members for their outstanding leadership on this issue. Our No. 1 leader, Congresswoman Mary Bono of California, is not here today, because she is ill in California with a severe case of bronchitis, so she couldn't make it back to Washington for the hearing today. But I do want to commend her for her leadership. She introduced this legislation in 2003, when most of us had never heard of spyware, and has worked tirelessly to ensure its passage. I also want to commend Congressman Ed Towns, he is here today, for his leadership. He co-sponsored with Congresswoman Bono this legislation in our committee, and he, too, has worked tirelessly in a bipartisan manner to make this an excellent piece of legislation. I also want to thank our subcommittee chairman Congressman Stearns and also our ranking member, the gentlelady from Illinois, Mrs. Schakowsky. She has done an excellent job in drafting this bill. These members, as well as Congressman Dingell, have worked diligently to bring this legislation to the floor last year, and I hope we can move just as quickly and just as cooperatively this year to put this legislation through the House and send it to the Senate and encourage the Senate to act. I am also encouraged by the participation of a number of industry groups. We have drawn on their expertise in crafting this legislation. I encourage them to continue to work with us to combat spyware on a technological and a consumer educational level. It will take a mix of technology, consumer awareness, industry best practices, and strong enforcement to effectively fight spyware. I want to thank those who have worked with us throughout the process and those that are participating in our hearing today. I would now yield, since Mr. Dingell is not here, to Ms. Schakowsky, the subcommittee ranking member, for an opening statement, and then we will go to Mr. Stearns. Ms. Schakowsky. Thank you, Mr. Chairman. I would like to first also welcome our new members and particularly thank the new Democratic members who made it possible for me to rise to this lofty position in the second row and close to the chairman. This is a big day for me. And I wanted you--to thank you, Chairman Barton, for holding this hearing on H.R. 29, the SPY ACT, a strong, pro-consumer, bipartisan piece of legislation, which addresses one of the newest and most troublesome consumer and privacy issue: spyware. And I would also like to thank Ranking Member Dingell, who is unable to be here today. And as the ranking Democrat on the Commerce Trade and Consumer Protection Subcommittee in the 108th Congress, I had the privilege of working closely with my Chairman, Chairman Stearns, along with Representative Towns and Bono on the first version of the SPY ACT. As we learned last year, spyware, while not yet a household word, is a household phenomenon. The recent--a recent study by America Online found that 80 percent of families with broadband access had spyware on their computers. EarthLink, one of our witnesses here today, along with Web Route, an anti-spyware software provider, found that in 3 million scans of computers, there was an average of 26 instances of spyware on each and every computer. With those kinds of numbers, spyware will soon be a part of everyone's vocabulary. However, because of the surreptitious nature of spyware, because of the furtive practices of the spyware purveyors, many people have no idea that their computers have been infected with the software. People notice that pop-up ads will not go away and they notice when their computers are much slower. And of course, they notice when their home pages have been changed, but not by them. Consumers tend to blame viruses, their--on their old computer or their Internet service providers. But because spyware is bundled with software people do want to download, and because it is drive-by downloaded from unknowingly visiting the wrong website, people do not know that, in many cases, the real cause of their headaches is spyware. As we pointed out last year, spyware is much more than merely annoying. Slow computers and pop-up ads are just symptoms of the real trouble spyware can cause. The software is so ``resourceful'' that it can snatch personal information from computer hard drives, track every website visited, and log every keystroke entered. Spyware is a serious threat to consumer privacy and potentially a powerful tool for identity theft, a serious crime that is on the rise. Although we do not want to stop legitimate uses of the software underlying spyware, like allowing easy access to online newspapers, we do want consumers to have control of their computers and personal information and to stop truly nefarious uses of the programs. The SPY ACT finds the balance that helps protect consumers from truly bad acts and actors while preserving the pro- consumer functions of the software. It prohibits indefensible uses of the software, like keystroke logging, and it gives consumers the choice to opt in to the installation or activation of information-collection software on their computers, but only when consumers know exactly what information will be collected and how it will be used. Furthermore, the SPY ACT gives the FTC the power it needs, on top of laws already in place, to pursue predatory uses of the software. The SPY ACT puts the control of computers and privacy back in consumers' hands, and I am glad that we are moving the bill forward once again. And once again, I thank my colleagues for this pro- consumer, pro-privacy, and bipartisan piece of legislation, and I look forward to working with you again this year. Thank you, Mr. Chairman. Chairman Barton. Thank you. We would now like to recognize the subcommittee chairman, Mr. Stearns, for an opening statement. Mr. Stearns. Good morning. And thank you, Mr. Chairman. I am pleased that H.R. 29 is the first order of business. I commend you for bringing it forward. I also hope that the Senate will pass this anti-spyware legislation so that we can arm the Federal Trade Commission with a strong Federal response to combat this growing problem before it gets out of control. The elimination of spyware and the preservation of privacy for the consumer are critical goals if the Internet is to remain safe, reliable, and a credible means of commerce for the United States and the rest of the world. We know ``spyware'' is loosely defined as ``malicious software'' downloaded from the Internet that spies on the computer owner or user, usually to provide information to third parties. And while I would like to believe that something this egregious should fall easily into the ``I know it when I see it'' category, spyware is a little bit different, my colleagues. It allows unwanted software programs or spies to break, undetected, into our private lives to snoop, steal, and manipulate our online activities right under our noses. The spy and this software also makes identifying and finding those unwelcome guests a challenge. In fact, the burden of disinfecting corrupt computers usually falls on the consumer, who, in turn, usually contacts the closest available support center, often thinking they have had--they have a hardware or software problem. The typical scenario takes an obvious toll on our productivity and the engine of commerce. It is important to note that the bill before us today, H.R. 29, is identical to the one that we passed in Congress by a 45- 5 vote in the full committee, and in the House, 399-1. This bill has been crafted to target obvious spyware abuses, like keystroke logging. The bill also goes after offenders hidden in the shadow of confusing licensing agreements and other less obvious means of deception and trickery intended to defraud the computer. Specifically, the bill does the following: prohibit deceptive practices, like keystroke logging, web page hijacking, and unsolicited ads that can't be deleted; establishes a clear opt-in for consumers wishes to download monitoring software, and requires that such software be easily disabled; three, creates penalties with heavy monetary penalties that should make fraudsters think twice before they act; and finally, reestablishes a uniform, national rule regulating spyware because of the inherently interstate nature of interstate commerce--Internet commerce. Another challenge we face is ensuring that a response to the growing spyware problem does not penalize legitimate uses of similar information technology designed to monitor and prevent unauthorized activity. For example, programs designed to help parents monitor the online activity of their children and legitimate online marketing techniques all use similar technologies in an inoffensive and legal manner. This committee understands that there are gray areas, Mr. Chairman, with spyware, and as a result has worked very hard and it is a credit to the subcommittee staff and what they have done here to try to negotiate to focus this bill on the bad actors while preserving the legitimate use of these technologies. But there are some concerns to H.R. 29: examining the need for an exception for cookies and the issue raises--raised by third-party cookies, since the bill is intended to apply only to software; two, looking at ways to compute damages that are realistic and not excessive so that we don't obstruct and stop the Internet explosion; and finally assessing whether the definition of ``information collection program'' adequately captures advances in the technology. These are obtuse, very difficult to understand a third-party cookie and how it works in the computer, but again, we do not want to necessarily stop these third-party cookies from working. This is a balanced bill, though, and I think we need to move forward. I think it will achieve our goals. I would like to thank the distinguished witnesses this morning for attending and assisting us in discussing and debating this. And I also want to recognize Chairman Barton for his vision and his leadership, and of course, as he has mentioned, Ms. Bono of California and Mr. Towns. I would also like to thank my subcommittee ranking member, Ms. Schakowsky and Mr. Dingell for his support. And with that, Mr. Chairman, I conclude. [The prepared statement of Hon. Clifford Stearns follows:] Prepared Statement of Hon. Clifford Stearns, a Representative in Congress from the State of Florida Thank you Mr. Chairman. Good morning. I am very pleased that H.R. 29, the ``Securely Protect Yourself Against Cyber Trespass Act'' or ``Spy Act'' is the first order of business for this great Committee as we start the 109th Congress. Enacting meaningful anti-spyware legislation is a priority, and therefore, it is fitting that the Committee get focused early on the important work necessary to pass this bipartisan bill during this Congress. I also would like to call on our Senate colleagues to pass similar anti-spyware legislation soon so that we can arm the Federal Trade Commission with a strong federal response to combat this growing problem before it gets out of control. The elimination of spyware and the preservation of privacy for the consumer are critical goals if the Internet is to remain a safe, reliable, and credible means of commerce for the United States and the rest of the world. As we now know, spyware is loosely defined as malicious software, downloaded from the Internet, that ``spies'' on the computer owner or user, usually to provide information to third parties. And while I'd like to believe that something this brazen and egregious should easily fall into the ``I know it when I see it category,'' spyware is different--it allows unwanted software programs or ``spies'' to break undetected into our private lives to snoop, steal, and manipulate our online activities right under our noses. The ``spy'' in this software also makes identifying and finding these unwelcome guests a challenge. In fact, the burden of disinfecting corrupted computers usually falls on the consumer, who in turn usually contacts the closest available support center often thinking they have a hardware or software problem. This typical scenario takes an obvious toll on our productivity and the engine of commerce. It is important to note that the bill before us today, H.R. 29, is identical to the one that passed in the last Congress by a 45-5 vote in this Committee and by 399-1 in the full House. And while H.R. 29 has been crafted to target obvious spyware abuses, like keystroke logging, the bill also goes after offenders hidden in the shadows of confusing licensing agreements and other less obvious means of deception and trickery intended to defraud the consumer. Specifically, H.R. 29 does the following: Prohibits deceptive practices like keystroke logging, web page hijackings, and unsolicited ads that can't be deleted. Establishes a clear opt-in for consumers wishing to download monitoring software, and requires that such software be easily disabled. Creates penalties with teeth- heavy monetary penalties that should make fraudsters think twice before they act. And reestablishes a uniform national rule regulating spyware because of the inherently interstate nature of Internet commerce. Another challenge that we face as legislators is ensuring that our responses to the growing spyware problem don't penalize legitimate uses of similar information technology designed to monitor and prevent unauthorized activity. For example, programs designed to help parents monitor the online activity of their children and legitimate online marketing techniques all use similar technology in an inoffensive and legal manner. This Committee understands that there is a gray area with spyware, and as a result, has worked very hard to focus this bill on the bad actors while preserving the legitimate use of these technologies. Among some of the concerns expressed regarding H.R. 29 that will be examined as we continue to work on the bill are: Examining the need for an exception for cookies and the issues raised by third party cookies since the bill is intended to apply only to software. Looking at ways to compute damages that are realistic and not excessive. Assessing whether the definition of ``information collection program'' adequately captures advances in the technology. This is a good, balanced bill that is needed to protect the online consumer from those with malicious intentions and to blow the cover of the ``spies'' residing in our personal property - our PERSONAL computers. I believe that H.R. 29 will achieve just that, and I continue to support its passage. I would like to thank the distinguished panel of witnesses before us today for assisting the Committee's important work to discuss, debate, and explore the issues at hand to achieve a balanced but aggressive solution. In closing, I'd like to recognize Chairman Barton for his vision and leadership on this issue. I'd also like to commend, in particular, Ms. Bono of California, for bringing the issue of spyware to the fore, and for her dedication to protecting the consumer. I also would like to recognize my Democratic colleagues, especially Mr. Dingell, Ms. Schakowsky, and Mr. Towns and their staffs for their help in making H.R. 29 a truly bipartisan effort and a pleasure to work on. Once again, I would like to welcome the witnesses today and look forward to their testimony. Thank you. Chairman Barton. I thank the gentleman. I would now like to recognize Mr. Markey of the World Champion Boston Red Sox and, perhaps, the World Champion New England Patriots for an opening statement. Mr. Markey. Mr. Chairman, we are the World Champion Boston Patriots, and we are going to continue being the World Champion Boston Patriots. So we are---- Chairman Barton. I ask unanimous consent to revise. Mr. Markey. We are--we can't believe it, either, so thank you, Mr. Chairman. And thank you for having this hearing today, and Mr. Dingell. Mr. Stearns and Ms. Schakowsky have done an excellent job in shepherding this bill through, and I want to congratulate Mr. Towns and Ms. Bono for their leadership on this very important issue. The online villains who spread spyware deceive computer uses through disingenuous download requests, phony icons and covert tricks to induce users to permit the installation of programs that computer users do not want or require. In contrast to software applications from reputable online companies, surreptitiously installed spyware programs are designed to thwart a user's ability to control their own computers. Rather than improving a computer's online experience, the installed features often deliver annoying pop- up ads, hijack home pages, and can secretly monitor a consumer's use of their computer and their travels across the Internet. Hopefully we can move this consensus bill through the process and have the Senate side produce spyware legislation this session as well. In addition, I would also like to note that I look forward to working with Chairman Barton and our other committee colleagues on privacy legislation this year. In the last session, I offered legislation to extend the Cable Act's privacy protections to other similar entities. I was successful in getting one portion of my bill enacted, namely extending these consumer privacy protections to satellite providers, such as DirectTV and EcoStar, as part of the Home Satellite Viewer Act legislation that became law last year. Yet, we need to pass the remaining part of my bill to close the current loophole, which leaves consumers of services such as Replay TV with no legal privacy protections. What consumers watch at home, how they use the Internet, who they call or e-mail, and what services they may subscribe to are nobody's business. And companies should not monitor, collect, and disclose such personal information without the prior knowledge and express approval of consumers. So I intend to reintroduce my privacy bill regarding Replay TV and other such devices, and I hope that we can work on that and similar online privacy legislation this year. I thank you, again, Mr. Chairman, for having this very important hearing today. Chairman Barton. Thank you, Mr. Markey. We would now like to recognize the gentleman from Ohio, Mr. Gillmor, for a 3-minute opening statement. Mr. Gillmor. Mr. Chairman, I will waive, other than to say that I am very happy to see the opt-in requirement in this legislation. Chairman Barton. Okay. We would recognize the gentleman from New York, the original cosponsor of the bill in the last Congress, Mr. Towns. Mr. Towns. Thank you very much, Mr. Chairman, for holding this hearing today. I greatly appreciate the commitment you have shown to address this important issue and this legislation. As the primary Democratic sponsor, I have been proud to work with Congresswoman Mary Bono, the author of this bill, and I hope she recovers really, really soon from her illness. Her leadership, insight, and persistence on the spyware problem have been unmatched. I salute her for her continued hard work on this legislation. When we first embarked on this legislative process, spyware was a growing consumer nuisance. Most people had no idea what it was. They had no idea that software could be downloaded on their computer without their knowledge and record and transmit their personal information. Now the problem is so widespread, it is hard to find someone who has not been negatively affected by spyware. In fact, the day the spyware act was on the House floor last year, my daughter called me to say that a computer had just crashed due to spyware and indicated that something needs to be done to rectify this problem. And I informed her that we were working on it as we were talking. Last year, with Chairman Barton and Ranking Member Dingell's leadership---- Chairman Barton. You just lost your microphone. Mr. Towns. Last year---- Chairman Barton. Oh, I am sorry. I inadvertently hit the mute button. Mr. Towns. So you are part of spyware. Last year, with the chairman and the Ranking Member Dingell's leadership, the bill passed the House floor. This year, by getting a much earlier start, I believe Congress can put a bill on the President's desk to provide consumers with additional tools to protect the consumer from spyware. This is not only critical for consumer privacy, but it is also essential to ensure the integrity of e-commerce. Throughout this process, we have made several modifications to the bill to target bad actors while preserving technological applications. I look forward to hearing from today's witnesses on this. And of course, Mr. Chairman, on that note, I yield back. Chairman Barton. I thank the distinguished gentleman from New York and point out that is the first time in my tenure as Chairman that I have used the mute button, even if inadvertently, and I hope it is the last time. Does the gentlelady from Wyoming seek to make an opening statement? Ms. Cubin. I will submit. Chairman Barton. Okay. Does the gentlelady from California, Ms. Eshoo, seek to make an opening statement? Ms. Eshoo. Mr. Chairman, I am going to place my statement in the record. I want to thank everyone that was involved in this. As some members might recall, when the bill was being marked up last year, I had some serious concerns and expressed those to my colleagues on the committee, and I thank them for paying attention to what we have put forward. And I think that we have a strengthened effort, and this should be not only passed by our committee but by the full House, and I look forward to that. So thank you, and here is to the 109th Congress to this committee distinguishing itself, as it has in the past. And I wish you and all of the subcommittee chairmen and ranking members my best and will do everything I can to bring even more credit to this committee and welcome to the new members. Chairman Barton. Thank you. Ms. Eshoo. Thank you. [The prepared statement of Hon. Anna G. Eshoo follows:] Prepared Statement of Hon. Anna G. Eshoo, a Representative in Congress from the State of California Mr. Chairman, I'm very pleased that the Committee is considering H.R. 29, the Spy Act, a bill which I'm proud to support. The word ``spyware'' raises eyebrows and causes anxiety for almost anyone that uses computers and the Internet, particularly those of us that have had their computer's hijacked, or know someone that has. But as we've learned, there are many ``monitoring'' or ``information gathering'' activities that are really benign and actually enhance a user's experience on the Net or with their computer. In fact, some of these activities are essential to protect personal computers from hackers or viruses. As my colleagues will recall, I was very concerned about the spyware legislation considered by the Committee during the last Congress (H.R. 2929), and I opposed this bill during Committee markup. I believed our consideration then was rushed, and that too many important issues were left unresolved, putting at risk many of the services and security features that consumers value and rely on. Subsequent to the Committee's consideration, Representative Issa and I se nt a letter to the Chairman and Ranking Member identifying our most significant concerns. I'm pleased that the Chairman, Mr. Dingell, and the bill's sponsors were very responsive to these concerns and that we were successful in putting an improved bill before the House last session. Unfortunately, the Senate never acted on this legislation. Once again, I'd like to thank the Chairman, the Ranking Member, Rep. Bono, Rep. Towns, and their staffs for their hard work on this legislation and their willingness to work with me to improve this bill and eliminate any unintended consequences. I look forward to hearing from the witnesses and working with my colleagues to pass H.R. 29 through Committee, and bring it back to the House floor. Chairman Barton. Thank you. Does the gentleman from Pennsylvania, Mr. Pitts, wish to make an opening statement? Mr. Pitts. No, thank you. Chairman Barton. Does the gentleman from Michigan, Mr. Stupak, wish to make an opening statement? Mr. Stupak. No, thank you. Chairman Barton. Does the gentleman from Oregon wish to make an opening statement? Mr. Walden. No, thank you, Mr. Chairman. I will reserve. Chairman Barton. Does the gentleman from Maryland, Mr. Wynn, wish to make an opening statement? Mr. Wynn. No. Chairman