[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]



               SPYWARE: WHAT YOU DON'T KNOW CAN HURT YOU

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                COMMERCE, TRADE, AND CONSUMER PROTECTION

                                 of the

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 29, 2004

                               __________

                           Serial No. 108-89

                               __________

      Printed for the use of the Committee on Energy and Commerce


 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 house

                               __________

                    U.S. GOVERNMENT PRINTING OFFICE
93-308                      WASHINGTON : DC
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                    ------------------------------  

                    COMMITTEE ON ENERGY AND COMMERCE

                      JOE BARTON, Texas, Chairman

W.J. ``BILLY'' TAUZIN, Louisiana     JOHN D. DINGELL, Michigan
RALPH M. HALL, Texas                   Ranking Member
MICHAEL BILIRAKIS, Florida           HENRY A. WAXMAN, California
FRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               RICK BOUCHER, Virginia
PAUL E. GILLMOR, Ohio                EDOLPHUS TOWNS, New York
JAMES C. GREENWOOD, Pennsylvania     FRANK PALLONE, Jr., New Jersey
CHRISTOPHER COX, California          SHERROD BROWN, Ohio
NATHAN DEAL, Georgia                 BART GORDON, Tennessee
RICHARD BURR, North Carolina         PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
CHARLIE NORWOOD, Georgia             ANNA G. ESHOO, California
BARBARA CUBIN, Wyoming               BART STUPAK, Michigan
JOHN SHIMKUS, Illinois               ELIOT L. ENGEL, New York
HEATHER WILSON, New Mexico           ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona             GENE GREEN, Texas
CHARLES W. ``CHIP'' PICKERING,       KAREN McCARTHY, Missouri
Mississippi, Vice Chairman           TED STRICKLAND, Ohio
VITO FOSSELLA, New York              DIANA DeGETTE, Colorado
STEVE BUYER, Indiana                 LOIS CAPPS, California
GEORGE RADANOVICH, California        MICHAEL F. DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire       CHRISTOPHER JOHN, Louisiana
JOSEPH R. PITTS, Pennsylvania        TOM ALLEN, Maine
MARY BONO, California                JIM DAVIS, Florida
GREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois
LEE TERRY, Nebraska                  HILDA L. SOLIS, California
MIKE FERGUSON, New Jersey            CHARLES A. GONZALEZ, Texas
MIKE ROGERS, Michigan
DARRELL E. ISSA, California
C.L. ``BUTCH'' OTTER, Idaho
JOHN SULLIVAN, Oklahoma

                      Bud Albright, Staff Director

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

        Subcommittee on Commerce, Trade, and Consumer Protection

                    CLIFF STEARNS, Florida, Chairman

FRED UPTON, Michigan                 JANICE D. SCHAKOWSKY, Illinois
ED WHITFIELD, Kentucky                 Ranking Member
BARBARA CUBIN, Wyoming               CHARLES A. GONZALEZ, Texas
JOHN SHIMKUS, Illinois               EDOLPHUS TOWNS, New York
JOHN B. SHADEGG, Arizona             SHERROD BROWN, Ohio
  Vice Chairman                      PETER DEUTSCH, Florida
GEORGE RADANOVICH, California        BOBBY L. RUSH, Illinois
CHARLES F. BASS, New Hampshire       BART STUPAK, Michigan
JOSEPH R. PITTS, Pennsylvania        GENE GREEN, Texas
MARY BONO, California                KAREN McCARTHY, Missouri
LEE TERRY, Nebraska                  TED STRICKLAND, Ohio
MIKE FERGUSON, New Jersey            DIANA DeGETTE, Colorado
DARRELL E. ISSA, California          JIM DAVIS, Florida
C.L. ``BUTCH'' OTTER, Idaho          JOHN D. DINGELL, Michigan,
JOHN SULLIVAN, Oklahoma                (Ex Officio)
JOE BARTON, Texas,
  (Ex Officio)

                                  (ii)




                            C O N T E N T S

                               __________
                                                                   Page

Testimony of:
    Baker, David N., Vice President, Law and Public Policy, 
      Earthlink..................................................    36
    Beales, J. Howard, III, Director, Bureau of Consumer 
      Protection, Federal Trade Commission.......................    42
    Friedberg, Jeffrey, Director of Windows Privacy, Microsoft...    10
    Schwartz, Ari, Associate Director, Center for Democracy and 
      Technology.................................................    47
    Thompson, Hon. Mozelle W., Commissioner, Federal Trade 
      Commission.................................................    38
Additional material submitted for the record:
    Downloading Shared Files Threatens Security, article by Sgt. 
      1st Class Eric North.......................................    86
    Thompson, Roger, Vice President for Product Development, 
      PestPatrol, Inc., prepared statement of....................    81
    Webroot Software, Inc., prepared statement of................    83

                                 (iii)

  

 
               SPYWARE: WHAT YOU DON'T KNOW CAN HURT YOU

                              ----------                              


                        THURSDAY, APRIL 29, 2004

              House of Representatives,    
              Committee on Energy and Commerce,    
                       Subcommittee on Commerce, Trade,    
                                   and Consumer Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2123, Rayburn House Office Building, Hon. Cliff Stearns 
(chairman) presiding.
    Members present: Representatives Stearns, Upton, Shimkus, 
Shadegg, Bass, Bono, Otter, Barton (ex officio), Schakowsky, 
and Strickland.
    Alsp present: Representatives Inslee and Greenwood.
    Staff present: David L. Cavicke, majority counsel; Chris 
Leahy, policy coordinator; Shannon Jacquot, majority counsel; 
Brian McCullough, majority professional staff; Jill Latham, 
legislative clerk; William Carty, legislative clerk; and 
Consuela Washington, minority counsel.
    Mr. Stearns. Good morning. I am pleased to welcome all of 
you to the Commerce, Trade and Consumer Protection Subcommittee 
hearing on spyware. Spyware is loosely defined as malicious 
software, downloaded from the internet that spies on the 
computer owner or user, usually to provide information to third 
parties. The Federal Trade Commission has said that spyware is 
software, that aids in gathering information about a person or 
organization without their knowledge and that may send such 
information to another entity without the consumer's consent or 
that assert control over a computer without the consumer's 
knowledge. A spyware relative, known as adware, enables the 
computer owner or user to receive a stream of ads and other 
marketing information usually based on data the software has 
collected about the user. Adware or ad supported software is 
frequently bundled with free internet software or free ware. 
Legitimate adware allows the user knowledge and consent about 
the software and frequently provides an adware free version for 
purchase. More noxious adware versions, however, can be 
downloaded without consent or through deceptive means, 
essentially making them spyware in themselves.
    My colleagues, as we speak, spyware and adware software 
programs are growing at a very, very rapid rate. According to 
the consumer security firm, McAfee, these software programs 
have grown in number from about 2 million in August 2003 to 
over 14 million currently.
    As further proof of the potential scale of this problem, 
the National Cyber Security Alliance has estimated that over 90 
percent of users had some form of adware or software, spyware 
on their computers and yet, most were unaware of it. In worse 
cases, the more malicious varieties of spyware can record 
keystrokes and compromise personal information, including 
passwords and Social Security Numbers.
    The simple act of downloading a desired program from the 
internet can not only open the door on your personal computer 
and your most private information, but also can allow spies to 
effectively take up resident in your personal computer. Your 
personal property, I might add, without your knowledge and 
without your consent.
    Then after sneaking into your computer, some of these 
malicious spyware programs can act as snoop, prying into your 
private life or thieves, stealing personal information or as 
pornography dealers, exposing your children to obscene online 
material.
    If and when you finally discover the spy lurking in your 
personal computer, the damage is already done. In the best 
cases, the technology that enables spyware also can serve as a 
first line of defense against obscene internet material by 
tracking website activity and filtering out the garbage. Other 
forms of the technology, like legitimate adware, are authorized 
by the consumer and provides businesses a new and efficient 
means of reaching potential customers with less expensive goods 
and services.
    While some would have us to find spyware with technical 
parameters, others believe that it is not the technology tool 
that needs to be defined and targeted. It's the unscrupulous 
individuals preying on the consumer from these programs.
    Clearly, no matter the definition we create today, it is 
always reprehensible when someone intentionally downloads 
secret software into a personal computer that is designed to 
steal information or trick us into opening the doors into our 
private lives.
    To try to address this egregious internet activity, Ms. 
Bono of California, has introduced legislation to enhance 
spyware disclosures, root out this deceptive and fraudulent and 
create accountability. Her bill require the computer users 
receive clear and conspicuous notice prior to downloading 
spyware and that all third parties provide their identity.
    I sincerely commend her for her leadership on this issue. 
It is my hope that we can reach bipartisan consensus on 
legislation that will protect consumers from unwittingly being 
spied upon.
    With the help of our distinguished panel of witnesses, one 
of our most important tasks is to try to establish the 
boundaries of what is clearly legitimate and what is clearly 
reprehensible. We then need to explore the murky area in the 
middle where cases aren't so stark and are not so clear-cut, 
especially in cases where consumers are duped with lengthy and 
confusing license agreements, website trickery and exploitation 
of weak, personal computer security.
    The ultimate challenge, therefore, is to investigate ways 
industry, consumers and Congress can work together to rid out 
our online marketplace of the bad apples, while preserving 
legitimate uses for this software technology.
    And finally, my colleagues, our panel today will help us 
understand how spyware and adware programs are distributed in 
commerce, both legitimate and fraudulent. The scope of the 
privacy and security risk posed by this software, its effects 
on economic productivity and the need for Federal legislation. 
And I think many of you know that the State of Utah has already 
passed a spyware bill. The State of California and New York are 
presently looking at that.
    I welcome our witnesses today and I look forward to their 
testimony and with that, I call on the ranking member for her 
opening statement.
    Ms. Schakowsky. Thank you, Chairman Stearns. One of the 
great things about this job is that you learn something new 
every day. So that either indicates that I am way behind the 
curve here or that perhaps the Congress is getting a grip on an 
emerging problem. Because increasingly people are finding that 
their home web pages are changed or their computers are 
sluggish, we get pop up ads that won't go away no matter how 
many times they try to close them. They find software on their 
computer they didn't install and they can't uninstall. Their 
computers are no longer their own and they can't figure out 
why.
    They think that the problem is with their computer, with a 
program they installed or with their internet service provider, 
but more and more often, it's becoming clear that they are the 
unwitting victims of spyware. Because they clicked on the wrong 
web page or signed an agreement to download one program, 
spyware has made it on to their computer.
    While the above examples can be written off by some as 
merely annoying, there are serious privacy and security issues 
at stake. The tracking capability of spyware programs can be so 
powerful that it can record every keystroke computer users 
enter. It can take pictures of personal computer screens. It 
can snatch personal information from consumers' hard drives. 
People can see their bank account numbers, passwords and other 
personal information stolen because they quite innocently went 
to a bad website or clicked an agreement they didn't know they 
shouldn't.
    While some programs called spyware can have legitimate 
purposes like allowing for access to online newspapers without 
having to register every time you want to read it, truly 
nefarious spyware uses software and applications in ways that 
cannot be defended. Spyware purveyors engaged in unfair and 
deceptive practices. They take personal information without 
permission. They exploit software vulnerabilities and co-op'd 
others' computers.
    Fortunately, we do have a number of laws on the books that 
we can use against spyware. However, there has been virtually 
no enforcement of the laws. Spyware transmitters know how to 
cover their tracks and technology changes every day. It makes 
it very hard to find those who are to blame, but it can be done 
and we need to pursue enforcement of laws already on the books.
    And we also need to explore legislation and other responses 
to deal with the inevitable loopholes that exist in the law 
because of the ever-evolving nature of technology. That's why 
I'm glad we're here and glad I'm here today to start discussing 
the best way we as legislators can address these issues.
    We also need to get the word out to consumers so that they 
know what is really wrong with their computers and so that they 
can protect themselves from online predators. We should build 
on the consumer awareness efforts of the FTC and Center for 
Democracy and Technology as a right of their pursuing comments 
about how spyware has affected people. They have heard from 
hundreds of consumers concerned about spyware's invasion into 
their privacy. From these comments and very technical 
investigative follow-up, the Center for Democracy and 
Technology has filed complaints with the FTC about two spyware 
bad actors. I'm quite pleased that we have distinguished 
witnesses representing the broad spectrum of affected parties 
and as Chairman Stearns mentioned, we have the industry 
regulators and consumer groups and I look forward to hearing 
from all of you.
    Thank you.
    Mr. Stearns. I thank my colleague. The distinguished 
chairman of the full committee, the gentleman from Texas, Mr. 
Barton.
    Chairman Barton. Well, thank you, Chairman Stearns, for 
holding this hearing and I want to thank Congresswoman Bono for 
introducing this piece of legislation.
    We checked our committee computers this week and found 167 
spyware programs on it. I told that at a meeting breakfast a 
couple of days ago and the gentleman held up his hand and said 
he had just checked his computer and had over 200 and then I 
told the story at dinner last night and somebody held up their 
hand and said over 400. So there is no more pernicious, 
intrusive activity going on on the internet today than the 
subject of this hearing. And I hope that after the hearing, we 
can come together on a bipartisan basis and decide what to do 
legislatively about it.
    I have told Congresswoman Bono that her bill is a starting 
point, but not the end point and I want to tell all of the 
members of the committee and the folks in the audience and the 
people that are watching this on television, if it's being 
broadcast, that we really intend to do something about this. We 
do not let people just wander around our homes without our 
permission. We don't let total strangers just come up to us, 
encourage us to buy this or buy that or do this or do that. And 
we certainly when we have guests over, and they overstay their 
welcome, we encourage them to leave. None of those can we do 
with these spyware programs that are proliferating on our 
personal computers and as we found out at the committee this 
week, our office computers.
    So I am very, very pleased that Chairman Stearns is holding 
this hearing and I am very, very hopeful that after the record 
is developed from this hearing that we can very quickly move to 
a legislative solution to that to cure this cancer on the 
internet.
    And with that, Mr. Chairman, I have an official statement 
for the record, but I will yield my time back.
    Mr. Stearns. By unanimous consent, so ordered.
    Chairman Barton. Thank you.
    [The prepared statement of Hon. Joe Barton follows:]

 Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy 
                              and Commerce

    Thank you, Mr. Chairman, for holding this hearing today. It 
continues this Committee's longstanding work in the area of consumer 
protection.
    Spyware may be unfamiliar to many Americans, but unfamiliar does 
not mean unaffected. I suspect a large number of those in this room are 
victims of some of these foul abuses. Certainly all of us who use the 
Internet are threatened by them. And the very nature of the abuse is 
what keeps everyone threatened by it from seeking relief. It is aptly 
named spyware. Its installation is often sneaky or deceptive and even 
when it runs it often goes undetected. And when consumers notice 
related problems with their systems, those problems are easy to 
misdiagnose. Even those that are technically savvy and aware of what is 
on their system, may not be able to uninstall spyware.
    Much of the recent discussion surrounding spyware has focused on 
the difficulty in defining what it is. The most pernicious of the 
software is composed of keystroke loggers and screen-capture utilities. 
This has both privacy and security issues for consumer Internet use. 
For example, some software can pick up your sensitive financial 
information when you use on-line banking, or it could monitor your 
email traffic and transmit personal information contained in that 
email. Both could lead to identity theft and other privacy and security 
abuses.
    There is also ``adware.'' While adware does not capture keystrokes 
it often captures information, like websites visited, and sends that 
information back to a central server for the purpose of delivering 
targeted advertising. I would be suspicious of someone following me 
around the shopping mall and popping over to me and offering me a 
better deal each time I reached a register. I suspect most of us would 
call the police. But this adware does the very same thing. It follows 
you around the Internet and just as you are looking at purchases, it 
invades your computer with related and often unrelated offers. There 
may be some who would consent to this ``point of sale'' availability of 
information. It is certainly marketing genius. But, without informed 
consent, it is a true invasion of privacy.
    We ran a sweep of a Committee computer earlier this week and 
discovered there were over 167 ``hits'' for third party cookies and 
adware. A recent demonstration by an anti-spyware software company 
showed that most of that software ended up on the computer just by 
visiting a site. No consent was requested and none was given. If I want 
someone to come into my home I invite them into my home--if they come 
in uninvited that is a trespass. And certainly if they take something 
from inside without authorization it is a burglary. The same should 
hold true for access to my home and information via my computer.
    The Internet has been a great boon to society as a tool for 
information and commerce. But, surfing the web is increasingly becoming 
a defensive exercise for consumers who wish to protect their privacy 
and maintain the security of their information. If this dynamic does 
not change soon, there is a real risk of undermining all the commercial 
gains the Internet has achieved.I thank our witnesses for their 
participation today and look forward to their testimony. In particular, 
I would like to thank Ms. Bono and Mr. Towns for their leadership in 
introducing legislation to enhance disclosures to consumers concerning 
spyware. After this hearing I will be working with all Members of the 
Committee on a legislative solution to this problem.
    Thank you and I yield back.

    Mr. Stearns. And I thank the distinguished chairman and at 
this point we'll have the author of the bill, the gentlelady 
from California for an opening statement.
    Ms. Bono. Thank you, Chairman Stearns, and Chairman Barton 
for your leadership on this issue. I welcome the full weight of 
the committee chairman and subcommittee chairman behind this 
legislation. It's also been a pleasure to work with Congressman 
Ed Towns who apparently caught a flight home today.
    We introduced H.R. 2929. We called it the Safeguards 
Against Privacy Invasions Act. I look forward to hearing from 
all of our witnesses this morning.
    Spyware is a technological disease that is proliferating 
each day. It threatens the efficiency of our computers and 
internet services as well as the security of our personal 
information and private transactions. Spyware programs can 
secretly hijack web browsers and collect web surfing patterns, 
keystrokes, password information, all that without the computer 
user ever knowing that it has even occurred.
    In fact, more often than not, computer users have no idea 
that they have downloaded spyware, nor do they have any idea as 
to how they obtained it. Yesterday, Harris Interactive released 
a web at work study which discovered that 92 percent of 
information technology managers estimate that their 
organizations have been infected by spyware at some point. 
However, only approximately 6 percent of the employees who 
access the internet at work say they have ever visited websites 
that contain spyware.
    EarthLink and Webroot Software recently scanned more than 1 
million personal computers and reported 23.8 million cookies 
and approximately 5.7 million adware and spyware programs. Pest 
Patrol which sells its own spyware remover, estimates that 
there are more than 78,000 lurking spyware programs. One of the 
main conduits for the spyware industry is the peer to peer file 
sharing scheme. Free file sharing services like Grokster and 
Kazaa which are also centers for illegal copying, usually tie 
several pieces of adware and spyware to their programs. Kazaa, 
for example, bundles Gator with its software. Gator, in turn, 
contracts with companies who want targeted advertisements. For 
a fee, Gator agrees to disseminate its software so that 
internet habits can be monitored enabling targeted 
advertisements.
    However, spyware is not limited to bundling with other 
software programs such as Kazaa. In fact, some websites and e-
mail messages trick computer users into downloading spyware. 
One common trick is to alert the computer user that his or her 
system is vulnerable and he or she must immediately download a 
security patch. However, the patch only turns out to be spyware 
or adware. Spyware affects everyone from the most tech savvy 
computer users to the least tech savvy computer users and 
certainly unsuspecting teens and kids.
    Lynn Vaccaro, a manager at Errol Electronics, one of the 
largest distributors of computer products, was having 
difficulty with pop up ads, so she tried different pop up 
stoppers with no avail. She then realized she had spyware on 
her computer. She download SpyBot Search and Destroy and many 
other scanner and removal tools. The tools worked so well that 
they eliminated parts of Internet Explorer as well as Windows. 
She then had to reload both of them.
    H.R. 2929 would require that spyware companies give clear, 
concise and conspicuous notice to computer users about the 
function of their software as well as the information that may 
be collected and transmitted through their software. After 
giving such notice, the computer user would have to agree to 
the downloading of the software. In other words, under the SPI 
Act, spyware would no longer be used to spy on unsuspecting 
computer users.
    Although Congress has a responsibility to address the 
issues surrounding spyware, it is equally imperative that the 
Federal Trade Commission, as well as the technology industry, 
does all that it can to protect consumers from spyware. 
Moreover, it is necessary that we collectively educate 
consumers about the nature and the threats of spyware.
    I hope this hearing will help all of us learn more about 
spyware and it will enable us to begin tackling some of the 
complicated and technical questions that are related to 
spyware.
    Thank you, Mr. Chairman.
    Mr. Stearns. I thank the gentlelady. Mr. Shimkus.
    Mr. Shimkus. Thank you, Mr. Chairman. I'll be brief. I 
bought a new Dell. I got Windows XP. I'm disappointed with both 
of those. My computer is lots more sluggish than it ever was 
under my own system that had less memory, less capabilities and 
it's unfortunate and I think it's because I've got programs 
competing with each other. It's like trying to ride an old 
Western, you're on that stagecoach and you've got those 16 
horses and you've got both reins and you just can't control it. 
It's tremendously frustrating and I'm not tech savvy at all.
    So this one of many issues that I think is frustrating the 
public and I'm glad Mary has seen fit to work Mr. Towns and 
really address this. This hearing is very, very important.
    This also gives me the opportunity because of the inability 
to control our own personal computers any more. It also gives 
me the chance to advertise once again for .kids.us, the 
importance of that, if you want to protect kids on the internet 
and we have a late weekend sale, we're having our hearing. I 
think next week, Thursday, maybe, so those of you who have not 
got a site up on .kids.us, you still have time before we have 
the hearing and start identifying those good entities that are 
trying to protect kids and those who are still a little 
negligent and we will continue to try to coerce them.
    I did receive an e-mail, Mr. Chairman, if I may submit into 
the record.
    Mr. Stearns. By unanimous consent, so ordered.
    Mr. Shimkus. It's from Sergeant First Class on peer to peer 
issues and it's probably well known in the community. The other 
issue to this debate is the threat to national security. If 
these things are on Department of Defense computers and 
individuals have the ability then to snoop around in our 
intelligence community, Department of Defense, FBI and the 
like, this is a really serious national security concern. I 
think this article highlights that and so I think this is a 
very timely hearing. I thank you for calling it and I thank my 
colleague, Mary Bono, for bringing it to our attention.
    I yield back.
    Mr. Stearns. I thank the gentleman. The gentleman from 
Michigan, Mr. Upton.
    Mr. Upton. Well, thank you, Mr. Chairman. I want to thank 
my colleague, Ms. Bono, as well, for the great work she's done 
on this legislation. I might say that I've got a Dell as well 
at home with an XP in it. At the beginning when you turn it on, 
I used to make a joke with my kids there's a lot of little guys 
inside, the click, click and they run around trying to plug in 
the old circuits, sort of like the old telephone, but now 
it's--you need Raid because you find out, in fact, it's not 
little guys in there. It's spiders. And I've been a victim of 
spyware as well. I don't know how many hundred, Mr. Barton, 
that I have, but I have a 12-year-old and a 16-year-old and we 
had to have the computer doctor come visit and take it away and 
take it to the ER and it's on life support. Found out it 
couldn't even deal a deck of cards in Solitaire it was so slow, 
it was so pathetic. It's bad. It is bad.
    I think for a lot of Americans when they become victims of 
this they're a little surprised and they become very alarmed 
and then they become very angry and bitter that someone would 
violate their personal space whether it be Kazaa or anybody 
else and in fact, victimized an entire family, homework and 
everything else, that a PC provides assistance with.
    So I think that we need legislation on this. I think we 
need strong penalties. Some might suggest the death penalty. I 
don't know that we'll go that far, we'll look for some 
judiciary help, but I want to thank my colleague, Ms. Bono, for 
this. I want to thank you, Mr. Chairman, for holding this 
hearing and hopefully, we will move on a strong bipartisan 
basis to use the Raid to get those little guys out of there.
    I yield back my time.
    Mr. Stearns. I thank the gentleman. The gentleman from New 
Hampshire, Mr. Bass.
    Mr. Bass. Thank you, Mr. Chairman, a great hearing. I've 
all the same issues that everybody else has talked today. I'm 
eager to hear the witnesses, so I yield back.
    Mr. Stearns. I thank the gentleman. Mr. Otter?
    Mr. Otter. Well, thank you, Mr. Chairman, and let me join 
in this core of folks in showing appreciation to Ms. Bono for 
her efforts on bringing this to our attention and also holding 
this hearing and getting some sort of a resolve.
    Over the last few years, this Congress has debated the 
privacy issues on many fronts. The passage of the Health 
Insurance Portability and Accountability Act, created new 
privacy protection for individuals in the health market. 
However, Congress also passed the Patriot Act which has caused 
many, including myself, to carefully evaluate the value we 
place on personal privacy. I believe many in the public are not 
aware of the many ways they are being watched online, tracked 
online and in recent years there have been an increased 
awareness of identity theft, yet we still hear little about the 
intrusiveness and the risk associated with spyware.
    There's no doubt that the function of spyware is to watch, 
to track, record an individual's internet usage and activity, 
often without the knowledge of the user. I'm very interested in 
hearing from the witnesses today on what they believe is an 
appropriate way to notify users before they download spyware.
    I'm also very concerned about the websites like Kazaa that 
infect computers with spyware in exchange for providing user 
access to stolen goods and then profit from them by selling the 
information collected by spyware to other advertisers. As an 
advocate of personal responsibility, I also believe that users 
who participate in these illegal activities on these sites such 
as music and movie theft, should expect to be taken advantage 
of and I have little sympathy for them.
    If you're going to play with fire, you need to expect to 
get burned. So if you don't want spyware from Kazaa and other 
similar sites on your computer, don't participate in these 
illegal activities.
    Mr. Chairman, once again, I thank you and I thank Ms. Bono 
for the opportunity to examine these issues and look for 
solutions in solving them. I yield back.
    Mr. Stearns. I thank the gentleman and just for his 
information, we're going to have a hearing on this Kazaa and 
the peer to peer later.
    The gentleman from Arizona, Mr. Shadegg.
    Mr. Shadegg. Thank you, Mr. Chairman, I am also anxious to 
hear the witnesses because I think this is an extremely 
important topic. I similarly want to congratulate our colleague 
from California, Ms. Bono, on bringing an important issue to 
the committee. I think this is an issue that we need to be very 
attentive to and quite frankly, it's an area where I think we 
need legislation. I want to compliment you on holding the 
hearing.
    Mr. Stearns. I thank the gentleman. We also welcome Mr. 
Inslee from the State of Washington. He is a guest here with 
the committee.
    [Additional statement submitted for the record follows:]
Prepared Statement of Hon. Barbara Cubin, a Representative in Congress 
                       from the State of Wyoming
    Thank you, Mr. Chairman, for holding this timely hearing.
    I would also like to thank the distinguished panel of witnesses 
here today. Today's hearing brings together an assembly of panelists 
who are recognized experts of various technological industries, and I 
anticipate their insights to be of unparalleled value as we delve into 
the issues surrounding spyware.
    As Americans become increasingly dependent upon computer technology 
to navigate everyday life, there is a consumer-driven demand for 
technology to be perpetually updated. Unfortunately, in the 
continuously expanding domain of computer technology, there also exists 
the knowledge to utilize software for less desirable results. Today's 
hearing will educate and warn us all of an emerging, largely 
undesirable software technology phenomena known as spyware.
    Today's hearing will foster debate and thought regarding several 
complex issues surrounding spyware. First and perhaps most gravely is 
the need to develop a clear and accepted definition of spyware. We must 
first acknowledge that instances where this type of software can be 
used by third parties for valid and useful purposes do in fact exist. 
However, it is when this technology is utilized by unethical and 
fraudulent purposes that alarm must be raised. While most Americans 
will never understand how spyware is engineered, it is indisputably 
unacceptable for someone to secretly download software onto another's 
computer with the intent of stealing personal information. Therefore, 
today's debate should be based upon the bad practices and deviant 
behavior of promulgators of spyware rather than its technological 
aspects.
    Aside from the need to apply a definition to spyware, there also 
exists a need to examine the more complex matter of enforcing 
punishment of the inappropriate use of this technology. While consumers 
may not object to receiving advertisements, a line that must be drawn 
before people are allowed to use spyware for more invasive and 
intrusive purposes. Today's hearing will reveal what steps software 
industry leaders are taking to protect consumers from such invasions 
and increase our understanding of what role Congress should play in 
this capacity.
    Most importantly, today we have the opportuniy to help raise 
consumer awareness of the increasingly dangerous use of spyware. The 
majority of American consumers have likely been affected by spyware at 
some level, and I foresee today's hearing as the embarkment of a large-
scale campaign to help Americans better educate and protect themselves 
from the inappropriate use of spyware.
    Thank you Chairman, and I yield back the balance of my time.

