b"<html>\n<title> - SPYWARE: WHAT YOU DON'T KNOW CAN HURT YOU</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n               SPYWARE: WHAT YOU DON'T KNOW CAN HURT YOU\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                            SUBCOMMITTEE ON\n                COMMERCE, TRADE, AND CONSUMER PROTECTION\n\n                                 of the\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             APRIL 29, 2004\n\n                               __________\n\n                           Serial No. 108-89\n\n                               __________\n\n      Printed for the use of the Committee on Energy and Commerce\n\n\n Available via the World Wide Web: http://www.access.gpo.gov/congress/\n                                 house\n\n                               __________\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n93-308                      WASHINGTON : DC\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                    ------------------------------  \n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                      JOE BARTON, Texas, Chairman\n\nW.J. ``BILLY'' TAUZIN, Louisiana     JOHN D. DINGELL, Michigan\nRALPH M. HALL, Texas                   Ranking Member\nMICHAEL BILIRAKIS, Florida           HENRY A. 
WAXMAN, California\nFRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts\nCLIFF STEARNS, Florida               RICK BOUCHER, Virginia\nPAUL E. GILLMOR, Ohio                EDOLPHUS TOWNS, New York\nJAMES C. GREENWOOD, Pennsylvania     FRANK PALLONE, Jr., New Jersey\nCHRISTOPHER COX, California          SHERROD BROWN, Ohio\nNATHAN DEAL, Georgia                 BART GORDON, Tennessee\nRICHARD BURR, North Carolina         PETER DEUTSCH, Florida\nED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois\nCHARLIE NORWOOD, Georgia             ANNA G. ESHOO, California\nBARBARA CUBIN, Wyoming               BART STUPAK, Michigan\nJOHN SHIMKUS, Illinois               ELIOT L. ENGEL, New York\nHEATHER WILSON, New Mexico           ALBERT R. WYNN, Maryland\nJOHN B. SHADEGG, Arizona             GENE GREEN, Texas\nCHARLES W. ``CHIP'' PICKERING,       KAREN McCARTHY, Missouri\nMississippi, Vice Chairman           TED STRICKLAND, Ohio\nVITO FOSSELLA, New York              DIANA DeGETTE, Colorado\nSTEVE BUYER, Indiana                 LOIS CAPPS, California\nGEORGE RADANOVICH, California        MICHAEL F. DOYLE, Pennsylvania\nCHARLES F. BASS, New Hampshire       CHRISTOPHER JOHN, Louisiana\nJOSEPH R. PITTS, Pennsylvania        TOM ALLEN, Maine\nMARY BONO, California                JIM DAVIS, Florida\nGREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois\nLEE TERRY, Nebraska                  HILDA L. SOLIS, California\nMIKE FERGUSON, New Jersey            CHARLES A. GONZALEZ, Texas\nMIKE ROGERS, Michigan\nDARRELL E. ISSA, California\nC.L. ``BUTCH'' OTTER, Idaho\nJOHN SULLIVAN, Oklahoma\n\n                      Bud Albright, Staff Director\n\n                   James D. Barnette, General Counsel\n\n      Reid P.F. 
Stuntz, Minority Staff Director and Chief Counsel\n\n                                 ______\n\n        Subcommittee on Commerce, Trade, and Consumer Protection\n\n                    CLIFF STEARNS, Florida, Chairman\n\nFRED UPTON, Michigan                 JANICE D. SCHAKOWSKY, Illinois\nED WHITFIELD, Kentucky                 Ranking Member\nBARBARA CUBIN, Wyoming               CHARLES A. GONZALEZ, Texas\nJOHN SHIMKUS, Illinois               EDOLPHUS TOWNS, New York\nJOHN B. SHADEGG, Arizona             SHERROD BROWN, Ohio\n  Vice Chairman                      PETER DEUTSCH, Florida\nGEORGE RADANOVICH, California        BOBBY L. RUSH, Illinois\nCHARLES F. BASS, New Hampshire       BART STUPAK, Michigan\nJOSEPH R. PITTS, Pennsylvania        GENE GREEN, Texas\nMARY BONO, California                KAREN McCARTHY, Missouri\nLEE TERRY, Nebraska                  TED STRICKLAND, Ohio\nMIKE FERGUSON, New Jersey            DIANA DeGETTE, Colorado\nDARRELL E. ISSA, California          JIM DAVIS, Florida\nC.L. ``BUTCH'' OTTER, Idaho          JOHN D. DINGELL, Michigan,\nJOHN SULLIVAN, Oklahoma                (Ex Officio)\nJOE BARTON, Texas,\n  (Ex Officio)\n\n                                  (ii)\n\n\n\n\n                            C O N T E N T S\n\n                               __________\n                                                                   Page\n\nTestimony of:\n    Baker, David N., Vice President, Law and Public Policy, \n      Earthlink..................................................    36\n    Beales, J. Howard, III, Director, Bureau of Consumer \n      Protection, Federal Trade Commission.......................    42\n    Friedberg, Jeffrey, Director of Windows Privacy, Microsoft...    10\n    Schwartz, Ari, Associate Director, Center for Democracy and \n      Technology.................................................    47\n    Thompson, Hon. Mozelle W., Commissioner, Federal Trade \n      Commission................................................. 
   38\nAdditional material submitted for the record:\n    Downloading Shared Files Threatens Security, article by Sgt. \n      1st Class Eric North.......................................    86\n    Thompson, Roger, Vice President for Product Development, \n      PestPatrol, Inc., prepared statement of....................    81\n    Webroot Software, Inc., prepared statement of................    83\n\n                                 (iii)\n\n  \n\n \n               SPYWARE: WHAT YOU DON'T KNOW CAN HURT YOU\n\n                              ----------                              \n\n\n                        THURSDAY, APRIL 29, 2004\n\n              House of Representatives,    \n              Committee on Energy and Commerce,    \n                       Subcommittee on Commerce, Trade,    \n                                   and Consumer Protection,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 10 a.m., in \nroom 2123, Rayburn House Office Building, Hon. Cliff Stearns \n(chairman) presiding.\n    Members present: Representatives Stearns, Upton, Shimkus, \nShadegg, Bass, Bono, Otter, Barton (ex officio), Schakowsky, \nand Strickland.\n    Also present: Representatives Inslee and Greenwood.\n    Staff present: David L. Cavicke, majority counsel; Chris \nLeahy, policy coordinator; Shannon Jacquot, majority counsel; \nBrian McCullough, majority professional staff; Jill Latham, \nlegislative clerk; William Carty, legislative clerk; and \nConsuela Washington, minority counsel.\n    Mr. Stearns. Good morning. I am pleased to welcome all of \nyou to the Commerce, Trade and Consumer Protection Subcommittee \nhearing on spyware. Spyware is loosely defined as malicious \nsoftware downloaded from the internet that spies on the \ncomputer owner or user, usually to provide information to third \nparties. 
The Federal Trade Commission has said that spyware is \nsoftware that aids in gathering information about a person or \norganization without their knowledge and that may send such \ninformation to another entity without the consumer's consent or \nthat asserts control over a computer without the consumer's \nknowledge. A spyware relative, known as adware, enables the \ncomputer owner or user to receive a stream of ads and other \nmarketing information usually based on data the software has \ncollected about the user. Adware or ad supported software is \nfrequently bundled with free internet software or free ware. \nLegitimate adware allows the user knowledge and consent about \nthe software and frequently provides an adware free version for \npurchase. More noxious adware versions, however, can be \ndownloaded without consent or through deceptive means, \nessentially making them spyware in themselves.\n    My colleagues, as we speak, spyware and adware software \nprograms are growing at a very, very rapid rate. According to \nthe consumer security firm, McAfee, these software programs \nhave grown in number from about 2 million in August 2003 to \nover 14 million currently.\n    As further proof of the potential scale of this problem, \nthe National Cyber Security Alliance has estimated that over 90 \npercent of users had some form of adware or software, spyware \non their computers and yet, most were unaware of it. In worse \ncases, the more malicious varieties of spyware can record \nkeystrokes and compromise personal information, including \npasswords and Social Security Numbers.\n    The simple act of downloading a desired program from the \ninternet can not only open the door on your personal computer \nand your most private information, but also can allow spies to \neffectively take up residence in your personal computer. 
Your \npersonal property, I might add, without your knowledge and \nwithout your consent.\n    Then after sneaking into your computer, some of these \nmalicious spyware programs can act as snoop, prying into your \nprivate life or thieves, stealing personal information or as \npornography dealers, exposing your children to obscene online \nmaterial.\n    If and when you finally discover the spy lurking in your \npersonal computer, the damage is already done. In the best \ncases, the technology that enables spyware also can serve as a \nfirst line of defense against obscene internet material by \ntracking website activity and filtering out the garbage. Other \nforms of the technology, like legitimate adware, are authorized \nby the consumer and provide businesses a new and efficient \nmeans of reaching potential customers with less expensive goods \nand services.\n    While some would have us define spyware with technical \nparameters, others believe that it is not the technology tool \nthat needs to be defined and targeted. It's the unscrupulous \nindividuals preying on the consumer from these programs.\n    Clearly, no matter the definition we create today, it is \nalways reprehensible when someone intentionally downloads \nsecret software into a personal computer that is designed to \nsteal information or trick us into opening the doors into our \nprivate lives.\n    To try to address this egregious internet activity, Ms. \nBono of California, has introduced legislation to enhance \nspyware disclosures, root out this deceptive and fraudulent and \ncreate accountability. Her bill requires that computer users \nreceive clear and conspicuous notice prior to downloading \nspyware and that all third parties provide their identity.\n    I sincerely commend her for her leadership on this issue. 
\nIt is my hope that we can reach bipartisan consensus on \nlegislation that will protect consumers from unwittingly being \nspied upon.\n    With the help of our distinguished panel of witnesses, one \nof our most important tasks is to try to establish the \nboundaries of what is clearly legitimate and what is clearly \nreprehensible. We then need to explore the murky area in the \nmiddle where cases aren't so stark and are not so clear-cut, \nespecially in cases where consumers are duped with lengthy and \nconfusing license agreements, website trickery and exploitation \nof weak, personal computer security.\n    The ultimate challenge, therefore, is to investigate ways \nindustry, consumers and Congress can work together to rid out \nour online marketplace of the bad apples, while preserving \nlegitimate uses for this software technology.\n    And finally, my colleagues, our panel today will help us \nunderstand how spyware and adware programs are distributed in \ncommerce, both legitimate and fraudulent. The scope of the \nprivacy and security risk posed by this software, its effects \non economic productivity and the need for Federal legislation. \nAnd I think many of you know that the State of Utah has already \npassed a spyware bill. The State of California and New York are \npresently looking at that.\n    I welcome our witnesses today and I look forward to their \ntestimony and with that, I call on the ranking member for her \nopening statement.\n    Ms. Schakowsky. Thank you, Chairman Stearns. One of the \ngreat things about this job is that you learn something new \nevery day. So that either indicates that I am way behind the \ncurve here or that perhaps the Congress is getting a grip on an \nemerging problem. Because increasingly people are finding that \ntheir home web pages are changed or their computers are \nsluggish, we get pop up ads that won't go away no matter how \nmany times they try to close them. 
They find software on their \ncomputer they didn't install and they can't uninstall. Their \ncomputers are no longer their own and they can't figure out \nwhy.\n    They think that the problem is with their computer, with a \nprogram they installed or with their internet service provider, \nbut more and more often, it's becoming clear that they are the \nunwitting victims of spyware. Because they clicked on the wrong \nweb page or signed an agreement to download one program, \nspyware has made it on to their computer.\n    While the above examples can be written off by some as \nmerely annoying, there are serious privacy and security issues \nat stake. The tracking capability of spyware programs can be so \npowerful that it can record every keystroke computer users \nenter. It can take pictures of personal computer screens. It \ncan snatch personal information from consumers' hard drives. \nPeople can see their bank account numbers, passwords and other \npersonal information stolen because they quite innocently went \nto a bad website or clicked an agreement they didn't know they \nshouldn't.\n    While some programs called spyware can have legitimate \npurposes like allowing for access to online newspapers without \nhaving to register every time you want to read it, truly \nnefarious spyware uses software and applications in ways that \ncannot be defended. Spyware purveyors engage in unfair and \ndeceptive practices. They take personal information without \npermission. They exploit software vulnerabilities and co-opt \nothers' computers.\n    Fortunately, we do have a number of laws on the books that \nwe can use against spyware. However, there has been virtually \nno enforcement of the laws. Spyware transmitters know how to \ncover their tracks and technology changes every day. 
It makes \nit very hard to find those who are to blame, but it can be done \nand we need to pursue enforcement of laws already on the books.\n    And we also need to explore legislation and other responses \nto deal with the inevitable loopholes that exist in the law \nbecause of the ever-evolving nature of technology. That's why \nI'm glad we're here and glad I'm here today to start discussing \nthe best way we as legislators can address these issues.\n    We also need to get the word out to consumers so that they \nknow what is really wrong with their computers and so that they \ncan protect themselves from online predators. We should build \non the consumer awareness efforts of the FTC and Center for \nDemocracy and Technology as a result of their pursuing comments \nabout how spyware has affected people. They have heard from \nhundreds of consumers concerned about spyware's invasion into \ntheir privacy. From these comments and very technical \ninvestigative follow-up, the Center for Democracy and \nTechnology has filed complaints with the FTC about two spyware \nbad actors. I'm quite pleased that we have distinguished \nwitnesses representing the broad spectrum of affected parties \nand as Chairman Stearns mentioned, we have the industry \nregulators and consumer groups and I look forward to hearing \nfrom all of you.\n    Thank you.\n    Mr. Stearns. I thank my colleague. The distinguished \nchairman of the full committee, the gentleman from Texas, Mr. \nBarton.\n    Chairman Barton. Well, thank you, Chairman Stearns, for \nholding this hearing and I want to thank Congresswoman Bono for \nintroducing this piece of legislation.\n    We checked our committee computers this week and found 167 \nspyware programs on it. 
I told that at a meeting breakfast a \ncouple of days ago and the gentleman held up his hand and said \nhe had just checked his computer and had over 200 and then I \ntold the story at dinner last night and somebody held up their \nhand and said over 400. So there is no more pernicious, \nintrusive activity going on on the internet today than the \nsubject of this hearing. And I hope that after the hearing, we \ncan come together on a bipartisan basis and decide what to do \nlegislatively about it.\n    I have told Congresswoman Bono that her bill is a starting \npoint, but not the end point and I want to tell all of the \nmembers of the committee and the folks in the audience and the \npeople that are watching this on television, if it's being \nbroadcast, that we really intend to do something about this. We \ndo not let people just wander around our homes without our \npermission. We don't let total strangers just come up to us, \nencourage us to buy this or buy that or do this or do that. And \nwe certainly when we have guests over, and they overstay their \nwelcome, we encourage them to leave. None of those can we do \nwith these spyware programs that are proliferating on our \npersonal computers and as we found out at the committee this \nweek, our office computers.\n    So I am very, very pleased that Chairman Stearns is holding \nthis hearing and I am very, very hopeful that after the record \nis developed from this hearing that we can very quickly move to \na legislative solution to that to cure this cancer on the \ninternet.\n    And with that, Mr. Chairman, I have an official statement \nfor the record, but I will yield my time back.\n    Mr. Stearns. By unanimous consent, so ordered.\n    Chairman Barton. Thank you.\n    [The prepared statement of Hon. Joe Barton follows:]\n\n Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy \n                              and Commerce\n\n    Thank you, Mr. Chairman, for holding this hearing today. 
It \ncontinues this Committee's longstanding work in the area of consumer \nprotection.\n    Spyware may be unfamiliar to many Americans, but unfamiliar does \nnot mean unaffected. I suspect a large number of those in this room are \nvictims of some of these foul abuses. Certainly all of us who use the \nInternet are threatened by them. And the very nature of the abuse is \nwhat keeps everyone threatened by it from seeking relief. It is aptly \nnamed spyware. Its installation is often sneaky or deceptive and even \nwhen it runs it often goes undetected. And when consumers notice \nrelated problems with their systems, those problems are easy to \nmisdiagnose. Even those that are technically savvy and aware of what is \non their system, may not be able to uninstall spyware.\n    Much of the recent discussion surrounding spyware has focused on \nthe difficulty in defining what it is. The most pernicious of the \nsoftware is composed of keystroke loggers and screen-capture utilities. \nThis has both privacy and security issues for consumer Internet use. \nFor example, some software can pick up your sensitive financial \ninformation when you use on-line banking, or it could monitor your \nemail traffic and transmit personal information contained in that \nemail. Both could lead to identity theft and other privacy and security \nabuses.\n    There is also ``adware.'' While adware does not capture keystrokes \nit often captures information, like websites visited, and sends that \ninformation back to a central server for the purpose of delivering \ntargeted advertising. I would be suspicious of someone following me \naround the shopping mall and popping over to me and offering me a \nbetter deal each time I reached a register. I suspect most of us would \ncall the police. But this adware does the very same thing. It follows \nyou around the Internet and just as you are looking at purchases, it \ninvades your computer with related and often unrelated offers. 
There \nmay be some who would consent to this ``point of sale'' availability of \ninformation. It is certainly marketing genius. But, without informed \nconsent, it is a true invasion of privacy.\n    We ran a sweep of a Committee computer earlier this week and \ndiscovered there were over 167 ``hits'' for third party cookies and \nadware. A recent demonstration by an anti-spyware software company \nshowed that most of that software ended up on the computer just by \nvisiting a site. No consent was requested and none was given. If I want \nsomeone to come into my home I invite them into my home--if they come \nin uninvited that is a trespass. And certainly if they take something \nfrom inside without authorization it is a burglary. The same should \nhold true for access to my home and information via my computer.\n    The Internet has been a great boon to society as a tool for \ninformation and commerce. But, surfing the web is increasingly becoming \na defensive exercise for consumers who wish to protect their privacy \nand maintain the security of their information. If this dynamic does \nnot change soon, there is a real risk of undermining all the commercial \ngains the Internet has achieved. I thank our witnesses for their \nparticipation today and look forward to their testimony. In particular, \nI would like to thank Ms. Bono and Mr. Towns for their leadership in \nintroducing legislation to enhance disclosures to consumers concerning \nspyware. After this hearing I will be working with all Members of the \nCommittee on a legislative solution to this problem.\n    Thank you and I yield back.\n\n    Mr. Stearns. And I thank the distinguished chairman and at \nthis point we'll have the author of the bill, the gentlelady \nfrom California for an opening statement.\n    Ms. Bono. Thank you, Chairman Stearns, and Chairman Barton \nfor your leadership on this issue. 
I welcome the full weight of \nthe committee chairman and subcommittee chairman behind this \nlegislation. It's also been a pleasure to work with Congressman \nEd Towns who apparently caught a flight home today.\n    We introduced H.R. 2929. We called it the Safeguards \nAgainst Privacy Invasions Act. I look forward to hearing from \nall of our witnesses this morning.\n    Spyware is a technological disease that is proliferating \neach day. It threatens the efficiency of our computers and \ninternet services as well as the security of our personal \ninformation and private transactions. Spyware programs can \nsecretly hijack web browsers and collect web surfing patterns, \nkeystrokes, password information, all that without the computer \nuser ever knowing that it has even occurred.\n    In fact, more often than not, computer users have no idea \nthat they have downloaded spyware, nor do they have any idea as \nto how they obtained it. Yesterday, Harris Interactive released \na web at work study which discovered that 92 percent of \ninformation technology managers estimate that their \norganizations have been infected by spyware at some point. \nHowever, only approximately 6 percent of the employees who \naccess the internet at work say they have ever visited websites \nthat contain spyware.\n    EarthLink and Webroot Software recently scanned more than 1 \nmillion personal computers and reported 23.8 million cookies \nand approximately 5.7 million adware and spyware programs. Pest \nPatrol which sells its own spyware remover, estimates that \nthere are more than 78,000 lurking spyware programs. One of the \nmain conduits for the spyware industry is the peer to peer file \nsharing scheme. Free file sharing services like Grokster and \nKazaa which are also centers for illegal copying, usually tie \nseveral pieces of adware and spyware to their programs. Kazaa, \nfor example, bundles Gator with its software. 
Gator, in turn, \ncontracts with companies who want targeted advertisements. For \na fee, Gator agrees to disseminate its software so that \ninternet habits can be monitored enabling targeted \nadvertisements.\n    However, spyware is not limited to bundling with other \nsoftware programs such as Kazaa. In fact, some websites and e-\nmail messages trick computer users into downloading spyware. \nOne common trick is to alert the computer user that his or her \nsystem is vulnerable and he or she must immediately download a \nsecurity patch. However, the patch only turns out to be spyware \nor adware. Spyware affects everyone from the most tech savvy \ncomputer users to the least tech savvy computer users and \ncertainly unsuspecting teens and kids.\n    Lynn Vaccaro, a manager at Errol Electronics, one of the \nlargest distributors of computer products, was having \ndifficulty with pop up ads, so she tried different pop up \nstoppers to no avail. She then realized she had spyware on \nher computer. She downloaded SpyBot Search and Destroy and many \nother scanner and removal tools. The tools worked so well that \nthey eliminated parts of Internet Explorer as well as Windows. \nShe then had to reload both of them.\n    H.R. 2929 would require that spyware companies give clear, \nconcise and conspicuous notice to computer users about the \nfunction of their software as well as the information that may \nbe collected and transmitted through their software. After \ngiving such notice, the computer user would have to agree to \nthe downloading of the software. In other words, under the SPI \nAct, spyware would no longer be used to spy on unsuspecting \ncomputer users.\n    Although Congress has a responsibility to address the \nissues surrounding spyware, it is equally imperative that the \nFederal Trade Commission, as well as the technology industry, \ndoes all that it can to protect consumers from spyware. 
\nMoreover, it is necessary that we collectively educate \nconsumers about the nature and the threats of spyware.\n    I hope this hearing will help all of us learn more about \nspyware and it will enable us to begin tackling some of the \ncomplicated and technical questions that are related to \nspyware.\n    Thank you, Mr. Chairman.\n    Mr. Stearns. I thank the gentlelady. Mr. Shimkus.\n    Mr. Shimkus. Thank you, Mr. Chairman. I'll be brief. I \nbought a new Dell. I got Windows XP. I'm disappointed with both \nof those. My computer is lots more sluggish than it ever was \nunder my own system that had less memory, less capabilities and \nit's unfortunate and I think it's because I've got programs \ncompeting with each other. It's like trying to ride an old \nWestern, you're on that stagecoach and you've got those 16 \nhorses and you've got both reins and you just can't control it. \nIt's tremendously frustrating and I'm not tech savvy at all.\n    So this is one of many issues that I think is frustrating the \npublic and I'm glad Mary has seen fit to work with Mr. Towns and \nreally address this. This hearing is very, very important.\n    This also gives me the opportunity because of the inability \nto control our own personal computers any more. It also gives \nme the chance to advertise once again for .kids.us, the \nimportance of that, if you want to protect kids on the internet \nand we have a late weekend sale, we're having our hearing. I \nthink next week, Thursday, maybe, so those of you who have not \ngot a site up on .kids.us, you still have time before we have \nthe hearing and start identifying those good entities that are \ntrying to protect kids and those who are still a little \nnegligent and we will continue to try to coerce them.\n    I did receive an e-mail, Mr. Chairman, if I may submit into \nthe record.\n    Mr. Stearns. By unanimous consent, so ordered.\n    Mr. Shimkus. 
It's from Sergeant First Class on peer to peer \nissues and it's probably well known in the community. The other \nissue to this debate is the threat to national security. If \nthese things are on Department of Defense computers and \nindividuals have the ability then to snoop around in our \nintelligence community, Department of Defense, FBI and the \nlike, this is a really serious national security concern. I \nthink this article highlights that and so I think this is a \nvery timely hearing. I thank you for calling it and I thank my \ncolleague, Mary Bono, for bringing it to our attention.\n    I yield back.\n    Mr. Stearns. I thank the gentleman. The gentleman from \nMichigan, Mr. Upton.\n    Mr. Upton. Well, thank you, Mr. Chairman. I want to thank \nmy colleague, Ms. Bono, as well, for the great work she's done \non this legislation. I might say that I've got a Dell as well \nat home with an XP in it. At the beginning when you turn it on, \nI used to make a joke with my kids there's a lot of little guys \ninside, the click, click and they run around trying to plug in \nthe old circuits, sort of like the old telephone, but now \nit's--you need Raid because you find out, in fact, it's not \nlittle guys in there. It's spiders. And I've been a victim of \nspyware as well. I don't know how many hundred, Mr. Barton, \nthat I have, but I have a 12-year-old and a 16-year-old and we \nhad to have the computer doctor come visit and take it away and \ntake it to the ER and it's on life support. Found out it \ncouldn't even deal a deck of cards in Solitaire it was so slow, \nit was so pathetic. It's bad. 
It is bad.\n    I think for a lot of Americans when they become victims of \nthis they're a little surprised and they become very alarmed \nand then they become very angry and bitter that someone would \nviolate their personal space whether it be Kazaa or anybody \nelse and in fact, victimized an entire family, homework and \neverything else, that a PC provides assistance with.\n    So I think that we need legislation on this. I think we \nneed strong penalties. Some might suggest the death penalty. I \ndon't know that we'll go that far, we'll look for some \njudiciary help, but I want to thank my colleague, Ms. Bono, for \nthis. I want to thank you, Mr. Chairman, for holding this \nhearing and hopefully, we will move on a strong bipartisan \nbasis to use the Raid to get those little guys out of there.\n    I yield back my time.\n    Mr. Stearns. I thank the gentleman. The gentleman from New \nHampshire, Mr. Bass.\n    Mr. Bass. Thank you, Mr. Chairman, a great hearing. I've \nall the same issues that everybody else has talked today. I'm \neager to hear the witnesses, so I yield back.\n    Mr. Stearns. I thank the gentleman. Mr. Otter?\n    Mr. Otter. Well, thank you, Mr. Chairman, and let me join \nin this core of folks in showing appreciation to Ms. Bono for \nher efforts on bringing this to our attention and also holding \nthis hearing and getting some sort of a resolve.\n    Over the last few years, this Congress has debated the \nprivacy issues on many fronts. The passage of the Health \nInsurance Portability and Accountability Act, created new \nprivacy protection for individuals in the health market. \nHowever, Congress also passed the Patriot Act which has caused \nmany, including myself, to carefully evaluate the value we \nplace on personal privacy. 
I believe many in the public are not \naware of the many ways they are being watched online, tracked \nonline and in recent years there has been an increased \nawareness of identity theft, yet we still hear little about the \nintrusiveness and the risk associated with spyware.\n    There's no doubt that the function of spyware is to watch, \nto track, record an individual's internet usage and activity, \noften without the knowledge of the user. I'm very interested in \nhearing from the witnesses today on what they believe is an \nappropriate way to notify users before they download spyware.\n    I'm also very concerned about the websites like Kazaa that \ninfect computers with spyware in exchange for providing user \naccess to stolen goods and then profit from them by selling the \ninformation collected by spyware to other advertisers. As an \nadvocate of personal responsibility, I also believe that users \nwho participate in these illegal activities on these sites such \nas music and movie theft, should expect to be taken advantage \nof and I have little sympathy for them.\n    If you're going to play with fire, you need to expect to \nget burned. So if you don't want spyware from Kazaa and other \nsimilar sites on your computer, don't participate in these \nillegal activities.\n    Mr. Chairman, once again, I thank you and I thank Ms. Bono \nfor the opportunity to examine these issues and look for \nsolutions in solving them. I yield back.\n    Mr. Stearns. I thank the gentleman and just for his \ninformation, we're going to have a hearing on this Kazaa and \nthe peer to peer later.\n    The gentleman from Arizona, Mr. Shadegg.\n    Mr. Shadegg. Thank you, Mr. Chairman, I am also anxious to \nhear the witnesses because I think this is an extremely \nimportant topic. I similarly want to congratulate our colleague \nfrom California, Ms. Bono, on bringing an important issue to \nthe committee. 
I think this is an issue that we need to be very \nattentive to and quite frankly, it's an area where I think we \nneed legislation. I want to compliment you on holding the \nhearing.\n    Mr. Stearns. I thank the gentleman. We also welcome Mr. \nInslee from the State of Washington. He is a guest here with \nthe committee.\n    [Additional statement submitted for the record follows:]\nPrepared Statement of Hon. Barbara Cubin, a Representative in Congress \n                       from the State of Wyoming\n    Thank you, Mr. Chairman, for holding this timely hearing.\n    I would also like to thank the distinguished panel of witnesses \nhere today. Today's hearing brings together an assembly of panelists \nwho are recognized experts of various technological industries, and I \nanticipate their insights to be of unparalleled value as we delve into \nthe issues surrounding spyware.\n    As Americans become increasingly dependent upon computer technology \nto navigate everyday life, there is a consumer-driven demand for \ntechnology to be perpetually updated. Unfortunately, in the \ncontinuously expanding domain of computer technology, there also exists \nthe knowledge to utilize software for less desirable results. Today's \nhearing will educate and warn us all of an emerging, largely \nundesirable software technology phenomenon known as spyware.\n    Today's hearing will foster debate and thought regarding several \ncomplex issues surrounding spyware. First and perhaps most gravely is \nthe need to develop a clear and accepted definition of spyware. We must \nfirst acknowledge that instances where this type of software can be \nused by third parties for valid and useful purposes do in fact exist. \nHowever, it is when this technology is utilized by unethical and \nfraudulent purposes that alarm must be raised. 
While most Americans \nwill never understand how spyware is engineered, it is indisputably \nunacceptable for someone to secretly download software onto another's \ncomputer with the intent of stealing personal information. Therefore, \ntoday's debate should be based upon the bad practices and deviant \nbehavior of promulgators of spyware rather than its technological \naspects.\n    Aside from the need to apply a definition to spyware, there also \nexists a need to examine the more complex matter of enforcing \npunishment of the inappropriate use of this technology. While consumers \nmay not object to receiving advertisements, a line must be drawn \nbefore people are allowed to use spyware for more invasive and \nintrusive purposes. Today's hearing will reveal what steps software \nindustry leaders are taking to protect consumers from such invasions \nand increase our understanding of what role Congress should play in \nthis capacity.\n    Most importantly, today we have the opportunity to help raise \nconsumer awareness of the increasingly dangerous use of spyware. The \nmajority of American consumers have likely been affected by spyware at \nsome level, and I foresee today's hearing as the embarkment of a large-\nscale campaign to help Americans better educate and protect themselves \nfrom the inappropriate use of spyware.\n    Thank you Chairman, and I yield back the balance of my time.\n\n    Mr. Stearns. We're going to, since the opening statements \nare complete, we're going to depart from the normal schedule \nand hearing from the witnesses. We're going to go to a \ndemonstration. I would hope that we would have an actual \ndemonstration of how spyware is used and so with that further \nado, we'll have this demonstration.\n    Mr. Friedberg. Actually, it's going to be part of my \ntestimony, so I can do it all at once.\n    Mr. Stearns. 
We'll let you start and go ahead and do that \nthen.\n\n STATEMENTS OF JEFFREY FRIEDBERG, DIRECTOR OF WINDOWS PRIVACY, \n   MICROSOFT; DAVID N. BAKER, VICE PRESIDENT, LAW AND PUBLIC \n  POLICY, EARTHLINK; HON. MOZELLE W. THOMPSON, COMMISSIONER, \n   FEDERAL TRADE COMMISSION; J. HOWARD BEALES III, DIRECTOR, \n BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION; AND \n  ARI SCHWARTZ, ASSOCIATE DIRECTOR, CENTER FOR DEMOCRACY AND \n                           TECHNOLOGY\n\n    Mr. Friedberg. Great. Chairman Stearns, Ranking Member \nSchakowsky and members of the subcommittee, my name is Jeffrey \nFriedberg and I am the Director of Windows Privacy at Microsoft \nCorporation. Thank you for the opportunity to share our views \non this growing threat to computer users around the world. I'd \nlike to commend the subcommittee for holding this hearing and \nits bipartisan approach to this important consumer issue.\n    I'd also like to acknowledge Representatives Bono and Towns \nfor the time and energy they have invested.\n    Spyware and deceptive software share a common theme. They \nuse ambiguity, coercion, deceit and outright trickery to lure \nand even force users to execute or install unwanted programs. \nThey can be invasive, offensive and even destructive.\n    Our customers complain that deceptive software degrades \ntheir computing experiences, in some cases, making their \ncomputers unusable. We have evidence that this software is at \nleast partially responsible for approximately half of the \napplication crashes our customers report to us. It has become a \nmulti-million dollar support issue for computer manufacturers, \nISPs and companies like Microsoft.\n    I'm going to show you some examples of how our customers \nhave been tricked. My first slide illustrates what we call a \npop-under exploit. We don't have it on the back screen at the \nmoment.\n    Chairman Barton. I think we have spyware infecting our \napplication here.\n    Mr. Friedberg. 
Great.\n    Mr. Stearns. Do you just want to turn down the lights a \nlittle bit? Is that possible to do that?\n    Mr. Friedberg. So in this case a user goes to a website \nthey trust. I've simulated a news website here, may be their \nfavorite site, and after a delay----\n    Mr. Stearns. Just pull the mic up a little bit more because \nwhen you turn your head, we lose you.\n    Mr. Friedberg. Sorry. And after a delay, they get the \nsecurity warning which is normal which says hey, somebody is \ntrying to download software to you. Now the user thinks this \nmight be coming from the trusted site, but if you watch the \nscreen carefully, you'll notice that it's actually coming from \na window underneath, what we call a pop-under window that's \njust lying in wait, hoping that this can happen in which case \nthe user might think this download is for the trusted site and \nmight click yes.\n    This next one which is one of my favorites is cancel means \nyes. If you look at this screen, it looks like an official \nsecurity update or some kind of privacy update. In fact, if you \nread it carefully, it says this is a security update, a \npersonal privacy protection update and a system update. They've \nused every buzz word they can imagine and it's provided these \nokay and cancel buttons and it looks quite bona fide. The \nreality is that this is actually just an image and none of \nthese buttons are functional. In fact, if you click on the okay \nor even the little X in the corner, it will all take you to the \nsite and attempt to download software to your machine. This is \nquite deceptive.\n    Here's another example of the same kind of trick. The \nsecurity alert in this window is embedded and again provides \nthe Yes/No cancel buttons, but it's just a picture and people \ncan embed pictures in web pages. This is a normal thing. 
But it \ntricks users and they click somewhere on this window and one of \nthese buttons and it still takes them to the site and attempts \nto download the software.\n    Another thing that bothers me about it is it says \n``warning, your computer is being attacked by spyware and \nadware.'' Well, how do they know that? I mean this is basically \njust scare tactics in order to get people to download this \nsoftware.\n    Finally, in the browser there's a security setting. This is \none other way that unwanted software can end up on your \nmachine. If you set it to the low setting, it means that all \nsites you visit are trusted. I call this leaving your front \ndoor open. In this case, there's no warning, the software will \nsimply load because you've told the system everything is \ntrusted. We first off have a default which is medium and we \nrecommend to users to leave it at medium or higher. So these \nslides provide just a sample of the ways users can be tricked. \nI've included other examples in my written testimony.\n    There is no silver bullet to address the wide range of \nissues with deceptive software. We believe it will take a \ncomprehensive approach that has four key elements. The first is \nbetter consumer education. Today's hearing and last week's FTC \nworkshop heightened consumer awareness of the problems caused \nby deceptive software. To complement these efforts, Microsoft \nrecently launched a website www.microsoft.com/spyware to help \nconsumers understand, identify, prevent and remove deceptive \nsoftware.\n    The next element is technology. Microsoft will make \navailable this summer a free update to Windows XP called \nService Pack 2. It will include a new pop up blocker and pop \nups are one of the most common ways that people get a \nproposition for a download through a pop up experience. Pop up \nblocker shows up in this thing called an information bar in \nInternet Explorer. 
It gives people both notice and choice of \nwhat's happening to them with the pop ups. They can choose to \nblock them or choose to allow them through or do that by site.\n    I know my financial institution needs pop ups to work, so I \nwould turn up pop ups for that site.\n    Another feature is this new download blocker. It \nspecifically is designed to prevent forced downloads. These are \ndownloads that are unsolicited. You go visit a website and \nsomebody attempts to jam software on your machine. Instead of \nthat happening, you get a little warning in this little \ninformation bar that says hey, someone is trying to download \nsome software, what do you want to do? And you don't have to \ntake any action. By having this blocker, you don't have to be \ninterrupted and take action and it's suppressed until you \ndecide on your terms to do something about it.\n    This helps with two problems. One is that it prevents the \npop-under exploit I mentioned earlier and second, I have small \nkids and they don't even read and I ended up with some kind of \nspyware in my system because they clicked yes to some dialog \nthat popped up in the middle of a game. This would prevent that \nfrom happening. They won't even see that opportunity to \ndownload this kind of software.\n    We've also cleaned up the install prompts. The one on the \nleft is the old one and there's opportunity for some publishers \nto throw a lot more information there we had wanted originally \nwhich makes a very confusing experience. If you've actually \nlooked at the one on the left more carefully, it's almost a \nminiature license agreement thrown in this experience which is \ntotally inappropriate.\n    The one on the right makes that much more difficult to do \nand it truncates the line, makes it much easier to spot someone \ntrying to trick you. We also added a new feature called never \naccept software from a publisher. 
So you could choose by \npublisher to say look, I don't want software from you anymore \nand block that from happening.\n    The last thing, as I mentioned earlier about leaving your \nfront door open, it seems intuitively obvious well look, if low \nis kind of dangerous for most users, why do you offer it? So \nnow we actually pop an arrow that says look, you really can't \nset it to low anymore. Expert users can get around this and if \nthey want to lower their settings they can, but for the \nmajority of users, at least we've done something to slow down \nthis accidental way that they leave their doors open.\n    So these improvements, as well as others we are working on, \nwill advance our goal of helping users better understand what \nsoftware they are running and installing and whether they can \ntrust it.\n    The third element of our approach is industry-wide best \npractices which we believe will create an incentive for \nlegitimate software publishers to do the right thing. Best \npractices will also serve as a foundation for programs that \ncertify good actors and thereby enable consumers to make more \ninformed decisions. In the end, we believe self-regulatory \nmeasures will best account for the complexities of different \nsoftware applications and evolve to meet the ever-changing \nnature of technology.\n    The fourth element is aggressive enforcement of existing \nlaws. Such enforcement could put some of the most insidious \nviolators out of business which would have a significant impact \non the amount and the type of deceptive software that is \nproduced and distributed in the United States.\n    Finally, for what is not already illegal under existing \nlaw, Federal legislation can help fill in the gaps. That said, \nany legislation must carefully target deceptive behavior rather \nthan specific features or functionalities. My written testimony \nprovides examples of areas in which legislation can impose \nineffective or impractical requirements. 
As you consider \nlegislating in this area, we urge you to avoid such unintended \nconsequences.\n    In conclusion, we applaud the subcommittee for holding this \nhearing today and appreciate the opportunity to share our \nexperience and recommendations. We are committed to working \nwith you to thwart the efforts of those who produce industry-\ndeceptive software and to restore choice and control to our \ncustomers.\n    Thank you.\n    [The prepared statement of Jeffrey Friedberg follows:]\n\n Prepared Statement of Jeffrey Friedberg, Director of Windows Privacy, \n                         Microsoft Corporation\n\n    Chairman Stearns, Ranking Member Schakowsky, and Members of the \nSubcommittee: My name is Jeffrey Friedberg, and I am the Director of \nWindows Privacy at Microsoft Corporation. I want to thank you for the \nopportunity to share with the Subcommittee our views on this burgeoning \nthreat to computer users around the world. Spyware and other deceptive \nsoftware share a common theme: they use ambiguity, coercion, deceit, \nand outright trickery to lure or even force users to execute or install \nunwanted and often invasive programs. Our customers complain that this \nsoftware degrades their computing experiences--in some cases rendering \ntheir computers unusable--and causes them to feel frustrated and out of \ncontrol. It also compromises their privacy and can make their computers \nmore susceptible to attack.\n    Microsoft applauds Congress and the members of this Subcommittee \nfor their attention to this problem. In particular, we would like to \nacknowledge Representatives Mary Bono and Ed Towns for the time and \nenergy they have invested. Stopping the spread of deceptive software is \none of Microsoft's highest priorities. We are committed to providing \nconsumers with the information and technology that will help protect \nthem against deceptive software. 
And we are committed to working with \nyou, law enforcement, and others in the industry to identify and \npenalize the perpetrators of these nefarious programs.\n    Today, I want to describe the nature and nuances of deceptive \nsoftware, and explain Microsoft's comprehensive strategy for tackling \nthis issue. As with any issue that raises consumer protection concerns, \nthere are a number of ways in which the public and private sectors, \nworking together, can address the problem. These include educating \nconsumers, developing new technology to help protect users and to \nempower them to make more informed choices, identifying industry \nstandards and best practices, and taking enforcement actions against \nthose engaged in fraudulent, deceptive, and unfair practices. To the \ndegree existing law fails to capture bad actors, legislation could \ncomplement this strategy, but we believe it should be carefully crafted \nto target the bad behavior--not the underlying technology. Overbroad \nlegislation could place an undue burden on legitimate software, and \nseriously undermine the user experience.\nWhat Is Deceptive Software?\n    Let me explain what, exactly, I mean by deceptive software. \nDeceptive software generally describes programs that gain unauthorized \naccess to a computer--whether to spy on user activities, hijack user \nconfigurations, or deliver intrusive and unwanted pop-up \nadvertisements. The common thread that unifies deceptive software \nprograms--and that distinguishes them from legitimate applications--is \ntheir lack of notice and choice, and their absence of respect for \nusers' ability to control their own computers. 
With proper disclosure, \nuser authorization and control, these same features can be an asset: \nuser-approved tracking can lead to personalization; user-approved \nconfiguration changes (for example, setting a new search page) can \nyield a better user experience; and user-approved displaying of \nadvertisements can subsidize the cost of a service (such as e-mail), \nmaking it cheaper or even free for consumers. In short, the problem is \nwith bad practices, not the underlying features.\n    There is a spectrum of tricks that cause consumers to load software \napplications that they may not want. To better understand these tricks, \nit is useful to first briefly describe a legitimate download \nexperience. I would like to draw your attention to Slide A: ``User \nInitiates Download.'' This slide represents a typical web site \nconsumers might visit. On the web site is a link for downloading a \nprogram (in this example, a program that will display a ``stock \nticker''). When users click on the link, the operating system displays \na security warning that asks them whether they want to install the \nprogram, as shown in Slide B: ``Security Warning Displayed.'' These \nsecurity warnings are a normal part of the computing experience.\n    In some instances, however, web sites manipulate the download \nexperience in an attempt to mislead users. When users are presented \nwith a download request and security warning, they will often consider \nthe web site they are visiting to decide whether to accept the \ndownload. If the web site is one they trust, they may simply accept the \ndownload without much thought. Using a deceptive technique we call a \npop-under exploit, however, some web sites take advantage of this \ntrust, going out of their way to make it more difficult for users to \ntell which web site is actually offering the download. 
For example, on \nSlide C: ``Pop-Under Exploit--Step 1,'' users who are visiting a \nlegitimate website are presented with a download request that appears \nto have been generated from that site, which we see on Slide D: ``Pop-\nUnder Exploit--Step 2.'' In fact, the download request was actually \nlaunched from a web page that is hidden beneath the legitimate site, as \nwe see on Slide E: ``Pop-Under Exploit--The Trick.'' Launching a \ndownload request from a pop-under can result in a confusing or even \nmisleading experience. It is likely that the user, who cannot easily \nview the underlying web page, will assume that the request came from \nthe legitimate site and may choose to download the software for this \nreason.\n    Web sites are often compensated for each software download that \noccurs from their site and in order to increase this volume, some web \nsites will resort to deceptive practices. For example, a web site might \nconfuse users so that no matter where they click, they are taken to a \npage that requires a download. In this scenario, shown on Slide F: `` \n`Cancel' Means `Yes,' '' a user is presented with an image that mimics \na security warning or update and appears to provide the user with \nappropriate choices about downloading certain software. However, even \nif the user clicks the ``Cancel'' button or the ``[x]'' box to close \nthe window, the web site will attempt to download the software onto the \nuser's machine. This type of trick can also take place through embedded \nsecurity alerts, as shown on Slide G: ``Faux Security Alert,'' where \nall buttons in the alert mean ``yes'' and initiate a download \nexperience the user did not want.\n    Perhaps the most nefarious way that software is installed requires \nno action on the part of the user. In this scenario, bad actors exploit \na security hole and covertly install software without any notice to or \nconsent from the user. 
This practice is illegal under existing law, but \nbad actors still attempt to deceive users in this fashion. To educate \nconsumers on the steps they can take to minimize this risk, we created \na web site, www.microsoft.com/protect, that recommends (1) keeping \nsystems up to date using the free Windows Update service, (2) running \nup-to-date anti-virus software, and (3) using a firewall like the one \nincluded with Windows XP.\n    There is one other way that software can get installed without any \naction on the part of the user. If a user sets their browser security \nsetting to ``low,'' as illustrated on Slide H: ``Don't Leave Your Front \nDoor Open,'' all sites are assumed to be ``trusted,'' and no security \nwarning will be displayed. This can result in what are called ``drive-\nby-downloads,'' in which the download silently and automatically occurs \nby just visiting a web site. Microsoft encourages users to leave their \nsecurity settings on the default setting of ``medium'' or higher, and \nin cases where the browser security level must be set on ``low,'' we \nencourage users to reset security back to a higher level as soon as \npossible.\n    These slides illustrate just a few of the ways in which users can \nbe tricked into downloading unwanted and sometimes destructive \nsoftware. Other tricks include limiting users' ability to make a fair \nchoice by repeatedly asking them to make a decision until they say \n``yes''; covertly installing software by piggybacking on other software \nbeing installed; pretending to uninstall; and re-installing without \nauthorization.\nDeceptive Software is a Growing Problem for Our Customers\n    Our customers are becoming increasingly frustrated by unwanted and \ndeceptive software. 
We receive thousands of calls from customers each \nmonth directly related to unwanted or deceptive software, and we have \nevidence that suggests such software is at least partially responsible \nfor approximately one-half of all application crashes that our \ncustomers report to us. In addition, our industry partners who make \ncomputers--sometimes referred to as ``Original Equipment \nManufacturers'' or OEMs--have indicated that unwanted and deceptive \nsoftware is one of the top support issues they face, and that it costs \nmany of the larger OEMs millions of dollars per year.\n    Other estimates support the growing threat of the problem. \nAccording to the security software firm PC Pitstop, nearly a quarter of \npersonal computers are afflicted with some type of unwanted or \ndeceptive software application. More aggressive estimates place the \ntotal at between 80 and 90 percent of all PCs. Indeed, a 2003 study by \nthe National Cyber Alliance found that 91 percent of broadband \ncustomers have some form of unwanted or deceptive software on their \nhome computers.\n    What may be most alarming is the growth of these programs over the \npast year. PestPatrol, which sells spyware detection and removal \nsoftware, estimates that there are now more than 78,000 separate \nspyware programs in use. In the past year, PestPatrol identified more \nthan 500 new Trojan horses (which are programs that provide unlimited \naccess to PCs), 500 new key loggers (which monitor and record a user's \nkeystrokes), and nearly 1,300 new forms of programs that display \nadvertisements. The past year has also seen spyware manufacturers gain \nstrides in their ongoing technological battle against anti-spyware \nremoval and detection systems. 
Over the past six months, the number of \n``burrowers''--programs that dig so deeply into an operating system \nthat they cannot be found or removed without major and potentially \ndamaging surgery--has increased from six to more than 40.\n    The explosion in the volume of unwanted and deceptive software has \nhad an enormous impact on Microsoft, as has the accompanying increase \nin the complexity with which those programs operate and the damage that \nthey do. Many of our customers blame the problems caused by these \nprograms on Microsoft software, believing that their systems are \noperating slowly, improperly, or not at all because of flaws in our \nproducts or other legitimate software. This costs us not only millions \nof dollars per year in otherwise unnecessary support calls, but also \nimmeasurable damage to our reputation and, most importantly, to our \nefforts to optimize our customers' computer experiences.\nAdopting a Comprehensive Strategy To Combat Unwanted and Deceptive \n        Software\n    As I have shown, there is a continuum of behaviors that lead or \ntrick users into downloading unwanted software programs. In the same \nvein, there is a continuum of solutions that we believe must be part of \nthe strategy to end these behaviors and curb the spread of deceptive \nsoftware. This strategy has four prongs: widespread customer education; \ninnovative technology solutions; improved industry self-regulation; and \naggressive enforcement under existing state and federal laws. As I \nmentioned previously, new, carefully crafted and narrowly focused \nlegislation can also play a role to the extent that existing laws do \nnot fully address certain deceptive or misleading practices.\nAddressing the Problem Starts with Consumer Education\n    The first step in the battle against unwanted and deceptive \nsoftware is better consumer education. 
Once confined to the back pages \nof industry journals, the problem is beginning to move to the \nmainstream of consumer protection issues, as last week's workshop at \nthe Federal Trade Commission and today's hearing demonstrate. These \npublic forums are essential in heightening consumer awareness of the \nproblems caused by deceptive software.\n    To complement those efforts, Microsoft recently launched a \nwebsite--www.microsoft.com/spyware--with information that is \nspecifically designed to help consumers understand, identify, prevent, \nand remove unwanted and deceptive software. This website explains what \nspyware is and why it can be dangerous; tells users how they can \nprotect their machines from being compromised by these unauthorized \nprograms; helps consumers ascertain whether their computers already \ncontain unwanted or deceptive software by describing its symptoms, such \nas sluggish performance, an increase in random pop-up advertisements, \nand a hijacked home page; and points users to third-party tools that \ncan detect and remove these programs.\n    Microsoft is committed to working with Congress and the FTC to \ncontinue educating consumers about the ways they can prevent unwanted \nand deceptive software from attacking their PCs. While the Internet is \nan incredible resource that has enabled--and will continue to enable--\ncountless and sweeping improvements in communications, commerce, and \ngovernment, that same power requires that computer users take the same \ncare for their safety and security online as they would offline. As an \nindustry leader, we acknowledge and strive to fulfill our \nresponsibility to educate consumers about these and other related \nissues. 
Consumers who take steps to remove or prevent the installation \nof this software will not only preserve their own privacy, security, \nand optimum computer experiences, but they will make an important \ncontribution to the larger effort of generally eliminating the problem. \nThe entities that produce these programs will have much less incentive \nto create and download their products if consumers take steps to block \ntheir use--or at least do not respond to the seller on whose behalf the \ndeceptive software purveyor is operating.\nIndustry Is Working on New Technology To Combat Deceptive Software\n    The development of anti-spyware technology should complement the \nimpact of consumer education and awareness. For example, third parties \nhave released anti-spyware programs that enable users to remove or \ndisable many examples of unwanted and deceptive software from their PCs \nwithout damaging their existing hardware or legitimate software. These \ntools are continually being improved to address new variants and \nscenarios.\n    Microsoft is working on enhancements that will also help address \nthe problem. For example, we will soon be introducing Windows XP \nService Pack 2--a free update for all licensed Windows XP users--that \nincludes features designed to block some of the entry points and \ndistribution methods of deceptive software by better informing users in \nadvance about the type of software they will be installing. 
These \nenhancements include:\n\n\xe2\x80\xa2 A new pop-up blocker, turned on by default, that will reduce a user's \n        exposure to unsolicited downloads (See Slide I: ``New Popup \n        Blocker'');\n\xe2\x80\xa2 A new download blocker that will suppress unsolicited downloads until \n        the user expresses interest (See Slide J: ``New Download \n        Blocker'');\n\xe2\x80\xa2 Redesigned security warnings that make it easier for users to \n        understand what software is to be downloaded, make it more \n        obvious when bad practices are used (e.g., multi-line program \n        names), and allow users to choose to never install certain \n        types of software (See Slide K: ``Improved Install Prompts'');\n\xe2\x80\xa2 A new policy that restricts a user's ability to directly select \n        ``low'' security settings (See Slide L: ``Harder to Leave Your \n        Front Door Open''); and,\n\xe2\x80\xa2 Tools to help expert users and support professionals understand and \n        disable unwanted functionalities that have been added to the \n        browser. (See Slide M: ``New Add-On Manager.'')\n    Beyond Windows XP Service Pack 2, Microsoft is investing in future \ntechnologies that advance our goal of giving users the ability to \nunderstand what software they are running and installing, and whether \nthey can trust it. We continue to explore ways that we can better \ninform consumers in advance about programs that they plan to install, \nand to provide them with more control over the installation itself. We \nalso are striving to enhance and simplify the ways in which our \ncustomers can see what software is running on their computers, and to \nevaluate what to do with that software based on their preferences. 
And \nwe are working to advance technologies that can be used by our entire \nspectrum of customers--from the most sophisticated enterprise to the \nmost novice consumer--because we want them all to have an equally \nfulfilling computer experience.\nIndustry Best Practices Are an Important Part of the Solution\n    The third important part of our strategy is to develop a set of \nindustry-wide best practices. Developing best practices is critical \nbecause they will create an incentive for legitimate software \npublishers to distinguish themselves from less scrupulous publishers \nand minimize the risk of being classified with the bad actors that \nengage in deceptive practices. Best practices will also serve as a \nfoundation for programs that certify and label good actors and thereby \nenable users to make more informed decisions about the type of software \nthey execute and install on their computers.\n    The first step in this process is developing an understanding of \nthe devious, deceptive, or unfair practices that adversely affect \nconsumers. The Center for Democracy and Technology (CDT) has made great \nstrides in this area through its Consumer Software Working Group, of \nwhich we are a member. This group includes public interest \norganizations, software companies, Internet service providers, and \nhardware manufacturers, all of whom have worked hard to identify a set \nof deceptive practices that raise serious concerns. These practices--\nmany (if not all) of which are illegal under existing law--should help \nfocus regulatory and law enforcement efforts on the truly bad actors.\n    In addition to recognizing bad practices, we think it is equally \nimportant to begin to develop best practices in certain scenarios. \nThese scenarios include the collection and transmission of personal \ninformation, the display of advertisements, and changes to \nconfiguration settings that affect the Internet browser home page or \nbrowser search page. 
The touchstone of these best practices should be
appropriate notice and consent. Users should understand what the
software will do in these scenarios before it is executed, and they
should then have a choice about whether to execute it. In addition,
programs with these features that are installed on a user's computer
should also be easily uninstalled or disabled--or if that is not
possible, the user should be clearly informed of that fact upfront.
    Microsoft is actively extending its best practices to explicitly
include the scenarios highlighted above. We are committed to working
with other companies in the industry to ensure that users have high-
quality experiences with legitimate software. And we would be happy to
share our best practices to the extent they would be helpful in moving
the industry forward to this common goal. In the end, self-regulatory
measures more than federal requirements will help industry leaders
define and implement best practices that account for the complexities
of different software applications and can evolve to meet the ever-
changing nature of technology.
Enforcement Is a Critical Part of the Fight Against Deceptive Software
    A fourth key weapon to stop the spread of deceptive software is the
aggressive enforcement of existing laws. Such enforcement could put
some of the most insidious violators out of business, which would have
a significant impact on the amount and type of deceptive software that
is produced and distributed in the United States. Moreover, a few
targeted enforcement actions would serve as a powerful deterrent to
other manufacturers of deceptive software.
    Enforcement actions are possible using existing law. For example,
under the Federal Trade Commission Act, the FTC is empowered to
challenge unfair and deceptive trade practices, which--by definition--
are at the heart of virtually all deceptive software programs. Many
states have similar laws that authorize their own enforcement agencies
to prosecute entities that engage in these same types of practices. And
the Computer Fraud and Abuse Act provides other law enforcement
agencies with the means to address spyware threats that involve hacking
into users' computers. Given the growing sophistication, diversity, and
proliferation of spyware, the private and public sectors should combine
their resources to hold those who publish illegitimate deceptive
software accountable for their actions and the damage they perpetrate.
Congress Should Proceed Cautiously
    Microsoft is hopeful that the combination of user education,
improved technology, industry best practices, and enforcement of
existing laws can effectively combat the growing problem of deceptive
software. Although we have seen an increase in the amount and
complexity of deceptive software in recent months, it is encouraging to
see the stepped-up response of both the public and private sectors. We
are open to considering whether federal legislation can provide an
additional layer of protection and another weapon in the fight against
deceptive software. However, Microsoft offers two important caveats
when considering federal legislation.
    First, as noted above, many deceptive software programs are already
either prohibited under existing law--such as the Computer Fraud and
Abuse Act--or are subject to the FTC's jurisdiction over unfair and
deceptive trade practices. Any additional federal legislation deemed
necessary to outlaw deceptive software must be carefully crafted to
supplement the existing legal framework only where gaps are identified.
    Second, any legislation should target deceptive behavior, rather
than specific features or functionalities, to avoid imposing unworkable
requirements on legitimate programs and negatively impacting computer
users.
Examples of some unintended consequences of well-intentioned
legislation include the following:

• Disruptive User Experience. Many legitimate software programs contain
        an information-gathering activity to perform properly,
        including error reporting applications, troubleshooting and
        maintenance programs, security protocols, and Internet
        browsers. Imposing notice and consent requirements every time
        these legitimate programs collect and transmit a piece of
        information would disrupt the computing experience, because
        users would be flooded with constant, non-bypassable warnings--
        making it impossible to perform routine Internet functions
        (such as connecting to a web page) without intolerable delay
        and distraction.
• Compromised Consent Experience. ``One size fits all'' notice and
        consent requirements may not give users sufficient context to
        make informed decisions. For example, requiring notice and
        consent at the time of installation ignores the importance of a
        technique we refer to as ``just in time'' consent, which delays
        the notice and consent experience until the time most relevant
        to the user--just before the feature is executed. If a program
        crashes, for instance, Windows Error Reporting functionality
        will ask the user whether he or she would like to send crash
        information to Microsoft. At this time, the user is able to
        examine the type of information that will be sent to Microsoft
        and to assess the actual privacy impact, if any, of
        transmitting such information in light of the potential benefit
        of receiving a possible fix for the problem. In this case, the
        user understands the costs and benefits of the proposition
        being made and is able to make an informed choice. Presenting
        the notice and choice experience at the time of installation,
        on the other hand, would lack this critical context.
• Unrealistic Uninstall Requirements. Requiring standardized uninstall
        practices for all software would be unworkable in many
        circumstances. For example, there are cases where a full and
        complete uninstall is neither technically possible nor
        desirable, such as with a software component that is in use and
        shared by other programs. In addition, there are other cases
        where an uninstall may be technically possible, but the cost to
        provide such functionality would be prohibitive, such as with
        complex software systems that may require the entire software
        system to be removed. Finally, there are situations where
        requiring uninstall could actually compromise the security of
        the system, such as backing out security upgrades or removing
        critical services.
    There are many other areas in which legislation could fall into
similar traps, imposing ineffective or impracticable requirements, or
even threatening PC security and usability. We therefore encourage
Congress to focus its attention on the devious practices of deceptive
software, including those identified by CDT and its Consumer Software
Working Group; to legislate only to the extent such practices are not
already illegal under existing law; and to engage industry experts in
understanding the complexities of software, thereby ensuring
appropriate due diligence to avoid unintended consequences.
    Unwanted and deceptive software is a growing problem, and we
believe that a multi-faceted approach is needed: improved consumer
education; new technology solutions; a comprehensive set of industry
best practices; and aggressive enforcement of existing laws against
violators.
This approach will enable consumers to make more informed
decisions about installing software; help distinguish good actors from
bad ones; and make being bad an expensive proposition. We commend the
Subcommittee for holding this hearing today and thank you for extending
us an invitation to share our experience and recommendations with you.
Microsoft is committed to working with you to thwart the efforts of
those who produce and distribute these deceptive programs, and to
restoring choice and control back where it belongs--in the hands of
consumers.

