April 19, 2004 7:04 PM PDT

Few solutions pop up at FTC adware workshop

WASHINGTON--Spyware, adware and other code that lurks on hard drives has become so pervasive it's bedeviling home users, driving corporate technology managers to distraction and has become the top complaint in customer service calls to computer makers.

But participants in a one-day workshop convened Monday by the Federal Trade Commission couldn't decide what to do about it.

Attendees at a Federal Trade Commission workshop on spyware fill a room.

Software companies warned of poorly written laws targeting spyware that could inadvertently affect legitimate products like smut-filtering software or security update mechanisms. Microsoft suggested that technology in a forthcoming Windows XP Service Pack might do the trick, while other participants touted third-party rating systems and voluntary codes of conduct.

Politicians and their aides defended laws targeting spyware, citing the example of last year's federal law regulating spam. But some advertising companies claim their business model is perfectly legitimate, and law enforcement representatives acknowledged they already had sufficient legal authority under computer crime laws to put the most noxious spyware makers in prison.

When asked whether new laws were needed to place spyware authors in prison, Mark Eckenwiler, a senior computer crime prosecutor at the U.S. Justice Department, replied: "By and large, the answer is no. In our quiver, we have a number of arrows we can use in prosecutions."

While spyware and adware started to become a public concern about a year ago, only in the past few months have some variants become the Internet equivalent of Public Enemy No. 1.

Spyware and adware problems became the largest single customer service complaint late last year, Dell attorney Maureen Cushman told the FTC workshop. It's become "a huge technical support issue for us," Cushman said, resulting in "slow performance, inability to access the Internet, extra icons and pop-up ads. This damages our brand and, most importantly, impairs the customer experience."

McAfee Security manager Bryson Gordon, whose company sells the McAfee AntiSpyware utility, says his company detected fewer than 2 million adware or spyware products in August 2003. By March 2004, the total number had zoomed to just more than 14 million. It's become "a larger technical support problem than viruses," Gordon said.

Much of the simmering disagreement on Monday arose from participants not being able to agree on a definition that would permit ad-supported software--while prohibiting parasitical spyware that quietly embeds itself in a personal computer and records keystrokes or sends out spam.

Complicating any definition is that adware from companies like Claria (formerly Gator) and WhenU typically seeks permission from users, though critics charge that the companies intentionally make the terms of service agreement difficult to understand so most people don't know what they're getting. The company's utilities monitor a user's Web browsing activity and display relevant advertisements in pop-up windows.

An anecdotal survey that antispyware company PC Pitstop described on Monday said that "75 percent of the respondents did not even recall installing (Claria's Gator Advertising Information Network) application on their PC...Adding the tally for users that did not know GAIN was installed to those that read the 20-page license for less than five minutes, an incredible 97 percent of GAIN users are largely unaware of what the application is doing on their system."

Growing regulatory attention
Avi Naider, chief executive of WhenU, defended his company's business practices, saying the word spyware "was never meant to include software-based advertising...It's pro-consumer; it's pro-competition; it's pro-competitive. (It's) one of the most promising technologies that exists on the Internet today."

Naider was especially pointed in his criticism of Utah, which last month became the first state to restrict spyware. Other regulatory efforts are afoot: Two similar proposals have been introduced in the U.S. Congress, and the Center for Democracy and Technology has filed a complaint against Mail Wiper before the FTC, alleging it engaged in illegal "browser hijacking."


Special report
Out of the shadows
A growing movement aims
to stop or regulate
software that
surreptitiously monitors
computer use.


Last week, WhenU filed suit to block Utah's spyware law, saying it was unconstitutionally broad. Naider said, "there's been a lot of mixing of the issues," and claimed that the Utah law was unreasonably aimed at WhenU even though its customers wanted the product.

Speaking later in the day, Utah state representative Stephen Urquhart said of WhenU that "we concluded it's parasitic...Unless there is regulation in this area, the butcher, the baker, the candlestick maker will stick to bricks and mortar." The Utah law generally bars companies from installing software that reports its users' online actions, sends any personal data to other companies, or pops up advertisements without permission.

Jennifer Baird, legislative counsel to Rep. Mary Bono, R-Calif., said the technology industry was naive to think that politicians would sit idle while companies debated definitions. "What we're hearing is that, 'This is a problem, it should be solved, but we don't know how to do that, hold on,'" said Baird, whose boss has introduced an antispyware bill. "That's not how it works in Congress."

Technology approaches
While they might disagree about details, representatives of the technology companies who showed up at the FTC event did appear to be uniformly skeptical of new laws singling out spyware or adware.