Barton. Okay. Does the gentleman from Nebraska, Mr. Terry? Okay. The gentleman from Texas, Mr. Green? Mr. Green. Mr. Chairman, I just am glad we are considering this bill, and I will waive and ask for extra time on questions. Chairman Barton. Okay. Does the distinguished vice- chairman, Mr. Pickering, wish to make an opening statement? Mr. Pickering. I just wish you a good morning, and I will pass. Chairman Barton. All right. The gentlelady from California, Ms. Solis? Ms. Solis. Yes, I will pass and just include something for the record, and want to also welcome the new members of the Energy and Commerce Committee. Chairman Barton. The gentleman from New Jersey, Mr. Burgess? Mr. Burgess. For fear of the mute button, I will pass, Mr. Chairman. Chairman Barton. Okay. The gentleman from Texas, Mr. Gonzalez? Mr. Gonzalez. No, thank you. Chairman Barton. The gentleman from Michigan, Mr. Rogers? Mr. Rogers. I will waive. Chairman Barton. My gosh, we are doing great. The gentleman from Washington, Mr. Inslee, a new member? Mr. Inslee. No, thank you. Chairman Barton. The gentleman from Idaho, Mr. Otter? Mr. Otter. No. Chairman Barton. Okay. The gentlelady from Wisconsin is going to waive. Okay. The gentlelady from North Carolina, Ms. Myrick? Okay. Does the gentleman from Arkansas wish to make an opening statement? Welcome to the committee. Okay. And I do want to tell our new members, we are giving you name tags, so I am--I apologize if we don't have them ready today, but they are on the way. Let us see, the gentleman from Pennsylvania, Mr. Murphy? Mr. Murphy. I would like to waive, but since this is my opportunity, and in lieu of a nametag, I would just like to mention a few things. This is the first hearing I am attending, and I am grateful to be a member of this committee now. Chairman Barton. The gentleman is recognized for 3 minutes. Mr. Murphy. Thank you. I am grateful to be a member of this committee because of issues such as this. Spyware is such an insidious problem in computers where the multibillion-dollar industry of people having systems in their own home have been destroyed by unscrupulous folks. Now these go by many names, and sometimes they even appear to be legitimate systems, but anything that does not allow the owner of their own computer to opt-in fully informed is wrong and should be made illegal. The points have been made earlier, but I know some of them, and being the father of a teenage daughter, I see this myself, too. It seems whenever she gets an e-mail from someone, some spyware might be attached to it as well, Gator being one of the more insidious ones, which suddenly find every time I--it is on the computer, I would have to work to get it off. And that is wrong that companies are using this, that they are able to download information, they are able to put software on computers, and I am grateful that this committee is moving forward on that. With that being said, I enthusiastically look forward to the remainder of this hearing. Thank you, Mr. Chairman. Chairman Barton. We thank the gentleman from Pennsylvania. Does the gentleman from Texas, Dr. Burgess, wish to make an opening statement? Mr. Whitfield of Kentucky, do you wish to make an opening statement? Mr. Whitfield waives. Seeing no other member present, the Chair would ask unanimous consent that all members not present have the regular number of days to enter a written statement into the record. Without objection, so ordered. [Additional statements submitted for the record follow:] Prepared Statement of Hon. Paul E. Gillmor, a Representative in Congress from the State of Ohio I thank the Chairman for holding this hearing today, kicking off another successful and productive year for our panel. With regard to H.R. 29, the SPY ACT, I am happy to add my name as a cosponsor this year, which is identical to the measure that the full House approved overwhelmingly last October. This legislation represents yet another effort by our committee to protect personal privacy, as it aims to curb computer programs that literally spy on its users. ``Spyware'' can easily high-jack our computers by downloading unrelated software when we simply click on a banner or pop-up ad. It then has the ability to silently record our every click, keystroke, and Internet search, gathering information such as passwords and credit card numbers. I particularly appreciate the provision in the SPY Act providing for a prominent ``opt-in'' for consumers prior to downloading any monitoring software onto that user's computer. I look forward to the input of our well-balanced panel of witnesses, welcome the new members of the Energy and Commerce Committee, and remain hopeful that H.R. 29 will soon be considered for swift approval in the 109th Congress. Again, I thank the Chairman and yield back the remainder of my time. ______ Prepared Statement of Hon. Charlie Norwood, a Representative in Congress from the State of Georgia Thank you Mr. Chairman. Before I start my statement I'd like to extend a warm welcome to the new members of the committee. I look forward to working with all of you throughout this Congress. Mr. Chairman, I'd like to thank you for holding this hearing today on H.R. 29, the SPY Act. This is a very clear-cut consumer privacy issue, one that I think is vital that we address for our constituents back home. Last year, Ms. Bono's SPY Act passed overwhelmingly in the House, but got tangled up in the other body. As we all know, ``spyware'' in its most intrusive form can invade a constituent's computer, steal their social security number and credit card information. On the other hand, spyware can also provide legitimate businesses with a vital tool for increasingly productivity. Striking a balance is vital for the SPY Act to succeed. I want to make sure the citizens of the Ninth District of Georgia are protected from fraud, but I do not want to overburden businesses with lengthy federal regulations. I believe H.R. 29 strikes this balance. That being said, I look forward to our witnesses' testimony today to weigh in their opinions. Thank you Mr. Chairman, I yield back. ______ Prepared Statement of Hon. Mary Bono, a Representative in Congress from the State of California Good morning, and thank you Mr. Chairman for holding this hearing today and for your continued interest and support in Cybersecurity. I would like to thank Congressman Towns for his support and efforts on this bill. He has been a champion of this issue and legislation from the beginning. I would also like to thank Ranking Member Congressman Dingell for his continued leadership on this issue, as well as Congressman Stearns and Congresswoman Schakowsky for their hard work to make this legislation a reality. I am hopeful that the testimony today from our witnesses is instrumental in helping the Committee formulate effective legislation on the issue of Spyware. Cybersecurity and the protection of personal data of consumers is a very real issue that warrants the attention and action of government, businesses, and consumers alike. There are many things that consumers can do to protect themselves. Anti-virus software and patches are regularly available for downloading and updating. Moreover, one should always be cautious while downloading software from unknown or un-trusted sources. Consumers should avoid opening e-mails from strangers and should be hesitant to disclose personally identifiable information over non-secure sites. However, the methods of hackers are evolving into misrepresentations to the consumer and tricking them into divulging their private information. Moreover, the methods and practices of these hackers and spyware users are getting past expert computer users and the most diligent anti-spyware customers--reflecting the true vulnerability of all computer users. Due to the overwhelming support (399-1) of H.R. 2929 last year, I reintroduced H.R. 29, ``The Securely Protect Yourself Against Cyber Trespass Act (``the SPY Act'').'' This bill aims to empower consumers to help safeguard them from bad actors. Unfortunately, consumers regularly and unknowingly download software programs that have the ability to track their every move. Consumers are sometimes informed when they download such software. However, the notice is often buried in multi-thousand word documents that are filled with technical terms, and legalese that would confuse even a high tech expert. Many spyware programs are surreptitiously designed to shut off any anti-virus or firewall software program it detects. The SPY Act would help prevent Internet spying by requiring spyware entities to inform computer users of the presence of such software, the nature of spyware, and its intended function. Moreover, before downloading such software, spyware companies would first have to obtain permission from the computer user. This is a very basic concept. The PC has become our new town square and global marketplace as well as our private database. If a consumer downloads software that can monitor the information shared during transactions, for the sake of the consumer as well as e-commerce, it is imperative that the consumer be informed of whom he or she is inviting into their computer and what he or she is capable of doing with their private information. After being informed, the consumer should have the chance to decide whether to continue with the download or reject the presence of such software. In short, consumers should be put in a position where they can make an informed choice about their private personal information. Once installed on computers, some spyware programs, like viruses, become imbedded among code for other programs and affect how those programs function on the user's computer. Additionally, spyware is becoming more and more difficult to detect and remove. Usually, such programs are bundled with another unrelated application and cannot be easily removed, even after the unrelated application has been removed. Moreover, the advertisements may not always be forthcoming. Many times, spyware entities contract with companies to post advertisements and in turn, post such advertisements on the websites of competitors. The result is confusion. In other words, while visiting the website for Company A, you may be browsing to purchase a product. However, while browsing a pop up link may appear informing you of a great sale. Under the impression that you are looking at a link for Company A, you may purchase the product, all the while uninformed that the product was purchased via a pop-up link from Company B. According to a recent study, many problems with computer performance can be linked in some way to spyware and its applications. Additionally, some computers have several hundred spyware advertising applications running, which inevitably slow down computers and can cause lockups. Some spyware can literally shut down your computer forcing the user to spend time and money getting their computer to function normally again. If you have spyware on your computer, you most likely are getting more pop-up advertisements than you would if you had no such software on your computer. I know the effects of spyware from personal experience as my daughter's computer has been completely shut down by this software. All of these consumer disadvantages can be decreased or eliminated if disclosures surrounding spyware are required and enforced. If consumers are informed about spyware, chances are they may not choose to download the software. Upon choosing not to download spyware: consumer's computers will run more efficiently; their anti-virus programs and firewalls will function better; they can decide which information to share and not share; and consumers will not be deceived into buying a product or service from unknown entities. Since the introduction of H.R. 29, I have had the opportunity to speak with many different sectors of the technology industry and retail businesses that operate on the Internet. Through these discussions, I have received meaningful feedback. I am currently working on refining H.R. 29. Some of these refinements include the following-- Prohibiting the unauthorized downloading of spyware without prohibiting the downloading of beneficial programs such as anti-virus software; Prohibiting the unauthorized use of spyware without prohibiting authorized uses and the use of cookies; Requiring spyware programs to be easily removable after they have been downloaded; Ensuring that the ``clear and conspicuous'' notices required in H.R. 29 are very clear; and Preventing deceptive advertisements that are facilitated through spyware. I look forward to continually working with the technology industry in order to produce a bill that protects consumers and legitimate uses of that information. Government and private enterprise must team up as one because the war against spyware cannot be done alone. Thank you, and I look forward to the testimony of the witnesses on this issue. ______ Prepared Statement of Hon. Gene Green, a Representative in Congress from the State of Texas Thank you Chairman Barton and Ranking Member Dingell for your leadership on this issue. Our colleagues, Representatives Bono and Towns did a great job moving this legislation through this committee and the House with overwhelming bi-partisan support. I hope in this Congress, we see this bill sent to the President and enacted. As a co-sponsor of the Anti-SPAM bill with our colleague Heather Wilson, I understand the importance of this issue. In fact, earlier this month, in my home state of Texas, the Attorney General has filed the first state suit against a SPAM operation which is listed in the top five SPAM operations in the world. Thanks to the Anti-SPAM legislation this committee passed, each person behind this operation now faces fines of up to $2 million each. Given our success with Anti-SPAM legislation, I believe we are on the right track with the Spyware legislation. We live in an age when technological breakthroughs bring us better, more efficient lives. However, these breakthroughs also entice people to take advantage of others for personal and financial gain. Congress needs to address these types of issues quickly because as we all know, the fast pace of technological growth will always bring with it new issues for Congress. During our experience with the Anti-SPAM bill, we all came to an understanding that technology itself is not the problem--it is the way some people and businesses use technology that is harmful to consumers. We were able to move this legislation quickly last Congress and I hope we are able to address any issues that may help this Committee send an even better bill to the Floor to ensure passage in the Senate. I think this legislation as it stands is strong. With the commitment Congresswoman Bono and Congressman Towns have made to make this legislation fair and enforceable, I'm confident we can see this bill become a law in the near future. Thank you Mr. Chairman. I yield back the balance of my time. ______ Prepared Statement of Hon. Hilda L. Solis, a Representative in Congress from the State of California Chairman Barton and Ranking Democrat Dingell, thank you for holding this hearing today. The issue of privacy is one that is important to me. Privacy is one of the civil liberties we have as Americans that makes this nation so special. Too often I hear from my constituents that they fear their privacy is being invaded and they are powerless to defend themselves. I believe legislation is critical to provide consumers the tools they need to regain their right to privacy. Last year I supported H.R. 2929 because I felt it provided the resources consumers needed. It is good to be supporting legislation that would not only strengthen security but also strengthen privacy--one of America's key civil liberties. I want to thank Ed Towns, Jan Schakowsky, Mary Bono, Cliff Stearns and others for their leadership on this issue, and I look forward to hearing comments on this legislation in the hopes that it too can help our consumers protect themselves. I look forward to working with my colleagues this year to hopefully take steps to make today's America a better America. Chairman Barton. We want to welcome our witness list today. We have Mr. David Baker, who is the Vice President, Law and Public Policy for EarthLink in Atlanta, Georgia. We have Mr. Ira Rubinstein, the Associate General Counsel for Microsoft, who represents them here in Washington, DC. We have Mr. Howard Schmidt, who is the President and Chief Executive Officer of R&H Security Consulting in Issaquah, Washington. And we have Mr. Ari Schwartz, who is the Associate Director for the Center for Democracy and Technology here in Washington, DC. Gentlemen, welcome to the committee. Your statements are in the record in their entirety. We are going to start with Mr. Baker and give each of you 7 minutes to expand upon your written statement. Welcome to the committee, Mr. Baker. STATEMENTS OF DAVID N. BAKER, VICE PRESIDENT, LAW AND PUBLIC POLICY, EARTHLINK, INC.; IRA RUBINSTEIN, ASSOCIATE GENERAL COUNSEL, MICROSOFT CORPORATION; HOWARD A. SCHMIDT, PRESIDENT AND CHIEF EXECUTIVE OFFICER, R&H SECURITY CONSULTING; AND ARI SCHWARTZ, ASSOCIATE DIRECTOR, CENTER FOR DEMOCRACY AND TECHNOLOGY Mr. Baker. Thank you. Chairman Barton, ladies and gentlemen of the committee, thank you for inviting me here today. I am Dave Baker, Vice President for Law and Public Policy with EarthLink. Headquartered in Atlanta, EarthLink is one of the Nation's largest Internet service providers, serving over 5 million customers nationwide with broadband, dial-up, web hosting, and wireless Internet services. EarthLink is always striving to improve its customers' online experience. To that end, we appreciate the efforts of this committee to combat the growing problem of spyware. We have reached a point in time where spyware has equaled, if not surpassed, spam as the biggest problem facing Internet users. Spyware compromises consumers' online experience and security. As the Wall Street Journal noted last April, ``Indeed, spyware, small programs that install themselves on computers to serve up advertising, monitor web surfing and other computer activities and carry out other orders, is quickly replacing spam as the online annoyance computer users most complain about.'' Like spam, we must fight spyware on several fronts. Legislation, enforcement, customer education, and technology solutions are all needed to combat this growing threat. We spoke here last year in support of H.R. 2929, the SPY ACT, which passed the House by a 399-1 margin last October. Similarly, we appear here today in support of the efforts of Congresswoman Bono, Congressman Towns, their cosponsors, and this committee to reintroduce this year's H.R. 29, the SPY ACT. Prohibiting the installation of software without a user's consent, requiring uninstall capability, establishing requirements for transmission pursuant to license agreements, and requiring notices for collection of personally identifiable information, intent to advertise, and modification of user settings are all steps that will empower consumers and keep them in control of their computers and their online experience. Spyware comes in several different forms, each presenting unique threats. Adware is advertising-supported software that displays pop-up advertisements whenever the program is running. Although it is seemingly harmless, adware can install components on your computer that track personal information. Adware cookies are pieces of software that websites store on your hard drive when you visit a site. Some cookies save you time, for example, when you check a box for a website to remember your password on your computer, but some adware cookies store personal information, like your surfing habits, user names, and passwords, and areas of interests and share that information with other websites. System monitors can capture virtually everything you do on your computer, from keystrokes, e-mails, and chat room dialog to which sites you visit and which programs you run. System monitors usually run in the background so that you don't know you are being watched. The information gathered by a system monitor is stored on your computer in an encrypted log file for later retrieval. Trojan horses are malicious programs designed to steal or encode computer data and to destroy systems. Some Trojan horses, called RATs, Remote Administration Tools, give attackers unrestricted access to your computer whenever you are online. Trojan horses are distributed as e-mail attachments or they can be bundled with other software programs. As a leading Internet provider, EarthLink is on the front lines in combating spyware. EarthLink makes available to both its customers and to the general public technology solutions, such as EarthLink Spy Audit powered by Webroot. Spy Audit is a free service that allows an online user to quickly examine his or her computer to detect spyware. A free download of Spy Audit is available on EarthLink's website. EarthLink members also have access to EarthLink Spyware Blocker, which disables all common forms of spyware, including adware, system monitors, keystroke loggers, and Trojans. EarthLink Spyware Blocker is available for free to EarthLink members as a part of Total Access 2005, our Internet access software. In addition to Spyware Blocker, Total Access 2005 includes a suite of protection tools, such as Spam Blocker, Pop-Up Blocker, Scam Blocker, which blocks phisher sites, Virus Blocker, and Parental Controls. As indicated in the attachment to my testimony, over 3.2 million Spy Audit scans performed in the first 3 quarters of 2004 found over 83 million instances of spyware. This represents an average of 26 spyware programs per scanned PC. While most of these installations were relatively harmless adware and adware cookies, the scans revealed over 1 million installations of much more serious system monitors and Trojans. Spyware is thus a growing problem that demands the attention of Congress, enforcement agencies, consumers, and industry alike. Through the efforts of Congress to introduce legislation like the SPY ACT, enforcement actions by the FTC and other agencies, and through industry development of anti- spyware tools, we can all help protect consumers against a threat that is often unseen but very much real. Thank you for your time today. [The prepared statement of David N. Baker follows:] Prepared Statement of David N. Baker, Vice President, Law and Public Policy, EarthLink, Inc. Mr. Chairman, Ladies and Gentlemen of the Committee, thank you for inviting me here today. I am Dave Baker, Vice President for Law and Public Policy with EarthLink. Headquartered in Atlanta, EarthLink is one of the nation's largest Internet Service Providers (ISPs), serving over 5 million customers nationwide with broadband (DSL, cable and satellite), dial-up, web hosting and wireless Internet services. EarthLink is always striving to improve its customers' online experience. To that end, we appreciate the efforts of this committee to combat the growing problem of spyware. SPYWARE: A GROWING THREAT We have reached a point in time where spyware has equaled if not surpassed spam as the biggest problem facing Internet users. Spyware compromises consumers' online experience and security. As the Wall Street Journal noted even last year, ``Indeed, spyware--small programs that install themselves on computers to serve up advertising, monitor Web surfing and other computer activities, and carry out other orders-- is quickly replacing spam as the online annoyance computer users most complain about.'' ``What's That Sneaking Into Your Computer?'' Wall Street Journal, April 26, 2004. Like spam, we must fight spyware on several fronts. Legislation, enforcement, customer education and technology solutions are all needed to combat this growing threat. We spoke here last April in support of H.R. 2929, the Safeguard Against Privacy Invasions (SPI) Act, which became the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT) and which passed the House by a 399-1 margin last October. Similarly, we appear hear today in support of the efforts of Congresswoman Bono, her co-sponsors and this Committee to re-introduce this year's