    Mr. Stearns. We're going to, since the opening statements 
are complete, we're going to depart from the normal schedule 
and hearing from the witnesses. We're going to go to a 
demonstration. I would hope that we would have an actual 
demonstration of how spyware is used and so with that further 
ado, we'll have this demonstration.
    Mr. Friedberg. Actually, it's going to be part of my 
testimony, so I can do it all at once.
    Mr. Stearns. We'll let you start and go ahead and do that 
then.

 STATEMENTS OF JEFFREY FRIEDBERG, DIRECTOR OF WINDOWS PRIVACY, 
   MICROSOFT; DAVID N. BAKER, VICE PRESIDENT, LAW AND PUBLIC 
  POLICY, EARTHLINK; HON. MOZELLE W. THOMPSON, COMMISSIONER, 
   FEDERAL TRADE COMMISSION; J. HOWARD BEALES III, DIRECTOR, 
 BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION; AND 
  ARI SCHWARTZ, ASSOCIATE DIRECTOR, CENTER FOR DEMOCRACY AND 
                           TECHNOLOGY

    Mr. Friedberg. Great. Chairman Stearns, Ranking Member 
Schakowsky and members of the subcommittee, my name is Jeffrey 
Friedberg and I am the Director of Windows Privacy at Microsoft 
Corporation. Thank you for the opportunity to share our views 
on this growing threat to computer users around the world. I'd 
like to comment the subcommittee for holding this hearing and 
its bipartisan approach to this important consumer issue.
    I'd also like to acknowledge Representatives Bono and Towns 
for the time and energy they have invested.
    Spyware and deceptive software share a common theme. They 
use ambiguity, coercion, deceit and outright trickery to lure 
and even force users to execute or install unwanted programs. 
They can be invasive, offensive and even destructive.
    Our customers complaint that deceptive software degrades 
their computing experiences, in some cases, making their 
computers unusable. We have evidence that this software is at 
least partially responsible for approximately half of the 
application crashes our customers report to us. It has become a 
multi-million dollar support issue for computer manufacturers, 
ISPs and companies like Microsoft.
    I'm going to show you some examples of how our customers 
have been tricked. My first slide illustrates what we call a 
pop-under exploit. We don't have it on the back screen at the 
moment.
    Chairman Barton. I think we have spyware infecting our 
application here.
    Mr. Friedberg. Great.
    Mr. Stearns. Do you just want to turn down the lights a 
little bit? Is that possible to do that?
    Mr. Friedberg. So in this case a user goes to a website 
they trust. I've simulated a news website here, may be their 
favorite site, and after a delay----
    Mr. Stearns. Just pull the mic up a little bit more because 
when you turn your head, we lose you.
    Mr. Friedberg. Sorry. And after a delay, they get the 
security warning which is normal which says hey, somebody is 
trying to download software to you. Now the user thinks this 
might be coming from the trusted site, but if you watch the 
screen carefully, you'll notice that it's actually coming from 
a window underneath, what we call a pop-under window that's 
just lying in wait, hoping that this can happen in which case 
the user might think this download is for the trusted site and 
might click yes.
    This next one which is one of my favorites is cancel means 
yes. If you look at this screen, it looks like an official 
security update or some kind of privacy update. In fact, if you 
read it carefully, it says this is a security update, a 
personal privacy protection update and a system update. They've 
used every buzz word they can imagine and it's provided these 
okay and cancel buttons and it looks quite bona fide. The 
reality is is that this is actually just an image and none of 
these buttons are functional. In fact, if you click on the okay 
or even the little X in the corner, it will all take you to the 
site and attempt to download software to your machine. This is 
quite deceptive.
    Here's another example of the same kind of trick. The 
security alert in this window is embedded and again provides 
the Yes/No cancel buttons, but it's just a picture and people 
can embed pictures in web pages. This is a normal thing. But it 
tricks users and they click somewhere on this window and one of 
these buttons and it still takes them to the site and attempts 
to download the software.
    Another thing that bothers me about it is it says 
``warning, your computer is being attacked by spyware and 
adware.'' Well, how do they know that? I mean this is basically 
just scare tactics in order to get people to download this 
software.
    Finally, in the browser there's a security setting. This is 
one other way that unwanted software can end up on your 
machine. If you set it to the low setting, it means that all 
sites you visit are trusted. I call this leaving your front 
door open. In this case, there's no warning, the software will 
simply load because you've told the system everything is 
trusted. We first off have a default which is medium and we 
recommend to users to leave it at medium or higher. So these 
slides provide just a sample of the ways users can be tricked. 
I've included other examples in my written testimony.
    There is no silver bullet to address the wide range of 
issues with deceptive software. We believe it will take a 
comprehensive approach that has four key elements. The first is 
better consumer education. Today's hearing and last week's FTC 
workshop heightened consumer awareness of the problems caused 
by deceptive software. To complement these efforts, Microsoft 
recently launched a website www.microsoft.com/spyware to help 
consumers understand, identify, prevent and remove deceptive 
software.
    The next element is technology. Microsoft will make 
available this summer a free update to Windows XP called 
Service Pack 2. It will include a new pop up blocker and pop 
ups is one of the most common ways that people get a 
proposition for a download through a pop up experience. Pop up 
blocker shows up in this thing called an information bar in 
Internet Explorer. It gives people both notice and choice of 
what's happening to them with the pop ups. They can choose to 
block them or choose to allow them through or do that by site.
    I know my financial institution needs pop ups to work, so I 
would turn up pop ups for that site.
    Another feature is this new download blocker. It 
specifically is designed to prevent forced downloads. These are 
downloads that are unsolicited. You go visit a website and 
somebody attempts to jam software on your machine. Instead of 
that happening, you get a little warning in this little 
information bar that says hey, someone is trying to download 
some software, what do you want to do? And you don't have to 
take any action. By having this blocker, you don't have to be 
interrupted and take action and it's suppressed until you 
decide on your terms to do something about.
    This helps with two problems. One is that it prevents the 
pop-under exploit I mentioned earlier and second, I have small 
kids and they don't even read and I ended up with some kind of 
spyware in my system because they clicked yes to some dialog 
that popped up in the middle of a game. This would prevent that 
from happening. They won't even see that opportunity to 
download this kind of software.
    We've also cleaned up the install prompts. The one on the 
left is the old one and there's opportunity for some publishers 
to throw a lot more information there we had wanted originally 
which makes a very confusing experience. If you've actually 
looked at the one on the left more carefully, it's almost a 
miniature license agreement thrown in this experience which is 
totally inappropriate.
    The one on the right makes that much more difficult to do 
and it truncates the line, makes it much easier to spot someone 
trying to trick you. We also added a new feature called never 
accept software from a publisher. So you could choose by 
publisher to say look, I don't want software from you anymore 
and block that from happening.
    The last thing, as I mentioned earlier about leaving your 
front door open, it seems intuitively obvious well look, if low 
is kind of dangerous for most users, why do you offer it? So 
now we actually pop an arrow that says look, you really can't 
set it to low anymore. Expert users can get around this and if 
they want to lower their settings they can, but for the 
majority of users, at least we've done something to slow down 
this accidental way that they leave their doors open.
    So these improvements, as well as others we are working on, 
will advance our goal of helping users better understand what 
software they are running and installing and whether they can 
trust it.
    The third element of our approach is industry-wide best 
practices which we believe will create an incentive for 
legitimate software publishers to do the right thing. Best 
practices will also serve as a foundation for programs that 
certify good actors and thereby enable consumers to make more 
informed decisions. In the end, we believe self-regulatory 
measures will best account for the complexities of different 
software applications and evolve to meet the ever-changing 
nature of technology.
    The fourth element is aggressive enforcement of existing 
laws. Such enforcement could put some of the most insidious 
violators out of business which would have a significant impact 
on the amount and the type of deceptive software that is 
produced and distributed in the United States.
    Finally, for what is not already illegal under existing 
law, Federal legislation can help fill in the gaps. That said, 
any legislation must carefully target deceptive behavior rather 
than specific features or functionalities. My written testimony 
provides examples of areas in which legislation can impose 
ineffective or impractical requirements. As you consider 
legislating in this area, we urge you to avoid such unintended 
consequences.
    In conclusion, we applaud the subcommittee for holding this 
hearing today and appreciate the opportunity to share our 
experience and recommendations. We are committed to working 
with you to thwart the efforts of those who produce industry-
deceptive software and to restore choice and control to our 
customers.
    Thank you.
    [The prepared statement of Jeffrey Friedberg follows:]

 Prepared Statement of Jeffrey Friedberg, Director of Windows Privacy, 
                         Microsoft Corporation

    Chairman Stearns, Ranking Member Schakowsky, and Members of the 
Subcommittee: My name is Jeffrey Friedberg, and I am the Director of 
Windows Privacy at Microsoft Corporation. I want to thank you for the 
opportunity to share with the Subcommittee our views on this burgeoning 
threat to computer users around the world. Spyware and other deceptive 
software share a common theme: they use ambiguity, coercion, deceit, 
and outright trickery to lure or even force users to execute or install 
unwanted and often invasive programs. Our customers complain that this 
software degrades their computing experiences--in some cases rendering 
their computers unusable--and causes them to feel frustrated and out of 
control. It also compromises their privacy and can make their computers 
more susceptible to attack.
    Microsoft applauds Congress and the members of this Subcommittee 
for their attention to this problem. In particular, we would like to 
acknowledge Representatives Mary Bono and Ed Towns for the time and 
energy they have invested. Stopping the spread of deceptive software is 
one of Microsoft's highest priorities. We are committed to providing 
consumers with the information and technology that will help protect 
them against deceptive software. And we are committed to working with 
you, law enforcement, and others in the industry to identify and 
penalize the perpetrators of these nefarious programs.
    Today, I want to describe the nature and nuances of deceptive 
software, and explain Microsoft's comprehensive strategy for tackling 
this issue. As with any issue that raises consumer protection concerns, 
there are a number of ways in which the public and private sectors, 
working together, can address the problem. These include educating 
consumers, developing new technology to help protect users and to 
empower them to make more informed choices, identifying industry 
standards and best practices, and taking enforcement actions against 
those engaged in fraudulent, deceptive, and unfair practices. To the 
degree existing law fails to capture bad actors, legislation could 
complement this strategy, but we believe it should be carefully crafted 
to target the bad behavior--not the underlying technology. Overbroad 
legislation could place an undue burden on legitimate software, and 
seriously undermine the user experience.
What Is Deceptive Software?
    Let me explain what, exactly, I mean by deceptive software. 
Deceptive software generally describes programs that gain unauthorized 
access to a computer--whether to spy on user activities, hijack user 
configurations, or deliver intrusive and unwanted pop-up 
advertisements. The common thread that unifies deceptive software 
programs--and that distinguishes them from legitimate applications--is 
their lack of notice and choice, and their absence of respect for 
users' ability to control their own computers. With proper disclosure, 
user authorization and control, these same features can be an asset: 
user-approved tracking can lead to personalization; user-approved 
configuration changes (for example, setting a new search page) can 
yield a better user experience; and user-approved displaying of 
advertisements can subsidize the cost of a service (such as e-mail), 
making it cheaper or even free for consumers. In short, the problem is 
with bad practices, not the underlying features.
    There is a spectrum of tricks that cause consumers to load software 
applications that they may not want. To better understand these tricks, 
it is useful to first briefly describe a legitimate download 
experience. I would like to draw your attention to Slide A: ``User 
Initiates Download.'' This slide represents a typical web site 
consumers might visit. On the web site is a link for downloading a 
program (in this example, a program that will display a ``stock 
ticker''). When users click on the link, the operating system displays 
a security warning that asks them whether they want to install the 
program, as shown in Slide B: ``Security Warning Displayed.'' These 
security warnings are a normal part of the computing experience.
    In some instances, however, web sites manipulate the download 
experience in an attempt to mislead users. When users are presented 
with a download request and security warning, they will often consider 
the web site they are visiting to decide whether to accept the 
download. If the web site is one they trust, they may simply accept the 
download without much thought. Using a deceptive technique we call a 
pop-under exploit, however, some web sites take advantage of this 
trust, going out of their way to make it more difficult for users to 
tell which web site is actually offering the download. For example, on 
Slide C: ``Pop-Under Exploit--Step 1,'' users who are visiting a 
legitimate website are presented with a download request that appears 
to have been generated from that site, which we see on Slide D: ``Pop-
Under Exploit--Step 2.'' In fact, the download request was actually 
launched from a web page that is hidden beneath the legitimate site, as 
we see on Slide E: ``Pop-Under Exploit--The Trick.'' Launching a 
download request from a pop-under can result in a confusing or even 
misleading experience. It is likely that the user, who cannot easily 
view the underlying web page, will assume that the request came from 
the legitimate site and may choose to download the software for this 
reason.
    Web sites are often compensated for each software download that 
occurs from their site and in order to increase this volume, some web 
sites will resort to deceptive practices. For example, a web site might 
confuse users so that no matter where they click, they are taken to a 
page that requires a download. In this scenario, shown on Slide F: `` 
`Cancel' Means `Yes,' '' a user is presented with an image that mimics 
a security warning or update and appears to provide the user with 
appropriate choices about downloading certain software. However, even 
if the user clicks the ``Cancel'' button or the ``[x]'' box to close 
the window, the web site will attempt to download the software onto the 
user's machine. This type of trick can also take place through embedded 
security alerts, as shown on Slide G: ``Faux Security Alert,'' where 
all buttons in the alert mean ``yes'' and initiate a download 
experience the user did not want.
    Perhaps the most nefarious way that software is installed requires 
no action on the part of the user. In this scenario, bad actors exploit 
a security hole and covertly install software without any notice to or 
consent from the user. This practice is illegal under existing law, but 
bad actors still attempt to deceive users in this fashion. To educate 
consumers on the steps they can take to minimize this risk, we created 
a web site, www.microsoft.com/protect, that recommends (1) keeping 
systems up to date using the free Windows Update service, (2) running 
up-to-date anti-virus software, and (3) using a firewall like the one 
included with Windows XP.
    There is one other way that software can get installed without any 
action on the part of the user. If a user sets their browser security 
setting to ``low,'' as illustrated on Slide H: ``Don't Leave Your Front 
Door Open,'' all sites are assumed to be ``trusted,'' and no security 
warning will be displayed. This can result in what are called ``drive-
by-downloads,'' in which the download silently and automatically occurs 
by just visiting a web site. Microsoft encourages users to leave their 
security settings on the default setting of ``medium'' or higher, and 
in cases where the browser security level must be set on ``low,'' we 
encourage users to reset security back to a higher level as soon as 
possible.
    These slides illustrate just a few of the ways in which users can 
be tricked into downloading unwanted and sometimes destructive 
software. Other tricks include limiting users' ability to make a fair 
choice by repeatedly asking them to make a decision until they say 
``yes''; covertly installing software by piggybacking on other software 
being installed; pretending to uninstall; and re-installing without 
authorization.
Deceptive Software is a Growing Problem for Our Customers
    Our customers are becoming increasingly frustrated by unwanted and 
deceptive software. We receive thousands of calls from customers each 
month directly related to unwanted or deceptive software, and we have 
evidence that suggests such software is at least partially responsible 
for approximately one-half of all application crashes that our 
customers report to us. In addition, our industry partners who make 
computers--sometimes referred to as ``Original Equipment 
Manufacturers'' or OEMs--have indicated that unwanted and deceptive 
software is one of the top support issues they face, and that it costs 
many of the larger OEMs millions of dollars per year.
    Other estimates support the growing threat of the problem. 
According to the security software firm PC Pitstop, nearly a quarter of 
personal computers are afflicted with some type of unwanted or 
deceptive software application. More aggressive estimates place the 
total at between 80 and 90 percent of all PCs. Indeed, a 2003 study by 
the National Cyber Alliance found that 91 percent of broadband 
customers have some form of unwanted or deceptive software on their 
home computers.
    What may be most alarming is the growth of these programs over the 
past year. PestPatrol, which sells spyware detection and removal 
software, estimates that there are now more than 78,000 separate 
spyware programs in use. In the past year, PestPatrol identified more 
than 500 new Trojan horses (which are programs that provide unlimited 
access to PCs), 500 new key loggers (which monitor and record a user's 
keystrokes), and nearly 1,300 new forms of programs that display 
advertisements. The past year has also seen spyware manufacturers gain 
strides in their ongoing technological battle against anti-spyware 
removal and detection systems. Over the past six months, the number of 
``burrowers''--programs that dig so deeply into an operating system 
that they cannot be found or removed without major and potentially 
damaging surgery--has increased from six to more than 40.
    The explosion in the volume of unwanted and deceptive software has 
had an enormous impact on Microsoft, as has the accompanying increase 
in the complexity with which those programs operate and the damage that 
they do. Many of our customers blame the problems caused by these 
programs on Microsoft software, believing that their systems are 
operating slowly, improperly, or not at all because of flaws in our 
products or other legitimate software. This costs us not only millions 
of dollars per year in otherwise unnecessary support calls, but also 
immeasurable damage to our reputation and, most importantly, to our 
efforts to optimize our customers' computer experiences.
Adopting a Comprehensive Strategy To Combat Unwanted and Deceptive 
        Software
    As I have shown, there is a continuum of behaviors that lead or 
trick users into downloading unwanted software programs. In the same 
vein, there is a continuum of solutions that we believe must be part of 
the strategy to end these behaviors and curb the spread of deceptive 
software. This strategy has four prongs: widespread customer education; 
innovative technology solutions; improved industry self-regulation; and 
aggressive enforcement under existing state and federal laws. As I 
mentioned previously, new, carefully crafted and narrowly focused 
legislation can also play a role to the extent that existing laws do 
not fully address certain deceptive or misleading practices.
Addressing the Problem Starts with Consumer Education
    The first step in the battle against unwanted and deceptive 
software is better consumer education. Once confined to the back pages 
of industry journals, the problem is beginning to move to the 
mainstream of consumer protection issues, as last week's workshop at 
the Federal Trade Commission and today's hearing demonstrate. These 
public forums are essential in heightening consumer awareness of the 
problems caused by deceptive software.
    To complement those efforts, Microsoft recently launched a 
website--www.microsoft.com/spyware--with information that is 
specifically designed to help consumers understand, identify, prevent, 
and remove unwanted and deceptive software. This website explains what 
spyware is and why it can be dangerous; tells users how they can 
protect their machines from being compromised by these unauthorized 
programs; helps consumers ascertain whether their computers already 
contain unwanted or deceptive software by describing its symptoms, such 
as sluggish performance, an increase in random pop-up advertisements, 
and a hijacked home page; and points users to third-party tools that 
can detect and remove these programs.
    Microsoft is committed to working with Congress and the FTC to 
continue educating consumers about the ways they can prevent unwanted 
and deceptive software from attacking their PCs. While the Internet is 
an incredible resource that has enabled--and will continue to enable--
countless and sweeping improvements in communications, commerce, and 
government, that same power requires that computer users take the same 
care for their safety and security online as they would offline. As an 
industry leader, we acknowledge and strive to fulfill our 
responsibility to educate consumers about these and other related 
issues. Consumers who take steps to remove or prevent the installation 
of this software will not only preserve their own privacy, security, 
and optimum computer experiences, but they will make an important 
contribution to the larger effort of generally eliminating the problem. 
The entities that produce these programs will have much less incentive 
to create and download their products if consumers take steps to block 
their use--or at least do not respond to the seller on whose behalf the 
deceptive software purveyor is operating.
Industry Is Working on New Technology To Combat Deceptive Software
    The development of anti-spyware technology should complement the 
impact of consumer education and awareness. For example, third parties 
have released anti-spyware programs that enable users to remove or 
disable many examples of unwanted and deceptive software from their PCs 
without damaging their existing hardware or legitimate software. These 
tools are continually being improved to address new variants and 
scenarios.
    Microsoft is working on enhancements that will also help address 
the problem. For example, we will soon be introducing Windows XP 
Service Pack 2--a free update for all licensed Windows XP users--that 
includes features designed to block some of the entry points and 
distribution methods of deceptive software by better informing users in 
advance about the type of software they will be installing. These 
enhancements include:

 A new pop-up blocker, turned on by default, that will reduce a user's 
        exposure to unsolicited downloads (See Slide I: ``New Popup 
        Blocker'');
 A new download blocker that will suppress unsolicited downloads until 
        the user expresses interest (See Slide J: ``New Download 
        Blocker'');
 Redesigned security warnings that make it easier for users to 
        understand what software is to be downloaded, make it more 
        obvious when bad practices are used (e.g., multi-line program 
        names), and allow users to choose to never install certain 
        types of software (See Slide K: ``Improved Install Prompts'');
 A new policy that restricts a user's ability to directly select 
        ``low'' security settings (See Slide L: ``Harder to Leave Your 
        Front Door Open''); and,
 Tools to help expert users and support professionals understand and 
        disable unwanted functionalities that have been added to the 
        browser. (See Slide M: ``New Add-On Manager.'')
    Beyond Windows XP Service Pack 2, Microsoft is investing in future 
technologies that advance our goal of giving users the ability to 
understand what software they are running and installing, and whether 
they can trust it. We continue to explore ways that we can better 
inform consumers in advance about programs that they plan to install, 
and to provide them with more control over the installation itself. We 
also are striving to enhance and simplify the ways in which our 
customers can see what software is running on their computers, and to 
evaluate what to do with that software based on their preferences. And 
we are working to advance technologies that can be used by our entire 
spectrum of customers--from the most sophisticated enterprise to the 
most novice consumer--because we want them all to have an equally 
fulfilling computer experience.
Industry Best Practices Are an Important Part of the Solution
    The third important part of our strategy is to develop a set of 
industry-wide best practices. Developing best practices is critical 
because they will create an incentive for legitimate software 
publishers to distinguish themselves from less scrupulous publishers 
and minimize the risk of being classified with the bad actors that 
engage in deceptive practices. Best practices will also serve as a 
foundation for programs that certify and label good actors and thereby 
enable users to make more informed decisions about the type of software 
they execute and install on their computers.
    The first step in this process is developing an understanding of 
the devious, deceptive, or unfair practices that adversely affect 
consumers. The Center for Democracy and Technology (CDT) has made great 
strides in this area through its Consumer Software Working Group, of 
which we are a member. This group includes public interest 
organizations, software companies, Internet service providers, and 
hardware manufacturers, all of whom have worked hard to identify a set 
of deceptive practices that raise serious concerns. These practices--
many (if not all) of which are illegal under existing law--should help 
focus regulatory and law enforcement efforts on the truly bad actors.
    In addition to recognizing bad practices, we think it is equally 
important to begin to develop best practices in certain scenarios. 
These scenarios include the collection and transmission of personal 
information, the display of advertisements, and changes to 
configuration settings that affect the Internet browser home page or 
browser search page. The touchstone of these best practices should be 
appropriate notice and consent. Users should understand what the 
software will do in these scenarios before it is executed, and they 
should then have a choice about whether to execute it. In addition, 
programs with these features that are installed on a user's computer 
should also be easily uninstalled or disabled--or if that is not 
possible, the user should be clearly informed of that fact upfront.
    Microsoft is actively extending its best practices to explicitly 
include the scenarios highlighted above. We are committed to working 
with other companies in the industry to ensure that users have high-
quality experiences with legitimate software. And we would be happy to 
share our best practices to the extent they would be helpful in moving 
the industry forward to this common goal. In the end, self-regulatory 
measures more than federal requirements will help industry leaders 
define and implement best practices that account for the complexities 
of different software applications and can evolve to meet the ever-
changing nature of technology.
Enforcement Is a Critical Part of the Fight Against Deceptive Software
    A fourth key weapon to stop the spread of deceptive software is the 
aggressive enforcement of existing laws. Such enforcement could put 
some of the most insidious violators out of business, which would have 
a significant impact on the amount and type of deceptive software that 
is produced and distributed in the United States. Moreover, a few 
targeted enforcement actions would serve as a powerful deterrent to 
other manufacturers of deceptive software.
    Enforcement actions are possible using existing law. For example, 
under the Federal Trade Commission Act, the FTC is empowered to 
challenge unfair and deceptive trade practices, which--by definition--
are at the heart of virtually all deceptive software programs. Many 
states have similar laws that authorize their own enforcement agencies 
to prosecute entities that engage in these same types of practices. And 
the Computer Fraud and Abuse Act provides other law enforcement 
agencies with the means to address spyware threats that involve hacking 
into users' computers. Given the growing sophistication, diversity, and 
proliferation of spyware, the private and public sectors should combine 
their resources to hold those who publish illegitimate deceptive 
software accountable for their actions and the damage they perpetrate.
Congress Should Proceed Cautiously
    Microsoft is hopeful that the combination of user education, 
improved technology, industry best practices, and enforcement of 
existing laws can effectively combat the growing problem of deceptive 
software. Although we have seen an increase in the amount and 
complexity of deceptive software in recent months, it is encouraging to 
see the stepped-up response of both the public and private sectors. We 
are open to considering whether federal legislation can provide an 
additional layer of protection and another weapon in the fight against 
deceptive software. However, Microsoft offers two important caveats 
when considering federal legislation.
    First, as noted above, many deceptive software programs are already 
either prohibited under existing law--such as the Computer Fraud and 
Abuse Act--or are subject to the FTC's jurisdiction over unfair and 
deceptive trade practices. Any additional federal legislation deemed 
necessary to outlaw deceptive software must be carefully crafted to 
supplement the existing legal framework only where gaps are identified.
    Second, any legislation should target deceptive behavior, rather 
than specific features or functionalities, to avoid imposing unworkable 
requirements on legitimate programs and negatively impacting computer 
users. Examples of some unintended consequences of well-intentioned 
legislation include the following:

 Disruptive User Experience. Many legitimate software programs contain 
        an information-gathering activity to perform properly, 
        including error reporting applications, troubleshooting and 
        maintenance programs, security protocols, and Internet 
        browsers. Imposing notice and consent requirements every time 
        these legitimate programs collect and transmit a piece of 
        information would disrupt the computing experience, because 
        users would be flooded with constant, non-bypassable warnings--
        making it impossible to perform routine Internet functions 
        (such as connecting to a web page) without intolerable delay 
        and distraction.
 Compromised Consent Experience. ``One size fits all'' notice and 
        consent requirements may not give users sufficient context to 
        make informed decisions. For example, requiring notice and 
        consent at the time of installation ignores the importance of a 
        technique we refer to as ``just in time'' consent, which delays 
        the notice and consent experience until the time most relevant 
        to the user--just before the feature is executed. If a program 
        crashes, for instance, Windows Error Reporting functionality 
        will ask the user whether he or she would like to send crash 
        information to Microsoft. At this time, the user is able to 
        examine the type of information that will be sent to Microsoft 
        and to assess the actual privacy impact, if any, of 
        transmitting such information in light of the potential benefit 
        of receiving a possible fix for the problem. In this case, the 
        user understands the costs and benefits of the proposition 
        being made and is able to make an informed choice. Presenting 
        the notice and choice experience at the time of installation, 
        on the other hand, would lack this critical context.
 Unrealistic Uninstall Requirements. Requiring standardized uninstall 
        practices for all software would be unworkable in many 
        circumstances. For example, there are cases where a full and 
        complete uninstall is neither technically possible nor 
        desirable, such as with a software component that is in use and 
        shared by other programs. In addition, there are other cases 
        where an uninstall may be technically possible, but the cost to 
        provide such functionality would be prohibitive, such as with 
        complex software systems that may require the entire software 
        system to be removed. Finally, there are situations where 
        requiring uninstall could actually comprise the security of the 
        system, such as backing out security upgrades or removing 
        critical services.
    There are many other areas in which legislation could fall into 
similar traps, imposing ineffective or impracticable requirements, or 
even threatening PC security and usability. We therefore encourage 
Congress to focus its attention on the devious practices of deceptive 
software, including those identified by CDT and its Consumer Software 
Working Group; to legislate only to the extent such practices are not 
already illegal under existing law; and to engage industry experts in 
understanding the complexities of software, thereby ensuring 
appropriate due diligence to avoid unintended consequences.
    Unwanted and deceptive software is a growing problem, and we 
believe that a multi-faceted approach is needed: improved consumer 
education; new technology solutions; a comprehensive set of industry 
best practices; and aggressive enforcement of existing laws against 
violators. This approach will enable consumers to make more informed 
decisions about installing software; help distinguish good actors from 
bad ones; and make being bad an expensive proposition. We commend the 
Subcommittee for holding this hearing today and thank you for extending 
us an invitation to share our experience and recommendations with you. 
Microsoft is committed to working with you to thwart the efforts of 
those who produce and distribute these deceptive programs, and to 
restoring choice and control back where it belongs--in the hands of 
consumers.

[GRAPHIC] [TIFF OMITTED] T3308.001

[GRAPHIC] [TIFF OMITTED] T3308.002

[GRAPHIC] [TIFF OMITTED] T3308.003

[GRAPHIC] [TIFF OMITTED] T3308.004

[GRAPHIC] [TIFF OMITTED] T3308.005

[GRAPHIC] [TIFF OMITTED] T3308.006

[GRAPHIC] [TIFF OMITTED] T3308.007

[GRAPHIC] [TIFF OMITTED] T3308.008

[GRAPHIC] [TIFF OMITTED] T3308.009

[GRAPHIC] [TIFF OMITTED] T3308.010

[GRAPHIC] [TIFF OMITTED] T3308.011

[GRAPHIC] [TIFF OMITTED] T3308.012

[GRAPHIC] [TIFF OMITTED] T3308.013

[GRAPHIC] [TIFF OMITTED] T3308.014

[GRAPHIC] [TIFF OMITTED] T3308.015

[GRAPHIC] [TIFF OMITTED] T3308.016

[GRAPHIC] [TIFF OMITTED] T3308.017

    Mr. Stearns. I thank you for your demonstration.
    Mr. David Baker, who is Vice President, Law and Public 
Policy with Earthlink. We welcome you.

                   STATEMENT OF DAVID N. BAKER

    Mr. Baker. Mr. Chairman Stearns, Ranking Member Schakowsky, 
ladies and gentlemen of the committee, thank you for inviting 
me here today. I'm Dave Baker, Vice President for Law and 
Public Policy with Earthlink, headquartered in Atlanta. 
Earthlink is the Nation's third largest internet service 
provider, serving over 5 million customers nationwide with 
dial-up, broadband, web posting and wireless internet services.
    Earthlink is always striking to improve its customers 
online experience. To that end, we appreciate the attention 
this committee is paying to the growing problem of spyware. We 
may be at the point in time with regard to the development and 
proliferation of spyware that we were just a year or 2 ago with 
spam. In other words, spyware is just now being noticed by many 
consumers, yet threatens to grow to the point where it could 
soon compromise their online experience and security if it does 
not do so already.
    As the Wall Street Journal noted just this past Monday, 
April 26, ``indeed spyware, small programs that install 
themselves on computers to serve up advertising, monitor web 
surfing and other computer activities and carry out other 
orders is quickly replacing spam as the online annoyance 
computer users most complain about.''
    Also like spam, we must fight spyware on several fronts, 
using legislation, enforcement, customer education and 
technology solutions. To this end, we applaud the efforts of 
Congresswoman Bono, Congressman Towns, other members and this 
committee to introduce legislation such as H.R. 2929, the 
Safeguard Against Privacy Invasions or SPI Act, prohibiting the 
installation of software without consent, requiring uninstall 
capability, establishing requirements for transmission pursuant 
to license agreements and requiring notices for collection of 
personally identifiable information, intent to advertise, and 
modification of user settings are all steps that will empower 
consumers and keep them in control of their computers and their 
online experience.
    As a leading internet provider, EarthLink is on the front 
lines in combating spyware. EarthLink makes available to both 
its customers and the general public technology solutions to 
spyware such as EarthLink Spy Audit powered by Webroot. Spy 
Audit is a free service that allows users to quickly examine 
his or her computer and detect spyware. A free download of Spy 
Audit is available at our website and a screen shot of this web 
page is attached as Exhibit A to my testimony. EarthLink 
members also have access to Spyware Blocker which disabled all 
common forms of spyware including adware, system monitors, key 
loggers and Trojans. EarthLink Spyware Blocker is available 
free for EarthLink members as a part of Total Access 2004, our 
internet access software and a screen shot with information on 
Spyware Blocker is attached as Exhibit B to my testimony.
    We include useful tools such as spamBlocker, Pop-Up 
Blocker, Virus Blocker, Privacy Tools and Parental Controls in 
addition to Spyware Blocker and we will soon be introducing 
Scam Blocker which will help users detect and avoid nefarious 
fisher sites.
    On April 15, 2004, EarthLink and Webroot announced the 
results of their Spyware Audit report. Over 1 million Spy Audit 
scans performed from January 1 through March 31st of this found 
over 29.5 million instances of spyware. This represents almost 
28 instances of spyware per scanned PC. While approximately 
23.8 million of these installations were mostly harmless adware 
cookies, the scans revealed over 5.3 million installations of 
adware and more seriously, over 184,000 system monitors, and 
almost 185,000 Trojans. A copy of the EarthLink/Webroot press 
release detailing these findings is attached as Exhibit C to my 
testimony.
    Spyware is thus a growing problem that demands the 
attention of Congress, the FTC, consumers and industry alike. 
Through the efforts of Congress to introduce legislation like 
the SPI Act, the FTC to investigate the issue at its recent 
spyware workshop and through industry development of anti-ware 
tools, we can all help protect consumers against a threat that 
is often unseen, but very much real.
    Thank you for having me here today.
    [The prepared statement of David N. Baker follows:]

    Prepared Statement of David N. Baker, VP, Law & Public Policy, 
                            EarthLink, Inc.

    Mr. Chairman, Ladies and Gentlemen of the Committee, thank you for 
inviting me here today. I am Dave Baker, Vice President for Law and 
Public Policy with EarthLink. Headquartered in Atlanta, EarthLink is 
the nation's 3rd largest Internet Service Provider (ISP), serving over 
5 million customers nationwide with dial-up, broadband (DSL, cable and 
satellite), web hosting and wireless Internet services. EarthLink is 
always striving to improve its customers' online experience. To that 
end, we appreciate the attention this committee is paying to the 
growing problem of spyware.

Spyware: The Next Spam?
    We may be at a point in time with regard to the development and 
proliferation of spyware that we were just a year or two ago with spam. 
In other words, spyware is just now being noticed by many consumers yet 
threatens to grow to the point where it could soon compromise their 
online experience and security, if it does not do so already.
    As the Wall Street Journal noted just this past Monday, April 26, 
``Indeed, spyware--small programs that install themselves on computers 
to serve up advertising, monitor Web surfing and other computer 
activities, and carry out other orders--is quickly replacing spam as 
the online annoyance computer users most com-plain about.''
    Also like spam, we must fight spyware on several fronts, using 
legislation, enforcement, customer education and technology solutions. 
To this end, we applaud the efforts of Congress and this committee to 
introduce legislation such as H.R. 2929, the Safeguard Against Privacy 
Invasions (SPI) Act. Prohibiting the installation of software without 
consent, requiring uninstall capability, establishing requirements for 
transmission pursuant to license agreements, and requiring notices for 
collection of personally identifiable information, intent to advertise 
and modification of user settings are all steps that will empower 
consumers and keep them in control of their computers and their online 
experience.

EarthLink Experience
    As a leading Internet provider, EarthLink is on the front lines in 
combating spyware. EarthLink makes available to both its customers and 
the general public technology solutions to spyware such as EarthLink 
Spy Audit powered by Webroot (``Spy Audit''). Spy Audit is a free 
service that allows a user to quickly examine his or her computer and 
detect spyware. A free download of Spy Audit is available at 
www.earthlink.net/spyaudit. (See Exhibit A, attached hereto.) EarthLink 
members also have access to EarthLink Spyware Blocker, which disables 
all common forms of spyware including adware, system monitors, key 
loggers and Trojans. EarthLink Spyware Blocker is available free for 
EarthLink members as part of Total Access 2004, our Internet access 
software. See www.earthlink.net/home/software/spyblocker (Exhibit B, 
attached hereto).
    Total Access 2004 includes useful tools such as spamBlocker, Pop-Up 
Blocker, Virus Blocker, Privacy Tools and Parental Controls in addition 
to Spyware Blocker.
    On April 15, 2004, EarthLink and Webroot announced the results of 
their Spy Audit report. Over 1 million Spy Audit scams performed from 
January 1, 2004 to March 31, 2004 found over 29,500,000 instances of 
spyware. This represents almost 28 instances of spyware per scanned PC. 
While approximately 23.8 million of these installations were mostly 
harmless adware cookies, the scans revealed over 5.3 million 
installations of adware, and more seriously, over 184,000 system 
monitors, and almost 185,000 Trojans. A copy of the EarthLink/Webroot 
press release detailing these findings is attached hereto as Exhibit C.

Conclusion
    Spyware is thus a growing problem that demands the attention of 
Congress, the FTC, consumers and industry alike. Through the efforts of 
Congress to introduce legislation like the SPI Act, the FTC to 
investigate the issue at its recent spyware workshop, and through 
industry development of anti-spyware tools, we can all help protect 
consumers against a threat that is often unseen, but very much real.
    Thank you for your time today.

    Mr. Stearns. I thank the gentleman. I'm going to go to the 
Honorable Mozelle Thompson, Commissioner, Federal Trade 
Commission and welcome you.

              STATEMENT OF HON. MOZELLE W. THOMPSON

    Mr. Thompson. Thank you, Mr. Chairman and Ranking Member 
Schakowsky, members of the committee and subcommittee. It's 
good to see you.
    As you know, I'm Commissioner at the FTC and I wish to 
thank the committee for holding this hearing on the important 
subject of spyware. I also appreciate the opportunity to appear 
before you today.
    As you know--well, first, let me begin by telling you the 
views I express here are my own and not necessarily those of 
the Commission.
    As you know, the FTC has long been involved with internet 
issues like online privacy, identity theft, cross border fraud 
and spam. And our experience has given us a unique vantage 
point to view developments in the consumer marketplace and 
identify issues that warrant public attention.
    Last week, the Commission held a 1-day public workshop on 
one of those topics, the distribution and effects of software 
commonly referred to as spyware. We began our workshop by 
asking participants to define what spyware is. As the chairman 
noted, spyware commonly refers to software that essentially 
monitors consumers' computing habits and as such, it 
necessarily raises privacy issues. This software can offer 
consumers and businesses various benefits, including a 
streamline interactive online experience and updates and can 
allow businesses to more effectively communicate with their 
customers. However, spyware can also be used as secret software 
that surreptitiously gathers information and transmits it to 
third parties without the subject's knowledge or consent. 
Sometimes these uses can result in identity theft and other 
types of fraud and in some cases can interfere with the 
computer's operability.
    These activities undermine consumer confidence in the 
marketplace and can also impose extra costs on good actors who 
are forced to compete against those willing to engage in 
deception, fraud or worse.
    I used our workshop as an opportunity to challenge industry 
to promptly develop a set of best practices with respect to 
spyware. These practices should contain several critical 
elements including meaningful notice and choice so the 
consumers can make informed decisions about whether or not they 
wish to deal with an online business that uses monitoring 
spyware or partners with companies that do.
    I also asked industry to develop a public campaign to 
educate consumers and businesses about what spyware is and how 
it operates. This public campaign should also discuss the array 
of technological tools that are available for consumer use. 
Finally, I called upon industry to establish a mechanism that 
will allow businesses and consumers to maintain a continuing 
dialog on how government can take action against those who do 
wrong and undermine consumer confidence through the misuse of 
spyware.
    Now some Members of Congress, including Representative Bono 
and Towns, are calling for spyware legislation. I commend you 
for bringing important public attention to this issue. And I 
understand the desire to take action before the problems 
associated with spyware grow worse and injure more consumers 
and businesses, but I do not believe legislation is the answer 
at this time.
    Instead, I respectfully submit that we should give industry 
an opportunity to respond to my challenge. My experience 
working on issues like online privacy and spam tells me that in 
approaching such problems any solution must at the very least 
be based on transparency, adequate notice and consumer choice. 
So I've used my challenge as a way to set out what I consider 
to be the critical elements that should form a baseline for any 
industry response. If the self-regulatory response is not 
timely or is inadequate, another perhaps legislative approach 
might be appropriate.
    In any event, whatever is done in this area should work in 
conjunction with existing laws like the FTC Act which allows 
the Commission to take action against deceptive or unfair 
practices.
    I make this suggestion with some circumspection, 
recognizing that there are many who would like Congress to act 
now. But absent a comprehensive data privacy law in the United 
States and recognizing the challenge posed by defining spyware 
because it has beneficial and not beneficial uses, I believe 
that self-regulation, combined with enforcement of existing 
laws will help address many of the issues raised in this area.
    I am also aware that States might be anxious to legislate 
here, but I ask them to be cautious as well because a patchwork 
of differing and inconsistent State approaches might be 
confusing to industry and consumers alike.
    Now finally, as I mentioned, spyware raises important 
privacy concerns and several years ago I appeared before 
Congress and suggested that a Federal law incorporating fair 
information practices might be an acceptable legislative 
response. I believe it may still be, but I don't think it will 
be the most effective in addressing the problems posed by 
spyware.
    For the time being, however, a strong, responsible and 
prompt industry self-regulatory response may provide an 
effective solution for the problems that spyware poses for both 
consumers and industry.
    Thank you very much.
    [The prepared statement of Hon. Mozelle W. Thompson 
follows:]

           Prepared Statement of The Federal Trade Commission

    Mr. Chairman and members of the Committee, the Federal Trade 
Commission (``Commission'' or ``FTC'') appreciates this opportunity to 
provide the Commission's views on ``spyware.'' 1
---------------------------------------------------------------------------
    \1\ The written statement presents the views of the Federal Trade 
Commission. Oral statements and responses to questions reflect the 
views of the speaker and do not necessarily reflect the views of the 
Commission or any other Commissioner.
---------------------------------------------------------------------------
    The FTC has a broad mandate to prevent unfair competition and 
unfair or deceptive acts or practices in the marketplace. Section 5 of 
the Federal Trade Commission Act gives the agency the authority to 
challenge acts and practices in or affecting commerce that are unfair 
or deceptive.2 The Commission's law enforcement activities 
against unfair or deceptive acts and practices are generally designed 
to promote informed consumer choice. This statement will discuss the 
FTC's activities related to spyware, including our recent workshop and 
potential law enforcement actions.
---------------------------------------------------------------------------
    \2\ 15 U.S.C.  45.
---------------------------------------------------------------------------
                          FTC SPYWARE WORKSHOP

    For nearly a decade, the FTC has addressed online privacy and 
security issues affecting consumers. Through a series of workshops and 
hearings, the Commission has sought to understand the online 
marketplace and its information practices, to assess the impact of 
these practices on consumers, and to challenge industry leaders to 
develop and implement meaningful self-regulatory programs.3
---------------------------------------------------------------------------
    \3\ See, e.g., Workshop: Technologies for Protecting Personal 
Information, The Consumer Experience (May 14, 2003); Workshop: 
Technologies for Protecting Personal Information, The Business 
Experience (June 4, 2003); Consumer Information Security Workshop (May 
20, 2002).
---------------------------------------------------------------------------
    The most recent example of this approach is the workshop entitled 
``Monitoring Software on Your PC: Spyware, Adware, and Other Software'' 
that was held last week. The workshop was designed to provide us with 
information about the nature and extent of problems related to spyware, 
and possible responses to those problems. Specifically, the workshop 
focused on four main topics: (1) defining ``spyware'' and exploring how 
it is distributed (including the role of peer-to-peer file-sharing 
software and whether spyware may differ from ``adware''); (2) examining 
spyware's general effects on consumers and competition; (3) exploring 
spyware's potential security and privacy risks; and (4) identifying 
technological solutions, industry initiatives, and governmental 
responses (including consumer education) related to spyware. 
Underscoring the importance of this issue both FTC Commissioners Orson 
Swindle and Mozelle Thompson personally participated in the workshop.
    To encourage broad-based participation, the FTC issued a Federal 
Register Notice announcing the workshop and requesting public 
comment.4 The Commission received approximately 200 
comments, and the record will remain open until May 21, 2004, for 
submission of additional comments. At the workshop, a wide range of 
panelists engaged in a spirited debate concerning spyware, including 
what government, industry, and consumers ought to do to respond to the 
risks associated with spyware.
---------------------------------------------------------------------------
    \4\ 69 Fed. Reg. 8538 (Feb. 24, 2004), 5 
Some definitions of spyware could be so broad that they cover software 
that is beneficial or benign; software that is beneficial but misused; 
or software that is just poorly written or has inefficient code. 
Indeed, there continues to be considerable debate regarding whether 
``adware'' should be considered spyware. Given the risks of defining 
spyware too broadly, some panelists at our workshop argued that the 
more prudent course is to focus on the harms caused by misuse or abuse 
of software rather than on the definition of spyware.
---------------------------------------------------------------------------
    \5\ For the purposes of the workshop, the FTC Staff tentatively 
described spyware as ``software that aids in gathering information 
about a person or organization without their knowledge and which may 
send such information to another entity without the consumer's consent, 
or asserts control over a computer without the consumer's knowledge.'' 
69 Fed. Reg. 8538 (Feb. 24, 2004), 6
---------------------------------------------------------------------------
    \6\ Panelists at the workshop noted that consumers need to be very 
careful to obtain anti-spyware programs from legitimate providers 
because some purported anti-spyware programs in fact disseminate 
spyware.
---------------------------------------------------------------------------
                          FTC LAW ENFORCEMENT

    As the nation's primary consumer protection agency, the Commission 
also has a law enforcement role to play in connection with unfair or 
deceptive acts or practices involved in the distribution or use of 
spyware.7 At the workshop, FTC and DOJ staff members noted 
that many of the more egregious spyware practices described at the 
workshop may be subject to attack under existing Federal and State 
laws, and the workshop concluded with a request that industry and 
consumer groups notify the FTC staff of problematic practices.
---------------------------------------------------------------------------
    \7\ The Commission will find deception if there is a material 
representation, omission, or practice that is likely to mislead 
consumers acting reasonably in the circumstances, to their detriment. 
See Federal Trade Commission, Deception Policy Statement, appended to 
Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984) (``Deception 
Statement''). An act or practice is ``unfair'' if it causes or is 
likely to cause substantial injury to consumers, that injury is not 
outweighed by any countervailing benefits to consumers and competition, 
and consumers could not have reasonably avoided the injury. 15 U.S.C.  
45(n).
---------------------------------------------------------------------------
    The Commission is conducting non-public investigations related to 
the dissemination of spyware. As discussed at the workshop, however, 
investigating and prosecuting acts and practices related to spyware, 
particularly the more pernicious programs, pose substantial law 
enforcement challenges. Given the surreptitious nature of spyware, it 
often is difficult to ascertain from whom, from where, and how such 
products are disseminated. Consumer complaints, for instance, are less 
likely to lead directly to targets than in other law enforcement 
investigations, because consumers often do not know that spyware has 
caused the problems or, even if they do, they may not know the source 
of the spyware.8 Indeed, computer manufacturers stated at 
our workshop that they believe an increasing number of service calls 
are spyware-related and spyware-related issues are difficult to 
diagnose. Similarly, search engine providers testified that consumers 
complain to them, not realizing that the spyware (not the search 
engine) is causing their dissatisfaction with their search engine.
---------------------------------------------------------------------------
    \8\ Identifying the source of spyware is especially difficult when 
consumers were not even aware that the spyware had been installed.
---------------------------------------------------------------------------
    The Commission has long been active in challenging unfair or 
deceptive acts or practices on the Internet, and spyware cases are not 
fundamentally different. Over the course of nearly a decade, we have 
brought approximately 300 cases challenging Internet practices 
involving substantial consumer harms, including harms similar to those 
posed by some examples of spyware.
    Most recently, in D Squared Solutions, LLC, the defendants 
allegedly exploited an operating system feature to harm consumers. The 
Windows operating system uses ``Messenger Service'' windows to allow 
network administrators to provide instant information to network users, 
for example, a message to let users know that a print job has been 
completed. The defendants in D Squared exploited this feature to send 
Messenger Service pop-up ads to consumers, advertising software that 
supposedly would block such ads in the future. Consumers would receive 
these pop-up ads as often as every ten minutes. The Commission filed a 
complaint in federal court alleging that the defendants unfairly 
interfered with consumers' use of their computers and tried to coerce 
consumers into buying software to block pop-up ads.9
---------------------------------------------------------------------------
    \9\ FTC v. D Squared Solutions, LLC, No. 03-CV-3108 (D. Md. 2003). 
The case is currently in litigation.
---------------------------------------------------------------------------
    The Commission brought several cases challenging the surreptitious 
distribution of dialer programs. A paper submitted at the workshop by 
the Computer Software Working Group 10 identified 
surreptitious downloads as an example of one of the problematic 
practices of some spyware programs. Past Commission actions have 
attacked similar programs that secretly disconnect consumers from their 
Internet Service Providers, reconnect them to another network, and 
charge them exorbitant fees for long distance telephone service or 
entertainment services delivered over the telephone line.11 
We also have challenged the practice of ``pagejacking'' consumers and 
then ``mousetrapping'' them at pornographic web sites.12 
These cases demonstrate that the Commission has the authority under 
Section 5 of the FTC Act to take action to prevent harms to consumers 
similar to those that spyware allegedly causes.
---------------------------------------------------------------------------
    \10\ The Consumer Software Working Group is comprised of public 
interest groups, software companies, Internet Service Providers, 
hardware manufacturers, and others. Available at 1
---------------------------------------------------------------------------
    \1\ The written statement presents the views of the Federal Trade 
Commission. Oral statements and responses to questions reflect the 
views of the speaker and do not necessarily reflect the views of the 
Commission or any other Commissioner.
---------------------------------------------------------------------------
    The FTC has a broad mandate to prevent unfair competition and 
unfair or deceptive acts or practices in the marketplace. Section 5 of 
the Federal Trade Commission Act gives the agency the authority to 
challenge acts and practices in or affecting commerce that are unfair 
or deceptive.2 The Commission's law enforcement activities 
against unfair or deceptive acts and practices are generally designed 
to promote informed consumer choice. This statement will discuss the 
FTC's activities related to spyware, including our recent workshop and 
potential law enforcement actions.
---------------------------------------------------------------------------
    \2\ 15 U.S.C.  45.
---------------------------------------------------------------------------
                          FTC SPYWARE WORKSHOP

    For nearly a decade, the FTC has addressed online privacy and 
security issues affecting consumers. Through a series of workshops and 
hearings, the Commission has sought to understand the online 
marketplace and its information practices, to assess the impact of 
these practices on consumers, and to challenge industry leaders to 
develop and implement meaningful self-regulatory programs.3
---------------------------------------------------------------------------
    \3\ See, e.g., Workshop: Technologies for Protecting Personal 
Information, The Consumer Experience (May 14, 2003); Workshop: 
Technologies for Protecting Personal Information, The Business 
Experience (June 4, 2003); Consumer Information Security Workshop (May 
20, 2002).
---------------------------------------------------------------------------
    The most recent example of this approach is the workshop entitled 
``Monitoring Software on Your PC: Spyware, Adware, and Other Software'' 
that was held last week. The workshop was designed to provide us with 
information about the nature and extent of problems related to spyware, 
and possible responses to those problems. Specifically, the workshop 
focused on four main topics: (1) defining ``spyware'' and exploring how 
it is distributed (including the role of peer-to-peer file-sharing 
software and whether spyware may differ from ``adware''); (2) examining 
spyware's general effects on consumers and competition; (3) exploring 
spyware's potential security and privacy risks; and (4) identifying 
technological solutions, industry initiatives, and governmental 
responses (including consumer education) related to spyware. 

