on Commerce, Trade, and Consumer Protection
November 19, 2003
2123 Rayburn House Office Building
Mr. Roger Thompson
Vice President of Product Development
1650 Emerald Ridge
Marietta, GA, 30062
Spyware is silent. It's invisible to the consumer. It allows criminals
to steal from them. It arrives uninvited and unwanted. It has not
received the attention needed to warn the unsuspecting of these
dangers to their personal and confidential information. And, perhaps
worst of all, spyware and similar malware problems rob consumers
of the confidence needed to make commerce over the Internet inviting,
safe and successful.
Every day, we hear horror stories from our customers that illustrate
the very real and personal losses caused by the spyware problem.
Listen for a moment to
- Wanda Gilman is a church secretary from Saginaw, Michigan.
Like most people, she has received warnings from her anti-virus
software about virus attacks, and she thought she was pretty
much protected on that front. Unfortunately, it became abundantly
clear to Wanda that she needed something more than her anti-virus
after she experienced not one but two incidences of identity
theft. While neither incident involved more than $1000, it was
an uncomfortable feeling for her to have her identity hijacked,
and a long and complicated recovery each time around.
- Michelle Scalero from New Jersey has a home computer that her
family shares for online banking and purchasing, as well as enjoying
what the web has to offer them and their young children. They
were extremely alarmed when they found their PC flooded with
explicit teen porn pop-ups caused by a trojan horse program that
had been delivered by a piece of spyware they had unknowingly
downloaded onto their computer.
- Barbara Wolski bought a brand new computer that was supposed
to be very fast (2.6 GHz), which included a special feature called
hyperthread technology to make the processing speed even faster.
While her old computer was only 1.2 GHz, it ran faster than the
new one. Barbara ran our anti-spyware software on the new machine
and found over 5000 pieces of spyware factory-installed on the
new machine, all busy "phoning home" information about
her - causing the massive slow-down.
None of this needed to happen. And we hear thousands of similarly
sad stories all the time. Our customers reported a record number
of such incidents this year - more than 60,000 as of the end of
last month - and the complaints keep
Here are some numbers to think about as we discuss protecting
- 24 billion dollars. that's estimated identity theft losses
in the US from identity theft last year.
- 73 billion dollars. that's estimated losses from identity theft
projected domestically by the end of this year.
- 9,800 dollars . that's the estimated average "take" from
each identity robbery.
These numbers come from the Aberdeen Group, an industry analyst
calls identity theft "the crime that pays." Aberdeen also warns that
the profits from these crimes are so encouraging that the organized crime is
becoming a factor.
You may have heard that last week was a dubious anniversary. it's
been 20 years since the first virus was created. Through much of
my career, I have watched the damage that computer intruders can
cause - to every PC user from children at home to senior corporate
My computing career began in Australia (perhaps you recognize
the accent) in 1979, where I worked as a mainframe systems engineer.
I co-founded the first Australian anti-virus software company,
Leprechaun Software, and launched the Virus Buster product back
in 1987. After moving to the United States, I started Thompson
Network Software, which produced The Doctor range of systems management
and security products.
When I became Director of Malware Research at TruSecure Corporation,
I was able to focus more closely on the way that different kinds
of malware were developing, and the sheer size of the problem was
really brought home to me. And now, at my current company, I am
working with malware's fastest-growing and most insidious incarnation
yet - spyware.
The anti-spyware industry is still in its infancy, but it's proven
to me every day from the prevalence data collected by my company
that this type of secretive, invasive software is a huge problem
for computer users.
Before we can address possible solutions to the problem, however,
we need to define what the spyware problem actually is. For me,
spyware is any software that is intended to aid an unauthorized
person or entity in causing a computer, without the knowledge of
the computer's user or owner, to divulge private
The industry has begun to make consumers more aware of this threat
by banding together. To begin educating the public on spyware and
its dangers, we recently co-founded, along with several other anti-spyware
software companies, the Consortium Of Anti-Spyware Technology (COAST)
group. This non-profit organization is a forum in which members
cooperate to increase awareness of the growing spyware problem.
We've reached agreement on the definition of spyware, which helps
us technology vendors create products that address consumers'
The dangers of spyware are not always known and are almost never
obvious. Usually, you know when you have a virus or worm - these
problems are "in
your face". Spyware, on the other hand, silently installs itself on a PC,
where it might start to take any number of different and unwanted actions. For
- "Phone home" information about you, your computer
and your surfing habits to a third party to use to spam you or
push pop-up ads to your screen ·
- Open up your computer to a remote attacker using a RAT (Remote
Access Trojan) to remotely control your computer ·
- Capture every keystroke you type - private or confidential
emails, passwords, bank account information - and report it back
to a thief or blackmailer
- Allow your computer to be hijacked and used to attack a third
party's computers in a denial-of-service attack that can cost
companies millions and make you liable for damages
- Probe your system for vulnerabilities that can enable a hacker
to steal files or otherwise exploit your system.
If that doesn't make the computer users on the subcommittee nervous,
that the holiday online commerce season has already arrived.
During the holiday shopping season, with more and more people
shopping online, the potential for identity theft is much greater
- shoppers are stressed and distracted, and may not take their
usual care in protecting themselves from
No one would allow a silent and hidden burglar into his or her
home without a fight. As you saw with the real-world experiences
I described earlier, spyware has the potential to ruin someone's
Christmas. Like having your wallet stolen, life becomes a bureaucratic
nightmare of new identity cards and credit cards. And, ultimately,
how do you retrieve your privacy from an unknown and uncaring prowler
or corporation using the Internet as a hunting ground?
The anti-virus companies were often accused of hyping gloom and
doom to help increase their own sales and profits - that was long
ago proven to be unfounded. Today, the billions of dollars lost
- in identity theft, transaction hijacking, sensitive information
- are compounded by the huge losses to credit card companies that
must reissue cards whenever any account has been compromised or
even suspected of being compromised. The growing threat is no exaggeration.
I think everyone on this panel would agree that a huge portion
of damages and tangential damages caused by spyware and malware
goes unreported and is unknown.
Something must be done to protect the Wanda Gilmans's, Michelle
Scaleros's and Barbara Wolskis's, who only want to conduct their
online activities and purchases with the peace of mind of knowing
they can do so safely. H.R. 2929, the Safeguards Against Privacy
Invasions Act, is powerful step in this direction. In person, consumers
have the choice not to answer address, phone and email address
questions when they go shopping. Why shouldn't on-line shoppers
have the same choice to say no to spyware?
As a representative of my company and as a person who has devoted
my working life to malware eradication, I urge you to pass the
Roger Thompson VP, Product Development PestPatrol, Inc
PestPatrol, Inc. is a Carlisle, PA based developer of security
tools founded in May 2000 by a team of security software professionals
to counter the growing threat of malicious non-viral software.
The company's founders, Robert C. Bales and Dr. David Stang, were
the original founders of the National Computer Security Association
(NCSA), later the ICSA and now TruSecure Corporation. PestPatrol
was recently ranked the number 1 anti-spyware software by the German
magazine PC Professionell. The company was the recipient of the
NetworkWorld Category Breaker Award in 2002 for innovative security
technology, and in March 2003, the Technology Council of Central
Pennsylvania named PestPatrol Growth Company of the Year. Further
details about the company may be found at