H.R. 29 the SPY ACT. Prohibiting the installation of software without a user's consent, requiring uninstall capability, establishing requirements for transmission pursuant to license agreements, and requiring notices for collection of personally identifiable information, intent to advertise and modification of user settings are all steps that will empower consumers and keep them in control of their computers and their online experience. VARIOUS FORMS OF SPYWARE Spyware comes in several different forms, each presenting unique threats: Adware is advertising-supported software that displays pop-up advertisements whenever the program is running. Often the software is available online for free, and the advertisements create revenue for the company. Although it's seemingly harmless (aside from the intrusiveness and annoyance of pop-up ads), adware can install components onto your computer that track personal information (including your age, sex, location, buying preferences, or surfing habits) for marketing purposes. Adware cookies are pieces of software that Web sites store on your hard drive when you visit a site. Some cookies exist just to save you time-for example, when you check a box for a Web site to remember your password on your computer. But some sites now deposit adware cookies, which store personal information (like your surfing habits, usernames and passwords, and areas of interest) and share the information with other Web sites. This sharing of information allows marketing firms to create a user profile based on your personal information and sell it to other firms. System monitors can capture virtually everything you do on your computer, from keystrokes, emails, and chat room dialogue to which sites you visit and which programs you run. System monitors usually run in the background so that you don't know you're being watched. The information gathered by the system monitor is stored on your computer in an encrypted log file for later retrieval. Some programs can even email the log files to other locations. There has been a recent wave of system monitoring tools disguised as email attachments or free software products. Trojan horses are malicious programs that appear as harmless or desirable applications. Trojan horses are designed to steal or encode computer data, and to destroy your system. Some Trojan horses, called RATs (Remote Administration Tools), give attackers unrestricted access to your computer whenever you're online. The attacker can perform activities like file transfers, adding or deleting files and programs, and controlling your mouse and keyboard. Trojan horses are distributed as email attachments, or they can be bundled with other software programs. EARTHLINK'S EXPERIENCE As a leading Internet provider, EarthLink is on the front lines in combating spyware. EarthLink makes available to both its customers and the general public technology solutions to spyware such as EarthLink Spy Audit powered by Webroot (``Spy Audit''). Spy Audit is a free service that allows an online user to quickly examine his or her computer to detect spyware. A free download of Spy Audit is available at www.earthlink.net/spyaudit. EarthLink members also have access to EarthLink Spyware Blocker, which disables all common forms of spyware including adware, system monitors, key loggers and Trojans. EarthLink Spyware Blocker is available free to EarthLink members as part of Total Access 2005, our Internet access software. See www.earthlink.net/home/ software/spyblocker. In addition to Spyware Blocker, Total Access 2005 includes a suite of protection tools such as spamBlocker, Pop-Up Blocker, Scam Blocker (which blocks phisher sites), Virus Blocker, and Parental Controls. Over 3.2 million Spy Audit scans performed in the first 3 quarters of 2004 found over 83 million instances of spyware. This represents an average of 26 spyware programs per scanned PC. While most of these installations were relatively harmless adware and adware cookies, the scans revealed just over 1 million installations of more serious system monitors or Trojans. CONCLUSION Spyware is thus a growing problem that demands the attention of Congress, enforcement agencies, consumers and industry alike. Through the efforts of Congress to introduce legislation like the SPY ACT, enforcement actions by the FTC and other agencies, and through industry development of anti-spyware tools, we can all help protect consumers against a threat that is often unseen, but very much real. Thank you for your time today. Chairman Barton. Thank you, Mr. Baker. And Mr. Rubinstein, before you speak, we are going to lower the screen in the back, so we can have the TV picture, and it is somewhat noisy. So if you will suspend until we can get the screen down in the back. We didn't want to interrupt his testimony. So welcome to the committee, Mr. Rubinstein, and your testimony is in record. We give you 7 minutes to expand upon it. STATEMENT OF IRA RUBINSTEIN Mr. Rubinstein. Thank you. Chairman Barton, Ranking Member Dingell, and members of the committee, my name is Ira Rubinstein, and I am an Associate General Counsel at Microsoft. Thank you for the opportunity to share our views on spyware, an issue of which you have been at the forefront. In particular, I want to acknowledge the leadership of Chairman Barton and Ranking Member Dingell, Chairman Stearns and Ranking Member Schakowsky of the Consumer Protection Subcommittee, and Representatives Bono and Towns, the lead sponsors of H.R. 29, the SPY ACT. This committee has worked tirelessly to draft legislation that targets the bad behavior at the root of the spyware problem, without unnecessarily impacting legitimate software functionality. We support the SPY ACT, and we look forward to working with Congress as the bill moves forward. Nine months ago, Microsoft testified on spyware before the Consumer Protection Subcommittee. We described a multifaceted approached that included technological development, consumer education, aggressive enforcement, and industry best practices. We also discussed the role of legislation in complementing this strategy. Since then, we have made significant headway in each of these areas. Today, I want to update the committee on that progress and describe how industry and Congress can continue working together to give consumers choice and control. Spyware is a problem of bad practices, practices that mislead, deceive, or even bully users into downloading unwanted applications. However, new anti-spyware technology is enabling users to fight back. For example, Microsoft recently released a Beta, or test version, of Windows AntiSpyware. This is our first dedicated anti-spyware solution, and it is available for free on www.Microsoft.com/spyware. This tool scans a user's computer, locates spyware, and enables---- Chairman Barton. Mr. Rubinstein, is your microphone turned on? Mr. Rubinstein. Yes, it is, sir. Chairman Barton. Okay. Could you then place it somewhat closer? We are having some trouble up here hearing you. Mr. Rubinstein. Yes, I will. Chairman Barton. Thank you. Mr. Rubinstein. This tool scans a user's computer, locates spyware, and enables the user to remove it and undo any damage. It also provides ongoing protection to computers through security checkpoints. These guard against more than 50 separate ways that spyware can be downloaded. If known spyware is detected at these checkpoints, it is blocked. If an unknown program is detected, Windows AntiSpyware informs the user and asks whether the download should proceed. We invite the committee to download the program and would welcome your feedback. In addition to technological developments, there has been substantial progress in other areas. This progress is attributed to the successful collaboration between government and industry. Consumer education is a good example. Over the past 9 months, through hearings like these, consumers have become more aware of the spyware problem and how they can protect themselves from these threats. Industry has also played an important role. Microsoft's AntiSpyware web site contains updated information that is designed to help consumers to understand, identify, prevent, and remove spyware. The site also includes step-by-step instructions on what consumers can do about spyware and an informative 3-minute video covering the same materials. Many others in the industry are engaged in similar efforts. Cooperation between the public and private sectors has also led to a successful FTC enforcement action against the spyware publisher. Microsoft actively supported this investigation, and we will continue to work with government and industry partners to go after spyware distributors. Industry best practices are another part of our anti- spyware strategy. They can serve as a foundation for programs that help identify the good actors. This, in turn, allows users to make more informed decisions about the software they download. Over the past year, representatives from a broad range of companies have been working to develop and implement a set of best practices, but more needs to be done. Microsoft is dedicated to work with industry in this effort that will help optimize user control. Federal legislation can be an effective complement to this combination of technology, education, enforcement, and industry best practices. But as we have stressed throughout the legislative progress--process, Congress must proceed cautiously to ensure that such legislation targets the deceptive behavior of spyware publishers and not features or functionalities that have legitimate uses. Our success in working together to achieve this goal is apparent, and our written testimony sets forth some of the scenarios that could have had unintended consequences, but that the committee has now addressed. As we move forward, we need to make sure that the law does not create disincentives for consumers to use these anti-spyware tools or leave anti-spyware vendors open to legal action for developing and distributing them. We want to thank the committee, again, for your attention to the spyware problem and for extending Microsoft the invitation to share our ideas and experiences with you, both today and as the process moves forward. We appreciate that the committee solicited further comment from industry on ways the clarify the bill, and we encourage the committee to continue this collaborative process. Microsoft remains committed to supporting legislation that will prevent bad actors from deceiving consumers and destroying their computing experience. Thank you. [The prepared statement of Ira Rubinstein follows:] Prepared Statement of Ira Rubinstein, Associate General Counsel, Microsoft Corporation Chairman Barton, Ranking Member Dingell, and Members of the Committee: My name is Ira Rubinstein and I am an Associate General Counsel at Microsoft Corporation. I want to thank you for the opportunity to share with the Committee Microsoft's views on addressing spyware--an issue on which this Committee has been at the forefront. In particular, I want to thank Chairman Barton and Ranking Member Dingell, Representatives Stearns and Schakowsky, the Chairman and Ranking Member, respectively, of the Commerce, Trade, and Consumer Protection Subcommittee, and Representatives Bono and Towns, the lead Republican and Democrat sponsors of H.R. 29, the SPY ACT. This Committee has worked tirelessly to raise public awareness of the threat posed by spyware, and to draft legislation that is carefully targeted to address the bad behavior at the root of the problem--without unnecessarily impacting legitimate software applications. Microsoft believes the Committee has met this goal: we are therefore pleased to support the SPY ACT in its current form, and we look forward to working with Congress as the bill moves forward. Nine months ago, my colleague Jeffrey Freidberg, who is the Director of Windows Privacy at Microsoft, testified at a hearing of this Committee's Subcommittee on Commerce, Trade, and Consumer Protection on the nature and nuances of spyware, and provided a slide presentation demonstrating some common tricks used by nefarious spyware publishers to deceive users into downloading unwanted programs. He also described Microsoft's commitment to attacking spyware on several levels--technology, consumer education, industry best practices, and enforcement--and the role of legislation in complementing this strategy. Today, I want to tell you about the progress that has been made in each of these areas over the past nine months, and the ways in which the public and private sectors can continue working together to restore choice and control back where it belongs--in the hands of consumers. Spyware Remains a Pervasive Problem. As Chairman Barton aptly recognized at last year's hearing, spyware represents an ``unwanted intrusion that is used for purposes that we have not approved, and most of the time without our even knowing it.'' <SUP>1</SUP> Purveyors of spyware manipulate computer users through misleading download requests, false icons, and covert practices that trick users or override low security settings in order to install programs that users do not need or want. Unlike legitimate applications, these programs show no respect for users' ability to control their own computers, and they misuse many features that can be an asset with proper disclosure, user authorization, and control. Instead of leading to personalization and better user experiences, these features are manipulated to surreptitiously monitor user activities, hijack home pages, and deliver an unstoppable barrage of pop-up advertisements. In short, spyware is a problem of bad practices--practices that mislead, deceive, or even bully users into downloading unwanted applications. --------------------------------------------------------------------------- \1\ Spyware: What You Don't Know Can Hurt You: Hearing Before the House Subcomm. on Commerce, Trade, and Consumer Protection of the Comm. on Energy and Commerce, 108th Cong. 77 (2004) (statement of Chairman Barton, House Comm. of Energy and Commerce). --------------------------------------------------------------------------- Spyware continues to be a primary frustration for our customers and industry partners. We receive thousands of calls from customers each month directly related to deceptive software, and we continue to receive reports that suggest such software is at least partially responsible for approximately one-half of all application crashes that our customers report to us. In addition, industry partners have indicated that unwanted and deceptive software remains one of the top support issues they face, and we understand that it costs many of the large computer manufacturers millions of dollars per year. Other studies demonstrate the continued growth of the problem. A study last fall conducted by America Online and the National Cyber Security Alliance found that approximately 80 percent of all users had some form of spyware or adware on their machines, and that the average computer contained 93 spyware or adware components.<SUP>2</SUP> Perhaps most troubling, 89 percent of respondents whose computers had tested positive were unaware that their systems contained any spyware.<SUP>3</SUP> Over the past year, we have also seen a rise in a particularly disturbing form of spyware programs--so-called ``betrayware.'' These applications claim to be anti-spyware detection or removal programs, but are in fact spyware; some analysts now estimate that there are more than 130 separate betrayware programs lurking in cyberspace.<SUP>4</SUP> --------------------------------------------------------------------------- \2\ See AOL/NCSA Online Safety Study (Oct. 2004), available at http://www.staysafeonline.info/news/safety_study_v04.pdf. \3\ Id. \4\ See Eric L. Howes, The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites, available at http:// www.spywarewarrior.com/ rogue--anti-spyware.htm. --------------------------------------------------------------------------- The explosion in the volume of spyware, and the accompanying increase in the complexity with which those programs operate and the damage that they do, has had an enormous impact on Microsoft. As we explained last year, many of our customers blame the problems caused by these programs on Microsoft software, believing that their systems are operating slowly, improperly, or not at all because of flaws in our products or other legitimate software. Spyware programs have increased our support costs, harmed our reputation and, most importantly, thwarted our efforts to optimize our customers' computing experiences. Anti-Spyware Tools Are Enabling Consumers To Take Back Control. Although spyware is becoming more pervasive and complex, the good news is that there have also been enormous strides over the past year in the fight against spyware--particularly with respect to the development of anti-spyware tools that empower users to protect themselves. As one example, in January of this year, Microsoft launched the Beta version of Windows AntiSpyware--Microsoft's first dedicated anti-spyware tool based on technology developed by GIANT Software Company, Inc. Microsoft acquired this technology from GIANT and rapidly developed and distributed the anti-spyware beta because our customers have made clear that spyware represents a major problem to them, and that they want Microsoft to deliver effective solutions as quickly as possible. Windows AntiSpyware works by scanning a customer's computer to locate spyware and other known deceptive software threats, and then giving users the tools to easily and rapidly remove those programs--as well as to quickly restore certain damage done by these programs. Once the spyware has been removed, the Windows AntiSpyware Scan Scheduler enables the scheduling of regular scans to help users maintain the condition of their computers. Windows AntiSpyware can also be configured to block known spyware and other unwanted software from being installed on the computer in the first place. To do this, the program relies on the worldwide SpyNet <SUP>TM</SUP> community, which plays a crucial role in determining which suspicious programs are classified as spyware. A voluntary network of users, SpyNet <SUP>TM</SUP> helps uncover new threats quickly to ensure that all users are better protected, and any user can choose to join SpyNet <SUP>TM</SUP> and report potential spyware to Microsoft. When new spyware programs are confirmed through SpyNet, their unique digital identifiers, or ``signatures,'' can be automatically downloaded by Windows AntiSpyware, helping to stop these new threats before they gain a foothold. Windows AntiSpyware also provides continuous protection to computers, establishing security checkpoints to guard against more than 50 separate ways that spyware can be downloaded. These checkpoints are monitored by (1) Internet agents that help protect against spyware that makes unauthorized connections to the Internet or changes a computer's Internet settings; (2) system agents that guard against spyware that makes unauthorized changes to a computer's non-Internet settings (such as passwords or security levels); and (3) application agents that protect against spyware that alters applications (such as modifying browsers or launching unwanted programs). If known spyware is detected at these checkpoints, it will be blocked. If an unknown program is detected, Windows AntiSpyware informs the user and asks whether to let the download proceed. Another feature of Windows AntiSpyware is its ability to work with the security enhancements in Windows XP Service Pack 2 (``XPSP2''). When Mr. Friedberg testified before the Subcommittee last April, he described a number of ways in which XPSP2 would help block the entry points used by spyware programs by better informing users in advance about the type of software they would be installing. As promised, Microsoft did introduce XPSP2 in 2004, and these enhancements are designed to target the particular tricks that spyware distributors use to surreptitiously install unwanted programs: A new pop-up blocker, turned on by default, that reduces a user's exposure to unsolicited downloads; A new download blocker that suppresses unsolicited downloads until the user expresses interest; Redesigned security warnings that make it easier for users to understand what software is to be downloaded, make it more obvious when bad practices are used, and allow users to choose to never install certain types of software; and A new policy that restricts a user's ability to directly select ``low'' security settings. Beyond Windows AntiSpyware and XPSP2, Microsoft will continue working collaboratively with all of our security partners: developing anti-spyware tools that empower our customers to protect themselves is a top priority. In the short term, we want everyone to run some kind of anti-spyware solution on a regular basis. In the long term, we want to develop and implement solutions so that spyware is no longer a major issue for our customers. This is an ambitious goal that will require cooperation and dedication, but we believe that the acquisition of GIANT and implementation of Windows AntiSpyware and XPSP2 are significant strides toward achieving that result. Advances in Education, Enforcement, and Industry Standards Are Evident. Technology is a critical part of the solution to spyware, but it cannot work alone. Heightened consumer education, aggressive law enforcement, and improved industry self-regulation are also important to ending the spyware epidemic. In the nine months since Microsoft last testified on spyware, there have been significant developments in each of these areas. Consumer Education. A year or two ago, only the most sophisticated users even knew what spyware was, let alone how to stop it. Now spyware is becoming well-known as a critical consumer protection issue. For example, in its first day on the Microsoft home page, our new Windows AntiSpyware site received more than 130,000 clicks--easily a record for a launch on our home page, and an indication of the tremendously increased customer interest in and attention to the spyware problem. Much of the credit for heightening consumer awareness about spyware should go to Congress--and particularly to this Committee. Through hearings such as this and determined efforts to enact effective anti- spyware legislation, Congress has attracted media attention to the spyware problem, and has helped educate consumers about the importance of the issue and how to protect themselves. Industry should also play a role in consumer education, and the Web site we launched in 2004-- www.microsoft.com/spyware--contains information that is specifically designed to help consumers understand, identify, prevent, and remove spyware. We update this site regularly, and it now includes a comprehensive but easy-to-read white paper describing our spyware strategy, as well as public newsgroups on spyware that our security- focused ``most valuable professionals'' monitor to assist the online community. We want to provide users with clear, current, and trusted resources to help understand, remove, and avoid spyware. Representative Bono emphasized last year that ``it is necessary that we [government and industry] collectively educate consumers about the nature and the threats of spyware,'' and we agree.