[Senate Hearing 108-1002]
[From the U.S. Government Publishing Office]


                                                      S. Hrg. 108-1002

                     S. 2145, ``THE SPY BLOCK ACT''

=======================================================================

                                HEARING

                               BEFORE THE

                     SUBCOMMITTEE ON COMMUNICATIONS

                                 OF THE

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 23, 2004

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation


[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


                           U.S. GOVERNMENT PUBLISHING OFFICE
20-672 PDF                       WASHINGTON : 2016                           

_______________________________________________________________________________________       
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].  
      
       
       
       
       
       
       
       
       
       
       
       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                     JOHN McCAIN, Arizona, Chairman
TED STEVENS, Alaska                  ERNEST F. HOLLINGS, South 
CONRAD BURNS, Montana                    Carolina, Ranking
TRENT LOTT, Mississippi              DANIEL K. INOUYE, Hawaii
KAY BAILEY HUTCHISON, Texas          JOHN D. ROCKEFELLER IV, West 
OLYMPIA J. SNOWE, Maine                  Virginia
SAM BROWNBACK, Kansas                JOHN F. KERRY, Massachusetts
GORDON H. SMITH, Oregon              JOHN B. BREAUX, Louisiana
PETER G. FITZGERALD, Illinois        BYRON L. DORGAN, North Dakota
JOHN ENSIGN, Nevada                  RON WYDEN, Oregon
GEORGE ALLEN, Virginia               BARBARA BOXER, California
JOHN E. SUNUNU, New Hampshire        BILL NELSON, Florida
                                     MARIA CANTWELL, Washington
                                     FRANK R. LAUTENBERG, New Jersey
      Jeanne Bumpus, Republican Staff Director and General Counsel
             Robert W. Chamberlin, Republican Chief Counsel
      Kevin D. Kayes, Democratic Staff Director and Chief Counsel
                Gregg Elias, Democratic General Counsel
                                 
                                 
                                 ------                                

                     SUBCOMMITTEE ON COMMUNICATIONS

                    CONRAD BURNS, Montana, Chairman
TED STEVENS, Alaska                  ERNEST F. HOLLINGS, South 
TRENT LOTT, Mississippi                  Carolina, Ranking
KAY BAILEY HUTCHISON, Texas          DANIEL K. INOUYE, Hawaii
OLYMPIA J. SNOWE, Maine              JOHN D. ROCKEFELLER IV, West 
SAM BROWNBACK, Kansas                    Virginia
GORDON H. SMITH, Oregon              JOHN F. KERRY, Massachusetts
PETER G. FITZGERALD, Illinois        JOHN B. BREAUX, Louisiana
JOHN ENSIGN, Nevada                  BYRON L. DORGAN, North Dakota
GEORGE ALLEN, Virginia               RON WYDEN, Oregon
JOHN E. SUNUNU, New Hampshire        BARBARA BOXER, California
                                     BILL NELSON, Florida
                                     MARIA CANTWELL, Washington
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on March 23, 2004...................................     1
Statement of Senator Allen.......................................    27
Statement of Senator Boxer.......................................     4
    Prepared statement...........................................     5
Statement of Senator Burns.......................................     1
Statement of Senator Wyden.......................................     3

                               Witnesses

Berman, Jerry, President, The Center for Democracy & Technology..    15
    Prepared statement...........................................    17
Holleyman II, Robert W., President and CEO, Business Software 
  Alliance (BSA).................................................    11
    Prepared statement...........................................    12
Levine, Dr. John, President and CEO, Taughannock Networks, and 
  Author, The Internet for Dummies...............................    22
    Prepared statement...........................................    24
Naider, Avi Z. President and Chief Executive Officer, WhenU.Com, 
  Inc............................................................     5
    Prepared statement...........................................     7

 
                     S. 2145, ``THE SPY BLOCK ACT''

                              ----------                              


                        TUESDAY, MARCH 23, 2004

                               U.S. Senate,
                    Subcommittee on Communications,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:30 p.m. in 
room SR-253, Russell Senate Office Building, Hon. Conrad Burns, 
Chairman of the Subcommittee, presiding.

            OPENING STATEMENT OF HON. CONRAD BURNS, 
                   U.S. SENATOR FROM MONTANA

    Senator Burns. We will call the Committee to order. Thank 
you for coming today as we look at another problem we face in 
the world of Internet. In the world of worms and viruses, you'd 
think this would be the Ag Committee but it's not. Cookies and 
implants, you can put that it in any committee. But today's 
hearing concerns a topic of critical importance to the future 
of consumer privacy and electronic commerce in the digital age, 
and I refer to the flood of spyware, which has been 
increasingly burrowing itself into consumers' computers, often 
without their knowledge.
    I'm pleased to benefit from the hard work and expertise of 
my friend, Senator Wyden. We've worked together on many issues 
and I look forward on working with him on this one. We passed 
CAN SPAM, which after 4 years finally became law, and we may be 
a little bit ahead of the curve whenever we start talking about 
the subject that we're visiting about today. I'm convinced that 
spyware is potentially an even greater concern than junk e-
mail, given its invasive nature.
    I appreciate the support of another one of my colleagues on 
the Committee who has been an ardent defender of consumers' 
rights online, and of course, that's Senator Boxer of 
California. Together we have crafted legislation aimed at 
ending the insidious operation of spyware, and it is the SPY 
BLOCK Act of 2004.
    Spyware refers to the software that is downloaded onto 
users' computers without their knowledge or consent. It's a 
sneaky way of software that is often used to track the 
movements of consumers online and even steal passwords. The 
porous gaps of spyware creates in a computer's security may be 
difficult to close.
    For example, one popular peer-to-peer file sharing network 
routinely installs spyware to track users' information and 
retrieves targeted banner ads and pop-ups. As noted by the 
recent article in PC Magazine, these file sharing networks may 
be free, they may be free but at the cost of privacy and not 
money.
    Of the 60 million users, few know that they are being 
watched, and those who discover spyware, uninstalling it may 
prove to be difficult other than the software programs. Some 
spyware includes tricklers. Now we've got a new word in 
vocabulary now, tricklers, which reinstall the files as you 
delete them. Users may think that they are getting rid of the 
problem, but the reality of the situation is far different.
    So creators of spyware have engineered the technology so 
that once it is installed on a computer, it is difficult and 
sometimes impossible to remove, in some cases requires the 
entire hard drive to be erased to get rid of the poisonous 
product. Such drastic measures may be taken, because often 
spyware tells the installer what websites the user visits, it 
steals the passwords or other sensitive documents on a personal 
computer, and also redirects Internet traffic through certain 
websites.
    One of the most disturbing aspects about the spyware 
problem is that so few consumers are aware of it. Bearing this 
in mind, the SPY BLOCK bill relies on a common sense approach, 
which prohibits the installation of software on consumers' 
computers without notice, consent, and reasonable uninstall 
procedures. The notice and consent approach which SPY BLOCK 
takes would end the practice of so-called drive-by downloads, 
which some bad actors use to secretly download programs onto 
users' computers without their knowledge.
    Under SPY BLOCK, software providers must give the consumers 
clear and conspicuous notice that a software program will be 
downloaded in their computers and requires user consent. This 
simple provision could be fulfilled by clicking yes in the 
dialogue box, for example.
    SPY BLOCK also requires notice and consent from other types 
of software. In the case of adware, another here we got, 
providers are required to tell consumers what types of ads will 
pop up on the users' screens and at what frequency. Consent is 
required for software that modifies user settings or uses 
distributed computing methods by utilizing the processing power 
of individual computers to create larger networks.
    And finally, software providers must allow for their 
programs to be easily uninstalled by users after they are 
downloaded. As with CAN SPAM law, enforcement authority would 
be given to the Federal Trade Commission. The state's attorney 
general would also take action against purveyors of spyware, 
and it also empowers the users.
    Clearly, the right balance must be reached between 
punishing bad actors and not impeding legitimate e-commerce. I 
am open to discussing with my colleagues ways to craft this 
legislation as to capture the truly malicious offenders. Make 
no mistake about it. The intent of SPY BLOCK is to bring back a 
little truth in advertising. Clearly, accountability needs to 
be brought to bear on this issue.
    I'm anxious to hear exactly how using the unique brands of 
trusted companies to redirect consumers to their commerce sites 
is a legitimate business practice. While I understand this may 
be explained as a high-tech form of contextual marketing, I am 
very leery on the broad types of questionable business 
practices that could be legitimized by this line of thinking.
    Working closely with my good friends, Senator Wyden and 
Senator Boxer, I'm confident that we can make major progress on 
this legislation before spyware infects a critical mass of 
computers and renders them useless. Just trying to keep up with 
the latest anti-spyware software imposes a tremendous cost to 
business, let alone individuals who have to spend their time 
online worried about the next spyware infestation.
    I look forward to hearing the testimony today and I 
appreciate our witnesses, and now Senator Wyden. And thank you 
so much for your good help.

                 STATEMENT OF HON. RON WYDEN, 
                    U.S. SENATOR FROM OREGON

    Senator Wyden. Thank you, Mr. Chairman. It's great to have 
a chance to team up with you. I think once again we're showing 
that work in this area clearly can be bipartisan and we have 
gone this way on a host of initiatives. It's great to team up 
with you and then, of course, to have Senator Boxer, who's such 
an articulate and strong advocate, not just of consumers, but 
the technology sector. To have her with us as well is a great 
pleasure.
    You said it very well and I'm just going to make a couple 
of quick comments. In fact, Mr. Chairman, if I could, I've got 
a longer statement and I'd like to have that placed in the 
record.
    Senator Burns. Without objection.
    Senator Wyden. Mr. Chairman, it just seems to me what is 
going on here is that snoops and spies are really trying to set 
up base camp in millions of computers across the country, and 
what we are in effect saying is that the owners of computers in 
this Nation ought to have control over what software gets 
placed on that computer. It really is just that simple. That 
really belongs to the computer user, and so what you have is in 
effect all these sneak, covert kinds of programs that are 
really trying to take those rights away from the owners of 
computers around the country. It seems to me that this will 
ensure that computer owners have knowledge and control over 
what gets placed on their computers, and given the 
sophistication of people who try to take advantage of the 
public, it seems to me that this is important legislation to 
move on now.
    In effect, what these individuals who are engaging in this 
activity that we think is violative of the computer owners' 
rights, what they are doing is they're acting as parasites, 
they're acting as people who would put parasites on computers, 
put unwanted software that can burrow in and install itself on 
a hard drive where it proceeds to use the computer and the 
Internet connection for its own purposes. And as you have 
noted, the owner of the computer frequently doesn't know the 
intruder is there and very often has no way to get rid of it 
once he or she finds out.
    So I think as we go forward in this debate, for those who 
may have reservations about this and want to oppose it, I want 
them to answer the central question. How can it be that those 
who own computers and have access to the Internet shouldn't 
have that treated as private property? That is what this is 
really all about. You don't get opportunities to come into 
somebody's home without their knowledge and permission, and you 
shouldn't expect others to be able to take advantage of you in 
the kind of way that these parasites and snoops and spies are 
doing.
    I think we've written this bill carefully. I'd like to put 
into the record an editorial from the New York Times that I 
think makes an important point in the sense that it's important 
not to write the definitions of what we're going to be doing to 
protect the consumer in too narrow a fashion. The Center for 
Democracy and Technology has done some very good work in terms 
of trying to ensure we have enough flexibility in those 
definitions so as to address the issue in a responsible way, 
and I'd very much like to have the editorial from the New York 
Times warning about the danger of making sure that you don't 
write this bill in too narrow a fashion put into the record.
    I think this is a good bill and the fact that you and I and 
Senator Boxer have a chance to team up on it means that we can 
make this a priority even though this session is short, and I 
hope that we will be able to move it quickly to the full 
committee.
    Senator Burns. Thank you, Senator Wyden, and I do too. I 
share your concerns. It's my computer, it is private property, 
I bought it and paid for it, and for my use only, not some 
leech. Senator Boxer.

               STATEMENT OF HON. BARBARA BOXER, 
                  U.S. SENATOR FROM CALIFORNIA

    Senator Boxer. Mr. Chairman, I couldn't top that, I really 
couldn't. I am so pleased to work with you and Senator Wyden 
and our staffs have worked together and I'm proud to be on the 
SPY BLOCK Act, and I'd ask unanimous consent that my full 
statement be placed in the record.
    Senator Burns. Without objection.
    Senator Boxer. And I will summarize it very briefly. If we 
saw someone with a binoculars looking in someone else's window, 
we'd call the cops, and I think that in many ways what we're 
doing is very similar to that, but it's even worse than looking 
in a window. It's really getting into someone's head and 
someone's life.
    So this is really important, it's very important, and I do 
hope we can prevail and get this done pretty quickly. You know, 
it is a pro-consumer bill, but I want to say to my colleagues 
it's also a pro-industry bill in my opinion. We're going to 
have people say it isn't, but it is, because I got news for 
you. If people think that they're being spied upon, they're 
going to use that computer a lot less than they normally would, 
and we're going to have people running away from using their 
computer just because this is America and we don't like that.
    So I think what we're doing is pro-consumer but it's pro-
business as well. And basically the rest of my statement goes 
into how it's very important to clearly talk about software, 
not just spyware, and that's what we try to do in the bill so 
people can't say, well, my definition doesn't fit to what 
you're doing. We want to make sure we cover everybody and that 
this bill is really going to do the job that it set out to do.
    So again, I'm very pleased to be with you in this fight and 
I hope we can get it done. And I'm going to be running out for 
a minute and coming back to hear the testimony and look forward 
to our partnership on this.
    [The prepared statement of Senator Boxer follows:]

 Prepared Statement of Hon. Barbara Boxer, U.S. Senator from California
    Mr. Chairman, thank you for holding this hearing. Last month, I 
joined you and Senator Wyden in introducing the ``SPY BLOCK Act'' (S. 
2145). Our legislation is designed to address increasing concerns that 
I have heard coming from California and other states over ``spyware.''
    Spyware, and other types of software called ``Adware,'' are 
delivered into the homes and offices of consumers and onto their 
computers often without their knowledge and consent.
    These invisible snoops follow consumers everywhere they go on the 
Internet and they bombard consumers with targeted pop-up ads.
    Our bill simply says that software makers, including spyware 
makers, cannot sneak into your computer. Specifically, the SPY BLOCK 
Act prohibits the installation of software without notice and consent 
of an authorized user. Additionally, the software must provide clear 
procedures to uninstall the software and must be capable of being 
completely and easily removed.
    The most common objection to the bill we have heard is that it 
should focus only on ``spyware.'' But as this hearing will show, nobody 
thinks the software they produce IS spyware.
    The reason the legislation targets software is because the people 
who produce spyware will always try to define themselves out of the 
category by claiming that their particular software is not spyware. By 
applying common principles of consumer rights for all software, we deal 
with the spyware problem and enhance consumer rights on the Internet 
more broadly.
    Mr. Chairman, I am proud to work with you on this issue and look 
forward to working with the witnesses here today to make the 
legislation as effective as possible.

    Senator Burns. Thank you, Senator Boxer. We'll keep you up 
to date.
    Senator Boxer. I'll be right back.
    Senator Burns. OK. We'd ask our witnesses to come to the 
table now. We have Mr. Avi Naider, President and CEO of 
WhenU.com Inc. from New York; Mr. Robert Holleyman, President 
and CEO of Business Software Alliance, we worked a lot with 
that group of people and with extreme pleasure; Mr. Jerry 
Berman, President of the Center for Democracy and Technology, 
and, of course, if there has been a man who has been around the 
Internet any longer than this man then they had to come before 
dirt almost, Jerry, so thank you for coming today.
    Mr. Berman. Are you talking about my age or my expertise?
    Senator Burns. Both, I think. And Dr. John Levine, 
President and CEO of Taughannock Networks from up in New York, 
and we appreciate you coming today too and I'll try and get 
that networks pronunciation down much better so I'll have to 
apologize for that.
    We'll start with you, Mr. Naider, if you're ready, and we 
look forward to hearing your testimony.

