 |
Witness Testimony The Honorable Mozelle W. Thompson Spyware: What You
Don't Know Can Hurt You
Mr. Chairman and members of the Committee, the Federal Trade Commission ("Commission" or "FTC") appreciates this opportunity to provide the Commission's views on "spyware."[1] The FTC has a broad mandate to prevent unfair competition and unfair or deceptive acts or practices in the marketplace. Section 5 of the Federal Trade Commission Act gives the agency the authority to challenge acts and practices in or affecting commerce that are unfair or deceptive.[2] The Commission's law enforcement activities against unfair or deceptive acts and practices are generally designed to promote informed consumer choice. This statement will discuss the FTC's activities related to spyware, including our recent workshop and potential law enforcement actions. FTC Spyware Workshop For nearly a decade, the FTC has addressed online privacy and security issues affecting consumers. Through a series of workshops and hearings, the Commission has sought to understand the online marketplace and its information practices, to assess the impact of these practices on consumers, and to challenge industry leaders to develop and implement meaningful self-regulatory programs.[3] The most recent example of this approach is the workshop entitled "Monitoring Software on Your PC: Spyware, Adware, and Other Software" that was held last week. The workshop was designed to provide us with information about the nature and extent of problems related to spyware, and possible responses to those problems. Specifically, the workshop focused on four main topics: (1) defining "spyware" and exploring how it is distributed (including the role of peer-to-peer file-sharing software and whether spyware may differ from "adware"); (2) examining spyware's general effects on consumers and competition; (3) exploring spyware's potential security and privacy risks; and (4) identifying technological solutions, industry initiatives, and governmental responses (including consumer education) related to spyware. Underscoring the importance of this issue both FTC Commissioners Orson Swindle and Mozelle Thompson personally participated in the workshop. To encourage broad-based participation, the FTC issued a Federal Register Notice announcing the workshop and requesting public comment.[4] The Commission received approximately 200 comments, and the record will remain open until May 21, 2004, for submission of additional comments. At the workshop, a wide range of panelists engaged in a spirited debate concerning spyware, including what government, industry, and consumers ought to do to respond to the risks associated with spyware. Although the agency is continuing to receive information on this important issue, the record at the workshop leads to some preliminary conclusions. First, perhaps the most challenging task is to carefully and clearly define the issue. "spyware" is an elastic and vague term that has been used to describe a wide range of software.[5] Some definitions of spyware could be so broad that they cover software that is beneficial or benign; software that is beneficial but misused; or software that is just poorly written or has inefficient code. Indeed, there continues to be considerable debate regarding whether "adware" should be considered spyware. Given the risks of defining spyware too broadly, some panelists at our workshop argued that the more prudent course is to focus on the harms caused by misuse or abuse of software rather than on the definition of spyware. Panelists described a number of harms caused by spyware. These include invasions of privacy, security risks, and functionality problems for consumers. For example, spyware may harvest personally identifiable information from consumers through monitoring computer use without consent. Spyware also may facilitate identity theft by surreptitiously planting a keystroke logger on a consumer's personal computer. It may create security risks if it exposes communication channels to hackers. Spyware also may adversely affect the operation of personal computers, including slowing processing time and causing crashes, browser hijacking, home page resetting, installing dialers, and the like. These harms are problems in themselves, and could lead to a loss in consumer confidence in the Internet as a medium of communication and commerce. Many of the panelists discussed how spyware may cause problems for businesses. Companies may incur costs as they seek to block and remove spyware from the computers of their employees. Employees will be less productive if spyware causes their computers to crash or they are distracted from their tasks by a barrage of pop-up ads. Spyware that captures the keystrokes of employees could be used to obtain trade secrets and other confidential information from businesses. In addition, representatives from companies such as ISPs, PC manufacturers, anti-virus providers, and an operating system manufacturer indicated that they spend substantial resources responding to customer inquiries when PCs or Internet browsers do not work as expected due to the presence of spyware. As such, these companies also may suffer injury to their reputations and lose good will. Because of the relatively recent emergence of spyware, there has been little empirical data regarding the prevalence and magnitude of these problems for consumers and businesses. Given how broadly spyware can be distributed and the severity of some of its potential risks, government, industry, and consumers should treat the threats to privacy, security, and functionality posed by spyware as real and significant problems. At the workshop, we heard that substantial efforts are currently underway to address spyware. Industry is deploying new technologies as well as distributing educational materials to assist consumers in addressing the problems associated with spyware. Similarly, at the workshop, industries involved with the dissemination of software reported that they are developing best practices. Consumers and businesses are becoming more aware of the capabilities of spyware, and they are responding by installing anti-spyware products and taking other measures to minimize these risks. Government and industry-sponsored education programs, and industry self-regulation, could be instrumental in making users more aware of the risks of spyware, thereby assisting them in taking actions to protect themselves (such as running anti-spyware programs).[6] FTC Law Enforcement As the nation's primary consumer protection agency, the Commission also has a law enforcement role to play in connection with unfair or deceptive acts or practices involved in the distribution or use of spyware.