<SUP>5</SUP> Although much work has been done over the past year to educate consumers about spyware, we are committed to continuing to working with you and other industry members in this important effort. --------------------------------------------------------------------------- \5\ Spyware: What You Don't Know Can Hurt You: Hearing Before the House Subcomm. on Commerce, Trade, and Consumer Protection of the Comm. on Energy and Commerce, 108th Cong. 6 (2004) (statement of Rep. Bono, House Comm. of Energy and Commerce). --------------------------------------------------------------------------- Enforcement of Existing Laws. The use of aggressive enforcement actions against spyware purveyors is another critical part of our approach to the problem. Targeting the most insidious violators would have a significant impact on the amount and type of spyware that is produced and distributed--and would serve as a powerful deterrent to would-be violators. Last April, we explained to the Subcommittee that enforcement actions were possible under existing law. In October 2004, the Federal Trade Commission demonstrated that this was true, taking the first federal enforcement action and obtaining a temporary restraining order against a major distributor of spyware for unfair and deceptive practices that violated the FTC Act. The defendant in that case, Stanford Wallace (who is also known as the ``Spam King''), had developed and installed on unsuspecting users' computers code that tracked their Internet behavior, changed home pages and search engines, and launched a stream of pop-up ads. Wallace then went a step further and targeted these users with pop-up advertisements promoting faulty anti-spyware remedies that Wallace sold for approximately $30 each. Microsoft supported the FTC's investigation in that case, and our Internet Safety Enforcement team is committed to enforcing existing laws against the distributors of spyware. The team investigates spyware threats that are reported by customers or others, working with government and industry partners and using advanced technology to find the sources of these programs. After the investigation, the team either pursues these cases internally or refers them to law enforcement, including the FTC, U.S. Attorneys, and State Attorneys General. And as in the suit against the Spam King, the team also assists law enforcement officials with their spyware investigations. Microsoft believes that the public and private sectors should continue to work together to hold spyware publishers accountable for their unlawful acts, and we look forward to other successful enforcement actions in the future. Industry Best Practices. Developing a set of industry-wide standards is another piece of our spyware strategy. Such best practices create an incentive for legitimate software publishers to distinguish themselves from bad actors, and can serve as a foundation for programs that certify and label the good actors--which in turn empower users to make informed decisions about the software they download to their computers. Representatives from a broad range of companies have been working to develop and implement a set of best practices, but more needs to be done. Initial efforts have focused on standards for the installation of software through the Internet--as well as more broadly with respect to the collection and use of personal information, the display of pop-up advertisements, and the form and substance of notice and consent. The overriding goal of these practices is to empower consumers--allowing them to make informed decisions by providing appropriate notice and consent experiences, balancing the need for transparency and detail, and offering appropriate controls. Self-regulatory measures should continue to evolve to account for the complexities and challenges that are a result of the ever-changing nature of technology. Microsoft is committed to working with industry to formulate best practices and believes that these practices can help supplement other efforts. Targeted Legislation Has a Role To Play. Microsoft is optimistic that this combination of technology, education, enforcement, and industry standards can effectively combat the spyware problem. And significant progress has been made toward this goal in the past year: technological solutions to empower consumers to protect themselves from spyware are now widely available; consumers are much more educated about the nature and scope of spyware; a successful enforcement action has been taken against a spyware publisher under existing law; and legitimate industry practices are becoming better and more consistent. Federal legislation can be an effective complement to this strategy, providing an additional layer of protection for consumers and another tool for enforcement officials. As we stressed at the beginning of this process, however, Congress must proceed cautiously to ensure that such legislation targets the deceptive behavior of spyware publishers--and not features or functionalities that have substantial legitimate uses. This distinction is critical to avoid imposing unworkable requirements on legitimate applications and adversely affecting legions of computer users. The Proposed Legislation Has Improved Dramatically. When we last testified, we offered some scenarios in which well- intended legislation could have unfortunate and unintended consequences. As you know, we were concerned that initial drafts of anti-spyware legislation contained provisions that might compromise specific functionalities rather than target the bad practices at the core of the spyware problem. We have been extremely pleased, however, at the willingness of Representatives Bono and Towns and other members of this Committee to work with us and others in the private sector to create a bill that captures the bad actors without unnecessarily impeding the good ones. Representative Towns recognized this when the SPY ACT was brought to the House floor last year, noting that ``any time we legislate on highly technical matters, there is always a danger in stifling innovation or making the use of legitimate software too burdensome. It is a very difficult tightrope to walk, but I think we have done an excellent job in walking that line.'' <SUP>6</SUP> That we successfully worked together to achieve this balance is apparent when we re-examine those scenarios we raised last April. --------------------------------------------------------------------------- \6\ 150 Cong. Rec. H8085 (daily ed. Oct. 5, 2004) (statement of Rep. Towns). --------------------------------------------------------------------------- Disruptive User Experience. As we explained then, many legitimate software programs contain an information-gathering functionality that these programs need in order to perform properly. These include error reporting applications, troubleshooting and maintenance programs, security protocols, and Internet browsers. Imposing notice and consent requirements every time these legitimate programs collect and transmit a piece of information would disrupt the computing experience, because users would be flooded with constant, non-bypassable warnings--making it impossible to perform routine Internet functions (such as connecting to a web page) without intolerable delay and distraction. The current version of the SPY ACT understands these issues, and takes steps to safeguard the user experience. In particular, the bill allows notices to consumers to be tailored to take into account different scenarios. It also contains important exceptions for critical functionalities--such as security procedures and authentication checks--and recognizes circumstances where information-sharing is driven by the user. These revisions help the legislation target bad actors without impeding legitimate applications. Compromised Consent Experience. We were also concerned about ``one size fits all'' notice and consent requirements, which may not give users sufficient context to make informed decisions. For example, requiring notice and consent at the time of installation ignored the importance of a technique we refer to as ``just in time'' consent, which delays the notice and consent experience until the time most relevant to the user--just before the feature is executed. If a program crashes, for instance, Windows Error Reporting functionality will ask the user whether he or she would like to send crash information to Microsoft. At this time, the user is able to examine the type of information that will be sent to Microsoft and to assess the actual privacy impact, if any, of transmitting such information in light of the potential benefit of receiving a possible fix for the problem. Presenting the notice and choice experience for Windows Error Reporting at the time Windows is first installed, in contrast, would lack this critical context. As a result of cooperation between Congress and industry, the current version of the bill allows for ``just in time'' consent. This is an important inclusion that empowers users by providing them with notice and requiring choice at the time most appropriate to making an informed decision. Unrealistic Uninstall Requirements. Finally, we were concerned about provisions in the bill that required standardized uninstall practices for all software, which we feared would be unworkable in many circumstances. For example, there are cases where a full and complete uninstall is neither technically possible nor desirable, such as with a software component that is in use and shared by other programs. In addition, there are other cases where an uninstall may be technically possible, but the cost to provide such functionality would be prohibitive, such as with complex software systems that may require the entire software system to be removed. Finally, there are situations where requiring uninstall could actually compromise the security of the system, such as backing out security upgrades or removing critical services. Here again, the Committee has been responsive to industry concerns, and the bill has been modified to provide legitimate developers with the flexibility necessary to avoid the types of problems outlined above. We look forward to continuing to work with the Committee to ensure that all appropriate uninstall scenarios are adequately addressed. Legislation Must Be Forward-Thinking. As Chairman Barton rightly recognized when bringing the SPY ACT to the House floor last term, ``technological development moves quickly, much faster than the regulatory or legislative process.'' <SUP>7</SUP> We praise the Chairman for his hard work to move the SPY ACT through the legislative process so we can rapidly get additional tools in the hands of regulators to fight this burgeoning threat. But spyware is a relatively new problem, and the list of acts prohibited by the bill today might not capture every practice used by bad actors tomorrow. We and others in the industry are working to develop and implement new and better anti-spyware tools that will empower consumers to make more informed choices with respect to their computers. We need to make sure that the law does not create disincentives for consumers to use these tools, or for companies to develop and distribute them. --------------------------------------------------------------------------- \7\ 150 Cong. Rec. H8080-81 (daily ed. Oct. 5, 2004) (statement of Rep. Barton). --------------------------------------------------------------------------- Congress recognized the importance of enabling consumers to take advantage of technological tools in addressing spam. In that context, Congress worked to clarify that merely because a message is not unlawful under federal law does not mean that consumers are in any way precluded from using technology to block the message. Similarly, with respect to spyware, simply because a software program complies with the SPY ACT should not prohibit consumers from choosing whether to download it, nor should it leave vendors of anti-spyware tools open to legal action for providing tools that enable consumers to make these choices. We think it is self-evident that the SPY ACT should support the creation of such tools and not provide disincentives for the development of ever more powerful anti-spyware technologies. We look forward to working with Congress to ensure that the legislation achieves its aims of empowering consumers to maintain control over their computer systems and protect themselves as they see fit. We want to thank the Committee once again for your attention to the spyware problem and for extending Microsoft an invitation to share our ideas and experiences with you--both today and as this process moves forward. By continuing to attack the problem on several levels-- consumer education, technology solutions, industry best practices, aggressive enforcement, and targeted legislation--we believe we can thwart the efforts of those who produce and distribute spyware. Microsoft remains committed to working with you to prevent bad actors from deceiving consumers and destroying their computing experience. Mr. Stearns [presiding]. Thank you. Mr. Schmidt? STATEMENT OF HOWARD A. SCHMIDT Mr. Schmidt. Good morning, Mr. Chairman. Mr. Stearns. Good morning. Mr. Schmidt. Members of the committee, my name is Howard Schmidt. I am the President and CEO of R&H Security Consulting. Over the past 20 years, I have served as a computer crime investigator with the Chandler, Arizona Police Department. I left the FBI's Computer Exploitation Team for the National Drug Intelligence Center at Johnstown, Pennsylvania. I served as the Director of Computer Crime and Information Warfare at the Air Force Office Special Investigations. I have been the Chief Security Officer of Microsoft and eBay. And in the aftermath of September 11, I was appointed by President Bush as the Vice- Chairman of the President's Critical Infrastructure Protection Board and Special Advisor for Siberia Security. I, to this day, continue to serve, as the privilege, on the U.S. Army Reserves as a computer crime investigator. And I thought I had seen it all until I have seen the effects of what happens with spyware today. And I thank you for the opportunity to share with you my perspective on the impact, an issue that the committee has shown great leadership in working tirelessly to raise awareness and--of a potential threat. In previous testimony, I have talked about the impact of cybersecurity in our day-to-day lives and the protection of critical infrastructure. Today, I would like to tell you why the threats posed by spyware threaten more than just our privacy and protection of personal information, but also speak briefly as to the progress that market forces and the private sector have made in the past year. It has been proven time and time again that by the public and private sectors working together to protect innovation as well as to improve end user protection. As Chairman Barton discussed in previous hearings, spyware represents an intrusion into our day-to-day computer experience without our knowledge. But I would like to focus my comments into two specific areas, the end user/consumer area as well as the enterprise. As some of the members have stated, I got to see firsthand with my own family members the impact that this has. My son is a computer crime detective in Arizona. My wife teaches computer forensics in Wisconsin to law enforcement, but that is sort of where the end of the technology expertise ends in my family. My brother-in-law in Wisconsin, who is a great carpenter, wound up finding his computer totally unusable after being hijacked--his browser was hijacked by a system that even programs designed to remove that specific system were unable to do so, which we had to completely rebuild the system. On the other end of the spectrum, my 88-year-old father lives in Florida and uses the Internet for entertainment, communication with friends around the country, and digital photography. Within a few moments of buying--a few days after buying it, the new computer was akin to a 15-year-old computer system. To this, we have seen industry respond rapidly to deal with the intrusiveness of spyware. We started putting out pop-up blockers, making them available for free, and anti-virus vendors started to include spyware technology into the security suites. As Mr. Rubinstein mentioned, Microsoft recently launched a product that, once again, helps deal with these products. But as we continue to work on the problem of spyware, we need to remember that much of the benefits we derive from online experience is based on the interactive nature of the Internet. In the early days of computing, people used computers to do things, and to this day, in many instances, computers interact with other computers, so consequently, we want to make sure we don't disrupt, and this committee has paid a great deal of attention to impacting that interaction on our behalf. One of the things that we discussed were the convergence of various technologies, voice-over IP, telecommunications, and computers. One of the things we have also seen, though, is the convergence of the spyware in the more nefarious aspects of it, including tools that enable systems to be hacked, identity theft, keystroke loggers, and robots, which in turn take over computer systems and use those computers to attack other computer systems through installation of spyware. While the vast majority of these acts are covered under provisions such as Title 18, Title 5, Electronic Communications Privacy Act, Computer Fraud and Abuse Act, this particular bill, H.R. 29, closes an important gap that we don't see in some of the other things, and it targets a set of behaviors, not specific technologies. It should continue to improve and protect the interactive software used for positive purposes while indeed holding those accountable for the nefarious acts. There are four major areas, though, that I think are very important when we combat those areas and the many areas of cybersecurity. First, the use of technology and market forces are the strongest potential solution when it comes to dealing with online threats. Thanks to the freely online anti-spyware software, including the new Microsoft product, my father's system, as I have cited a moment ago, was free and hopefully will stay that way for a long time. Second, the efforts of education and awareness go a long way in informing users what capabilities they have, whether it is Internet phishing threats, Trojans, or spyware, an educated and informed public is a vital weapon for protection of these things. Third, companies, even competitors are working very closely together to identify new threats, share information with each other, and publish updates to deal with the new threats faster than ever in the past. As a matter of fact, many of the industry leaders are now working together to deal with the factor of two-factor authentication, basically something akin to an ATM card where we can better protect ourselves as well. And fourthly, is the--as with many other issues harming society, technology, education, and information are not going to be 100 percent solution. To that end, we need to have penalties and trained, equipped, and staffed law environment personnel to enforce these penalties. And while our online safety continues to improve day-by-day, hour-by-hour, this committee's work is crucial to help us get close to that 100- percent level. The provisions of the SPY ACT should continue to encourage companies to develop and distribute ever more effective and powerful anti-spyware and security technologies, and I look forward to our continued great working relationship with Congress to ensure that the legislation achieves its aims of protecting and empowering consumers in order to protect themselves in the situation to fit them. I would like to also thank the committee for their continued leadership and attention to this problem and for inviting me to appear before this committee and talk about this issue. I would like to thank you for the ability and look forward to any questions you might have. Thank you. [The prepared statement of Howard A. Schmidt follows:] Prepared Statement of Howard A. Schmidt, President and CEO, R&H Security Consulting LLC Chairman Barton, Ranking Member Dingell, and Members of the Committee: My name is Howard A. Schmidt and I am President & CEO of R & H Security Consulting LLC. Over the past 20 years I have served as a Computer Crime Investigator, with the Chandler Arizona Police Department, led the computer exploitation team for the FBI at the National Drug Intelligence Center as well as the Director of Computer Crime and Information Warfare at Air Force Office Special Investigations. I have also been the Chief Security Officer for the Microsoft Corporation and Chief Information Security Officer and Chief Security Strategist for eBay Inc. In the aftermath of 9/11, I was appointed by President Bush as the Vice Chairman of the President's Critical Infrastructure Protection Board and Special Advisor for Cyber Security. I want to thank you for the opportunity to share with the Committee my perspective on the impact of Spyware--an issue on which this Committee has shown great leadership by working tirelessly to raise public awareness of the potential threat posed by Spyware and by drafting legislation that is carefully targeted to address the bad behavior at the root of the problem, without unnecessarily impacting legitimate software applications. As citizens, we owe a debt of gratitude to Chairman Barton, Representatives Stearns and Schakowsky, the Chairman and Ranking Member, respectively, of the Commerce, Trade, and Consumer Protection Subcommittee, and Representatives Bono and Towns, the lead Republican and Democrat sponsors of H.R. 29, the SPY ACT. Your willingness to work closely with the private and public sector makes your contribution to this issue even more valuable. During my previous testimony before House Committees, I have discussed the implications of cyber security on our day to day lives and the protection of critical infrastructure. Today, I would like to tell you why the threats proposed by Spyware threaten more than just our privacy and protection of personal information, but also speak briefly as to the progress that market forces and the private sector have made in the past year. It has been proven time and time again, the tremendous value that results when the public and private sectors work together to protect innovation as well as to improve end user protection. A. SPYWARE CONTINUES TO BE A THREAT TO CYBER SECURITY. As Chairman Barton discussed in the previous hearing, Spyware represents an intrusion into our day-to-day computing experience without our knowledge. I would like to focus my testimony in two very similar areas, the ``end user/consumer'' and the enterprise. Other witnesses in previous testimony, as well as today's testimony, have described what Spyware is and some of it's effects, so I will not delve into what Spyware is and how it works again I do not have to go much further then my own family to see first hand the impact Spyware has on the online experience. While my son is a computer crime detective and my wife teaches computer forensics to law enforcement, the technology expertise stops there. My first example was when my brother-in-law was not able to use his computer for anything because a piece of Spyware had hijacked his browser. Normally it would have been just a matter of resetting the ``home page'' to the page one would prefer, but this piece of Spyware was so invasive that even using programs specifically designed to remove this application did not function and eventually resulted in his system not functioning at all. He had to send the computer to me in another state and I had to rebuild the entire system. The second personal example is the PC of my 88 year old father, who uses the PC and the internet for daily entertainment, communications with friends and digital photography. Within a short period of time of him purchasing his new computer, it went from being a high-speed piece of technology to something akin to a 15-year-old computer running so slow it was almost useless. I am sure that these examples are nothing new to many of us in the IT/Security business, but to ``normal'' users this is very troubling. To deal with this, industry, using market forces, has responded rapidly to deal with the intrusiveness of Spyware. It started with pop- up blockers being made available for free and then anti-virus vendors started to include anti-Spyware technology into their ``security suites.'' We now have many ``toolbars'' that have built in pop-up and spy protection. Recently, Microsoft has launched a Spyware product that is in beta form that shows tremendous promise in providing a technology solution to dealing with a large part of the problem. As we continue to work on the problem of Spyware, we need to remember that much of the benefits we derive from the online experience is based on the interactive nature of the internet. In the early days of