Addressing the cause, not symptoms
By Evan Hansen and John Borland
Staff Writers, CNET News.com
June 24, 2002, 4:00 a.m. PT
At first, the signs are subtle: Your computer is slower than usual, something is different about your browser, occasionally you're redirected to an unfamiliar Web site for no apparent reason.
When you finally figure out the problem, you discover that someone has been tracking every keystroke on your keyboard for days while using your PC's resources to maintain a network that researches extraterrestrial life. Adding insult to injury, you find that your 8-year-old son agreed to the whole mess to get some software given away online.
Variations of this scenario have proliferated across the Internet thanks to an emerging breed of opportunistic programs that push the limits on accepted business practices. The resulting potential for abuse affecting millions of computers at a time underscores the need for government regulation, which has been delayed for years.
The politically libertarian foundation of the Internet is certain to make any new law a difficult proposition. Many stalwarts prefer technological solutions, as evidenced by a growing grassroots movement of programmers dedicated to thwarting intrusive programs. Others argue that legislation is unnecessary because many offensive applications are of questionable business value and may die naturally.
However, after years of chances and failures, anti-regulatory dogma regarding the Internet has worn thin. People are becoming increasingly fed up with companies that seek to entrench themselves deep within the viscera of their PCs, and each violation of their trust by short-lived start-ups makes it more difficult for legitimate businesses to win back their confidence.
"To most consumers, the hard drive is like the home, with the same sense of the sanctity of the home," said Richard Smith, a privacy consultant responsible for revealing some of the earliest online breaches of personal information. "They react to someone snooping in their hard drive the same way they would to someone snooping around their house."
Free software downloaded from the Net has long carried a hidden price, often in the form of information collected about its recipients with tracking technologies opposed by privacy advocates yet tolerated by consumers. In the last few months, however, the issue has triggered an unprecedented backlash.
The technologies in question invite companies directly into consumers' hard drives, where they have nearly unlimited opportunity to manipulate computers. Barring consent, the practice might otherwise be called electronic trespassing or outright hacking.
Consumer concerns over such intrusions are finally being heard. In Washington, the Senate Commerce Committee signed off on a bill last month that among other things targets companies that include tracking software--known as "adware" or "spyware"--in their products to collect detailed consumer information used for marketing research. Moreover, a group studying consumer Internet privacy for the European Union extended the scope of its inquiry to include music programs, which have been among the most prolific sources for bundled tracking technologies.
But Washington's legislation, while taking some key steps toward securing privacy online, does little to address the broader issue of preventing unsolicited companies from camping out and running their businesses on individuals' hard drives.
To be truly effective, legislators must shed their reluctance to deal with specific technologies, which they have often avoided out of ignorance or to encourage unfettered growth of a previously booming new industry. There are no laws, for example, that prevent companies from changing individual computer settings--even though the practice is analogous to a traveling salesman entering a house and rearranging the furniture so that all chairs face a large advertising placard placed in the middle of the living room.
"Many sites are taking garden-variety click-through agreements and doing things that hackers might do," said Ira Rothken, a lawyer who has brought several high-profile privacy cases, including a class action targeting DoubleClick that was settled last month. "That's the tension: Should there be certain things that should never be allowed?"
Although the power of software downloads to take control of PCs is well known, the technology has unaccountably been ignored in debates over Internet privacy and online regulation. Truste, the main online privacy accreditation group in the United States, has voluntarily certified some 2,000 Web sites as safe for consumers and was initially assailed for refusing to review software, but that criticism never led to any action.
The issue was cast in stark relief this year, when millions of people discovered that they had agreed to install an application that quietly "piggybacked" on Kazaa's popular file-swapping software. The program, from a little-known start-up called Brilliant Digital Entertainment, had the potential to turn people's PCs into nodes for an ambitious commercial network that could host and disseminate music, ads or other content from different companies, using the PCs' processing power to do so.
Brilliant did nothing illegal, having stated its intentions in a standard consent agreement that accompanied the downloads. But the controversy illustrated the possibility of wide abuse to many consumers in clear terms for the first time.
"I am opposed to such piggybacking applications. They're dangerous for many reasons," said Andy Oram of technology publisher O'Reilly & Associates, speaking as a member of the activist group Computer Professionals for Social Responsibility. "Users don't really know what is being carried out, and it's possible they might not like the task. For instance, not all users approve morally of all biological experiments."
In their defense, Brilliant and many other companies have been forced to experiment with new business strategies to survive the dot-com bust. The post-apocalyptic shakeout has drastically reduced the number of previously free products and services on the Internet as companies look to make money any way they can--a situation that increasingly calls for government intervention to keep them from going too far.
Web businesses have long maintained that self-interest and self-regulation will provide the necessary safeguards for consumers online. Imposing laws at this early stage of the game will only do more harm than good, they argue.
"Anytime you start talking about writing new rules, you need to begin with a strong factual basis," said Ronnie Brooke of the Consumer Sentinel Project Team, an online fraud unit created by the Federal Trade Commission. "You need a lot of data to find the right trade-off, and it's still fairly young for that."