[GRAPHIC] [TIFF OMITTED] T3308.001 through T3308.017

    Mr. Stearns. I thank you for your demonstration.
    Mr. David Baker, who is Vice President, Law and Public
Policy with Earthlink. We welcome you.

                   STATEMENT OF DAVID N. BAKER

    Mr. Baker. Mr. Chairman Stearns, Ranking Member Schakowsky,
ladies and gentlemen of the committee, thank you for inviting
me here today. I'm Dave Baker, Vice President for Law and
Public Policy with Earthlink, headquartered in Atlanta.
Earthlink is the Nation's third largest internet service
provider, serving over 5 million customers nationwide with
dial-up, broadband, web hosting and wireless internet services.
    Earthlink is always striving to improve its customers'
online experience.
To that end, we appreciate the attention
this committee is paying to the growing problem of spyware. We
may be at the point in time with regard to the development and
proliferation of spyware that we were just a year or 2 ago with
spam. In other words, spyware is just now being noticed by many
consumers, yet threatens to grow to the point where it could
soon compromise their online experience and security if it does
not do so already.
    As the Wall Street Journal noted just this past Monday,
April 26, ``indeed spyware, small programs that install
themselves on computers to serve up advertising, monitor web
surfing and other computer activities and carry out other
orders is quickly replacing spam as the online annoyance
computer users most complain about.''
    Also like spam, we must fight spyware on several fronts,
using legislation, enforcement, customer education and
technology solutions. To this end, we applaud the efforts of
Congresswoman Bono, Congressman Towns, other members and this
committee to introduce legislation such as H.R. 2929, the
Safeguard Against Privacy Invasions or SPI Act, prohibiting the
installation of software without consent, requiring uninstall
capability, establishing requirements for transmission pursuant
to license agreements and requiring notices for collection of
personally identifiable information, intent to advertise, and
modification of user settings are all steps that will empower
consumers and keep them in control of their computers and their
online experience.
    As a leading internet provider, EarthLink is on the front
lines in combating spyware. EarthLink makes available to both
its customers and the general public technology solutions to
spyware such as EarthLink Spy Audit powered by Webroot. Spy
Audit is a free service that allows a user to quickly examine
his or her computer and detect spyware.
A free download of Spy
Audit is available at our website, and a screen shot of this web
page is attached as Exhibit A to my testimony. EarthLink
members also have access to Spyware Blocker which disables all
common forms of spyware including adware, system monitors, key
loggers and Trojans. EarthLink Spyware Blocker is available
free for EarthLink members as a part of Total Access 2004, our
internet access software, and a screen shot with information on
Spyware Blocker is attached as Exhibit B to my testimony.
    We include useful tools such as spamBlocker, Pop-Up
Blocker, Virus Blocker, Privacy Tools and Parental Controls in
addition to Spyware Blocker and we will soon be introducing
Scam Blocker which will help users detect and avoid nefarious
phisher sites.
    On April 15, 2004, EarthLink and Webroot announced the
results of their Spyware Audit report. Over 1 million Spy Audit
scans performed from January 1 through March 31st of this year
found over 29.5 million instances of spyware. This represents
almost 28 instances of spyware per scanned PC. While
approximately 23.8 million of these installations were mostly
harmless adware cookies, the scans revealed over 5.3 million
installations of adware and more seriously, over 184,000 system
monitors, and almost 185,000 Trojans. A copy of the
EarthLink/Webroot press release detailing these findings is
attached as Exhibit C to my testimony.
    Spyware is thus a growing problem that demands the
attention of Congress, the FTC, consumers and industry alike.
Through the efforts of Congress to introduce legislation like
the SPI Act, the FTC to investigate the issue at its recent
spyware workshop and through industry development of
anti-spyware tools, we can all help protect consumers against a
threat that is often unseen, but very much real.
    Thank you for having me here today.
    [The prepared statement of David N. Baker follows:]

    Prepared Statement of David N. Baker, VP, Law & Public Policy,
                            EarthLink, Inc.

    Mr. Chairman, Ladies and Gentlemen of the Committee, thank you for
inviting me here today. I am Dave Baker, Vice President for Law and
Public Policy with EarthLink. Headquartered in Atlanta, EarthLink is
the nation's 3rd largest Internet Service Provider (ISP), serving over
5 million customers nationwide with dial-up, broadband (DSL, cable and
satellite), web hosting and wireless Internet services. EarthLink is
always striving to improve its customers' online experience. To that
end, we appreciate the attention this committee is paying to the
growing problem of spyware.

Spyware: The Next Spam?
    We may be at a point in time with regard to the development and
proliferation of spyware that we were just a year or two ago with spam.
In other words, spyware is just now being noticed by many consumers yet
threatens to grow to the point where it could soon compromise their
online experience and security, if it does not do so already.
    As the Wall Street Journal noted just this past Monday, April 26,
``Indeed, spyware--small programs that install themselves on computers
to serve up advertising, monitor Web surfing and other computer
activities, and carry out other orders--is quickly replacing spam as
the online annoyance computer users most complain about.''
    Also like spam, we must fight spyware on several fronts, using
legislation, enforcement, customer education and technology solutions.
To this end, we applaud the efforts of Congress and this committee to
introduce legislation such as H.R. 2929, the Safeguard Against Privacy
Invasions (SPI) Act.
Prohibiting the installation of software without
consent, requiring uninstall capability, establishing requirements for
transmission pursuant to license agreements, and requiring notices for
collection of personally identifiable information, intent to advertise
and modification of user settings are all steps that will empower
consumers and keep them in control of their computers and their online
experience.

EarthLink Experience
    As a leading Internet provider, EarthLink is on the front lines in
combating spyware. EarthLink makes available to both its customers and
the general public technology solutions to spyware such as EarthLink
Spy Audit powered by Webroot (``Spy Audit''). Spy Audit is a free
service that allows a user to quickly examine his or her computer and
detect spyware. A free download of Spy Audit is available at
www.earthlink.net/spyaudit. (See Exhibit A, attached hereto.) EarthLink
members also have access to EarthLink Spyware Blocker, which disables
all common forms of spyware including adware, system monitors, key
loggers and Trojans. EarthLink Spyware Blocker is available free for
EarthLink members as part of Total Access 2004, our Internet access
software. See www.earthlink.net/home/software/spyblocker (Exhibit B,
attached hereto).
    Total Access 2004 includes useful tools such as spamBlocker, Pop-Up
Blocker, Virus Blocker, Privacy Tools and Parental Controls in addition
to Spyware Blocker.
    On April 15, 2004, EarthLink and Webroot announced the results of
their Spy Audit report. Over 1 million Spy Audit scans performed from
January 1, 2004 to March 31, 2004 found over 29,500,000 instances of
spyware. This represents almost 28 instances of spyware per scanned PC.
While approximately 23.8 million of these installations were mostly
harmless adware cookies, the scans revealed over 5.3 million
installations of adware, and more seriously, over 184,000 system
monitors, and almost 185,000 Trojans. A copy of the EarthLink/Webroot
press release detailing these findings is attached hereto as Exhibit C.

Conclusion
    Spyware is thus a growing problem that demands the attention of
Congress, the FTC, consumers and industry alike. Through the efforts of
Congress to introduce legislation like the SPI Act, the FTC to
investigate the issue at its recent spyware workshop, and through
industry development of anti-spyware tools, we can all help protect
consumers against a threat that is often unseen, but very much real.
    Thank you for your time today.

    Mr. Stearns. I thank the gentleman. I'm going to go to the
Honorable Mozelle Thompson, Commissioner, Federal Trade
Commission and welcome you.

              STATEMENT OF HON. MOZELLE W. THOMPSON

    Mr. Thompson. Thank you, Mr. Chairman and Ranking Member
Schakowsky, members of the committee and subcommittee. It's
good to see you.
    As you know, I'm Commissioner at the FTC and I wish to
thank the committee for holding this hearing on the important
subject of spyware. I also appreciate the opportunity to appear
before you today.
    As you know--well, first, let me begin by telling you the
views I express here are my own and not necessarily those of
the Commission.
    As you know, the FTC has long been involved with internet
issues like online privacy, identity theft, cross border fraud
and spam. And our experience has given us a unique vantage
point to view developments in the consumer marketplace and
identify issues that warrant public attention.
    Last week, the Commission held a 1-day public workshop on
one of those topics, the distribution and effects of software
commonly referred to as spyware.
We began our workshop by
asking participants to define what spyware is. As the chairman
noted, spyware commonly refers to software that essentially
monitors consumers' computing habits and as such, it
necessarily raises privacy issues. This software can offer
consumers and businesses various benefits, including a
streamlined interactive online experience and updates and can
allow businesses to more effectively communicate with their
customers. However, spyware can also be used as secret software
that surreptitiously gathers information and transmits it to
third parties without the subject's knowledge or consent.
Sometimes these uses can result in identity theft and other
types of fraud and in some cases can interfere with the
computer's operability.
    These activities undermine consumer confidence in the
marketplace and can also impose extra costs on good actors who
are forced to compete against those willing to engage in
deception, fraud or worse.
    I used our workshop as an opportunity to challenge industry
to promptly develop a set of best practices with respect to
spyware. These practices should contain several critical
elements including meaningful notice and choice so the
consumers can make informed decisions about whether or not they
wish to deal with an online business that uses monitoring
spyware or partners with companies that do.
    I also asked industry to develop a public campaign to
educate consumers and businesses about what spyware is and how
it operates. This public campaign should also discuss the array
of technological tools that are available for consumer use.
Finally, I called upon industry to establish a mechanism that
will allow businesses and consumers to maintain a continuing
dialog on how government can take action against those who do
wrong and undermine consumer confidence through the misuse of
spyware.
    Now some Members of Congress, including Representatives Bono
and Towns, are calling for spyware legislation. I commend you
for bringing important public attention to this issue. And I
understand the desire to take action before the problems
associated with spyware grow worse and injure more consumers
and businesses, but I do not believe legislation is the answer
at this time.
    Instead, I respectfully submit that we should give industry
an opportunity to respond to my challenge. My experience
working on issues like online privacy and spam tells me that in
approaching such problems any solution must at the very least
be based on transparency, adequate notice and consumer choice.
So I've used my challenge as a way to set out what I consider
to be the critical elements that should form a baseline for any
industry response. If the self-regulatory response is not
timely or is inadequate, another perhaps legislative approach
might be appropriate.
    In any event, whatever is done in this area should work in
conjunction with existing laws like the FTC Act which allows
the Commission to take action against deceptive or unfair
practices.
    I make this suggestion with some circumspection,
recognizing that there are many who would like Congress to act
now.
But absent a comprehensive data privacy law in the United
States and recognizing the challenge posed by defining spyware
because it has beneficial and not beneficial uses, I believe
that self-regulation, combined with enforcement of existing
laws will help address many of the issues raised in this area.
    I am also aware that States might be anxious to legislate
here, but I ask them to be cautious as well because a patchwork
of differing and inconsistent State approaches might be
confusing to industry and consumers alike.
    Now finally, as I mentioned, spyware raises important
privacy concerns and several years ago I appeared before
Congress and suggested that a Federal law incorporating fair
information practices might be an acceptable legislative
response. I believe it may still be, but I don't think it will
be the most effective in addressing the problems posed by
spyware.
    For the time being, however, a strong, responsible and
prompt industry self-regulatory response may provide an
effective solution for the problems that spyware poses for both
consumers and industry.
    Thank you very much.
    [The prepared statement of Hon. Mozelle W. Thompson
follows:]

           Prepared Statement of The Federal Trade Commission

    Mr. Chairman and members of the Committee, the Federal Trade
Commission (``Commission'' or ``FTC'') appreciates this opportunity to
provide the Commission's views on ``spyware.'' <SUP>1</SUP>
---------------------------------------------------------------------------
    \1\ The written statement presents the views of the Federal Trade
Commission.
Oral statements and responses to questions reflect the
views of the speaker and do not necessarily reflect the views of the
Commission or any other Commissioner.
---------------------------------------------------------------------------
    The FTC has a broad mandate to prevent unfair competition and
unfair or deceptive acts or practices in the marketplace. Section 5 of
the Federal Trade Commission Act gives the agency the authority to
challenge acts and practices in or affecting commerce that are unfair
or deceptive.<SUP>2</SUP> The Commission's law enforcement activities
against unfair or deceptive acts and practices are generally designed
to promote informed consumer choice. This statement will discuss the
FTC's activities related to spyware, including our recent workshop and
potential law enforcement actions.
---------------------------------------------------------------------------
    \2\ 15 U.S.C. § 45.
---------------------------------------------------------------------------
                          FTC SPYWARE WORKSHOP