internet use, people interacted with computers. However, in the recent past it has become more of an issue of computers interacting with other computers on behalf of people. Although there are those that would exploit computer-to-computer interaction, we should be very sensitive as to not disrupt the legitimate interactive nature of computers acting on behalf of people. The key difference, as this Committee has learned by working well with the private sector, between good and bad software is not the means by which it is distributed, but the intent and the behavior of the software. As we move towards a computing environment where we develop self-healing, self-repairing, and self-configuring computers, we must ensure the need to, without end-user intervention, have the ability to download upgrades, security fixes, and protective software. Clearly this type of software installation should not and would not fit into the category as Spyware. A classic example is the use of anti-fraud/id theft software updates, these installations are very important to the integrity of the experience on the internet., The concern that many of us have is when the software is introduced in a deceptive manner and performs functions that are annoying or harmful and difficult, if not impossible, to remove. At the same time that we are discussing the benefits of convergence of modern day technology, there is also a negative convergence of ``traditional'' hacking, identity theft, key loggers, and ``bots'' being installed using what we traditionally call Spyware. While the vast majority of these acts are covered by provisions of Title 18, Title 5, Electronic Communications Privacy Act (ECPA), Computer Fraud and Abuse Act, the FTC's existing authority to pursue unfair or deceptive trade practices, or international law, H.R. 29, the SPY Act, makes an important contribution to supplementing these laws, and I believe will be successful to the extent that it targets a set of behaviors and not a class of technology. This bill should continue to protect interactive software that is used for positive purposes including where the users have agreed to an end user license agreements (EULA) and understands what their choices are. In short, the end users should be empowered to make their own choices on how they interact with software applications as ``one size does not fit all.'' As many of us said when dealing with many issues of cyber security, we agree that there are four major steps that must be taken to protect end users. First, the uses of technology and market forces are the strongest potential solution when it comes to dealing with online threats. As I testified earlier, industry has developed a number of technologies to combat not only Spyware but other threats. Industry's efforts are to be commended and these efforts work for the vast majority of the routine cases we face today. Thanks to freely available anti-Spyware software, including the new Microsoft anti-Spyware beta application, my father's computer is now Spyware free and all indications suggest that it will stay that way. Second, the education and awareness of ALL users is vital to reducing problems associated with many of the internet threats, whether it is ``Phishing,'' virus and Trojans or Spyware, an educated and informed public is one of the best weapons. Many companies have created ``Security Centers'' on their web sites to better educate their users as to how protect their computers and their privacy. The National Cyber Security Alliance (NCSA) has consumer tips on its website http:// www.stafesafeonline.info. Additional information can be found at http:/ /www.personalfirewallday.org, which provides information for users. The FTC has been a leader in the awareness and education about online security. Third, companies, even competitors, are working closely together to identify new threats, share information with each other and publish updates to deal with new threats faster than ever in the past. Online companies now are providing free anti-virus services, pop up blockers, and anti-Spyware applications to their customers. Additionally, many of the industry leaders in identity management such as RSA, Verisign, Entrust and Geotrust are providing tools to improve 2 factor authentication to protect privacy and identity. The National Cyber Security Partnership has brought together leaders in this space across various sectors to better coordinate and publicize the industry and government accomplishments. Fourth, as with many other issues harming society, technology, education and information are not 100% effective in solving problems To that end, the need to have penalties and trained, equipped and staffed law enforcement personnel to enforce those penalties are essential. While online safety continues to improve day-by-day, hour-by-hour the work of this Committee is beneficial to help us get closer to the 100% level. The provisions of the SPY ACT should continue to encourage companies to develop and distribute ever more effective and powerful anti-Spyware and security technologies. I look forward to continuing our great working relationship with Congress to ensure that the legislation achieves its aims of protecting and empowering consumers to control their computer systems and to exercise valuable protective measures which fit their situation. I again would like to thank the Committee for your leadership and attention to the Spyware problem and for extending the invitation for me to appear before you to share my experiences with you today and as in the future as this process evolves. Cyber security has always and always will employed using a ``layered defense'' perspective. By working with this body, technology companies, law enforcement agencies, and diplomatic leaders, I believe we can continue to reduce the impact that bad actors have on our online experience and we can continue to strengthen national security, public safety, and economic advancements, while providing for a rich and robust online experience for us all. I thank you again for the ability to appear here before you today and I look forward to any questions that you may have. Mr. Stearns. I thank the gentleman. Mr. Schwartz, welcome. STATEMENT OF ARI SCHWARTZ Mr. Schwartz. Chairman Stearns, Ranking Member Schakowsky, members of the committee, thank you very much for having CDT testify today. Since the Center for Democracy and Technology last testified on this issue in front of the Consumer Protection Subcommittee in April of last year, the spyware problem has only gotten worse. Just this week, a study was released that showed that \2/3\ of information technology managers now consider spyware to be the biggest threat to network security. On a personal note, following the holiday season, I can count myself among the tens of thousands of technically-- consumers and computer professionals, and from what we have heard, members of this committee who have tried to help a family member or friend fix a computer that has been plagued by spyware. And in my case, it was my father-in-law. I also came to the conclusion that it would be better to buy a new computer and reformat the hard drive than to continue to try and remove the spyware through the existing tools that were supposed to be able to remove the software, as Mr. Schmidt had suggested in his case. Over a year ago, CDT asked consumers to send us complaints about specific spyware programs so we can investigate them more fully. We now receive so many complaints that we have had to create a prioritizing system in order to try and figure out which ones to prioritize and even which ones to read. Fortunately, there is also some positive news. On the technology front, companies such as EarthLink and American Online and Microsoft, as we have heard, have begun to distribute anti-spyware tools more actively. The case that CDT brought to the Federal Trade Commission against spyware purveyor Seismic Entertainment last February has come to trial in New Hampshire. This is the first FTC case against a spyware company. The Seismic case highlights the growing complexity of a marketplace that allows mainstream companies to fund illegal activities through a maze of distributors and affiliates. As I document in my written testimony, the relationships are usually so complex that the companies involved do not know more than one player in what becomes a six or seven-level chain of distributors and affiliates. CDT sees three major areas where action is necessary to stem the disturbing trends for the loss of control and transparency for Internet users in the environment that we now face. First, it is clear that we need stronger enforcement of existing law. CDT brought the Seismic case in February to the FTC's attention. The FTC took action in October. And court proceedings continue through today. If each case takes such a singular focus over such a long period of time, the enforcement will not be able to serve as a real deterrent in this area. Second, we need even better consumer education, industry self-regulation, and improved technologies to give consumers real control. We have only seen the beginning of what industry can do to help solve this problem on their own. Last, CDT strongly believes that many of the privacy concerns of spyware, some of which fall out of the scope of current legal protections, could be clearly addressed with an online privacy law. As members of this committee know, CDT has long argued that until we have an online privacy law that addresses all of the basic fair information practices, the privacy issues that we first saw 9 years ago in the collection of information via the web and then with cookies and then with spam and now with spyware and RFID and phishing will only repeat with new technologies in the future. A privacy law that could get at a root concern rather than trying to define and scope each new technology in a limiting way. This kind of privacy legislation would provide businesses with guidance about their responsibilities as they deploy new technologies and business models that involve the collection of information. At the same time, privacy assurances and law would give consumers a measure of confidence that their privacy is protected as companies roll out new ventures. The legislation at hand today, H.R. 29, can serve as an important launching point that CDT generally supports. Representatives Bono and Towns deserve credit for raising the profile of this important issue in such a constructive manner. In particular, raising the penalties on bad practices can help the FTC create real deterrence. On the other hand, CDT is less enthusiastic about the notice and other requirements on information collection programs in the current bill. We are concerned that the definitions are vague and may bring unintended consequences in the regulatory process that could serve to harm consumers. Instead, we would prefer to see this issue addressed in baseline privacy legislation so that consumers have a consistent framework for privacy and notice and consent across all technologies. CDT is committed to working with the committee as your efforts continue, and I look forward to answering your questions. [The prepared statement of Ari Schwartz follows:] Prepared Statement of Ari Schwartz, Associate Director, Center for Democracy and Technology Chairman Barton and Ranking Member Dingell, thank you for holding this hearing on spyware, an issue of growing concern for consumers and businesses alike. CDT is honored to have the opportunity to participate in the Committee's first hearing of this new Congress. CDT is a non-profit, public interest organization devoted to promoting privacy, civil liberties, and democratic values online. CDT has been widely recognized as a leader in the policy debate surrounding so-called ``spyware'' applications.<SUP>1</SUP> We have been engaged in the legislative, regulatory, and self-regulatory efforts to deal with the spyware problem, and have been active in public education efforts through the press and our own grassroots network. --------------------------------------------------------------------------- \1\ See, e.g., CDT's ``Campaign Against Spyware,'' http:// www.cdt.org/action/spyware/action (calling on users to report their problems with spyware to CDT; since November 2003, CDT has received over 650 responses). Center for Democracy & Technology, Complaint and Request for Investigation, Injunction, and Other Relief, in the Matter of MailWiper, Inc., and Seismic Entertainment Productions, Inc., February 11, 2004, available at http://www.cdt.org/privacy/ 20040210cdt.pdf (hereafter CDT Complaint Against MailWiper and Seismic). ``Eye Spyware,'' Christian Science Monitor Editorial, April 21, 2004 (``Some computer-focused organizations, like the Center for Democracy and Technology, are working to increase public awareness of spyware and its risks.''). ``The Spies in Your Computer,'' New York Times Editorial, February 18, 2004 (arguing that ``Congress will miss the point [in spyware legislation] if it regulates specific varieties of spyware, only to watch the programs mutate into forms that evade narrowly tailored law. A better solution, as proposed recently by the Center for Democracy and Technology, is to develop privacy standards that protect computer users from all programs that covertly collect information that rightfully belongs to the user.''). John Borland, ``Spyware and its discontents,'' CNET.com, February 12, 2004 (``In the past few months, Ari Schwartz and the Washington, D.C.-based Center for Democracy and Technology have leapt into the front ranks of the Net's spyware-fighters.'') --------------------------------------------------------------------------- As an organization dedicated both to protecting consumer privacy and to preserving openness and innovation online, CDT has sought to promote responses to the spyware epidemic that provide meaningful protection for users while avoiding unintended consequences that could harm the open, decentralized Internet. Last year we testified before the Subcommittee on Commerce, Trade, and Consumer Protection on the issue of spyware, attempting to define the problem and suggest the range of responses required to address it. Since that time, we have worked closely with the Committee toward legislation to target spyware. We have appreciated the Committee's open, deliberative approach to this complex and important issue. Summary The alarming rate of growth of the spyware problem is a major threat to Internet users, as well as to the long-term health of the open and decentralized Internet. Of particular concern is the growing complexity of a marketplace that allows mainstream companies to unwittingly fund illegal activities through a maze of distributors and affiliates. CDT sees three major areas where action is necessary to stem this disturbing trend toward a loss of control and transparency for Internet users: 1) enforcement of existing law; 2) better consumer education, industry self-regulation, and anti-spyware technologies; and 3) baseline Internet privacy legislation. H.R. 29 marks a substantial step forward in addressing many of the concerns of consumer groups and companies. CDT is generally supportive of the current bill. In particular, we strongly endorse the idea of raising penalties on and calling specific attention to the worst types of deceptive software practices online. CDT is less enthusiastic about the specific notice and consent requirements on adware and information collection programs, because of the definitional difficulties in crafting such a regime narrowly targeted at certain classes of software. We look forward to continuing to work with the Committee to help improve these element of the bill. On a broader note, we hope that work on the spyware issue will provide a jumping off point for efforts to craft baseline standards for online privacy, now that many companies have expressed their support for such a goal. Privacy legislation would provide businesses with guidance about their responsibilities as they deploy new technologies and business models that involve the collection of information. At the same time, privacy assurances in law would give consumers some measure of confidence that their privacy is protected as companies roll out new ventures. If we do not begin to think about privacy issues more comprehensively, the same players will be back in front of this Committee in a matter of months to address the next threat to online privacy. We hope that we can address these issue up front, rather than waiting for each new privacy threat to present itself. 1. Understanding and Combating Spyware What is ``spyware?'' No precise definition of spyware exists. The term has been applied to software ranging from ``keystroke loggers'' that capture every key typed on a particular computer; to advertising applications that track users' web browsing; to programs that hijack users' system settings. Much attention has been focused on the surveillance dimension of the spwyare issue, though it is in fact a much broader problem. What the growing array of invasive programs known as ``spyware'' have in common is a lack of transparency and an absence of respect for users' ability to control over their own computers and Internet connections. In this regard, these programs may be better thought of as trespassware.<SUP>2</SUP> Among the host of objectionable behaviors for which such nefarious applications can be responsible, are: --------------------------------------------------------------------------- \2\ Chairman Barton's statement at last year's Subcommittee hearing aptly expressed this idea: ``[Spyware's] installation is often sneaky or deceptive and even when it runs, it often goes undetected . . . If I want someone to come into my home, I invite them into my home. If they come uninvited, it is a trespass.'' Doug Abrahms, ``Anti-spyware bill drawing praise, support,'' Gannett News Service, Apr. 30, 2004. ``browser hijacking'' and other covert manipulation of users' settings; surreptitious installation, including through security holes; actively avoiding uninstallation, automatic reinstallation, and otherwise frustrating users' attempts to remove the programs; substantially decreasing system performance and speed, in some cases sufficient to render systems unusable; and opening security backdoors on users' computers that could be used to compromise their computers or the wider network. Each of these behaviors was specifically documented by CDT or reported to us by individual users frustrated by their inability to use their own systems. Although no single behavior of this kind defines ``spyware,'' together they characterize the transparency and control problems common to such applications. How can we respond to the problem? Combating spyware requires a multifaceted approach. Significant progress has already been made since the spyware issue first began to receive national attention over a year ago, but much ground still remains. Law enforcement. Under federal law, much spyware is currently covered by Section 5 of the FTC Act, banning unfair and deceptive trade practices, as well as by the Computer Fraud and Abuse Act or the Electronic Communications Privacy Act. Spyware programs may also violate a variety of state statutes. Private efforts, including continued consumer education, the continued improvement of anti-spyware technologies, and stepped up efforts to close the security holes exploited by spyware purveyors, are all necessary. In particular, sound best practices for downloadable software are sorely needed. Legislative approaches to fighting spyware fall into two broad categories--attempts to narrowly address the issues raised by spyware, and attempts to deal, in a coherent and long-term fashion, with the underlying privacy issues. H.R. 29, which we address in detail below, is an example of the first approach. CDT has appreciated the opportunity to work with the Committee on this bill and is supportive of this effort. However, we remain firmly committed to idea that a long-term solution to spyware and other similar issues requires baseline online privacy legislation. Many of the issues raised by spyware may be easier to deal with in this context. This framework represented our starting point on the spyware issue a year ago, and remains largely unchanged today. There have, however, been important developments in the problem, and in our research on the issue, since we appeared before the House Subcommittee last year. We address these in the following sections. 2. Spyware Continues to Grow as a Threat to Internet Users When CDT first became involved in the spyware issue, we launched a ``Campaign Against Spyware,'' calling on Internet users to send us their experiences with these invasive applications.<SUP>3</SUP> We indicated that we would investigate the complaints received and, where we believed appropriate, file complaints with the FTC. In our appearance before the Consumer Protection Subcommittee, we testified regarding the dramatic response to our campaign. In the nine months since our last appearance, CDT has continued to receive complaints through our online submission form. Among what are now hundreds of complaints, a total which continues to grow daily, are regular reports of new spyware programs arising. --------------------------------------------------------------------------- \3\ See http://www.cdt.org/action/spyware --------------------------------------------------------------------------- While it is exceptionally difficult to obtain precise data on the prevalence of the spyware problem, the best study done to date, conducted by AOL and the Nation CyberSecurity Alliance, found that 80% of broadband and dial-up users had adware or spyware programs running on their computers.<SUP>4</SUP> Our perception based on the complaints we have received and our own research is that the prevalence of egregious spyware violations, including many mentioned in Section 2 of H.R. 29 before this Committee, has increased dramatically. Of particular concern is the use of security holes in web browsers to silently force software onto users computers. We believe many Internet users may simply be turning off the Internet in response to these threats.<SUP>5</SUP> --------------------------------------------------------------------------- \4\ http://www.staysafeonline.info/news/safety_study_v04.pdf \5\ See, e.g. Joseph Menn, ``No More Internet for Them,'' Los Angeles Times, January 14, 2005, p. A1. --------------------------------------------------------------------------- CDT was very pleased to see the first public enforcement action brought in October by the FTC against Samford Wallace and Seismic Entertainment on the basis of a complaint filed earlier by CDT.