Underscoring the importance of this issue both FTC Commissioners Orson 
Swindle and Mozelle Thompson personally participated in the workshop.
    To encourage broad-based participation, the FTC issued a Federal 
Register Notice announcing the workshop and requesting public 
comment.4 The Commission received approximately 200 
comments, and the record will remain open until May 21, 2004, for 
submission of additional comments. At the workshop, a wide range of 
panelists engaged in a spirited debate concerning spyware, including 
what government, industry, and consumers ought to do to respond to the 
risks associated with spyware.
---------------------------------------------------------------------------
    \4\ 69 Fed. Reg. 8538 (Feb. 24, 2004), 5 
Some definitions of spyware could be so broad that they cover software 
that is beneficial or benign; software that is beneficial but misused; 
or software that is just poorly written or has inefficient code. 
Indeed, there continues to be considerable debate regarding whether 
``adware'' should be considered spyware. Given the risks of defining 
spyware too broadly, some panelists at our workshop argued that the 
more prudent course is to focus on the harms caused by misuse or abuse 
of software rather than on the definition of spyware.
---------------------------------------------------------------------------
    \5\ For the purposes of the workshop, the FTC Staff tentatively 
described spyware as ``software that aids in gathering information 
about a person or organization without their knowledge and which may 
send such information to another entity without the consumer's consent, 
or asserts control over a computer without the consumer's knowledge.'' 
69 Fed. Reg. 8538 (Feb. 24, 2004), 6
---------------------------------------------------------------------------
    \6\ Panelists at the workshop noted that consumers need to be very 
careful to obtain anti-spyware programs from legitimate providers 
because some purported anti-spyware programs in fact disseminate 
spyware.
---------------------------------------------------------------------------
                          FTC LAW ENFORCEMENT

    As the nation's primary consumer protection agency, the Commission 
also has a law enforcement role to play in connection with unfair or 
deceptive acts or practices involved in the distribution or use of 
spyware.7 At the workshop, FTC and DOJ staff members noted 
that many of the more egregious spyware practices described at the 
workshop may be subject to attack under existing Federal and State 
laws, and the workshop concluded with a request that industry and 
consumer groups notify the FTC staff of problematic practices.
---------------------------------------------------------------------------
    \7\ The Commission will find deception if there is a material 
representation, omission, or practice that is likely to mislead 
consumers acting reasonably in the circumstances, to their detriment. 
See Federal Trade Commission, Deception Policy Statement, appended to 
Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984) (``Deception 
Statement''). An act or practice is ``unfair'' if it causes or is 
likely to cause substantial injury to consumers, that injury is not 
outweighed by any countervailing benefits to consumers and competition, 
and consumers could not have reasonably avoided the injury. 15 U.S.C.  
45(n).
---------------------------------------------------------------------------
    The Commission is conducting non-public investigations related to 
the dissemination of spyware. As discussed at the workshop, however, 
investigating and prosecuting acts and practices related to spyware, 
particularly the more pernicious programs, pose substantial law 
enforcement challenges. Given the surreptitious nature of spyware, it 
often is difficult to ascertain from whom, from where, and how such 
products are disseminated. Consumer complaints, for instance, are less 
likely to lead directly to targets than in other law enforcement 
investigations, because consumers often do not know that spyware has 
caused the problems or, even if they do, they may not know the source 
of the spyware.8 Indeed, computer manufacturers stated at 
our workshop that they believe an increasing number of service calls 
are spyware-related and spyware-related issues are difficult to 
diagnose. Similarly, search engine providers testified that consumers 
complain to them, not realizing that the spyware (not the search 
engine) is causing their dissatisfaction with their search engine.
---------------------------------------------------------------------------
    \8\ Identifying the source of spyware is especially difficult when 
consumers were not even aware that the spyware had been installed.
---------------------------------------------------------------------------
    The Commission has long been active in challenging unfair or 
deceptive acts or practices on the Internet, and spyware cases are not 
fundamentally different. Over the course of nearly a decade, we have 
brought approximately 300 cases challenging Internet practices 
involving substantial consumer harms, including harms similar to those 
posed by some examples of spyware.
    Most recently, in D Squared Solutions, LLC, the defendants 
allegedly exploited an operating system feature to harm consumers. The 
Windows operating system uses ``Messenger Service'' windows to allow 
network administrators to provide instant information to network users, 
for example, a message to let users know that a print job has been 
completed. The defendants in D Squared exploited this feature to send 
Messenger Service pop-up ads to consumers, advertising software that 
supposedly would block such ads in the future. Consumers would receive 
these pop-up ads as often as every ten minutes. The Commission filed a 
complaint in federal court alleging that the defendants unfairly 
interfered with consumers' use of their computers and tried to coerce 
consumers into buying software to block pop-up ads.9
---------------------------------------------------------------------------
    \9\ FTC v. D Squared Solutions, LLC, No. 03-CV-3108 (D. Md. 2003). 
The case is currently in litigation.
---------------------------------------------------------------------------
    The Commission brought several cases challenging the surreptitious 
distribution of dialer programs. A paper submitted at the workshop by 
the Computer Software Working Group 10 identified 
surreptitious downloads as an example of one of the problematic 
practices of some spyware programs. Past Commission actions have 
attacked similar programs that secretly disconnect consumers from their 
Internet Service Providers, reconnect them to another network, and 
charge them exorbitant fees for long distance telephone service or 
entertainment services delivered over the telephone line.11 
We also have challenged the practice of ``pagejacking'' consumers and 
then ``mousetrapping'' them at pornographic web sites.12 
These cases demonstrate that the Commission has the authority under 
Section 5 of the FTC Act to take action to prevent harms to consumers 
similar to those that spyware allegedly causes.
---------------------------------------------------------------------------
    \10\ The Consumer Software Working Group is comprised of public 
interest groups, software companies, Internet Service Providers, 
hardware manufacturers, and others. Available at 
    \11\ See, e.g., FTC v. Alyon Technologies, Inc., No. 1:03-CV-1297 
(N.D. Ga. 2003); FTC v. BTV Indus., No. CV-S-02-0437-LRH-PAL (D. Nev. 
2003); FTC v. Anderson, No. C00-1843P (W.D. Wash. 2000); FTC v. RJB 
Telcom, Inc., No. 002017 PHX EHC (D. Az. 2000); FTC v. Sheinkin, No. 2-
00-3636 18 (D.S.C. 2000); FTC v. Verity Int'l, Ltd., No. 00 Civ. 7422 
(LAK) (S.D.N.Y. 2000); FTC v. Audiotex Connection, Inc., No. CV-97-
00726 (E.D.N.Y. 1997); see also Beylen Telecom, Ltd., FTC Docket No. C-
3782 (final consent Jan. 23, 1998).
    \12\ See, e.g., FTC v. Zuccarini, No. 01-CV-4854 (E.D. Pa. 2002); 
FTC v. Carlos Pereira d/b/a atariz.com, No. 99-1367-A (E.D.N.Y. 1999).
---------------------------------------------------------------------------
                               CONCLUSION

    Spyware appears to be a new and rapidly growing practice that poses 
a risk of serious harm to consumers. The Commission is learning more 
about this practice, so that government responses to spyware will be 
focused and effective. We are continuing to pursue law enforcement 
investigations. The FTC thanks this Committee for focusing attention on 
this important issue, and for giving us an opportunity to present the 
preliminary results from our workshop. We look forward to further 
discussions with the Subcommittee on this issue.

    Mr. Stearns. I thank you. Mr. Ari Schwartz, Associate 
Director, Center for Democracy and Technology.
    Welcome.

                    STATEMENT OF ARI SCHWARTZ

    Mr. Schwartz. Chairman Stearns, Ranking Member Schakowsky, 
members of the committee, thank you for inviting CDT to testify 
today.
    In November, we released our first report on the spyware 
issue entitled ``Ghosts in our Machines.'' At that same time we 
asked consumers to send us their concerns about specific 
spyware experiences. Since then hundreds have responded.
    Spyware is clearly an issue of growing concern for internet 
users. As we document in our report, the worse practices that 
we've seen are often based on mutated practices of legitimate 
software companies. Therefore, defining the term spyware has 
become difficult, if not impossible.
    The basic problem of spyware is that software being created 
to run on users' computers, that they have no control over and 
do not want, including some software that passes on personal 
information about the computer user with their consent. CDT 
believes that in order to stop this growing problem, we will 
need to see action in three areas: enforcement of existing law, 
industry commitment to stopping bad practices, and legislation 
to protect privacy online.
    I will quickly address each of these areas. It is CDT's 
opinion that many of the worst practices that we have seen 
today in the spyware are already illegal under existing fraud 
statutes. For example, if a consumer walked into a store and 
the door was locked behind them and they were forced to buy a 
product, we would expect law enforcement to do something about 
it. If hundreds of thousands of consumers were not allowed to 
leave a contract that they didn't even know that they'd enter, 
we would expect consumer law enforcement agencies to do 
something. And if a third party were to tamper with consumers' 
telephones in such a way that when they try to call Barnes and 
Noble they were instead connected to an adult book store, 
certainly we would expect law enforcement to be there. Yet, the 
online equivalent of each of these actions, online coercion, 
inability to uninstall or disable and host file overriding have 
not been a serious area of action for any law enforcement body 
to date.
    CDT worked with consumer groups and industry to help 
develop examples of unfair, deceptive and devious practices 
involving software. These examples are based on real cases 
where CDT believes that law enforcement should be focusing its 
efforts. That full document was included as part of my written 
testimony.
    Second, industry needs to do a better job of creating self-
regulatory structures for software. CDT is encouraged by the 
advances in the anti-software technology such as those 
discussed here today by EarthLink and Microsoft and the others 
discussed at the FTC workshop last week. As we have seen in the 
spam war, it's very likely that as the anti-spyware 
technologies increase, the efforts of the spyware creators will 
undoubtedly double as well.
    Industry should go further and start to draw clear lines in 
the spectrum of current behaviors to begin to help consumers to 
distinguish the good actors from the bad. A code of best 
practices could give consumers the information and ability that 
they need to make better decisions in the marketplace today.
    Last, CDT strongly believes that many of the privacy 
concerns with spyware, some of which fall out of the scope of 
legal protections could be clearly addressed with the privacy 
law.
    As the chairman and the committee know, CDT has long argued 
that until we have a privacy law that addresses all of the 
basic fair information practices that privacy issues that we 
first saw 8 years ago with the collection of information via 
the web and then with cookies and then with spam and now with 
spyware will continue. And it will repeat again in new 
technologies in the future.
    A privacy law would get a root concern, not the root 
concern, but at a root concern rather than trying to define and 
scope each new technology in a limiting way. Still, spyware may 
pose some unique challenges that are not covered in the areas 
that I've outlined. We commend Representative Bono and 
Representative Towns for their work and their early attempts to 
take on this difficult issue, yet we also recognize that it 
would be difficult to define spyware or even the broader 
category of software in a way that addresses the problem 
without confining the market or accidentally legitimizing 
questionable practices that fall outside of the scope of the 
legislation.
    CDT is committed to working with the committee as the 
efforts move forward and I look forward to answering all of 
your questions.
    [The prepared statement of Ari Schwartz follows:]

  Prepared Statement of Ari Schwartz, Associate Director, Center for 
                        Democracy and Technology

    Chairman Sterns and Ranking Member Schakowsky, thank you for 
holding this hearing on spyware, an issue of growing concern for 
consumers and businesses alike. CDT is pleased to have the opportunity 
to participate.
    CDT is a non-profit, public interest organization dedicated to 
preserving and promoting privacy and other democratic values and civil 
liberties on the Internet. CDT has been widely-recognized as a leader 
in the policy debate about the issues raised by so-called ``spyware'' 
applications.1 We have been engaged in the early 
legislative, regulatory, and self-regulatory efforts to deal with the 
spyware problem, and have been active in public education efforts 
through the press and our own grassroots network.
---------------------------------------------------------------------------
    \1\ See, e.g., CDT's ``Campaign Against Spyware,'' http://
www.cdt.org/action/spyware/action (calling on users to report their 
problems with spyware to CDT; since November 2003, CDT has received 
over 250 responses). CDT's Complaint and Request for Investigation, 
Injunction, and Other Relief, in the Matter of MailWiper, Inc., and 
Seismic Entertainment Productions, Inc., February 11, 2004 (available 
at http://www.cdt.org/privacy/20040210cdt.pdf). ``Eye Spyware,'' The 
Christian Science Monitor Editorial, April 21, 2004 [``Some computer-
focused organizations, like the Center for Democracy and Technology, 
are working to increase public awareness of spyware and its risks. 
``The Spies in Your Computer,'' New York Times Editorial, February 18, 
2004 (arguing that ``Congress will miss the point (in spyware 
legislation) if it regulates specific varieties of spyware, only to 
watch the programs mutate into forms that evade narrowly tailored law. 
A better solution, as proposed recently by the Center for Democracy and 
Technology, is to develop privacy standards that protect computer users 
from all programs that covertly collect information that rightfully 
belongs to the user.''). John Borland, ``Spyware and its discontents,'' 
CNET.com, February 12, 2004. (``In the past few months, Ari Schwartz 
and the Washington, D.C.-based Center for Democracy andTechnology have 
leapt into the front ranks of the Net's spyware-fighters.'')
---------------------------------------------------------------------------
A. Summary
    In our testimony today, we hope to address two questions: What is 
spyware? And how should we respond to it?
    In Section B of our testimony below, we attempt to help define and 
understand the spyware problem. CDT's report ``Ghosts in Our Machines: 
Background and Policy Proposals on the `Spyware' Problem,'' 
2 released in November 2003, addresses this issue. The 
report describes the range of invasive software applications referred 
to as ``spyware'' and clarifies the privacy, transparency and user 
control issues raised by these rogue programs.
---------------------------------------------------------------------------
    \2\ http://www.cdt.org/privacy/031100spyware.pdf
---------------------------------------------------------------------------
    Additionally, over the last six months, CDT has led discussions of 
a Consumer Software Working Group that includes leading members of the 
Internet industry, advertising companies, public interest groups and 
academics in order to identify examples the worst practices that 
consumers are facing online. In our testimony today, we highlight some 
of the pertinent issues raised by the working group, summarize the 
findings of CDT's report, and describe some of CDT's subsequent 
research and ongoing efforts in these areas.
    In Section C, we turn to potential responses to the spyware 
problem. CDT sees three major areas where action is necessary to stem 
the disturbing trend toward a loss of control and transparency for 
Internet users:

1) Enforcement of existing laws could go a long way toward reducing the 
        problem of spyware. While longstanding fraud statutes already 
        cover many of the issues raised by these applications, 
        currently they are rarely enforced against spyware programmers 
        and distributors.
2) Fundamental to the issue of spyware is the overarching concern about 
        online Internet privacy. Legislation to address the collection 
        and sharing of information on the Internet would resolve many 
        of the privacy issues raised by spyware. If we do not deal with 
        the broad Internet privacy concerns now, in the context of 
        spyware, we will undoubtedly find ourselves confronted by them 
        yet again when they are raised anew by some other, as yet 
        unanticipated, technology.
3) To be effective, legislation and enforcement approaches will have to 
        be carried out concurrently with better consumer education, 
        industry self-regulation and the development of new anti-
        spyware technologies.
    We address each of these avenues in turn.

B. Defining and Understanding ``Spyware'' and ``Adware''
    ``Spyware'' has no precise definition. The term has been applied to 
everything from keystroke loggers, to advertising applications that 
track users' web browsing, to web cookies, to programs designed to help 
provide security patches directly to users. ``Spyware'' programs can be 
installed on users' computers in a variety of ways, and they can have 
widely differing functionalities.
    What these programs have in common is a lack of transparency and an 
absence of respect for users' ability to control their own computers 
and Internet connections.
    While many programs that have been called ``spyware'' are 
advertising software, CDT has emphasized that there is nothing 
inherently objectionable about ad-support as a business model. We 
highlight email applications, such as Eudora, that are successful and 
user-friendly examples of ad-supported software.
    However, in many cases, the revenue that these applications provide 
has given software distributors the incentive to push them onto users' 
computers using deceptive or fraudulent means. Ad-support can and must 
be implemented in a way that is transparent to users and respects their 
choices and privacy preferences.

Distribution of Spyware
    ``Spyware'' programs can be distributed in a variety of ways. For 
example, they may be bundled with other free applications, including 
peer-to-peer file sharing applications; they may be distributed through 
deceptive download practices; or they may be installed by exploiting 
security holes in the web browser or operating system on a user's 
computer. In some cases, once one ``spyware'' application has gained 
access to a user's computer, it will surreptitiously download and 
install other applications.
    In each of these scenarios, users generally do not know that the 
software is being installed. And once these invasive applications are 
on a user's computer they can be difficult or impossible to find and 
remove.

Effects of Spyware
    As mentioned above, the overarching concerns raised by spyware 
applications are transparency and user control. Within these broad 
categories, spyware programs can raise a host of specific concerns.

 These programs can change the appearance of websites, modify users' 
        ``start'' and ``search'' pages in their browsers, or change low 
        level system settings. In our complaint to the FTC against 
        MailWiper and Seismic Entertainment Productions, filed in 
        February, CDT asked the Commission to investigate one 
        particularly egregious example of such ``browser hijacking'' 
        behavior.
 Spyware programs are also often responsible for significant 
        reductions in computer performance and system stability. In 
        many cases, consumers mistakenly assume that the problem is 
        with another application or with their Internet provider, 
        placing a substantial burden on the support departments of 
        providers of those legitimate applications and services.
 Spyware programs can track users' online activities. Some gather 
        personally identifiable information. The most egregious forms 
        of spyware can capture all keystrokes, or record periodic 
        screenshots from a user's computer.
 Even in cases where spyware programs transmit no personally 
        identifiable information, their hidden, unauthorized 
        appropriation of users' computing resources and Internet 
        connections threatens the security of computers and the 
        integrity of online communications. The ``auto-update'' 
        component of many of these applications can create major new 
        security vulnerabilities by including capabilities to 
        automatically download and install additional pieces of code 
        without notifying users or asking for their consent, typically 
        with minimal security safeguards.
    CDT is currently conducting technical and public opinion research 
on the spyware issue. We hope to continue to report the results of this 
work to the Committee as we learn more.

C. Possible Responses to Spyware Concerns
    Combating the most invasive spyware technologies will require a 
combination of approaches. First and foremost, vigorous enforcement of 
existing anti-fraud laws should result in a significant reduction of 
the spyware problem.
    Addressing the problem of spyware also offers an important 
opportunity to establish in law baseline standards for privacy for 
online collection and sharing of data. Providing these protections 
would not only address the privacy concerns that current forms of 
spyware raise, but would put in place standards that would apply to 
future technologies that might challenge online privacy. Anti-spyware 
tools, better consumer education, and self-regulatory policies are also 
all necessary elements of a spyware solution.
    Legislation to establish standards for privacy, notice, and consent 
specifically for software, such as H.R.2929, currently before this 
Committee, may play an important role as well. The challenge to such 
efforts is in crafting language that effectively addresses the spyware 
issue without unnecessarily burdening legitimate software developers or 
unintentionally hindering innovation.
    So far the efforts to address the spyware issue are all in very 
preliminary stages. They will each require cooperation among 
government, private sector, and public interest initiatives.
Enforcement of Existing Law
    CDT believes that three existing federal laws already prohibit many 
of the invasive or deceptive practices employed by malevolent software 
makers. Better enforcement of these statutes could have an immediate 
positive effect on the spyware problem.
    Title 5 of the Federal Trade Commission Act is most directly 
applicable to the most common varieties of spyware. We believe that 
many of the more invasive forms of spyware discussed above clearly fall 
under the FTC's jurisdiction over unfair and deceptive trade practices. 
Some of these practices are highlighted in the Appendix--the Consumer 
Software Working Group's Examples of Unfair, Deceptive or Devious 
Practices Involving Software. To our knowledge, the FTC so far has not 
brought any major actions against spyware makers or spyware 
distributing companies. In February, CDT filed a complaint with the FTC 
against two companies for engaging in browser hijacking to display 
deceptive advertisements to consumers for software sold by one of the 
companies.3
---------------------------------------------------------------------------
    \3\ Complaint and Request for Investigation, Injunction, and Other 
Relief, in the Matter of MailWiper, Inc., and Seismic Entertainment 
Productions, Inc., February 11, 2004 (available at http://www.cdt.org/
privacy/20040210cdt.pdf).
---------------------------------------------------------------------------
    We believe that one of the most immediate ways in which Congress 
could have a positive impact on the spyware problem is by directing the 
FTC to increase enforcement against unfair and deceptive practices in 
the use or distribution of downloadable software and by providing 
increased resources for such efforts.
    Several laws besides the FTC Act may also have relevance. The 
Electronic Communications Privacy Act (ECPA), which makes illegal the 
interception of communications without a court order or permission of 
one of the parties, may cover programs that collect click-through data 
and other web browsing information without consent. The Computer Fraud 
and Abuse Act (CFAA) also applies to some uses of spyware. Distributing 
programs by exploiting security vulnerabilities in network software, 
co-opting control of users' computers, or exploiting their Internet 
connection can constitute violations of the CFAA, especially in cases 
where spyware programs are used to steal passwords and other 
information.
    In addition to federal laws, many states have long-standing fraud 
statutes that would allow state attorneys general to take action 
against invasive or deceptive software. Like their federal 
counterparts, these laws have not been strongly enforced to date.

New Legislation
    CDT has argued that the most effective way to address the spyware 
problem through legislation is in the context of online privacy 
generally. Specifically, we believe that the privacy dimension of 
spyware would best be addressed through baseline Internet privacy 
legislation that is applicable to online information collection and 
sharing irrespective of the technology or application. CDT has 
advocated such legislation before the Senate Commerce Committee and in 
other fora. Until we address the online privacy concern, new privacy 
issues will arise as we encounter new online technologies and 
applications.
    Still, software may pose some unique problems. A comprehensive 
legislative solution to spyware may need to address the user-control 
aspects of the issue such as piggybacking, and avoiding uninstallation. 
H.R. 2929 before this Committee represents an important acknowledgement 
of several of these problems. We appreciate the desire to craft 
targeted legislation focusing on some of the specific problems raised 
by spyware, and CDT commends Representatives Bono and Towns for 
bringing attention to this important issue.
    At the same time, we wish to emphasize the complexity of such 
efforts. The broad industry opposition to an anti-spyware bill recently 
passed in the Utah legislature, based on potential unintended 
consequences of the bill for legitimate software companies, 
demonstrates the difficulties that can be introduced by such 
legislation if it is not carefully drafted. We know Representatives 
Bono and Towns have been looking hard at some of the specific 
definitional concerns raised by CDT and others, and we look forward to 
continuing to work with the Committee on this bill.

Non-Regulatory Approaches
    Technology measures, self-regulation and user education must work 
in concert, and will be critical components of any spyware solution. 
Companies must do a better job of helping users understand and control 
how their computers and Internet connections are used, and users must 
become better educated about how to protect themselves from spyware.
    The first step is development of industry best practices for 
downloadable software. Although not all software manufacturers will 
abide by best practices, certification programs will allow consumers to 
quickly identify those that do and to avoid those that do not. In the 
current environment consumers cannot easily determine which programs 
post a threat, especially as doing so can involve wading through long 
and unwieldy licensing agreements.
    Technologies to deal with invasive applications and related privacy 
issues are in various stages of development. Several programs exist 
that will search a hard-drive for these applications and attempt to 
delete them. Some companies are experimenting with ways to prevent 
installation of the programs in the first place. However, even these 
technologies encounter difficulties in determining which applications 
to block or remove. Clear industry best practices are crucial in this 
regard as well.
    Standards such as the Platform for Privacy Preferences (P3P) may 
also play an important role in technical efforts to increase 
transparency and provide users with greater control over their 
computers and their personal information. P3P is a specification 
developed by the World Wide Web Consortium (W3C) to allow websites to 
publish standard, machine-readable statements of their privacy policies 
for easy access by a user's browser. If developed further, standards 
like P3P could help facilitate privacy best practices to allow users 
and anti-spyware technologies distinguish legitimate software from 
unwanted or invasive applications.
    The IT industry has initially been slow to undertake such efforts. 
However, increasing public concern about spyware and the growing burden 
placed on the providers of legitimate software by these invasive 
applications has led to more industry attention on this 
front.4 The Consumer Software Working Group, including major 
Internet service providers, software companies, and hardware 
manufacturers, has expressed its view that this area is ripe for 
industry self-regulation and best practices.
---------------------------------------------------------------------------
    \4\ See, e.g. , Earthlink press release: Earthlink Offers Free 
Spyware Analysis Tool to All Internet Users, January 14, 2004 
(available at: http://www.earthlink.net/about/press/pr_analysis/); 
America Online press release: America Online Announces Spyware 
Protection for Members, January 6, 2004 (available at: http://
media.aoltimewarner.com/media/newmedia/cb_press_view.
cfm?release_num=55253697); Microsoft press release: Battling `Spyware': 
Debate Intensifies on Controlling Deceptive Programs, April 20, 2004 
(available at: http://www.microsoft.com/presspass/features/2004/apr04/
04-20Spyware.asp)
---------------------------------------------------------------------------
    CDT believes Congress can have an immediate positive impact by 
encouraging industry to continue to follow through on these efforts.