    For nearly a decade, the FTC has addressed online privacy and
security issues affecting consumers.
Through a series of workshops and
hearings, the Commission has sought to understand the online
marketplace and its information practices, to assess the impact of
these practices on consumers, and to challenge industry leaders to
develop and implement meaningful self-regulatory programs.<SUP>3</SUP>
---------------------------------------------------------------------------
    \3\ See, e.g., Workshop: Technologies for Protecting Personal
Information, The Consumer Experience (May 14, 2003); Workshop:
Technologies for Protecting Personal Information, The Business
Experience (June 4, 2003); Consumer Information Security Workshop (May
20, 2002).
---------------------------------------------------------------------------
    The most recent example of this approach is the workshop entitled
``Monitoring Software on Your PC: Spyware, Adware, and Other Software''
that was held last week. The workshop was designed to provide us with
information about the nature and extent of problems related to spyware,
and possible responses to those problems. Specifically, the workshop
focused on four main topics: (1) defining ``spyware'' and exploring how
it is distributed (including the role of peer-to-peer file-sharing
software and whether spyware may differ from ``adware''); (2) examining
spyware's general effects on consumers and competition; (3) exploring
spyware's potential security and privacy risks; and (4) identifying
technological solutions, industry initiatives, and governmental
responses (including consumer education) related to spyware.
Underscoring the importance of this issue both FTC Commissioners Orson
Swindle and Mozelle Thompson personally participated in the workshop.
    To encourage broad-based participation, the FTC issued a Federal
Register Notice announcing the workshop and requesting public
comment.<SUP>4</SUP> The Commission received approximately 200
comments, and the record will remain open until May 21, 2004, for
submission of additional comments. At the workshop, a wide range of
panelists engaged in a spirited debate concerning spyware, including
what government, industry, and consumers ought to do to respond to the
risks associated with spyware.
---------------------------------------------------------------------------
    \4\ 69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/
---------------------------------------------------------------------------
    Although the agency is continuing to receive information on this
important issue, the record at the workshop leads to some preliminary
conclusions. First, perhaps the most challenging task is to carefully
and clearly define the issue. ``Spyware'' is an elastic and vague term
that has been used to describe a wide range of software.<SUP>5</SUP>
Some definitions of spyware could be so broad that they cover software
that is beneficial or benign; software that is beneficial but misused;
or software that is just poorly written or has inefficient code.
Indeed, there continues to be considerable debate regarding whether
``adware'' should be considered spyware.
Given the risks of defining
spyware too broadly, some panelists at our workshop argued that the
more prudent course is to focus on the harms caused by misuse or abuse
of software rather than on the definition of spyware.
---------------------------------------------------------------------------
    \5\ For the purposes of the workshop, the FTC Staff tentatively
described spyware as ``software that aids in gathering information
about a person or organization without their knowledge and which may
send such information to another entity without the consumer's consent,
or asserts control over a computer without the consumer's knowledge.''
69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/
---------------------------------------------------------------------------
    Panelists described a number of harms caused by spyware. These
include invasions of privacy, security risks, and functionality
problems for consumers. For example, spyware may harvest personally
identifiable information from consumers through monitoring computer use
without consent. Spyware also may facilitate identity theft by
surreptitiously planting a keystroke logger on a consumer's personal
computer. It may create security risks if it exposes communication
channels to hackers. Spyware also may adversely affect the operation of
personal computers, including slowing processing time and causing
crashes, browser hijacking, home page resetting, installing dialers,
and the like. These harms are problems in themselves, and could lead to
a loss in consumer confidence in the Internet as a medium of
communication and commerce.
    Many of the panelists discussed how spyware may cause problems for
businesses. Companies may incur costs as they seek to block and remove
spyware from the computers of their employees.
Employees will be less
productive if spyware causes their computers to crash or they are
distracted from their tasks by a barrage of pop-up ads. Spyware that
captures the keystrokes of employees could be used to obtain trade
secrets and other confidential information from businesses. In
addition, representatives from companies such as ISPs, PC
manufacturers, anti-virus providers, and an operating system
manufacturer indicated that they spend substantial resources responding
to customer inquiries when PCs or Internet browsers do not work as
expected due to the presence of spyware. As such, these companies also
may suffer injury to their reputations and lose good will.
    Because of the relatively recent emergence of spyware, there has
been little empirical data regarding the prevalence and magnitude of
these problems for consumers and businesses. Given how broadly spyware
can be distributed and the severity of some of its potential risks,
government, industry, and consumers should treat the threats to
privacy, security, and functionality posed by spyware as real and
significant problems.
    At the workshop, we heard that substantial efforts are currently
underway to address spyware. Industry is deploying new technologies as
well as distributing educational materials to assist consumers in
addressing the problems associated with spyware. Similarly, at the
workshop, industries involved with the dissemination of software
reported that they are developing best practices.
    Consumers and businesses are becoming more aware of the
capabilities of spyware, and they are responding by installing anti-
spyware products and taking other measures to minimize these risks.
\nGovernment and industry-sponsored education programs, and industry \nself-regulation, could be instrumental in making users more aware of \nthe risks of spyware, thereby assisting them in taking actions to \nprotect themselves (such as running anti-spyware programs).<SUP>6</SUP>\n---------------------------------------------------------------------------\n    \\6\\ Panelists at the workshop noted that consumers need to be very \ncareful to obtain anti-spyware programs from legitimate providers \nbecause some purported anti-spyware programs in fact disseminate \nspyware.\n---------------------------------------------------------------------------\n                          FTC LAW ENFORCEMENT\n\n    As the nation's primary consumer protection agency, the Commission \nalso has a law enforcement role to play in connection with unfair or \ndeceptive acts or practices involved in the distribution or use of \nspyware.<SUP>7</SUP> At the workshop, FTC and DOJ staff members noted \nthat many of the more egregious spyware practices described at the \nworkshop may be subject to attack under existing Federal and State \nlaws, and the workshop concluded with a request that industry and \nconsumer groups notify the FTC staff of problematic practices.\n---------------------------------------------------------------------------\n    \\7\\ The Commission will find deception if there is a material \nrepresentation, omission, or practice that is likely to mislead \nconsumers acting reasonably in the circumstances, to their detriment. \nSee Federal Trade Commission, Deception Policy Statement, appended to \nCliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984) (``Deception \nStatement''). An act or practice is ``unfair'' if it causes or is \nlikely to cause substantial injury to consumers, that injury is not \noutweighed by any countervailing benefits to consumers and competition, \nand consumers could not have reasonably avoided the injury. 15 U.S.C. 
§ \n45(n).\n---------------------------------------------------------------------------\n    The Commission is conducting non-public investigations related to \nthe dissemination of spyware. As discussed at the workshop, however, \ninvestigating and prosecuting acts and practices related to spyware, \nparticularly the more pernicious programs, pose substantial law \nenforcement challenges. Given the surreptitious nature of spyware, it \noften is difficult to ascertain from whom, from where, and how such \nproducts are disseminated. Consumer complaints, for instance, are less \nlikely to lead directly to targets than in other law enforcement \ninvestigations, because consumers often do not know that spyware has \ncaused the problems or, even if they do, they may not know the source \nof the spyware.<SUP>8</SUP> Indeed, computer manufacturers stated at \nour workshop that they believe an increasing number of service calls \nare spyware-related and spyware-related issues are difficult to \ndiagnose. Similarly, search engine providers testified that consumers \ncomplain to them, not realizing that the spyware (not the search \nengine) is causing their dissatisfaction with their search engine.\n---------------------------------------------------------------------------\n    \\8\\ Identifying the source of spyware is especially difficult when \nconsumers were not even aware that the spyware had been installed.\n---------------------------------------------------------------------------\n    The Commission has long been active in challenging unfair or \ndeceptive acts or practices on the Internet, and spyware cases are not \nfundamentally different. 
Over the course of nearly a decade, we have \nbrought approximately 300 cases challenging Internet practices \ninvolving substantial consumer harms, including harms similar to those \nposed by some examples of spyware.\n    Most recently, in D Squared Solutions, LLC, the defendants \nallegedly exploited an operating system feature to harm consumers. The \nWindows operating system uses ``Messenger Service'' windows to allow \nnetwork administrators to provide instant information to network users, \nfor example, a message to let users know that a print job has been \ncompleted. The defendants in D Squared exploited this feature to send \nMessenger Service pop-up ads to consumers, advertising software that \nsupposedly would block such ads in the future. Consumers would receive \nthese pop-up ads as often as every ten minutes. The Commission filed a \ncomplaint in federal court alleging that the defendants unfairly \ninterfered with consumers' use of their computers and tried to coerce \nconsumers into buying software to block pop-up ads.<SUP>9</SUP>\n---------------------------------------------------------------------------\n    \\9\\ FTC v. D Squared Solutions, LLC, No. 03-CV-3108 (D. Md. 2003). \nThe case is currently in litigation.\n---------------------------------------------------------------------------\n    The Commission brought several cases challenging the surreptitious \ndistribution of dialer programs. A paper submitted at the workshop by \nthe Computer Software Working Group <SUP>10</SUP> identified \nsurreptitious downloads as an example of one of the problematic \npractices of some spyware programs. 
Past Commission actions have \nattacked similar programs that secretly disconnect consumers from their \nInternet Service Providers, reconnect them to another network, and \ncharge them exorbitant fees for long distance telephone service or \nentertainment services delivered over the telephone line.<SUP>11</SUP> \nWe also have challenged the practice of ``pagejacking'' consumers and \nthen ``mousetrapping'' them at pornographic web sites.<SUP>12</SUP> \nThese cases demonstrate that the Commission has the authority under \nSection 5 of the FTC Act to take action to prevent harms to consumers \nsimilar to those that spyware allegedly causes.\n---------------------------------------------------------------------------\n    \\10\\ The Consumer Software Working Group is comprised of public \ninterest groups, software companies, Internet Service Providers, \nhardware manufacturers, and others. Available at <http://www.cdt.org/\nprivacy/spyware/2\n    \\11\\ See, e.g., FTC v. Alyon Technologies, Inc., No. 1:03-CV-1297 \n(N.D. Ga. 2003); FTC v. BTV Indus., No. CV-S-02-0437-LRH-PAL (D. Nev. \n2003); FTC v. Anderson, No. C00-1843P (W.D. Wash. 2000); FTC v. RJB \nTelcom, Inc., No. 002017 PHX EHC (D. Az. 2000); FTC v. Sheinkin, No. 2-\n00-3636 18 (D.S.C. 2000); FTC v. Verity Int'l, Ltd., No. 00 Civ. 7422 \n(LAK) (S.D.N.Y. 2000); FTC v. Audiotex Connection, Inc., No. CV-97-\n00726 (E.D.N.Y. 1997); see also Beylen Telecom, Ltd., FTC Docket No. C-\n3782 (final consent Jan. 23, 1998).\n    \\12\\ See, e.g., FTC v. Zuccarini, No. 01-CV-4854 (E.D. Pa. 2002); \nFTC v. Carlos Pereira d/b/a atariz.com, No. 99-1367-A (E.D.N.Y. 1999).\n---------------------------------------------------------------------------\n                               CONCLUSION\n\n    Spyware appears to be a new and rapidly growing practice that poses \na risk of serious harm to consumers. 
The Commission is learning more \nabout this practice, so that government responses to spyware will be \nfocused and effective. We are continuing to pursue law enforcement \ninvestigations. The FTC thanks this Committee for focusing attention on \nthis important issue, and for giving us an opportunity to present the \npreliminary results from our workshop. We look forward to further \ndiscussions with the Subcommittee on this issue.\n\n    Mr. Stearns. Thank you, Commissioner. Mr. Howard Beales, \nDirector of Bureau of Consumer Protection.\n\n             STATEMENT OF HON. J. HOWARD BEALES III\n\n    Mr. Beales. Thank you, Mr. Chairman, and members of the \nsubcommittee. I'd like to thank you for providing the Federal \nTrade Commission with this opportunity to submit testimony. The \nwritten testimony represents the views of the Federal Trade \nCommission and my oral comments do not necessarily reflect the \nviews of the Commission or any individual Commissioner.\n    We're here today to discuss spyware, a subject of growing \nconcern to consumers. Loosely defined, spyware is software that \naids in gathering information about a person or organization \nwithout their knowledge and it may send such information to \nanother entity without the consumer's consent. Other spyware may \nassert control over a computer without the consumer's \nknowledge.\n    As in many cases of the new internet issues, the question \nis how to proceed against practices that are clearly abusive \nwithout interfering with the benefits that the internet \nprovides to consumers. 
As Commissioner Thompson has described, \nwe've accomplished this task through a series of workshops and \nhearings where the Commission has sought to understand the \nonline marketplace and its information practices, to assess the \nimpact of these practices on consumers, and to challenge \nindustry leaders to deal with consumers in a straightforward \nand responsible manner.\n    Our most recent application of this approach was last \nweek's workshop, ``Monitoring Software on Your PC: Spyware, \nAdware and Other Software.'' It seems clear from the workshop's \ndiscussion that spyware may harvest personally identifiable \ninformation from consumers through monitoring computer use \nwithout consent. It also may facilitate identity theft by \nsurreptitiously planting a keystroke logger on a user's \npersonal computer. Spyware may create security risks if it \nexposes communications channels to hackers. It also may affect \nthe operation of personal computers, causing crashes, browser \nhijacking, home page resetting and the like.\n    These harms are problems in themselves and could lead to a \nloss in consumer confidence in the internet as a medium of \ncommunication and commerce.\n    Second, many of the panelists discussed how spyware may \ncause problems for businesses too. Companies may incur costs as \nthey seek to block and remove spyware from computers of their \nemployees or their customers. Employees will also be less \nproductive if spyware causes their computers to crash or if \nthey're distracted from their tasks by a barrage of popup ads. \nSpyware that captures the keystrokes of employees could be used \nto obtain trade secrets and confidential information from \nbusinesses.\n    We also heard that substantial efforts are currently \nunderway to address spyware. In response to market forces, \nindustry is developing and deploying new technologies to assist \nconsumers. 
Consumers and businesses are becoming more aware of \nthe risks of spyware and they're responding by installing anti-\nspyware products and other measures. Certain industry \nrepresentatives indicated that they would explore best \npractices and consumer education on issues related to spyware. \nAll of these efforts are very encouraging.\n    Another key theme of our workshop was the need to define \nthe problem carefully and clearly. Defining a class of software \nthat causes problems is a difficult task. Spyware is an elastic \nand vague term that's been used to describe a wide range of \nsoftware. A vague definition of software could be so broad that \nit covers software that is beneficial or benign, software that \nis harmful, software that is beneficial or benign, but misused, \nand software that is just poorly written or inefficient code. \nSuch imprecise definitions would treat these types of software \nin the same manner. We need to determine whether there is a \ndefinable class of software that can truly be called spyware.\n    The easiest way to start drawing lines is through case by \ncase law enforcement. The Commission has law enforcement \nauthority to challenge unfair or deceptive practices involved \nin the distribution or use of spyware. At the workshop, FTC and \nDOJ staff members noted that many of the more egregious spyware \npractices described at the workshop are subject to attack under \nexisting Federal and State laws including Section 5 of the FTC \nAct.\n    We have nonpublic investigations related to the \ndissemination of spyware. However, investigating and \nprosecuting acts and practices related to spyware, particularly \nthe more pernicious programs, pose law enforcement challenges. \nGiven the surreptitious nature of spyware, it is often \ndifficult to ascertain from whom, from where and how such \nproducts are disseminated. 
Consumer complaints are less likely \nto lead directly to targets than in other law enforcement \ninvestigations because consumers often do not know that spyware \nhas caused their problems. Even if they do, they may not know \nthe source of the spyware.\n    Despite the obstacles, the FTC has been active in taking \naction against internet practices involving consumer injury \nsimilar to those caused by spyware. For example, we're \ncurrently litigating against defendants who allegedly exploited \nan operating system feature to send incessant messenger service \npopup ads to consumers. It advertised software that supposedly \nwould block such ads in the future. We filed a complaint, \nalleging that the defendants unfairly interfered with \nconsumers' use of their computers and tried to coerce consumers \ninto buying software to block the popup ads.\n    And we brought several cases challenging the surreptitious \ndistribution of dialer programs. These programs secretly \ndisconnect consumers from their ISPs, reconnect them to another \nnetwork and then charge exorbitant fees for long-distance \ntelephone service or entertainment services delivered over the \ntelephone line.\n    We've also challenged the practice of page-jacking and then \nmouse-trapping consumers at pornographic websites, and the \npractice of bombarding consumers with an endless sequence of \npopup ads. We have the legal tools necessary to address bad \npractices.\n    We continue to remain vigilant and eager to take action \nagainst those who are engaged in bad practices, and we've asked \nindustry and consumer groups to notify the FTC staff of \nproblematic practices. We are, as we said at the workshop, \ntaking names.\n    Thank you and I look forward to answering any questions \nthat you may have.\n    [The prepared statement of Hon. J. Howard Beales III \nfollows:]\n\n           Prepared Statement of The Federal Trade Commission\n\n    Mr. 
Chairman and members of the Committee, the Federal Trade \nCommission (``Commission'' or ``FTC'') appreciates this opportunity to \nprovide the Commission's views on ``spyware.'' <SUP>1</SUP>\n---------------------------------------------------------------------------\n    \\1\\ The written statement presents the views of the Federal Trade \nCommission. Oral statements and responses to questions reflect the \nviews of the speaker and do not necessarily reflect the views of the \nCommission or any other Commissioner.\n---------------------------------------------------------------------------\n    The FTC has a broad mandate to prevent unfair competition and \nunfair or deceptive acts or practices in the marketplace. Section 5 of \nthe Federal Trade Commission Act gives the agency the authority to \nchallenge acts and practices in or affecting commerce that are unfair \nor deceptive.<SUP>2</SUP> The Commission's law enforcement activities \nagainst unfair or deceptive acts and practices are generally designed \nto promote informed consumer choice. This statement will discuss the \nFTC's activities related to spyware, including our recent workshop and \npotential law enforcement actions.\n---------------------------------------------------------------------------\n    \\2\\ 15 U.S.C. § 45.\n---------------------------------------------------------------------------\n                          FTC SPYWARE WORKSHOP\n\n    For nearly a decade, the FTC has addressed online privacy and \nsecurity issues affecting consumers. 
Through a series of workshops and \nhearings, the Commission has sought to understand the online \nmarketplace and its information practices, to assess the impact of \nthese practices on consumers, and to challenge industry leaders to \ndevelop and implement meaningful self-regulatory programs.<SUP>3</SUP>\n---------------------------------------------------------------------------\n    \\3\\ See, e.g., Workshop: Technologies for Protecting Personal \nInformation, The Consumer Experience (May 14, 2003); Workshop: \nTechnologies for Protecting Personal Information, The Business \nExperience (June 4, 2003); Consumer Information Security Workshop (May \n20, 2002).\n---------------------------------------------------------------------------\n    The most recent example of this approach is the workshop entitled \n``Monitoring Software on Your PC: Spyware, Adware, and Other Software'' \nthat was held last week. The workshop was designed to provide us with \ninformation about the nature and extent of problems related to spyware, \nand possible responses to those problems. Specifically, the workshop \nfocused on four main topics: (1) defining ``spyware'' and exploring how \nit is distributed (including the role of peer-to-peer file-sharing \nsoftware and whether spyware may differ from ``adware''); (2) examining \nspyware's general effects on consumers and competition; (3) exploring \nspyware's potential security and privacy risks; and (4) identifying \ntechnological solutions, industry initiatives, and governmental \nresponses (including consumer education) related to spyware. 
\n\nUnderscoring the importance of this issue both FTC Commissioners Orson \nSwindle and Mozelle Thompson personally participated in the workshop.\n    To encourage broad-based participation, the FTC issued a Federal \nRegister Notice announcing the workshop and requesting public \ncomment.<SUP>4</SUP> The Commission received approximately 200 \ncomments, and the record will remain open until May 21, 2004, for \nsubmission of additional comments. At the workshop, a wide range of \npanelists engaged in a spirited debate concerning spyware, including \nwhat government, industry, and consumers ought to do to respond to the \nrisks associated with spyware.\n---------------------------------------------------------------------------\n    \\4\\ 69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/\n---------------------------------------------------------------------------\n    Although the agency is continuing to receive information on this \nimportant issue, the record at the workshop leads to some preliminary \nconclusions. First, perhaps the most challenging task is to carefully \nand clearly define the issue. ``Spyware'' is an elastic and vague term \nthat has been used to describe a wide range of software.<SUP>5</SUP> \nSome definitions of spyware could be so broad that they cover software \nthat is beneficial or benign; software that is beneficial but misused; \nor software that is just poorly written or has inefficient code. \nIndeed, there continues to be considerable debate regarding whether \n``adware'' should be considered spyware. 
Given the risks of defining \nspyware too broadly, some panelists at our workshop argued that the \nmore prudent course is to focus on the harms caused by misuse or abuse \nof software rather than on the definition of spyware.\n---------------------------------------------------------------------------\n    \\5\\ For the purposes of the workshop, the FTC Staff tentatively \ndescribed spyware as ``software that aids in gathering information \nabout a person or organization without their knowledge and which may \nsend such information to another entity without the consumer's consent, \nor asserts control over a computer without the consumer's knowledge.'' \n69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/\n---------------------------------------------------------------------------\n    Panelists described a number of harms caused by spyware. These \ninclude invasions of privacy, security risks, and functionality \nproblems for consumers. For example, spyware may harvest personally \nidentifiable information from consumers through monitoring computer use \nwithout consent. Spyware also may facilitate identity theft by \nsurreptitiously planting a keystroke logger on a consumer's personal \ncomputer. It may create security risks if it exposes communication \nchannels to hackers. Spyware also may adversely affect the operation of \npersonal computers, including slowing processing time and causing \ncrashes, browser hijacking, home page resetting, installing dialers, \nand the like. These harms are problems in themselves, and could lead to \na loss in consumer confidence in the Internet as a medium of \ncommunication and commerce.\n    Many of the panelists discussed how spyware may cause problems for \nbusinesses. Companies may incur costs as they seek to block and remove \nspyware from the computers of their employees. 
Employees will be less \nproductive if spyware causes their computers to crash or they are \ndistracted from their tasks by a barrage of pop-up ads. Spyware that \ncaptures the keystrokes of employees could be used to obtain trade \nsecrets and other confidential information from businesses. In \naddition, representatives from companies such as ISPs, PC \nmanufacturers, anti-virus providers, and an operating system \nmanufacturer indicated that they spend substantial resources responding \nto customer inquiries when PCs or Internet browsers do not work as \nexpected due to the presence of spyware. As such, these companies also \nmay suffer injury to their reputations and lose good will.\n    Because of the relatively recent emergence of spyware, there has \nbeen little empirical data regarding the prevalence and magnitude of \nthese problems for consumers and businesses. Given how broadly spyware \ncan be distributed and the severity of some of its potential risks, \ngovernment, industry, and consumers should treat the threats to \nprivacy, security, and functionality posed by spyware as real and \nsignificant problems.\n    At the workshop, we heard that substantial efforts are currently \nunderway to address spyware. Industry is deploying new technologies as \nwell as distributing educational materials to assist consumers in \naddressing the problems associated with spyware. Similarly, at the \nworkshop, industries involved with the dissemination of software \nreported that they are developing best practices.\n    Consumers and businesses are becoming more aware of the \ncapabilities of spyware, and they are responding by installing anti-\nspyware products and taking other measures to minimize these risks. 
\nGovernment and industry-sponsored education programs, and industry \nself-regulation, could be instrumental in making users more aware of \nthe risks of spyware, thereby assisting them in taking actions to \nprotect themselves (such as running anti-spyware programs).<SUP>6</SUP>\n---------------------------------------------------------------------------\n    \\6\\ Panelists at the workshop noted that consumers need to be very \ncareful to obtain anti-spyware programs from legitimate providers \nbecause some purported anti-spyware programs in fact disseminate \nspyware.\n---------------------------------------------------------------------------\n                          FTC LAW ENFORCEMENT\n\n    As the nation's primary consumer protection agency, the Commission \nalso has a law enforcement role to play in connection with unfair or \ndeceptive acts or practices involved in the distribution or use of \nspyware.<SUP>7</SUP> At the workshop, FTC and DOJ staff members noted \nthat many of the more egregious spyware practices described at the \nworkshop may be subject to attack under existing Federal and State \nlaws, and the workshop concluded with a request that industry and \nconsumer groups notify the FTC staff of problematic practices.\n---------------------------------------------------------------------------\n    \\7\\ The Commission will find deception if there is a material \nrepresentation, omission, or practice that is likely to mislead \nconsumers acting reasonably in the circumstances, to their detriment. \nSee Federal Trade Commission, Deception Policy Statement, appended to \nCliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984) (``Deception \nStatement''). An act or practice is ``unfair'' if it causes or is \nlikely to cause substantial injury to consumers, that injury is not \noutweighed by any countervailing benefits to consumers and competition, \nand consumers could not have reasonably avoided the injury. 15 U.S.C. 
§ \n45(n).\n---------------------------------------------------------------------------\n    The Commission is conducting non-public investigations related to \nthe dissemination of spyware. As discussed at the workshop, however, \ninvestigating and prosecuting acts and practices related to spyware, \nparticularly the more pernicious programs, pose substantial law \nenforcement challenges. Given the surreptitious nature of spyware, it \noften is difficult to ascertain from whom, from where, and how such \nproducts are disseminated. Consumer complaints, for instance, are less \nlikely to lead directly to targets than in other law enforcement \ninvestigations, because consumers often do not know that spyware has \ncaused the problems or, even if they do, they may not know the source \nof the spyware.<SUP>8</SUP> Indeed, computer manufacturers stated at \nour workshop that they believe an increasing number of service calls \nare spyware-related and spyware-related issues are difficult to \ndiagnose. Similarly, search engine providers testified that consumers \ncomplain to them, not realizing that the spyware (not the search \nengine) is causing their dissatisfaction with their search engine.\n---------------------------------------------------------------------------\n    \\8\\ Identifying the source of spyware is especially difficult when \nconsumers were not even aware that the spyware had been installed.\n---------------------------------------------------------------------------\n    The Commission has long been active in challenging unfair or \ndeceptive acts or practices on the Internet, and spyware cases are not \nfundamentally different. 
Over the course of nearly a decade, we have \nbrought approximately 300 cases challenging Internet practices \ninvolving substantial consumer harms, including harms similar to those \nposed by some examples of spyware.\n    Most recently, in D Squared Solutions, LLC, the defendants \nallegedly exploited an operating system feature to harm consumers. The \nWindows operating system uses ``Messenger Service'' windows to allow \nnetwork administrators to provide instant information to network users, \nfor example, a message to let users know that a print job has been \ncompleted. The defendants in D Squared exploited this feature to send \nMessenger Service pop-up ads to consumers, advertising software that \nsupposedly would block such ads in the future. Consumers would receive \nthese pop-up ads as often as every ten minutes. The Commission filed a \ncomplaint in federal court alleging that the defendants unfairly \ninterfered with consumers' use of their computers and tried to coerce \nconsumers into buying software to block pop-up ads.<SUP>9</SUP>\n---------------------------------------------------------------------------\n    \\9\\ FTC v. D Squared Solutions, LLC, No. 03-CV-3108 (D. Md. 2003). \nThe case is currently in litigation.\n---------------------------------------------------------------------------\n    The Commission brought several cases challenging the surreptitious \ndistribution of dialer programs. A paper submitted at the workshop by \nthe Computer Software Working Group <SUP>10</SUP> identified \nsurreptitious downloads as an example of one of the problematic \npractices of some spyware programs. 
Past Commission actions have \nattacked similar programs that secretly disconnect consumers from their \nInternet Service Providers, reconnect them to another network, and \ncharge them exorbitant fees for long distance telephone service or \nentertainment services delivered over the telephone line.<SUP>11</SUP> \nWe also have challenged the practice of ``pagejacking'' consumers and \nthen ``mousetrapping'' them at pornographic web sites.<SUP>12</SUP> \nThese cases demonstrate that the Commission has the authority under \nSection 5 of the FTC Act to take action to prevent harms to consumers \nsimilar to those that spyware allegedly causes.\n---------------------------------------------------------------------------\n    \\10\\ The Consumer Software Working Group is comprised of public \ninterest groups, software companies, Internet Service Providers, \nhardware manufacturers, and others. Available at <http://www.cdt.org/\nprivacy/spyware/20040419cswg.pdf>\n    \\11\\ See, e.g., FTC v. Alyon Technologies, Inc., No. 1:03-CV-1297 \n(N.D. Ga. 2003); FTC v. BTV Indus., No. CV-S-02-0437-LRH-PAL (D. Nev. \n2003); FTC v. Anderson, No. C00-1843P (W.D. Wash. 2000); FTC v. RJB \nTelcom, Inc., No. 002017 PHX EHC (D. Az. 2000); FTC v. Sheinkin, No. 2-\n00-3636 18 (D.S.C. 2000); FTC v. Verity Int'l, Ltd., No. 00 Civ. 7422 \n(LAK) (S.D.N.Y. 2000); FTC v. Audiotex Connection, Inc., No. CV-97-\n00726 (E.D.N.Y. 1997); see also Beylen Telecom, Ltd., FTC Docket No. C-\n3782 (final consent Jan. 23, 1998).\n    \\12\\ See, e.g., FTC v. Zuccarini, No. 01-CV-4854 (E.D. Pa. 2002); \nFTC v. Carlos Pereira d/b/a atariz.com, No. 99-1367-A (E.D.N.Y. 1999).\n---------------------------------------------------------------------------\n                               CONCLUSION\n\n    Spyware appears to be a new and rapidly growing practice that poses \na risk of serious harm to consumers. 
The Commission is learning more \nabout this practice, so that government responses to spyware will be \nfocused and effective. We are continuing to pursue law enforcement \ninvestigations. The FTC thanks this Committee for focusing attention on \nthis important issue, and for giving us an opportunity to present the \npreliminary results from our workshop. We look forward to further \ndiscussions with the Subcommittee on this issue.\n\n    Mr. Stearns. I thank you. Mr. Ari Schwartz, Associate \nDirector, Center for Democracy and Technology.\n    Welcome.\n\n                    STATEMENT OF ARI SCHWARTZ\n\n    Mr. Schwartz. Chairman Stearns, Ranking Member Schakowsky, \nmembers of the committee, thank you for inviting CDT to testify \ntoday.\n    In November, we released our first report on the spyware \nissue entitled ``Ghosts in our Machines.'' At that same time we \nasked consumers to send us their concerns about specific \nspyware experiences. Since then hundreds have responded.\n    Spyware is clearly an issue of growing concern for internet \nusers. As we document in our report, the worst practices that \nwe've seen are often based on mutated practices of legitimate \nsoftware companies. Therefore, defining the term spyware has \nbecome difficult, if not impossible.\n    The basic problem of spyware is that software is being created \nto run on users' computers that they have no control over and \ndo not want, including some software that passes on personal \ninformation about the computer user with their consent. CDT \nbelieves that in order to stop this growing problem, we will \nneed to see action in three areas: enforcement of existing law, \nindustry commitment to stopping bad practices, and legislation \nto protect privacy online.\n    I will quickly address each of these areas. It is CDT's \nopinion that many of the worst practices that we have seen \ntoday in the spyware area are already illegal under existing fraud \nstatutes. 