<SUP>6</SUP> This case included many of the clearly unfair and deceptive activities mentioned above, including browser hijacking and covert installation through security holes. We applaud the Commission for its work on the case, which has led to an injunction against further exploitative practices by Seismic. --------------------------------------------------------------------------- \6\ There were instances of private enforcement against spyware purveyors that preceded the FTC's case. For example, in July of last year, 180solutions, a large adware vendor, sued a distributor that was using security holes to force 180solutions' software onto Internet user's computers in order to collect per-install commissions. --------------------------------------------------------------------------- The Commission's initial action against Seismic must be only the first step, however. First, many other parties were involved in the unfair and deceptive activities which CDT highlighted in our complaint to the FTC. We believe that the FTC's discovery in the Seismic case will provide ample basis to pursue these connections, and we expect that the Commission will announce further actions as other bad actors come to light. We discuss this affiliate issue in more detail below. In addition, both the FTC and other national and state level law enforcement agencies must actively pursue further cases. While the FTC's first spyware case was an important milestone, both the number and frequency of cases must be dramatically increased if law enforcement is to provide a significant deterrent to purveyors of spyware. Currently, we believe law enforcement is still losing the battle against egregious spyware purveyors clearly guilty of violating existing law. 3. The Affiliate Problem is at the Center of the Spyware Issue In CDT's complaint to the FTC regarding Seismic Entertainment and Mail Wiper, we asked the FTC to specifically investigate the affiliate relationships between the parties involved. We highlighted the problem of affiliate relationship being ``exploited by companies to deflect responsibility and avoid accountability.'' <SUP>7</SUP> --------------------------------------------------------------------------- \7\ CDT Complaint Against MailWiper and Seismic at 2. --------------------------------------------------------------------------- Since CDT testified before the Consumer Protection Subcommittee last year, it has become increasingly clear to us that the affiliate issue is at the heart of several aspects of the spyware problem. We want to take the opportunity in our testimony today to highlight and explain this issue, which has not been given sufficient attention to date. Adware companies have a superficially simple business model: they provide a means of support for free software programs in a similar way that commercials support free television. Advertisers pay adware companies a fee to have their advertisements included in the adware program's rotation. The adware company then passes on a portion of that fee to distributors in exchange for bundling the adware program with other free software--such as gaming programs, screen savers, or peer- to-peer applications. Finally, the consumer downloads the bundle, agreeing to receive the advertising served by the adware program in exchange for the free software. In fact, this simple description of how distribution of adware and other bundled software takes place is often a radical oversimplification. In fact, many adware companies and other software bundlers operate through much more complex networks of affiliate arrangements, which dilute accountability, make it difficult for consumers to understand what is going on, and frustrate law enforcement efforts. The diagram below presents some of the actors and relationships in the online advertising world as we currently understand it. These include: product and service vendors, who have contracts with adware vendors and advertising brokers to distribute ads for their offerings; adware companies, who have multi-tier affiliate arrangements with other adware companies, software producers, website owners, and advertising brokers; software makers and website owners, who enter into bundling and distribution agreements with adware companies and advertising brokers, as well as with other software makers and website owners; and advertising brokers, who serve as middlemen in the full array of affiliate arrangements. The consequence of these ubiquitous affiliate arrangements is that when an adware program ends up on a user's computer, it may be many steps removed from the maker of the software itself. The existence of this complex network of intermediaries exacerbates the spyware problem in several ways. For example: Industry Responsibility--Adware companies, advertising brokers, and others all may disclaim responsibility for attacks on users' computers, while encouraging these behaviors through their affiliate schemes and doing little to police the networks of affiliates acting on their behalf. Advertisers, too, should be pushed to take greater responsibility for the companies they advertise with.<SUP>8</SUP> --------------------------------------------------------------------------- \8\ Examples of steps in this direction include public policies by Major League Baseball and Verizon setting standards for what software companies they will advertise with. Similarly, Google has drafted a specific public policy on what other applications it will bundle its utilities with. --------------------------------------------------------------------------- Enforcement--Complex webs of affiliate relationships obstruct law enforcement efforts to track back parties responsible for attacks. The complexity of these cases puts an extreme strain on enforcement agencies, which struggle to tackle the problem with limited resources. Consumer Notice--Adware companies and their affiliates have been reluctant to clearly disclose their relationships in a way that is transparent to consumers. Appendix A excerpts a recent CDT submission to the FTC on this issue, demonstrating ways that adware companies could begin to improve transparency in bundling and ad-support arrangements. Companies have resisted these changes. Efforts to bring transparency to the full chain of affiliate and distribution arrangements have met with even greater opposition. For these reasons, the affiliate issue has become a central aspect of the spyware epidemic. Finding ways to effectively reform affiliate relationships will remove a lynchpin of spyware purveyors' operations. 4. Comments on H.R. 29, the ``SPY ACT'' H.R. 29, before this Committee, represents the outcome of an extended drafting effort to target bad practices and bring responsibility back to the distribution of downloadable software. The overwhelming support for this bill in the last Congress demonstrates the desire to craft targeted legislation focusing on some of the specific problems raised by spyware. CDT commends Representatives Bono and the Committee for your work raising the profile of this formerly silent plague on our computers. The focus of this Committee has allowed consumer groups and companies to bring the attention of the public and law enforcement agencies to this issue. The current bill marks a substantial step forward in addressing many of the concerns of consumer groups and companies and CDT is generally supportive of the current bill. In particular, CDT believes that Section 2's focus on bad practices and its increase of the penalties for violators will serve as a valuable deterrent. H.R. 29 will give the Federal Trade Commission the clear authority and explicit mandate to pursue spyware purveyors. To this end, CDT also strongly supports the reporting requirement under Section 7. CDT has been more hesitant to embrace Section 3 of this bill. The notice and other requirements on adware and information collection programs raise extremely difficult definitional issues which, if handled wrong, could have unintended consequences in the regulatory process that could ultimately harm consumers. For this reason, the bill may be well served by another round of input from a wide range of parties in order to limit unintended consequences--especially in Section 3, where H.R. 29 deviates from the effort to focus on bad practices. CDT still believes that it would be most effective to address notice and consent issues in a general online privacy bill rather than a software specific bill, but we understand the desire to attempt to address this acute concern first, despite the complexities involved. We look forward to working with the Committee on this process. CDT main concern is actually not with the bill itself, but the political process to move the bill forward. We do not want to see the passage of this bill be used to diminish efforts by this Committee or others in Congress to address online privacy in a long-term and coherent way. Rather we hope that the current effort on spyware can provide a jumping off point for efforts to craft baseline standards for online privacy now that many companies have expressed their support for such a goal. Otherwise, we will simply be back in this same place when we confront the next privacy-invasive technology. We have very much appreciated the Committee's hard work and openness to comment in the anti-spyware legislation process, and we look forward to continuing to work with you on this and other digital privacy issues. Appendix A Adware companies face a particular hurdle in making their operations and value proposition transparent to users because adware programs typically do not run at the same time as the applications they support. In general, adware programs display advertisements while the user is surfing the web, regardless of whether the bundled game or file-sharing program is even running. This behavior can obscure the connection between the adware program and its bundled affiliate. As one way to help address this issue, CDT has pushed adware companies--and the software companies they bundle with--to implement co-branding, putting the names and logos of supported applications on all advertisements. Although advertisements would still appear to users out-of-context, separated from the applications they support, co- branding would at least provide an immediately visible indication of the connection between the advertisements users see and the applications those ads support. The mock-ups below show some ways that co-branding might be implemented. CDT submitted these same examples to the FTC's workshop on peer-to-peer file sharing applications. Some of these examples demonstrate more consumer-friendly labeling than others, but they all illustrate the fundamental principle of creating a visible link between adware and their co-bundled partners. Co-branding is needed because notice and consent at the time of installation is not enough. The ongoing operations of adware programs must also be made transparent. To date, no adware company of which we are aware co-brands its advertisements. [GRAPHIC] [TIFF OMITTED] T9899.001 [GRAPHIC] [TIFF OMITTED] T9899.002 [GRAPHIC] [TIFF OMITTED] T9899.003 Mr. Stearns. I thank the panel, and I will take the liberty, as Chairman, to start the questioning. Mr. Schwartz, you have indicated sort of a little bit of concern here. What would you do today to improve the bill? Mr. Schwartz. Well, as I said, I mean, the main focus here on this bill--we generally support the bill, the--especially the focus on the bad--on bad---- Mr. Stearns. So at this point, there is nothing you would change in the bill? Mr. Schwartz. Well, the concerns are about the definitions and more that a lot of it gets left to the FTC and the regulatory process, so it leaves a lot open for the FTC---- Mr. Stearns. Yeah. Mr. Schwartz. [continuing] for FTC interpretation at this point. Mr. Stearns. Mr. Schwartz, anything in the bill--Mr. Schmidt, rather, anything in the bill that you would change today? Mr. Schmidt. Well, generally, as--like Mr. Schwartz, I generally support it, and---- Mr. Stearns. Support the bill? Mr. Schmidt. [continuing] looking at some of the provisions that are in there, we have gone through four questions here in the past couple of days I would like some better clarity about on how those--the definitions are defined and who makes those decisions on those as well. Mr. Stearns. Mr. Rubinstein, what I am sensing is that everybody supports the bill, but they just want clarification of the language from our staff. Is that your feeling, too? Mr. Rubinstein. Yes, it is. There were a number of questions circulated by staff, and several of us testifying today are providing comments there. Mr. Stearns. Okay. Mr. Rubinstein. I think the cookie exception is an area worth exploring and should remain in the bill. I also alluded in my oral testimony to an issue around not allowing H.R. 29 to become a safe harbor for spyware vendors. And what I mean by that is, in the case of spam, for example, the fact that spam complies with the Act doesn't prevent ISPs from filtering spam or end users from deciding whether to accept mail or not. And similarly, in the case of spyware, even if a program does comply with this act, that shouldn't be viewed as a reason that consumers are obligated to download those programs. So in order for consumers to have full choice and for vendors to distribute very aggressive anti-spyware programs, we need to make clear that the bill itself does not change the legality in any way of programs that block spyware. So that shouldn't be pleated as a sort of defense by a spyware company. You know, I comply with the law, therefore the anti-spyware vendors should not be permitted to block my program. That should be up to the consumer. Mr. Stearns. I think that is a good point. Mr. Baker, you were nodding your head. You agree with that then? Mr. Baker. I would generally agree with the comments by Mr. Rubinstein and the other witnesses. Mr. Stearns. Okay. And no one has any problem with the penalty side of this bill? I am assuming that that is acceptable, Mr. Schmidt? Mr. Schmidt. Yes, I do. As a matter of fact, I think many of us have talked for a long time that we have got to raise the cost of doing bad things beyond the point where it is no longer---- Mr. Stearns. That the bad actors feel it. Mr. Schmidt. Yes, sir. Mr. Stearns. Yeah. Mr. Schmidt, I understand that you are a consultant to the Homeland Security. Is that true? Mr. Schmidt. That is correct, yes. Mr. Stearns. Let me ask you, apart from this legislation, what steps should the industry and consumers take to enhance security on the Internet? If you had to protect a family member's computer for use on the Internet, what would you do and what functions would you allow to prevent others from spying on them? Mr. Schmidt. You know, that is a good question. I think that breaks into two major categories. There is the maintenance piece of that, if you would, which is like an automobile. You need to keep oil, check your brakes, et cetera. And that goes to the security updates, the anti-virus software, the anti- spyware portion of the maintenance to the computer itself. The other is the educational and where they go. And I will use the analogy. One of my staff came up with this at one point. We could have the best shopping store in the country, but if you get mugged in the parking lot, you are not going to want to go there any more. So consequently, we have to do all we can, in addition to what enterprises are doing, to make sure that the consumers are aware of where to go, how to protect themselves, and Ralph there has good experience. And that is about doing trust and safety of the online experience as well. Mr. Stearns. Mr. Baker, this is a question. Does H.R. 29 adequately address the phishing problem? Does EarthLink, for example, educate its consumers about the phishing, both e-mail and web-based? Mr. Baker. Yes, Mr. Chairman, we do educate our consumers. We educate consumers generally about that and also--both let them know about the dangers of it and also provide tools to help. We have a program that uses heuristics to detect if they---- Mr. Stearns. How would I---- Mr. Baker. [continuing] if a website is phishy, if you will, and warn consumers away from that. Mr. Stearns. Now how would I, as a consumer using EarthLink, be told about this and use your program? I mean, do you proactively tell the consumer, or do you just tell them to go to your website or---- Mr. Baker. Well, as part of the EarthLink software, we include the tools like Scam Blocker that blocks access to phisher sites and gives a notice to a consumer when they are-- if they get a phisher--if they get an e-mail that leads to a website or if that looks like it is coming from a legitimate merchant, but it is actually a phisher site, the Scam Blocker program alerts the consumer to that. And we also provide information to our consumers as to ways you can also help protect yourself by looking, for instance, at the URL or if you get an e-mail and you are not sure, rather than just clicking on the link that is provided in the e-mail, instead, go to your browser and type in the name of the merchant you are trying to get to. Whether that is EarthLink or eBay or Citicorp or whatever. So instead of just clicking on the link, which could take you to the phisher site, and again, they are made to look like the real thing, one way the consumer can protect themselves is, like I said, going and opening the browser and typing in www.Citicorp.com or www.Earthlink.net and that way the consumer can have some assurance that they are going to the correct website. So those are two of several different ways that consumers can protect themselves. Mr. Stearns. All right. My time has expired. The ranking member on our committee, Ms. Schakowsky, is recognized. Ms. Schakowsky. Thank you, Mr. Chairman, and thank you for your testimony. I say that to all of our witnesses. I wanted to--and we have talked a lot about what spyware can do to individual computers and to individual consumers, but one thing we really haven't talked about is the potential damages that a spyware infection can do to businesses, to Congressional offices. And I wondered if any of the panelists would like to fill us in a bit on those threats. Mr. Schmidt, go ahead. Mr. Schmidt. Yeah, I would be happy to. As a matter of fact, I alluded to that during my verbal testimony. What we have seen is sort of--as I have mentioned, sort of the additional pieces of spyware, which include Trojans, which then give someone an access to remotely control your system to create a bot network out of a robot network, which basically then could be used against critical infrastructure as a distributed denial service attack, keystroke capture to grab passwords, which generally not only relate to what you may be doing in your work environment, but also, oftentimes, your online banking and everything. So these things become very, very insidious as far as their ability to affect more than just an individual. And that is why corporations and enterprises are working very hard to make sure that they can wipe out the spyware on there, because it does affect their ability to manufacture, to provide--you know, for example, we have seen the situations in the past where airline reservation systems have been down for computer problems that could have conceivably been affected by spyware as well. So it is your--you are quite correct. It is more than just about privacy and personal protection. Ms. Schakowsky. That terrible situation we had during a snowstorm where all of the baggage was tied up, has that been attached at all to spyware, do you know? Mr. Schmidt. Not to my knowledge, no. Ms. Schakowsky. Okay. Mr. Rubinstein, according to a September 2004 article by Consumer Reports, Microsoft has found that spyware is directly responsible for more than 1/3 of application software crashes that might be linked to as many as half of the crashes Microsoft customers experience. Let me just ask you some basic--what does Microsoft mean by a ``crash''? What does this do to a person's computer, to any files that they may have? And I am wondering if there is any way that you can estimate, in dollar amounts, how much damage this has caused for consumers or for businesses or for Microsoft. Mr. Rubinstein. It is hard to put precise dollar amounts on the damage it has caused. I know that it is probably the leading reason for support calls, both to Microsoft and to the leading manufacturers, such as Dell, so that imposes, certainly, millions of dollars of cost on the providers of technology. In terms of crashes, spyware is often responsible for either slowing down the performance of a computer or simply not allowing the user to navigate to a selected site or even to use certain programs to stop pop-ups from interfering and so on. So it is certainly quite damaging, and I think the one point that I really want to call attention to is that the scenarios we have heard where I--the spyware tools are getting more sophisticated, but the scenarios we have heard where they were ineffective and where the consumer is forced to reformat a hard drive or replace a computer are just simply unacceptable, and I think that is why I think we need to bring together all of these different elements to combat the spyware. Ms. Schakowsky. Finally, Mr. Schwartz has emphasized the need for baseline privacy legislation. I just wanted to ask the other three of you what your feeling was about the need to do just that. Mr. Baker? Mr. Baker. Privacy legislation? Ms. Schakowsky. Baseline privacy legislation. Mr. Baker. Well, I think that--meaning this legislation, we have already taken a large step to protecting consumers' online privacy, because one of the insidious applications of spyware is, of course, transmitting personally identifiable information to another website without that user's knowledge. So this is-- and so with or without stand-alone privacy legislation, this bill will--it takes a big step toward protecting consumers' online privacy. Mr. Rubinstein. Microsoft is committed to strong consumer protection of privacy, and we would be--we would welcome the opportunity to talk about legislation. Mr. Schmidt. Yes, I think one of the things that I have always found very helpful is you look at legislation after market forces now, and I think with the collaborative effort that we have been looking at from the private sector agreeing on some baselines, if you would, for privacy protection, I think that would be the first avenue that I would recommend. And then if that, indeed, failed within a relatively short period of time, then I would look more toward the legislation. But even in that vein, I think the dialog that your leadership and Mr. Towns and Ms. Bono have done as well basically give us that vehicle that--to have the dialog to make sure we do things in the proper manner. Mr. Stearns. The gentlelady's time has expired. The full Chairman, Mr. Barton. Chairman Barton. Thank you, Mr. Stearns. We appreciate your leadership on this. Let--Mr. Baker, your company purportedly has the best anti- spyware program on the market. Would you care to, in laymen's terms, explain to us why your program is reputed to be the best? Mr. Baker. Thank you. I suppose I should quit while I am ahead and not question the source of that assessment. But no, we do take our customers' online experience very seriously, and so we have developed, either on our own or in conjunction with other companies, various applications, like Spy Audit that, again, lets a user--it lets anybody, you don't even have to be an EarthLink customer, scan their computer to see what spyware is on there. And then if you are an EarthLink customer, you have a spyware blocker that lets you disable it. And it is--we are just always working. It is almost like an arms race. You know. We devise tools to block spyware and to remove it and at the same time, the folks who write this now-ware, as it is sometimes called, spyware and other bad applications are always, you know, trying to find ways around the protection. So it is just a question of constant innovation and getting feedback from customers and finding out where this is coming from and designing tools and systems to help consumers enhance their online experience. Chairman Barton. Why do you think the perpetrators of spyware--what is the potential gain that causes them to try so hard to get around the anti-spyware programs and to invade people's computers? What is it that they gain by successfully putting spyware on an individual or corporate computer? Mr. Baker. Well, that depends on the form of spyware. In the case of the less intrusive and less insidious adware, it is just a question of revenue. One site pays--one website will pay another website when a cookie or another piece of adware indicates that a customer got to website B, having first visited website A. So there is--money changes hands there. In the case of phisher sites that Mr. Stearns mentioned earlier, while those are not strictly spyware, clearly the motivation there is that if the perpetrator can steal a consumer's credit card number or bank information or other information, then obviously there is--money can be gained there. In the case of other forms of spyware, it is just malicious. It is online vandalism. And I guess---- Chairman Barton. So there is no financial---- Mr. Baker. [continuing] in some cases, there is no direct monetary benefit, other than just the malicious harm that can be done to an online user, their Internet provider, their software provider, their---- Chairman Barton. Well, this is a question for all of the panel. Who are the generally guilty