   STATEMENT OF AVI Z. NAIDER, PRESIDENT AND CHIEF EXECUTIVE 
                    OFFICER, WHENU.COM, INC.

    Mr. Naider. Good afternoon, Mr. Chairman and Members of the 
Subcommittee. I thank you for the opportunity to appear before 
your Subcommittee as it examines the issues surrounding 
spyware. I am Avi Naider, President and Chief Executive Officer 
of WhenU.com. WhenU is an online contextual marketing company. 
WhenU makes software that recognizes the immediate interests of 
an online consumer and automatically displays highly pertinent 
coupons and advertisements in response to the consumers' 
expressed interest.
    Consumers visiting the Staples website who have WhenU 
software might be presented with a coupon to save $30 off a 
$150 purchase at Staples. Consumers researching a trip to 
London who have WhenU software might be shown a pop-up with a 
special $99 fare on British Airways. This is why we named the 
company WhenU. It provides you with relevant and timely 
information when you shop online, when you travel to London, 
and so on.
    Our software presents information to consumers that is 
targeted and timely. At the same time, our software 
aggressively protects consumer privacy. In the past, targeted 
marketing in the U.S. has been enabled by collecting 
information about households and individual consumers into 
large data bases. These data bases are replete with information 
about who we are, what we buy, how affluent we are, and lots of 
other personal information.
    We started WhenU because we believe that targeted marketing 
can be done without collecting personal information about 
consumers and building profiles. WhenU does not have a database 
of consumers or any consumer profiles at all. Instead, our 
software uses a proprietary directory of the Internet that 
categorizes various indicators of consumer interest and 
delivers precisely targeted messages that inform the consumer's 
decisionmaking process.
    The software does all this without sending individual 
consumer activity back to WhenU. WhenU's software-based 
advertising is a promising technology that begins to fulfill 
the potential of the Internet as a rich, personalized, one-to-
one marketing and information delivery experience. We believe 
that WhenU software and other methods of contextual marketing 
are likely to emerge as engines of major growth for the 
Internet in the future.
    The WhenU desktop advertising network represents millions 
of consumers who have installed WhenU software on their 
computers. Typically, consumers download WhenU contextual 
marketing software as part of a bundle that contains free 
popular software. Developers of such free software rely on the 
revenue generated by companies like WhenU often as their sole 
or primary revenue model. They view WhenU as win-win technology 
that offers consumers free coupons, relevant advertising, and 
free software, all while protecting consumer privacy.
    WhenU software is anything but spyware. WhenU follows a 
strict privacy policy, and in addition, respects the principles 
of consumer choice in the following ways. The consumer always 
receives a clearly visible notice that WhenU software is part 
of a download. The consumer is given easy access to a clear and 
concise license agreement that he must affirmatively accept to 
proceed with the installation of WhenU software.
    WhenU-generated ads, offers, and coupons are boldly and 
conspicuously branded by WhenU, and WhenU software is easy to 
uninstall. WhenU fully supports the principles underlying the 
SPY BLOCK Act. We also favor further and detailed study of the 
complex issues presented in order to enable Congress to craft 
an effective national legislative solution.
    Many of the legislative issues currently proposed, both at 
the state and the Federal level, are either overly broad or 
lack the necessary nuance to address the problem effectively, 
and yet still allow promising technology to develop. As a 
result, they potentially regulate or even restrict consumer-
friendly, privacy-protective, and mainstream software, while 
failing to protect consumers against software that truly 
threatens privacy and security.
    Ironically, carelessly-worded spyware legislation that 
lacks nuance will do more to promote the spyware problem than 
solve it. Because if legitimate advertising models that truly 
give choice to consumers are lumped in with nefarious software 
that intends to deceive, rogue and unscrupulous companies who 
play by no rules and adhere to no standards of consumer 
protection will be given the upper hand in the marketplace, and 
this outcome would be devastating.
    On the other hand, carefully worded and nuanced legislation 
can set standards for the online industry and serve as a beacon 
for the marketplace and for advertisers looking to use 
legitimate technologies that can reach their target consumers. 
We believe that the proceedings today and the FTC workshop to 
be held in April will produce a detailed record that will 
undoubtedly help inform future legislative efforts.
    We look forward to continuing to work with you, Mr. 
Chairman and the members of the subcommittee to develop a 
comprehensive and effective solution to this pervasive problem. 
Thank you.
    [The prepared statement of Mr. Naider follows:]

  Prepared Statement of Avi Z. Naider, President and Chief Executive 
                        Officer, WhenU.com, Inc.
Introduction
    Good afternoon, Mr. Chairman and members of the Subcommittee. I 
thank you for the opportunity to appear before your Subcommittee as it 
examines the issues surrounding ``spyware.'' I am Avi Naider, President 
and Chief Executive Officer of WhenU.com, Inc. (``WhenU'').
WhenU and the Evolution of Contextual Marketing on the Internet
    WhenU is an online contextual marketing company. Our software 
delivers information about products and services to consumers online at 
the moment that information is most relevant to them. WhenU addresses 
an age-old problem: consumers' lack of access to potentially valuable 
market information when they need it most. Although consumers are 
inundated on a daily basis with information of all sorts, including 
offers from advertisers, the value of such information is reduced 
because it is not shown to the consumer at the right moment in time. 
WhenU's software delivers highly pertinent coupons and advertisements 
based on consumers' immediate interests, as reflected in their 
immediate Internet browsing activity, yet is highly protective of 
consumer privacy.
    Contextual marketing technology as developed by WhenU evolved 
naturally from the decades old, multi-billion dollar database marketing 
industry, which at its core, relies on behavioral targeting of 
consumers. Database marketing has been used for years by numerous 
companies to analyze individual consumers' past purchasing behavior in 
an attempt to determine what discounts and offers would be most 
attractive to those consumers in the future. For example, American 
Express tracks and analyzes the purchasing behavior of its credit card 
holders and uses the information gleaned from such analysis to mail 
potentially pertinent offers to such consumers.
    More recently, companies have advanced the field of behavioral 
marketing by deploying new technology-driven solutions. For instance, 
Catalina Marketing has developed technology that links to the point-of-
sale (POS) systems of many grocery stores and analyzes the purchases of 
individual consumers as they are scanned by the cashier. Based on the 
particular products purchased by the consumer, targeted offers and 
incentives for competing products are then immediately printed for the 
consumer (typically on the back of his or her grocery store receipt).
    Software-based contextual marketing technology as developed by 
WhenU is a further evolution in the field of behavioral marketing. 
Whereas traditional database marketing companies, and even innovators 
such as Catalina Marketing, analyze a consumer's past and current 
purchases to predict what the consumer will purchase in the future, 
software-based online marketing technology assesses the activity of the 
consumer in real time, at the very moment the consumer is researching a 
certain product or category of products on the Internet. Essentially, 
WhenU's technology utilizes the unique capabilities of the Internet 
environment to offer the consumer information that might assist him or 
her in making a purchase decision before the decision is made, at a 
time when the information is most useful. Imagine that while you are 
looking in a store window at a new DVD player, someone approaches you 
with an offer to get a DVD player at a better price at a store down the 
street. WhenU's technology allows the same thing to happen millions of 
times per day by providing consumers with offers to purchase all types 
of goods and services on the Internet.
    The Internet by its very nature enables real-time contextual 
marketing in a robust and scalable manner. Since the Internet is a 
medium in which all activity is transmitted electronically, WhenU 
software can scan the Internet browsing activities of a participating 
consumer to determine his or her immediate interests, and connect 
thousands of advertisers and millions of participating consumers with 
the right advertisement or coupon when it is most relevant to the 
consumer. WhenU's software effectively provides consumers with 
comparative advertising that presents them with a choice. The idea 
behind the WhenU software was to revolutionize targeted marketing from 
the old model in which interests are deduced based on who a consumer is 
and what their personal information is, to a new software-based system 
that focuses on actual interests as reflected in their Internet 
browsing activity-when you shop, when you travel, when you invest. In 
fact, that's why we named the company WhenU. ``When you'' are about to 
book a trip to London, WhenU software will deliver a relevant offer to 
you.
    Best of all, WhenU is able to deliver precisely targeted 
advertisements that are highly relevant while at the same time 
protecting consumer privacy. From the beginning, consumer privacy has 
been important to WhenU. WhenU does not collect any personally-
identifiable information. The WhenU software does not track user data, 
does not use cookies to track consumers, does not track users' 
clickstream data, does not create anonymous user profiles, and does not 
compile a centralized database of users. All of the activity takes 
place on the user's computer (or ``desktop''). The only information 
that is transmitted back to WhenU is information that allows us to show 
advertisements and coupons to the consumer and make sure the offers we 
do show are shown at the moment that they are likely to be most useful 
to the consumer. We are proud of our privacy policy and explain it in 
detail on our website.
    WhenU's software represents a significant departure from the way 
advertising online initially started. In general, early methods of 
online advertising were not able to deliver on the promise of the 
Internet as a rich, personalized consumer contact point. Poorly 
targeted e-mails, banner ads, and non-contextual pop-ups have yielded 
click through rates of less than one percent (1 percent), and millions 
of wasted advertiser dollars. To leverage the full power of the 
Internet and continue to develop the Internet into the kind of rich 
revenue-generating medium it should be, advertisers have begun to 
understand that successful online advertising must take advantage of 
the Internet's unique potential to deliver targeted and relevant 
advertising in response to what consumers are looking for.
    As an example, paid online search, a model promoted currently by 
companies such as Yahoo! and Google, represented as little as 3 percent 
of the online advertising market in the year 2000, but this year is 
expected to reach 37 percent as advertisers recognize the power of 
delivering relevant ads to consumers seeking specific products. When U 
believes that software-based advertising will similarly emerge as an 
engine of major growth for the Internet in the future, as advertisers 
and consumers continue to experience the power and richness of software 
as a medium for delivering highly targeted and useful information and 
advertising online.
WhenU's Desktop Advertising Network
    The WhenU Desktop Advertising Network represents millions of 
consumers who have installed the WhenU software on their computers. 
Typically, consumers download the software as part of a package, or 
``bundle,'' of software that enables consumers to get popular software 
for free. Software companies routinely bundle revenue-generating, 
advertising software (known as ``adware'') with free software programs 
(known as ``freeware'') to enable them to offer the freeware to 
consumers at no cost. In some instances, software developers might give 
consumers the choice between paying for the software or agreeing to 
receive ads from WhenU in exchange for getting the software for free. 
Developers of such free software applications rely on the revenue 
generated by software companies like WhenU to enable them to continue 
to offer their software free of charge. In any event, consumers are 
given a clear notice and choice whether or not to download WhenU 
software.
    Once downloaded, the WhenU software (called SaveNow, or Save!, but 
referred to generally as SaveNow) resides on the consumer's computer 
and generates advertisements through the use of a proprietary directory 
that is delivered to and saved on the consumers' desktop when the 
consumer installs the software. This proprietary directory is compiled 
and updated by categorizing the Internet in much the same way as a 
local Yellow Pages indexes merchants into various categories.
    As a participating consumer ``surfs'' the Internet, the SaveNow 
software studies page content, keywords, web addresses, and search 
terms from the consumer's web browser to determine whether any of those 
terms, web addresses and/or content match the information in the 
directory. If the software finds a match, it identifies the associated 
product or service category and determines whether an appropriate 
advertisement for that category is available to be displayed, subject 
to timing and frequency restrictions contained in the software.
    With the WhenU software, it is ultimately the consumer who drives 
whether a particular element will be included in the WhenU directory, 
because the directory is intended to contain terms that reflect the 
interests of the consuming public. Similarly, it is the user's actions 
on his or her desktop that ultimately determine whether an 
advertisement is eligible to be seen. Since its founding in February 
2000, WhenU has delivered online marketing for more than four hundred 
advertisers, including such well known companies as Priceline, British 
Airways, Delta Airlines, JPMorgan Chase, Kraft, Cingular, Ford, and ING 
Bank.
    In short, WhenU provides a useful and privacy-protective opt-in 
service to participating consumers, provides a revenue model for 
popular free software, and contributes to the development of the 
Internet-enabled desktop as a comparative shopping medium.
What is Spyware?
    ``Spyware'' generally refers to software that appears harmless but, 
once downloaded, operates differently than its stated functionality, 
such as by stealing or transmitting personal data about the consumer 
and his or her browsing habits, keystroke data, or clickstream 
behavior. Spyware also can refer to software that sneaks onto user's 
computers, masks its operations once it has been installed on the 
computer, and is nearly impossible to uninstall. Sometimes programs 
that are surreptitiously downloaded onto user's computers and show ads 
whose source is not easily identifiable are referred to as spyware.
    WhenU has sometimes been accused of being ``spyware.'' It is not 
surprising that some people who do not understand the WhenU technology 
think that it is invasive to privacy how else, they wonder, can it 
alert a consumer to a discount hotel site when that consumer is looking 
at hotel rates in Washington, D.C.? However, properly understood, 
WhenU's unique proprietary technology cannot be considered spyware. 
WhenU's software-based advertising model respects the principles of 
consumer choice and consumer privacy, in three distinct ways.
    First, regardless of the method of distribution, during the 
installation process, the consumer always receives a prior notice that 
SaveNow is part of the download. To proceed with the installation of 
SaveNow, the consumer must affirmatively accept a clear and concise 
license agreement. The license agreement explains that the software 
generates contextually relevant advertisements and coupons, utilizing 
``pop-up'' and various other formats.
    Second, once a user has installed the SaveNow software, it is easy 
for a user to identify what the WhenU software does. WhenU makes the 
ads, offers and coupons served by WhenU easy to identify. Ads on the 
WhenU Desktop Advertising Network are displayed in a separate, WhenU-
branded window, including the marks ``Save!'' or ``SaveNow'', depending 
on the particular download partner, and other elements specially 
included in the WhenU window. In addition to WhenU's unique branding, 
every WhenU offer also contains a notice on its face that: ``This is a 
WhenU offer and is not sponsored or displayed by the websites you are 
visiting.'' And, with WhenU's highly-protective privacy policy, users 
do not have to be concerned about privacy, since no personal 
information is transmitted to or collected by WhenU. In fact, WhenU's 
strict privacy policy far exceeds current standards in the Internet 
advertising industry.
    Finally, after accepting a license agreement and downloading the 
software, consumers can easily remove or ``uninstall'' the software 
from their computers if they no longer wish to keep it. Every ad shown 
by WhenU contains inks to further information about the software and 
information about how to uninstall it. In addition, these links also 
allow consumers to easily contact WhenU by e-mail for more information. 
The software can be easily uninstalled through the computer's Control 
Panel Add/Remove Programs menu, the standard process used for 
uninstalling most Windows-based software. Once properly uninstalled, 
the WhenU software will cease to operate or show advertisements or 
coupons on the consumer's computer.
The Threat of Spyware and the Solutions to Spyware
    Spyware is a serious problem affecting millions of computer users 
every day. If the spyware problem continues to grow, unabated, it may 
deter computer users from the Internet and slow the creation and 
dissemination of new and innovative software programs available to 
users from the Internet.
    As discussed above, WhenU is very different from ``spyware.'' But 
notwithstanding these significant differences, WhenU is often swept in 
with software that threatens user security and privacy. That is why we 
believe that it is necessary and desirable for Congress and the FTC to 
regulate this area in order to protect consumers from spyware and 
protect the development of the Internet as a rich and promising medium.
    Current efforts being employed to address consumer concerns are 
helpful, but they typically fail to get at the real problems presented 
by spyware. For instance, the marketplace is replete with ``anti-
spyware'' software, but many of these software programs are 
indiscriminate in their identification of so-called ``spyware'' and, as 
a result, often identify benign programs or even files such as cookies, 
which are commonly employed by Internet websites to identify users who 
have accessed the site previously. Moreover, most of these programs 
prompt users to uninstall any software identified as spyware or as a 
threat. As a result, consumers may be prompted to unknowingly uninstall 
software that is far from nefarious and that they or another member of 
their household quite deliberately installed. Users may even have paid 
for software they are prompted to uninstall, or they may be required to 
keep such software to support free software that they have also 
installed. If marketplace solutions unduly burden the revenue model 
that software providers rely on to continue to offer their software for 
free, it will discourage the creation and distribution of free 
software, and force consumers to have to pay for such programs.
    At the same time, State legislative solutions are being proposed to 
respond to the growing menace of spyware, but many of these proposed 
solutions suffer from the same problems created by ``anti-spyware'' 
software: They inadvertently regulate or even restrict consumer-
friendly, privacy-protective and mainstream software while failing to 
protect consumers against software that truly threatens consumer 
privacy and security. They are also subject to the concerns of local 
businesses and may not address the problem from a national perspective. 
As a consequence, these solutions, such as the one recently proposed 
and passed by the legislature in Utah, are generally ineffective and 
overly broad.
    WhenU is in favor of Federal efforts to combat spyware, and fully 
supports the principles behind the SPY BLOCK Act. As per our practice, 
WhenU believes that users should receive notice about any application 
before they download it, should be required to affirmatively accept a 
clear license agreement that discloses the nature of the application 
and its functionality, should be presented with information that 
identifies the source of every window that is generated by software on 
their desktop, and should be able to uninstall any software application 
through standard and easily accessible means. WhenU also is in favor of 
legislation that provides that the Attorney General, States Attorneys 
General and the FTC should be solely responsible for implementing and 
enforcing its provisions. However, WhenU first supports careful study 
and consideration of the problems surrounding spyware. How to combat 
``spyware'' is a complex issue, and we believe the approach lawmakers 
should take to address the issue should be as nuanced as the problem 
itself.
    Ironically, carelessly worded spyware legislation that lacks nuance 
will do more to promote the spyware problem than solve it. If 
legitimate advertising models that truly give choice to consumers are 
lumped in with nefarious software that intends to deceive, rogue and 
unscrupulous companies who play by no rules and adhere to no standards 
of consumer protection will be given the upper hand in the marketplace. 
And this outcome would be tragic. On the other hand, carefully worded 
and nuanced legislation can set standards for the online industry and 
serve as a beacon for the marketplace and for advertisers looking to 
use legitimate technologies that can reach their target consumers.
    We believe that the proceedings today and the FTC Workshop to be 
held in April will produce a detailed record that will undoubtedly help 
inform future legislative efforts. We look forward to continuing to 
work with you, Mr. Chairman, and the members of the Subcommittee, to 
develop a comprehensive and effective solution to this pervasive 
problem. Thank you.