For example, if a consumer walked into a store and \nthe door was locked behind them and they were forced to buy a \nproduct, we would expect law enforcement to do something about \nit. If hundreds of thousands of consumers were not allowed to \nleave a contract that they didn't even know that they'd enter, \nwe would expect consumer law enforcement agencies to do \nsomething. And if a third party were to tamper with consumers' \ntelephones in such a way that when they try to call Barnes and \nNoble they were instead connected to an adult book store, \ncertainly we would expect law enforcement to be there. Yet, the \nonline equivalent of each of these actions, online coercion, \ninability to uninstall or disable and host file overriding have \nnot been a serious area of action for any law enforcement body \nto date.\n    CDT worked with consumer groups and industry to help \ndevelop examples of unfair, deceptive and devious practices \ninvolving software. These examples are based on real cases \nwhere CDT believes that law enforcement should be focusing its \nefforts. That full document was included as part of my written \ntestimony.\n    Second, industry needs to do a better job of creating self-\nregulatory structures for software. CDT is encouraged by the \nadvances in the anti-software technology such as those \ndiscussed here today by EarthLink and Microsoft and the others \ndiscussed at the FTC workshop last week. As we have seen in the \nspam war, it's very likely that as the anti-spyware \ntechnologies increase, the efforts of the spyware creators will \nundoubtedly double as well.\n    Industry should go further and start to draw clear lines in \nthe spectrum of current behaviors to begin to help consumers to \ndistinguish the good actors from the bad. 
A code of best \npractices could give consumers the information and ability that \nthey need to make better decisions in the marketplace today.\n    Last, CDT strongly believes that many of the privacy \nconcerns with spyware, some of which fall out of the scope of \nlegal protections, could be clearly addressed with a privacy \nlaw.\n    As the chairman and the committee know, CDT has long argued \nthat until we have a privacy law that addresses all of the \nbasic fair information practices, the privacy issues that we \nfirst saw 8 years ago with the collection of information via \nthe web and then with cookies and then with spam and now with \nspyware will continue. And it will repeat again in new \ntechnologies in the future.\n    A privacy law would get at a root concern, not the root \nconcern, but at a root concern, rather than trying to define and \nscope each new technology in a limiting way. Still, spyware may \npose some unique challenges that are not covered in the areas \nthat I've outlined. We commend Representative Bono and \nRepresentative Towns for their work and their early attempts to \ntake on this difficult issue, yet we also recognize that it \nwould be difficult to define spyware or even the broader \ncategory of software in a way that addresses the problem \nwithout confining the market or accidentally legitimizing \nquestionable practices that fall outside of the scope of the \nlegislation.\n    CDT is committed to working with the committee as the \nefforts move forward and I look forward to answering all of \nyour questions.\n    [The prepared statement of Ari Schwartz follows:]\n\n  Prepared Statement of Ari Schwartz, Associate Director, Center for \n                        Democracy and Technology\n\n    Chairman Stearns and Ranking Member Schakowsky, thank you for \nholding this hearing on spyware, an issue of growing concern for \nconsumers and businesses alike. 
CDT is pleased to have the opportunity \nto participate.\n    CDT is a non-profit, public interest organization dedicated to \npreserving and promoting privacy and other democratic values and civil \nliberties on the Internet. CDT has been widely-recognized as a leader \nin the policy debate about the issues raised by so-called ``spyware'' \napplications.<SUP>1</SUP> We have been engaged in the early \nlegislative, regulatory, and self-regulatory efforts to deal with the \nspyware problem, and have been active in public education efforts \nthrough the press and our own grassroots network.\n---------------------------------------------------------------------------\n    \\1\\ See, e.g., CDT's ``Campaign Against Spyware,'' http://\nwww.cdt.org/action/spyware/action (calling on users to report their \nproblems with spyware to CDT; since November 2003, CDT has received \nover 250 responses). CDT's Complaint and Request for Investigation, \nInjunction, and Other Relief, in the Matter of MailWiper, Inc., and \nSeismic Entertainment Productions, Inc., February 11, 2004 (available \nat http://www.cdt.org/privacy/20040210cdt.pdf). ``Eye Spyware,'' The \nChristian Science Monitor Editorial, April 21, 2004 [``Some computer-\nfocused organizations, like the Center for Democracy and Technology, \nare working to increase public awareness of spyware and its risks. \n``The Spies in Your Computer,'' New York Times Editorial, February 18, \n2004 (arguing that ``Congress will miss the point (in spyware \nlegislation) if it regulates specific varieties of spyware, only to \nwatch the programs mutate into forms that evade narrowly tailored law. \nA better solution, as proposed recently by the Center for Democracy and \nTechnology, is to develop privacy standards that protect computer users \nfrom all programs that covertly collect information that rightfully \nbelongs to the user.''). John Borland, ``Spyware and its discontents,'' \nCNET.com, February 12, 2004. 
(``In the past few months, Ari Schwartz \nand the Washington, D.C.-based Center for Democracy and Technology have \nleapt into the front ranks of the Net's spyware-fighters.'')\n---------------------------------------------------------------------------\nA. Summary\n    In our testimony today, we hope to address two questions: What is \nspyware? And how should we respond to it?\n    In Section B of our testimony below, we attempt to help define and \nunderstand the spyware problem. CDT's report ``Ghosts in Our Machines: \nBackground and Policy Proposals on the `Spyware' Problem,'' \n<SUP>2</SUP> released in November 2003, addresses this issue. The \nreport describes the range of invasive software applications referred \nto as ``spyware'' and clarifies the privacy, transparency and user \ncontrol issues raised by these rogue programs.\n---------------------------------------------------------------------------\n    \\2\\ http://www.cdt.org/privacy/031100spyware.pdf\n---------------------------------------------------------------------------\n    Additionally, over the last six months, CDT has led discussions of \na Consumer Software Working Group that includes leading members of the \nInternet industry, advertising companies, public interest groups and \nacademics in order to identify examples of the worst practices that \nconsumers are facing online. In our testimony today, we highlight some \nof the pertinent issues raised by the working group, summarize the \nfindings of CDT's report, and describe some of CDT's subsequent \nresearch and ongoing efforts in these areas.\n    In Section C, we turn to potential responses to the spyware \nproblem. CDT sees three major areas where action is necessary to stem \nthe disturbing trend toward a loss of control and transparency for \nInternet users:\n\n1) Enforcement of existing laws could go a long way toward reducing the \n        problem of spyware. 
While longstanding fraud statutes already \n        cover many of the issues raised by these applications, \n        currently they are rarely enforced against spyware programmers \n        and distributors.\n2) Fundamental to the issue of spyware is the overarching concern about \n        online Internet privacy. Legislation to address the collection \n        and sharing of information on the Internet would resolve many \n        of the privacy issues raised by spyware. If we do not deal with \n        the broad Internet privacy concerns now, in the context of \n        spyware, we will undoubtedly find ourselves confronted by them \n        yet again when they are raised anew by some other, as yet \n        unanticipated, technology.\n3) To be effective, legislation and enforcement approaches will have to \n        be carried out concurrently with better consumer education, \n        industry self-regulation and the development of new anti-\n        spyware technologies.\n    We address each of these avenues in turn.\n\nB. Defining and Understanding ``Spyware'' and ``Adware''\n    ``Spyware'' has no precise definition. The term has been applied to \neverything from keystroke loggers, to advertising applications that \ntrack users' web browsing, to web cookies, to programs designed to help \nprovide security patches directly to users. ``Spyware'' programs can be \ninstalled on users' computers in a variety of ways, and they can have \nwidely differing functionalities.\n    What these programs have in common is a lack of transparency and an \nabsence of respect for users' ability to control their own computers \nand Internet connections.\n    While many programs that have been called ``spyware'' are \nadvertising software, CDT has emphasized that there is nothing \ninherently objectionable about ad-support as a business model. 
We \nhighlight email applications, such as Eudora, that are successful and \nuser-friendly examples of ad-supported software.\n    However, in many cases, the revenue that these applications provide \nhas given software distributors the incentive to push them onto users' \ncomputers using deceptive or fraudulent means. Ad-support can and must \nbe implemented in a way that is transparent to users and respects their \nchoices and privacy preferences.\n\nDistribution of Spyware\n    ``Spyware'' programs can be distributed in a variety of ways. For \nexample, they may be bundled with other free applications, including \npeer-to-peer file sharing applications; they may be distributed through \ndeceptive download practices; or they may be installed by exploiting \nsecurity holes in the web browser or operating system on a user's \ncomputer. In some cases, once one ``spyware'' application has gained \naccess to a user's computer, it will surreptitiously download and \ninstall other applications.\n    In each of these scenarios, users generally do not know that the \nsoftware is being installed. And once these invasive applications are \non a user's computer they can be difficult or impossible to find and \nremove.\n\nEffects of Spyware\n    As mentioned above, the overarching concerns raised by spyware \napplications are transparency and user control. Within these broad \ncategories, spyware programs can raise a host of specific concerns.\n\n* These programs can change the appearance of websites, modify users' \n        ``start'' and ``search'' pages in their browsers, or change low-\n        level system settings. 
In our complaint to the FTC against \n        MailWiper and Seismic Entertainment Productions, filed in \n        February, CDT asked the Commission to investigate one \n        particularly egregious example of such ``browser hijacking'' \n        behavior.\n* Spyware programs are also often responsible for significant \n        reductions in computer performance and system stability. In \n        many cases, consumers mistakenly assume that the problem is \n        with another application or with their Internet provider, \n        placing a substantial burden on the support departments of \n        providers of those legitimate applications and services.\n* Spyware programs can track users' online activities. Some gather \n        personally identifiable information. The most egregious forms \n        of spyware can capture all keystrokes, or record periodic \n        screenshots from a user's computer.\n* Even in cases where spyware programs transmit no personally \n        identifiable information, their hidden, unauthorized \n        appropriation of users' computing resources and Internet \n        connections threatens the security of computers and the \n        integrity of online communications. The ``auto-update'' \n        component of many of these applications can create major new \n        security vulnerabilities by including capabilities to \n        automatically download and install additional pieces of code \n        without notifying users or asking for their consent, typically \n        with minimal security safeguards.\n    CDT is currently conducting technical and public opinion research \non the spyware issue. We hope to continue to report the results of this \nwork to the Committee as we learn more.\n\nC. Possible Responses to Spyware Concerns\n    Combating the most invasive spyware technologies will require a \ncombination of approaches. 
First and foremost, vigorous enforcement of \nexisting anti-fraud laws should result in a significant reduction of \nthe spyware problem.\n    Addressing the problem of spyware also offers an important \nopportunity to establish in law baseline standards for privacy for \nonline collection and sharing of data. Providing these protections \nwould not only address the privacy concerns that current forms of \nspyware raise, but would put in place standards that would apply to \nfuture technologies that might challenge online privacy. Anti-spyware \ntools, better consumer education, and self-regulatory policies are also \nall necessary elements of a spyware solution.\n    Legislation to establish standards for privacy, notice, and consent \nspecifically for software, such as H.R.2929, currently before this \nCommittee, may play an important role as well. The challenge to such \nefforts is in crafting language that effectively addresses the spyware \nissue without unnecessarily burdening legitimate software developers or \nunintentionally hindering innovation.\n    So far the efforts to address the spyware issue are all in very \npreliminary stages. They will each require cooperation among \ngovernment, private sector, and public interest initiatives.\nEnforcement of Existing Law\n    CDT believes that three existing federal laws already prohibit many \nof the invasive or deceptive practices employed by malevolent software \nmakers. Better enforcement of these statutes could have an immediate \npositive effect on the spyware problem.\n    Title 5 of the Federal Trade Commission Act is most directly \napplicable to the most common varieties of spyware. We believe that \nmany of the more invasive forms of spyware discussed above clearly fall \nunder the FTC's jurisdiction over unfair and deceptive trade practices. 
\nSome of these practices are highlighted in the Appendix--the Consumer \nSoftware Working Group's Examples of Unfair, Deceptive or Devious \nPractices Involving Software. To our knowledge, the FTC so far has not \nbrought any major actions against spyware makers or spyware \ndistributing companies. In February, CDT filed a complaint with the FTC \nagainst two companies for engaging in browser hijacking to display \ndeceptive advertisements to consumers for software sold by one of the \ncompanies.<SUP>3</SUP>\n---------------------------------------------------------------------------\n    \\3\\ Complaint and Request for Investigation, Injunction, and Other \nRelief, in the Matter of MailWiper, Inc., and Seismic Entertainment \nProductions, Inc., February 11, 2004 (available at http://www.cdt.org/\nprivacy/20040210cdt.pdf).\n---------------------------------------------------------------------------\n    We believe that one of the most immediate ways in which Congress \ncould have a positive impact on the spyware problem is by directing the \nFTC to increase enforcement against unfair and deceptive practices in \nthe use or distribution of downloadable software and by providing \nincreased resources for such efforts.\n    Several laws besides the FTC Act may also have relevance. The \nElectronic Communications Privacy Act (ECPA), which makes illegal the \ninterception of communications without a court order or permission of \none of the parties, may cover programs that collect click-through data \nand other web browsing information without consent. The Computer Fraud \nand Abuse Act (CFAA) also applies to some uses of spyware. 
Distributing \nprograms by exploiting security vulnerabilities in network software, \nco-opting control of users' computers, or exploiting their Internet \nconnection can constitute violations of the CFAA, especially in cases \nwhere spyware programs are used to steal passwords and other \ninformation.\n    In addition to federal laws, many states have long-standing fraud \nstatutes that would allow state attorneys general to take action \nagainst invasive or deceptive software. Like their federal \ncounterparts, these laws have not been strongly enforced to date.\n\nNew Legislation\n    CDT has argued that the most effective way to address the spyware \nproblem through legislation is in the context of online privacy \ngenerally. Specifically, we believe that the privacy dimension of \nspyware would best be addressed through baseline Internet privacy \nlegislation that is applicable to online information collection and \nsharing irrespective of the technology or application. CDT has \nadvocated such legislation before the Senate Commerce Committee and in \nother fora. Until we address the online privacy concern, new privacy \nissues will arise as we encounter new online technologies and \napplications.\n    Still, software may pose some unique problems. A comprehensive \nlegislative solution to spyware may need to address the user-control \naspects of the issue such as piggybacking, and avoiding uninstallation. \nH.R. 2929 before this Committee represents an important acknowledgement \nof several of these problems. We appreciate the desire to craft \ntargeted legislation focusing on some of the specific problems raised \nby spyware, and CDT commends Representatives Bono and Towns for \nbringing attention to this important issue.\n    At the same time, we wish to emphasize the complexity of such \nefforts. 
The broad industry opposition to an anti-spyware bill recently \npassed in the Utah legislature, based on potential unintended \nconsequences of the bill for legitimate software companies, \ndemonstrates the difficulties that can be introduced by such \nlegislation if it is not carefully drafted. We know Representatives \nBono and Towns have been looking hard at some of the specific \ndefinitional concerns raised by CDT and others, and we look forward to \ncontinuing to work with the Committee on this bill.\n\nNon-Regulatory Approaches\n    Technology measures, self-regulation and user education must work \nin concert, and will be critical components of any spyware solution. \nCompanies must do a better job of helping users understand and control \nhow their computers and Internet connections are used, and users must \nbecome better educated about how to protect themselves from spyware.\n    The first step is development of industry best practices for \ndownloadable software. Although not all software manufacturers will \nabide by best practices, certification programs will allow consumers to \nquickly identify those that do and to avoid those that do not. In the \ncurrent environment consumers cannot easily determine which programs \npose a threat, especially as doing so can involve wading through long \nand unwieldy licensing agreements.\n    Technologies to deal with invasive applications and related privacy \nissues are in various stages of development. Several programs exist \nthat will search a hard-drive for these applications and attempt to \ndelete them. Some companies are experimenting with ways to prevent \ninstallation of the programs in the first place. However, even these \ntechnologies encounter difficulties in determining which applications \nto block or remove. 
Clear industry best practices are crucial in this \nregard as well.\n    Standards such as the Platform for Privacy Preferences (P3P) may \nalso play an important role in technical efforts to increase \ntransparency and provide users with greater control over their \ncomputers and their personal information. P3P is a specification \ndeveloped by the World Wide Web Consortium (W3C) to allow websites to \npublish standard, machine-readable statements of their privacy policies \nfor easy access by a user's browser. If developed further, standards \nlike P3P could help facilitate privacy best practices to allow users \nand anti-spyware technologies to distinguish legitimate software from \nunwanted or invasive applications.\n    The IT industry has initially been slow to undertake such efforts. \nHowever, increasing public concern about spyware and the growing burden \nplaced on the providers of legitimate software by these invasive \napplications has led to more industry attention on this \nfront.<SUP>4</SUP> The Consumer Software Working Group, including major \nInternet service providers, software companies, and hardware \nmanufacturers, has expressed its view that this area is ripe for \nindustry self-regulation and best practices.\n---------------------------------------------------------------------------\n    \\4\\ See, e.g. 
, Earthlink press release: Earthlink Offers Free \nSpyware Analysis Tool to All Internet Users, January 14, 2004 \n(available at: http://www.earthlink.net/about/press/pr_analysis/); \nAmerica Online press release: America Online Announces Spyware \nProtection for Members, January 6, 2004 (available at: http://\nmedia.aoltimewarner.com/media/newmedia/cb_press_view.\ncfm?release_num=55253697); Microsoft press release: Battling `Spyware': \nDebate Intensifies on Controlling Deceptive Programs, April 20, 2004 \n(available at: http://www.microsoft.com/presspass/features/2004/apr04/\n04-20Spyware.asp)\n---------------------------------------------------------------------------\n    CDT believes Congress can have an immediate positive impact by \nencouraging industry to continue to follow through on these efforts.\n\nD. Conclusion\n    Users should have control over what programs are installed on their \ncomputers and over how their Internet connections are used. They should \nbe able to rely on a predictable web-browsing experience and to remove \nfor any reason and at any time programs they don't want. The widespread \nproliferation of invasive software applications takes away this \ncontrol.\n    Better consumer education, industry self-regulation, and new anti-\nspyware tools are all key to addressing this problem. New laws, if \ncarefully crafted, may also have a role to play. Many spyware \npractices, however, are already illegal. Even before passing new \nlegislation, existing fraud statutes should be robustly enforced \nagainst the distributors of these programs.\n    The potential of the Internet will be substantially harmed if users \ncome to believe that they cannot use the Internet without being at risk \nof infection from spyware applications. 
We must find creative ways to \naddress this problem through law, technology, public education and \nindustry initiatives if the Internet is to continue to flourish.\n\nAppendix: Examples of Unfair, Deceptive or Devious Practices Involving \n                                Software\n\n                    CONSUMER SOFTWARE WORKING GROUP\n\n    The Consumer Software Working Group is a diverse community of \npublic interest groups, software companies, Internet service providers, \nhardware manufacturers, and others that are seeking consensus responses \nto the concerns raised by practices that harm consumers.\n    Over the past several years, a subset of computer software referred \nto as ``spyware'' has become the subject of growing public concern. \nComputer users increasingly find programs on their computers that they \ndid not know were installed, that create risks to privacy, that open \nsecurity holes, that impair the performance and stability of their \nsystems, that frustrate their attempts to uninstall or disable the \nprograms, or that lead them to mistakenly believe that these problems \nare the fault of another application or their Internet service \nprovider.\n    There is agreement that these practices can raise serious concerns. \nAt the same time, the wide range of and lack of clarity in attempted \ndefinitions for the types of software practices that most concern \nconsumers hamper attempts at self-regulatory, technological and \nlegislative responses. 
Many definitions of spyware in circulation today \nare either under-inclusive in important respects or, more commonly, \noverbroad so that they include practices that clearly benefit \nconsumers, or both.<SUP>5</SUP>\n---------------------------------------------------------------------------\n    \\5\\ For example, the Working Group observes that the current Utah \nlaw addresses practices involving software that most informed consumers \nwould not consider unfair, deceptive or devious and fails to cover some \npractices that most informed consumers would consider unfair, deceptive \nor devious.\n---------------------------------------------------------------------------\n    The Center for Democracy and Technology convened the Consumer \nSoftware Working Group. Companies, public interest groups or academics \ninterested in joining the Working Group should contact Ari Schwartz \n<ari@cdt.org>, Michael Steffen <msteffen@cdt.org>, or John Morris \n<jmorris@cdt.org> at the Center for Democracy and Technology.\n\n EXAMPLES OF UNFAIR, DECEPTIVE OR DEVIOUS PRACTICES INVOLVING SOFTWARE \n                              VERSION 1.0\n\n    The Consumer Software Working Group is concerned about a specific \nset of devious, deceptive or unfair practices that adversely affect \nconsumers online. While the following list of examples is not nearly \ncomplete, it describes a series of activities and behaviors that the \nGroup considers to be clearly objectionable.\n    Specifically, the Group identifies three broad types of practices \nwhere abuses occur today. Most of these practices may be illegal under \ncurrent law, depending on the specific facts of the particular case. \nWithin each area, we offer illustrative examples, based on real cases. \nWe note that each of the objectionable behaviors we identify has \nconstructive consumer-friendly counterparts when carried out with \nproper notice and consent and in ways that give consumers control. 
\nAutomatic installation, personalization and tracking, and in some cases \nresistance to uninstallation can provide important benefits to \nconsumers.\n    We hope that this list of objectionable practices will help to \nfocus technical, self-regulatory, regulatory and law enforcement \nefforts to protect consumers from inappropriate activities in a more \ntargeted and effective manner, while avoiding unintended negative \nconsequences for good actors and consumers alike. The Working Group \nbelieves that this is an area that could be ripe for self-regulatory \nefforts to craft industry principles to protect consumers and the \nmarketplace.\n    1) Hijacking--The practices described in this section are \nobjectionable to the extent that they enable an unaffiliated person to \nuse the user's computer in a way that ordinarily would not be expected. \nThis may occur through an unnoticed program consuming the user's \ncomputing resources or resetting a user's existing configurations \nwithout the user's knowledge, or through coercion or deception.\n          Example: A computer user sees an Internet advertisement for \n        Program A. The user clicks on the ad and is sent to a page that \n        pops up a window asking if the user wants to download Program \n        A. The user clicks ``no,'' but Program A is eventually \n        downloaded and installed anyway.\n          Example: A computer user sees an Internet advertisement for \n        Product B. The user clicks on the advertisement, and is sent to \n        a page that informs the user that ``Program C is needed to view \n        this Web page.'' This leads the user to believe that Program C \n        is necessary to view the site about Product B, so the user \n        clicks ``yes'' and the program is downloaded and installed. 
In \n        fact, Program C is not necessary to view the website for \n        Product B and the user is never informed of the actual reason \n        why Program C was installed.\n          Example: A computer user sees an Internet advertisement for \n        Program D. The user clicks on the ad, and she is sent to a page \n        that immediately pops up a window asking if she wants to \n        download Program D. The user clicks ``no.'' This happens \n        repeatedly until the user gets frustrated and clicks ``yes.''\n          Example: A computer user receives an Internet advertisement \n        for Product E as part of a webpage he is looking at. Simply as \n        a result of loading the ad, Software Program F wholly unrelated \n        to Product E is downloaded onto the user's computer. No notice \n        or opportunity to consent to download Software Program F was \n        provided.\n          Example: While browsing the Internet, a computer user is \n        offered the opportunity to download and install Software \n        Program G. Using a fraudulently obtained digital certificate, \n        the download request falsely identifies Software Program G as \n        being from the user's trusted Internet Service Provider, H. In \n        fact, the Program is not from Internet Service Provider H, and \n        has no relation to the ISP. However, based on its claimed \n        affiliation with H, the user agrees to let the program be \n        downloaded and installed.\n          Example: A computer user loads Company I's Web page. The Web \n        page opens another page running a java script. When the user \n        closes Company I's Web page, the java script page covertly \n        resets the user's homepage without obtaining consent.\n          Example: A computer user loads Company J's Web page. The Web \n        page opens another page running a java script. 
When the user \n        closes Company J's Web page, the java script page covertly \n        resets the user's homepage. The java script is written such \n        that any time the user attempts to reset his homepage, the \n        program automatically resets it again so the user cannot reset \n        his homepage to what it was before the hijacking took place.\n          Example: A computer user downloads Software Package K. Among \n        the programs in Software Package K is a dialer application that \n        was not mentioned in any advertisements, software licenses, or \n        consumer notices associated with the package or in information \n        provided in conjunction with the ongoing operations of the \n        package. The dialer application is not an integral part of \n        Software Package K. When the user opens her Web browser after \n        installation of Software Package K, the dialer opens in a \n        hidden window, turns off the sound of the user's computer, and \n        calls a phone number without the user's permission.\n          Example: A computer user is sent Software Package L as an \n        attachment to an unsolicited commercial email message. There is \n        no documentation for Software Package L. Included in Software \n        Package L is Program M that sends a message to Computer N. \n        Computer N then uses Program M on the user's computer as a \n        means to send out unsolicited commercial emails.\n    2) Surreptitious surveillance--The practices described in this \nsection are objectionable to the extent that they involve intrusive and \nsurreptitious collection and use of personally identifiable information \nabout users that is wholly unrelated to the purpose of the software as \ndescribed to the consumer.\n          Example: A computer user downloads Software Package P. \n        Software Package P contains a keystroke logger unrelated to any \n        functions described to the user. 
The keystroke logger records \n        all information input on the user's computer and sends this \n        information on to another computer user. The first user is not \n        informed about the operation of the keystroke logger.\n          Example: Program Q advertises itself as a search tool bar. A \n        user downloads Program Q to gain the search functionalities. \n        Program Q installs a tool bar, but--once installed--also mines \n        the user's registry and other programs for personally \n        identifiable information about the user unrelated to the search \n        functionality and without informing the user or obtaining \n        consent. When the user connects to the Internet, Program Q \n        sends this information back to the company that makes Program \n        Q.\n    3) Inhibiting termination--The practices described in this section \nare objectionable to the extent that they frustrate consumers' efforts \nto remove a program, deactivate it or otherwise render it inoperative. \nGenerally, these practices are intended to prevent the user from \nsevering or terminating a relationship with the provider of the \nprogram.\n          Example: A computer user downloads Software Package S. \n        Software Package S contains Advertising Program T. Advertising \n        Program T sends the user pop-up ads while the user is surfing \n        the Web even if no other programs in Software Package S are \n        running. The pop-up ads are not labeled as related to \n        Advertising Program T or Software Package S in any way and \n        there is no other way to find the ads' origin. The user is \n        concerned about the increase in pop-up ads, but does not know \n        whether they are caused by Program T or are from the Web sites \n        that he is visiting. 
The user has no means to find out the \n        origin of the ads in order to make a decision about \n        uninstalling Program T.\n          Example: A computer user downloads Software Package U. As \n        initially disclosed to the user, Software Package U contains a \n        mandatory program, Advertising Program V, which is bundled as a \n        way to generate revenue and pay for the development of Software \n        Package U only. When the user uninstalls Software Package U, \n        the user is not given a clear opportunity to uninstall Program \n        V at that time, and Advertising Program V stays on the user's \n        computer.\n          Example: A computer user downloads Gaming Program W. The user \n        wants to remove Gaming Program W from the computer. Gaming \n        Program W does not have an uninstall program or instructions \n        and does not show up in the standard feature in the user's \n        operating system that removes unwanted programs (assuming this \n        feature exists in the operating system). The user's attempts to \n        otherwise delete Program W are met by confusing prompts from \n        Program W with misrepresentative statements that deleting the \n        program will make all future operations unstable.\n          Example: A computer user downloads Program X. The user wants \n        to remove Program X from the computer. Program X appears in the \n        standard feature in the user's operating system that removes \n        unwanted programs. However, when the user utilizes the \n        ``remove'' option in the operating system, a component of \n        Program X remains behind. The next time the user connects to \n        the Internet, this component re-downloads the remainder of \n        Program X and reinstalls it.\n    The following companies, organizations and individuals have worked \nto describe Examples of Unfair, Deceptive and Devious Practices \nInvolving Software. 
These descriptions can be used to help focus \ntechnical, self-regulatory, regulatory and law enforcement efforts to \nprotect consumers from inappropriate activities.\n    America Online; Business Software Alliance; Center for Democracy \nand Technology; Claria Corporation; Consortium of Anti-Spyware \nTechnology Vendors; Consumer Action; CryptoRights Foundation; Dell, \nInc.; Distributed Computing Industry Association; EarthLink; eBay; \nElectronic Frontier Foundation; Google; HP; Information Technology \nIndustry Council; Internet Commerce Coalition; Lavasoft; Microsoft; \nNetwork Advertising Initiative; Privacilla.org; Sharman Networks; Peter \nSwire, Moritz College of Law of the Ohio State University;<SUP>6</SUP> \nTRUSTe; Webroot Software; WhenU; and Yahoo!.\n---------------------------------------------------------------------------\n    \\6\\ Individuals are listed with their affiliation for \nidentification purposes only.\n\n    Mr. Stearns. I thank the gentleman. I'll start out with my \nline of questioning and I think I'll just make a general \ncomment and then I want to ask each of you a specific question, \na yes or no answer, if possible.\n    I think as in the opening statement of the chairman of our \ncommittee, the gentleman from Texas, indicated we found on \nemployees in the Commerce Committee have over 200 spyware and \nthey did not know this. We've heard from other members how it's \naffected their computers at home and slowed them down. So \nobviously, there's some deep concern, not only about privacy, \nbut efficiency and overall security.\n    So the question is and I think I know the answers listening \nto your opening statements, I'll start with you, Commissioner. \nYou at this point do not believe that we need legislation, just \nyes or no, is that true?\n    Mr. Thompson. Yes, at this time, we do not----\n    Mr. Stearns. We do not need legislation. And Mr. Beales, do \nyou think we need legislation?\n    Mr. Beales. I do not.\n    Mr. 