Why "opt in" is no option
Much of the debate has centered on this question: What constitutes fair notice of what companies are actually doing with individuals' private data? Consumer advocates have generally argued for an "opt in" method, which would require specific consent before companies could do anything with a consumer's personal information, such as sell it to marketers. More recently, some have advocated applying an opt-in approach to any software that takes over components of a PC, regardless of whether it collects data.
Businesses, on the other hand, have argued for an "opt out" method, which would automatically allow companies access to hard drives and use of personal information unless consumers were to take explicit steps to block them. As a practical matter, such a "default" mechanism would have enormous influence on behavior because most people typically keep the computer settings they've been given at the outset simply because it is the easiest thing to do.
Although the opt-in alternative adds an important layer of security, it has proven a political deal-breaker in Congress. Last year, for instance, Sen. Ernest "Fritz" Hollings proposed opt-in privacy requirements for collecting personal information that were immediately opposed by Sens. Conrad Burns and Bob Kerrey, who had drafted competing legislation.
The two sides compromised on the current bill, S. 2201, requiring opt-in approval only for sensitive information defined as financial status, medical history, Social Security numbers, ethnicity, religious affiliation, sexual orientation and political party affiliation. Other information is considered non-sensitive data that can be used for marketing research and therefore subject to the opt-out approach.
"Hollings got crushed last year because of opt-in," said Chris Hoofnagle, legislative counsel with the Electronic Privacy Information Center (EPIC).
Politics aside, the technology exists to make opt-in proposals a reality. Industry standards groups have approved tools that allow Web surfers to automatically compare preset preferences to privacy policies and act on them by agreeing in advance to accept or reject certain actions.
Buried in the fine print
To see the need for reform on this front, one need only consult any number of "terms of service" agreements or privacy policies attached to downloads available on the Web, impenetrably worded documents that are typically ignored by consumers. Only government regulation can ensure the prominence and readability of these crucial documents, which could include the use of desktop icons or other high-profile devices flagging people to their existence.
"Consumers need to have more confidence in the Internet," said Andy Davis, a spokesman for Hollings, who has been pushing vigorously for privacy legislation for the past three years and wrote the recently approved Commerce Committee bill. "You're not going to get deep adoption of broadband and e-commerce until consumers have greater trust doing business online."
Despite its shortcomings, the Hollings legislation is one of the strongest bills of its kind to date. It carries some powerful weapons for consumers, including the right to see information that companies keep about them and the ability to bring private lawsuits over leaks of sensitive data--two provisions bitterly opposed by business interests.
The provisions will bring a flood of litigation, companies argue. Joe Rubin, a lobbyist for the U.S. Chamber of Commerce, says the law would become "a trial lawyer's right-to-sue act."
Nevertheless, as powerhouses such as Microsoft and AOL begin offering technological and entertainment services that are increasingly intertwined with consumers' lives, property and finances, measures designed to strengthen trust are more important than ever.
In many ways, technology companies have only themselves to blame for any consumer anger. For years, many of the best-known names in the industry have built business plans that exploit consumers' lack of technical knowledge and their tendencies to glaze over fine print.
Trust still in short supply
According to an April report from Consumer WebWatch, a Web-ranking group backed by the nonprofit Consumers Union, just 29 percent of people in the United States who use the Internet trust Web sites that sell products or services. Of 1,500 telephone respondents, only one-third said they trust Web sites that provide advice about such purchases or services. That compares with 58 percent who said they trust newspapers and television news and 47 percent who said they trust the federal government.
Even if the Senate bill becomes law in its current form, lawmakers will have only begun to address the Internet's problem with public trust, which has become a dwindling commodity for any business sector in the post-Enron corporate world.
"It's an age-old question," lawyer Rothken said. "Is notice good enough to do what they're doing?"
Rather than broad legal parameters, consumers need regulations that would have an immediate impact on their computers. For example, consumers would benefit if software makers were required to offer tools that could remove technologies as easily as they were installed. Also helpful would be a required desktop icon or some other conspicuous label linked to a central place where consumers could review tasks tied to each application on their machines and manage preferences for them through a master menu.
Whether by design or oversight, applications used to collect consumer data, borrow PC resources or perform other functions through downloaded software are often built to run surreptitiously. Standard applications such as word-processing software display splash screens and icons indicating that the software is running, but adware, spyware and distributed-computing programs are far more difficult to find and manage--if the consumer is aware of their existence at all.
Oram, like many Internet pioneers, is wary of government intrusion on the medium. But he acknowledges that anyone who downloads software on the Internet today is vulnerable to the whims of piggybacked technologies and can even find themselves perpetuating offenses they have no control over, creating "the problem of cascading responsibility."
"The real-life equivalent to this is something experienced by many of us when we are young and have roommates," he said. "You may trust your roommate, but he or she may invite a friend over, and that friend may make a long-distance call for a couple hours that you find on your phone bill a month later after everybody has moved out."
News.com's Mike Yamamoto contributed to this report.