    Senator Burns. Thank you very much. Robert Holleyman, thank 
you for coming today, Software Alliance.

    STATEMENT OF ROBERT W. HOLLEYMAN II, PRESIDENT AND CEO, 
                BUSINESS SOFTWARE ALLIANCE (BSA)

    Mr. Holleyman. Mr. Chairman, Senator Wyden, it's indeed a 
pleasure to be here this afternoon testifying on behalf of the 
member companies of the Business Software Alliance. Our 
organization works for leading developers of personal computer 
software, enterprise software, our key hardware partners and 
Internet technology developers on public policy issues in the 
United States, where we're headquartered, and in more than 65 
countries around the world.
    I am delighted to be able to talk with you today about 
options to provide the best way to protect consumers from the 
problems associated with spyware. At the Business Software 
Alliance, we applaud the intent of the SPY BLOCK Act that you 
have introduced along with Senators Wyden and Boxer.
    This afternoon I'd like to make three key points. First, 
computer snooping or spying on computer users is reprehensible 
behavior that invades our privacy. However, the problem is with 
bad behavior, not bad software tools or products.
    Second, for this very reason, Congress should ban only the 
behavior and not the technology. And third, we believe that the 
bill as introduced can be enhanced by focusing more directly on 
punishing such behavior. Doing so would accomplish the current 
intent of the bill without placing Congress in the position of 
approving or disapproving technologies.
    Indeed, Mr. Chairman, you and the other Members of this 
Committee have been leaders in adapting laws to the information 
age. You've done so carefully, deliberately, and in a well 
thought out fashion. We agree fully that we need to stop e-
spying and that it will harm the consumer experience in using 
their computers and the Internet. It is wrong and it should be 
stopped.
    But it's also essential that we recognize that the problem 
comes from bad people, bad actors, not from bad products. That 
same underlying technology that can enable spyware also may 
power many legitimate applications that benefit millions of 
computer users every day.
    Mr. Chairman, I feel like I'm preaching to the choir. Last 
year Congress stopped unwanted telemarketing, not telephones. 
You canned SPAM by criminalizing fraudulent conduct, not by 
banning commercial e-mail. And in the 1990s, you wisely 
recognized it was unwise to try to ban encryption technology, 
choosing instead to focus on those who might use encryption to 
commit crimes.
    Your Committee and the Congress as a whole has wisely and 
consistently avoided technology mandates. You understand that 
the U.S. technology industry and our own leadership in high-
tech innovation are crucial to America's economic future.
    We appreciate the author's clear intent to protect 
legitimate software from being swept into the bill and you've 
done so through a series of definitions and exceptions that the 
bill employs. However, at the same time, the BSA feels that 
these definitions can be fraught with peril in the current 
software environment, especially as new technological 
developments occur.
    As an alternative, we suggest that the Congress focus on 
the most egregious practice of commercialization of information 
from electronic spying. Congress should prohibit the 
distribution of user information obtained electronically from 
an individual's computer unless one of two tests are met. 
Either the person seeking to sell the information must show 
that it was collected with the user's permission or that it was 
obtained from an entity that collected the information with 
such permission.
    Such an approach would achieve the main objective of 
stopping e-spying while significantly avoiding the tough 
definitional issues and their implications for the future 
development of technology.
    With respect to enforcement, we agree that the FTC should 
be given primary responsibility. The FTC should treat 
violations as an unfair or deceptive activity under the FTC 
Act. We also believe that the Justice Department should be 
authorized and empowered to subject those who violate the 
legislation to criminal fees and imprisonment under Title 18 of 
the United States Code. That would send a clear message that 
the commercialization of information from electronic spying 
will not be tolerated.
    However, we think that state attorneys general should be 
given enforcement authority in this area only if we have a 
Federal standard. Remote access electronic spying through 
spyware is a national problem and we think it should be treated 
as such.
    I'd like to thank you again, Mr. Chairman, for the 
opportunity to talk today on the issue of spyware and the SPY 
BLOCK bill. We believe that working together this bill can be 
enhanced to directly and effectively address the issue we're 
all most concerned about, electronic spying. The BSA is eager 
and willing to work with you and the other members of the 
Committee in that regard, Mr. Chairman. Thank you for this 
opportunity to testify.
    [The prepared statement of Mr. Holleyman follows:]

   Prepared Statement of Robert W. Holleyman II, President and CEO, 
                    Business Software Alliance (BSA)
    Good morning. Thank you very much for the opportunity to testify 
here today. My name is Robert Holleyman and I am President and CEO of 
the Business Software Alliance (BSA).\1\
---------------------------------------------------------------------------
    \1\ The Business Software Alliance (www.bsa.org) is the foremost 
organization dedicated to promoting a safe and online world. The BSA is 
the voice of the world's software and Internet industry before 
governments and with consumers in the international market place. Its 
members represent the fastest growing industry in the world. The BSA 
members include: Adobe, Apple, Autodesk, Avid, Bentley Systems, 
Borland, Cisco Systems, CNC Software/Mastercam, HP, IBM, Intel, 
Internet Security Systems, Intuit, Macromedia, Microsoft, Network 
Associates, PeopleSoft, RSA Security, SolidWorks, Sybase, Symantec, UGS 
PLM Solutions Inc. and VERITAS Software.
---------------------------------------------------------------------------
    BSA represents the world's leading developers of software, hardware 
and Internet technologies both in the U.S. and internationally. Our 
mission is to educate computer users on software copyrights and cyber 
security, advance public policy that fosters innovation and expands 
trade opportunities, and fight software piracy. We are headquartered in 
Washington, D.C., and are active in over 65 countries internationally.
    It is a pleasure to be with you today to discuss a serious issue of 
consumer protection: protecting millions of computer users from those 
who secretly install software on computers in order to obtain 
information about those users. Such software goes by the name of 
``spyware.'' That is clearly the intent of the SPY BLOCK Act (S.2145) 
introduced by Chairman Burns and Senators Wyden and Boxer. It is also 
the intent of the Safeguard Against Privacy Invasions Act (H.R. 2929) 
introduced by Representatives Bono and Towns.
    Mr. Chairman, you and the other members of this Committee have been 
leaders in adapting our laws to the information age--carefully and 
deliberately, with a scalpel not a saw. This morning I would like to 
make three points.
    First, computer snooping, or spying on computer users, is a 
reprehensible practice that invades our privacy. However, the problem 
is with bad behavior, not bad software tools or products.
    Second, for that reason Congress should continue to ban the 
behavior not the technology. The problem is with abuse, not use, of 
technology.
    Third, we believe the bills as introduced can be improved by 
focusing more directly on punishing the behavior rather than the means 
by which it is accomplished. Such an approach enables Congress to avoid 
having to make very difficult decisions about the design and operation 
of technology.
Stop E-Spying
    We agree with the members of this Committee, other Members of 
Congress, and the public who rightfully complain about those who hijack 
computers. There is no policy rationale to justify the actions of those 
who secretly insert a computer program into someone's PC in order to 
collect information about that individual or his or her computer 
habits. It is, pure and simple, an invasion of our privacy. It is wrong 
and it should be stopped. It is also a national problem and needs a 
national solution.
    Clearly some of these invasions of privacy are intended to, and do, 
cause economic harm. Someone might be trying to gain insider business 
information or corporate secrets. Others might be engaged in identity 
theft--a practice that is estimated to cost American consumers more 
than $50 billion each year. But electronic snooping is no less invasive 
if the information is being gathered ``only'' for marketing or research 
purposes.
Ban Behavior Not Technology
    It is essential that we recognize that the problem comes from bad 
people, not bad products. The same underlying technology that can 
enable spyware also may power many legitimate applications that benefit 
millions of computer users everyday.
    Let me put it a different way. We don't ban crowbars because some 
people use them to break into houses. We don't ban cars because some 
people use them to flee from a crime. And last year Congress did not 
ban telephones because some people use them to make unwanted marketing 
calls. Instead, Congress addressed the offensive behavior and 
established procedures to control telemarketing.
    Mr. Chairman, I feel like I am preaching to the choir. The Commerce 
Committee has been a leader in applying this principle to developing 
computer technologies.
    Just last year you moved aggressively and appropriately to ``CAN-
SPAM.'' That legislation criminalized fraudulent conduct and 
established clear rules for legitimate business to follow. It made it 
illegal to access a computer without authorization and use it to send 
out bulk unsolicited commercial electronic mail or to hide or falsify 
information about the sender or subject matter of spam. The Act also 
required the inclusion of a functioning return e-mail address and a 
prohibition on sending messages to recipients who opt not to receive 
them. It also addressed more ``aggravated violations'' such as the use 
of harvested addresses or the automated creation of multiple electronic 
mail accounts. But what the bill did not do is to get in the way of the 
continued development of innovative technological solutions to combat 
spam and protect consumers.
    Mr. Chairman, this committee also successfully applied this 
principle during the encryption battles of the 1990s. You understood 
well that it was pointless to try and ban a technology prevalent around 
the world. Your ``PRO-CODE'' bill in 1996 prohibited the government 
from designing and mandating encryption standards and promoted the use 
of commercial encryption. At the same time, you also agreed with 
Senator Leahy in his legislation, as well as the House bill introduced 
by Representatives Goodlatte and Lofgren (the ``SAFE'' Bill), that it 
was unlawful to use encryption in the commission of a crime.
    Even the Communications Decency Act of 1996 (Title V of the 
Telecommunications Act of 1996), which among other things sought to 
address the problem of on-line pornography and minors, did not ban the 
then emerging ``interactive computer service.'' Instead the Act 
criminalized the use of such a service to send or display obscene and 
indecent content to those under 18. The Act also established a defense 
for those who in good faith took reasonable, effective and appropriate 
actions to restrict or prevent access by minors (including 
technological means to do so--) but precluded the FCC from endorsing, 
approving, sanctioning or permitting particular products.
    This built on the underlying approach of the 1984 Computer Fraud & 
Abuse Act which has been amended many times since to expand and 
strengthen its criminal and civil penalties against computer abusers. 
This statute penalizes those who access a computer without appropriate 
authorization and cause broadly defined damage. This statute addresses 
both those who trespass in cyberspace for commercial gain as well as 
those who seek to cause harm by launching computer viruses. Indeed, one 
possible solution to the problem of electronic snooping would be to 
make illegal the act of commercializing information obtained through 
surreptitious means.
    Why has Congress consistently prohibited conduct not technology? 
Why has Congress refrained from interfering with the marketplace by 
dictating the design or operations of computers and consumer 
electronics?
    Congress has wisely avoided technology mandates because you 
understand that the U.S. technology industry is the envy of the world. 
It has been responsible for incredible improvements in productivity, 
millions of jobs, billions of dollars in exports, and immense benefits 
to every consumer. Government intervention that replaces marketplace 
solutions with governmental decisions endangers America's technology 
leadership and hurts users of technology products by stifling 
innovation, freezing in place particular technologies, impairing 
product performance, and increasing consumer costs.
Focus and Improve The Legislation
    We believe the pending legislation should be changed to focus even 
more clearly on what we are trying to stop, not the technology tools to 
do so. We also think that the most immediate, concrete and compelling 
problem is electronic spying--the unauthorized acquisition and use of 
information from individuals.
    Currently the SPY BLOCK bill has numerous definitions, requirements 
and exemptions which involve making technical decisions about the 
operations of today's computers--as well as the direction of future 
technology. The bill:

   attempts to define computer software, cookie, install; 
        network information; information collection feature, 
        advertising feature, distributed computing feature, and 
        settings modification feature;

   in the case of advertising, distributed computing, and 
        settings modification features requires descriptions of how 
        those features will operate on, and with, a particular computer 
        (e.g., ``the nature, volume of information or messages, and the 
        likely impact on the computer's processing capacity of any 
        computational or processing tasks the computer software will 
        cause the computer to perform . . .'') ;

   directs certain technical uninstall operations; and

   necessarily seeks to exempt ``any feature of computer 
        software that is reasonably needed to provide capability for 
        general purpose online browsing, electronic mail, or instant 
        messaging . . . determine whether or not the user of computer 
        is licensed or authorized to use the computer software and 
        provide technical support for the use of the computer software 
        by the user of the computer.''

