Mr. J. Howard Beales III
Bureau of Consumer Protection
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, DC, 20580
Spyware: What You
Don't Know Can Hurt You
Subcommittee on Commerce, Trade, and Consumer Protection
April 29, 2004
Mr. Chairman and members of the Committee, the Federal Trade Commission
("Commission" or "FTC") appreciates this opportunity
to provide the Commission's
views on "spyware."
The FTC has a broad mandate to prevent unfair competition and
deceptive acts or practices in the marketplace. Section 5 of the Federal
Trade Commission Act gives the agency the authority to challenge acts and practices
in or affecting commerce that are unfair or deceptive. The
Commission's law enforcement activities against unfair or deceptive acts and
practices are generally designed to promote informed consumer choice. This
statement will discuss the FTC's activities related to spyware, including our
recent workshop and potential law enforcement actions.
FTC Spyware Workshop
For nearly a decade, the FTC has addressed online privacy and
affecting consumers. Through a series of workshops and hearings, the Commission
has sought to understand the online marketplace and its information practices,
to assess the impact of these practices on consumers, and to challenge industry
leaders to develop and implement meaningful self-regulatory
The most recent example of this approach is the workshop entitled "Monitoring
Software on Your PC: Spyware, Adware, and Other Software" that
last week. The workshop was designed to provide us with information about
the nature and extent of problems related to spyware, and possible responses
those problems. Specifically, the workshop focused on four main topics: (1)
defining "spyware" and exploring how it is distributed (including the
role of peer-to-peer file-sharing software and whether spyware may differ
from "adware"); (2) examining spyware's general effects on consumers
and competition; (3) exploring spyware's potential security and privacy risks;
and (4) identifying technological solutions, industry initiatives, and governmental
responses (including consumer education) related to spyware. Underscoring
the importance of this issue both FTC Commissioners Orson Swindle and Mozelle
Thompson personally participated in the workshop.
To encourage broad-based participation, the FTC issued a Federal
Notice announcing the workshop and requesting public comment. The
Commission received approximately 200 comments, and the record will remain open
until May 21, 2004, for submission of additional comments. At the workshop,
a wide range of panelists engaged in a spirited debate concerning spyware, including
what government, industry, and consumers ought to do to respond to the risks
associated with spyware.
Although the agency is continuing to receive information on this
important issue, the record at the workshop leads to some preliminary
conclusions. First, perhaps the most challenging task is
to carefully and clearly define the
issue. "spyware" is an elastic and vague term that has been used
to describe a wide range of software. Some
definitions of spyware could be so broad that they cover software that is beneficial
or benign; software that is beneficial but misused; or software that is just
poorly written or has inefficient code. Indeed, there continues to be considerable
debate regarding whether "adware" should be considered
spyware. Given the risks of defining spyware too broadly, some panelists
at our workshop argued that the more prudent course is to focus on the harms
caused by misuse or abuse of software rather than on the definition of spyware.
Panelists described a number of harms caused by spyware. These
include invasions of privacy, security risks, and functionality
problems for consumers. For example, spyware may harvest
personally identifiable information from consumers through monitoring
computer use without consent. Spyware also may facilitate
identity theft by surreptitiously planting a keystroke logger on
a consumer's personal computer. It may create security risks
if it exposes
communication channels to hackers. Spyware also may adversely affect the
operation of personal computers, including slowing processing time and causing
crashes, browser hijacking, home page resetting, installing dialers, and the
like. These harms are problems in themselves, and could lead to a loss
consumer confidence in the Internet as a medium of communication and commerce.
Many of the panelists discussed how spyware may cause problems
businesses. Companies may incur costs as they seek to block and remove
spyware from the computers of their employees. Employees will be less productive
if spyware causes their computers to crash or they are distracted from their
tasks by a barrage of pop-up ads. Spyware that captures the keystrokes
of employees could be used to obtain trade secrets and other confidential information
from businesses. In addition, representatives from companies such as ISPs,
PC manufacturers, anti-virus providers, and an operating system manufacturer
indicated that they spend substantial resources responding to customer inquiries
when PCs or Internet browsers do not work as expected due to the presence of
spyware. As such, these companies also may suffer injury to their reputations
and lose good will.
Because of the relatively recent emergence of spyware, there has
been little empirical data regarding the prevalence and magnitude
of these problems for
consumers and businesses. Given how broadly spyware can be distributed
and the severity of some of its potential risks, government, industry, and consumers
should treat the threats to privacy, security, and functionality posed by spyware
as real and significant problems.
At the workshop, we heard that substantial efforts are currently
address spyware. Industry is deploying new technologies as well as distributing
educational materials to assist consumers in addressing the problems associated
with spyware. Similarly, at the workshop, industries involved with the
dissemination of software reported that they are developing
Consumers and businesses are becoming more aware of the capabilities
of spyware, and they are responding by installing anti-spyware
products and taking
other measures to minimize these risks. Government and industry-sponsored
education programs, and industry self-regulation, could be instrumental in making
users more aware of the risks of spyware, thereby assisting them in taking actions
to protect themselves (such as running anti-spyware programs).
FTC Law Enforcement
As the nation's primary consumer protection agency, the Commission
also has a law enforcement role to play in connection with unfair
or deceptive acts or practices involved in the distribution or
use of spyware. At
the workshop, FTC and DOJ staff members noted that many of the
more egregious spyware practices described at the workshop may
be subject to attack under existing Federal and State laws, and
the workshop concluded with a request that industry and consumer
groups notify the FTC staff of problematic practices.