Stearns. And Mr. Schwartz?\n    Mr. Schwartz. I think that we need privacy legislation \ntoday and we may need spyware legislation in the future once \nwe've gone further in going after worst practices.\n    Mr. Stearns. You mentioned three areas: enforcement, \neliminating bad practices and legislation.\n    Mr. Schwartz. And privacy legislation.\n    Mr. Stearns. So what you're talking about is an overall \nprivacy legislation of which spyware would be a component, is \nthat what you're saying?\n    Mr. Schwartz. That's correct, yes.\n    Mr. Stearns. And Mr. Baker? Do we need legislation?\n    Mr. Baker. We think legislation would complement industry \ntechnology efforts and FTC enforcement.\n    Mr. Stearns. Okay, and Mr. Friedberg?\n    Mr. Friedberg. Yes. We believe in a holistic solution and \nto the degree enforcement can't do what they need to do because \nthere's some laws missing, then we would----\n    Mr. Stearns. You mentioned you're going to have a new \nsoftware program, but today, would you advocate legislation to \nsolve this problem, yes or no?\n    Mr. Friedberg. Again, I think it goes back to whether or \nnot there's enough teeth in the existing laws to go after the \ndeceptive practices.\n    Mr. Stearns. Do you think there's enough teeth in the \nexisting laws?\n    Mr. Friedberg. Unfortunately, I'm not a lawyer, but I \nwould----\n    Mr. Stearns. I'm asking you a personal opinion. I mean \nyou're here, you're one of the experts here on the panel and \nyour high technology of interest and expertise, we've just told \nyou that member employees on our Commerce Committee have over \n200 of these spywares that they didn't know it, it's slowing it \ndown, so you're saying that your software would solve all the \nproblems?\n    Mr. Friedberg. No, absolutely not.\n    Mr. Stearns. Do you think legislation----\n    Mr. Friedberg. 
We think there's a holistic strategy and I \nthink Commissioner Thompson and others have stated they feel \nvery confident about the current laws. That's fantastic, I \nthink. We can go after them and create a deterrent, it's \nwonderful.\n    Mr. Stearns. Let me ask you then, you testified that any \nFederal legislation should address deceptive behavior and not \nfunctionality and I guess that's the key point, that we want to \nnot bog down the internet. We want to have the functionality \nthere, but we've got to address this deceptive behavior.\n    Please explain what behaviors are not illegal already that \nwe should address.\n    Mr. Friedberg. Not illegal already?\n    Mr. Stearns. In other words, when a person is dealing with \nspyware, from what I hear it looks like most of it is coming in \nillegally. It's in my computer and I don't want it. So that's a \nbehavior that I don't want. So what is the functionality of \nthis that I should allow it to be in and why shouldn't I \nlegislate to say don't come in without my permission.\n    Mr. Friedberg. When you actually look at the features that \nunderlie some of what's happening, it turns out that a lot of \nthose features have positive user benefit. For example----\n    Mr. Stearns. Give me some examples of positive user \nbenefit.\n    Mr. Friedberg. Let's just take adware. Obviously, it's a \nvery contentious issue, but a piece of software that's going to \ndisplay some advertisements, that's what it does. That's its \nfunction. 
Now if I'm a user and I have to pay $120 a year for a \nservice and I have the choice to maybe see some ads and not \nhave to pay that money, I think that's a fair horse trade \nproviding I was told up front what that deal is and I can fully \nunderstand the terms under which it's happening and so there's \nan example of where the feature is not the issue, it's when \npeople do it deceptively where you have no control over that \nadware, it's just showing up in your box, can't turn it off. \nClearly a bad situation.\n    Mr. Stearns. Commissioner, you are on the panel of peers to \nbe the strongest advocate for no legislation. The State of Utah \nhas passed a bill. California and Texas is doing this. New York \nis going to do this. Shouldn't Congress, if nothing else, \npreempt these with a Federal law instead of having 50 separate \nState laws dealing with spyware?\n    Mr. Thompson. I understand that point and I think that----\n    Mr. Stearns. I mean, the practicality.\n    Mr. Thompson. But what I say is at this time what I'm \nlooking for is industry to define good behavior to isolate bad \nbehavior. That's what you heard with the other people on this \npanel. There are certain behaviors that are bad that we can get \nat right now. Unfair and deceptive practices, for example, if \nthey put something on your computer and it violates their \nprivacy policy, then we can do something about it. If it's \nsending information that you have no way of avoiding, that's \nsomething we need to know about. But----\n    Mr. Stearns. But shouldn't we stop that practice of putting \nit in your computer without you knowing about it?\n    Mr. Thompson. I think we can get at some of that right now. \nThe point is that I need----\n    Mr. Stearns. Well, why isn't our staff doing it? The public \nobviously has ignorance on this and doesn't even know. 
You \nclick a bar up here, some of the bars that were clicked up here \nyou hit cancel or yes or even the top of the dialog bar, it \ndoesn't matter. You're still going to get the spyware in the \ncomputer, so tell me why shouldn't we stop that?\n    Mr. Thompson. And that's part of the challenge that we \nhave. First of all, we need the responsible companies to come \nclean and tell consumers what it is they're doing, how they're \ndoing it and then the second thing, then we need to isolate \nthose people who are not.\n    Let me tell you something. Most of the people who are \ninvolved in the most insidious behavior, secret spyware that \nwill get after, that will allow them to get identity theft, to \nmine your information, etcetera, that's unlawful now and those \npeople don't care about the law.\n    Mr. Stearns. I'll conclude by just saying I'm a little \nconcerned that you're not outraged that people have access to \nsomebody's privacy, Social Security Numbers and all this and \nyou're saying just let things go by the wayside when actually I \nwould think you as Federal Trade Commission should be saying we \nneed more money, we want to enforce it, we're going to do \nsomething about this, Congress, this is what we need.\n    Mr. Thompson. I am outraged and we always need more money, \nbut what I am saying to you is there's a danger. The danger in \ntrying to define this in the scope of legislation right now, is \nto be overbroad which will deny us of beneficial uses.\n    Mr. Stearns. My time is up.\n    Mr. Thompson. Or too narrow.\n    Mr. Stearns. The gentlelady, Ms. Schakowsky.\n    Ms. Schakowsky. Mr. Thompson, if legislation is not \nwarranted at this time, I know you had a workshop and that's \nthe beginning, but what are you doing exactly in terms of \nenforcement of current laws? It seems to me the ball is in your \ncourt as well as in that of industry. 
You're looking for a \nvoluntary industry response, you're saying, but what exactly \nare your plans then in the short term?\n    Mr. Thompson. I would like the Bureau Director to be in to \ntalk about that because he can talk about specific enforcement \nactivity.\n    Mr. Beales. We are actively looking for spyware cases. We \nhave open investigations. We will pursue those. We have brought \ncases that have challenged the deceptive downloads of dialers \nthat disconnect you and reconnect you. We've brought cases that \nare very much the same kind of practice of once you're in the \ndoor, you can't get out until you buy the program. We've \nbrought the extortion kind of case of buy this product and I'll \nstop sending you the ads that--this product will stop the ads \nthat we're sending you.\n    We've brought all those kinds of cases. We will continue to \npursue those cases. The problem is not one of legal authority. \nIt is developing and proving a case in Federal Court.\n    Ms. Schakowsky. It sounds like this is a problem that's \nescalating rather than shrinking as we go forward. So what is \nit that consumers ought to be expecting from both industry and \nfrom the regulatory agencies right now? And then, Mr. Schwartz, \nI'd like you to add why it is that this broad privacy \nlegislation might add relief to consumers?\n    Mr. Thompson. I think step one, I think responsible \nindustry needs to tell consumers what software they're putting \non the system, how it works and giving consumers a choice of \nwhether to have it or not to have it.\n    Ms. Schakowsky. How big a problem is responsible industry? \nUsually when we're dealing with the most insidious scams, we're \ndealing with irresponsible players here who have the intention \nof robbing people of their information, et cetera.\n    Mr. Thompson. And that's exactly the point. 
One of the \nthings I would like to see done is that the good guys can all \nwork on the same baseline to say this is what the behavior, \nstandard behavior is in the industry, so we can begin to say \nanything that's outside of that is really ripe for our picking.\n    Ms. Schakowsky. Are you planning then to establish some \nkind of rule that would set those boundaries and the parameters \nrather than simply relying on industry itself to come up with \nthat?\n    Mr. Thompson. As you said in your comments, we are at the \nbeginning stages of talking about that. The workshop was very \nhelpful. And as I said in my statement, I want effective and \ntimely responses. I think we will continue to work with \nindustry to see that that happens, but this is one issue that I \nthink is important to have the committee's continued \ninvolvement and review.\n    Ms. Schakowsky. Clearly, the Congress and the bipartisan \nway is interested in stepping into this. If you're saying we \nshould not, then it seems to me you have to have a very clear \ntime line to come back with and say this is our plan, this is \nwhat we expect from industry. We really haven't seen that.\n    I would like to particularly get Mr. Schwartz'--tell me how \nthis broad privacy legislation would help?\n    Mr. Schwartz. Let's take a step back and look at the \nbroader picture of online privacy. If we pass a law that says \nwhen you download software and you focus on the privacy of \ndownloaded software, rather than general software, so let's say \nwe do get the real fair information practices built into a \nsoftware law that has notice, choice of intent for consumers, \nability to access and see what they are turning over to the \ncompanies, etcetera. Then simply the bad acting companies \nsimply start doing that from a server that's--where information \nis not downloaded to the computer, from somewhere remote. 
We've \nseen cases like that similar to that today.\n    By trying to define software and come up with privacy rules \njust for software, you're leaving out the exact same practices \nthat we consider to be bad practices that are just done from a \nremote server.\n    Similarly, we saw this in web privacy as well. Early on we \ndid not have any notices at all. As practices start to improve \nin one area, the bad acting companies shift and go to another \narea where they feel they can take advantage of consumers and \nthat's going to continue to happen because that's the nature of \ntechnology. We're going to come up with new technological \nchallenges. But if we have a broad law that focuses on the \npractice, rather than the technology, we can go after the \nactual root cause which is that companies are misusing people's \npersonal information, not telling them what they're doing with \nit and keeping it in incorrect ways where consumers don't even \nknow it could be used against them and they don't even have the \nability to change it if it's wrong.\n    Ms. Schakowsky. Thank you.\n    Mr. Stearns. The full chairman of the committee, the \ngentleman from Texas, Mr. Barton.\n    Chairman Barton. Thank you, Mr. Chairman. 
I am reading from \nthe FTC testimony here, the Commissioner's testimony, page 5, \nit says ``at the workshop, FTC and Department of Justice staff \nmembers noted that many of the more egregious spyware practices \ndescribed at the workshop may be subject to attack under \nexisting Federal and State laws.''\n    Later on in that same page it says, ``However, \ninvestigating and prosecuting acts and practices related to \nspyware, particularly the more pernicious programs pose \nsubstantial law enforcement challenges.''\n    Now then, my understanding, Commissioner, is that you said \nthat you didn't think additional Federal legislation was \nnecessary, yet in your testimony you're talking about it says \n``it may be subject to attack and pose substantial law \nenforcement challenges.''\n    Why in the heck don't you support us legislating so we make \nit perfectly clear? If somebody walks in my house without my \nknowledge, without my permission, they're trespassing and \nthere's a law that says that's illegal. And what you're saying \nis if somebody comes into my personal computer in my house, it \nmay violate a law and it may be a problem, but it might be \ndifficult to prosecute. Why not work with this committee to \ncome up with legislation that makes it perfectly clear that \nit's illegal? And then if somebody wants that crap on their \ncomputer, they can opt to let it be.\n    I mean I don't understand. I really don't understand why \nwe're having a semantical debate about something that everybody \nI've talked to is totally outraged about. I'm the moderate on \nthis issue, by the way, on the panel.\n    Mr. Thompson. Well, Mr. Chairman, you know what I think \nabout privacy in general, and we've discussed that before. I \nthink that targeted legislation here at this time would be very \ndifficult, if not impossible to define. 
And what I'm concerned \nabout is leading people to believe that defining a certain kind \nof software, for example, will address the problem.\n    Let me give you an example. There are so many things in \nthis area that would be a problem notwithstanding whether they \ninformed you of it or not. If someone came in and told you \nwe're going to disclose to you that we're putting software on \nyour machine that's going to monitor your activity, that we can \nsend to identity thieves, that would be unlawful no matter \nwhat. And it doesn't really matter----\n    Chairman Barton. My understanding is there's not been one \nenforcement action even attempted. Is that true or not true?\n    Mr. Thompson. That's not true.\n    Chairman Barton. That's not true. So you've done one?\n    Mr. Thompson. There are some things that are pending that I \ncan talk about----\n    Chairman Barton. Ah, some things that are pending. Maybe \ntwo, three? We've got 140 million people and I've yet to see a \nperson when they find out this is on their computer says oh, \nthat's okay. I'm okay with it.\n    Mr. Beales. We have brought a number of cases, at least \nthree or four, that challenged deceptive downloading of dialer \nprograms that disconnect you and reconnect you to different \nservice provider.\n    Chairman Barton. Have you got any convictions?\n    Mr. Beales. Yes, we have.\n    Chairman Barton. You've got how many?\n    Mr. Beales. In all of those cases. In none of those cases \nthat have been fully litigated or resolved and none of our \ncases have we lost.\n    Chairman Barton. If we were to pass a law that said you \ncan't put anything on a person's personal computer without \ntheir explicit knowledge and if you do, it's a Federal crime \nsubject to whatever the penalties are, would that help or hurt \nprosecute these cases, if we made it explicit?\n    Mr. Beales. I don't think it would make any difference in \nthe ability to prosecute these cases. 
It would make the process \nof installing new software with hundreds of different \nsubprograms that I have no clue what they do, extremely tedious \nand difficult.\n    Chairman Barton. And that's a good thing.\n    Mr. Beales. No, it's not.\n    Chairman Barton. You want this stuff on your computer? \nYou're the only person in the country that wants spyware on \nyour computer.\n    Mr. Beales. No, I want my word processing program to work.\n    Chairman Barton. We do too.\n    Mr. Beales. And if you pass a law that says I have to go \nthrough each component of that word processing program as it \ninstalls and agree to that component, either I'm going to agree \nto everything and the spyware is still going to be there \nbecause I've been trained to agree to everything or my word \nprocessor----\n    Chairman Barton. So now you're saying that spyware is \nnecessary to install a program on your computer?\n    Mr. Beales. No, I'm saying that software includes a lot of \ndifferent programs where I don't know and I don't want to know \nexactly how they function to put a footnote in my document.\n    Chairman Barton. And that's what spyware does?\n    Mr. Beales. No, it's what software does.\n    Chairman Barton. We're not opposed to software.\n    Mr. Beales. But if you require consent to the installation \nof each program, then I'm going to have to go through each one \nof those programs----\n    Chairman Barton. Let me just clue you. Unless I'm totally \nmistaken, when we get ready to move this bill all but a handful \nof the members of this committee on a bipartisan are going to \nbe supportive of it. Now I'm not a software expert. I'm not a \ncomputer expert, but I can count votes on my committee. And I \nwould encourage the Federal officials at the table to work with \nus on how to clarify the language that helps you enforce the \nlaw. 
Instead of trying to defend something that is not \ndefendable.\n    I bet you that we could go to every person in this room \nthat has a personal computer and I would be stunned unless they \njust cleaned their programs, cleaned their computers, they \ndon't have spyware on their personal programs right now, \nincluding the people at the witness table. Every one of you.\n    And then I would double down and bet that if we asked if \nthey wanted to take it off, almost everybody would say they \nwant to take it off, except for you, sir, who apparently thinks \nit's a great thing which is what makes America great that we \ncan agree to disagree, I guess.\n    Mr. Beales. I think it is very difficult to draw a line \naround the what is the spyware, where I don't want it either \nand where we think there clearly are bad practices.\n    Chairman Barton. Well, then work with us----\n    Mr. Beales. We are happy to do that.\n    Chairman Barton. Work with us to define the line.\n    Mr. Beales. We are happy to do that to try to draw the line \nas well as possible. What is not clear to us is whether there \nis a meaningful line that can be drawn.\n    Chairman Barton. I am very confident that with the lawyers \nwe have on the committee and the lawyers that we have at your \nagency, we can draw the line.\n    With that, Mr. Chairman, I yield back the negative balance \nof my time.\n    Mr. Stearns. That's all right, Mr. Chairman, I just want to \nbuttress your argument by pointing out, as I point out in 2003 \nthere were 2 million spyware software programs. Today, in the \nyear--they project 14 million currently. So I would say to the \nCommissioner, with those statistics it sort of shows that the \nchairman is talking about a serious problem.\n    Mr. Strickland.\n    Mr. Strickland. Thank you, Mr. Chairman. We've been talking \nabout for lack of a better way to put it, bad actors, using \nspyware. Are there good actors who use spyware?\n    Mr. Beales. 
Well, it depends on how you define it, but on \nmany definitions, yes, there are. Keystroke loggers, for \nexample, which can be used to steal personal information and \nfor identity theft are frequently downloaded by help desks to \ntry to figure out what it is you're doing, how it is they can \nhelp you use your computer better. That's a perfectly \nlegitimate use of exactly the same software.\n    Mr. Strickland. Is that done with the permission of the \nperson whose information is being collected?\n    Mr. Beales. Certainly with the implicit permission, whether \nit's explicit or not, I don't know, but certainly with the \nimplicit permission because they've called and asked for help.\n    Mr. Strickland. Let me ask this question. How many of you \nwould agree with this statement, instead of regulating and \noutlawing certain types of software, we need to rather regulate \ncertain types of behavior?\n    Do any of you agree or disagree with that?\n    Mr. Beales. I would agree with that completely.\n    Mr. Thompson. I would agree with that as well.\n    Mr. Strickland. And is it your impression that the \nlegislation under consideration from my colleague from \nCalifornia an attempt to regulate software rather than an \nattempt to regulate behavior as you understand the proposal?\n    Mr. Baker. No sir, if I may, I don't think that it's an \nattempt to regulate software. I think it does regulate behavior \nbecause it's not saying that any specific type of software is \nbanned, but rather that software can't be downloaded to a user \nwithout their consent, without clear notice, without a means to \nuninstall it. So I think that is addressing the behavior.\n    And to your earlier question, I mean no, and I think this \nis what Mr. Beales was trying to describe earlier. 
We don't \nwant a world where every time a consumer tries to use any \nprogram every web page they go to, every click of the mouse \nthey're going to get a nothing dialog box saying do you agree, \ndo you agree, do you agree? Nobody wants that.\n    But I think what we're doing here is establishing when \nthings are loaded onto users' computers without their \npermission, from somebody that they have not agreed to. \nCertainly, if it's an update to their Microsoft operating \nsystem, to their EarthLink internet access, I mean that's \nsomething that the user has already agreed to and I think \nthere's a fundamental difference there.\n    And I think that the statute does a pretty good job of \ndistinguishing between legitimate and illegitimate users of \nsoftware that's downloaded to a computer without the user's \nknowledge.\n    Mr. Strickland. I have some problem understanding the \ndifference between my Chairman's position and what I'm hearing \nfrom some of you in terms of if there's a problem and people \nare being abused in ways that they don't choose to have their \ncomputer used and is it possible to achieve what Mr. Barton \nwants to achieve and at the same time avoid the problem that \nMr. Beales, I think, is trying to describe for us? Is there a \nway to accomplish both?\n    Mr. Friedberg. I think as Congresswoman Bono mentioned, the \ndevil is in the details and I think we all really want these \nbad actors to go away and for us to take back control of our \ncomputers. Everybody wants that. And we know that one element \nof the solution is kind of focusing on behavior, but when we \nwrite the clauses and the rules, we need to still tie it down \nto something. That's where the challenge is is tying it to the \nstuff, the software.\n    Mr. Strickland. But do you feel that that can be \naccomplished without interfering----\n    Mr. Friedberg. It is very, very hard. 
I have been thinking \nabout this a lot and I am a computer scientist by trade and so \nI can tell you how hard it is. There are a couple of areas in \nparticular that are very challenging. Uninstall requirements is \none. The way you do consent is another. I know as a best \npractice I suggest to people in our company to do just in time \nconsent and that's this concept of waiting until the most \nrelevant moment when the user actually has some context to make \na decision. If we put in certain rules and I'm not saying any \nparticular legislation does this, but that require everything \nthat happened in install time or transmission time, we've \nreally missed the boat in terms of what, how users make trust \ndecision. And we need to think about what's going to make my \nmom make good decisions when she's presented with the software \nand at what point does it make sense to have that?\n    I know in Windows, when something crashes, we pop up this \nwindow's error report. And we do that at the time of the crash \nand we tell the user hey, we might be able to find a fix for \nyou if you let us send some data back to Microsoft to figure it \nout. So the user has great context. They know exactly hey, I \nwant to keep going, I want my word thing to word and it's okay, \nI'm going to send this data and you can actually look to see \nwhat data is going to be sent, so you can understand your \nprivacy impact at the time of the situation.\n    If we ask this question at the beginning, at installation \ntime, there's no context. So there's all these different \nparadigms to consider, different ways to do consent, different \nways to get this notice to show up.\n    Another is the user interface issues and design. As people \npointed out, nobody wants to have 100 of these popups just show \nup and completely color your experience. It doesn't make any \nsense. 
Also, we have new devices that are coming out almost \nevery day and so it's very hard to figure out what their \nrequirements are going to be. For example, there's this media \ncenter edition that we offer that's a 10 foot experience. \nLetters are really big. We only get two lines of text to \ncommunicate to the user these big issues, so we can't have very \nelaborate notices in that experience and likewise, if I have a \nwatch that's really smart and it wants to download some new \nsoftware, I've got very little room to provide that same \nnotice. So we have to really think hard about all of these \ndifferent scenarios. And that's why people are saying it's a \nlittle early. We really haven't had time to look at all of \nthese, what I'll call test cases and watch out and figure out \nwhere the gotchas are. Because if we codify some of this stuff \ninto law, suddenly we've tied our hands in an evasion which I \nthink is a mistake.\n    Mr. Schwartz. Can I address another issue along with some \nof the things that makes this more difficult----\n    Mr. Strickland. My time is up, but----\n    Mr. Stearns. Sure, why don't we just let them answer the \nquestion and call it quits.\n    Mr. Schwartz. I was just going to say that the complexity \nof--this is not just like one company coming and monitoring the \nbehavior of a computer user. These are--it's a complex network \nof affiliates, of individuals that are all involved in passing \ninformation to each other and cram the software down on \ncomputer users.\n    In the case that we brought to the FTC that we hope that \nthere will be action on we found at least four or five \ndifferent parties, two of whom didn't know what was going on at \nall. 
They were simply kind of pawns in the whole scheme, \nwhereas two others, to our mind, seemed to be active actors \ntrying to put spyware on people's computers and trying to get \nthem to guy software that they didn't really need.\n    And in developing this case, it took us 2 months to put \ntogether and to turn it over to the FTC. It takes a lot of \nresources to put together these cases and track back the entire \nnetwork. I think that's true for spam cases as well. \nPersonally, I think we need to see the FTC get more resources \nto be able to go after these kinds of cases. Even if we had a \nnew law that got at, closed up some of the existing holes, we \nwould still have to have this same problem of being able to \ntrack down the bad guys.\n    Mr. Stearns. Thank you and the author of the bill, the \ngentlelady from California, Ms. Bono.\n    Ms. Bono. Thank you, Mr. Chairman. It sure is nice to have \nagain your full weight and that of Chairman Barton's behind \nthis legislation and since we've started this hearing I think \nI've gained three co-sponsors, so I appreciate my colleagues \npaying attention.\n    But I am stymied by a lot of what I'm hearing and I'm also \nencouraged by a lot. First of all, we keep talking about \nprosection, prosecution. What the FTC has certainly failed to \ndo is stop the proliferation of spyware and adware. You have \nfailed in that. And it has grown exponentially and that is my \nintent. First of all, is to stop this growth, boom in this \nbusiness, but also this bill is really about consumer \nempowerment. And as I mentioned to Mr. Friedberg, the devil is \nin the details in all of the legislation we write here and I \nlook forward to working with all of you in industry and my \ncolleagues on crafting the perfect legislation. I have been \nrevising it day by day, just to address these issues.\n    But you know, if we take this away from the realm of ones \nand zeros and change it to durable goods--for example, a car. 
I \nthink Chairman Barton talked about this a little bit in \ntrespassing. If I just bought a new car and I drove it home, \nparked it in my garage, would that give the automobile \nmanufacturer the opportunity to come to my house and come into \nmy garage and fix something because there was a recall notice \non it without my knowledge? I don't think so. I do agree that \nthere are beneficial uses of spyware, but I think if you warn \nthe consumer first that this is all we're installing, it should \nbe so simple. I love how Congress sometimes loses--I don't know \nthat Congress has, but I think some people have, lost common \nsense. What is wrong with consumers simply knowing this is \nbeing installed. For example, Kazaa. I have two teenagers at \nhome. They installed Kazaa. They thought this was great \nsoftware. They were getting all of this free music, until I had \nto remind them about copyright and all of these things. I \nsaid--I had to point out to them somebody is still making money \noff of this and let me tell you how it works. And that's the \nway this all began. Somebody is making money. But it's not a \nsongwriter. It's not a copyright holder. It's a third party you \ndon't even know about.\n    My question to you, Commissioner, is would you allow that? \nWould you allow--let's say I've taken that new car, that new \nFord I bought and it's no longer in my garage. I've parked it \non the street, because it's a public highway, similar to the \ninternet. So now I'm going to allow Ford to come by and fix \nthat recall notice without my--and this is a legitimate use of \nspyware. I'm actually talking about a legitimate use because I \nbelieve that Microsoft and Symantec and legitimate software \ncompanies do warn you and they do say we're going to update \nyour software and occasionally they allow you to hit a button \nthat says yes, I know you're doing it. Sometimes it happens \nautomatically. That's a convenience. I know it's happening. 
But \nwould you allow that to happen to a Ford? Because that's what \nI'm hearing you say right now, it's okay. It's okay or maybe \nyou'll enforce it or maybe you'll stop it, but right now it's \nokay.\n    Mr. Thompson. Let me make something perhaps a little clearer. \nThe challenge is the definition, because the same kinds of \nbehavior--the same kinds of software can be used for beneficial \nand non-beneficial uses----\n    Ms. Bono. Excuse me, Mr. Commissioner, I disagree. I \ndisagree. And you know, first of all, again as I've said, the \nbeneficial use, most companies do inform you that they're going \nto be collecting data from your computer and they let you know \nthat when you install the software. So that could be covered. \nWe could allow that. The end user license agreement which is \npages long, if we simplified to a simple box that would be \ncovered, legitimate software sites could be covered. So I don't \neven know that you need to differentiate between because they \nare covered because they are doing that currently.\n    Mr. Thompson. What I'm concerned about is if you define \nsomething that is really based on consent and not in more \ndetail about behavior, then the very same thing that people are \nasked to consent to without any context can be used by that \nsame company in ways that consumers don't want.\n    Ms. Bono. Which leads me, if I can jump because time flies.\n    Mr. Friedberg, can you tell me really fast, according to \nPestPatrol, there's something called Alexa and Alexa is a new \ntool bar and apparently it's bundled with Microsoft's Internet \nExplorer and I understand it collects information from websites \nthat are visited. Can you briefly describe Microsoft's \nrelationship with Alexa?\n    Mr. Friedberg. There are two different versions of Alexa \nthat I know of. One is a tool bar that Alexa offers that's not \ndirectly coupled to IE. 
There's another lighter weight version \nthat's actually in IE that provides something called show \nrelated links. The lightweight version that's actually in IE \nsends a URL to the service and it returns back links that are \nsimilar to that link that you might be interested.\n    It's my understanding that that service does not retain or \nstore any data and that the only information that's passed is \nthis URL and it's sent back to the user. I can't speak for what \nthe Alexa tool bar does. You'd have to talk to them and look at \ntheir privacy statement and read it very carefully, but again, \nwhen you look at the spyware results, when people say something \nis something on those lists, you have to look very carefully \nwhat the criteria is to understand which version of the \nsoftware they're actually ranking. Just to be clear.\n    Ms. Bono. I look forward to working with you more on it and \nI know, Mr. Chairman, my time has expired. Thank you very much.\n    Mr. Stearns. I thank the gentlelady. The gentleman from \nArizona.\n    Mr. Shadegg. Thank you, Mr. Chairman, I didn't know my time \nwas up. I thought we had to go to the other side.\n    Gentlemen, let me begin with the gentlemen from the FTC. \nCommissioner Thompson, you said no legislation is needed and \nyou said the FTC Act allows the Commission to take action \nagainst deception now.\n    Mr. Beales, you said we have the necessary tools to stop or \nat least address the practice. So both of you contend we don't \nneed legislation.\n    I want to know how many people you have brought enforcement \nactions against and achieved a penalty against to date?\n    Mr. Beales. Well----\n    Mr. Shadegg. My time is very limited, just----\n    Mr. Beales. It depends exactly what you mean by spyware. \nThere are probably--this is a guess and I'll get you for the \nrecord precisely. 
There are probably 15 or 20 defendants that \nhave been involved in the dialer programs, all of whom have \nbeen, all of whom have been penalized in one way or the other.\n    Mr. Shadegg. I would like you to supply to the committee \nprecisely how many you have gone after that you contend could \nbe considered spyware and taken action against. Then I want to \nknow first, right now, what are the potential penalties you can \nimpose?\n    Mr. Beales. We can get full redress for whatever money they \nhave made from consumers and----\n    Mr. Shadegg. Full redress. Can you impose criminal \npenalties?\n    Mr. Beales. No, we have no criminal authority.\n    Mr. Shadegg. So full redress means they make $200,000 out \nof the deal, they steal that from me, you can get back the \n$200,000. What's the disincentive if all you can get back is \nwhat they took from me, what's the disincentive for them to do \nthat again?\n    Mr. Beales. Well, in a typical case, there's not anything \nlike $200,000 left. And----\n    Mr. Shadegg. I've worked very extensively on identity theft \nlegislation and I guarantee you when your identity gets stolen, \nit's nearly impossible to quantify the damages people suffer \nand calculating how much they've suffered is near impossible. \nThe point is in all of criminal law, and I used to work for the \nArizona Attorney General's Office, if all you can get back from \nthe bank robber is what he took, there's no disincentive to rob \nthe bank. So I guess my question is do you have the ability to \nimpose penalties beyond what you think they've profited?\n    Mr. Beales. We do not in the typical case of unfair and \ndeceptive practices. Many of the kinds of conduct at issue here \nmay violate other criminal laws. It's common----\n    Mr. Shadegg. Then I want to know if those criminal cases \nhave been brought. 
I want to know all of the cases you've \nbrought, all of the penalties you've exacted and then I want to \nknow all of the criminal cases that have been brought that \nyou're aware of against people that engage in this conduct. And \nI'd like you to supply that to the committee.\n    Is that all right?\n    Mr. Beales. We will be happy to do our best.\n    Mr. Shadegg. Let me move to a separate topic. One of the \nconcerns I have is that in many of these agreements that we \ntalk about you say well, they're legitimate things that are \nbeing done. There are also illegitimate things that are being \ndone.\n    What are you doing with regard to what I call fine print \npermission, that is, I sign an agreement with one of the \nlegitimate companies and buried deep, deep, deep in the fine \nprint is a very, very small disclosure that says I give you \npermission to get into my computer and do all kinds of things \nthat no rational person would want to do.\n    Are you pursuing that now?\n    Mr. Beales. We think disclosures need to be clear and \nconspicuous. What that means depends on the consequences of the \nparticular disclosure.\n    Mr. Shadegg. Have you ever looked at the disclosures that \nare required? Have you brought an enforcement action against \nsomebody?\n    Mr. Beales. We've brought many actions involving \ndisclosures that were not sufficiently clear and conspicuous.\n    Mr. Shadegg. Okay, I'd like you to supply me with a list of \nthose that relate to abuses of, for example, getting into my \ncomputer and taking privacy information that I don't approve \nof.\n    Mr. Beales. I don't think we've brought cases that involved \nend user license agreements. We've brought numerous cases that \ninvolve insufficiently clear disclosures in a wide variety of \ncontexts and the legal principles----\n    Mr. Shadegg. But not for as an individual consumer?\n    Mr. Beales. I'm sorry?\n    Mr. Shadegg. You said not end user license agreements. 