    We believe the problems inherent in such an approach can be avoided 
if Congress instead focuses directly on the behavior we are trying to 
stop: the unauthorized acquisition and commercialization of 
information.
    We suggest that Congress simply prohibit the distribution in 
interstate commerce of user information obtained electronically from an 
individual's computer, unless the person seeking to sell the 
information can show that it was collected with user's explicit 
permission or that it was obtained from an unaffiliated entity that 
represents it had collected the information with such permission. Such 
an approach significantly mitigates the definitional issues in the bill 
as introduced--and their implications for the development and use of 
technology--while achieving the objectives of the legislation.
    We also believe that what the bill calls advertising, distributed 
computing, and settings modification features should not be included in 
this legislation. None of these issues has risen to the same level of 
concern or been examined nearly as much as electronic spying. Each of 
these areas also raises separate and distinct substantive and political 
issues.
    For example, having just spent nearly a year implementing 
legislation to control spam, we are concerned that additional 
legislation on advertising at this point would detract from the current 
focus on spying. We also think it is worthwhile to more closely examine 
existing laws that address deceptive advertising and business 
practices. Similarly, the case of distributed computing raises new 
questions. We understand the concern about ``zombie'' machines utilized 
without consent--as opposed to the enthusiastic voluntary participation 
of tens of thousands in the search for extraterrestrial intelligence 
(the SETI project). But the concept of ``grid computing'' is just 
emerging as a serious commercial enterprise and we would be hesitant to 
casually address it in this bill. Finally, we believe the area of 
settings as well as their modification is integrally related to on-
going efforts to address cybersecurity concerns. Once again, we would 
be reluctant to address those issues in this bill. As many of the 
Committee's members know, BSA has been extremely active in efforts to 
making computing safer and more secure. BSA was one of the hosts and 
cosponsors of the Department of Homeland Security Cybersecurity Summit 
last December and throughout this month we are announcing the 
significant results from private sector efforts initiated at the 
summit.
    More generally, we note that each of these areas may also be 
amenable to technological and business practices. We think Congress 
should be careful not to preclude the evolution of tools and 
marketplace solutions.
    With respect to enforcement, we agree that the FTC should be given 
primary responsibility. The FTC should treat violations as an unfair or 
deceptive act under the FTC Act. We understand that other regulatory 
agencies may have enforcement responsibility in other areas.
    We also believe that the Department of Justice should be authorized 
and empowered to subject those who violate the legislation to criminal 
fees and imprisonment under Title 18 of the United States Code. We 
should send a clear message that engaging in electronic spying is 
reprehensible and will not be tolerated.
    However, we think that the State Attorneys General should be given 
enforcement authority in this area only if we have a Federal standard. 
Remote access electronic spying through ``spyware'' is a national 
problem. We think it should be treated as such. The obvious problems 
with empowering State Attorneys General in the absence of a Federal 
standard is the prospect for many different enforcement actions based 
on many different theories and many different standards.
Conclusion
    Thank you again for this opportunity to comment on the issue of 
``spyware'' and the SPY BLOCK bill. Working together, I believe the 
bill can be improved to more directly and effectively address the issue 
we are all most concerned about: electronic spying.

    Senator Burns. Thank you. We appreciate that very much. Now 
Jerry Berman, President of the Center for Democracy and 
Technology, and welcome Mr. Berman.

STATEMENT OF JERRY BERMAN, PRESIDENT, THE CENTER FOR DEMOCRACY 
                          & TECHNOLOGY

    Mr. Berman. Thank you, Senator and Senator Burns, Senator 
Wyden, again, you are in the forefront of trying to protect 
privacy and user control of their computers on the Internet and 
we applaud you, both for your earlier efforts on behalf of 
trying to pass general privacy legislation, which I think is 
also involved in this issue, and also to try and craft a bill 
to deal with this very pernicious problem.
    But I want to caution that before we rush to judgment we 
need Federal intervention here. We don't need a plethora of 
state statutes, but we really have to spend a little time, take 
a deep breath, and try and define what we're after here, 
because if we're over-broad and include all computer software, 
I think it will be a nightmare to carve out the exceptions of 
what we're really worried about, and spyware has been defined 
very broadly. Your bill begins to carve down and deal with the 
real problems.
    But in all of these cases, they may be over inclusive and 
only talk about privacy when the problem may be broader than 
that and go beyond privacy to whether, as you point out, 
consumers can control their own computers and whether they're 
being hijacked, and that doesn't fit under this, quote, 
spyware, it's something bigger than that. And I think we've got 
to put some of this terminology around and not get confused by 
it.
    I agree with Mr. Holleyman that we need to step back and 
say, what is the behavior that we're worried about here, what 
gets us upset about software which performs functions which is 
being downloaded on your computer when you click on an ad, when 
you go and get a free service like Kazaa or in a peer-to-peer 
network or through e-mail or just by browsing on the Internet. 
Suddenly software is being downloaded on your computer and it 
is performing certain functions. What is the behavior that's 
being performed by specific software, not all software but 
specific software that we care about?
    One, I give you three categories. One is software of 
spyware, if you like, that is collecting information, personal 
information from you on your site without notice or consent at 
all and delivering it to another party. That's a clear snoopy 
privacy violation and it applies to keystroke loggers and a 
whole bunch of other technologies, but rather than focus on the 
technology, focus on the behavior.
    The second category is information that is being collected 
about you and delivered to another site or to another person 
with inadequate notice and consent. They're saying, you 
consented, you clicked on the site, it popped up an end user 
licensing agreement six pages long, somewhere in there it said 
you're consenting to receive ads, you're consenting to give us 
information, and as part of your Web browsing experience 
someone clicked on it, maybe your son clicked on it at night, 
my son clicked on it at night and now a software program is 
resident in my computer that's collecting information and 
sending it to another party. I don't think that we need to deal 
with inadequate notice and consent.
    There's a third category which goes beyond spyware and 
privacy altogether. It goes into user control over computer. If 
I don't have enough notice and consent and I am now--resident 
on my computer is a program that's popping up ads, they may not 
collect information, but if I don't really transparently deal 
with that company when I click and download that software, and 
I now have a computer that's serving up ads and I may not know 
anything about it, someone in my family may have clicked on it, 
but if I agreed to that, is it popping up and letting every 
user in that family agree to it?
    There's this third category where your computer's being 
hijacked. They take over your Web browsing experience. We have 
just filed a complaint at the Federal Trade Commission about a 
company that you click, you download the software, it opens up 
your disk drive, it pops up a note and says your computer lacks 
a lot of security and it advertises on your Web page for spy 
block and it's Spy Wiper and it's saying you need to buy this 
software. That is privacy, that's hijacking my computer, and it 
almost amounts, I think, to computer fraud and abuse under the 
computer fraud and abuse statute.
    Which brings us--all of this behavior--I want to cut my 
testimony short but say, if we define the behaviors, then we 
can begin to pick at several different solutions bases. What 
needs to be covered by general privacy legislation? It would be 
interesting to only cover spyware when the notice and 
collection of information unfairly applies to websites too and 
other outliers. Why don't we go back to principle one?
    The second issue is we need to look at what--is our Federal 
Trade Commission complaint going to work? If it is, or the 
computer fraud and abuse statute applies or ECBA applies, we 
need to sort that out so we're not duplicating and creating 
another law.
    Beyond that, we need to look at how technology being 
offered by AOL and Earthlink allows us to sweep spyware. It's a 
combination again, as in the spam area. We need legislation, we 
need technology, we need industry practices, but we need to 
come together and help define that problem. That's why we've 
written a report, that's why we have a working group, that's 
why we're here today, that's why we're going to the Federal 
Trade Commission on April 9.
    That's enough for now. I'm anxious to work with all of you 
to try and resolve this issue. Thank you.
    [The prepared statement of Mr. Berman follows:]

            Prepared Statement of Jerry Berman, President, 
                 The Center for Democracy & Technology
    Mr. Chairman and members of the Committee, the Center for Democracy 
& Technology (CDT) is pleased to have this opportunity to speak to you 
about the growing threat to consumers and Internet users posed by 
spyware and other invasive or deceptive software applications.
    CDT is a non-profit, public interest organization dedicated to 
preserving and promoting privacy and other democratic values and civil 
liberties on the Internet. CDT has been deeply engaged in the policy 
debate about the issues raised by so-called ``spyware.'' In November, 
2003, CDT released a report ``Ghosts in Our Machines: Background and 
Policy Proposals on the `Spyware' Problem,'' \1\ providing background 
on the spyware issue, evaluating policy and other solutions, and 
presenting advice for Internet users about how to protect their 
personal information and their computers from these programs. At the 
same time, CDT launched our public ``Campaign Against Spyware,'' 
calling for Internet users to send us descriptions of the problems they 
have encountered with these invasive applications.\2\ CDT is also 
engaging in in-depth meetings with the wide range of stakeholders in 
the spyware issue, including ISPs, software companies, and consumer 
groups.
---------------------------------------------------------------------------
    \1\ http://www.cdt.org/privacy/031100spyware.pdf
    \2\ http://www.cdt.org/action/spyware
---------------------------------------------------------------------------
    The proliferation of invasive software referred to as ``spyware'' 
is a large and rapidly growing concern. These deceptive applications 
compromise users' control over their own computers and Internet 
connections, and over the collection and sharing of their personal 
information. We praise the chairman and this Committee for holding this 
hearing on S. 2145--the SPY BLOCK Act--and thereby bringing public 
attention to this serious and complex issue.
    In our testimony today, we hope to address three principal 
questions:

   What is ``spyware?'' The term spyware is extremely difficult 
        to define precisely, and can itself be misleading. The term has 
        been used to describe a wide and diverse range of software. 
        What these programs have in common is a lack of transparency 
        and an absence of respect for users' ability to control their 
        own computers and Internet connections.

   How bad is the problem? It is difficult to precisely 
        quantify the damage caused by these invasive applications--but 
        it is clear that the problem is severe. Spyware is widespread 
        and can threaten privacy, security, and computer performance. 
        Even the less invasive forms of spyware can seriously 
        inconvenience users and impose serious strains on the technical 
        support resources of schools and legitimate businesses.

   How can we respond to the problem? Responding to the problem 
        of spyware requires a multifaceted approach.

     Existing law could go a long way toward reducing the 
            problem of spyware. While longstanding fraud statutes 
            already cover many of the issues raised by these 
            applications, currently they are rarely enforced against 
            spyware programmers and distributors. We encourage Congress 
            to provide law enforcement with the necessary resources to 
            understand the phenomenon of spyware and to bring to bear 
            strong enforcement of these laws.

     Fundamental to the issue of spyware is the overarching 
            concern about online Internet privacy. Legislation to 
            address the collection and sharing of information on the 
            Internet would resolve many of the privacy issues raised by 
            spyware. We look to Congress to seize this important 
            opportunity to address this larger issue. If we do not deal 
            with the broad Internet privacy concerns now, in the 
            context of spyware, we will undoubtedly find ourselves 
            confronted by them yet again when they are raised anew by 
            some other, as yet unanticipated, technology.

     To be effective, legislation and enforcement 
            approaches will have to be carried out concurrently with 
            better consumer education, industry self-regulation and the 
            development of new anti-spyware technologies.

    Legislation directed at some of the specific issues raised by 
        software--such as notice and consent for installation--may also 
        have a role to play. While crafting such legislation will be 
        difficult, the SPY BLOCK Act demonstrates the progress that has 
        already been made in our understanding of the spyware problem. 
        The bill plays a critical role in advancing the inquiry about 
        spyware and developing approaches to addressing the issue.

    We address each of these questions in more detail in turn below.
I. Understanding and Defining Spyware
    No precise definition of spyware exists. The term has been applied 
to software ranging from ``keystroke loggers'' that capture every key 
typed on a particular computer; to advertising applications that track 
users' web browsing; to programs that hijack users' system settings. In 
some cases, it has even been applied to web cookies or system update 
utilities designed to provide security patches directly to users. 
Spyware programs can be installed on users' computers in a variety of 
ways, and can have widely differing functionalities.
    What the growing array of invasive programs have in common is a 
lack of transparency and an absence of respect for users' ability to 
control their own computers and Internet connections. The debate over 
precisely how to define the term spyware (as well as other related 
terms such as ``malware'' or ``adware'') has been contentious, in some 
cases even leading to legal threats between companies.\3\ But this 
semantic dispute diverts attention from the underlying question: Are 
consumers offered meaningful notice and choice about the programs 
installed on their computers and the ways in which their computers and 
Internet connections are used?
---------------------------------------------------------------------------
    \3\ See, e.g., Paul Festa, ``See you later, anti-Gators,'' 
CNET.com, October 22, 2003 (available at: http://news.com.com/2100-
1032_3-5095051.html)
---------------------------------------------------------------------------
    The most egregious forms of spyware (sometimes called ``snoopware'' 
to distinguish them from other categories) are typically stand-alone 
programs installed intentionally by one user onto a computer used by 
others. Some capture all keystrokes and record periodic screen shots, 
while others are more focused, collecting lists of websites visited or 
suspected passwords. These programs have legal uses (e.g., for certain 
narrow kinds of employee monitoring) as well as many clearly illegal 
ones.
    The more widespread spyware problem is that of applications 
installed on Internet users' computers in the course of browsing online 
or downloading other unrelated software. Users are typically unaware 
that these programs are being installed on their computers. Many 
``piggyback'' on other free applications, such as screen savers, system 
utilities, or peer-to-peer filesharing programs. In many cases, the 
only notice to the user about installation of such a secondary program 
is buried in a long and legalistic ``end user licensing agreement.'' In 
some instances, no notice of the bundling is provided at all. Other 
programs trick users into authorizing installations through deceptive 
browser pop-ups, or exploit security holes to install themselves 
automatically when a user visits a particular website. In some 
instances, once a program is installed, it begins to download and 
install other software with no notice to the end user.
    Spyware programs perform a variety of functions once they have 
gained access to a computer. Many track users' web browsing and deliver 
pop-up advertisements. While there is nothing inherently objectionable 
about using advertising, including targeted advertising, as a means to 
support free software, advertising software must function in a way that 
is transparent to users, and users must have control over its 
installation and the ability to remove it.
    Other spyware programs can change the appearance of websites, 
modify users' ``start'' and ``search'' pages in their browsers, or 
change low level system settings without notifying users or obtaining 
their consent. Some will even co-opt users' Internet connections to 
send out spam. Such software is often responsible for significant 
reductions in computer performance and system stability.
    Although much of the discussion about the spyware problem to date 
has focused on the privacy dimension of the issue, clearly many of 
these behaviors raise concerns beyond privacy. The term spyware itself 
can be misleading in some of these cases; arguably, a better term would 
be ``trespassware.''
    Many spyware applications resist uninstallation. For example, 
advertising programs that are originally installed as part of a 
``bundle'' with other free software may not be removed when the main 
application is uninstalled. In some cases, spyware applications do not 
appear in the standard ``Add/Remove'' programs or other uninstallation 
feature of the system. In egregious instances, some programs reportedly 
even reinstall themselves after the user has made deliberate efforts to 
eliminate them.
    No single behavior of this kind defines ``spyware.'' However, 
together they characterize the transparency and control problems common 
to such applications. Disagreements will continue about whether 
particular applications do or not deserve this label. In the end, it 
may be best to think of spyware not as a discrete and well defined 
category, but as the bad end of a spectrum of software practices, 
ranging from industry best practices for transparency, notice, and 
control on one end, to clearly deceptive and fraudulent behaviors on 
the other. Unfortunately, the resistance of spyware to easy definition 
makes writing legislation to address the problem difficult, as we 
discuss in detail in Section III below.
II. Severity of the Spyware Threat
    It is difficult to quantify the spyware problem because of the 
definitional questions mentioned above, and because the speed with 
which new spyware applications can appear and change makes reliable 
detection of the programs difficult. However, several indicators point 
toward the severity of the problem.
    Since CDT launched our public ``Campaign Against Spyware'' in 
November 2003, we received over 300 accounts of problems encountered 
with various spyware applications. The sources of the responses 
demonstrate that the problem is pervasive--respondents included 
individuals dealing with the issue on corporate networks, on computers 
in schools, and on government networks. These users name a wide array 
of specific programs and identify several categories of concerns, 
including loss of privacy, decreased stability, and the inability to 
use their computer, either because of barrages of pop-ups, or as a 
result of severely diminished performance.
    System administrators also responded to our ``Campaign Against 
Spyware.'' One of the biggest concerns raised by network administrators 
relates to the security holes created by these applications. Some 
spyware programs open major vulnerabilities by including the capability 
to automatically download and install additional pieces of code with 
minimal security safeguards. This capability is often part of an 
``auto-update'' component.\4\
---------------------------------------------------------------------------
    \4\ See, e.g., Saroiu, Stefan, Steven Gribble, and Henry Levy. 
``Measurement and Analysis of Spyware in a University Environment'' 
Proceedings of the First Symposium on Networked Systems Design and 
Implementation, March 2004 (available at: http://www.cs.washington.edu/
homes/gribble/papers/spyware.pdf).
---------------------------------------------------------------------------
    Network administrators report that spyware is as much or more of a 
problem than spam, viruses, or other security maintenance. One 
administrator told us that as many as 90 percent of the computers on 
the networks he manages have been infected with some variety of 
``spyware.'' Another technical support worker reported that the 
majority of the problems he encounters can be traced back to 
``spyware,'' and that his first recommendation to correct stability or 
performance problems is to run one of the free spyware search and 
removal utilities available on the Internet.
    In our discussions with industry, CDT learned that invasive spyware 
applications also cause substantial harm to ISPs and distributors of 
legitimate software. In many cases, consumers are mistakenly led to 
believe that the problems resulting from spyware applications are a 
problem with another, more visible application or with their Internet 
provider. This confusion places a substantial burden on the support 
departments of providers of those legitimate applications and services. 
Not only are affected users required to pay for otherwise unnecessary 
technical support calls, but those calls impose significant costs on 
businesses offering the support. Some industry representatives we 
talked to estimated that the additional costs run in the millions or 
tens of millions of dollars.
III. Responses to Spyware
    Combating the most invasive spyware technologies will require a 
combination of approaches. First and foremost, vigorous enforcement of 
existing anti-fraud laws should result in a significant reduction of 
the spyware problem.
    Addressing the problem of spyware also offers an important 
opportunity to establish in law baseline standards for privacy for 
online collection and sharing of data. Providing these protections 
would not only address the privacy concerns that current forms of 
spyware raise, but would put in place standards that would apply to 
future technologies that might challenge online privacy. Anti-spyware 
tools, better consumer education, and self-regulatory policies are also 
all necessary elements of a spyware solution.
    Legislation to establish standards for privacy, notice, and consent 
specifically for software, such as the SPY BLOCK act currently before 
this Committee, may play an important role as well. The challenge to 
such efforts is in crafting language that effectively addresses the 
spyware issue without unnecessarily burdening legitimate software 
developers or unintentionally hindering innovation. We believe the 
current bill represents a major step forward, although several concerns 
still exist.
    So far the efforts to address the spyware issue are all in very 
preliminary stages. They will each require cooperation among 
government, private sector, and public interest initiatives. We discuss 
each approach in turn below.
Enforcement of Existing Law
    CDT believes that three existing Federal laws already prohibit many 
of the invasive or deceptive practices employed by malevolent software 
makers. Better enforcement of these statutes could have an immediate 
positive effect on the spyware problem.
    Title 5 of the Federal Trade Commission Act is most directly 
applicable to the most common varieties of spyware. We believe that 
many of the more invasive forms of spyware discussed above clearly fall 
under the FTC's jurisdiction over unfair and deceptive trade 
practices.\5\ To our knowledge, the FTC so far has not brought any 
major actions against spyware makers or spyware distributing companies. 
In February, CDT filed a complaint with the FTC against two companies 
for engaging in ``browser hijacking'' to display deceptive 
advertisements to consumers for software sold by one of the 
companies.\6\
---------------------------------------------------------------------------
    \5\ Examples of clearly deceptive or unfair practices include:

       installing unwanted applications without giving users 
notice in the end user license agreement or another form;

       providing notice only in a license agreement that is 
misleading or unclear, leading consumers to think they are downloading 
one program when in fact they are downloading and installing an 
application that does something completely different;

       utilizing consumer resources such as computer power or 
bandwidth or that capture personal information without consent; or

       distributing programs that evade uninstallation.

    \6\ Complaint and Request for Investigation, Injunction, and Other 
Relief, in the Matter of MailWiper, Inc., and Seismic Entertainment 
Productions, Inc., February 11, 2004 (available at http://www.cdt.org/
privacy/20040210cdt.pdf).
---------------------------------------------------------------------------
    The FTC's plans for a workshop in April on ``Monitoring Software on 
Your PC: Spyware, Adware, and Other Software,'' is an encouraging 
indication that the Commission is devoting greater attention to this 
issue. CDT hopes that the clear message emerges from this workshop that 
the FTC must take a more prominent role in addressing this issue.
    We believe that one of the most immediate ways in which Congress 
could have a positive impact on the spyware problem is by directing the 
FTC to increase enforcement against unfair and deceptive practices in 
the use or distribution of downloadable software and by providing 
increased resources for such efforts.
    Several laws besides the FTC Act may also have relevance. The 
Electronic Communications Privacy Act (ECPA), which makes illegal the 
interception of communications without a court order or permission of 
one of the parties, may cover programs that collect click-through data 
and other web browsing information without consent. The Computer Fraud 
and Abuse Act (CFAA) also applies to some uses of spyware. Distributing 
of programs by exploiting security vulnerabilities in network software, 
co-opting control of users' computers, or exploiting their Internet 
connection can constitute violations of the CFAA, especially in cases 
where spyware programs are used to steal passwords and other 
information.
    In addition to Federal laws, many states have long-standing fraud 
statutes that would allow state attorneys general to take action 
against invasive or deceptive software. Like their Federal 
counterparts, these laws have not been strongly enforced to date.
New Legislation
    CDT has argued that the most effective way to address the spyware 
problem through legislation is in the context of online privacy 
generally. Specifically, we believe that the privacy dimension of 
spyware would best be addressed through baseline Internet privacy 
legislation that is applicable to online information collection and 
sharing irrespective of the technology or application. CDT has 
advocated such legislation before the Senate Commerce Committee and in 
other fora. Until we address the online privacy concern, new privacy 
issues will arise as we encounter new online technologies and 
applications.
    At the same time, certain aspects of the spyware problem extend 
beyond the privacy issues. Privacy legislation would not, for example, 
apply to software that commandeers computing resources but does not 
collect or share user information. A comprehensive legislative solution 
to spyware should address the user-control aspects of the issue--
piggybacking, avoiding uninstallation, and so on.
    The SPY BLOCK Act currently before this Committee represents an 
important first step towards addressing some of these problems. We 
appreciate the desire to craft targeted legislation focusing on some of 
the specific problems raised by spyware, and CDT applauds Senators 
Burns, Wyden, and Boxer for bringing attention to these important 
questions. CDT strongly supports the goal of the SPY BLOCK Act--to 
assure that users are provided with meaningful notice and choice about 
the applications that run on their computers.
    At the same time, we wish to emphasize the complexity of such 
efforts. The broad industry opposition to an anti-spyware bill recently 
passed in the Utah legislature, based on potential unintended 
consequences of the bill for legitimate software companies, 
demonstrates the difficulties that can be introduced by such 
legislation if it is not carefully drafted.\7\
---------------------------------------------------------------------------
    \7\ See, e.g., Ross Fadner, ``Leading Internet Providers Oppose 
Passage of Spyware Control Act,'' MediaPost, March 15, 2004 (available 
at: http://www.mediapost.com/dtls_dsp_news.cfm?news
ID=242077)
---------------------------------------------------------------------------
    Recognizing that development of appropriate standards for consumer 
software notice is still in preliminary stages, we suggest two areas of 
the SPY BLOCK Act that warrant further consideration and may require 
revision.

   Standards for Notice--Providing consumers with informative, 
        accurate notice is a challenging task. Ongoing efforts to craft 
        ``short notices'' in the context of privacy statements under 
        the Gramm-Leach-Bliley Act both demonstrate the complexity of 
        this problem and may provide a valuable model for the kind of 
        notices that are appropriate in the context of downloadable 
        software. Many so-called ``spyware'' applications already 
        provide minimal notice to consumers buried in legalistic 
        licensing agreements that come with bundled software. (Programs 
        that do not provide even this level of notice are probably 
        already illegal, as described above.) However, such minimal 
        notice does not provide consumers the opportunity to make 
        meaningful and informed choices. To be effective, legislation 
        will have to address the difficult issue of how best to ensure 
        that the information that accompanies software is appropriately 
        clear, distilled, and contextualized to allow users to make 
        informed decisions. Simply requiring that programs list 
        information prior to installation may not be enough. However, a 
        bill that will burden users by prompting users for choice too 
        often will not be effective either.

   Scope--As currently structured, the SPY BLOCK Act covers 
        almost all software, but provides specific exemptions for 
        certain kinds of ``general purpose'' software and certain 
        specific uses of information. CDT is concerned that this 
        approach creates difficulties for software developers while 
        imposing unrealistic burdens on legislators. This tack requires 
        that legislators develop a comprehensive list of functions for 
        which the requirements of the bill are not appropriate. 
        Creating such a list for existing technologies is challenging 
        in itself. Moreover, such a list will likely become outdated as 
        soon as new technologies are developed, or as the categories 
        defined in the law shift. CDT has argued that privacy laws 
        should be neutral with respect to technologies, and we believe 
        the same principle applies here.

    We believe that valuable insight into the questions of scope and 
appropriate notice for consumer software are likely to emerge from 
ongoing industry and public interest efforts to define best practices, 
discussed below, and from the FTC's April Workshop in spyware. We 
encourage the Committee to incorporate the results of these efforts 
into refinements of the current bill.
Non-Regulatory Approaches
    Technology measures, self-regulation and user education must work 
in concert, and will be critical components of any spyware solution. 
Companies must do a better job of helping users understand and control 
how their computers and Internet connections are used, and users must 
become better educated about how to protect themselves from spyware.
    The first step is development of industry best practices for 
downloadable software. Although not all software manufacturers will 
abide by best practices, certification programs will allow consumers to 
quickly identify those that do and to avoid those that do not. In the 
current environment consumers cannot easily determine which programs 
post a threat, especially as doing so can involve wading through long 
and unwieldy licensing agreements.
    Technologies to deal with invasive applications and related privacy 
issues are in various stages of development. Several programs exist 
that will search a hard-drive for these applications and attempt to 
delete them. Some companies are experimenting with ways to prevent 
installation of the programs in the first place. However, even these 
technologies encounter difficulties in determining which applications 
to block or remove. Clear industry best practices are crucial in this 
regard as well.
    Standards such as the Platform for Privacy Preferences (P3P) may 
also play an important role in technical efforts to increase 
transparency and provide users with greater control over their 
computers and their personal information. P3P is a specification 
developed by the World Wide Web Consortium (W3C) to allow websites to 
publish standard, machine-readable statements of their privacy policies 
for easy access by a user's browser. If developed further, standards 
like P3P could help facilitate privacy best practices to allow users 
and anti-spyware technologies distinguish legitimate software from 
unwanted or invasive applications.
    The IT industry has initially been slow to undertake such efforts. 
However, increasing public concern about spyware and the growing burden 
placed on the providers of legitimate software by these invasive 
applications has led to more industry attention on this front.\8\
---------------------------------------------------------------------------
    \8\ See, e.g., Earthlink press release: ``Earthlink Offers Free 
Spyware Analysis Tool to All Internet Users,'' January 14, 2004 
(available at: http://www.earthlink.net/about/press/pr_analysis/); 
America Online press release: ``America Online Announces Spyware 
Protection for Members,'' January 6, 2004 (available at: http://
media.aoltimewarner.com/media/newmedia/
cb_press_view.cfm?release_num=55253697).
---------------------------------------------------------------------------
    CDT believes Congress can have an immediate positive impact by 
encouraging industry to continue to develop these efforts toward self 
regulation.
IV. Conclusion
    Users should have control over what programs are installed on their 
computers and over how their Internet connections are used. They should 
be able to rely on a predictable web-browsing experience to remove for 
any reason and at any time programs they don't want. The widespread 
proliferation of invasive software applications takes away this 
control.
    Better consumer education, industry self-regulation, and new anti-
spyware tools are all key to addressing this problem. New laws, if 
carefully crafted, may also have a role to play. Many spyware 
practices, however, are already illegal. Even before passing new 
legislation, existing fraud statutes should be robustly enforced 
against the distributors of these programs.
    The potential of the Internet will be substantially harmed if users 
come to believe that they cannot use the Internet without being at risk 
of ``infection'' from spyware applications. We must find creative ways 
to address this problem through law, technology, public education and 
industry initiatives if the Internet is to continue to flourish.

    Senator Burns. Thank you, Mr. Berman. Dr. John Levine, 
thank you for coming today.

 STATEMENT OF DR. JOHN LEVINE, PRESIDENT AND CEO, TAUGHANNOCK 
         NETWORKS, AND AUTHOR, THE INTERNET FOR DUMMIES

    Dr. Levine. Thank you, Mr. Chairman, Senators. I'm John 
Levine, I'm the president of Taughannock Networks, named after 
a local waterfall, and I've written a variety of books, 
including the recent, Fighting Spam for Dummies, which I hope 
CAN SPAM will soon make obsolete.
    Senator Burns. That's just what I need.
    Dr. Levine. Well, this one's for you. And I am the Chair or 
Co-Chair of a variety of grass roots organizations like the--I 
serve on the board of the Coalition Against Unsolicited 
Commercial E-mail and I Co-Chair the Anti-Spam Research Group, 
which is a technical research group.
    But you've asked me to come today and talk about spyware, 
which I'm happy to do, because I happened to read the user mail 
sent to the Anti-Spam Coalition and every day I get mail from 
people saying spam is bad, but spyware is worse, how do I get 
rid of this junk? So although it has not been my primary 
interest in the past, it's certainly one that's coming up and 
one that's very interesting for many of the same reasons 
related to privacy and consumer protection.
    I can divide spyware into a variety of sub-areas, which I 
think I don't need to do, because in the previous comments it's 
clear that everybody understands what they are. But I would 
like to back off and echo some of Mr. Berman's comments that 
computers in everyday life, and the way they work and they way 
they integrate into people's lives is very new and we don't yet 
have laws and customs that describe how people react with 
software and if you have a computer which has some software 
from the vendor and some software from a website and some 
software from third parties, how they all react and what the 
experience for a computer user is.
    And it's sort of as though, if somebody came and said, I 
have a great new business plan, I'm going to open up newspaper 
boxes and I'm going to stick my own ads in the paper and 
somebody says, you can't do that. He says, of course I can, I 
paid 50 cents to get into the box. That kind of argument 
somewhat reminds me of some of the things I hear about spyware. 
It's just like, well, you can do it, and down in paragraph 73 
of some click-through agreement we said it was OK.
    I mean, to me, I see two issues. The first is an issue of 
consumer protection. With the adware that pops up ads and 
replaces ads in websites, consumers are completely confused. 
They don't know where the ads are coming from. All they know is 
they don't like them and they dislike ads that are popped up by 
websites that actually place them, they dislike ads that are 
popped up by software like WhenU's, they feel like they're 
totally out of control and they don't know whom to blame. So in 
that case there's a real issue of consumer confusion. I think 
it's a consumer protection issue.
    Beyond that, spyware presents a privacy problem because 
people click and say, yes, you can install your program and 
then it collects vast amounts of information very 
indiscriminately, and I have a bunch of scenarios in my written 
testimony. For example, if you are applying for a bank account 
online and a piece of spyware scrapes the data from that 
application and sends it off to the spyware vendor, the spyware 
vendor now knows enough about you to commit identify theft. Or 
if you are conferring with a close relative or with your doctor 
or with your lawyer, they can collect information to do 
anything from sending you bogus ads saying, oh forget that 
chemotherapy for your tumor, we have apricot seeds, to 
blackmail.
    These are enormous privacy issues and I think that we 
really need to step back and look at them as an overall issue 
of consumers and computers, and although the spyware issue is 
important, I think it's just one step on the way to coming up 
with sort of a general privacy and consumer protection policy 
that will affect all the ways that vendors and consumers and 
computers interrelate.
    I have some comments on the individual bill. It's a very 
well-crafted bill dealing with the specific issue of notice of 
spyware. I have two concerns. First is that I am concerned how 
realistic it is to expect people to understand the notice 
they're given and to click through, particularly when you have 
computers that are used by adults and by children, particularly 
when frequently the notice is down in page after page of boring 
boilerplate.
    And I would encourage you to consider allowing consumers to 
create a spy-free zone, just the way the Do Not Call list and 
the possible Do Not Spam list will allow people to put on 
notice once saying, we don't want this particular kind of 
violation here, rather than having to negotiate each time a 
vendor comes in and says I want to do this.
    My other concern is with enforcement. The Do Not Call list 
is very effective because the enforcement ranges from the FCC 
down through the attorney generals down through individual 
suits, and I think that this broad range of enforcement is 
really very effective in making Do Not Call effective, and I 
would encourage you to consider a similar provision for this 
bill. Thank you.
    [The prepared statement of Dr. Levine follows:]