Mark Bohannon, general counsel of the Software and Information Industry Association, suggested that Congress should stay out of trying to craft definitions to sort software into good and bad categories. Otherwise it could create more of the problems caused by Utah's measure and ban "routine, benign Internet communications such as instant messaging." The association's members include AOL Time Warner, Credit Suisse First Boston, eBay, Intuit, Novell and Sun Microsystems.

J. Trevor Hughes, executive director of the Network Advertising Initiative, was more blunt, warning of "hasty legislative responses...A legislative response is probably the worst first response." Hughes and other industry participants suggested that educating users not to install software from Web sites they don't trust would be a wiser approach, coupled with improvements in technology similar to what antivirus and antispam products have experienced.

In a bid to organize the technology industry against the threat of buggy legislation, the nonprofit Center for Democracy and Technology distributed a five-page paper from an ad hoc "Consumer Software Working Group" that was signed by companies including Microsoft, Google, America Online, Yahoo, Claria and WhenU. But it was focused on pointing out examples--such as a dialer that secretly calls a long-distance number and runs up phone bills--that are already illegal, and it didn't try to come up with a consensus definition.

Google senior policy counsel Andrew McLaughlin said his employer is "probably a little less allergic to legislation," but went on to say, "the more that I look at the text of the bills that are floating around, the more nervous I become." Google makes available a toolbar utility for Web browsers that eliminates pop-up ads and, if the user chooses, sends information about Web sites visited back to the company.

Nearly all known spyware programs infect Microsoft Windows, not Apple's OS X operating system or other Unix or Linux variants. "There are a lot of things we can do at the software level to make it harder for users to get tricked," said Microsoft Vice President Brian Arbogast.

Jeff Friedberg, Microsoft's director of Windows privacy, said that the next release of Windows XP Service Pack takes major steps to limit malicious code. Those are: a pop-up blocker in Windows, a mechanism to prevent unsolicited downloads, an option to never install software from a particular company, and an Active X manager that permits certain controls to be disabled. In addition to bugs in Windows, many spyware programs rely on Active X to take control of a computer.

3 comments

Join the conversation!
Add your comment
Pro-consumer?!
If Avi Naider thinks his adware is "pro-consumer," he has not been subjected to its effect on a typical dial-up internet session for any serious length of time. Is WhenU installed and active on all of the PCs personally used by Naider?
Posted by C.Schroeder (126 comments )
Reply Link Flag
EULA law
I think it would help if adware/spyware programs were required to have a disclaimer at the very beginning of their EULA stating that track keystrokes, log websites viewed, pop up ads, etc...

The purpose of this is that most people are not interested in reading an entire EULA just to see if it contains something relating to spyware/adware burried someware in the 20 pages of text. A 20 page EULA more like 100+ pages when viewed in the small window they are often contained in, which makes it hard to scan through.


We need a group of people to agree upon small descriptions of each type of spyware/adware known. Each vendor of spyware/adware will have to include in their disclaimer each statement that fits their software. They should not be allowed to modify the text of the statements and they must include all statments that apply to them.

Pre-determined statments would look similar to the following list:



This program is preconfigured to track your internet usage and will update collected usage without asking your permission each time.

This program is preconfigured to track your internet usage and will update collected usage at your discretion.

This program, when enabled by the user, will track your internet usage and will update collected usage without asking your permission each time.

This program, when enabled by the user, will track your internet usage and will update collected usage at your descretion.

This program displays ads within it's own interface.

This program displays ads outside of it's own interface.

This program downloads updates to itself without asking your permission each time.

This program downloads other programs from the same vendor without asking your permission each time.

This program downloads other programs from third party vendors without asking your permission each time.
Posted by danp129 (7 comments )
Reply Link Flag
Google should worry, laws are a threat to them.
Google should worry, Microsoft should lead the fight against spyware, Yahoo should show some leadership also. It would be in both companies interest to market into the trend in computer users desire for privacy online. Gmail showed us all that we really do not want our private communication made available for Goons to look over to target ads back at us that really are good for nothing but making Google Rich.

Spyware laws are being proposed right now, internet users can do something about this, contact your Senators and demand that they support anti spyware/adware laws and software that transfers information to third parties, read more about this at <a class="jive-link-external" href="http://www.searchwars.squarespace.com/display/ShowPage?moduleId=25147" target="_newWindow">http://www.searchwars.squarespace.com/display/ShowPage?moduleId=25147</a> We need Microsoft to take the lead against spyware and adware and market into this strong desire among internet users to rid the internet of the Big Brother Software Programs that threaten the internet itself as a commerce platform.
Posted by anthonycea (103 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.