I \nthink we're talking about end user license agreements right \nnow, aren't we?\n    It's my computer they're getting into and some would \ncontend with permission because I signed agreement that had a \nfine print disclosure.\n    Mr. Beales. We have brought numerous cases like that, not \nin the software context. The disclosure issue though of is it \nclear and conspicuous is not fundamentally different.\n    Mr. Shadegg. Except we're talking about the software \ncontext and if you haven't brought any of the software context, \nthat doesn't sound like that's an enforcement tool that will \nhelp solve those problems.\n    I'm going to run out of time. I want to move on, so I'd \nlike to know what you contend fits there.\n    You have said that it would be impossible, Commissioner, to \ndefine this issue. I want you to tell me under what \ncircumstances it would ever be appropriate for someone to get \ninto my computer without my permission and monitor every single \nkeystroke of my computer forever and give that information away \nto somebody else?\n    I mean that's one of the most offensive practices that I \nthink is going on here is they get into my computer. You talked \nabout it. They put a stroke monitor on my computer and they \nknow everything I do on that computer and then they sell that \ninformation or use that information.\n    My question to you is, you say it's impossible to define \nthis legislation. Under what circumstances would anyone ever \nwant to have it occur that someone can get into my computer or \nyour computer, monitor every stroke I make without my \npermission and give that information away or use it for their \nbenefit, every stroke?\n    Mr. Thompson. 
I can't answer that question because I know \nthat it would bother me and I know that one of the problems \nwith the legislation that's proposed, to the extent to ask you \nto give permission for context, out of context, you may--what \nI'm worried about is consumers are going to be asked to say yes \nto behaviors they don't even know are going to happen.\n    Mr. Shadegg. You just admitted to me that there is never, \nyou can't imagine--and this is your business--you can't imagine \na circumstance under which it would ever be appropriate for \nsomebody to get into someone's computer without their \npermission and monitor every single stroke----\n    Mr. Thompson. For all circumstances----\n    Mr. Shadegg. For ever. I understand that when I go into my \nBank One account, I have the choice on my computer to say I \nwant to permanently register both my user ID and my password. \nThat's a single transaction. What's going on here is they're in \nmy computer and they do that forever. I quite frankly, and I'm \nrunning out of time, I do not see a thing different between \nthat and wiretapping. And we don't say to people who have \ntelephones, you know there's a danger that someone might tap \nyour telephone and listen to all of your phone conversations, \nso you should buy a device, we should teach you that, we should \naddress this as consumer education, we should teach you that \nthat might happen and then you should buy a device to put on \nyour telephone that stops them from tapping your telephone. 
And \nyet what I hear both of you from the FTC saying is that even \nthough someone under spyware can get into your computer, \nCongressman, and can without your permission put a stroke \nrecorder I think was the term you put on it and record every \nstroke you make and every stroke your kids make and every \nstroke your wife makes and know every where you go and \neverything you do, we think the way to stop that is to tell \nyou, Congressman, is to be aware that it might happen and to \nmake you go buy something to put on your computer to stop it.\n    Mr. Beales. Congressman, I think what we're more worried \nabout is the perfectly legitimate download that you agree to of \nthat keystroke monitor from the help desk----\n    Mr. Shadegg. No, no, no, no. I never----\n    Mr. Beales. That's buried in the fine print that gives them \npermission to do that indefinitely.\n    Mr. Shadegg. I got a flash, I would never ever, ever agree \nto give permission to someone to monitor every single keystroke \nof my computer for ever and ever, for a week, for a month. I \nmight give permission for one transaction. I might give it to \nmy bank for two transactions. But that's not the abuse we're \ntalking about and you said it's impossible to write legislation \ndefining this problem and yet the Commissioner just admitted to \nme that he can't imagine ever a circumstance in which it would \nbe appropriate.\n    Quite frankly, it's simply identical to my having my \ntelephone tapped--I would never give somebody permission to tap \nmy telephone.\n    Mr. Beales. Congressman, I think it's more akin to having \nan extension on your phone where sometimes somebody picks it up \nand----\n    Mr. Shadegg. In my own house? These people aren't in my \nhousehold. These people are somewhere else, they're miles away \nand they're doing this without my permission.\n    Mr. Beales. And you invited them in to help you with your \ntransaction.\n    Mr. Shadegg. 
Exactly, as if I called the car dealer. If I \ncall the car dealer and said I'm interested in a car, I \nwouldn't have said to that car dealer, oh, by the way, because \nI called you you have the right to tap my phone for the rest of \nhistory.\n    Mr. Beales. I agree. If that was in the consent, I wouldn't \nthink it was adequate, but that's because it's not a consent \nproblem, it's a behavior problem.\n    Chairman Barton. Will the gentleman yield?\n    Mr. Shadegg. I think it is a consent problem and I think \nthe last point here that I want to make is----\n    Chairman Barton. I would ask unanimous consent that Mr. \nShadegg have an additional 2 minutes.\n    Mr. Stearns. Unanimous consent, so ordered. I would point \nout to the chairman we're going to have a second round here, so \nI would encourage the gentleman from Arizona to stay around.\n    Mr. Shadegg. Unfortunately, I can't stay around, but I'd be \nhappy to yield.\n    Chairman Barton. If I have a problem with my telephone, I \ncall Southwestern Bell and I say there's something wrong with \nmy phone line. And Southwestern Bell sends a repairman to my \nhouse to check the phone lines and hopefully repair it, but the \nSouthwestern Bell repairman doesn't just move in with me.\n    He doesn't say what's for supper and what are you going to \nbe watching on TV and you know. Put a beeper on me so that \nwherever I go make sure that I'm home in time to cook and clean \nfor him.\n    So I just simply don't understand why we can't agree that \nthese unwanted intrusions should be totally explicitly illegal. \nWe're not talking about asking Microsoft when I buy the \ncomputer, we have to sign an agreement to use the Microsoft \noperating system on the computer. We're not talking about that. 
\nWe're talking about programs that get put on our computer \nwithout our knowledge and are doing things that we don't want \nto be done and taking information that we don't want to be \ntaken.\n    Do you all agree with that?\n    Mr. Beales. I do. I think it's a question of whether you \ntry to prohibit that and make it illegal under the general \napproach of the deceptive practices that were used to install \nit, or whether you try to write legislation that draws bright \nlines and says you have to do it exactly this way.\n    We agree there's a problem. We agree that the kinds of \nconduct you're talking about here are illegal. The question is \nwhat's the best kind of a statute to address that. Is it the \ngeneral deceptive practices authority we've already got or is \nit something more specific that says go through these hoops and \nthat constitutes consent to this keystroke logger that lives \nthere forever.\n    Mr. Shadegg. Let me just tell you where I see you're coming \nfrom from my perspective. You're telling us--and I'm a former \nprosecutor with the Attorney General's Office in Arizona. \nYou're saying current law is adequate to handle this problem. \nOh but, we're really not enforcing the law right now. We think \nyou can't define the issue, although I just gave you a \ndefinition that neither one of you could say you're right, \nCongressman, that ought to happen some time. And then your last \nanswer is self-regulation. I am typically a guy who believes \nvery much in industry self-regulation. But Commissioner \nThompson, you pointed out that we've got criminals out here \nengaged in this activity that don't care that it's already \nillegal. You tell me how the legitimate industries are going to \nstop those criminals with self-regulation. It's not going to \nhappen.\n    We've got a wide open door for criminals here. Your answer \nis well, give us time, we may bring an action later. 
I'm sorry, \nI just don't think--of course, it's difficult to write a law in \nany area. We understand that writing definitions in this kind \nof complex area of any law is very difficult and we don't want \noverly broad legislation, but I've got to tell you, doing \nnothing about the fact that somebody can get into my computer \nand record every single stroke on it and that I ought to try to \nself-protect against that which to me is wiretapping of the \ncurrent generation, just makes no sense.\n    I applaud Ms. Bono and yield back my time.\n    Mr. Stearns. The gentleman's time has expired. My unanimous \nconsent, we have a guest who is not a member of the full \ncommittee or the subcommittee, obviously. We're going to allow \nan opportunity for him to ask questions for 3 minutes and then \nwe'll have a second round for anybody who would like to--just \nfor the members, we'll have an opportunity for a second round \nand Mr. Inslee will be offered one opportunity for 3 minutes. \nSo I recognize the gentleman from Washington.\n    Mr. Inslee. Thank you, Mr. Chairman. First I want to thank \nMary Bono for her vision on this to understand that action was \nneeded by Congress and she's been ahead of the curve and I look \nforward to working with her and others on this. I want to thank \nthe committee chair for allowing me to participate and the \nreason is that I'll be introducing an alternative, a bill to \ntry to address this very difficult issue. And I believe it is \nclear that we need to act and I'm disappointed that the \nCommission has allowed the difficulty of this task to overwhelm \nthe obvious necessity for action here because we do need \naction.\n    The bill I will be introducing will have two approaches and \nI think it's a pleasure to hear the testimony of the witnesses \nbecause it sounds like we might be on the right track. No. 
1, \nthe bill I will be introducing will address behavior, rather \nthan just a designation of type of software and I've heard sort \nof unanimity of the panel to date, suggesting that that's a \nmodel that will allow us to cut with a sharp scalpel, rather \nthan a blunt instrument and that's what we need to do in this \nhighly tech area.\n    Second, it will try to have just in time notice and consent \nbecause in thinking through this, to me, having the consumer \nhave the ability to do notice and consent at the time of the \nexecution rather than just even a transmission will be a \npreferable way to do this. So that's the two thrusts and I look \nforward to working with the committee members on that.\n    I want to just give the Commission a moment, my take on \nwhat is going on is the reason there has been such a \nspectacular failure by the American government to protect \nconsumers from this outright abuse of their privacy that is \ngoing on in hundreds of thousands of cases today is that we \nhave a 20th century law trying to regulate a 21st century type \nof new technology. And what I hear from the Commission today is \nkind of like if in the wild West if the bunch rode in and \nrobbed the bank, the regulators are trying to say that the \ntownspeople would say well, let's call for self-regulation. I \ndon't think that's what the townspeople are calling for here. \nThey're calling for a strong sheriff and a clear definition of \nwhat is allowable and not allowable.\n    Now isn't it true that the reason that you haven't taken \nmuch enforcement action despite these hundreds of thousands of \nprivacy violations is that there is relatively great ambiguity \nand vagueness that makes prosecution very difficult for you \nright now because we have so much vagueness in existing law?\n    Mr. Beales. No.\n    Mr. Inslee. Then what is the reason?\n    Mr. Beales. 
The reason--what limits our ability to bring \nthese cases is that, and your bank robbery analogy is somewhat \napt, is the bad guys ride off into the hills. But these are \ncyberhills and there are no footprints.\n    Mr. Inslee. Well, that just won't wash. In today's \ntechnological society so that we have hundreds of \nthousands of violations and you can't find a half dozen \nviolators, that doesn't wash. You need to hire some people that \ncome out of private enterprise, if you can't find these guys.\n    My time is limited, I need to ask another question. There \nwas discussion about notice and consent and we'll get to that \nnext round, if you will allow, Mr. Chair.\n    Mr. Stearns. Well, I was just hoping you will participate \nand I give you that opportunity, but I'll start with myself \nwith the second round of questions and I thank the gentleman.\n    We have the chairman of the Oversight and Investigations \nSubcommittee and I am very pleased to see him arrive. Before I \nstart, Mr. Greenwood, congratulations and we welcome you here. \nIf you want to have some questions, you're welcome.\n    Mr. Greenwood. I do. Good morning, gentlemen. I apologize \nfor missing the hearing heretofore, but it couldn't be helped.\n    On my home computer, I have experienced what my staff tells \nme is called browser hijacking. And that is we have a home page \nthat we had set up that's useful to our family and all of a \nsudden this bizarre home page is there and it won't go away. I \nkeep going back and re-establishing, resetting MSN, I think it \nis, is our home page and this thing pops up and it's annoying \nin a lot of ways, but one of the ways it's annoying is if you \ntry to use it as a search engine, it only goes--it doesn't take \nyou where you want to go. 
It only goes to commercial sites that \nare trying to sell you something.\n    And my staff fellow who is with me this morning said that \nhe just checked his computer and he has 81 spyware programs \nthat have been stuck into his computer. So the question is \nfirst off, can anyone define for me, browser hijacking just so \nI know we're on the same page. And then has the question--has \nthe FTC taken any actions? I believe there's been a complaint \nfiled by CDT against MailWiper and also against Seismic \nEntertainment Productions. Has the FTC taken any action with \nregard to browser hijacking? If so, what is that? And under \ncurrent laws, would browser hijacking be actionable and does \nthe FTC have additional authority to pursue those actions?\n    There are all the questions and I'd be happy to hear from \nany of you that would like to comment on any of those \nquestions.\n    Mr. Friedberg. I'll just start by defining browser \nhijacking for you. It's the changing of the key settings in the \nbrowser, specifically the home page or the search page without \nappropriate notice and choice to the user.\n    Mr. Greenwood. I'm sorry, I was interrupted. Say that \nagain?\n    Mr. Friedberg. It's the changing of the key settings in the \nbrowser, specifically the home page and the search page are \nmost common without appropriate notice and choice where you \naren't told and you can't undo it.\n    Mr. Greenwood. Is it illegal?\n    Mr. Beales. Yes, it is. We have brought cases that \nchallenged the practice of page-jacking which is essentially \nthe same thing. You try to go to one page and you end up on \nanother. We've challenged that as an unfair practice and have \nbeen successful in doing that.\n    Mr. Greenwood. You have been successful. And what \nconsequences have people who have successfully been prosecuted \nfaced?\n    Mr. Beales. 
That particular case was one that was brought \nin about 2000, I believe, and I don't know exactly what the \nsanctions were in that particular case.\n    In general, we can get full redress for consumers who have \nbeen injured. We get a permanent injunction----\n    Mr. Greenwood. What would be--how do you redress me? How do \nyou--my wife has been trying for years, but how do you \ncompensate me fairly for this experience?\n    Mr. Beales. Well, in cases where injury is difficult to \nassess and this is certainly one, we would frequently go on a \ndisgorgement theory of getting back all the money that whoever \nwas behind this had received.\n    Mr. Greenwood. It's obviously continuing to be done with \nimpunity, the people who do this must not have--they obviously \ndon't think they'll ever be caught or if they think that if \nthey do, they'll make enough money that it will be well worth \ntheir effort.\n    What do we do about that?\n    Mr. Beales. We are trying very hard to make sure they're \nwrong on both counts.\n    Mr. Greenwood. So what should a consumer do? What should I \ndo in this case? What are my options as a consumer to respond \nto identify the printout, the home page, the uninvited home \npage and send it to the FTC or what?\n    Mr. Beales. As a way to complain, yes. We would love to \nhear from consumers about specific complaints. That's very \nuseful to us as the starting point of an investigation.\n    Mr. Greenwood. What's the most difficult--obviously, anyone \nwatching this hearing anywhere in the country right now, I \nimagine a very significant portion of them, that's exactly what \nhappens to me and they could all make complaints to the FTC. \nWhat's your resources limitations have to do with how much \naction would actually occur?\n    Mr. Beales. What we use our complaints for and if anybody \nis watching, complaints can go to www.ftc.gov. 
What we use our \ncomplaints for is to identify targets for law enforcement based \non the volume of complaints. We do not have the capability to \nresolve individual complaints, but it does help to figure out \nwhat kinds of practices are out there, who is doing them and \nthen target our enforcement actions against those cases.\n    Mr. Greenwood. My time is up, but do plaintiff's attorneys \nfile Class Action suits in these cases with any success?\n    Mr. Beales. I don't know of any in these cases. The problem \nthat we have in terms of financial relief for consumers is that \nthere's not money and that tends to make them unattractive \ncases for plaintiff's attorneys as well.\n    Mr. Schwartz. In the MailWiper case that you mentioned that \nwe brought to the FTC's attention, there is a class that's \nbringing a case in North Dakota right now against the same \ncompanies that we filed the complaint against.\n    Mr. Greenwood. Thank you, Mr. Chairman.\n    Mr. Stearns. I thank my colleague and I thank him for \ntaking the time to come out.\n    I'll start the second round of questioning. Do any of you \nknow about the law that passed in the State of Utah?\n    Mr. Baker, as I understand, this law allows a private right \nof action, so what Mr. Greenwood is talking about or Mr. \nShadegg is talking about, I think they have a private right of \naction.\n    Mr. Schwartz, is that correct?\n    Mr. Schwartz. No, you would need to be a website owner or a \ntrademark holder. So unless Mr. Greenwood runs his own website \nout of his house, he would not be able to sue in the private \nright of action under the Utah bill, Utah law.\n    Mr. Stearns. Well, I mean I'm trying to get to the point \nthat Mr. Greenwood and Mr. Shadegg touched on. What rights \nshould consumers have in the courts when this occurs?\n    Mr. Baker?\n    Mr. Baker. Speaking to the Utah law specifically, Mr. \nChairman?\n    Mr. Stearns. Yes.\n    Mr. Baker. 
There's great concern among the industry, many, \nmany companies that the Utah law is overbroad.\n    Mr. Stearns. Overbroad. Because it allows too much \npossibility of litigation?\n    Mr. Baker. Not so much that is that it outlaws too many \nthings and there's great concern that, for instance, a \nlibrary's attempt to install filtering software to keep \nchildren and other patrons free from pornographic websites or \nparental controls even, that those--that this law would, in \nfact, bar applications such as that. I don't think that that's \nwhat any of us would be after.\n    So getting back to the House bill, one of the things we \nlike about the pending legislation here is in fact the pre-\nemption provisions because we are concerned. It would be a \ncruel irony if, in fact, you have an anti-spyware statute that \nis so broad that it might even bar the downloading of anti-\nspyware software.\n    Mr. Stearns. Right, so I think it's important to say we see \none State passed a law and we should understand what's good and \nwhat's bad about it, so that if we move forward on the Federal, \nthat we not incorporate the bad and try to do what's good. And \nat the same time, do you think a Federal law should prevent \nprivate right of action?\n    Mr. Baker. This is just a personal observation.\n    Mr. Stearns. Yes.\n    Mr. Baker. I'm always a little wary of private rights of \nactions in Federal legislation and this was one of the things \nthat was debated in the recent CAN-SPAM Act, for instance. \nUltimately did not--was not included, because you do run the \nrisk there of otherwise legitimate companies facing the wrath \nof multiple lawsuits.\n    Mr. Stearns. And Mr. Friedberg, how do you feel about that, \ndo you agree with Mr. Baker in that respect?\n    Mr. Friedberg. I really can't comment on private rights of \naction. That's not my expertise.\n    Mr. Stearns. Okay, anyone else? Mr. Schwartz?\n    Mr. Schwartz. 
We're usually in favor of private right of \naction in this type of case. It would depend on the definition \nthough if it is overly broad. We would have concerns about how \nthat might be misused in the courts. But generally speaking, we \nwould want to see private right of action in a privacy law that \nwould move forward.\n    Second, the Attorneys General, as well, that's something in \nthe Utah law that Attorney General, even the Attorney General \nin the State of Utah can't act. That seems to us to be a \nconcern as well. We want to see the Attorneys General have some \npower as well.\n    Mr. Stearns. I would just say in passing to the \nCommissioner, we passed the Spam Act which prevents all this \nspam material coming into the computer and then we passed the \nDo Not Call List which was saying we didn't want to have \ntelemarketers come into our home. So if you follow the logic in \nboth of these you're vigorously implementing, if we're trying \nto talk about e-mails and we're talking about telemarketing, it \nseems to me then the Federal Trade Commission would welcome \nsome kind of Federal legislation to prevent spyware.\n    Does that seem logical?\n    Mr. Thompson. I understand your point. As was said earlier, \nthe devil is in the details. The CAN-SPAM Act is an \ninteresting piece of legislation. It's still a very significant \nchallenge to get at the worst actors who are involved in spam \nfor a number of different reasons, including the fact that most \nof the people who are the most egregious actors really don't \ncare about the law. And that's where the real challenges rest.\n    Let me say this too. I don't want the Commission to be \ncharacterized as being uncaring or inactive----\n    Mr. Stearns. No, I want to give you the last word here. \nHere's your chance.\n    Mr. Thompson. We brought the workshop to bring public \nattention to this issue. 
We're asking industry to self-regulate \nfor one very important reason, we want them to begin to outline \nstandards. That's going to be instructive for us on this issue \ngoing forward no matter what, not only on talking to consumers \nabout what's good behavior and what's bad behavior, but even in \ntalking to us as law enforcers or talking to legislators about \nunderstanding where that line is.\n    Right now, that discussion hasn't really taken place and \nthat's one of the reasons why we've asked for the workshop to \nbegin to outline the parameters of what this issue is about.\n    Mr. Stearns. Thank you. My time is expired. The chairman of \nthe full committee, the gentleman from Texas, Mr. Barton.\n    Chairman Barton. Thank you. I want to ask Mr. Friedberg a \nquestion. Your responsibility at Windows is to monitor the \nprivacy protection that is built into the base Windows program, \nis that right?\n    Mr. Friedberg. Actually, the way I define my job is I would \nlike to think that I make people feel better about using \nWindows by protecting their privacy, most notably by giving \nthem notice and choice and appropriate control.\n    Chairman Barton. Is it Microsoft's assumption that the \ncomputer in a person's home is that person's private property?\n    Mr. Friedberg. Their physical hardware, yes, I believe they \nlicense the software from us.\n    Chairman Barton. Is it Windows' position that access to \nthat computer is the prerogative of the person who owns it in \ntheir home?\n    Mr. Friedberg. A person should be able to control what goes \non in their computer, sure.\n    I don't know, did that answer your question?\n    Chairman Barton. So if we wanted to postulate such a thing \nas computer trespass, just like if somebody walks through the \nphysical front door of my home without my permission, they've \ncreated a crime. 
They've trespassed.\n    So if somebody comes into my computer without my permission \nand I chose to prosecute whoever came in to my computer, I \ncould accuse them of criminal or computer trespass. Now I don't \nknow that there is--I'm not an attorney and this isn't the \nJudiciary Committee, but the concept of computer trespass.\n    Mr. Schwartz. I was just going to add that the Computer \nFraud and Abuse Act is partially aimed at that idea. If there \nare damages, certain kinds of damages, the Department of Justice \nis supposed to be able to go after companies that do trespass-\ncaused damage on people's computers. We haven't seen them act \nin these kinds of cases though.\n    Chairman Barton. We're kind of talking past each other. In \nmy first round with Mr. Thompson, Commissioner Thompson and \nDirector Beales, they were talking about deceptive trade \npractices. I don't consider it a deceptive trade practice when \nsomebody violates my privacy. They've trespassed against me.\n    We all seem to be in agreement that if it was a live person \ncoming into our home, that wouldn't be right unless we wanted \nthem in our home. But when we talk about using the internet to \ncome into our personal computers, then you get into this debate \nabout if it's fair or unfair and all the good things that \ntheoretically happen when people do come into our computers \nwithout us knowing about it.\n    Well, I can have that debate all day, but I want to ask \nthe gentleman from Windows if this concept of computer trespass \nis something that we can work with?\n    Mr. Friedberg. From a personal perspective it makes \nintuitive sense to me. I very much believe in making sure \nthere's consent before someone does something on your computer.\n    Chairman Barton. Now I understand that the FTC doesn't have \ncriminal prosecution ability. You're civil. 
You can fine \npeople, but if we worked with the Judiciary Committee to define \nas a crime the concept of computer trespass, Commissioner \nThompson, is that something that the FTC would be comfortable \nworking with us to get the definition right?\n    Mr. Thompson. We are always happy to work with the \ncommittee. Let me just point out a challenge though. The \ntrespass issue is an interesting issue. What I find more often \nthe question is defining when you've actually invited people in \nand going further is when you've asked them to actually come \ninto your kitchen because you may have asked them to come in to \nyour house, but you may not have asked them to walk around to \nplaces where you didn't want them to walk around.\n    Chairman Barton. I understand that. And I from time to time \non my personal computer in Inez, Texas have downloaded Windows \nsoftware and I have downloaded game, videogame software from \ncertain companies and I wanted that. Now if they put something \non my computer when I downloaded what I wanted that I didn't \nknow about to track my behavior, I want to put a stop to that.\n    If I open my door and there's somebody from Amway outside \nthe door wanting to sell me a product, I can make a decision \nand invite them in and buy the product or not buy the product. \nAnd even to this day and age, Inez, Texas is a small enough \ntown that we do have some door to door salesmen and saleswomen \nstill come by and I'm okay with that, so I want to apply that \nsame concept of privacy, the physical front door, to the \ncomputer front door. And I want the Microsoft people to help us \nand I want the FTC people to help us and at a certain point in \ntime, we want the Department of Justice to help us.\n    If you all understand that, then we're going to be okay. \nNobody is trying to prevent a legitimate business entity from \nproviding a product that is wanted to the end user in their \nhome. 
We're all, I think, trying to prevent the unwanted \nintrusion that is used for purposes that we have not approved \nand most of the time without our even knowing about it. That's \nwhat we're trying to prevent.\n    Mr. Friedberg. We are very eager to work with anyone who is \ntrying to address this problem.\n    Chairman Barton. With that, Mr. Chairman, I'm overextended \nagain and I'm going to yield back.\n    Mr. Stearns. I thank the chairman.\n    Chairman Barton. Let me say one final thing. I don't want \nanybody to be under the impression that this hearing is just a \nhearing and nothing is going to happen. We are going to move \nheaven and earth to work on a bipartisan basis to modify the \nBono Bill and move it at subcommittee and at full committee and \nonto the floor and through the House and hopefully get a \ncompanion bill in the Senate and go to conference and get a \nconference report that's passed by the House and the Senate \nthis year.\n    I'm not guaranteeing that that will happen, but that is the \nintent of this hearing to start the process, regular order to \nmake that possible.\n    Mr. Stearns. I thank the chairman. The gentlelady from \nCalifornia.\n    Ms. Bono. Thank you, Mr. Chairman, I kind of liked it up \nthere in that big fancy chair, but I'm happy to be back here \nand to Chairman Barton, also you forgot the best part of due \nprocess and that was where the President signs the bill, \nultimately, so I'm looking forward to that day as well.\n    Chairman Stearns has mentioned repeatedly, I believe, about \nwhat will become a patchwork of State laws and we've seen the \nUtah bill. There's also a pending bill in State legislature of \nCalifornia that was introduced in February. 
Now as I understand \nthe language, and what it does, they say it prohibits a person \nor entity conducting business in California from hijacking a \nuser's computer, from inhibiting the termination of a computer \nprogram and from surreptitious surveillance of a user's \ncomputer in California.\n    I don't know that that protects the California consumer, \nbut I know that lends to the nightmare of patchwork of \ndifferent State laws, so I think that further gives weight to \nwhat we're trying to do here.\n    I also want to point out that California was the first \nState to pass anti-spam legislation.\n    Commissioner Thompson, I understand you opposed anti-spam \nlegislation on the Federal level. Is that true or did you \nsupport anti-spam legislation?\n    Mr. Thompson. I don't believe I expressed opinion one way \nor the other.\n    Ms. Bono. Okay, did the FTC oppose originally?\n    Mr. Beales. The FTC at various points along the way did not \nrecommend legislation.\n    Ms. Bono. Okay, and are you using it now?\n    Mr. Beales. Well, when CAN-SPAM passed, it was with the \nCommission's support. We are announcing our first case \ntoday.\n    Ms. Bono. Great news. Hopefully that will be the same case \nhere, that we're going to turn you guys around too and we'll be \none big happy family.\n    But on to Microsoft, you mentioned a problem with my bill \nand I wanted a one-step removal tool. As I understand it, with \nKazaa or a real fun version of spyware, adware, I guess Bonzi \nBuddy. If you guys are parents, you know what I'm talking \nabout, this cute little purple gorilla swings suddenly on your \nmonitor, and kids love to download this little Bonzi Buddy. But \nto remove it is nearly impossible, and when we've tried to \nremove little Bonzi Buddy, the purple gorilla, he somehow comes \nback. Is it that impossible? Microsoft, with all of these \nprograms, especially Windows XP, why can't we do one step \nremoval tool?\n    Mr. Friedberg. 
Well, actually, it's largely due to the bad \nactor in this case. If they don't provide that kind of \nfunctionality when they install the software, it's going to be \nhard to figure out how to remove it.\n    I totally advocate the goal of trying to make things as \neasy for people to uninstall as possible. The only trick, \nagain, the devil is in the details is that software is a \ncomplex kind of beast and there's scenarios where it's very \nhard, if not impossible, to remove parts of software without \nremoving larger chunks of things. You can't remove things, for \nexample, that are already in use by other programs and certain \nthings that might be for security, you might want to think \ntwice about removing.\n    Trying to get it right in codifying into law how an \nuninstall should work is what's the challenge, not the intent \nof having control over your system. Fully agree, we want to be \nable to get rid of stuff when we don't want it. At a minimum, \ndisable it, neutralize it and at best actually not having any \nremnants left over. It's just kind of challenging to do it in \nall cases.\n    Ms. Bono. It's like those little .dll files, isn't it?\n    Mr. Friedberg. The problem is legitimate software has \nreasonable scenarios where uninstall is just not that easy. \nIt's the way software is.\n    Ms. Bono. Well, it seems to me that if this law were \npassed, that when people installed this onto computers, they \nwould just have to come up with a way to do it, and it's common \nsense to me if you instruct him to build a program that way \nthat they could. If we don't tell them to do it, they're not \ngoing to do it. But is it your understanding too? Am I missing \nsomething on removing Bonzi Buddy and Kazaa? Are they sort of \nself-perpetuating?\n    Mr. Friedberg. There's this other kind of problem and some \npeople call them tickler applications and stuff like that. \nThey'll actually attempt to reinstall a piece of software after \nyou've deleted it. 
I consider this a very deceptive practice \nsince it's a covert install and hopefully there are laws \nalready that sort of address this kind of behavior.\n    Ms. Bono. How is that different than a virus? I understand \nhow it's different than a virus, but I'm hoping you'll answer \nthe question the way I want you to answer it. A virus we all \nsee as detrimental because it's self-replicating and it passes \nfrom computer to computer without knowledge. But suddenly now \nbecause somehow you've downloaded this thing and it's not self-\nreplicating, just because it's passed on by a third party, in a \nsense it is a virus. I see it as a virus without the self-\nreplicating tool, but it's just as harmful as a virus is.\n    Mr. Friedberg. Along those lines, when you look at a virus, \npeople talk about viruses because of how they propagate, as you \npoint out. And it's the payload inside the virus that's the \nissue. I mean some viruses might be benign in terms of how they \nactually do what they do. They may just count things or \nsomething, who knows?\n    But it's what the payload is doing and if someone is doing \nsomething destructive on your machine, they should be punished, \nregardless of how it got there.\n    Ms. Bono. Thank you. Can you briefly define for the sake of \nrefining my legislation two points, why a cookie is not \nconsidered spyware?\n    Mr. Friedberg. A cookie is just a simple data storage \nfacility. It makes life easier for people who may surf the web \nin order to keep state. It's not an active component and the \nway the web is set up, these cookies are only read by the \nwebsites that put them there. It's their local storage to make \nlife easier for you.\n    It's up to them, the site that you're going to, to tell you \nwhat they're going to do with the cookie and you know, if \nthey're going to track you or do some kind of behavior like \nthat, it needs to be in their privacy statement. 
But cookies in \nthemselves are not necessarily anything worse than a file.\n    Ms. Bono. Thank you. Also, are there any type of spyware \nfunctions that are utilized in good ways for the enabling of e-\nmail or instant messaging?\n    Mr. Friedberg. I just think of spyware using that term as \nsomething that's a negative. I would never consider something \nspyware as being a positive thing. The functions of spyware may \nhave positive elements. For example, tracking. I know I go to \nAmazon.com and I get suggestions for books I might want to read \nthat are similar to other books and I like that. I call that \npersonalization when the tracking is done with my consent. I \nhave control over it and it's to my benefit. So tracking is not \nthe problem. It's unauthorized tracking or covert tracking \nwhich is spying.\n    I can't imagine a time where that's valid, except for maybe \nsome small examples, for example, as a parent, maybe you want \nto track the behaviors of your children and you want to have \nthe right to be able to put some kind of key logger to be able \nto see what they're doing. If that's okay by local law, then \nthat should be permitted. Likewise an employer/employee \nrelationship. If it's allowed that you can monitor employee \nbehavior, you're going to use one of these tools that we talked \nabout and that's a valid, potentially legal use that makes \nsense.\n    Ms. Bono. Actually, the bill clearly defines those two uses \nas fine. But also, I always think that's sort of repetitious \nanyway because the owner of the computer is generally the \nparent, first of all. So you're installing it on your own \nproperty and I would think the same with an employer, but we do \ndefine those two in the bill.\n    Mr. Chairman, I have gone over my time. I just really want \nto thank you for this hearing and thank our panelists. 