     Prepared Statement of Dr. John R. Levine, President and CEO, 
       Taughannock Networks, and Author, The Internet for Dummies
    It is my honor and privilege to submit these comments to the 
Subcommittee on Communications of the Senate Committee on Commerce, 
Science, and Transportation for consideration during their hearing on 
S. 2145, the SPY BLOCK Act.
    I am a consultant and author specializing in consumer-oriented 
Internet topics. I am the primary author of The Internet for Dummies, 
the world's best selling book on the Internet, which has sold over 
seven million copies in nine editions in over two dozen languages since 
1993. I am also the co-author of numerous other books including the 
recent Internet Privacy for Dummies (2002) and Fighting Spam for 
Dummies (2004). In these books, my co-authors and I educate readers 
regarding online marketing and advertising practices that threaten the 
privacy of their personal information and/or present the risk of 
unauthorized collection, use, and abuse, of information about their 
online activities.
    I co-chair the Anti-Spam Research Group (ASRG) of the Internet 
Research Task Force under the oversight of the Internet Activities 
Board of the Internet Society. The ASRG is a coordinating forum to 
coordinate research into and development of technical measures to deal 
with unwanted e-mail, with broad participation of industry, academia, 
and independent researchers. I serve on the board of the Coalition 
Against Unsolicited Commercial E-mail (CAUCE), the leading grass roots 
anti-spam advocacy organization.
    I have spoken at many professional, trade, and government fora such 
as the 2003 Federal Trade Commission Spam Forum and the upcoming 
Enterprise Messaging Decisions conference in Chicago, May 4-6, 2004, 
and the E-mail Technology Conference in San Francisco, June 16-18, 
2004.
    I serve on advisory boards related to consumer Internet issues at 
companies ranging from Orbitz, one of the big three online travel 
agencies based in Chicago, to Habeas, a small anti-spam certification 
startup in Palo Alto, CA.
What is Spyware?
    Spyware is a general term used to describe software that runs on 
consumers' personal computers and performs actions that the consumer 
considers undesirable or hostile. The term has been applied to a wide 
variety of different applications, ranging from the arguably legitimate 
to the egregiously fraudulent. The three most common types of spyware 
are the following:

   Adware monitors the pages fetched by a user's Web browser or 
        other material on the consumer's computer and when it sees 
        particular pages or terms, displays other pages containing 
        advertisements paid for by the spyware's sponsors. So called 
        ``Browser Helper Objects'' install themselves as part of the 
        Internet Explorer web browser and change the way it works. The 
        changes can be as simple as switching to a different home page, 
        or as complex as redirecting web searches to the spyware 
        vendor's search system rather than the consumer's desired 
        system, or adding new ``click here'' buttons that lead to 
        sponsors' advertisements.

    In some cases, the adware rewrites the web pages displayed by the 
        browser, substituting ads from adware vendor for the ads 
        originally in the page. This technique has been likened to 
        opening newspaper boxes and pasting one's own ads on top of the 
        ads in the papers.

   Key loggers record every key pressed by the computer's user 
        and send the stream of keystrokes back to the spyware's author. 
        More generally, ``Activity Monitors'' can log and report on any 
        type of consumers' computer usage, such as e-mail send and 
        received, web pages visited, and instant messages exchanged. 
        The data can be used for anything from consumer preference 
        statistics to identity theft.

   Trojan Horses allow the spyware author or vendor to remotely 
        control the consumer's computer for the author's purposes. At 
        the point, the most common purpose is probably to send spam.

    Although these are the most common current varieties of spyware, 
variations on these themes and new and different spyware programs are 
released frequently. We can expect different varieties of spyware to 
appear in the future.
How Is Spyware Installed on Consumers' PCs?
    Spyware distribution is made possible by a combination of the weak 
security of Microsoft Windows and the inability of consumers to 
understand the many security-related warnings that their computers 
currently present to them.
    MS Windows generally makes it very easy to install software 
remotely onto a consumer's PC. While this facility is useful in a 
corporate environment where an IT department manages computers all over 
the company, hostile parties can also use it to install spyware without 
the consumer understanding what's happening. In some cases, whenever a 
consumer visits a spyware vendor's web page, programming in the web 
page automatically installs the spyware. In other cases the spyware is 
installed as part of a program that performs a desirable function 
unrelated to the spyware features.
    Sometimes, the consumer is presented with a warning screen asking 
whether to install the new program. The warning screen is nearly 
identical to the warning screens that appear when a web page needs a 
benign application such as one to display ``flash'' animations. 
Consumers see such warnings so often, and have so little information 
with which to evaluate any particular installation request, that they 
rarely reject an installation request. In many other cases, security 
weaknesses in Windows make it possible to install spyware without the 
consumer's knowledge or consent.
    Some computer manufacturers are now shipping PCs with spyware pre-
installed. This means that users will have to go to extra time and 
expense to remove the spyware from their new computers to bring it to a 
normal usable state.
Is All Software that Communicates with Remote Computers Spyware?
    No. In some cases, consumers deliberately install software with 
remote communication features to participate in a large-scale computing 
project or a multi-player game or other activity. For example, many of 
my computers run a program from the volunteer-run distributed.net that 
solves large mathematical and cryptographic problems. Another well-
known project called Seti@Home, coordinated at the University of 
California at Berkeley, uses consumers' computers to analyze data from 
radio telescopes, looking for evidence of intelligent signals from 
outer space. In both of these cases, the consumer runs the program 
because he or she actively wants to participate in the projects, the 
programs make no changes to the computer's configuration (other than an 
optional screen saver with Seti@Home) and the programs return no data 
about the consumer other than an optional e-mail address or ``handle'' 
if he or she wants to be counted in the statistics that the projects 
publish.
    Another common situation is straightforward advertisement supported 
software. For example, the popular Eudora e-mail program and Opera web 
browser are distributed in free versions that display small 
advertisements in clearly labelled windows within the application. The 
ads do not interfere with the normal operation of the program. The 
consumer is clearly informed that if he or she purchases a paid 
registration for the program, the ads will go away.
    Any legislation related to spyware should be crafted so as not to 
interfere with legitimate applications such as these.
How Do Consumers Feel about Spyware?
    They hate it. Although spyware has never been my primary area of 
activity, in my role as online postmaster for CAUCE, I get mail almost 
daily from consumers complaining about spyware and asking what they can 
do about it. On the Internet Privacy for Dummies website at http://
www.privacyfordummies.com, a page about dealing with spyware is the 
most frequently visited on the entire site.
    A small anti-spyware industry has arisen with programs like 
Adaware, from http://www.lavasoftusa.com, and Spybot Search and 
Destroy, from http://www.safer-networking.org, that detect and remove 
spyware from consumers' computers. Companies now routinely recommend 
that their employees install and use one of these programs on a regular 
basis to clean off any spyware that may have installed itself.
    Spyware is frequently written so as to be difficult or impossible 
to remove from consumers' computers. It rarely comes with an uninstall 
program, as is standard with other PC software, or it comes with an 
uninstaller that doesn't actually remove the spyware. Some of the more 
egregious spyware attempts to delete anti-spyware programs such as 
Adaware and Spybot from computers, and to reconfigure web browsers to 
make it impossible to reach anti-spyware websites or to install anti-
spyware software from those sites.
    Consumers clearly perceive spyware as an illegitimate use of their 
computers, and spyware is rarely if ever installed with the informed 
consent of the computer's owner.
What Policy Problems Does Spyware Present?
    Spyware presents two separate policy issues, consumer protection 
and privacy.
    The consumer protection issue is that consumers don't provide 
consent when spyware is installed on their computers, they don't 
understand what the spyware on their computer is doing, and when they 
become aware of its presence, they invariably want to get rid of it. In 
principle, this issue could be addressed by better disclosure at the 
time the spyware is downloaded, installed, or activated. But in 
practice, I am skeptical that disclosure would be effective. The 
behavior of spyware is often quite complex, and a disclosure of that 
behavior equally complex, to the point that many consumers would see 
the disclosure but wouldn't understand its implications and would be 
unable to make an informed decision whether to accept it or not.
    Furthermore, adware that shows its own advertisements in connection 
with web pages that a computer's user has requested causes severe 
consumer confusion. The consumer cannot easily tell what ads are part 
of the web page, and what ads may have been added or replaced by the 
spyware. Consumers incorrectly assume that advertisements are provided 
or endorsed by the author of the web page, rather than by the spyware 
vendor. If the advertisements are inappropriate or offensive, the 
consumer blames the web page author, rather than the spyware vendor 
that actually provided the advertisements. In some cases, the 
advertisements inserted by adware are for sexually oriented materials, 
although the spyware vendor has no way of knowing the age of the 
computer's user.
    I am aware of at least one group of lawsuits filed by mainstream 
advertisers against Claria, formerly Gator, a vendor of adware that is 
typically installed with peer-to-peer applications such as Kazaa, due 
to its advertisement insertion practices.
    The privacy issue is that spyware often collects personal 
information about the users of computers on which it is installed. This 
is an issue for any computer user, and is doubly so for users under the 
age of 13 who can't consent to collection of information about 
themselves.
    One could argue that in principle this problem could also be 
addressed by better disclosure, but I believe there are public policy 
reasons that it's not a good idea to let people sell their privacy 
rights. The law has long forbidden certain kinds of consumer 
transactions (selling parts of one's own body, for example) as contrary 
to the public interest, even if the consumer wishes to enter into such 
a transaction voluntarily and with full notice. I believe that there 
are sound reasons to treat the sale of one's privacy as contrary to 
public policy. The value of one's privacy is great, and the amounts 
offered in exchange for it are rarely large. Once one's privacy is 
traded away, it is difficult or impossible to regain, and the 
implications of giving it up are frequently far greater than what a 
consumer would foresee.
    Since spyware can and often does collect information about all of a 
computer user's activities on the computer, and software cannot tell 
private from non-private information on a computer, the opportunities 
for abuse are vast. For example, consumers often apply for mortgages, 
bank accounts, brokerage accounts, and other financial accounts online. 
If spyware sends the information from one of these applications back to 
the spyware vendor, the vendor has everything necessary to commit 
identity theft. Consumers often use e-mail or instant messages to 
communicate privately with friends and relatives, or with trusted 
personal advisors such as lawyers, accountants, and doctors. If spyware 
collects the contents of those messages, which is technically easy to 
do, the possibilities for abuse range from medical fraud (``our apricot 
seeds will cure your cancer better than old fashioned chemotherapy'') 
to blackmail.
    Many consumers underestimate the damage from privacy invasions on 
the assumption that if they conduct their lives in a legal and ethical 
fashion, they have nothing to hide. The reality is that some areas of 
everyone's life are private, and the damage from invading those private 
areas is real, substantial, and very difficult to cure.
    S.2145 as currently written is a well-crafted attempt to deal with 
spyware problems by mandating disclosure and minimal good software 
practices. I have two reservations about the bill in its current form.
    The first is that I am not confident that disclosure is the most 
effective way to deal with spyware problems. In view of the universal 
distaste of consumers for spyware, and their invariable desire to get 
rid of it when they find it installed on their computers, it would make 
far more sense to ban spyware outright, or to provide a simple way, 
analogous to the telemarketer do-not-call system, that a consumer could 
provide one-time permanent notice that spyware is unwelcome on his or 
her computer, rather than having to wade through notices and 
disclosures every time a spyware vendor wants to sneak something onto 
the consumer's PC.
    My other concern is for enforcement. The current draft leaves 
enforcement primarily to the FTC and to state Attorneys General without 
providing any new funding for enforcement. In view of the large number 
of spyware authors and vendors, and the budget pressures on all 
enforcement agencies, it seems unlikely that they will be able to take 
action against any but the largest violators. One of the reasons that 
the existing do-not-call system is so effective against telemarketers 
is that the law specifies statutory damages for consumers who are the 
victims of illegal telemarketing calls, and allows consumers who are 
sufficiently motivated to sue for modest but meaningful amounts. A 
similar provision to let consumers recover for spyware violations would 
make an anti-spyware law far more effective without requiring new 
funding for the FTC or other agencies.

    Senator Burns. Thank you. We've been joined by Senator 
Allen of Virginia, who chairs our high-tech conference and does 
a great job at that and, of course, represents a great 
technology community here in Northern Virginia. Thank you, 
Senator Allen. Do you want to make a statement or ask a 
question or do you want to play football?