[7] At the workshop, FTC and DOJ staff members noted that many of the more egregious spyware practices described at the workshop may be subject to attack under existing Federal and State laws, and the workshop concluded with a request that industry and consumer groups notify the FTC staff of problematic practices. The Commission is conducting non-public investigations related to the dissemination of spyware. As discussed at the workshop, however, investigating and prosecuting acts and practices related to spyware, particularly the more pernicious programs, pose substantial law enforcement challenges. Given the surreptitious nature of spyware, it often is difficult to ascertain from whom, from where, and how such products are disseminated. Consumer complaints, for instance, are less likely to lead directly to targets than in other law enforcement investigations, because consumers often do not know that spyware has caused the problems or, even if they do, they may not know the source of the spyware.[8] Indeed, computer manufacturers stated at our workshop that they believe an increasing number of service calls are spyware-related and spyware-related issues are difficult to diagnose. Similarly, search engine providers testified that consumers complain to them, not realizing that the spyware (not the search engine) is causing their dissatisfaction with their search engine. The Commission has long been active in challenging unfair or deceptive acts or practices on the Internet, and spyware cases are not fundamentally different. Over the course of nearly a decade, we have brought approximately 300 cases challenging Internet practices involving substantial consumer harms, including harms similar to those posed by some examples of spyware. Most recently, in D Squared Solutions, LLC, the defendants allegedly exploited an operating system feature to harm consumers. The Windows operating system uses "Messenger Service" windows to allow network administrators to provide instant information to network users, for example, a message to let users know that a print job has been completed. The defendants in D Squared exploited this feature to send Messenger Service pop-up ads to consumers, advertising software that supposedly would block such ads in the future. Consumers would receive these pop-up ads as often as every ten minutes. The Commission filed a complaint in federal court alleging that the defendants unfairly interfered with consumers' use of their computers and tried to coerce consumers into buying software to block pop-up ads.[9] The Commission brought several cases challenging the surreptitious distribution of dialer programs. A paper submitted at the workshop by the Computer Software Working Group[10] identified surreptitious downloads as an example of one of the problematic practices of some spyware programs. Past Commission actions have attacked similar programs that secretly disconnect consumers from their Internet Service Providers, reconnect them to another network, and charge them exorbitant fees for long distance telephone service or entertainment services delivered over the telephone line.[11] We also have challenged the practice of "pagejacking" consumers and then "mousetrapping" them at pornographic web sites.[12] These cases demonstrate that the Commission has the authority under Section 5 of the FTC Act to take action to prevent harms to consumers similar to those that spyware allegedly causes. Conclusion Spyware appears to be a new and rapidly growing practice that poses a risk of serious harm to consumers. The Commission is learning more about this practice, so that government responses to spyware will be focused and effective. We are continuing to pursue law enforcement investigations. The FTC thanks this Committee for focusing attention on this important issue, and for giving us an opportunity to present the preliminary results from our workshop. We look forward to further discussions with the Subcommittee on this issue.
[1] The written statement presents the views of the Federal Trade Commission. Oral statements and responses to questions reflect the views of the speaker and do not necessarily reflect the views of the Commission or any other Commissioner. [2] 15 U.S.C. ' 45. [3] See, e.g., Workshop: Technologies for Protecting Personal Information, The Consumer Experience (May 14, 2003); Workshop: Technologies for Protecting Personal Information, The Business Experience (June 4, 2003); Consumer Information Security Workshop (May 20, 2002). [4] 69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/040217spywareworkshopfrn.pdf> [5] For the purposes of the workshop, the FTC Staff tentatively described spyware as "software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer's consent, or asserts control over a computer without the consumer's knowledge." 69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/040217spywareworkshopfrn.pdf> [6] Panelists at the workshop noted that consumers need to be very careful to obtain anti-spyware programs from legitimate providers because some purported anti-spyware programs in fact disseminate spyware. [7] The Commission will find deception if there is a material representation, omission, or practice that is likely to mislead consumers acting reasonably in the circumstances, to their detriment. See Federal Trade Commission, Deception Policy Statement, appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984) ("Deception Statement"). An act or practice is "unfair" if it causes or is likely to cause substantial injury to consumers, that injury is not outweighed by any countervailing benefits to consumers and competition, and consumers could not have reasonably avoided the injury. 15 U.S.C. ' 45(n). [8] Identifying the source of spyware is especially difficult when consumers were not even aware that the spyware had been installed. [9] FTC v. D Squared Solutions, LLC, No. 03-CV-3108 (D. Md. 2003). The case is currently in litigation. [10] The Consumer Software Working Group is comprised of public interest groups, software companies, Internet Service Providers, hardware manufacturers, and others. Available at <http://www.cdt.org/privacy/spyware/20040419cswg.pdf>. [11] See, e.g., FTC v. Alyon Technologies, Inc., No. 1:03‑CV‑1297 (N.D. Ga. 2003); FTC v. BTV Indus., No. CV-S-02-0437-LRH-PAL (D. Nev. 2003); FTC v. Anderson, No. C00‑1843P (W.D. Wash. 2000); FTC v. RJB Telcom, Inc., No. 002017 PHX EHC (D. Az. 2000); FTC v. Sheinkin, No. 2‑00‑3636 18 (D.S.C. 2000); FTC v. Verity Int'l, Ltd., No. 00 Civ. 7422 (LAK) (S.D.N.Y. 2000); FTC v. Audiotex Connection, Inc., No. CV-97-00726 (E.D.N.Y. 1997); see also Beylen Telecom, Ltd., FTC Docket No. C‑3782 (final consent Jan. 23, 1998). [12] See, e.g., FTC v. Zuccarini, No. 01-CV-4854 (E.D. Pa. 2002); FTC v. Carlos Pereira d/b/a atariz.com, No. 99‑1367‑A (E.D.N.Y. 1999).
|