D. Conclusion
    Users should have control over what programs are installed on their 
computers and over how their Internet connections are used. They should 
be able to rely on a predictable web-browsing experience and to remove 
for any reason and at any time programs they don't want. The widespread 
proliferation of invasive software applications takes away this 
control.
    Better consumer education, industry self-regulation, and new anti-
spyware tools are all key to addressing this problem. New laws, if 
carefully crafted, may also have a role to play. Many spyware 
practices, however, are already illegal. Even before passing new 
legislation, existing fraud statutes should be robustly enforced 
against the distributors of these programs.
    The potential of the Internet will be substantially harmed if users 
come to believe that they cannot use the Internet without being at risk 
of infection from spyware applications. We must find creative ways to 
address this problem through law, technology, public education and 
industry initiatives if the Internet is to continue to flourish.

Appendix: Examples of Unfair, Deceptive or Devious Practices Involving 
                                Software

                    CONSUMER SOFTWARE WORKING GROUP

    The Consumer Software Working Group is a diverse community of 
public interest groups, software companies, Internet service providers, 
hardware manufacturers, and others that are seeking consensus responses 
to the concerns raised by practices that harm consumers.
    Over the past several years, a subset of computer software referred 
to as ``spyware'' has become the subject of growing public concern. 
Computer users increasingly find programs on their computers that they 
did not know were installed, that create risks to privacy, that open 
security holes, that impair the performance and stability of their 
systems, that frustrate their attempts to uninstall or disable the 
programs, or that lead them to mistakenly believe that these problems 
are the fault of another application or their Internet service 
provider.
    There is agreement that these practices can raise serious concerns. 
At the same time, the wide range of and lack of clarity in attempted 
definitions for the types of software practices that most concern 
consumers hamper attempts at self-regulatory, technological and 
legislative responses. Many definitions of spyware in circulation today 
are either under-inclusive in important respects or, more commonly, 
overbroad so that they include practices that clearly benefit 
consumers, or both.5
---------------------------------------------------------------------------
    \5\ For example, the Working Group observes that the current Utah 
law addresses practices involving software that most informed consumers 
would not consider unfair, deceptive or devious and fails to cover some 
practices that most informed consumers would consider unfair, deceptive 
or devious.
---------------------------------------------------------------------------
    The Center for Democracy and Technology convened the Consumer 
Software Working Group. Companies, public interest groups or academics 
interested in joining the Working Group should contact Ari Schwartz 
, Michael Steffen , or John Morris 
 at the Center for Democracy and Technology.

 EXAMPLES OF UNFAIR, DECEPTIVE OR DEVIOUS PRACTICES INVOLVING SOFTWARE 
                              VERSION 1.0

    The Consumer Software Working Group is concerned about a specific 
set of devious, deceptive or unfair practices that adversely affect 
consumers online. While the following list of examples is not nearly 
complete, it describes a series of activities and behaviors that the 
Group considers to be clearly objectionable.
    Specifically, the Group identifies three broad types of practices 
where abuses occur today. Most of these practices may be illegal under 
current law, depending on the specific facts of the particular case. 
Within each area, we offer illustrative examples, based on real cases. 
We note that each of the objectionable behaviors we identify has 
constructive consumer-friendly counterparts when carried out with 
proper notice and consent and in ways that give consumers control. 
Automatic installation, personalization and tracking, and in some cases 
resistance to uninstallation can provide important benefits to 
consumers.
    We hope that this list of objectionable practices will help to 
focus technical, self-regulatory, regulatory and law enforcement 
efforts to protect consumers from inappropriate activities in a more 
targeted and effective manner, while avoiding unintended negative 
consequences for good actors and consumers alike. The Working Group 
believes that this is an area that could be ripe for self-regulatory 
efforts to craft industry principles to protect consumers and the 
marketplace.
    1) Hijacking--The practices described in this section are 
objectionable to the extent that they enable an unaffiliated person to 
use the user's computer in a way that ordinarily would not be expected. 
This may occur through an unnoticed program consuming the user's 
computing resources or resetting a user's existing configurations 
without the user's knowledge, or through coercion or deception.
          Example: A computer user sees an Internet advertisement for 
        Program A. The user clicks on the ad and is sent to a page that 
        pops up a window asking if the user wants to download Program 
        A. The user clicks ``no,'' but Program A is eventually 
        downloaded and installed anyway.
          Example: A computer user sees an Internet advertisement for 
        Product B. The user clicks on the advertisement, and is sent to 
        a page that informs the user that ``Program C is needed to view 
        this Web page.'' This leads the user to believe that Program C 
        is necessary to view the site about Product B, so the user 
        clicks ``yes'' and the program is downloaded and installed. In 
        fact, Program C is not necessary to view the website for 
        Product B and the user is never informed of the actual reason 
        why Program C was installed.
          Example: A computer user sees an Internet advertisement for 
        Program D. The user clicks on the ad, and she is sent to a page 
        that immediately pops up a window asking if she wants to 
        download Program D. The user clicks ``no.'' This happens 
        repeatedly until the user gets frustrated and clicks ``yes.''
          Example: A computer user receives an Internet advertisement 
        for Product E as part of a webpage he is looking at. Simply as 
        a result of loading the ad, Software Program F wholly unrelated 
        to Product E is downloaded onto the user's computer. No notice 
        or opportunity to consent to download Software Program F was 
        provided.
          Example: While browsing the Internet, a computer user is 
        offered the opportunity to download and install Software 
        Program G. Using a fraudulently obtained digital certificate, 
        the download request falsely identifies Software Program G as 
        being from the user's trusted Internet Service Provider, H. In 
        fact, the Program is not from Internet Service Provider H, and 
        has no relation to the ISP. However, based on its claimed 
        affiliation with H, the user agrees to let the program be 
        downloaded and installed.
          Example: A computer user loads Company I's Web page. The Web 
        page opens another page running a java script. When the user 
        closes Company I's Web page, the java script page covertly 
        resets the user's homepage without obtaining consent.
          Example: A computer user loads Company J's Web page. The Web 
        page opens another page running a java script. When the user 
        closes Company J's Web page, the java script page covertly 
        resets the user's homepage. The java script is written such 
        that any time the user attempts to reset his homepage, the 
        program automatically resets it again so the user cannot reset 
        his homepage to what it was before the hijacking took place.
          Example: A computer user downloads Software Package K. Among 
        the programs in Software Package K is a dialer application that 
        was not mentioned in any advertisements, software licenses, or 
        consumer notices associated with the package or in information 
        provided in conjunction with the ongoing operations of the 
        package. The dialer application is not an integral part of 
        Software Package K. When the user opens her Web browser after 
        installation of Software Package K, the dialer opens in a 
        hidden window, turns off the sound of the user's computer, and 
        calls a phone number without the user's permission.
          Example: A computer user is sent Software Package L as an 
        attachment to an unsolicited commercial email message. There is 
        no documentation for Software Package L. Included in Software 
        Package L is Program M that sends a message to Computer N. 
        Computer N then uses Program M on the user's computer as a 
        means to send out unsolicited commercial emails.
    2) Surreptitious surveillance--The practices described in this 
section are objectionable to the extent that they involve intrusive and 
surreptitious collection and use of personally identifiable information 
about users that is wholly unrelated to the purpose of the software as 
described to the consumer.
          Example: A computer user downloads Software Package P. 
        Software Package P contains a keystroke logger unrelated to any 
        functions described to the user. The keystroke logger records 
        all information input on the user's computer and sends this 
        information on to another computer user. The first user is not 
        informed about the operation of the keystroke logger.
          Example: Program Q advertises itself as a search tool bar. A 
        user downloads Program Q to gain the search functionalities. 
        Program Q installs a tool bar, but--once installed--also mines 
        the user's registry and other programs for personally 
        identifiable information about the user unrelated to the search 
        functionality and without informing the user or obtaining 
        consent. When the user connects to the Internet, Program Q 
        sends this information back to the company that makes Program 
        Q.
    3) Inhibiting termination--The practices described in this section 
are objectionable to the extent that they frustrate consumers' efforts 
to remove a program, deactivate it or otherwise render it inoperative. 
Generally, these practices are intended to prevent the user from 
severing or terminating a relationship with the provider of the 
program.
          Example: A computer user downloads Software Package S. 
        Software Package S contains Advertising Program T. Advertising 
        Program T sends the user pop-up ads while the user is surfing 
        the Web even if no other programs in Software Package S are 
        running. The pop-up ads are not labeled as related to 
        Advertising Program T or Software Package S in any way and 
        there is no other way to find the ads' origin. The user is 
        concerned about the increase in pop-up ads, but does not know 
        whether they are caused by Program T or are from the Web sites 
        that he is visiting. The user has no means to find out the 
        origin of the ads in order to make a decision about 
        uninstalling Program T.
          Example: A computer user downloads Software Package U. As 
        initially disclosed to the user, Software Package U contains a 
        mandatory program, Advertising Program V, which is bundled as a 
        way to generate revenue and pay for the development of Software 
        Package U only. When the user uninstalls Software Package U, 
        the user is not given a clear opportunity to uninstall Program 
        V at that time, and Advertising Program V stays on the user's 
        computer.
          Example: A computer user downloads Gaming Program W. The user 
        wants to remove Gaming Program W from the computer. Gaming 
        Program W does not have an uninstall program or instructions 
        and does not show up in the standard feature in the user's 
        operating system that removes unwanted programs (assuming this 
        feature exists in the operating system). The user's attempts to 
        otherwise delete Program W are met by confusing prompts from 
        Program W with misrepresentative statements that deleting the 
        program will make all future operations unstable.
          Example: A computer user downloads Program X. The user wants 
        to remove Program X from the computer. Program X appears in the 
        standard feature in the user's operating system that removes 
        unwanted programs. However, when the user utilizes the 
        ``remove'' option in the operating system, a component of 
        Program X remains behind. The next time the user connects to 
        the Internet, this component re-downloads the remainder of 
        Program X and reinstalls it.
    The following companies, organizations and individuals have worked 
to describe Examples of Unfair, Deceptive and Devious Practices 
Involving Software. These descriptions can be used to help focus 
technical, self-regulatory, regulatory and law enforcement efforts to 
protect consumers from inappropriate activities.
    America Online; Business Software Alliance; Center for Democracy 
and Technology; Claria Corporation; Consortium of Anti-Spyware 
Technology Vendors; Consumer Action; CryptoRights Foundation; Dell, 
Inc.; Distributed Computing Industry Association; EarthLink; eBay; 
Electronic Frontier Foundation; Google; HP; Information Technology 
Industry Council; Internet Commerce Coalition; Lavasoft; Microsoft; 
Network Advertising Initiative; Privacilla.org; Sharman Networks; Peter 
Swire, Moritz College of Law of the Ohio State University;6 
TRUSTe; Webroot Software; WhenU; and Yahoo!.
---------------------------------------------------------------------------
    \6\ Individuals are listed with their affiliation for 
identification purposes only.