                STATEMENT OF HON. GEORGE ALLEN, 
                   U.S. SENATOR FROM VIRGINIA

    Senator Allen. I'd rather play football but I didn't bring 
the ball. It's back in my office. I want to thank you, Mr. 
Chairman and Senator Wyden for bringing this issue to 
attention. I was listening to Mr. Berman's nightmare scenario, 
and I said, God, I was telling my staff, I said, that's what 
was happening on our computers. It was not just the spyware, 
it's the pop-ups and things shooting out of the side of it and 
all the rest and you put it back in, restart it, it all comes 
through again and it's just--this is broadband that we're all 
trying to get deployed and so forth, and I'm thinking, God, 
dial-up was better than this.
    Finally, we got someone in there who could install the 
right technologies to stop it and now being on the Internet and 
reading articles and so forth is a pleasure without all that 
interference of pop-up ads and notices that you're being 
monitored and all the rest.
    And when you get to this issue of spyware; I was hearing 
several of the gentlemen talking about the definition. I think 
your definition is one that makes pretty much common sense, 
like a lot of the things you do, Senator, which is very rare 
around here having some common sense. But it seems to me it 
would be a software that monitors a computer user's activities, 
it collects personal information, and shares it without the 
user's or the consumer's knowledge or their consent.
    I look at this from a perspective of a privacy issue, 
because what you are doing is an invasion of an individual's 
privacy. I approach this whole debate on what we ought to do 
similar to the way we handle the online privacy debate in this 
committee last year.
    There's a few points I want to make. Number one, I think 
that all of us ought to be able to agree as a matter of 
principle that under no circumstances is it acceptable for 
someone to secretly or deceptively monitor a consumer's 
activities online without that consumer's knowledge or consent, 
and any sort of misleading or false practices associated with 
spyware, in my view it threatens consumer confidence, I think 
it ruins, it harms the Internet's viable and usefulness, 
whether it's for commerce or for access to information. And in 
that regard, Senator Burns and Senator Wyden, I thank you for 
identifying this problem with your measure.
    Now second, as we examine this legislation and how to 
handle it, I think we ought to consider all the different 
options. Like online privacy, I think it's important that we 
empower individual consumers to make sure they have the 
information necessary to make reasonable decisions and choices. 
I think we ought to encourage to the greatest extent possible 
market-driven solutions to this, and this has been a committee 
that doesn't like to always dictate the technologies because we 
like to see the advances in technologies.
    Third, as you go through all of these, and listening to the 
concerns we do have existing laws. You're talking about 
identify theft. That is currently, presently a crime. We ought 
to find out how we--maybe those laws need to be made better, 
but the question of privacy is governed by law, identity theft, 
fraud, deceptive marketing practices, all are part of the law.
    Now, it may be that we have to find a way in the midst of 
this legislation as we discuss it to make those more 
enforceable, but those basic principles are there, and just 
because it's spyware or adware or whatever it may be, it 
doesn't mean that they're immune from those laws. And so with 
the technological advances that have grown, I think we ought to 
be looking at those approaches, enforce the laws we have. I 
think it's in the interests of the broad technology or Internet 
community to get this done, to make sure that you don't have 
people frustrated, aggravated, or sometimes insulted with some 
of the spyware and the adware with some of the pop-ups that 
come up that are inappropriate, and we all know what I'm 
talking about here.
    So I'd like to see a market-driven approach or solution. I 
want us to find ways to enforce our current laws and I do want 
to work with you as I have, both of you, great leaders in 
technology. What we all did with spam, what we've been able to 
do with Internet privacy matters, I think those would be the 
guidelines and philosophy I'd like to follow, and thank you 
again, Mr. Chairman and Senator Wyden for your sterling 
leadership once again.
    Senator Burns. Thank you, Senator Allen. I have just a 
couple of questions. Every time we start in on this kind of 
legislation, and I think Senator Wyden would concur that we 
spend a lot of time working on definitions, people define 
different terms and words differently. And we tried to do that 
in this, and especially it's very important whenever you start 
talking about this business of privacy. It's a very personal 
thing.
    Now, given what's been happening with the software that's 
downloaded into your computer that has basically set your 
computer to be a tool of somebody else and not always of your 
own, and we know that probably out of the millions of users of 
computers, probably less than a third of them read PC Magazine. 
What tool do we use to make people aware of this problem? And 
I'll let anybody comment on that.
    Mr. Berman. Well, certainly we have to let people know 
about the problem, and I think that hearings like this and the 
press coverage and so forth, but I think it's consumer 
education down at the, at the basic level. Last year and over 
the last couple of years, industry and public interest 
organizations like CDT created the Get Net Wise site, which 
provides information on privacy and what consumers can do 
about, even about spyware. It's just a beginning, but it's a 
consumer education program.
    But I don't think that we can begin there. We have to give 
people and the consumers some clear definitions of what we're 
talking about, and I think that some of the tools that are in 
your legislation are going to be necessary. It is one thing to 
find spyware or adware or a software program that takes over 
your computer and you can't uninstall it, and I don't know any 
consumer education program outside of a technical manual that's 
going to help you do that, and you got a technical person.
    Not everyone has a Web master like I do to take spyware off 
of my computer, so we need to, as in CAN SPAM, to provide some 
requirements. That if software is installed on your computer 
that it has to be, even with your consent, that it has to be 
removable, and SPY BLOCK moves in that direction. That's one of 
the things that no notice bill and no FTC proceeding is going 
to solve. It is going to require some legislative action.
    Senator Burns. Mr. Holleyman?
    Mr. Holleyman. Mr. Chairman, a couple of things. One, I do 
think that raising public awareness about this is critical. 
It's like this hearing, things that have been held in the 
House, the FTC workshop next month, the publicity on this I 
think is very important.
    Second, I think there will be more tools that will be made 
available by software developers that will be easily deployed 
that will let people track this. Third, I think we need 
aggressive enforcement, and we don't need to wait until a new 
law is passed, and a new law may be needed. But what we need is 
aggressive enforcement of existing laws to try to dry up the 
practice of commercialization of information that's seized in 
this fashion.
    Then I think there are other steps such as industry best 
practices, working with sort of new upgrades of software that 
will all yield hopefully to a much better environment than the 
status quo.
    Senator Burns. Mr. Naider?
    Mr. Naider. Yes, I'd like to follow up specifically what 
Mr. Holleyman said in the sense that industry standard-setting 
is really one of the major opportunities that the SPY BLOCK 
legislation presents in the sense that one of the themes that 
you hear emerging from this panel is the notion of consumer 
control.
    Dr. Levine made an interesting point, which is that whether 
its spyware or adware, a lot of consumers will say they don't 
like it, and I will readily confess that even WhenU software, 
we get many consumers who say they don't like it. We've done 
tens of millions of installs, but many consumers choose to 
remove it.
    The point is, that if you give consumers control and you 
set a standard by which a consumer makes a choice to install 
when they have this type of software, particularly adware that 
shows them ads, each ad is very conspicuously branded and 
addressed and makes it clear where it's coming from, the user 
is then easily able to uninstall.
    What you then do is you create a standard by which you 
don't undermine the technology, you don't take the 25 percent 
of the market that benefits from the technology, but you allow 
a set of standards to be set that the consumers ultimately do 
control, and that's ultimately what really infuriates 
consumers, when they don't have control, when they don't know 
what's happening to their computer, and when they can't do 
anything about it, and we do have the opportunity right here to 
address that.
    Senator Burns. Mr. Levine?
    Dr. Levine. If I may digress slightly, on the plane down I 
was reading a funny article about a fellow talking about the 
1930s and 1940s appliances in his house. He was talking about a 
toaster or something, and he said that he learned the hard way 
that the control on the toaster had a little rubber knob on the 
end which you had to hold, because if you touched any other 
part of the toaster, you'd be electrocuted. And we don't build 
toasters that way anymore, and no doubt at the time the toaster 
was built, there was a sign saying, only touch the knob.
    And I think a certain amount of labeling is useful, but I 
think that if you have a practice that consumers find so 
noxious and so uniformly contrary to what they expect, it's 
like with my example of the newspaper boxes. We could have a 
campaign to put signs on the boxes saying, danger, don't read 
newspapers with other people's stickers on them, but I think 
what we really need is a consistent policy about what sort of 
data collection is appropriate for computer software and what 
isn't so that users don't have to be worried every time they 
click somebody might steal their data, that they can be 
confident that their computers will work in a way they think is 
reasonable.
    Senator Burns. Well, I get the feeling that I'm going to 
have a follow up question for Mr. Holleyman, but I first want 
to get to my colleagues and we'll probably have a couple of 
rounds of questions here, but Senator Wyden.
    Senator Wyden. Mr. Chairman, gentlemen, the first question 
I'd like to start off with is whether or not you all feel there 
are legitimate reasons for software that doesn't allow a 
computer owner to delete it. Let's go right down to it. Maybe 
some technical reasons and that's what I'm interested in, but I 
mean, as a general rule it seems to me if the computer owner 
can choose to install it, he or she ought to be free to 
uninstall it, but I'd like to see if we can kind of just go 
right down the row and see if as a general proposition you all 
share that view. Start with you, Mr. Naider.
    Mr. Naider. We completely agree with that. Computer owners 
should have the right to install software and uninstall 
software. Occasionally, as in our business, for example, you 
see instances in where a consumer downloads a free piece of 
software, and in addition to that free piece of software, 
there's another piece of software that supports the free piece 
of software, for example, providing coupons and advertising. In 
those cases, we think the consumer should have the choice to 
uninstall as well by uninstalling the free piece of software 
and that goes with it.
    But under no circumstances can we imagine a scenario where 
a computer user shouldn't ultimately be the one to control what 
is and what is not on their computer.
    Senator Wyden. Anybody on the panel disagree with that? We 
can just go right down the row and save some time. I just want 
to see if as a general rule you feel that that's appropriate.
    Mr. Holleyman. I agree with your general rule, with your 
caveat that there may be technical reasons at times where you 
cannot uninstall something without harming the operating 
system, for example.
    Senator Wyden. Jerry?
    Mr. Berman. I agree that you ought to be able to uninstall 
and the principle--the right to uninstall, but right now you 
don't have the right to uninstall a lot of spyware.
    Senator Wyden. Right. Dr. Levine?
    Dr. Levine. As a general principle, I agree with everybody 
else. You need to be able to uninstall stuff. But I think what 
consumers are more interested in is the possibility of breaking 
stuff apart. For example, they'll install a program that does 
some useful thing and then it's bundled in with something else 
that they consider to be spyware, and they consider the program 
to be useful and the spyware to be useless and they'd like to 
be able to get rid of one without the other. That's where I 
think you run into these issues of what's uninstallable and 
what's not.
    Senator Wyden. I put into the record something that struck 
me as very plausible in one of the New York Times pieces 
calling for something similar to what we've introduced. They 
start--and I'll quote here--a good start would be to require 
all such programs to announce themselves clearly and define 
their functions, allowing the users to reject software that 
strikes them as intrusive. Anybody disagree with that?
    Mr. Berman. The issue is, what software under the, say, for 
example, legislative rule would have to announce itself and 
then you get to decide what is intrusive?
    Senator Wyden. Covert, secret.
    Mr. Berman. Well, if we define it that way, but some of the 
legislation unintentionally or even intentionally has defined 
the computer software to include any software resident on your 
computer and then you get to software that does some monitoring 
functions, diagnostics and so on, can be covered. It's not 
defined clearly in terms of computer software that does 
something that we would consider bad behavior.
    Mr. Naider. If I could follow up Mr. Berman's comment, I 
think one of the concerns with the legislation as currently 
worded is exactly what Mr. Berman is saying, which is that it 
doesn't say this explicitly in the legislation, but at least 
with regards to the advertising copy in the legislation, it's 
implicit that's it talking about pop-up advertising, just some 
of the language that's used to say it has to have a notice and 
each ad has to have a link to an uninstall.
    When you think about the future of this type of technology, 
many in the industry believe that software on your desktop, 
legitimate advertising software, will be done in many, many 
different ways. It may be in the form of toolbars that are on 
your computer, it may be embedded within your browser, it maybe 
is part of the interface of your ISP so that this notion of 
every piece of software announcing itself in the same way that 
would be contemplated for something, for example, that does 
pop-ups may be inappropriate.
    And one of the things that we think needs to be studied and 
looked at in detail with regards to any legislation is not what 
is the current practice of adware or software-based 
advertising, but what is the potential future universe of 
different activities that could take place that are very, very 
legitimate, very empowering to consumers. Can this bill broadly 
worded actually hinder that, and that's I think one of the 
concerns we have with the bill.
    Senator Wyden. Those are legitimate points. What we're 
trying to do is get at the secrecy, the secrecy that really 
invades the rights of the consumer that we've all been talking 
about.
    The third area I wanted to ask you about, Dr. Levine, was 
drive-by downloads and how easy it is to set them up. It 
strikes me as pretty good target, pretty fertile area for shady 
kind of people, but why don't you tell us about that?
    Dr. Levine. It's extremely easy, and it's easy for two 
reasons. One is that Microsoft Windows, which everybody uses, 
is just designed in a way that makes it really easy for third 
parties to install software into it, and in many cases that's 
fine. If you have a corporate network, the ability of the IT 
department to maintain all the computers in the company is 
fine.
    And if you have a website that uses a particular kind of 
audio or animation or something, the ability to say, oops, you 
need the Flash Player, would you like me to install it for you 
so you can see this cartoon, that's fine too.
    The problem is that the technical line between the Flash 
Player, which just shows you pretty pictures, and spyware that 
does malevolent things, is very narrow. It is both easy for 
people to install stuff without notice, and the other problem 
is that people install stuff so often, 3 hours it pops up and 
says, oh, here's a little component we'd like to give you. And 
from the consumer's point of view, it's very difficult to tell 
the notice between something malicious.
    Senator Wyden. Just a couple of other quick questions. I 
know my colleagues want to get into it. Mr. Holleyman, 
gentlemen, came out for going after electronic spying, but 
essentially felt that adware wasn't a major concern right now. 
He said it hadn't risen to the same level of concern. Mr. 
Berman and Dr. Levine, do you two view the proposition that 
pop-up ad software isn't yet a key consumer concern?
    Mr. Berman. I think because there are companies that are 
providing these programs and without clear notice and consent 
to the consumer or to all the users of a particular community, 
I mentioned the family example, that the pop-up ads are 
becoming in a consumer's mind another form of pop-up spam. In 
fact some of these programs also allow you to serve spam, but 
it's the pop-up ads are, I think, a nuisance to computers and 
interfering. If they don't have consent they are being served 
content which they really don't want.
    Now, the difference between what they want and whether 
they've consented is really how explicit the notice is, how 
clear it is, and how simple we make it, and there are no 
standards for that right now.
    Senator Wyden. Dr. Levine, you?
    Dr. Levine. There's no question that people hate pop-ups. I 
consult for one of the large travel websites that's used what 
we could call ``legitimate pop-ups'' extensively in their 
advertising, and they're legitimate in the sense that if you go 
to a site like ESPN, a site, the pop-ups ads that pop up are 
actually placed by ESPN and support the website, and even 
though they're, you know, by any business standard they're 
legal, people hate them, you know.
    And then we go on to the kinds of third party ads where, 
ads that--advertisements that weren't part of the original 
website, people hate those even more because they don't know 
who to blame. So I'd say from the point of view of consumers, 
it is a very big issue, and it's one that they really would 
like to have somebody fix.
    Senator Wyden. Yes, I don't want to jump on you on this 
point, Mr. Holleyman. I know you're sincere on it. But I think 
if you were to go out across the land today and ask people 
about pop-up ads software, they'd say, that stuff drives me 
nuts, I'm outraged by it. And we want to work with you, I mean, 
you're raising a lot of practical concerns about how to do it. 
But I got to tell you that we're not jumping you here today.
    Mr. Holleyman. Sir, I think there are two things here. One 
is we were trying to focus on what we think is the biggest 
current problem where we can both start deploying current laws 
and then fill in gaps with new legislation. Second, there's a 
pending bill before the Utah Governor that she has until, I 
think, midnight tonight to decide whether to sing or veto, 
there was a spyware bill passed by the Utah state legislature.
    Senator Wyden. I understand.
    Mr. Holleyman. There was a very broad group of technology 
companies and associations who met with the Governor last week 
to urge her to veto that bill to give their legislature another 
chance to look at this when they come back in session next 
year.
    One of the comments she made, that was made in the letter, 
and I do not represent advertisers per se, but I will simply 