I really \nlook forward to passing something that protects the American \nconsumer and continues to broaden the American experience with \ncomputers.\n    Mr. Stearns. I thank the gentlelady and we'll conclude our \nhearing.\n    Mr. Friedberg, I think you answered her question when the \nquestion was it's not easy to take the spyware off your \ncomputer. If I went back to my computer without having a high \ntech person, I couldn't do it, could I?\n    Mr. Friedberg. Actually, what I recommend to people \nnowadays is to use a third party and a spyware tool.\n    Mr. Stearns. You need a spyware tool, you need a third \nparty and somebody needs to have technical expertise.\n    Mr. Friedberg. As of today.\n    Mr. Stearns. As of today.\n    Mr. Friedberg. That's the situation. These things are \nrelatively new and people are just trying to catch up with the \nway that they're doing what they're doing.\n    We would like to see longer term solutions that are more \nholistic, especially in the technology area because we have \nsome control over that, that make it less likely that this can \nhappen to you.\n    Mr. Stearns. But I think it goes to the heart of what Ms. \nBono has mentioned is, in the heart of the discussion today is \nthat the average consumer cannot take these off themselves and \nsecond, they don't even know they're on the computer.\n    Mr. Friedberg. I can't take them off myself.\n    Mr. Stearns. You can't.\n    Mr. Friedberg. I use a third party tool at this point.\n    Mr. Stearns. Okay.\n    Mr. Friedberg. And I'm looking for relief as well.\n    Mr. Stearns. 
I'll just conclude by saying that I think \nspyware is not just at our gates, but through the gate, through \nthe door of our homes and now in our computers with full spying \nprivileges and I think this hearing has brought a lot of \ninformation to the forefront and helps obviously all of us as \nlegislators to think this through and try to come up with \nlegislation which is balanced and I want to thank all of you \nfor your time and your patience. With that, the subcommittee is \nadjourned.\n    [Whereupon, at 12:22 p.m., the hearing was concluded.]\n    [Additional material submitted for the record follows:]\n\n    Prepared Statement of Roger Thompson, Vice President of Product \n                     Development, PestPatrol, Inc.\n\n    Mr. Chairman and Members of the Subcommittee, thank you for the \nopportunity to submit comments on the important issue of spyware and \nits threats to the security and privacy of consumers and businesses.\n    Before I offer an assessment of the situation and possible actions \nto address it, let me provide a brief overview of my company. \nPestPatrol was founded in May 2000 by a team of security software \nprofessionals to counter the growing threat of malicious non-viral \nsoftware. We are the leading provider of anti-spyware software to \nconsumers. Our database of malicious code--what we call ``pests''--is \nthe most extensive in the industry and serves as the basis for many of \nthe research results about which we read in the press.\n\nDefinition Debate\n    No one debates that spyware is becoming a relentless onslaught from \nthose seeking to capture and use private information for their own \nends. However, there continues to be much debate about what constitutes \nspyware.\n    While that debate is an important one in terms of possible \nremedies, we can count the cost that unfettered spyware is having on \nindividual users as well as on corporate networks. 
Regardless of \nwhether we agree to divide the term spyware into various subsets such \nas adware or malware, the truth is that any software application, if it \nis downloaded unknowingly or unwittingly, and without full explanation, \nis unacceptable and unwelcome.\n    At PestPatrol we define spyware as any software that is intended to \naid an unauthorized person or entity in causing a computer, without the \nknowledge of the computer's user or owner, to divulge private \ninformation. This definition applies to legitimate business as much as \nto malicious code writers and hackers who are taking advantage of \nspyware to break into users' PCs.\n\nSpyware Dangers Real and Extensive\n    The dangers of spyware are not always known and are almost never \nobvious. Usually, you know when you have a virus or worm--these \nproblems are ``in your face''. Spyware silently installs itself on a \nPC, where it might start to take any number of different and unwanted \nactions, including:\n\n- ``Phoning home'' information about you, your computer and your \n        surfing habits to a third party to use to spam you or push pop-\n        up ads to your screen\n- Open up your computer to a remote attacker using a RAT--a Remote \n        Access Trojan--to remotely control your computer\n- Capture every keystroke you type--private or confidential emails, \n        passwords, bank account information--and report it back to a \n        thief or blackmailer\n- Allow your computer to be hijacked and used to attack a third party's \n        computers in a denial-of-service attack that can cost companies \n        millions and make you liable for damages\n- Probe your system for vulnerabilities that can enable a hacker to \n        steal files or otherwise exploit your system.\n    The newest threat is that of large numbers of captured personal \ncomputers mobilized into ``Bot Armies'' and used to launch highly \norganized Distributed Denial of Service (DDoS) attacks 
aimed at \ndisrupting major business or government activity. Individual PC users \nare never aware that their machine is being used to disrupt internet \ntraffic. There is currently little or no recourse to a legal solution \neven if the occurrence can be monitored.\n    Many PC users have unwittingly loaded, or unknowingly had spyware \ndownloaded onto their computers. This happens when a user clicks \n``yes'' in response to a lengthy and often extremely technical or \nlegalistic end user licensing agreement. Or it happens when a user \nsimply surfs the web, where self-activating code is simply dropped onto \ntheir machines in what is known as a ``drive-by-download.''\n\nSpyware Harms Computer Performance\n    The misuse of technology and hijacking of spyware is a real and \npresent danger to security and privacy. Unfortunately, the ill effects \nof spyware do not stop there. Spyware seriously degrades computer \nperformance and productivity.\n    Testing earlier this month at the PestPatrol research laboratory \nrevealed that the addition of just one adware pest slowed a computer's \nboot time--the amount of time it took to start up and function--by 3.5 \ntimes. Instead of just under 2 minutes to perform this operation, it \ntook the infected PC close to 7 minutes. Multiply that by a large \nnumber of PCs and you have a huge productivity sink hole. Add another \npest and the slow-down doubles again.\n    We also tested web page access, and again it took much longer once \na pest was added to a clean machine. Almost five times longer in fact \nfor a web page to load on an infected PC. The pest also caused 3 web \nsites to be accessed, rather than the one requested, and caused the PC \nto transmit and receive much greater amounts of unknown data--889 bytes \ntransmitted compared to 281 transmitted from the clean machine, and \n3086 bytes received compared to 1419 bytes received by the clean \nmachine. 
This translates into significant increases in bandwidth \nutilization. Managing bandwidth costs money.\n    Increased costs due to unnecessary consumption of bandwidth on \nindividual PCs, and the necessary labor cost in rebuilding systems \nto ensure they are no longer corrupt, are virtually unquantifiable. It's \nlikely quite large. System degradation is time consuming for the \nindividual PC user and even more so for network administrators managing \ncorporate networks. Even new PCs straight from the factory come loaded \nwith thousands of pieces of spyware, all busy ``phoning-home'' \ninformation about the user and slowing down computing speeds.\n    Users do not invite this spyware onto their machines and should not \nhave to live with it. Clearly this level of infestation is stepping \nbeyond the bounds of what is fair and reasonable.\n\nSolutions\n    On the basis of our extensive work in this area, we at PestPatrol \nbelieve only a combination of consumer education and protection, \ndisclosure through legislation, and active prosecution will provide the \nanswer needed to address the spyware threat. None of these solutions by \nthemselves is enough. While we advocate and applaud industry self-\nregulation, we do not believe that it alone will be speedy or dramatic \nenough to address the spyware problem.\n    The first line of defense is education and protection. Any \nindividual or business connected to the Internet today has to realize \nthey are part of a complex network that is inextricably intertwined. \nCreators of spyware take advantage of that fact, plus the knowledge \nthat most PC users are not sophisticated technologists. As an industry, \nwe have begun to make computer users aware of the spyware threat by the \ncreation of and active outreach by several groups and organizations. 
\nPestPatrol is a founding member of the Consortium of Anti-Spyware \nTechnology, or COAST, a non-profit organization of anti-spyware \ncompanies and software developers committed to best practices.\n    Consumer education about spyware and promotion of comprehensive \nanti-spyware software aimed at detecting and removing unwanted pests is \nfundamental to our outreach. Our efforts are modeled after the decade-\nlong effort by anti-virus software companies to raise awareness about \nvirus threats. However, we also acknowledge that consumers, precisely \nbecause of the insidious nature of spyware, can only do so much to \nprotect themselves, and cannot be alone responsible for controlling the \nspread of spyware.\n    Which brings us to the second line of defense--disclosure \nlegislation. All applications, including those that are bundled and \ndownloaded along with free software and with legitimate commercial \napplications, should be readily identifiable by users prior to \ninstallation and made easy to remove or uninstall. It is this \ntransparent disclosure, and the ability of consumers to decide what \ndoes and does not reside on their systems, that needs to be legislated. \nConsumers should have the ability to make fully informed decisions \nabout what they choose to download onto their machines, while \nunderstanding the implications of doing so.\n    The third line of defense is aggressive prosecution. The deceptive \npractices employed by many spyware developers are already illegal under \nexisting laws against consumer fraud and identity theft. Law \nenforcement agencies at the federal and state level should be \nencouraged to more aggressively pursue and prosecute those who \nclandestinely use spyware to disrupt service, steal data or engage in \nother illegal activity. 
A greater focus on spyware and the necessary \nallocation of resources to pursue this criminal activity is vital.\n    Spyware is a significant threat to the effective functioning and \ncontinued growth of the Internet. It is more than a nuisance. Given the \ndangers it represents, it is important that consumers, business and \ngovernment work together to address the issue and safeguard the \nproductivity and utility of the Internet computing environment.\n    I sincerely appreciate the opportunity to present my company's \nideas on how to achieve this goal. Thank you.\n                                 ______\n                                 \n              Prepared Statement of Webroot Software, Inc.\n\n    Webroot Software, Inc. appreciates the opportunity to provide \nwritten comments in conjunction with the Subcommittee's hearing on \nspyware. The hearing title is most appropriate. Spyware presents a \nserious problem for both the public and businesses, yet there is still \nminimum awareness about the significant risks associated with the rapid \ngrowth of spyware.\n\nExperts at Fighting Spyware\n    Webroot Software, Inc., was founded in 1997 to provide computer \nusers with privacy, protection and peace of mind. Today, Webroot \nprovides solutions and services for millions of users around the world, \nranging from enterprises, Internet service providers, government \nagencies and higher education institutions, to small businesses and \nindividuals.\n    Among its award winning products is Spy Sweeper, winner of PC \nMagazine's 2004 Editors' Choice award. 
The magazine's objective review \nof 14 spyware detection products found: ``Spy Sweeper is the most \neffective standalone tool for detecting, removing and blocking \nspyware.'' In the April 5 issue of Business Week, Stephen Wildstrom, \nauthor of the ``Technology and You'' column also recommended Spy \nSweeper, referring to Webroot as the ``established leader'' in the \nmarket.\n    Webroot's world headquarters is located in Boulder, Colorado, with \na European headquarters in Frankfurt, Germany, and sales offices in \nChicago, London, Amsterdam, and Paris. Webroot products are sold online \nat www.webroot.com, and at leading retailers around the world, \nincluding Best Buy, CompUSA, Circuit City, Fry's, Staples and \nMicroCenter. In addition, Webroot provides a full suite of privacy and \nsecurity solutions designed to help ISPs like Earthlink provide value-\nadded products and services to their customers.\n    Every day, Webroot employees talk to computer users in the U.S. and \nEurope who are being negatively impacted by spyware that has found its \nway onto their computers. Webroot is on the front lines fighting \nspyware, but Congress and the Federal Trade Commission (FTC) have \ncritical roles to play on this issue to increase public awareness, \ndevelop and reinforce clear rules, and actively enforce the law.\n\nDefining Spyware\n    In 2003, Webroot helped to found the Consortium of Anti-Spyware \nTechnology vendors (COAST), a non-profit organization established to \nfacilitate collaboration among spyware detectors and increase awareness \nof the growing spyware problem.\n    COAST defines spyware as: Any software program that aids in \ngathering information about a person or organization without their \nknowledge, and can relay this information back to an unauthorized third \nparty.\n    ``Without your knowledge'' and ``to an unauthorized third party'' \nare key components of this definition. 
The FTC recently held a workshop \non spyware, which they appropriately titled: ``Computer Monitoring \nSoftware on Your PC: Spyware, Adware, and Other Software.'' As the \nproblem of spyware has grown, a slew of new words has surfaced. For \ninformational purposes, we have attached as an appendix the glossary of \nspyware-related terms developed by COAST.\n    From a pure technology point of view, there is little difference \nbetween computer monitoring programs that serve legitimate purposes and \nthose that put your privacy and personal information at serious risk. \nFor example, a keylogger program like ChildSafe, a Webroot product, \nprovides parents with the ability to monitor their children's online \nactivities by tracking what the child types on the keyboard. A \nfunctionally similar keylogger program installed without permission by \nJuju Jiang on computers in at least 15 Kinko's stores provided him with \npersonal information about over 400 people, which he used to open bank \naccounts and commit other illegal activities. Fortunately, that was one \ncase that the government successfully investigated and prosecuted, but \nthere are many more cases where the perpetrators are not yet \nidentified, or even worse, where the victims do not even know they are \nvictims.\n    Thus, there is not a technological definition for spyware. The \ndefinition is contextual--how the program came to reside on your \ncomputer is a threshold question to defining it as spyware.\n\nThe Anatomy of Spyware\n    There are many kinds of programs that fit within this definition of \nspyware. The COAST glossary attached as an appendix provides a more \ncomplete list, but the four most common forms of spyware are the following.\n    Back Door Trojans are malicious programs that appear as harmless or \ndesirable programs. Back Door Trojans deploy remote access tools, \nallowing hackers to gain unrestricted access to a user's computer. 
\nTrojans can be deployed as email attachments, or bundled with another \nsoftware program.\n    Keyloggers are programs that can monitor and record the user's \nevery keystroke. Key loggers can be used to gather sensitive data such \nas username and password, private communications, credit card numbers, \netc.\n    System Monitors are applications designed to monitor computer \nactivity. These programs can capture everything that is done on a \ncomputer. Information can be received at the computer, through remote \naccess, or scheduled emails.\n    Adware is advertising supported software that displays pop-up \nadvertisements whenever the program is running. Once installed, these \nprograms will download and install new software and data files--\nadvertisements, etc.--based on user activities such as websites visits.\n    Unlike a virus that many users get in the same way at the same \ntime, spyware finds its way onto your computer through multiple \nchannels at multiple times. Spyware may arrive bundled with freeware or \nshareware, through peer-to-peer downloads, attached to or embedded in \nemail or instant messenger communications, as an ActiveX installation, \nor it may be placed on your computer accidentally or deliberately by \nsomeone with access to it. Once on your system, spyware secretly \ninstalls itself and goes to work.\n    Anti-virus software does not offer protection from spyware because \nspyware is not viral. Since it attaches itself to legitimate downloads, \nspyware can often pass easily through firewalls unchallenged. And by \nintertwining itself with files essential to system operation, spyware \ncannot be safely removed by simply deleting files with a system-\ncleaning tool.\n    In its most benign form, spyware can significantly slow systems \ndown and result in more pop-up ads than usual. The more malicious \nspyware programs can lead to identity theft, theft of intellectual and \nother property, and data corruption. 
Unlike personalization or session \ncookies, spyware is difficult to detect, and difficult (if not \nimpossible) for the average user to remove manually.\n    Some of the types of information collected by spyware programs \nwithout the knowledge of the computer owner are:\n\n- Usernames and Passwords\n- Electronic Assets\n- Browsing Habits\n- Applications Used\n- Personal Information\n- Email & IM Conversations\n- IP and Trade Secrets\n- Financial Records\n- Customer Databases\n    Spyware can execute unwanted, unauthorized, and/or inappropriate \ncode and use vital system resources. Spyware programs can be used to \nfacilitate the unauthorized use of your machine for things like:\n\n- Email Forwarding to Send Spam\n- Background Computing\n- Hacker Attacks\n    While some argue that spyware is installed with the user's \nknowledge (although the user may not understand exactly what s/he has \ndone), most of the time it is installed surreptitiously as part of \nanother program installation. Even if the bundling of software and \ninformation tracking practices are disclosed to the consumer through \nthe End User License Agreement (EULA), such disclosures are rarely \nclear and conspicuous. Even when they exist, notices often fail to \nprovide users with a real understanding of what information will be \ncollected and how the entity collecting the information will use it.\n\nA Real and Growing Problem\n    Earthlink and Webroot collaborated in the first quarter of 2004 to \noffer a free SpyAudit to Earthlink subscribers. On April 15, 2004 the \ncompanies jointly released the findings for January 1, 2004 through \nMarch 31, 2004. During that timeframe, 1,062,756 spyware scans were \nrun, identifying a total of 29,540,618 instances of spyware, meaning \nroughly 28 instances of spyware per PC. 
Of particular concern was the \nlarge number of System Monitors and Trojans found, which accounted for \n369,478 of all the spyware instances found.\n    Expert reports have estimated that 9 out of 10 PCs in the United \nStates are infected with spyware. Studies have often shown that \nspyware is growing at a much faster rate than computer viruses.\n\nResponding to Spyware\n    The unfortunate reality is that there is probably no way to \ncompletely eradicate spyware. The Internet is global, which makes \nestablishing and enforcing legal standards challenging. There are also \nsignificant economic drivers that make the creation and dissemination \nof spyware very appealing to many people, both in the U.S. and abroad. \nThe combination of a profit-driven motivation, coupled with the \nvulnerability of personal information, makes spyware unique and more \nthreatening than many other online security and privacy concerns, like \nviruses and spam, which the government has addressed in the past \nseveral years.\n    It is clearly going to take a combination of technology, public \neducation, sound public policy and strong enforcement to address this \nproblem. To that end, we applaud the efforts of Congresswoman Bono, \nCongressman Towns, Senators Burns, Boxer and Wyden and the FTC to call \nattention to the serious negative impacts that spyware can have on the \npublic and the economy. Increased awareness and education about spyware \nare essential to effectively deal with the problem.\n    Certainly, regulating technology-related issues is inherently \ntricky, but this is not an issue that will go away by itself, and \nindustry self-regulation is unlikely to adequately address the issue in \na reasonable time frame. Congress has an opportunity to address this \nissue before it becomes debilitating. H.R. 2929 and S. 2145 offer \nalternative approaches, both with good qualities. We urge that this \nissue not be set aside to resolve itself--because it won't. 
We are on \nthe front lines of this arms race, and we need reinforcement in the \nform of clear rules related to spyware to help us effectively fight for \nbusinesses and consumers who need to retain control over their PCs.\n    We appreciate the opportunity to share our views with the \nSubcommittee.\n\n Glossary of Spyware Related Terms Developed by the Consortium of Anti-\n                       Spyware Technology Vendors\n\n    Adware: Often used as a term for spyware, it is preferred and used \nby makers of software that include ad-serving mechanisms. Adware is \nadvertising-supported software that displays pop-up advertisements \nwhenever the program is running.\n    Browser Helper Object (BHO): A small program that runs \nautomatically every time an Internet browser is launched. Generally, a \nBHO is placed on the system by another software program and is \ntypically installed by toolbar accessories. BHOs can track usage data \nand collect any information displayed on the Internet.\n    Bundled: An arrangement in which one or more software programs are \nincluded with another program, for technical reasons or because of a \nbusiness partnership. Many instances of spyware installations come \nthrough bundling.\n    Cookie: A mechanism for storing a user's information--such as login \ninformation and passwords, or a user's previous activity on a site--on \na local drive.\n    Dialers: Dialers are software that, once downloaded, disconnects \nthe user from his or her modem's usual Internet service provider and \nconnects to another phone number, for which the user is then billed.\n    Drive-by Download: While not a piece of spyware itself, this \nmisleading dialog box serves as a gateway for the stealth \ninstallation of spyware applications. 
In some cases, spyware can be \ninstalled even if the user does not choose the ``yes'' or ``accept'' \nbutton.\n    File-sharing programs: These are software applications that allow \nthe exchange of files (especially music, games, and video) over a \npublic or private network. See Peer-to-Peer.\n    Freeware: Software that can be downloaded and shared at no cost.\n    Hijacker: Hijackers typically come in two categories, Browser/Page \nHijackers and System Hijackers:\n\nBrowser/Page Hijackers: Applications that attempt to take control over \n        a user's home page or desktop icons, resetting them to a \n        predetermined website destination.\nSystem Hijacker: Software that uses the host computer's resources to \n        proliferate itself or use the system as a resource for other \n        activities. This taxes the host computer's resources, \n        negatively affecting computer and Internet speeds.\n    Keyloggers--See System Monitors.\n    Opt-in: An online process by which a user chooses to receive \ninformation (such as e-mail newsletters) or software, often by checking \na check box on a Web page or software installation screen.\n    Opt-out: An online process (such as un-checking a pre-checked box) \nby which a user actively chooses not to receive information, such as e-\nmail newsletters or software. Actively opting out will prevent a user's \ninformation from being shared with businesses.\n    Users should be warned that most ``opt-out'' options are actually a \nscam that serves to confirm legitimate/active email addresses. 
Privacy \nexperts recommend that users do not use the ``opt-out'' option unless \nthey are personally familiar with the company where the email \noriginated.\n    Parasite: A parasite is unsolicited commercial software or programs \ninstalled on a computer for profit without the consent or knowledge of \nthe user.\n    Parasiteware: Parasiteware is the term for any Adware that by \ndefault overwrites affiliate-tracking links. This behavior is viewed as \nparasitic because this software diverts affiliate commissions and \ncredits the affiliate's income to another party. To the end user, \nParasiteware is not a serious security threat. See Thiefware.\n    Peer-to-peer (P2P): A method of file sharing over a network in \nwhich individual computers are linked via the Internet or a private \nnetwork to share programs/files, often illegally. Users download files \ndirectly from other users' computers, rather than from a central \nserver.\n    Many P2P programs bundle third-party advertising programs and are \ncurrently the second largest source of virus, Trojan and data mining \ninfections.\n    Remote Administration Tools/RATs: Some Trojans, called RATs \n(Remote Administration Tools), allow an attacker to gain unrestricted \naccess to a computer whenever the user is online. The attacker can \nperform activities such as file transfers, adding/deleting files, and \ncontrolling the mouse and keyboard.\n    Scumware: A slang term for spyware or any unwanted software/\nprograms installed on your computer.\n    Shareware: Software that is distributed--usually via the Internet \nand/or CD-ROM--for free and on a trial basis.\n    System Monitors/Keyloggers: These applications are designed to \nmonitor computer activity to various degrees. 
They can capture \nvirtually everything a user does on his or her computer, including \nrecording all keystrokes, emails, chat room conversations, web sites \nvisited, and programs run.\n    Thiefware: Thiefware applications steal affiliate commissions by \neither overwriting tracking cookies or spawning new windows to redirect \ntraffic from search engine keywords or other websites. This practice, \nwhile not currently illegal, is considered unethical among those in the \nmerchant/affiliate community. See Parasiteware.\n    Tracking Cookies: Not to be confused with personalization cookies \n(which allow users to customize pages and remember passwords), some web \nsites now issue tracking cookies. Tracking cookies allow multiple web \nsites to store and access records that may contain personal information \n(including surfing habits, user names and passwords, areas of interest, \netc.), and subsequently share this information with other web sites and \nmarketing firms.\n    Trojan Horses: Trojans are malicious programs that appear as \nharmless or desirable applications. Trojans are designed to be actively \nharmful to PCs by intentionally damaging PC operating systems, other \nsoftware or hard drives. Trojans are generally distributed as email \nattachments or bundled with another software program (often fraudulent \nversions of legitimate software).\n    Web bugs: A file, usually a small or invisible graphic image, that \nis placed on a Web page or in e-mail to allow a third party to monitor \nuser behavior.\n                                 ______\n                                 \n              Downloading Shared Files Threatens Security\n                     by Sgt. 1st Class Eric Hortin\n\n    FORT HUACHUCA, Ariz. 
(Army News Service, April 22, 2004)--People \nspend hours in front of their computer screens, downloading music or \nnew movies from the Internet and not paying a cent. The Army considers \nsuch action on government computers to be a security threat.\n    One technology used to download files is Peer-to-Peer (P2P) \narchitecture. It is a type of network in which each workstation has the \ncapability to function as both a client and a server. It allows any \ncomputer running specific applications to share files and access \ndevices with any other computer running on the same network without the \nneed for a separate server. Most P2P applications allow the user to \nconfigure the sharing of specific directories, drives or devices.\n    In a white paper written by the Army's Computer Network Operations \nIntelligence section, unauthorized P2P applications on government \nsystems ``represent a threat to network security.''\n    ``The idea of someone else getting unfettered access to anything of \nyours without your explicit consent should scare anybody--and that's \nexactly what P2P authorizes,'' says Zina Justiniano, an intelligence \nanalyst with the U.S. Army Network Enterprise Technology Command's \n(NETCOM) Intelligence Division, G2. ``P2P is freeware. Freeware, \nshareware--most of the stuff that you pay nothing for, has a high \nprice. The fact that it's free says that anybody and their cousin can \nget it; that means that anybody and their cousin can get to your \nmachine.'' P2P applications are configured to use specific ports to \ncommunicate within the file sharing ``network,'' sometimes sidestepping \nfirewalls. This circumvention creates a compromise and potential \nvulnerabilities in the network that, in a worst-case scenario, can lead \nto network intrusions, data compromise, or the introduction of illegal \nmaterial and pornography. There is also the issue of bandwidth. 
Since \nthe start of the global war on terrorism, the most pressing issue from \nservice members in the field has been the shortage of bandwidth to \ntransmit battlefield intelligence to combatant commanders. The average \nfour-minute song, converted into an audio file recorded at 128-bit, can \nbe upwards of 5 megabytes. Full-length video MPEG files can easily \nreach 1.6 gigabytes. Depending on the connection speed, even a small \nfile may take several minutes to hours to download, using valuable \nbandwidth. Unauthorized use of P2P applications accounts for \nsignificant bandwidth consumption. It limits the bandwidth required for \nofficial business and the storage capacity on government systems. \nWhile those who monitor the Army networks agree that copyright \ninfringement is a valid issue, they do have other, more important \nconcerns.\n    There are several known Trojan horses, worms and viruses that use \ncommercial P2P networks to spread and create more opportunities for \nhackers to attack systems. Trojan horse applications record information \nand transmit it to an outside source. They can also install \n``backdoors'' on operating systems, transmit credit card numbers and \npasswords--making these malicious programs a favorite of hackers. Some \nof the malicious codes allow hackers to snoop for passwords, disable \nantivirus and firewall software, and link the infected system to P2P \nnetworks to send large amounts of information (spam) using \nvulnerabilities in Windows operating systems.\n    ``If it's a really good Trojan horse, it will actually run two \nprograms; it will run the program they said they were going to run, so \nthey will not only download it, but they will install it and be very \nhappy that it's there,'' Justiniano said. ``Meanwhile in the \nbackground, another program is doing malicious damage to the computer \nby either damaging files or possibly taking files off the computer \nwithout your knowledge. 
If it's a really nice program that runs well, \n(the user) will pass that file over to someone else because they really \ngot their money's worth out of it. People will just keep passing it \nalong.''\n    Trojan horses are not the cause of all security issues. Oftentimes, \n``spyware'' applications are installed with the user's consent; it's \nburied in the really long agreement that nobody reads that a user must \nclick, ``I Accept,'' in order to begin the installation. This is \nespecially true with freeware applications downloaded from the \nInternet. According to published reports, a couple of years ago, some \nP2P applications came packaged with a spyware application that acted as \na Trojan horse. This specific program sent information to an online \nlottery server.\n    Those are just a couple of reasons the Army doesn't want its people \nloading P2P on their systems, and has enacted regulations prohibiting \nloading those applications.\n    The Army's regulation on Information Assurance, Army Regulation 25-\n2, specifically prohibits certain activities, sharing files by means of \nP2P applications being one of them. There are some, however, who have \nP2P applications on their Army systems and use them despite the \nprohibition of such activities.\n    Over a two-month period at the end of last year, government \norganizations identified more than 420 suspected P2P sessions on Army \nsystems in more than 30 locations around the globe.\n    It seems some don't understand or haven't read the standard \nDepartment of Defense warning that says, ``Use of this DOD computer \nsystem, authorized or unauthorized, constitutes consent to \nmonitoring.'' For those who think, ``How are they going to know it's \nme? 
I'm just one person in a network of hundreds of thousands,'' don't \nbe surprised when network access is cut off and the brigade commander \nis calling.\n    It is the role of the Theater Network Operations and Security \nCenter, located at Fort Huachuca, Ariz., to monitor and defend its \nportion of the Army network. This includes identifying potential \nsecurity risks to the network, such as unauthorized P2P applications, \nwhich create a considerable risk to those networks.\n    ``People shouldn't assume they are using P2P applications in \nsecrecy,'' said Ronald Stewart, deputy director of the C-TNOSC. ``We \nare able to detect use of P2P, and when we do, we take measures. We can \ndetect and identify systems with P2P software on them; and when we find \nthem, we direct the removal of the software from the system through the \ncommand chain.''\n    Some Soldiers try to work around the Army networks to feed their \nP2P habits. Lt. Col. Roberto Andujar, director of the C-TNOSC, says \nusing the Terminal Server Access Controller System (TSACS) to dial into \nthe military network is not a work-around, because there are tools in \nplace to identify P2P traffic.\n    Methods commonly used by commercial industry, such as Internet \nProtocol (IP) address and port blocking, random monitoring, and router \nconfiguration, are among those the C-TNOSC and installations use to \nprevent P2P access. There are other methods used, but specific examples \ncannot be discussed.\n    Commanders who unwittingly allow P2P to run unchecked on their \nnetworks are not exempt from liability. Commanders may be held \npersonally liable for any illegal possession, storage, copying, or \ndistribution of copyrighted materials that occurs on their networks. 
\nSoldiers, civilian employees and contractors face even tougher \npenalties.\n    People using P2P on government computers can look forward to \nother, possibly harsher, punishments depending on the kinds of files \nthe users are sharing.\n    ``Say you have a Soldier downloading music through P2P, in \nviolation of copyright rules,'' said Tom King, a legal adviser with \nNETCOM. ``The people who own the copyright can actually sue that \nSoldier. Then you have the issue that he's violating a lawful order. \nThen you have the issue that it's a misuse of government time and \nmisuse of a government resource. He can be in a world of hurt. Then \nhe's also exposing the Army network to hacking attacks.''\n    ``Prosecutions are on the rise. Discipline is on the rise. People \nare taking this stuff more and more seriously all the time,'' King \nsaid. ``People just don't understand that there's a price to be paid \nfor this.''\n    Not understanding seems to be the main reason P2P applications keep \nshowing up on Army computer systems.\n    ``User education is one of the keys,'' said Kathy Buonocore, chief \nof the Regional Computer Emergency Response Team. ``Some users don't \nknow it's illegal.''\n    ``When I call some commanders and tell them, they say, `What's \nP2P?' '' Andujar said. ``Commanders have to be educated and take \naction.''\n    Education has to extend down to the organization administrators. \nJustiniano says those who have administrator privileges on government \ncomputer systems are the ones loading the unauthorized programs. 
To \nprevent this, system and network administrators should configure \nsystems correctly, so users cannot install unauthorized software.\n    ``There are very few benefits that are not addressed somewhere \nelse, that do not include the risk of P2P software,'' Justiniano said, \nadding that the use of Army Knowledge Online knowledge centers and \nsecure File Transfer Protocol sites is their preferred method of file \nsharing.\n    (Editor's note: Sgt. 1st Class Eric Hortin is a journalist for the \nU.S. Army Network Enterprise Technology Command.)\n\n</pre></body></html>\n"