    Mr. Stearns. I thank the gentleman. I'll start out with my 
line of questioning and I think I'll just make a general 
comment and then I want to ask each of you a specific question, 
a yes or no answer, if possible.
    I think as in the opening statement of the chairman of our 
committee, the gentleman from Texas, indicated we found on 
employees in the Commerce Committee have over 200 spyware and 
they did not know this. We've heard from other members how it's 
affected their computers at home and slowed them down. So 
obviously, there's some deep concern, not only about privacy, 
but efficiency and overall security.
    So the question is and I think I know the answers listening 
to your opening statements, I'll start with you, Commissioner. 
You at this point do not believe that we need legislation, just 
yes or no, is that true?
    Mr. Thompson. Yes, at this time, we do not----
    Mr. Stearns. We do not need legislation. And Mr. Beales, do 
you think we need legislation?
    Mr. Beales. I do not.
    Mr. Stearns. And Mr. Schwartz?
    Mr. Schwartz. I think that we need privacy legislation 
today and we may need spyware legislation in the future once 
we've gone further in going after worst practices.
    Mr. Stearns. You mentioned three areas: enforcement, 
eliminating bad practices and legislation.
    Mr. Schwartz. And privacy legislation.
    Mr. Stearns. So what you're talking about is an overall 
privacy legislation of which spyware would be a component, is 
that what you're saying?
    Mr. Schwartz. That's correct, yes.
    Mr. Stearns. And Mr. Baker? Do we need legislation?
    Mr. Baker. We think legislation would complement industry 
technology efforts and FTC enforcement.
    Mr. Stearns. Okay, and Mr. Friedberg?
    Mr. Friedberg. Yes. We believe in a holistic solution and 
to the degree enforcement can't do what they need to do because 
there's some laws missing, then we would----
    Mr. Stearns. You mentioned you're going to have a new 
software program, but today, would you advocate legislation to 
solve this problem, yes or no?
    Mr. Friedberg. Again, I think it goes back to whether or 
not there's enough teeth in the existing laws to go after the 
deceptive practices.
    Mr. Stearns. Do you think there's enough teeth in the 
existing laws?
    Mr. Friedberg. Unfortunately, I'm not a lawyer, but I 
would----
    Mr. Stearns. I'm asking you a personal opinion. I mean 
you're here, you're one of the experts here on the panel and 
your high technology of interest and expertise, we've just told 
you that member employees on our Commerce Committee have over 
200 of these spywares that they didn't know it, it's slowing it 
down, so you're saying that your software would solve all the 
problems?
    Mr. Friedberg. No, absolutely not.
    Mr. Stearns. Do you think legislation----
    Mr. Friedberg. We think there's a holistic strategy and I 
think Commissioner Thompson and others have stated they feel 
very confident about the current laws. That's fantastic, I 
think. We can go after them and create a deterrent, it's 
wonderful.
    Mr. Stearns. Let me ask you then, you testified that any 
Federal legislation should address deceptive behavior and not 
functionality and I guess that's the key point, that we want to 
not bog down the internet. We want to have the functionality 
there, but we've got to address this deceptive behavior.
    Please explain what behaviors are not illegal already that 
we should address.
    Mr. Friedberg. Not illegal already?
    Mr. Stearns. In other words, when a person is dealing with 
spyware, from what I hear it looks like most of it is coming in 
illegally. It's in my computer and I don't want it. So that's a 
behavior that I don't want. So what is the functionality of 
this that I should allow it to be in and why shouldn't I 
legislate to say don't come in without my permission.
    Mr. Friedberg. When you actually look at the features that 
underlie some of what's happening, it turns out that a lot of 
those features have positive user benefit. For example----
    Mr. Stearns. Give me some examples of positive user 
benefit.
    Mr. Friedberg. Let's just take adware. Obviously, it's a 
very contentious issue, but a piece of software that's going to 
display some advertisements, that's what it does. That's its 
function. Now if I'm a user and I have to pay $120 a year for a 
service and I have the choice to maybe see some ads and not 
have to pay that money, I think that's a fair horse trade 
providing I was told up front what that deal is and I can fully 
understand the terms under which it's happening and so there's 
an example of where the feature is not the issue, it's when 
people do it deceptively where you have no control over that 
adware, it's just showing up in your box, can't turn it off. 
Clearly a bad situation.
    Mr. Stearns. Commissioner, you are on the panel of peers to 
be the strongest advocate for no legislation. The State of Utah 
has passed a bill. California and Texas is doing this. New York 
is going to do this. Shouldn't Congress, if nothing else, 
preempt these with a Federal law instead of having 50 separate 
State laws dealing with spyware?
    Mr. Thompson. I understand that point and I think that----
    Mr. Stearns. I mean, the practicality.
    Mr. Thompson. But what I say is at this time what I'm 
looking for is industry to define good behavior to isolate bad 
behavior. That's what you heard with the other people on this 
panel. There are certain behaviors that are bad that we can get 
at right now. Unfair and deceptive practices, for example, if 
they put something on your computer and it violates their 
privacy policy, then we can do something about it. If it's 
sending information that you have no way of avoiding, that's 
something we need to know about. But----
    Mr. Stearns. But shouldn't we stop that practice of putting 
it in your computer without you knowing about it?
    Mr. Thompson. I think we can get at some of that right now. 
The point is that I need----
    Mr. Stearns. Well, why isn't our staff doing it? The public 
obviously has ignorance on this and doesn't even know. You 
click a bar up here, some of the bars that were clicked up here 
you hit cancel or yes or even the top of the dialog bar, it 
doesn't matter. You're still going to get the spyware in the 
computer, so tell me why shouldn't we stop that?
    Mr. Thompson. And that's part of the challenge that we 
have. First of all, we need the responsible companies to come 
clean and tell consumers what it is they're doing, how they're 
doing it and then the second thing, then we need to isolate 
those people who are not.
    Let me tell you something. Most of the people who are 
involved in the most insidious behavior, secret spyware that 
will get after, that will allow them to get identity theft, to 
mine your information, etcetera, that's unlawful now and those 
people don't care about the law.
    Mr. Stearns. I'll conclude by just saying I'm a little 
concerned that you're not outraged that people have access to 
somebody's privacy, Social Security Numbers and all this and 
you're saying just let things go by the wayside when actually I 
would think you as Federal Trade Commission should be saying we 
need more money, we want to enforce it, we're going to do 
something about this, Congress, this is what we need.
    Mr. Thompson. I am outraged and we always need more money, 
but what I am saying to you is there's a danger. The danger in 
trying to define this in the scope of legislation right now, is 
to be overbroad which will deny us of beneficial uses.
    Mr. Stearns. My time is up.
    Mr. Thompson. Or too narrow.
    Mr. Stearns. The gentlelady, Ms. Schakowsky.
    Ms. Schakowsky. Mr. Thompson, if legislation is not 
warranted at this time, I know you had a workshop and that's 
the beginning, but what are you doing exactly in terms of 
enforcement of current laws? It seems to me the ball is in your 
court as well as in that of industry. You're looking for a 
voluntary industry response, you're saying, but what exactly 
are your plans then in the short term?
    Mr. Thompson. I would like the Bureau Director to be in to 
talk about that because he can talk about specific enforcement 
activity.
    Mr. Beales. We are actively looking for spyware cases. We 
have open investigations. We will pursue those. We have brought 
cases that have challenged the deceptive downloads of dialers 
that disconnect you and reconnect you. We've brought cases that 
are very much the same kind of practice of once you're in the 
door, you can't get out until you buy the program. We've 
brought the extortion kind of case of buy this product and I'll 
stop sending you the ads that--this product will stop the ads 
that we're sending you.
    We've brought all those kinds of cases. We will continue to 
pursue those cases. The problem is not one of legal authority. 
It is developing and proving a case in Federal Court.
    Ms. Schakowsky. It sounds like this is a problem that's 
escalating rather than shrinking as we go forward. So what is 
it that consumers ought to be expecting from both industry and 
from the regulatory agencies right now? And then, Mr. Schwartz, 
I'd like you to add why it is that this broad privacy 
legislation might add relief to consumers?
    Mr. Thompson. I think step one, I think responsible 
industry needs to tell consumers what software they're putting 
on the system, how it works and giving consumers a choice of 
whether to have it or not to have it.
    Ms. Schakowsky. How big a problem is responsible industry? 
Usually when we're dealing with the most insidious scams, we're 
dealing with irresponsible players here who have the intention 
of robbing people of their information, et cetera.
    Mr. Thompson. And that's exactly the point. One of the 
things I would like to see done is that the good guys can all 
work on the same baseline to say this is what the behavior, 
standard behavior is in the industry, so we can begin to say 
anything that's outside of that is really ripe for our picking.
    Ms. Schakowsky. Are you planning then to establish some 
kind of rule that would set those boundaries and the parameters 
rather than simply relying on industry itself to come up with 
that?
    Mr. Thompson. As you said in your comments, we are at the 
beginning stages of talking about that. The workshop was very 
helpful. And as I said in my statement, I want effective and 
timely responses. I think we will continue to work with 
industry to see that that happens, but this is one issue that I 
think is important to have the committee's continued 
involvement and review.
    Ms. Schakowsky. Clearly, the Congress and the bipartisan 
way is interested in stepping into this. If you're saying we 
should not, then it seems to me you have to have a very clear 
time line to come back with and say this is our plan, this is 
what we expect from industry. We really haven't seen that.
    I would like to particularly get Mr. Schwartz'--tell me how 
this broad privacy legislation would help?
    Mr. Schwartz. Let's take a step back and look at the 
broader picture of online privacy. If we pass a law that says 
when you download software and you focus on the privacy of 
downloaded software, rather than general software, so let's say 
we do get the real fair information practices built into a 
software law that has notice, choice of intent for consumers, 
ability to access and see what they are turning over to the 
companies, etcetera. Then simply the bad acting companies 
simply start doing that from a server that's--where information 
is not downloaded to the computer, from somewhere remote. We've 
seen cases like that similar to that today.
    By trying to define software and come up with privacy rules 
just for software, you're leaving out the exact same practices 
that we consider to be bad practices that are just done from a 
remote server.
    Similarly, we saw this in web privacy as well. Early on we 
did not have any notices at all. As practices start to improve 
in one area, the bad acting companies shift and go to another 
area where they feel they can take advantage of consumers and 
that's going to continue to happen because that's the nature of 
technology. We're going to come up with new technological 
challenges. But if we have a broad law that focuses on the 
practice, rather than the technology, we can go after the 
actual root cause which is that companies are misusing people's 
personal information, not telling them what they're doing with 
it and keeping it in incorrect ways where consumers don't even 
know it could be used against them and they don't even have the 
ability to change it if it's wrong.
    Ms. Schakowsky. Thank you.
    Mr. Stearns. The full chairman of the committee, the 
gentleman from Texas, Mr. Barton.
    Chairman Barton. Thank you, Mr. Chairman. I am reading from 
the FTC testimony here, the Commissioner's testimony, page 5, 
it says ``at the workshop, FTC and Department of Justice staff 
members noted that many of the more egregious spyware practices 
described at the workshop may be subject to attack under 
existing Federal and State laws.''
    Later on in that same page it says, ``However, 
investigating and prosecuting acts and practices related to 
spyware, particularly the more pernicious programs pose 
substantial law enforcement challenges.''
    Now then, my understanding, Commissioner, is that you said 
that you didn't think additional Federal legislation was 
necessary, yet in your testimony you're talking about it says 
``it may be subject to attack and pose substantial law 
enforcement challenges.''
    Why in the heck don't you support us legislating so we make 
it perfectly clear? If somebody walks in my house without my 
knowledge, without my permission, they're trespassing and 
there's a law that says that's illegal. And what you're saying 
is if somebody comes into my personal computer in my house, it 
may violate a law and it may be a problem, but it might be 
difficult to prosecute. Why not work with this committee to 
come up with legislation that makes it perfectly clear that 
it's illegal? And then if somebody wants that crap on their 
computer, they can opt to let it be.
    I mean I don't understand. I really don't understand why 
we're having a semantical debate about something that everybody 
I've talked to is totally outraged about. I'm the moderate on 
this issue, by the way, on the panel.
    Mr. Thompson. Well, Mr. Chairman, you know what I think 
about privacy in general, and we've discussed that before. I 
think that targeted legislation here at this time would be very 
difficult, if not impossible to define. And what I'm concerned 
about is leading people to believe that defining a certain kind 
of software, for example, will address the problem.
    Let me give you an example. There are so many things in 
this area that would be a problem notwithstanding whether they 
informed you of it or not. If someone came in and told you 
we're going to disclose to you that we're putting software on 
your machine that's going to monitor your activity, that we can 
send to identity thieves, that would be unlawful no matter 
what. And it doesn't really matter----
    Chairman Barton. My understanding is there's not been one 
enforcement action even attempted. Is that true or not true?
    Mr. Thompson. That's not true.
    Chairman Barton. That's not true. So you've done one?
    Mr. Thompson. There are some things that are pending that I 
can talk about----
    Chairman Barton. Ah, some things that are pending. Maybe 
two, three? We've got 140 million people and I've yet to see a 
person when they find out this is on their computer says oh, 
that's okay. I'm okay with it.
    Mr. Beales. We have brought a number of cases, at least 
three or four, that challenged deceptive downloading of dialer 
programs that disconnect you and reconnect you to different 
service provider.
    Chairman Barton. Have you got any convictions?
    Mr. Beales. Yes, we have.
    Chairman Barton. You've got how many?
    Mr. Beales. In all of those cases. In none of those cases 
that have been fully litigated or resolved and none of our 
cases have we lost.
    Chairman Barton. If we were to pass a law that said you 
can't put anything on a person's personal computer without 
their explicit knowledge and if you do, it's a Federal crime 
subject to whatever the penalties are, would that help or hurt 
prosecute these cases, if we made it explicit?
    Mr. Beales. I don't think it would make any difference in 
the ability to prosecute these cases. It would make the process 
of installing new software with hundreds of different 
subprograms that I have no clue what they do, extremely tedious 
and difficult.
    Chairman Barton. And that's a good thing.
    Mr. Beales. No, it's not.
    Chairman Barton. You want this stuff on your computer? 
You're the only person in the country that wants spyware on 
your computer.
    Mr. Beales. No, I want my word processing program to work.
    Chairman Barton. We do too.
    Mr. Beales. And if you pass a law that says I have to go 
through each component of that word processing program as it 
installs and agree to that component, either I'm going to agree 
to everything and the spyware is still going to be there 
because I've been trained to agree to everything or my word 
processor----
    Chairman Barton. So now you're saying that spyware is 
necessary to install a program on your computer?
    Mr. Beales. No, I'm saying that software includes a lot of 
different programs where I don't know and I don't want to know 
exactly how they function to put a footnote in my document.
    Chairman Barton. And that's what spyware does?
    Mr. Beales. No, it's what software does.
    Chairman Barton. We're not opposed to software.
    Mr. Beales. But if you require consent to the installation 
of each program, then I'm going to have to go through each one 
of those programs----
    Chairman Barton. Let me just clue you. Unless I'm totally 
mistaken, when we get ready to move this bill all but a handful 
of the members of this committee on a bipartisan are going to 
be supportive of it. Now I'm not a software expert. I'm not a 
computer expert, but I can count votes on my committee. And I 
would encourage the Federal officials at the table to work with 
us on how to clarify the language that helps you enforce the 
law. Instead of trying to defend something that is not 
defendable.
    I bet you that we could go to every person in this room 
that has a personal computer and I would be stunned unless they 
just cleaned their programs, cleaned their computers, they 
don't have spyware on their personal programs right now, 
including the people at the witness table. Every one of you.
    And then I would double down and bet that if we asked if 
they wanted to take it off, almost everybody would say they 
want to take it off, except for you, sir, who apparently thinks 
it's a great thing which is what makes America great that we 
can agree to disagree, I guess.
    Mr. Beales. I think it is very difficult to draw a line 
around the what is the spyware, where I don't want it either 
and where we think there clearly are bad practices.
    Chairman Barton. Well, then work with us----
    Mr. Beales. We are happy to do that.
    Chairman Barton. Work with us to define the line.
    Mr. Beales. We are happy to do that to try to draw the line 
as well as possible. What is not clear to us is whether there 
is a meaningful line that can be drawn.
    Chairman Barton. I am very confident that with the lawyers 
we have on the committee and the lawyers that we have at your 
agency, we can draw the line.
    With that, Mr. Chairman, I yield back the negative balance 
of my time.
    Mr. Stearns. That's all right, Mr. Chairman, I just want to 
buttress your argument by pointing out, as I point out in 2003 
there were 2 million spyware software programs. Today, in the 
year--they project 14 million currently. So I would say to the 
Commissioner, with those statistics it sort of shows that the 
chairman is talking about a serious problem.
    Mr. Strickland.
    Mr. Strickland. Thank you, Mr. Chairman. We've been talking 
about for lack of a better way to put it, bad actors, using 
spyware. Are there good actors who use spyware?
    Mr. Beales. Well, it depends on how you define it, but on 
many definitions, yes, there are. Keystroke loggers, for 
example, which can be used to steal personal information and 
for identity theft are frequently downloaded by help desks to 
try to figure out what it is you're doing, how it is they can 
help you use your computer better. That's a perfectly 
legitimate use of exactly the same software.
    Mr. Strickland. Is that done with the permission of the 
person whose information is being collected?
    Mr. Beales. Certainly with the implicit permission, whether 
it's explicit or not, I don't know, but certainly with the 
implicit permission because they've called and asked for help.
    Mr. Strickland. Let me ask this question. How many of you 
would agree with this statement, instead of regulating and 
outlawing certain types of software, we need to rather regulate 
certain types of behavior?
    Do any of you agree or disagree with that?
    Mr. Beales. I would agree with that completely.
    Mr. Thompson. I would agree with that as well.
    Mr. Strickland. And is it your impression that the 
legislation under consideration from my colleague from 
California an attempt to regulate software rather than an 
attempt to regulate behavior as you understand the proposal?
    Mr. Baker. No sir, if I may, I don't think that it's an 
attempt to regulate software. I think it does regulate behavior 
because it's not saying that any specific type of software is 
banned, but rather that software can't be downloaded to a user 
without their consent, without clear notice, without a means to 
uninstall it. So I think that is addressing the behavior.
    And to your earlier question, I mean no, and I think this 
is what Mr. Beales was trying to describe earlier. We don't 
want a world where every time a consumer tries to use any 
program every web page they go to, every click of the mouse 
they're going to get a nothing dialog box saying do you agree, 
do you agree, do you agree? Nobody wants that.
    But I think what we're doing here is establishing when 
things are loaded onto users' computers without their 
permission, from somebody that they have not agreed to. 
Certainly, if it's an update to their Microsoft operating 
system, to their EarthLink internet access, I mean that's 
something that the user has already agreed to and I think 
there's a fundamental difference there.
    And I think that the statute does a pretty good job of 
distinguishing between legitimate and illegitimate users of 
software that's downloaded to a computer without the user's 
knowledge.
    Mr. Strickland. I have some problem understanding the 
difference between my Chairman's position and what I'm hearing 
from some of you in terms of if there's a problem and people 
are being abused in ways that they don't choose to have their 
computer used and is it possible to achieve what Mr. Barton 
wants to achieve and at the same time avoid the problem that 
Mr. Beales, I think, is trying to describe for us? Is there a 
way to accomplish both?
    Mr. Friedberg. I think as Congresswoman Bono mentioned, the 
devil is in the details and I think we all really want these 
bad actors to go away and for us to take back control of our 
computers. Everybody wants that. And we know that one element 
of the solution is kind of focusing on behavior, but when we 
write the clauses and the rules, we need to still tie it down 
to something. That's where the challenge is is tying it to the 
stuff, the software.
    Mr. Strickland. But do you feel that that can be 
accomplished without interfering----
    Mr. Friedberg. It is very, very hard. I have been thinking 
about this a lot and I am a computer scientist by trade and so 
I can tell you how hard it is. There are a couple of areas in 
particular that are very challenging. Uninstall requirements is 
one. The way you do consent is another. I know as a best 
practice I suggest to people in our company to do just in time 
consent and that's this concept of waiting until the most 
relevant moment when the user actually has some context to make 
a decision. If we put in certain rules and I'm not saying any 
particular legislation does this, but that require everything 
that happened in install time or transmission time, we've 
really missed the boat in terms of what, how users make trust 
decision. And we need to think about what's going to make my 
mom make good decisions when she's presented with the software 
and at what point does it make sense to have that?
    I know in Windows, when something crashes, we pop up this 
window's error report. And we do that at the time of the crash 
and we tell the user hey, we might be able to find a fix for 
you if you let us send some data back to Microsoft to figure it 
out. So the user has great context. They know exactly hey, I 
want to keep going, I want my word thing to word and it's okay, 
I'm going to send this data and you can actually look to see 
what data is going to be sent, so you can understand your 
privacy impact at the time of the situation.
    If we ask this question at the beginning, at installation 
time, there's no context. So there's all these different 
paradigms to consider, different ways to do consent, different 
ways to get this notice to show up.
    Another is the user interface issues and design. As people 
pointed out, nobody wants to have 100 of these popups just show 
up and completely color your experience. It doesn't make any 
sense. Also, we have new devices that are coming out almost 
every day and so it's very hard to figure out what their 
requirements are going to be. For example, there's this media 
center edition that we offer that's a 10 foot experience. 
Letters are really big. We only get two lines of text to 
communicate to the user these big issues, so we can't have very 
elaborate notices in that experience and likewise, if I have a 
watch that's really smart and it wants to download some new 
software, I've got very little room to provide that same 
notice. So we have to really think hard about all of these 
different scenarios. And that's why people are saying it's a 
little early. We really haven't had time to look at all of 
these, what I'll call test cases and watch out and figure out 
where the gotchas are. Because if we codify some of this stuff 
into law, suddenly we've tied our hands in an evasion which I 
think is a mistake.
    Mr. Schwartz. Can I address another issue along with some 
of the things that makes this more difficult----
    Mr. Strickland. My time is up, but----
    Mr. Stearns. Sure, why don't we just let them answer the 
question and call it quits.
    Mr. Schwartz. I was just going to say that the complexity 
of--this is not just like one company coming and monitoring the 
behavior of a computer user. These are--it's a complex network 
of affiliates, of individuals that are all involved in passing 
information to each other and cram the software down on 
computer users.
    In the case that we brought to the FTC that we hope that 
there will be action on we found at least four or five 
different parties, two of whom didn't know what was going on at 
all. They were simply kind of pawns in the whole scheme, 
whereas two others, to our mind, seemed to be active actors 
trying to put spyware on people's computers and trying to get 
them to guy software that they didn't really need.
    And in developing this case, it took us 2 months to put 
together and to turn it over to the FTC. It takes a lot of 
resources to put together these cases and track back the entire 
network. I think that's true for spam cases as well. 
Personally, I think we need to see the FTC get more resources 
to be able to go after these kinds of cases. Even if we had a 
new law that got at, closed up some of the existing holes, we 
would still have to have this same problem of being able to 
track down the bad guys.
    Mr. Stearns. Thank you and the author of the bill, the 
gentlelady from California, Ms. Bono.
    Ms. Bono. Thank you, Mr. Chairman. It sure is nice to have 
again your full weight and that of Chairman Barton's behind 
this legislation and since we've started this hearing I think 
I've gained three co-sponsors, so I appreciate my colleagues 
paying attention.
    But I am stymied by a lot of what I'm hearing and I'm also 
encouraged by a lot. First of all, we keep talking about 
prosection, prosecution. What the FTC has certainly failed to 
do is stop the proliferation of spyware and adware. You have 
failed in that. And it has grown exponentially and that is my 
intent. First of all, is to stop this growth, boom in this 
business, but also this bill is really about consumer 
empowerment. And as I mentioned to Mr. Friedberg, the devil is 
in the details in all of the legislation we write here and I 
look forward to working with all of you in industry and my 
colleagues on crafting the perfect legislation. I have been 
revising it day by day, just to address these issues.
    But you know, if we take this away from the realm of ones 
and zeros and change it to durable goods--for example, a car. I 
think Chairman Barton talked about this a little bit in 
trespassing. If I just bought a new car and I drove it home, 
parked it in my garage, would that give the automobile 
manufacturer the opportunity to come to my house and come into 
my garage and fix something because there was a recall notice 
on it without my knowledge? I don't think so. I do agree that 
there are beneficial uses of spyware, but I think if you warn 
the consumer first that this is all we're installing, it should 
be so simple. I love how Congress sometimes loses--I don't know 
that Congress has, but I think some people have, lost common 
sense. What is wrong with consumers simply knowing this is 
being installed. For example, Kazaa. I have two teenagers at 
home. They installed Kazaa. They thought this was great 
software. They were getting all of this free music, until I had 
to remind them about copyright and all of these things. I 
said--I had to point out to them somebody is still making money 
off of this and let me tell you how it works. And that's the 
way this all began. Somebody is making money. But it's not a 
songwriter. It's not a copyright holder. It's a third party you 
don't even know about.
    My question to you, Commissioner, is would you allow that? 
Would you allow--let's say I've taken that new car, that new 
Ford I bought and it's no longer in my garage. I've parked it 
on the street, because it's a public highway, similar to the 
internet. So now I'm going to allow Ford to come by and fix 
that recall notice without my--and this is a legitimate use of 
spyware. I'm actually talking about a legitimate use because I 
believe that Microsoft and Symantec and legitimate software 
companies do warn you and they do say we're going to update 
your software and occasionally they allow you to hit a button 
that says yes, I know you're doing it. Sometimes it happens 
automatically. That's a convenience. I know it's happening. But 
would you allow that to happen to a Ford? Because that's what 
I'm hearing you say right now, it's okay. It's okay or maybe 
you'll enforce it or maybe you'll stop it, but right now it's 
okay.
    Mr. Thompson. Let make something perhaps a little clearer. 
The challenge is the definition, because the same kinds of 
behavior--the same kinds of software can be used for beneficial 
and non-beneficial uses----
    Ms. Bono. Excuse me, Mr. Commissioner, I disagree. I 
disagree. And you know, first of all, again as I've said, the 
beneficial use, most companies do inform you that they're going 
to be collecting data from your computer and they let you know 
that when you install the software. So that could be covered. 
We could allow that. The end user license agreement which is 
pages long, if we simplified to a simple box that would be 
covered, legitimate software sites could be covered. So I don't 
even know that you need to differentiate between because they 
are covered because they are doing that currently.
    Mr. Thompson. What I'm concerned about is if you define 
something that is really based on consent and not in more 
detail about behavior, then the very same thing that people are 
asked to consent to without any context can be used by that 
same company in ways that consumers don't want.
    Ms. Bono. Which leads me, if I can jump because time flies.
    Mr. Friedberg, can you tell me really fast, according to 
PestPatrol, there's something called Alexa and Alexa is a new 
tool bar and apparently it's bundled with Microsoft's Internet 
Explorer and I understand it collects information from websites 
that are visited. Can you briefly describe Microsoft's 
relationship with Alexa?
    Mr. Friedberg. There are two different versions of Alexa 
that I know of. One is a tool bar that Alexa offers that's not 
directly coupled to IE. There's another lighter weight version 
that's actually in IE that provides something called show 
related links. The lightweight version that's actually in IE 
sends an URL to the service and it returns back links that are 
similar to that link that you might be interested.
    It's my understanding that that service does not retain or 
store any data and that the only information that's passed is 
this URL and it's sent back to the user. I can't speak for what 
the Alexa tool bar does. You'd have to talk to them and look at 
their privacy statement and read it very carefully, but again, 
when you look at the spyware results, when people say something 
is something on those lists, you have to look very carefully 
what the criteria is to understand which version of the 
software they're actually ranking. Just to be clear.
    Ms. Bono. I look forward to working with you more on it and 
I know, Mr. Chairman, my time has expired. Thank you very much.
    Mr. Stearns. I thank the gentlelady. The gentleman from 
Arizona.
    Mr. Shadegg. Thank you, Mr. Chairman, I didn't know my time 
was up. I thought we had to go to the other side.
    Gentlemen, let me begin with the gentlemen from the FTC. 
Commissioner Thompson, you said no legislation is needed and 
you said the FTC Act allows the Commission to take action 
against deception now.
    Mr. Beales, you said we have the necessary tools to stop or 
at least address the practice. So both of you contend we don't 
need legislation.
    I want to know how many people you have brought enforcement 
actions against and achieved a penalty against to date?
    Mr. Beales. Well----
    Mr. Shadegg. My time is very limited, just----
    Mr. Beales. It depends exactly what you mean by spyware. 
There are probably--this is a guess and I'll get you for the 
record precisely. There are probably 15 or 20 defendants that 
have been involved in the dialer programs, all of whom have 
been, all of whom have been penalized in one way or the other.
    Mr. Shadegg. I would like you to supply to the committee 
precisely how many you have gone after that you contend could 
be considered spyware and taken action against. Then I want to 
know first, right now, what are the potential penalties you can 
impose?
    Mr. Beales. We can get full redress for whatever money they 
have made from consumers and----
    Mr. Shadegg. Full redress. Can you impose criminal 
penalties?
    Mr. Beales. No, we have no criminal authority.
    Mr. Shadegg. So full redress means they make $200,000 out 
of the deal, they steal that from me, you can get back the 
$200,000. What's the disincentive if all you can get back is 
what they took from me, what's the disincentive for them to do 
that again?
    Mr. Beales. Well, in a typical case, there's not anything 
like $200,000 left. And----
    Mr. Shadegg. I've worked very extensively on identity theft 
legislation and I guarantee you when your identity gets stolen, 
it's nearly impossible to quantify the damages people suffer 
and calculating how much they've suffered is near impossible. 
The point is in all of criminal law, and I used to work for the 
Arizona Attorney General's Office, if all you can get back from 
the bank robber is what he took, there's no disincentive to rob 
the bank. So I guess my question is do you have the ability to 
impose penalties beyond what you think they've profited?
    Mr. Beales. We do not in the typical case of unfair and 
deceptive practices. Many of the kinds of conduct at issue here 
may violate other criminal laws. It's common----
    Mr. Shadegg. Then I want to know if those criminal cases 
have been brought. I want to know all of the cases you've 
brought, all of the penalties you've exacted and then I want to 
know all of the criminal cases that have been brought that 
you're aware of against people that engage in this conduct. And 
I'd like you to supply that to the committee.
    Is that all right?
    Mr. Beales. We will be happy to do our best.
    Mr. Shadegg. Let me move to a separate topic. One of the 
concerns I have is that in many of these agreements that we 
talk about you say well, they're legitimate things that are 
being done. There are also illegitimate things that are being 
done.
    What are you doing with regard to what I call fine print 
permission, that is, I sign an agreement with one of the 
legitimate companies and buried deep, deep, deep in the fine 
print is a very, very small disclosure that says I give you 
permission to get into my computer and do all kinds of things 
that no rational person would want to do.
    Are you pursuing that now?
    Mr. Beales. We think disclosures need to be clear and 
conspicuous. What that means depends on the consequences of the 
particular disclosure.
    Mr. Shadegg. Have you ever looked at the disclosures that 
are required? Have you brought an enforcement action against 
somebody?
    Mr. Beales. We've brought many actions involving 
disclosures that were not sufficiently clear and conspicuous.
    Mr. Shadegg. Okay, I'd like you to supply me with a list of 
those that relate to abuses of, for example, getting into my 
computer and taking privacy information that I don't approve 
of.
    Mr. Beales. I don't think we've brought cases that involved 
end user license agreements. We've brought numerous cases that 
involve insufficiently clear disclosures in a wide variety of 
contexts and the legal principles----
    Mr. Shadegg. But not for as an individual consumer?
    Mr. Beales. I'm sorry?
    Mr. Shadegg. You said not end user license agreements. I 
think we're talking about end user license agreements right 
now, aren't we?
    It's my computer they're getting into and some would 
contend with permission because I signed agreement that had a 
fine print disclosure.
    Mr. Beales. We have brought numerous cases like that, not 
in the software context. The disclosure issue though of is it 
clear and conspicuous is not fundamentally different.
    Mr. Shadegg. Except we're talking about the software 
context and if you haven't brought any of the software context, 
that doesn't sound like that's an enforcement tool that will 
help solve those problems.
    I'm going to run out of time. I want to move on, so I'd 
like to know what you contend fits there.
    You have said that it would be impossible, Commissioner, to 
define this issue. I want you to tell me under what 
circumstances it would ever be appropriate for someone to get 
into my computer without my permission and monitor every single 
keystroke of my computer forever and give that information away 
to somebody else?
    I mean that's one of the most offensive practices that I 
think is going on here is they get into my computer. You talked 
about it. They put a stroke monitor on my computer and they 
know everything I do on that computer and then they sell that 
information or use that information.
    My question to you is, you say it's impossible to define 
this legislation. Under what circumstances would anyone ever 
want to have it occur that someone can get into my computer or 
your computer, monitor every stroke I make without my 
permission and give that information away or use it for their 
benefit, every stroke?
    Mr. Thompson. I can't answer that question because I know 
that it would bother me and I know that one of the problems 
with the legislation that's proposed, to the extent to ask you 
to give permission for context, out of context, you may--what 
I'm worried about is consumers are going to be asked to say yes 
to behaviors they don't even know are going to happen.
    Mr. Shadegg. You just admitted to me that there is never, 
you can't imagine--and this is your business--you can't imagine 
a circumstance under which it would ever be appropriate for 
somebody to get into someone's computer without their 
permission and monitor every single stroke----
    Mr. Thompson. For all circumstances----
    Mr. Shadegg. For ever. I understand that when I go into my 
Bank One account, I have the choice on my computer to say I 
want to permanently register both my user ID and my password. 
That's a single transaction. What's going on here is they're in 
my computer and they do that forever. I quite frankly, and I'm 
running out of time, I do not see a thing different between 
that and wiretapping. And we don't say to people who have 
telephones, you know there's a danger that someone might tap 
your telephone and listen to all of your phone conversations, 
so you should buy a device, we should teach you that, we should 
address this as consumer education, we should teach you that 
that might happen and then you should buy a device to put on 
your telephone that stops them from tapping your telephone. And 
yet what I hear both of you from the FTC saying is that even 
though someone under spyware can get into your computer, 
Congressman, and can without your permission put a stroke 
recorder I think was the term you put on it and record every 
stroke you make and every stroke your kids make and every 
stroke your wife makes and know every where you go and 
everything you do, we think the way to stop that is to tell 
you, Congressman, is to be aware that it might happen and to 
make you go buy something to put on your computer to stop it.
    Mr. Beales. Congressman, I think what we're more worried 
about is the perfectly legitimate download that you agree to of 
that keystroke monitor from the help desk----
    Mr. Shadegg. No, no, no, no. I never----
    Mr. Beales. That's buried in the fine print that gives them 
permission to do that indefinitely.
    Mr. Shadegg. I got a flash, I would never ever, ever agree 
to give permission to someone to monitor every single keystroke 
of my computer for ever and ever, for a week, for a month. I 
might give permission for one transaction. I might give it to 
my bank for two transactions. But that's not the abuse we're 
talking about and you said it's impossible to write legislation 
defining this problem and yet the Commissioner just admitted to 
me that he can't imagine ever a circumstance in which it would 
be appropriate.
    Quite frankly, it's simply identical to my having my 
telephone tapped--I would never give somebody permission to tap 
my telephone.
    Mr. Beales. Congressman, I think it's more akin to having 
an extension on your phone where sometimes somebody picks it up 
and----
    Mr. Shadegg. In my own house? These people aren't in my 
household. These people are somewhere else, they're miles away 
and they're doing this without my permission.
    Mr. Beales. And you invited them in to help you with your 
transaction.
    Mr. Shadegg. Exactly, as if I called the car dealer. If I 
call the car dealer and said I'm interested in a car, I 
wouldn't have said to that car dealer, oh, by the way, because 
I called you you have the right to tap my phone for the rest of 
history.
    Mr. Beales. I agree. If that was in the consent, I wouldn't 
think it was adequate, but that's because it's not a consent 
problem, it's a behavior problem.
    Chairman Barton. Will the gentleman yield?
    Mr. Shadegg. I think it is a consent problem and I think 
the last point here that I want to make is----
    Chairman Barton. I would ask unanimous consent that Mr. 
Shadegg have an additional 2 minutes.
    Mr. Stearns. Unanimous consent, so ordered. I would point 
out to the chairman we're going to have a second round here, so 
I would encourage the gentleman from Arizona to stay around.
    Mr. Shadegg. Unfortunately, I can't stay around, but I'd be 
happy to yield.
    Chairman Barton. If I have a problem with my telephone, I 
call Southwestern Bell and I say there's something wrong with 
my phone line. And Southwestern Bell sends a repairman to my 
house to check the phone lines and hopefully repair it, but the 
Southwestern Bell repairman doesn't just move in with me.
    He doesn't say what's for supper and what are you going to 
be watching on TV and you know. Put a beeper on me so that 
wherever I go make sure that I'm home in time to cook and clean 
for him.
    So I just simply don't understand why we can't agree that 
these unwanted intrusions should be totally explicitly illegal. 
We're not talking about asking Microsoft when I buy the 
computer, we have to sign an agreement to use the Microsoft 
operating system on the computer. We're not talking about that. 
We're talking about programs that get put on our computer 
without our knowledge and are doing things that we don't want 
to be done and taking information that we don't want to be 
taken.
    Do you all agree with that?
    Mr. Beales. I do. I think it's a question of whether you 
try to prohibit that and make it illegal under the general 
approach of the deceptive practices that were used to install 
it, or whether you try to write legislation that draws bright 
lines and says you have to do it exactly this way.
    We agree there's a problem. We agree that the kinds of 
conduct you're talking about here are illegal. The question is 
what's the best kind of a statute to address that. Is it the 
general deceptive practices authority we've already got or is 
it something more specific that says go through these hoops and 
that constitutes consent to this keystroke logger that lives 
there forever.
    Mr. Shadegg. Let me just tell you where I see you're coming 
from from my perspective. You're telling us--and I'm a former 
prosecutor with the Attorney General's Office in Arizona. 
You're saying current law is adequate to handle this problem. 
Oh but, we're really not enforcing the law right now. We think 
you can't define the issue, although I just gave you a 
definition that neither one of you could say you're right, 
Congressman, that ought to happen some time. And then your last 
answer is self-regulation. I am typically a guy who believes 
very much in industry self-regulation. But Commissioner 
Thompson, you pointed out that we've got criminals out here 
engaged in this activity that don't care that it's already 
illegal. You tell me how the legitimate industries are going to 
stop those criminals with self-regulation. It's not going to 
happen.
    We've got a wide open door for criminals here. Your answer 
is well, give us time, we may bring an action later. I'm sorry, 
I just don't think--of course, it's difficult to write a law in 
any area. We understand that writing definitions in this kind 
of complex area of any law is very difficult and we don't want 
overly broad legislation, but I've got to tell you, doing 
nothing about the fact that somebody can get into my computer 
and record every single stroke on it and that I ought to try to 
self-protect against that which to me is wiretapping of the 
current generation, just makes no sense.
    I applaud Ms. Bono and yield back my time.
    Mr. Stearns. The gentleman's time has expired. My unanimous 
consent, we have a guest who is not a member of the full 
committee or the subcommittee, obviously. We're going to allow 
an opportunity for him to ask questions for 3 minutes and then 
we'll have a second round for anybody who would like to--just 
for the members, we'll have an opportunity for a second round 
and Mr. Inslee will be offered one opportunity for 3 minutes. 
So I recognize the gentleman from Washington.
    Mr. Inslee. Thank you, Mr. Chairman. First I want to thank 
Mary Bono for her vision on this to understand that action was 
needed by Congress and she's been ahead of the curve and I look 
forward to working with her and others on this. I want to thank 
the committee chair for allowing me to participate and the 
reason is that I'll be introducing an alternative, a bill to 
try to address this very difficult issue. And I believe it is 
clear that we need to act and I'm disappointed that the 
Commission has allowed the difficulty of this task to overwhelm 
the obvious necessity for action here because we do need 
action.
    The bill I will be introducing will have two approaches and 
I think it's a pleasure to hear the testimony of the witnesses 
because it sounds like we might be on the right track. No. 1, 
the bill I will be introducing will address behavior, rather 
than just a designation of type of software and I've heard sort 
of unanimity of the panel to date, suggesting that that's a 
model that will allow us to cut with a sharp scalpel, rather 
than a blunt instrument and that's what we need to do in this 
highly tech area.
    Second, it will try to have just in time notice and consent 
because in thinking through this, to me, having the consumer 
have the ability to do notice and consent at the time of the 
execution rather than just even a transmission will be a 
preferable way to do this. So that's the two thrusts and I look 
forward to working with the committee members on that.
    I want to just give the Commission a moment, my take on 
what is going on is the reason there has been such a 
spectacular failure by the American government to protect 
consumers from this outright abuse of their privacy that is 
going on in hundreds of thousands of cases today is that we 
have a 20th century law trying to regulate a 21st century type 
of new technology. And what I hear from the Commission today is 
kind of like if in the wild West if the bunch rode in and 
robbed the bank, the regulators are trying to say that the 
townspeople would say well, let's call for self-regulation. I 
don't think that's what the townspeople are calling for here. 
They're calling for a strong sheriff and a clear definition of 
what is allowable and now allowable.
    Now isn't it true that the reason that you haven't taken 
much enforcement action despite these hundreds of thousands of 
privacy violations is that there is relatively great ambiguity 
and vagueness that makes prosecution very difficult for you 
right now because we have so much vagueness in existing law?
    Mr. Beales. No.
    Mr. Inslee. Then what is the reason?
    Mr. Beales. The reason--what limits our ability to bring 
these cases is that, and your bank robbery analogy is somewhat 
apt, is the bad guys ride off into the hills. But these are 
cyberhills and there are no footprints.
    Mr. Inslee. Well, that just won't wash. In today's 
technological society so that that we have hundreds of 
thousands of violations and you can't find a half dozen 
violators, that doesn't wash. You need to hire some people that 
come out of private enterprise, if you can't find these guys.
    My time is limited, I need to ask another question. There 
was discussion about notice and consent and we'll get to that 
next round, if you will allow, Mr. Chair.
    Mr. Stearns. Well, I was just hoping you will participate 
and I give you that opportunity, but I'll start with myself 
with the second round of questions and I thank the gentleman.
    We have the chairman of the Oversight and Investigations 
Subcommittee and I am very pleased to see him arrive. Before I 
start, Mr. Greenwood, congratulations and we welcome you here. 
If you want to have some questions, you're welcome.
    Mr. Greenwood. I do. Good morning, gentlemen. I apologize 
for missing the hearing heretofore, but it couldn't be helped.
    On my home computer, I have experienced what my staff tells 
me is called browser hijacking. And that is we have a home page 
that we had set up that's useful to our family and all of a 
sudden this bizarre home page is there and it won't go away. I 
keep going back and re-establishing, resetting MSN, I think it 
is, is our home page and this thing pops up and it's annoying 
in a lot of ways, but one of the ways it's annoying is if you 
try to use it as a search engine, it only goes--it doesn't take 
you where you want to go. It only goes to commercial sites that 
are trying to sell you something.
    And my staff fellow who is with me this morning said that 
he just checked his computer and he has 81 spyware programs 
that have been stuck into his computer. So the question is 
first off, can anyone define for me, browser hijacking just so 
I know we're on the same page. And then has the question--has 
the FTC taken any actions? I believe there's been a complaint 
filed by CDT against MailWiper and also against Seismic 
Entertainment Productions. Has the FTC taken any action with 
regard to browser hijacking? If so, what is that? And under 
current laws, would browser hijacking be actionable and does 
the FTC have additional authority to pursue those actions?
    There are all the questions and I'd be happy to hear from 
any of you that would like to comment on any of those 
questions.
    Mr. Friedberg. I'll just start by defining browser 
hijacking for you. It's the changing of the key settings in the 
browser, specifically the home page or the search page without 
appropriate notice and choice to the user.
    Mr. Greenwood. I'm sorry, I was interrupted. Say that 
again?
    Mr. Friedberg. It's the changing of the key settings in the 
browser, specifically the home page and the search page are 
most common without appropriate notice and choice where you 
aren't told and you can't undue it.
    Mr. Greenwood. Is it illegal?
    Mr. Beales. Yes, it is. We have brought cases that 
challenged the practice of page-jacking which is essentially 
the same thing. You try to go to one page and you end up on 
another. We've challenged that as an unfair practice and have 
been successful in doing that.
    Mr. Greenwood. You have been successful. And what 
consequences have people who have successfully been prosecuted 
faced?
    Mr. Beales. That particular case was one that was brought 
in about 2000, I believe, and I don't know exactly what the 
sanctions were in that particular case.
    In general, we can get full redress for consumers who have 
been injured. We get a permanent injunction----
    Mr. Greenwood. What would be--how do you redress me? How do 
you--my wife has been trying for years, but how do you 
compensate me fairly for this experience?
    Mr. Beales. Well, in cases where injury is difficult to 
assess and this is certainly one, we would frequently go on a 
disgorgement theory of getting back all the money that whoever 
was behind this had received.
    Mr. Greenwood. It's obviously continuing to be done with 
impunity, the people who do this must not have--they obviously 
don't think they'll ever be caught or if they think that if 
they do, they'll make enough money that it will be well worth 
their effort.
    What do we do about that?
    Mr. Beales. We are trying very hard to make sure they're 
wrong on both counts.
    Mr. Greenwood. So what should a consumer do? What should I 
do in this case? What are my options as a consumer to respond 
to identify the printout, the home page, the uninvited home 
page and send it to the FTC or what?
    Mr. Beales. As a way to complain, yes. We would love to 
hear from consumers about specific complaints. That's very 
useful to us as the starting point of an investigation.
    Mr. Greenwood. What's the most difficult--obviously, anyone 
watching this hearing anywhere in the country right now, I 
imagine a very significant portion of them, that's exactly what 
happens to me and they could all make complaints to the FTC. 
What's your resources limitations have to do with how much 
action would actually occur?
    Mr. Beales. What we use our complaints for and if anybody 
is watching, complaints can go to www.ftc.gov. What we use our 
complaints for is to identify targets for law enforcement based 
on the volume of complaints. We do not have the capability to 
resolve individual complaints, but it does help to figure out 
what kinds of practices are out there, who is doing them and 
then target our enforcement actions against those cases.
    Mr. Greenwood. My time is up, but do plaintiff's attorneys 
file Class Action suits in these cases with any success?
    Mr. Beales. I don't know of any in these cases. The problem 
that we have in terms of financial relief for consumers is that 
there's not money and that tends to make them unattractive 
cases for plaintiff's attorneys as well.
    Mr. Schwartz. In the MailWiper case that you mentioned that 
we brought to the FTC's attention, there is a class that's 
bringing a case in North Dakota right now against the same 
companies that we filed the complaint against.
    Mr. Greenwood. Thank you, Mr. Chairman.
    Mr. Stearns. I thank my colleague and I thank him for 
taking the time to come out.
    I'll start the second round of questioning. Do any of you 
know about the law that passed in the State of Utah?
    Mr. Baker, as I understand, this law allows a private right 
of action, so what Mr. Greenwood is talking about or Mr. 
Shadegg is talking about, I think they have a private right of 
action.
    Mr. Schwartz, is that correct?
    Mr. Schwartz. No, you would need to be a website owner or a 
trademark holder. So unless Mr. Greenwood runs his own website 
out of his house, he would not be able to sue in the private 
right of action under the Utah bill, Utah law.
    Mr. Stearns. Well, I mean I'm trying to get to the point 
that Mr. Greenwood and Mr. Shadegg touched on. What rights 
should consumers have in the courts when this occurs?
    Mr. Baker?
    Mr. Baker. Speaking to the Utah law specifically, Mr. 
Chairman?
    Mr. Stearns. Yes.
    Mr. Baker. There's great concern among the industry, many, 
many companies that the Utah law is overbroad.
    Mr. Stearns. Overbroad. Because it allows too much 
possibility of litigation?
    Mr. Baker. Not so much that is that it outlaws too many 
things and there's great concern that, for instance, a 
library's attempt to install filtering software to keep 
children and other patrons free from pornographic websites or 
parental controls even, that those--that this wall would, in 
fact, bar applications such as that. I don't think that that's 
what any of us would be after.
    So getting back to the House bill, one of the things we 
like about the pending legislation here is in fact the pre-
emption provisions because we are concerned. It would be a 
cruel irony if, in fact, you have an anti-spyware statute that 
is so broad that it might even bar the downloading of anti-
spyware software.
    Mr. Stearns. Right, so I think it's important to say we see 
one State passed a law and we should understand what's good and 
what's bad about it, so that if we move forward on the Federal, 
that we not incorporate the bad and try to do what's good. And 
at the same time, do you think a Federal law should prevent 
private right of action?
    Mr. Baker. This is just a personal observation.
    Mr. Stearns. Yes.
    Mr. Baker. I'm always a little wary of private rights of 
actions in Federal legislation and this was one of the things 
that was debated in the recent Canned Spam Act, for instance. 
Ultimately did not--was not included, because you do run the 
risk there of otherwise legitimate companies facing the wrath 
of multiple lawsuits.
    Mr. Stearns. And Mr. Friedberg, how do you feel about that, 
do you agree with Mr. Baker in that respect?
    Mr. Friedberg. I really can't comment on private rights of 
action. That's not my expertise.
    Mr. Stearns. Okay, anyone else? Mr. Schwartz?
    Mr. Schwartz. We're usually in favor of private right of 
action in this type of case. It would depend on the definition 
though if it is overly broad. We would have concerns about how 
that might be misused in the courts. But generally speaking, we 
would want to see private right of action in a privacy law that 
would move forward.
    Second, the Attorneys General, as well, that's something in 
the Utah law that Attorney General, even the Attorney General 
in the State of Utah can't act. That seems to us to be a 
concern as well. We want to see the Attorneys General have some 
power as well.
    Mr. Stearns. I would just say in passing to the 
Commissioner, we passed the Spam Act which prevents all this 
spam material coming into the computer and then we passed the 
Do Not Call List which was saying we didn't want to have 
telemarketers come into our home. So if you follow the logic in 
both of these you're vigorously implementing, if we're trying 
to talk about e-mails and we're talking about telemarketing, it 
seems to me then the Federal Trade Commission would welcome 
some kind of Federal legislation to prevent spyware.
    Does that seem logical?
    Mr. Thompson. I understand your point. As was said earlier, 
the devil is in the details. The Canned Spam Act is an 
interesting piece of legislation. It's still a very significant 
challenge to get at the worst actors who are involved in spam 
for a number of different reasons, including the fact that most 
of the people who are the most egregious actors really don't 
care about the law. And that's where the real challenges rest.
    Let me say this too. I don't want the Commission to be 
characterized as being uncaring or inactive----
    Mr. Stearns. No, I want to give you the last word here. 
Here's your chance.
    Mr. Thompson. We brought the workshop to bring public 
attention to this issue. We're asking industry to self-regulate 
for one very important reason, we want them to begin to outline 
standards. That's going to be instructive for us on this issue 
going forward no matter what, not only on talking to consumers 
about what's good behavior and what's bad behavior, but even in 
talking to us as law enforcers or talking to legislators about 
understanding where that line is.
    Right now, that discussion hasn't really taken place and 
that's one of the reasons why we've asked for the workshop to 
begin to outline the parameters of what this issue is about.
    Mr. Stearns. Thank you. My time is expired. The chairman of 
the full committee, the gentleman from Texas, Mr. Barton.
    Chairman Barton. Thank you. I want to ask Mr. Friedberg a 
question. Your responsibility at Windows is to monitor the 
privacy protection that is built into the base Windows program, 
is that right?
    Mr. Friedberg. Actually, the way I define my job is I would 
like to think that I make people feel better about using 
Windows by protecting their privacy, most notably by giving 
them notice and choice and appropriate control.
    Chairman Barton. Is it Microsoft's assumption that the 
computer in a person's home is that person's private property?
    Mr. Friedberg. Their physical hardware, yes, I believe they 
license the software from us.
    Chairman Barton. Is it Windows' position that access to 
that computer is the prerogative of the person who owns it in 
their home?
    Mr. Friedberg. A person should be able to control what goes 
on in their computer, sure.
    I don't know,d id that answer your question?
    Chairman Barton. So if we wanted to postulate such a thing 
as computer trespass, just like if somebody walks through the 
physical front door of my home without my permission, they've 
created a crime. They've trespassed.
    So if somebody comes into my computer without my permission 
and I chose to prosecute whoever came in to my computer, I 
could accuse of them criminal or computer trespass. Now I don't 
know that there is--I'm not an attorney and this isn't the 
Judiciary Committee, but the concept of computer trespass.
    Mr. Schwartz. I was just going to add that the Computer 
Fraud and Abuse Act is partially aimed at that idea. If there 
is damages, certain kinds of damages, the Department of Justice 
is supposed to be able to go after companies that do trespass-
caused damage on people's computers. We haven't seen them act 
in these kind of cases though.
    Chairman Barton. We're kind of talking past each other. In 
my first round with Mr. Thompson, Commissioner Thompson and 
Director Beales, they were talking about deceptive trade 
practices. I don't consider it a deceptive trade practice when 
somebody violates my privacy. They've trespassed against me.
    We all seem to be in agreement that if it was a live person 
coming into our home, that wouldn't be right unless we wanted 
them in our home. But when we talk about using the internet to 
come into our personal computers, then you get into this debate 
about if it's fair or unfair and all the good things that 
theoretically happen when people do come into our computers 
without us knowing about it.
    Well, I can have a debate that all day, but I want to ask 
the gentleman from Windows if this concept of computer trespass 
is something that we can work with?
    Mr. Friedberg. From a personal perspective it makes 
intuitive sense to me. I very much believe in making sure 
there's consent before someone does something on your computer.
    Chairman Barton. Now I understand that the FTC doesn't have 
criminal prosecution ability. You're civil. You can fine 
people, but if we worked with the Judiciary Committee to define 
as a crime the concept of computer trespass, Commissioner 
Thompson, is that something that the FTC would be comfortable 
working with us to get the definition right?
    Mr. Thompson. We are always happy to work with the 
committee. Let me just point out a challenge though. The 
trespass issue is an interesting issue. What I find more often 
the question is defining when you've actually invited people in 
and going further is when you've asked them to actually come 
into your kitchen because you may have asked them to come in to 
your house, but you may not have asked them to walk around to 
places where you didn't want them to walk around.
    Chairman Barton. I understand that. And I from time to time 
on my personal computer in Inez, Texas have downloaded Windows 
software and I have downloaded game, videogame software from 
certain companies and I wanted that. Now if they put something 
on my computer when I downloaded what I wanted that I didn't 
know about to track my behavior, I want to put a stop to that.
    If I open my door and there's somebody from Amway outside 
the door wanting to sell me a product, I can make a decision 
and invite them in and buy the product or not buy the product. 
And even to this day and age, Inez, Texas is a small enough 
town that we do have some door to door salesmen and saleswomen 
still come by and I'm okay with that, so I want to apply that 
same concept of privacy, the physical front door, to the 
computer front door. And I want the Microsoft people to help us 
and I want the FTC people to help us and at a certain point in 
time, we want the Department of Justice to help us.
    If you all understand that, then we're going to be okay. 
Nobody is trying to prevent a legitimate business entity from 
providing a product that is wanted to the end user in their 
home. We're all, I think, trying to prevent the unwanted 
intrusion that is used for purposes that we have not approved 
and most of the time without our even knowing about it. That's 
what we're trying to prevent.
    Mr. Friedberg. We are very eager to work with anyone who is 
trying to address this problem.
    Chairman Barton. With that, Mr. Chairman, I'm overextended 
again and I'm going to yield back.
    Mr. Stearns I thank the chairman.
    Chairman Barton. Let me say one final thing. I don't want 
anybody to be under the impression that this hearing is just a 
hearing and nothing is going to happen. We are going to move 
heaven and earth to work on a bipartisan basis to modify the 
Bono Bill and move it at subcommittee and at full committee and 
onto the floor and through the House and hopefully get a 
companion bill in the Senate and go to conference and get a 
conference report that's passed by the House and the Senate 
this year.
    I'm not guaranteeing that that will happen, but that is the 
intent of this hearing to start the process, regular order to 
make that possible.
    Mr. Stearns. I thank the chairman. The gentlelady from 
California.
    Ms. Bono. Thank you, Mr. Chairman, I kind of liked it up 
there in that big fancy chair, but I'm happy to be back here 
and to Chairman Barton, also you forgot the best part of due 
process and that was where the President signs the bill, 
ultimately, so I'm looking forward to that day as well.
    Chairman Stearns has mentioned repeatedly, I believe, about 
what will become a patchwork of State laws and we've seen the 
Utah bill. There's also a pending bill in State legislature of 
California that was introduced in February. Now as I understand 
the language, and what it does, they say it prohibits a person 
or entity conducting business in California from hijacking a 
user's computer, from inhibiting the termination of a computer 
program and from surreptitious surveillance of a user's 
computer in California.
    I don't know that that protects the California consumer, 
but I know that lends to the nightmare of patchwork of 
different State laws, so I think that further gives weight to 
what we're trying to do here.
    I also want to point out that California was the first 
State to pass anti-spam legislation.
    Commissioner Thompson, I understand you opposed anti-spam 
legislation on the Federal level. Is that true or did you 
support anti-spam legislation?
    Mr. Thompson. I don't believe I expressed opinion one way 
or the other.
    Ms. Bono. Okay, did the FTC oppose originally?
    Mr. Beales. The FTC at various points along the way did not 
recommend legislation.
    Ms. Bono. Okay, and are you using it now?
    Mr. Beales. Well, when canned spam passed, it was with the 
Commission's support. We are announcing our first case is 
today.
    Ms. Bono. Great news. Hopefully that will be the same case 
here, that we're going to turn you guys around too and we'll be 
one big happy family.
    But on to Microsoft, you mentioned a problem with my bill 
and I wanted a one-step removal tool. As I understand it, with 
Kazaa or a real fun version of spyware, adware, I guess Bonzi 
Buddy. If you guys are parents, you know what I'm talking 
about, this cute little purple gorilla swings suddenly on your 
monitor, and kids love to download this little Bonzi Buddy. But 
to remove it is nearly impossible, and when we've tried to 
remove little Bonzi Buddy, the purple gorilla, he somehow comes 
back. Is it that impossible? Microsoft, with all of these 
programs, especially Windows XP, why can't we do one step 
removal tool?
    Mr. Friedberg. Well, actually, it largely due to the bad 
actor in this case. If they don't provide that kind of 
functionality when they install the software, it's going to be 
hard to figure out how to remove it.
    I totally advocate the goal of trying to make things as 
easy for people to uninstall as possible. The only trick, 
again, the devil is in the details is that software is a 
complex kind of beast and there's scenarios where it's very 
hard, if not impossible, to remove parts of software without 
removing larger chunks of things. You can't remove things, for 
example, that are already in use by other programs and certain 
things that might be for security, you might want to think 
twice about removing.
    Trying to get it right in codifying into law how an 
uninstall should work is what's the challenge, not the intent 
of having control over your system. Fully agree, we want to be 
able to get rid of stuff when we don't want it. At a minimum, 
disable it, neutralize it and at best actually not having any 
remnants left over. It's just kind of challenging to do it in 
all cases.
    Ms. Bono. It's like those little .dll files, isn't it?
    Mr. Friedberg. The problem is legitimate software has 
reasonable scenarios where uninstall is just not that easier. 
It's the way software is.
    Ms. Bono. Well, it seems to me that if this law were 
passed, that when people installed this onto computers, they 
would just have to come up with a way to do it, and it's common 
sense to me if you instruct him to build a program that way 
that they could. If we don't tell them to do it, they're not 
going to do it. But is it your understanding to? Am I missing 
something on removing Bonzi Buddy and Kazaa? Are they sort of 
self-perpetuating?
    Mr. Friedberg. There's this other kind of problem and some 
people call them tickler applications and stuff like that. 
They'll actually attempt to reinstall a piece of software after 
you've deleted it. I consider this very deceptive practice 
since it's a covert install and hopefully there are laws 
already that sort of address this kind of behavior.
    Ms. Bono. How is that different than a virus? I understand 
how it's different than a virus, but I'm hoping you'll answer 
the question the way I want you to answer it. A virus we all 
see as detrimental because it's self-replicating and it passes 
from computer to computer without knowledge. But suddenly now 
because somehow you've downloaded this thing and it's not self-
replicating, just because it's passed on by a third party, in a 
sense it is a virus. I see it as a virus without the self-
replicating tool, but it's just as harmful as a virus is.
    Mr. Friedberg. Along those lines, when you look at a virus, 
people talk about viruses because of how they propagate, as you 
point out. And it's the payload inside the virus that's the 
issue. I mean some viruses might be benign in terms of how they 
actually do what they do. They may just count things or 
something, who knows?
    But it's what the payload is doing and if someone is doing 
something destructive on your machine, they should be punished, 
regardless of how it got there.
    Ms. Bono. Thank you. Can you briefly define for the sake of 
refining my legislation two points, why a cookie is not 
considered spyware?
    Mr. Friedberg. A cookie is just a simple data storage 
facility. It makes life easier for people who may surf the web 
in order to keep state. It's not an active component and the 
way the web is set up, these cookies are only read by the 
websites that put them there. It's their local storage to make 
life easier for you.
    It's up to them, the site that you're going to, to tell you 
what they're going to do with the cookie and you now, if 
they're going to track you or do some kind of behavior like 
that, it needs to be in their privacy statement. But cookies in 
themselves are not necessarily anything worse than a file.
    Ms. Bono. Thank you. Also, are there any type of spyware 
functions that are utilized in good ways for the enabling of e-
mail or instant massaging?
    Mr. Friedberg. I just think of spyware using that term as 
something that's a negative. I would never consider something 
spyware as being a positive thing. The functions of spyware may 
have positive elements. For example, tracking. I know I got to 
Amazon.com and I get suggestions for books I might want to read 
that are similar to other books and I like that. I call that 
personalization when the tracking is done with my consent. I 
have control over it and it's to my benefit. So tracking is not 
the problem. It's unauthorized tracking or covert tracking 
which is spying.
    I can't imagine a time where that's valid, except for maybe 
some small examples, for example, as a parent, maybe you want 
to track the behaviors of your children and you want to have 
the right to be able to put some kind of key logger to be able 
to see what they're doing. If that's okay by local law, then 
that should be permitted. Likewise an employer/employee 
relationship. If it's allowed that you can monitor employee 
behavior, you're going to use one of these tools that we talked 
about and that's a valid, potentially legal use that makes 
sense.
    Ms. Bono. Actually, the bill clearly defines those two uses 
as fine. But also, I always think that's sort of repetitious 
anyway because the owner of the computer is generally the 
parent, first of all. So you're installing it on your own 
property and I would think the same with an employer, but we do 
define those two in the bill.
    Mr. Chairman, I have gone over my time. I just really want 
to thank you for this hearing and thank our panelists. I really 
look forward to passing something that protects the American 
consumer and continues to broaden the American experience with 
computers.
    Mr. Stearns. I thank the gentlelady and we'll conclude our 
hearing.
    Mr. Friedberg, I think you answered her question when the 
question was it's not easy to take the spyware off your 
computer. If I went back to my computer without having a high 
tech person, I couldn't do it, could I?
    Mr. Friedberg. Actually, what I recommend to people 
nowadays is to use a third party and a spyware tool.
    Mr. Stearns. You need a spyware tool, you need a third 
party and somebody needs to have technical expertise.
    Mr. Friedberg. As of today.
    Mr. Stearns. As of today.
    Mr. Friedberg. That's the situation. These things are 
relatively new and people are just trying to catch up with the 
way that they're doing what they're doing.
    We would like to see longer term solutions that are more 
holistic, especially in the technology area because we have 
some control over that, that make it less likely that this can 
happen to you.
    Mr. Stearns. But I think it goes to the heart of what Ms. 
Bono has mentioned is, in the heart of the discussion today is 
that the average consumer cannot take these off themselves and 
second, they don't even know they're on the computer.
    Mr. Friedberg. I can't take them off myself.
    Mr. Stearns. You can't.
    Mr. Friedberg. I use a third party tool at this point.
    Mr. Stearns. Okay.
    Mr. Friedberg. And I'm looking for relief as well.
    Mr. Stearns. I'll just conclude by saying that I think 
spyware is not just at our gates, but through the gate, through 
the door of our homes and now in our computers with full spying 
privileges and I think this hearing has brought a lot of 
information to the forefront and helps obviously all of us as 
legislators to think this through and try to come up with 
legislation which is balanced and I want to thank all of you 
for your time and your patience. With that, the subcommittee is 
adjourned.
    [Whereupon, at 12:22 p.m., the hearing was concluded.]
    [Additional materal submitted for the record follows:]