parties in the spyware business? Are they businesses seeking financial gain, or are they college students and teenagers just trying to do it for the heck of it? Who are we--who is the enemy? Mr. Schwartz. There are a lot more businesses out for financial gain at this point than there have been in the past. As we map it out in our testimony, this chain of affiliates and distributors that has been created through the process of which distributor--software gets distributed online, and it has created this kind of incentive for making the ends justify the means of getting this software on people's computers. So an advertiser might not know how this software got on someone's computer, and the person who is actually delivering the software may not even know. There are--all of these affiliates in the middle, six or seven layers worth of affiliates who are all getting paid up and down the chain. And so therefore, someone in the middle is completely unscrupulous and has no-- doesn't really care how the consumer gets it. The people at the top and the bottom may care, however, the website that is actually interacting with the consumer may care. The company that is advertising may care. But the people creating the software and creating the means to try to get it on the computer often do not care. And they are making a good deal of money out of getting this software onto people's computers. Chairman Barton. So in general, you all agree it is business. It is that people are in it for some sort of propriety gain that are the perpetrators. We have some of them that do it just for the heck of it, but most of it is really a business for business reasons. Would you all agree with that? Mr. Rubinstein. I think that is right, Mr. Chairman. There is a sense in which spyware is beginning to replace spam as a-- kind of an opportunity for unscrupulous business people. But I think there is also a growing trend for more serious organized crime, taking advantage of spyware to create, as Mr. Schmidt indicated, these so-called bot nets or zombie networks that allow them to take control over a machine, and then sometimes, you know, have a group of thousands of machines, which they rent or sell to these businesses to further spam schemes or phishing schemes. So we are seeing more of that as well. Chairman Barton. Well, my time has expired, but I want to thank all of you gentlemen for your testimony today. I thank the full committee chairman. The gentleman from New York, Mr. Towns. Mr. Towns. Thank you very much, Mr. Chairman. I would like to ask you, Mr. Baker, when a consumer's computer crashes, he often calls the software or the hardware provider for assistance. This technical assistance costs companies in the millions. What types of costs are incurred by Internet service providers, such as your company, as a result of the spyware? In other words, let me put it this way. How much is spyware costing your company? Mr. Baker. Congressman Towns, I don't have an exact figure on it, but it is literally in the millions and millions of dollars, because, as you have pointed out, customers can call into their ISP, and you know--an Internet provider kind of exists at a crossroads between hardware and software, between the user's individual computer and the Internet at large, and so any time something affects any of those systems, the consumer is going to look to their Internet provider as to why they can't get online. And so it generates a call to our call center and--or sometimes e-mail or sometimes chat, but it drives up the contact rates, it drives up the times that our reps are on the phone with customers, and you know, sometimes it is easily resolved and sometimes it is not. Obviously that causes frustration to the user, and it does increase our costs, so again, I don't have an exact figure on it. I would be happy to provide that to you and get you an estimate, but again, it is in the millions of dollars per year. Mr. Towns. I would appreciate it if you would. To you, Mr. Rubinstein, first let me thank you, Microsoft, for their support of this legislation. We appreciate that. And I was pleased that your written testimony noted that we had successfully focused on bad practices. Throughout this process, it was critical to me that we craft legislation that does not hamper legitimate software applications and activities, like computer security, diagnostic, and technical support. You talked about shared responsibility for tackling spyware, taking into account the legislation and the progress in the different areas identified in your testimony, how close are we to solving the spyware problem, and what more should industry be doing? Mr. Rubinstein. Thank you, Congressman Towns. I think there has been substantial progress on consumer education, making that available. There are a number of excellent sites, and I can provide those, if you like. I think the anti-spyware tools are becoming more sophisticated as well. I think the two areas where there really needs to be more attention and focus are first around industry agreeing upon best practices for good software. It is very useful, as we have found in the spam--in the anti-spam effort to have both safe lists and block lists. So if you can have criteria that legitimate software follows for installing itself, for example, and then have a way of representing that a given program is actually safe to install, that aides the anti-spyware tools in really focusing on the bad actors and being more effective. So I think that is something that industry needs to move ahead on. There have been several best practice guidelines distributed both Center for Democracy and Technology and the Online Privacy Alliance have been active in that, but I think more needs to be done. I also think that a key technological development is having not only a detection and removal capability in the spyware tools but also real time protection, which means that as the spyware attempts to load itself, the tool is actively blocking it in real time, so that you don't have to get hit and then try to recover. You are actually protected as you surf the web. And finally, I think, from a technology standpoint, the important future development will be protection at the enterprise level, by which I mean not just at the level of an end user's machine, but the ISPs, the large enterprises, like the House or the Senate or universities blocking spyware before it even enters their systems so that it is not up to the end user to do that, but it is instead taken care of at a more systemic level. Mr. Towns. All right. Thank you very much. Mr. Chairman, very quickly. Mr. Schwartz, many consumers continue to download software infected with spyware so they can illegally trade music or movies. Do you think that most consumers know that they are putting at risk the operation of computers, which may cost $2,000, $3,000, or $4,000? What more can we do to educate the public about the dangers of spyware? Mr. Schwartz. In our testimony, we document some examples of how we could highlight better how people actually got the software down on their--down to their computer, that forcing some of the advertisers to start engaging in the best practice discussion, as Mr. Rubinstein said earlier, that we are starting to move toward a more--a better discussion of best practices for advertising I think will illuminate a lot of the issues in terms of peer-to-peer in particular. Representative Murphy raised the example of Gator or Gain, and that is exactly what we are--we mock up on the back of--Kazaa, which is a peer- to-peer program, now comes with Gain when you--when a consumer downloads it, they get Gain, which acts--which runs, actually, while the person is on the web, not while they are using the other program. So they might even know that it is advertising supported, but they wouldn't necessarily know what program it is or how it works. It is very confusing to consumers. So we are trying--we suggest trying--moving toward best practices of making them co-brand, so that when you go to remove the software, you know that it came because you had Kazaa. When you get the ad itself, you start seeing these pop-ups, you know that it came because you have this peer-to-peer software on your computer. Also, it shows--it should show up on the add/remove file. As you know, it does not, today, show--the products in Gain does not show up in the add/remove file. It makes it very difficult for consumers to be able to remove it. These are just common best practices that software should have to file, and that is exactly along the lines that we think--where we think we should be moving, as Mr. Rubinstein referred to earlier, toward best practices. Chairman Barton. I thank you, Mr. Schwartz. The gentleman from Georgia, Mr. Deal. Mr. Deal. Thank you, Mr. Chairman. And first of all, I would like to welcome my friend, Mr. Baker, to the panel today and for those of you who don't know, he was formally an elected public service commissioner of our State survey, I believe, in his former life, and we are pleased that he is here taking a position on a cutting-edge issue that affects all of us. I have been looking at the enforcement provisions of this bill, and I would like to ask you a couple of questions, anyone on the panel, quite frankly, as to whether or not the enforcement provisions we provide are adequate or whether or not we have the potential of doing some harm here. And let me highlight a few of the issues that I am concerned about. As I read the bill, the primary--the exclusive enforcement provision is through the FTC. And it only outlines civil penalties, financial or civil penalties. Are there potential criminal penalties associated with this activity under the referenced sections to the existing Federal Trade Communication Act? I don't think so since it goes ahead here and it says the exclusiveness of the remedies are those outlined here in this bill. So are we only talking about civil penalties, as you understand the proposed Act? Anybody? Mr. Rubinstein. Yes, Congressman, I believe that is correct. I would point out, though, that there may be criminal complaints that could be brought under the Computer Fraud and Abuse Act for at least some of the more egregious bad practices that would be viewed as computer abuses under that statute. Mr. Deal. Okay. I am concerned that we talk very much here about exclusiveness of remedies and we hinge it all to conduct defined in this Act and make it the exclusive remedy. Let me tell you another concern that I have, too, and that is the preemption clause of the statute. As Mr. Baker knows, our Governor has recently announced an aggressive State proposal to deal with spam through State statute. I believe he is proposing to make it a felony. He is mad about it, as you can tell. We are here preempting State laws. It is a little bit strangely worded to me, however. It talks about preemption of State law, and it says anything that is the prohibited conduct described in sections two and three. And then it goes, on the next page, to talk about that only an attorney general of the State may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act. Does that take local district attorneys at the State level out of the picture of enforcing anything that would relate to this? And if so, what is the venue? That really, to me, is a primary concern. If it is a criminal act, the venue is where the act is committed, not where the defendant is located, which is the venue for civil penalties. Would somebody expound on that area? Mr. Baker. If I may, Congressman, and thank you for your kind words. As to venue, I believe we have a situation where as long as any part of that transaction touches where the consumer is, the violator may or may not be in that same jurisdiction, but if the harm--where the harm is done is sufficient for venue. And to your earlier question as far as the exclusive remedy and enforcement and preemption issues, I would look, by analogy, to exactly the situation that you mentioned with spam where we had Federal legislation in the form of the Can Spam Act. And there were some preemption sections in that. However, that did not totally preempt State laws, either those that were already extent or, as in the case of Georgia, ones that are being introduced, so it is possible to still have Federal legislation without completely preempting--Federal legislation with a preemption clause, it still does not completely preempt State laws, which would complement it. And again, to give you an example of our own efforts in fighting spammers. Even before the introduction and passage of the Can Spam Act, EarthLink still sued spammers. We probably sued about 100 to date and have various counts in those complaints, whether that is Federal laws, like Computer Fraud and Abuse Act, or State laws, whether they are rather more recent laws that are specifically technology related or whether they are just long-standing common law notions of nuisance and trespass. So we have always had the ability and maintain the ability, whether it is a spammer or a purveyor of spyware, to go after them. But--so we view Federal legislation like this as a complement to those efforts and notwithstanding preemption clauses that may be in it or specific requirements for exclusivity of enforcement as pertains to that law. There are still other counts that an online provider could use in going after these folks or State attorney general or another entity. So---- Mr. Stearns [pesiding]. The gentleman's time has expired. Just a point of information, some of the most egregious acts, spyware acts, I think are covered under the Wire Fraud Act. So we already have existing statutes to cover that, and obviously with the bill we have, since our jurisdiction is the Federal Trade Commission, you know, we would not have an criminal penalties in it. The gentleman from Washington, Mr. Inslee. Mr. Inslee. Thank you. Ira, I wanted to thank you for Microsoft's effort, but this is a little off subject. I would also like to thank a fellow who works for Microsoft who made a contribution of $750 million to the International Vaccine Effort yesterday. We appreciate that effort, the whole Microsoft family. But I want to ask you about your Microsoft protection efforts. Could you just elaborate on what your experience has been on the new product that you have made available in a sense? You refer to it generally. How many people have accessed it? Has it worked? Have you had any difficulties? Are there ways around it? How are you doing with the international folks? Just if you can elaborate on it. Mr. Rubinstein. Thank you, Congressman Inslee. We acquired a company called Giant in late December, and we committed to release it as a--release their anti-spyware tool as a Microsoft product within a month, and we are very happy that we met that goal. And the figures I have are that in the last--in the first 2 weeks of January, at least, there have been more than 3 million downloads of the tool, so we are very pleased to see that positive feedback. We think that the tool has a number of interesting features beyond just detect and removal. As I pointed out before, it also has a real-time protection aspect to block spyware as it is downloaded. And it also creates, on an opt-in basis, something we call spynet, which allows consumers to report suspected spyware and then have that investigated on a priority basis and quickly added to the list of spyware programs that the tool detects. So we have taken the power of the Internet and turned it, you know, toward identifying more spyware and doing so very quickly. Our plans are to accept consumer feedback for several months to begin working on localization of the product and then to release it as a full-fledged product some time probably in the first half of this year. Mr. Inslee. Got you. A question for the whole panel. Talk to us about our international efforts from offshore folks. What is our best protection against that? What strategies should we be thinking about that are not in this bill? What are you doing about it? We are looking for brainstorming here. Mr. Schmidt. Thank you, Mr. Inslee, and it is good to see you again, sir. It is interesting, because that is very closely aligned to Mr. Deal's question relative to the States where you have, you know--what is not in anybody's best interest is 50 different statutes or 50 different sets of regulations relative to this. You compound that tremendously by going international. So currently under the G8 Subcommittee on Cybercrime, which the State Department and the Department of Justice have been gracious enough to invite many of us from private sector to participate in that, we are working on the international realm as well, trying to use that same framework that has been established in this bill to try and internationalize that. It is very, very challenging, because some people view this truly as criminal. Some of the countries we deal with don't even have any laws close to the cybercrime piece of it, let alone the civil penalties, the provisions that this Act provides. So we are working that. Also, in a private sector perspective, Microsoft, Yahoo, eBay, and AOL recently met in Asia with a number of the countries in Asia and signed a Memorandum of Understanding on working collectively on a proactive basis, as Mr. Rubinstein pointed out, to prevent these sort of things from happening. So there are a lot of efforts, but none of them have been put together in a fashion by week and say in 6 months, we are going to have a solution. But it is not being ignored, by any stretch of the imagination. Mr. Inslee. So if you look forward to the passage of this bill, does it just drive these folks from one country to another as we increase our international agreement, which I presume will start with G8, but I don't know how many countries there are, but there are a lot more than eight, is this--are they going to be one hopscotch ahead of us constantly until the world is under this bill we are going to pass or what do you think? Mr. Schmidt. Yeah, it is interesting. Mr. Deal was asking a question while I wrote a note to myself, and relating back to the old issue, we dealt with telemarketers. And actually, we were forming, sort of, safe harbors for them, because they were hiding under certain States under the provisions where they felt they could operate in exemption. And that is correct. And we are, indeed, worried about that aspect of it. And relative to the G8, by the way, even though it is the G8 Subcommittee, we have over 110 nations now that are a part-- participating in that proactively as well as some multilaterals as well. Mr. Schwartz. But one point to add on to that is that the Federal Trade Commission has really been moving, and they really recognize exactly this problem that you raise, that as we move into more of a network world, we are going to see-- start seeing the bad guys move offshore and move their businesses offshore and have--has started to try and build alliances and started--start to work on some of these issues. This committee dealt with it--this issue in the crossborder fraud legislation that came forward, that the FTC has been pushing forward. And there have been other efforts that the FTC has been working on. So I think this is a question that goes beyond just spyware. It is really a question of how are we going to do enforcement for the Internet generally. One thing to point out, though, is it is going to be very expensive to do the kind of forensic works you need--work you need to be able to track people across the world--around the world. Just giving more power to the FTC is not, alone, going to do it. Mr. Inslee. Ira, I think you made reference to you don't want to create a safe harbor that doesn't exist now. We always want to retain consumer choice here. Have we solved that problem or is there specific language you would suggest or---- Mr. Rubinstein. There is language in the Can Spam Act that goes in this direction. There is also a Good Samaritan provision in this Act that might be adjusted to deal with the issue that I identified. Mr. Inslee. Should we use the Can Spam language in this bill? Mr. Rubinstein. I think that would be appropriate. We have just begun to discuss that with staff, so we are in the early stages of addressing it. Mr. Inslee. Thank you. Thanks, folks. Mr. Stearns. I thank the gentleman. The gentleman from Arizona, Mr. Shadegg. Mr. Shadegg. Thank you, Mr. Chairman. I want to thank the full committee chairman for this hearing. I want to thank you for your interest in the topic, and I want to thank our witnesses. When this legislation appeared before this committee before, I made it clear that I view it as of deep concern. There are many different versions of spyware and probably far too many for me to begin to comprehend, maybe even too many for any of you to comprehend in terms of what all is out there. But I have at least one basic understanding of spyware, and that is keystroke recording, which takes me back all of the way to the days when we had wire tapping. I think the American people are deeply concerned about their privacy interests, and I think that if they understood that someone was wire tapping their phone, either at home or at work, they would be deeply upset. And I am not certain that when the average American hears the word ``spyware'' that they have an understanding that this is the electronic, or at least one aspect of spyware, is the electronic equivalent of wire tapping, where they record every stroke I hit on my computer. I want to--I think it is extremely important that we get beyond the internal Congressional disputes on this legislation and that we, in fact, pass something and that we pressure our friends in the Senate to pass something on this topic. I think it would be a serious failure if we don't do that. I recognize that the industry has reservations about what precisely should be done, and I am more than willing to listen carefully to those reservations and try to craft the language as carefully as we can. If, as was just suggested, there are other definitions that should be lifted from other draft legislation and placed in this bill, I would support that, but I think it will be inexcusable if this Congress fails to act in this area. I share Mr. Deal's concern about the issue of preemption. It seems to me if the American people understood that this is the equivalent of wire tapping and then understood that we were preempting a State's attorney general's office from going after the equivalent of wire tapping where someone was, essentially, gaining access to their personal computer and then recording everything they do on that computer, no matter what expectation of privacy they had, they would not be happy about that. The chairman of the committee indicated that there are other penalties. I guess I would like to ask you, Mr. Chairman, or counsel, if those penalties include criminal penalties that would go at keystroke recording so that we can get at--so that we are assured that there is, in fact, a criminal penalty for somebody who essentially wire taps through this mechanism. Mr. Stearns. The gentleman--I understand from staff it is currently a felony. Mr. Shadegg. Okay. Is that--if I might as the panel--the chairman--the members of the committee--or the panel, is that your understanding as well? Mr. Schwartz. Yes. Mr. Schmidt. That is correct, sir. Yes. Mr. Shadegg. And are those penalties currently being pursued by either U.S. law enforcement officials, U.S. attorneys and others across the country, or are there similar penalties at the State level? Mr. Schmidt. If I may speak from the perspective of a State local law enforcement from my days at Chandler Police Department, and of course Arizona was one of the early States that passed criminal statutes relative to a vast array of computer crimes. I called my son when I was preparing for the testimony. I said, ``Well, how many cases do you actually get at Tempe on people complaining about spyware?'' And he says he gets very few, because they don't understand. Mr. Shadegg. Right. They don't even know it is happening. Mr. Schmidt. That is correct. They call and they ask how to remove it, but not the provisions of how to