The Commission is conducting non-public investigations related
dissemination of spyware. As discussed at the workshop, however, investigating
and prosecuting acts and practices related to spyware, particularly the more
pernicious programs, pose substantial law enforcement
challenges. Given the surreptitious nature of spyware, it often is difficult
to ascertain from whom, from where, and how such products are
disseminated. Consumer complaints, for instance, are less likely to lead
directly to targets than in other law enforcement investigations, because consumers
often do not know that spyware has caused the problems or, even if they do, they
may not know the source of the spyware. Indeed,
computer manufacturers stated at our workshop that they believe an increasing
number of service calls are spyware-related and spyware-related issues are difficult
to diagnose. Similarly, search engine providers testified that consumers
complain to them, not realizing that the spyware (not the search engine) is causing
their dissatisfaction with their search engine.
The Commission has long been active in challenging unfair or deceptive
acts or practices on the Internet, and spyware cases are not fundamentally
different. Over the course of nearly a decade, we have brought
approximately 300 cases challenging Internet practices involving
substantial consumer harms, including harms similar to those posed
by some examples of spyware.
Most recently, in D Squared Solutions, LLC, the defendants allegedly
exploited an operating system feature to harm consumers. The
operating system uses "Messenger Service" windows to allow network
administrators to provide instant information to network users, for example,
a message to let users know that a print job has been completed. The
defendants in D Squared exploited this feature to send Messenger Service pop-up
ads to consumers, advertising software that supposedly would block such ads in
the future. Consumers would receive these pop-up ads as often as every
minutes. The Commission filed a complaint in federal court alleging that
the defendants unfairly interfered with consumers' use of their computers and
tried to coerce consumers into buying software to block pop-up ads.
The Commission brought several cases challenging the surreptitious
distribution of dialer programs. A paper submitted at the
workshop by the
Computer Software Working Group identified
surreptitious downloads as an example of one of the problematic practices of
some spyware programs. Past Commission actions have attacked similar programs
that secretly disconnect consumers from their Internet Service Providers, reconnect
them to another network, and charge them exorbitant fees for long distance telephone
service or entertainment services delivered over the
telephone line. We
also have challenged the practice of "pagejacking" consumers and
then "mousetrapping" them at pornographic web sites. These
cases demonstrate that the Commission has the authority under Section 5 of the
FTC Act to take action to prevent harms to consumers similar to those that spyware
Spyware appears to be a new and rapidly growing practice that
poses a risk of
serious harm to consumers. The Commission is learning more about this practice,
so that government responses to spyware will be focused and effective. We
are continuing to pursue law enforcement investigations. The FTC thanks
this Committee for focusing attention on this important issue, and for giving
an opportunity to present the preliminary results from our workshop. We
look forward to further discussions with the Subcommittee on this issue.
written statement presents the views of the Federal Trade Commission. Oral
statements and responses to questions reflect the views of the
speaker and do not necessarily reflect the views of the Commission
or any other
U.S.C. ' 45.
e.g., Workshop: Technologies for Protecting Personal Information,
The Consumer Experience (May 14, 2003); Workshop: Technologies
for Protecting Personal Information, The Business Experience (June
4, 2003); Consumer
Information Security Workshop (May 20, 2002).
Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/040217spywareworkshopfrn.pdf>
the purposes of the workshop, the FTC Staff tentatively described
spyware as "software that aids in gathering information about
a person or organization without their knowledge and which may
send such information to another entity without the consumer's
consent, or asserts control over a computer without the consumer's
knowledge." 69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/040217spywareworkshopfrn.pdf>
at the workshop noted that consumers need to be very careful to
obtain anti-spyware programs from legitimate providers because
anti-spyware programs in fact disseminate spyware.
Commission will find deception if there is a material representation,
omission, or practice that is likely to mislead consumers acting
the circumstances, to their detriment. See Federal Trade Commission, Deception
Policy Statement, appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984)
("Deception Statement"). An act or practice is "unfair" if
it causes or is likely to cause substantial injury to consumers, that injury
is not outweighed by any countervailing benefits to consumers and competition,
and consumers could not have reasonably avoided the injury. 15 U.S.C. '
the source of spyware is especially difficult when consumers were
not even aware that the spyware had been installed.
v. D Squared Solutions, LLC, No. 03-CV-3108 (D. Md. 2003). The
currently in litigation.
Consumer Software Working Group is comprised of public interest
groups, software companies, Internet Service Providers, hardware
others. Available at <http://www.cdt.org/privacy/spyware/20040419cswg.pdf>.
e.g., FTC v. Alyon Technologies, Inc., No. 1:03‑CV‑1297
(N.D. Ga. 2003); FTC v. BTV Indus., No. CV-S-02-0437-LRH-PAL (D.
Nev. 2003); FTC v.
Anderson, No. C00‑1843P (W.D. Wash. 2000); FTC v. RJB Telcom, Inc., No.
002017 PHX EHC (D. Az. 2000); FTC v. Sheinkin, No. 2‑00‑3636 18 (D.S.C.
2000); FTC v. Verity Int'l, Ltd., No. 00 Civ. 7422 (LAK) (S.D.N.Y. 2000); FTC
v. Audiotex Connection, Inc., No. CV-97-00726 (E.D.N.Y. 1997); see also Beylen
Telecom, Ltd., FTC Docket No. C‑3782 (final consent Jan. 23, 1998).
e.g., FTC v. Zuccarini, No. 01-CV-4854 (E.D. Pa. 2002); FTC v.
Pereira d/b/a atariz.com, No. 99‑1367‑A (E.D.N.Y. 1999).