    Prepared Statement of Roger Thompson, Vice President of Product 
                     Development, PestPatrol, Inc.

    Mr. Chairman and Members of the Subcommittee, thank you for the 
opportunity to submit comments on the important issue of spyware and 
its threats to the security and privacy of consumers and businesses.
    Before I offer an assessment of the situation and possible actions 
to address it, let me provide a brief overview of my company. 
PestPatrol was founded in May 2000 by a team of security software 
professionals to counter the growing threat of malicious non-viral 
software. We are the leading provider of anti-spyware software to 
consumers. Our database of malicious code--what we call ``pests''--is 
the most extensive in the industry and serves as the basis for many of 
the research results about which we read in the press.
Definition Debate
    No one debates that spyware is becoming a relentless onslaught from 
those seeking to capture and use private information for their own 
ends. However, there continues to be much debate about what constitutes 
spyware.
    While that debate is an important one in terms of possible 
remedies, we can count the cost that unfettered spyware is having on 
individual users as well as on corporate networks. Regardless of 
whether we agree to divide the term spyware into various subsets such 
as adware or malware, the truth is that any software application, if it 
is downloaded unknowingly or unwittingly, and without full explanation, 
is unacceptable and unwelcome.
    At PestPatrol we define spyware as any software that is intended to 
aid an unauthorized person or entity in causing a computer, without the 
knowledge of the computer's user or owner, to divulge private 
information. This definition applies to legitimate business as much as 
to malicious code writers and hackers who are taking advantage of 
spyware to break into users' PCs.