prosecute someone. And I asked him, ``Well, if you were asked to do that, how-- would you be able to do so?'' And he said, ``Right now, there is just--the resource is not available for State and local law enforcement to be able to successfully do those in any numbers at all.'' Mr. Shadegg. I think it is important that we do that, because, as you know, a good part of criminal law enforcement is prophylactic. That is to say, you enforce the crime against somebody and you make an example out of them, and that discourages anybody else from engaging in that conduct. And so it seems to me that it is important that we act in that regard. And---- Mr. Schmidt. One quick comment, if I may, Congressman. It may be just a little side note to this. And I have been encouraging a number of law enforcement folks I have dealt with across the country, as part of their crime prevention efforts they do is they send out brochures on how to put burglar bars to protect yourself. Do something very similar to these sort of acts to help do the very preventative nature of it so we can reduce the number of activities that take place that need to be investigated and prosecuted. Mr. Shadegg. Now I think that is important and I think that far too many Americans are unaware of the fact that spyware can be essentially very criminal conduct that can invade their privacy in very specific ways and can be very serious, and in the business world, could, in fact, be financially ruinous. So I appreciate your testimony here today. I appreciate your support of this legislation. I look forward to working with you to ensure its passage. It seems to me we have failed last year. We dare not fail this year. With that, Mr. Chairman, I yield back. Mr. Stearns. I thank the gentleman for his good comments. The gentlelady from Wisconsin, Ms. Baldwin. Ms. Baldwin. Thank you, Mr. Chairman. Mr. Stearns. And I would just also welcome you to the committee, and we are delighted to have you. Ms. Baldwin. Well, it has been a delight, actually, to have this as our first hearing of the session, and I will take advantage of being a newcomer and ask some questions that perhaps I wouldn't get away with as a senior member of the committee. In this discussion, we do not have a representative of the Federal Trade Commission testifying today, and there has been some discussion, I think, Mr. Schwartz, in your testimony, you were talking about the fact that we have to dramatically increase investigations enforcement if law enforcement is going to serve as a deterrent. You discussed, also, in your testimony, the specific case that you brought before the FTC and pleasure that it was taken seriously and investigated and will lead to others. But the legislation before us will give the FTC more specific power. I would like to hear about the resources that go along with that. Are you seeing an increase in the investigations, the enforcement efforts that are going on at the FTC? Also, let me throw a second question out, and any of the panelists who feel comfortable answering it, can. We are talking about the State level. Have you seen promising investigations of enforcement at the State level at this point that can add to the dramatic increase that is going to be necessary for a sufficient deterrent? Mr. Schwartz. To follow-up on the FTC question, we--they don't tell us about ongoing investigations. They--it is against their rules to do that. So we don't know how many they have. They have told us that they are investigating cases, and certainly, when we have gone to brief them on certain things that we have been seeing, there have been more people in the room now than there were a year ago. So that--it seems as though that is a positive sign toward doing more--toward doing better enforcement. The issue, I think, of the complexity, though, of these kinds of cases really does go to your point in terms of needing more resources to be able to do something like this. Taking this on on our own, and when we did the Seismic case, it took us a great deal of time just to map out the different players and the--that were involved, and still of them we still don't know, to this day. It takes the FTC the ability to do the same kind of mapping and then go in and get discovery and find out all of the players involved and then go through all of their files and find out all of those players involved. It is quite an extensive process to do one of these--the forensics for one of these cases together. And I don't want that to be lost, because certainly raising the penalties does give them more power, but it doesn't serve as a deterrent if you can't use it. Mr. Schmidt. I would like to make two quick comments on that. For the FTC, particularly Commissioner Swindle has been a leader in this area, from FTC working, not only with the Congress as well as private sector, but also the OECD. But it is tantamount to drinking from a fire hose is what it boils down to, which is why a lot of the efforts we are doing, and we are hoping this bill helps, is become an incentive not to do these sort of behaviors so we can get it down to something that is manageable. The other thing relative to FTC, like any other law enforcement agency or any investigator or regulatory body, they just don't--will never have the resources, which is why they are oftentimes augmented by their counterparts in private sector. You know, the provisions of Title 182703, which gives us the ability to protect our networks, we can collect a lot of information and turn that over to FTC or turn it over to law enforcement, which they may have the challenges in doing so with the lack of resources. So we can actually become very good partners, and we have seen that happen on a regular basis. Mr. Rubinstein. I would just add, Congresswoman, that Microsoft, EarthLink, AOL all now have a long history of bringing hundreds of lawsuits in the spam arena, and I think we are all starting to gear up additional legal and investigatory resources to devote to some of these new threats, such as spyware and phishing. So we hope to bring more cases and to cooperate both at the Federal and the State level. Ms. Baldwin. Any comment about the State level enforcements or investigations that have been helpful in this? Mr. Schwartz. Well, there haven't really been that many State level enforcements. We have been contacted by a few attorney generals and a few State district attorneys as well on certain cases, but again, it is--cases are extremely complex, and we haven't been able to really map out those cases in the same way that we could in the Seismic case. I know that they have resources that they are putting toward it, but we haven't seen the fruits of the labor yet. Mr. Stearns. You are all finished? Complete. Okay. The gentleman from Pennsylvania. Mr. Murphy. Thank you, Mr. Chairman. I have a few questions I just want to ask in general and see if--who can answer these, but they are--some of the specifics have been raised today about the bill. Mr. Stearns. Okay. Mr. Murphy. For example, does this bill adequately require every download of information at the computer software to be an opt-in? Does it adequately--is the wording adequate for that? I will go a few more, and if you can't get it for me today, maybe you can get it to me eventually, or get it to the chairman. Does it--Mr. Schwartz, you mentioned the add/remove file. Does the wording in the bill adequately address that anything that is downloaded has to be visible and it can't be hidden for an add/remove file, and further that it be visible in search files or in program files when one gets into those areas? Do you know if the wording in the bill adequately addresses that? Mr. Schwartz. Well, this is some of the difficulty of doing this on a technology-specific basis. It is hard to know. I mean, this is exactly the--was my point earlier about the definitional issues. It is hard to know exactly how this is going to lay out, how the definition of software information collection programs are going to work themselves out in the regulatory process. So it is hard to know today to be able to say yes it adequately covers it or not. We would prefer to have--to cover this across technologies and say it is the collection of information, it is--and it is the transparency issue, as you have raised, that are important that consumers understand that their information is being used in that way, at least for the privacy aspects of this. Mr. Murphy. Well, that--and Mr. Chairman, maybe I can just state this in general and hopefully have these sent back to the committee from our experts. But other areas, too, and that is does it prevent some software from lying dormant and then sometimes reemerging to do this so that if one is even searching for files to find if anything has been downloaded that it really is visible at the time of downloads? Does it also prevent these things from attaching itself to e-mails, because that is oftentimes how things come on computers surreptitiously or cloaking itself as a legitimate website, as was brought up, too, and then a person thinks they are going to a legitimate link and then it turns out to not be or--and I guess all of these mechanisms, and more that we can't even anticipate yet, because as soon as you make something illegal, someone else will come up with a technique to make--to find another loophole there. But that is why--although we are looking for specifics to still come up with enough general ideas to prevent some of these from surreptitiously or illegally or at least without informed consent to have some of these, and I am hoping these are--this is information that the committee can, perhaps, get back to us in writing, back to the chairman. I would love to have that review. Thank you, Mr. Chairman. No further questions. Mr. Stearns. Well, thank you. I think what we can do, Mr. Strickland, you are next, and I think we have got a vote, but I think we have got sufficient time for you and then---- Mr. Strickland. One question and then a quick question. Mr. Stearns. Okay. Mr. Strickland. And I am sorry I wasn't here, but I had a meeting earlier for the testimony. Mr. Stearns. I understand. We all understand. Mr. Strickland. But I just wanted to ask you, do you think that this bill, as written, will deter innovation in e- commerce? Mr. Baker. No, I---- Mr. Strickland. Anyone can answer that. Yes, no, or if you want to elaborate. Mr. Baker. Let me--that is clearly not the intent of the bill, and I don't think it will. What we need to do with this bill, or any legislation, is go after the bad actors, and I think this bill does a good job of doing that. I mean, clearly, it is not meant to apply to the operating system, the Microsoft operating system that comes preloaded on the computer or the EarthLink software that allows an online user to connect to the Internet. Mr. Strickland. I understand. And you know, sometimes we pass well-intentioned legislation, and then we find out later it has adverse consequences, and I was just--you know, thank you for your opinion. I don't challenge your conclusion. I just wanted to ask the question to see what it was that you thought in terms of this particular matter. So thank you, sir. Thank you. Mr. Rubinstein. If I may supplement that answer, Congressman. I think the section two, which focuses on bad practices, will not have that impact. But section three, where there is some very crucial definitions that try to balance the types of scenarios where information needs to be exchanged in the background, because it is just the way the Internet works, those are very important provisions. In particular, we don't want, in the name of going after spyware actors, to have a transformation of the user experience so that when you go to a website you just get bombarded with consent dialogs: ``Is it okay to do this?'' ``Is it okay to do this?'' ``Is it okay to do this?'' And as long as we maintain that balance between requiring notice and consent in certain cases but accepting it in sort of the ordinary use of cookies, just for shopping carts, for identifying customers, et cetera, then I don't think it will have any adverse consequences. Mr. Schmidt. In short, Congressman, it is unlikely that it is going to have a bad effect, but we want to make sure, and to Mr. Murphy's question about the definitions of some of these things, a lot of the things we are working on, for example, I am not here on behalf of eBay, but I know eBay is--we have launched an account guard, which automatically does sort of the delineation between good sites and bad sites to protect consumers very proactively that requires that download and in the early version of this, it would have inhibited our ability to do something like that. So we want to make sure that we continue to make sure there is a clear demarcation between the bad actions and the things that are a benefit to the consumers. Thank you. Mr. Schwartz. I basically agree with everything that has been said here, but I would also like to point back to Mr. Rubinstein's comments earlier that were not part of my testimony, but I agree with the idea that we need to be careful about the anti-spyware tools and making sure that we are not limiting the ability for anti-spyware tools to gain the consent of consumers to be able to do this so that they can continue to innovate, too. That is an extremely important key to make--to this effort to stop spyware is going to be the technologies. Mr. Strickland. Thank you, Mr. Chairman. Chairman Barton. Thank you, Mr. Strickland. We have a series of votes on. There are no other members present, and I am told on the Minority side that there are no members wishing to come back and ask questions, so I am going to conclude the hearing. I want to thank you gentlemen. I will make an announcement before we formally adjourn. We are going to take the comments on the bill, as introduced. The deadline is, I think, close of business today. It is not a mistake that the--in the last Congress this bill was H.R. 2929 and in this Congress it is H.R. 29. I think that shows you how the priority has shifted. We expect to be ready to move this bill very quickly, probably, within the next 2 to 3 weeks. If the comments come in as favorable as our verbal comments have been, we are aware of a few minor issues that we agree need to be clarified, but because of jurisdictional reasons, I don't think we are going to do that at the committee. We will probably do that on the floor or in conference when we go to conference with the Senate. So this is on the fast track, and we will hope to be marking this bill up in the very near future. And gentlemen, I wish to thank you and all of you--the interest groups that you represent for your attendance and your support for this bill. This hearing is adjourned. [Whereupon, at 12:07 p.m., the committee was adjourned.] [Additional material submitted for the record follows:] Prepared Statement of Webroot Software, Inc. experts at combating spyware Webroot Software, Inc. appreciates the opportunity to provide written comments in conjunction with the Committee's hearing on H.R. 29, the Spy Act. Webroot, a privately held company based in Boulder, Colorado, was founded in 1997 to provide computer users with privacy, protection and peace of mind. Today, Webroot provides innovative products and services for millions of users around the world, ranging from enterprises, Internet service providers, government agencies and higher education institutions, to small businesses and individuals. Webroot, maker of the award-winning Spy Sweeper, is the industry leader at combating spyware. Earlier this month, Webroot introduced the anti-spyware industry's first automated spyware research system. The new system, called Phileas, uses ``bots'' to continuously comb the Web, uncovering spyware, adware and other types of potentially unwanted software that are deeply embedded on web sites. One hour of automated research is the equivalent of approximately 80 hours of manual research. The bots visit millions of sites per day, identifying and archiving the HTML sources and URLs in Webroot's spyware definition database--the largest and most accurate catalog of spyware definitions. New definition updates are then developed by the Webroot Threat Research Team and distributed to Webroot customers, before their systems are infected by these programs. In the first production use of the system, it identified more than 20,000 sites used to deploy spyware through drive-by downloads, as well as several new spyware variants. By February 2005, Webroot will deploy more than 100 bots online to track all forms of spyware and adware, with each bot visiting as many as 10 URLs per second, collectively visiting over 80 million URLs per day. THE PROBLEM GROWS LARGER EVERYDAY These technological advances are vital to combating spyware, as the problem grows larger everyday. Since the committee first began work on spyware legislation in Spring 2004, the incidents of spyware have mushroomed. Seven years ago, Webroot's detection list included about 200 pieces of spyware. By March 2003, the detection database included 700 pieces of spyware. Today, Webroot's database lists over 2,000 pieces of spyware, reflected in over 50,000 traces, and this number continues to rise rapidly. Most weeks, Webroot is finding over 250 new spyware programs, although only a minority of these are brand new, while the others are older versions with subtle changes made as an attempt to avoid detection. During 2004, Earthlink and Webroot collaborated to offer a free SpyAudit to Earthlink subscribers. From January 1, 2004 to September 27, 2004, more than three million scans were performed. The scans discovered approximately 83.4 million instances of spyware, for an average of 26 traces of spyware per SpyAudit scan. We will send the committee a copy of the 2004 year-end report once it is completed over the next week. Industry analyst organizations like IDC are reporting similar findings. IDC's December 2004 report, ``Worldwide Spyware 2004-2008 Forecast and analysis: Security and System Management Sharing Nightmares,'' includes these findings: IDC estimates that 67 percent of all computers have some form of spyware, and in most cases, there are multiple spyware programs, even hundreds. The impacts of spyware go beyond annoying pop-ups and can be a serious drain on help desks and system management resources. The report estimates that in 2003 one or two out of every 100 support calls made by consumers concerned spyware. At the end of 2004, the estimate increased to two out of every five. Spyware is often a revenue source for legitimate corporations. While the Committee has done an excellent job over the past year of articulating the many risks spyware and adware pose to individual computer users, little attention to date has been paid to the even more serious threat these malicious and unwanted programs can pose to larger organizations. When we consider the kinds of trade secrets, confidential government information, personnel and other sensitive data that can reside on computers used by corporations, government agencies and organizations, the economic costs and security risks associated with spyware are exponentially greater. In the same IDC study mentioned above, they surveyed over 600 organizations, and found that spyware was the fourth greatest threat to a company's enterprise network security. A survey of more than 275 IT managers and executives across the U.S. commissioned by Webroot in September, 2004 found some alarming results: Nearly 82 percent reported their desktops are currently infected with spyware, with more than a third noticing an increase in spyware infections in the previous six months. More than 70 percent of corporations expressed an increased concern with spyware. However, less than 10 percent of businesses have implemented commercially available anti-spyware software. Between October 7, 2004 and January 1, 2005, Webroot's free and voluntary Corporate SpyAudit scanned more than 23,000 systems across more than 5,100 companies, and discovered an average of 17 pieces of spyware per corporate desktop computer. A recent InformationWeek story entitled, ``Another Fight to Wage,'' provides further evidence of these trends. The story, just published on January 17, 2005, reports the results from a survey of 400 business- technology professionals recently completed by its research department: Nearly 80 percent of respondents said their organizations have been infiltrated in the last 12 months by spyware. Over 70 percent will spend somewhat or significantly more money to manage spyware. Sixty percent will spend somewhat or significantly more money to manage adware. THE ROLE OF GOVERNMENT Webroot applauds the work of the Committee, your Senate counterparts and the Federal Trade Commission in publicizing the problems associated with spyware and other programs loaded on users' computers without their knowledge or informed consent. We realize this committee, in particular, has spent countless hours trying to develop legislative language that will help offer consumers a higher level of protection and motivate regulatory enforcement actions against spyware purveyors. The unfortunate reality is that there is no way to eradicate spyware through regulatory or enforcement means. The Internet is global, which makes establishing and enforcing legal standards very difficult. Just as large a challenge in this endeavor is the strong economic motivation that underlies the propagation of spyware and adware type programs, which is unlikely to be substantially diminished. As a further disincentive, we believe the bill should include criminal penalties, and we support the lack of a monetary cap in the enforcement section. Given the growing prevalence of the problem, we support the legislation as a clear statement that these acts are covered under the law. In particular, many attempt to argue that arcane statements in small print buried at the end of lengthy end user license agreements constitute the notice and consent of the user. This is clearly not the case. Our number one priority is to advocate for our customers and to empower users with information they can use to make educated decisions about what enters their computers (and thus, their homes, companies and lives.) To address this current problem, the bill sends a clear signal and sets a standard that deceptive practices cannot be used and that users must knowingly ``opt-in'' before software is loaded onto their computers. Along with these more stringent guidelines, increased awareness and public education about spyware is essential to effectively deal with the problem. The ``Good Samaritan'' provision that is included is very important to help assure that companies like Webroot continue to exist and provide users with tools to find what is on their machines, and a means to remove things that users determine they do not want. We also support the preemption provision of the bill. It is important that the law related to these practices be consistent throughout the U.S. There are a few places where we are concerned that the bill language might not adequately cover the current practices we see. We would be happy to share results of our ongoing research efforts with the committee, to ensure that you have the most current information about the technology being used to invade computers, track users' activities without their knowledge, and undermine system security and personal privacy. It is clearly going to take a combination of technology, public education, sound public policy and strong enforcement to address this problem. We are poised to offer any assistance the committee needs as you continue to work on this issue. [GRAPHIC] [TIFF OMITTED] T9899.004 [GRAPHIC] [TIFF OMITTED] T9899.005 [GRAPHIC] [TIFF OMITTED] T9899.006 [GRAPHIC] [TIFF OMITTED] T9899.007 [GRAPHIC] [TIFF OMITTED] T9899.008 [GRAPHIC] [TIFF OMITTED] T9899.009 [GRAPHIC] [TIFF OMITTED] T9899.010 [GRAPHIC] [TIFF OMITTED] T9899.011 [GRAPHIC] [TIFF OMITTED] T9899.012 [GRAPHIC] [TIFF OMITTED] T9899.013 [GRAPHIC] [TIFF OMITTED] T9899.014 [GRAPHIC] [TIFF OMITTED] T9899.015 [GRAPHIC] [TIFF OMITTED] T9899.016 [GRAPHIC] [TIFF OMITTED] T9899.017 [GRAPHIC] [TIFF OMITTED] T9899.018 <all>