Spyware Dangers Real and Extensive
    The dangers of spyware are not always known and are almost never 
obvious. Usually, you know when you have a virus or worm--these 
problems are ``in your face''. Spyware silently installs itself on a 
PC, where it might start to take any number of different and unwanted 
actions, including:

 ``Phoning home'' information about you, your computer and your 
        surfing habits to a third party to use to spam you or push pop-
        up ads to your screen
 Open up your computer to a remote attacker using a RAT--a Remote 
        Access Trojan--to remotely control your computer
 Capture every keystroke you type--private or confidential emails, 
        passwords, bank account information--and report it back to a 
        thief or blackmailer
 Allow your computer to be hijacked and used to attack a third party's 
        computers in a denial-of-service attack that can cost companies 
        millions and make you liable for damages
 Probe your system for vulnerabilities that can enable a hacker to 
        steal files or otherwise exploit your system.
    The newest threat is that of large numbers of captured personal 
computers mobilized into ``Bot Armies'' and used to launch highly 
organized Distributed Denial of Service (DDoS) attacks aimed at 
disrupting major business or government activity. Individual PC users 
are never aware that their machine is being used to disrupt internet 
traffic. There is currently little or no recourse to a legal solution 
even if the occurrence can be monitored.
    Many PC users have unwittingly loaded, or unknowingly had spyware 
downloaded onto their computers. This happens when a user clicks 
``yes'' in response to a lengthy and often extremely technical or 
legalistic end user licensing agreement. Or it happens when a user 
simply surfs the web, where self-activating code is simply dropped onto 
their machines in what is known as a ``drive-by-download.''

Spyware Harms Computer Performance
    The misuse of technology and hijacking of spyware is a real and 
present danger to security and privacy. Unfortunately, the ill effects 
of spyware do not stop there. Spyware seriously degrades computer 
performance and productivity.
    Testing earlier this month at the PestPatrol research laboratory 
revealed that the addition of just one adware pest slowed a computer's 
boot time--the amount of time it took to start up and function--by 3.5 
times. Instead of just under 2 minutes to perform this operation, it 
took the infected PC close to 7 minutes. Multiply that by a large 
number of PCs and you have a huge productivity sink hole. Add another 
pest and the slow-down doubles again.
    We also tested web page access, and again it took much longer once 
a pest was added to a clean machine. Almost five times longer in fact 
for a web page to load on an infected PC. The pest also caused 3 web 
sites to be accessed, rather than the one requested, and caused the PC 
to transmit and receive much greater amounts of unknown data--889 bytes 
transmitted compared to 281 transmitted from the clean machine, and 
3086 bytes received compared to 1419 bytes received by the clean 
machine. This translates into significant increases in bandwidth 
utilization. Managing bandwidth costs money.

Increased costs due to unnecessary consumption of bandwidth on
    individual PCs, and the necessary labor cost in rebuilding systems 
to ensure they are no longer corrupt is virtually unquantifiable. It's 
likely quite large. System degradation is time consuming for the 
individual PC user and even more so for network administrators managing 
corporate networks. Even new PCs straight from the factory come loaded 
with thousands of pieces of spyware, all busy ``phoning-home'' 
information about the user and slowing down computing speeds.
    Users do not invite this spyware onto their machines and should not 
have to live with it. Clearly this level of infestation is stepping 
beyond the bounds of what is fair and reasonable.

Solutions
    On the basis of our extensive work in this area, we at PestPatrol 
believe only a combination of consumer education and protection, 
disclosure through legislation, and active prosecution will provide the 
answer needed to address the spyware threat. None of these solutions by 
themselves is enough. While we advocate and applaud industry self-
regulation, we do not believe that it alone will be speedy or dramatic 
enough to address the spyware problem.
    The first line of defense is education and protection. Any 
individual or business connected to the Internet today has to realize 
they are part of a complex network that is inextricably intertwined. 
Creators of spyware take advantage of that fact, plus the knowledge 
that most PC users are not sophisticated technologists. As an industry, 
we have begun to make computer users aware of the spyware threat by the 
creation of and active outreach by several groups and organizations. 
PestPatrol is a founding member of the Consortium of Anti-Spyware 
Technology, or COAST, a non-profit organization of anti-spyware 
companies and software developers committed to best practices.
    Consumer education about spyware and promotion of comprehensive 
anti-spyware software aimed at detecting and removing unwanted pests is 
fundamental to our outreach. Our efforts are modeled after the decade-
long effort by anti-virus software companies to raise awareness about 
virus threats. However, we also acknowledge that consumers, precisely 
because of the insidious nature of spyware, can only do so much to 
protect themselves, and cannot be alone responsible for controlling the 
spread of spyware.
    Which brings us to the second line of defense--disclosure 
legislation. All applications, including those that are bundled and 
downloaded along with free software and with legitimate commercial 
applications, should be readily identifiable by users prior to 
installation and made easy to remove or uninstall. It is this 
transparent disclosure, and the ability of consumers to decide what 
does and does not reside on their systems, that needs to be legislated. 
Consumers should have the ability to make fully informed decisions 
about what they choose to download onto their machines, while 
understanding the implications of doing so.
    The third line of defense is aggressive prosecution. The deceptive 
practices employed by many spyware developers are already illegal under 
existing laws against consumer fraud and identity theft. Law 
enforcement agencies at the federal and state level should be 
encouraged to more aggressively pursue and prosecute those who 
clandestinely use spyware to disrupt service, steal data or engage in 
other illegal activity. A greater focus on spyware and the necessary 
allocation of resources to pursue this criminal activity is vital.
    Spyware is a significant threat to the effective functioning and 
continued growth of the Internet. It is more than a nuisance. Given the 
dangers it represents, it is important that consumers, business and 
government work together to address the issue and safeguard the 
productivity and utility of the Internet computing environment.
    I sincerely appreciate the opportunity to present my company's 
ideas on how to achieve this goal. Thank you.
                                 ______
                                 
              Prepared Statement of Webroot Software, Inc.

    Webroot Software, Inc. appreciates the opportunity to provide 
written comments in conjunction with the Subcommittee's hearing on 
spyware. The hearing title is most appropriate. Spyware presents a 
serious problem for both the public and businesses, yet there is still 
minimum awareness about the significant risks associated with the rapid 
growth of spyware.

Experts at Fighting Spyware
    Webroot Software, Inc., was founded in 1997 to provide computer 
users with privacy, protection and peace of mind. Today, Webroot 
provides solutions and services for millions of users around the world, 
ranging from enterprises, Internet service providers, government 
agencies and higher education institutions, to small businesses and 
individuals.
    Among its award winning products is Spy Sweeper, winner of PC 
Magazine's 2004 Editors' Choice award. The magazine's objective review 
of 14 spyware detection products found: ``Spy Sweeper is the most 
effective standalone tool for detecting, removing and blocking 
spyware.'' In the April 5 issue of Business Week, Stephen Wildstrom, 
author of the ``Technology and You'' column also recommended Spy 
Sweeper, referring to Webroot as the ``established leader'' in the 
market.
    Webroot's world headquarters is located in Boulder, Colorado, with 
a European headquarters in Frankfurt, Germany, and sales offices in 
Chicago, London, Amsterdam, and Paris. Webroot products are sold online 
at www.webroot.com, and at leading retailers around the world, 
including Best Buy, CompUSA, Circuit City, Fry's, Staples and 
MicroCenter. In addition, Webroot provides a full suite of privacy and 
security solutions designed to help ISPs like Earthlink provide value-
added products and services to their customers.
    Every day, Webroot employees talk to computer users in the U.S. and 
Europe who are being negatively impacted by spyware that has found its 
way onto their computers. Webroot is on the front lines fighting 
spyware, but Congress and the Federal Trade Commission (FTC) have 
critical roles to play on this issue to increase public awareness, 
develop and reinforce clear rules, and actively enforce the law.

Defining Spyware
    In 2003, Webroot helped to found the Consortium of Anti-Spyware 
Technology vendors (COAST), a non-profit organization established to 
facilitate collaboration among spyware detectors and increase awareness 
of the growing spyware problem.
    COAST defines spyware as: Any software program that aids in 
gathering information about a person or organization without their 
knowledge, and can relay this information back to an unauthorized third 
party.
    ``Without your knowledge'' and ``to an unauthorized third party'' 
are key components of this definition. The FTC recently held a workshop 
on spyware, which they appropriately titled: ``Computer Monitoring 
Software on Your PC: Spyware, Adware, and Other Software.'' As the 
problem of spyware has grown, a slew of new words have surfaced. For 
informational purposes, we have attached as an appendix the glossary of 
spyware-related terms developed by COAST.
    From a pure technology point of view, there is little difference 
between computer monitoring programs that serve legitimate purposes and 
those that put your privacy and personal information at serious risk. 
For example, a keylogger program like ChildSafe, a Webroot product, 
provides parents with the ability to monitor their childrens' online 
activities by tracking what the child types on the keyboard. A 
functionally similar keylogger program installed without permission by 
JuJu Jioang on computers in at least 15 Kinkos stores provided him with 
personal information about over 400 people, which he used to open back 
accounts and commit other illegal activities. Fortunately, that was one 
case that the government successfully investigated and prosecuted, but 
there are many more cases where the perpetrators are not yet 
identified, or even worse, where the victims do not even know they are 
victims.
    Thus, there is not a technological definition for spyware. The 
definition is contextual--how the program came to reside on your 
computer is a threshold question to defining it as spyware.

The Anatomy of Spyware
    There are many kinds of programs that fit within this definition of 
spyware. The COAST glossary attached as an appendix provides a more 
complete list, but there are four most common forms of spyware.
    Back Door Trojans are malicious programs that appear as harmless or 
desirable programs. Back Door Trojans deploy remote access tools, 
allowing hackers to gain unrestricted access to a user's computer. 
Trojans can be deployed as email attachments, or bundled with another 
software program.
    Keyloggers are programs that can monitor and record the user's 
every keystroke. Key loggers can be used to gather sensitive data such 
as username and password, private communications, credit card numbers, 
etc.
    System Monitors are applications designed to monitor computer 
activity. These programs can capture everything that is done on a 
computer. Information can be received at the computer, through remote 
access, or scheduled emails.
    Adware is advertising supported software that displays pop-up 
advertisements whenever the program is running. Once installed, these 
programs will download and install new software and data files--
advertisements, etc.--based on user activities such as websites visits.
    Unlike a virus that many users get in the same way at the same 
time, spyware finds its way onto your computer through multiple 
channels at multiple times. Spyware may arrive bundled with freeware or 
shareware, through peer-to-peer downloads, attached to or embedded in 
email or instant messenger communications, as an ActiveX installation, 
or it may be placed on your computer accidentally or deliberately by 
someone with access to it. Once on your system, spyware secretly 
installs itself and goes to work.
    Anti-virus software does not offer protection from spyware because 
spyware is not viral. Since it attaches itself to legitimate downloads, 
spyware can often pass easily through firewalls unchallenged. And by 
intertwining itself with files essential to system operation, spyware 
cannot be safely removed by simply deleting files with a system-
cleaning tool.
    In its most benign form, spyware can significantly slow systems 
down and result in more pop-up ads than usual. The more malicious 
spyware programs can lead to identity theft, theft of intellectual and 
other property, and data corruption. Unlike personalization or session 
cookies, spyware is difficult to detect, and difficult (if not 
impossible) for the average user to remove manually.
    Some of the types of information collected by spyware programs 
without the knowledge of the computer owner are:

 Usernames and Passwords
 Electronic Assets
 Browsing Habits
 Applications Used
 Personal Information
 Email & IM Conversations
 IP and Trade Secrets
 Financial Records
 Customer Databases
    Spyware can execute unwanted, unauthorized, and/or inappropriate 
code and use vital system resources. Spyware programs can be used to 
facilitate the unauthorized use of your machine for things like:

 Email Forwarding to Send Spam
 Background Computing
 Hacker Attacks
    While some argue that spyware is installed with the user's 
knowledge (although the user may not understand exactly what s/he has 
done), most of the time it is installed surreptitiously as part of 
another program installation. Even if the bundling of software and 
information tracking practices are disclosed to the consumer through 
the End User License Agreement (EULA), such disclosures are rarely 
clear and conspicuous. Even when they exist, notices often fail to 
provide users with a real understanding of what information will be 
collected and how the entity collecting the information will use it.

A Real and Growing Problem
    Earthlink and Webroot collaborated in the first quarter of 2004 to 
offer a free SpyAudit to Earthlink subscribers. On April 15, 2004 the 
companies jointly released the findings for January 1, 2004 through 
March 31, 2004. During that timeframe, 1,062,756 spyware scans were 
run, identifying a total of 29,540,618 instances of spyware, meaning 
roughly 28 instances of spyware per PC. Of particular concern, were the 
large number of System Monitors and Trojans found which accounted for 
369,478 of all the spyware instances found.
    Expert reports have estimated that 9 out of 10 PCs in the United 
States are infected with spyware. Studies have often showed that 
spyware is growing at a much faster rate than computer viruses.

Responding to Spyware
    The unfortunate reality is that there is probably no way to 
completely eradicate spyware. The Internet is global, which makes 
establishing and enforcing legal standards challenging. There are also 
significant economic drivers that make the creation and dissemination 
of spyware very appealing to many people, both in the U.S. and abroad. 
The combination of a profit-driven motivation, coupled with the 
vulnerability of personal information, makes spyware unique and more 
threatening than many other online security and privacy concerns, like 
viruses and spam, which the government has addressed in the past 
several years.
    It is clearly going to take a combination of technology, public 
education, sound public policy and strong enforcement to address this 
problem. To that end, we applaud the efforts of Congresswoman Bono, 
Congressman Towns, Senators Burns, Boxer and Wyden and the FTC to call 
attention to the serious negative impacts that spyware can have on the 
public and the economy. Increased awareness and education about spyware 
is essential to effectively deal with the problem.
    Certainly, regulating technology-related issues is inherently 
tricky, but this is not an issue that will go away by itself, and 
industry self-regulation is unlikely to adequately address the issue in 
a reasonable time frame. Congress has an opportunity to address this 
issue before it becomes debilitating. H.R. 2929 and S. 2145 offer 
alternative approaches, both with good qualities. We urge that this 
issue not be set aside to resolve itself--because it won't. We are on 
the front lines of this arms race, and we need reinforcement in the 
form of clear rules related to spyware to help us effectively fight for 
businesses and consumers who need to retain control over their PCs.
    We appreciate the opportunity to share our views with the 
Subcommittee.

 Glossary of Spyware Related Terms Developed by the Consortium of Anti-
                       Spyware Technology Vendors

    Adware: Often used as a term for spyware, it is preferred and used 
by makers of software that include ad-serving mechanisms. Adware is 
advertising-supported software that displays pop-up advertisements 
whenever the program is running.
    Browser Helper Object (BHO): A small program that runs 
automatically every time an Internet browser is launched. Generally, a 
BHO is placed on the system by another software program and is 
typically installed by toolbar accessories. They can track usage data 
and collect any information displayed on the Internet.
    Bundled: An arrangement in which one or more software programs are 
included with another program, for technical reasons or because of a 
business partnership. Many instances of spyware installations come 
through bundling.
    Cookie: A mechanism for storing a user's information--such as login 
information and passwords, or a user's previous activity on a site--on 
a local drive.
    Dialers: Dialers are software that, once downloaded, disconnects 
the user from his or her modem's usual Internet service provider, 
connect to another phone number, and the user is then billed.
    Drive-by Download: While not a piece of spyware itself, this 
misleading dialogue box serves as a gateway for the stealth 
installation of spyware applications. In some cases, spyware can be 
installed even if the user does not choose the ``yes'' or ``accept'' 
button.
    File-sharing programs: These are software applications that allow 
the exchange of files (especially music, games, and video) over a 
public or private network. See Peer-to-Peer.
    Freeware: Software that can be downloaded and shared at no cost.
    Hijacker: Hijackers typically come in two categories, Browser/Page 
Hijackers and System Hijackers:

Browser/Page Hijackers: Applications that attempt to take control over 
        a user's home page or desktop icons, resetting them to a pre-
        determined website destination.
System Hijacker: Software that uses the host computer's resources to 
        proliferate itself or use the system as a resource for other 
        activities. This taxes the host computer's resources, 
        negatively affecting computer and Internet speeds.
    KeyLoggers--See System Monitors.
    Opt-in: An online process by which a user chooses to receive 
information (such as e-mail newsletters) or software, often by checking 
a check box on a Web page or software installation screen.
    Opt-out: An online process (such as un-checking a pre-checked box) 
by which a user actively chooses not to receive information, such as e-
mail newsletters or software. Actively opting out will prevent a user's 
information from being a shared with businesses.
    Users should be warned that most ``opt-out'' options are actually a 
scam that serves to confirm legitimate/active email addresses. Privacy 
experts recommend that users do not use the ``opt-out'' option unless 
they are personally familiar with the company where the email 
originated.
    Parasite: A parasite is unsolicited commercial software or programs 
installed on a computer for profit without the consent or knowledge of 
the user.
    Parasiteware: Parasiteware is the term for any Adware that by 
default overwrites affiliate-tracking links. This behavior is viewed as 
parasitic because this software diverts affiliate commissions and 
credits the affiliate's income to another party. To the end user, 
Parasiteware is not a serious security threat. See Thiefware.
    Peer-to-peer (P2P): A method of file sharing over a network in 
which individual computers are linked via the Internet or a private 
network to share programs/files, often illegally. Users download files 
directly from other users' computers, rather than from a central 
server.
    Many P2P programs bundle third-party advertising programs, and are 
currently the second largest source of virus, Trojan and data mining 
infections.
    Remote Administration Tools/ RATs: Some Trojans, called RATs 
(Remote Administration Tools), allow an attacker to gain unrestricted 
access of a computer whenever the user is online. The attacker can 
perform activities such as file transfers, adding/deleting files, and 
controlling the mouse and keyboard.
    Scumware: A slang term for spyware or any unwanted software/
programs installed on your computer.
    Shareware: Software that is distributed--usually via the Internet 
and or CD-Rom--for free and on a trial basis.
    System Monitors/Keyloggers: These applications are designed to 
monitor computer activity to various degrees. They can capture 
virtually everything a user does on his or her computer, including 
recording all keystrokes, emails, chat room conversations, web sites 
visited, and programs run.
    Thiefware: Thiefware applications steal affiliate commissions by 
either overwriting tracking cookies or spawning new windows to redirect 
traffic from search engine keywords or other websites. This practice, 
while not currently illegal, is considered unethical among those in the 
merchant/affiliate community. See Parasiteware.
    Tracking Cookies: Not to be confused with personalization cookies 
(which allow users to customize pages and remember passwords), some web 
sites now issue tracking cookies. Tracking cookies allow multiple web 
sites to store and access records that may contain personal information 
(including surfing habits, user names and passwords, areas of interest, 
etc.), and subsequently share this information with other web sites and 
marketing firms.
    Trojan Horses: Trojans are malicious programs that appear as 
harmless or desirable applications. Trojans are designed to be actively 
harmful to PCs by intentionally damaging PC operating systems, other 
software or hard drives. Trojans are generally distributed as email 
attachments or bundled with another software program (often fraudulent 
versions of legitimate software).
    Web bugs: A file, usually a small or invisible graphic image, that 
is placed on a Web page or in e-mail to allow a third party to monitor 
user behavior.
                                 ______
                                 
              Downloading Shared Files Threatens Security
                     by Sgt. 1st Class Eric Hortin

    FORT HUACHUCA, Ariz. (Army News Service, April 22, 2004)--People 
spend hours in front of their computer screen, downloading music or new 
movies from the Internet, and not paying a cent, the Army considers 
such action on government computers to be a security threat.
    One program that is used to downloaded files is Peer-to-Peer (P2P) 
architecture. It is a type of network in which each workstation has the 
capability to function as both a client and a server. It allows any 
computer running specific applications to share files and access 
devices with any other computer running on the same network without the 
need for a separate server. Most P2P applications allow the user to 
configure the sharing of specific directories, drives or devices.
    In a white paper written by the Army's Computer Network Operations 
Intelligence section, unauthorized P2P applications on government 
systems, ``represent a threat to network security.''
    ``The idea of someone else getting unfettered access to anything of 
yours without your explicit consent should scare anybody--and that's 
exactly what P2P authorizes,'' says Zina Justiniano, an intelligence 
analyst with the U.S. Army Network Enterprise Technology Command's 
(NETCOM) Intelligence Division, G2. ``P2P is freeware. Freeware, 
shareware--most of the stuff that you pay nothing for, has a high 
price. The fact that it's free says that anybody and their cousin can 
get it; that means that anybody and their cousin can get to your 
machine.'' P2P applications are configured to use specific ports to 
communicate within the file sharing ``network,'' sometimes sidestepping 
firewalls. This circumvention creates a compromise and potential 
vulnerabilities in the network that, in a worse case scenario, can lead 
to network intrusions, data compromise, or the introduction of illegal 
material and pornography. There is also the issue of bandwidth. Since 
the start of the global war on terrorism, the most pressing issue from 
service members in the field has been the shortage of bandwidth to 
transmit battlefield intelligence to combatant commanders. The average 
four-minute song converted into an audio file recorded at 128-bit, can 
be upwards of 5 megabytes. Full-length video MPEG files can easily 
reach 1.6 gigabytes. Depending on the connection speed, even a small 
file may take several minutes to hours to download, using valuable 
bandwidth. Unauthorized use of P2P applications account for significant 
bandwidth consumption. It limits the bandwidth required for official 
business, and storage capacity on government systems. While those who 
monitor the Army networks agree that copyright infringement is a valid 
issue, they do have other, more important concerns.
    There are several known Trojan horses, worms and viruses that use 
commercial P2P networks to spread and create more opportunities for 
hackers to attack systems. Trojan horse applications record information 
and transmit it to an outside source. They can also install 
``backdoors'' on operating systems, transmit credit card numbers and 
passwords--making these malicious programs a favorite of hackers. Some 
of the malicious codes allow hackers to snoop for passwords, disables 
antivirus and firewall software, and links the infected system to P2P 
networks to send large amounts of information (spam) using 
vulnerabilities in Windows operating systems.
    ``If it's a really good Trojan horse, it will actually run two 
programs; it will run the program they said they were going to run, so 
they will not only download it, but they will install it and be very 
happy that it's there,'' Justiniano said. ``Meanwhile in the 
background, another program is doing malicious damage to the computer 
by either damaging files or possibly taking files off the computer 
without your knowledge. If it's a really nice program that runs well, 
(the user) will pass that file over to someone else because they really 
got their money's worth out of it. People will just keep passing it 
along.''
    Trojan horses are not the cause of all security issues. Oftentimes, 
``spyware'' applications are installed with the users consent; it's 
buried in the really long agreement that nobody reads that a user must 
click, ``I Accept,'' in order to begin the installation. This is 
especially true with free-ware applications downloaded from the 
Internet. According to published reports, a couple of years ago, some 
P2P applications came packaged with a spyware application that acted as 
a Trojan horse. This specific program sent information to an online 
lottery server.
    Those are just a couple of reasons the Army doesn't want its people 
loading P2P on their systems, and enacted regulations prohibiting 
loading those applications.
    The Army's regulation on Information Assurance, Army Regulation 25-
2, specifically prohibits certain activities; sharing files by means of 
P2P applications being one of them. There are some, however, who have 
P2P applications on their Army systems and use them despite the 
prohibition of such activities.
    Over a two-month period at the end of last year, government 
organizations identified more than 420 suspected P2P sessions on Army 
systems in more than 30 locations around the globe.
    It seems some don't understand or haven't read the standard 
Department of Defense warning that says, ``Use of this DOD computer 
system, authorized or unauthorized, constitutes consent to 
monitoring.'' For those who think, ``How are they going to know it's 
me? I'm just one person in a network of hundreds of thousands,'' don't 
be surprised when network access is cut off and the brigade commander 
is calling.
    It is the role of the Theater Network Operations and Security 
Center, located in Fort Huachuca, Ariz., to monitor and defend its 
portion of the Army network. This includes identifying potential 
security risks to the network, and unauthorized P2P applications, which 
create a considerable risk to those networks.
    ``People shouldn't assume they are using P2P applications in 
secrecy,'' said Ronald Stewart, deputy director of the C-TNOSC. ``We 
are able to detect use of P2P, and when we do, we take measures. We can 
detect and identify systems with P2P software on them; and when we find 
them, we direct the removal of the software from the system through the 
command chain.''
    Some Soldiers try to work around the Army networks to feed their 
P2P habits. Lt. Col. Roberto Andujar, director of the C-TNOSC, says 
using the Terminal Server Access Controller System (TSACS) to dial into 
the military network is not a work-around, because there are tools in 
place to identify P2P traffic.
    Methods commonly used by commercial industry, such as Internet 
Protocol (IP) address and port blocking, random monitoring, and 
configuring routers are some of the methods the C-TNOSC and 
installations take to prevent P2P access. There are other methods used, 
but specific examples cannot be discussed.
    Commanders who unwittingly allow P2P to run unchecked on their 
networks are not exempt from liability. Commanders may be held 
personally liable for any illegal possession, storage, copying, or 
distribution of copyrighted materials that occurs on their networks. 
Soldiers, civilian employees and contractors face even tougher 
penalties.
    People using P2P on government computers can to look forward to 
other possibly harsher punishments depending on the kinds of files the 
users are sharing.
    ``Say you have a Soldier downloading music through P2P, in 
violation of copyright rules,'' said Tom King, a legal adviser with 
NETCOM. ``The people who own the copyright can actually sue that 
Soldier. Then you have the issue that he's violating a lawful order. 
Then you have the issue that it's a misuse of government time and 
misuse of a government resource. He can be in a world of hurt. Then 
he's also exposing the Army network to hacking attacks.''
    ``Prosecutions are on the rise. Discipline is on the rise. People 
are taking this stuff more and more seriously all the time,'' King 
said. ``People just don't understand that there's a price to be paid 
for this.''
    Not understanding seems to be the main reason P2P applications keep 
showing up on Army computer systems.
    ``User education is one of the keys,'' said Kathy Buonocore, chief 
of the Regional Computer Emergency Response Team. ``Some users don't 
know it's illegal.''
    ``When I call some commanders and tell them, they say, `What's 
P2P?' '' Andujar said. ``Commanders have to be educated and take 
action.''
    Education has to extend down to the organization administrators. 
Justiniano says those who have administrator privileges on government 
computer systems are the ones loading the unauthorized programs. To 
prevent this, system and network administrators should configure 
systems correctly, so users cannot install unauthorized software.
    ``There are very few benefits that are not addressed somewhere 
else, that do not include the risk of P2P software,'' Justiniano said, 
adding that the use of Army Knowledge Online knowledge centers and 
secure File Transfer Protocol sites are their preferred method of file 
sharing.
    (Editor's note: Sgt. 1st Class Eric Hortin is a journalist for the 
U.S. Army Network Enterprise Technology Command.)

                                 