pass this along, was talking about pop-up ads and talking about 
the importance of enabling local advertisers in Utah to be able 
to properly tailor advertisements to Utah-based citizens rather 
than only allowing broad-based national advertisers to have 
that broad reach.
    I don't know what the answer to that is, but I would 
encourage you to look at the letter that we submitted to the 
Utah Governor as one of the issues associated with this.
    Senator Wyden. One last question if I might. You, Mr. 
Holleyman, said that state AGs ought to be given enforcement 
authority in the area only if we have what you call, you quote, 
a ``Federal standard.'' So obviously what we think we're doing 
in the bill is establishing a Federal standard, and what I was 
curious about was whether this was really something that you 
want to just deal with as a preemption issue. Are you all 
calling for preemption? Is that something you'd support, 
Federal standard preempts states?
    Mr. Holleyman. If Congress moves in this area and 
determines if legislation is needed to close existing gaps, 
then there should be a Federal single standard that preempts 
inconsistent state laws.
    Senator Wyden. Mr. Chairman, thank you.
    Senator Burns. Senator Boxer.
    Senator Boxer. As a pop-up ad victim, those things are 
really the worst, and it's the whole point, I mean, and it 
shocks you. It's a very disconcerting deal, because when I'm 
working on my computer I'm working on something, and it's just 
like, I mean, my grandson knows don't bother Grandma right now. 
I'd rather be disturbed by him than these idiotic things, some 
of which are foul.
    But here's the point. I think if we do work together and we 
can make this happen right, you'll wind up being happy because 
you don't want Utah doing their thing and you don't want 
California doing their thing and so on and so on and Virginia. 
We've got to get together here and have some answer to this 
thing.
    Mr. Holleyman, when you say you don't represent advertisers 
per se, what does that exactly mean?
    Mr. Holleyman. I represent companies who certainly 
advertise, as most commercial businesses do, but I'm not 
speaking on the adware issues or representing companies who are 
making a profit out of selling advertising.
    Senator Boxer. Say that--you represent advertisers, but----
    Mr. Holleyman. I represent major companies who all 
advertise their products, but I'm not representing companies 
such as the colleague at my right, who are in the business of 
providing advertising services.
    Senator Boxer. OK. Well, you know, I don't want to prolong 
this because I just, for me certain issues are a no-brainer. 
This--for what--it's simple. You know, this is not a good thing 
that's happening to folks, and in the end it's going to drive 
people away from their computers and that's not a good thing. I 
am very much in favor of all of this information-gathering, and 
I can tell you, you're sitting there, you're trying to do some 
work, you're trying to get information, and you're just 
bombarded and it all happened because somebody spied on what 
you were looking and I looked at shoes and they're advertising 
shoes. This thing has got to go. This is not a good thing. And 
so, yes, Mr. Berman, I don't have----
    Mr. Berman. I have problems with pop-up ads from downloaded 
spyware. I actually have an ad program that runs on my mail 
program, it's serving me ads, and the reason I'm getting the 
free mail service is they're serving me ads, they're getting 
some revenue from it.
    I consented to it. It's very clear on my desktop what's 
happening and if I don't want it I can pay for a different 
program and the ads disappear. And if I want to uninstall it, I 
just take that program and get another program. That kind of 
transparency I think is where consumers want to go.
    Also, while we may not like pop-up ads, that is a much 
larger and different, and sometimes different issue than 
spyware. Pop-up ads are being served without spyware, and so we 
got to put things in boxes and say what is the most important 
thing that we want to deal with.
    And I got to one more time make this point, that the 
privacy issue, which is only one part of this spyware problem, 
is the collection of information without your consent. It may 
be through a program on your--but it goes back to Senator 
Allen, the privacy bill that passed out of the Commerce 
Committee, it may need--maybe there wasn't a giant 
Congressional consensus, is still not law. We do not have 
online privacy legislation which defines the fair information 
practice for online privacy for websites, for companies doing 
business on the Internet.
    We are relying on important self-regulation. Good companies 
are doing a great job at trying to give you privacy notices on 
their website. But I point out when you're dealing with 
spyware, you're finding out that there are always outlaws and 
outliers using new technology to do the same thing, take 
information without notice and consent. And until we have some 
rules about that, which goes back to Burns/Wyden 1, we're not 
going to solve the privacy problem, and to try and do it for 
spyware, like say, well, we have a cookies bill and a spyware 
bill and a spam bill, it begins to become a crazy quilt, which 
is what we want to try to avoid when we ask for Federal 
legislation, some coherent, overall policy.
    And we need privacy policy in this area. It doesn't have to 
be, you know, terribly burdensome, but it has to inform both 
good companies and bad companies what the rules are here for 
collecting information about consumers and users on the 
Internet. We don't have that.
    Senator Boxer. Mr. Berman, let me just say, I have no 
disagreement with anything you said, but I'm also a practical 
legislator.
    Mr. Berman. Right.
    Senator Boxer. And I can tell you now, the reason I was so 
proud of my colleagues and teamed up with them on spam and 
these other issues is because sometimes you can't get that 
overall, but I agree with you, it's all a matter of consent, 
that's really the bottom line. But also consent that's obvious, 
that is easy to figure out, so that it's not such a difficult 
hurdle that you have to do 17 things to get out of this deal. 
That isn't any good. It's got to be something straightforward. 
That's what we've been trying to do.
    Mr. Berman. This may be one time when consumers are going 
to become so outraged by this kind of behavior that different 
laws are going to pass in Utah, pass like that, may not be 
signed into law, that it may be the better part of valor to 
revisit, maybe not in an election year but maybe early next 
year, trying to develop some baseline standards again as part 
of the tradeoff of resolving a set of issues that surround, 
that beg for a solution, but do not beg for a solution that is 
technology-specific, because that is anathema to innovation and 
to the Internet to go technology by technology.
    Mr. Naider. If I can add, specifically for Senator Boxer's 
very good point about consumers hating pop-ups. I think one of 
the things that we have to all recognize is that these types of 
bills are strangely affected by consumers' general dislike for 
pop-up advertising. For example, if you said to an average 
consumer, do you like pop-ups, most consumers would say no, I 
dislike pop-ups. If you said to a consumer, would you want a 
piece of software that alerts you to a $30-off coupon when 
you're about to make a purchase, most consumers would say yes.
    The important thing is to recognize that the pop-up problem 
is a much, much, much larger problem online than sort of a 
narrow problem as a result of either spyware or adware, et 
cetera, and that in the course of trying to address consumers' 
concerns with pop-ups, specifically a sense of feeling 
bombarded or being hit with pop-ups that don't come from 
anywhere, we have to be very careful about not affecting or 
ruling out software that can actually be tremendously 
beneficial.
    And when you think about where the Internet is in 5 or 7 
years, is it desirable for most computers to have software on 
their machines that, as a consumer's navigating the Web, in 
some way, shape, or form is alerting them to maybe three other 
places where they can buy a mortgage or to a great deal on 
travel? When you're looking at a hotel in New York City, should 
a piece of software be allowed to tell you about a place where 
you can get that hotel for 50 percent off? Many people would 
say yes, and we just want to make sure that this legislation 
covers that.
    Mr. Berman. But there's a problem. It's when, who's saying 
yes and consenting to this software being loaded on your 
computer? Many of these pop-up adware programs are added as 
piggy-backed on top of peer-to-peer network software. I mention 
these, there are a number of adults in different offices had 
their computers swept for spyware, and there are just many, 
many programs there. And how did they get there? It's because 
their teenagers are out in peer-to-peer networks signing up for 
file-sharing programs, for music and so on, and maybe that's--
put aside the copyright issues, but still, that software is 
being loaded on your computer and it's there delivering ads to 
a lot of people who don't' want them.
    It's how clear is the consent and can you really get out of 
these programs? WhenU says it's easy to uninstall their 
programs. I know some programs which are really hard to 
uninstall. I don't know how we can do this except by Congress 
saying that some of this behavior on hijacking computers is 
unacceptable.
    Dr. Levine. If I could add a little bit there. Something 
that's sort of unique about software is that you consent once 
but then it annoys you forever, which is somewhat different 
from other software.
    Senator Burns. Sounds like marriage, doesn't it?
    Dr. Levine. I plead nolo contendere, sir. But with most 
software you install the software and you consent, but once 
it's installed, it only runs when you tell it to. Spyware is 
unusual in that it sits there and it gives you, you know, it 
gives you stuff that may or may not be helpful, you know, 
whether you ask for it or not. In my case, I don't want Windows 
to pop up and tell me when I can get cheaper hotels because I 
know if I want a hotel comparison website I know where to find 
one.
    Senator Burns. Senator Allen?
    Senator Allen. Thank you, Mr. Chairman. You know, you all 
did a great job on spam. My general view though is pop-ups are 
worse than spam. I had an account set up with Yahoo--huh?
    Senator Burns. It's a form of spam.
    Senator Allen. It is, but the spam is usually associated 
with e-mail, and I finally found this e-mail account and said, 
all right, go in there, use it through Yahoo, it's what I use 
as my website, or home page. And this is I don't know how many 
months, there are just hundreds and hundreds of e-mails in 
there and they were on mortgages, travel bargains, gambling, 
pharmaceuticals, pornography, whatever all it was, all these e-
mails. And it's very easy to get rid of them. You select all 
and delete and that's it.
    Pop-ups you have to click them off. As far as advertising, 
I like to read the newspapers. I read the Richmond Times-
Dispatch or the Post or the Washington Times, whatever it may 
be, the Bristol paper. At any rate, they have advertising for 
realtors there and whatever other things they may want to 
advertise, but that's not invasive, that's just on the side of 
the article. You go on, say, Buccaneers.com, they're selling 
stuff, Raiders.com, Chiefs.com, whatever it may be, they're 
selling things, jerseys and whatever, and that's not a problem, 
the pop-ups are.
    Now, in listening to all of this maybe we can get this 
agreement from this hearing and why we may need to have Federal 
legislation in light of Utah. Will you all agree that any 
legislative approach should establish a national standard, 
avoid a patchwork of state regulations, and target bad actors, 
not necessarily harm legitimate online business? Do you all 
agree on that?
    Mr. Holleyman. Absolutely.
    Mr. Berman. Yes.
    Senator Allen. Well, that's where we're going to have to go 
now. The details of some of these, the definition and so forth, 
there is that agreement on it. And, of course, Mr. Holleyman, I 
like your approach, e-spying, ban behavior not technology, 
that's the approach.
    Now, we've heard about all these statistics regarding the 
amount of spyware on consumers' computers, which is all very 
disturbing and worrisome. According to Mr. Holleyman, spyware 
amounts to an abuse of technology. Clearly that is the case. 
Now, can any of you all share with us and the public what is 
the technology industry doing to help address this problem? If 
we're trying to educate the public, what is the technology 
industry doing to address it, other than dragging some guy 
who's an expert or person who's an expert to try to stop it?
    Mr. Berman. There are a number of technologies which are 
being offered. Earthlink has a spy audit and America Online is 
also offering a package which helps users of their services 
sweep, detect, and eliminate spyware, so there's a technology 
solution. I know that Microsoft is working on part of those 
solutions. We've been trying to convene a group of industry and 
public interest organizations to try and sort out what's being 
done, what can we do through self-regulation, what can we do 
through standards, what falls into the need for legislation and 
can we define bad behavior. And it's, I think it's going to be 
a mix of all those.
    We've also worked on a standard called P3P, which allows 
companies to express their privacy policies in code, which can 
be read by a consumer who can set their settings to what they 
want, and if that was widely adopted, it would be much more 
transparent to deal with companies like, that promote spyware 
or adware. You would be able to do a lot of negotiation or at 
least be able to say this is consistent with what I want as a 
consumer and say yes or say no.
    And so there are technology solutions that are out there, 
but I think that it's going to have to be a mix of technology, 
self-regulation, and legislation. But the self-regulation in 
this area I don't think is going to come until we have some 
clear standards, and if we have some clear standards, some of 
it's going to have to be put in the legislation.
    Senator Allen. Mr. Holleyman?
    Mr. Holleyman. There are technological solutions that are 
both being made available now and that companies are actively 
working on for their next generation of products. I agree with 
everything that Mr. Berman said that a combination of consumer 
education, technology tools, and best practices that we're 
eagerly working on with Mr. Berman's group and others. It may 
well take targeted legislation, and also enforcement of 
existing laws. I want to reiterate that the status quo is not 
acceptable. Something needs to be done. It's just a question of 
how do you then tailor that new legislation to deal with it.
    Senator Allen. Dr. Levine, what's your perspective of the 
technologies that are available, and maybe people are not 
availing themselves of them?
    Dr. Levine. There are certainly some technologies. There's 
the programs Mr. Berman referred to. There's also some fairly 
nice free programs called Adaware and Spybot. But I'm still 
concerned that it's difficult for consumers to make rational 
tradeoffs here. I can't tell you how many times I talk to 
someone, I say, do you believe that your personal privacy 
online is important? Of course. But then they say, well, you 
know, would you provide your name, address, Social Security 
number, mother's maiden name, and annual income in exchange for 
a raffle ticket for a $5 plush animal, and they all do.
    Senator Allen. Well, that's----
    Dr. Levine. Well, and I realize we can't keep people from 
being naive, but I think people don't appreciate sort of the 
value of what they're giving away and the risks they're 
entering into. So, I realize none of us are interested in 
having a nanny state here, but I do think that it's important 
to recognize the value of the data these things can collect and 
I think it's reasonable to put some fairly strong hurdles in 
the way of saying, you know, do you really want to give this 
up, is what you're being offered really valuable enough to be 
worth this exchange?
    Mr. Berman. One point on that, which is that the risk 
involved and the tradeoffs, sometimes consumers are given the 
opportunity to get a free program or free service in exchange 
for signing up for an adware program which is essentially 
downloaded on their computer, but they're not necessarily up 
front, and this is something that SPY BLOCK tries to deal with. 
They're not given up front any knowledge of what that adware 
program is going to do and how many ads and how intrusive it's 
going to be and when it's going to come, so they're signing up 
without real knowledge of what they're getting into. Maybe 
that's solved by the ability to uninstall, but uninstall is----
    Dr. Levine. No, because once you've given your data away, 
since the U.S. has no tradition of strong data protection laws, 
once somebody's collected your data, they've got it, and if 
they then transfer it from place to place to place, we all know 
stories, we've all heard stories about somebody who disclosed 
information one place and it ended up someplace really much 
worse and far away.
    Mr. Berman. Well, I put those in box one, which are privacy 
violations. There are also ad services who are not collecting 
information, and I want to make clear that they raise a 
problem. Even though they are not violating privacy, they are 
raising issues of user control over their computer.
    Senator Allen. Mr. Naider?
    Mr. Naider. And we are trying to address it, I guess, at a 
slightly different angle, which is economically. We've put 
together what we call our five points definition of what is the 
difference between legitimate adware versus spyware. 
Interestingly enough, adware used to be a positive word. We put 
out press releases 2 years ago talking about our own adware. I 
wouldn't think of putting out a press release today mentioning 
adware in conjunction with our product because it's become a 
loaded word because there are some folks that claim they're 
adware and actually are spyware.
    We've actually put out a definition that we're trying to 
promulgate within the industry, and that definition has five 
points, and point number one is the disclosure. When you 
initially install it, it has to be visible, right in front of 
the user, that the presence of additional software is something 
that if the user takes the time to read is visible, it's not 
buried six pages down in a license agreement.
    The second thing is that the license itself for this type 
of technology needs to be clear, concise, and understandable. 
We use a two-page license agreement to the dismay of our 
lawyers because we basically said that anybody who reads a 
license agreement should be able to understand it in 5 minutes. 
We think the second point is the disclosure of the license 
agreement and making it clear and concise.
    The third point is the branding, specifically if you 
display Windows or add Windows such that consumers don't wonder 
why I am seeing this ad, whether they may like it, like Dr. 
Levine--they may not like it like Dr. Levine or like it, like 
some other folks, it should be very clear where it's coming 
from, why it's there, and who is delivering it.
    The fourth point is ease of uninstallation. Consumers that 
don't want the software should easily be able to uninstall it, 
should make a choice. With respect to what the Senator 
mentioned before, there is actually a big difference between 
spam and legitimate desktop advertising software. Actually I've 
tried many times to stop spam to my office mailbox. I can't do 
it. But if you want to uninstall software that's legitimate 
software, it's actually easy to uninstall it. So if you abide 
by that fourth point of uninstall, then we consider that in 
keeping with this philosophy of being adware and not spyware.
    And the fifth thing is privacy protection, which is, 
regardless of whether you get disclosure, regardless of whether 
you get a license, regardless of whether you brand and you make 
it easy to uninstall, if the practices that you're doing 
involve keystroke logging, collection of personal information, 
then it doesn't matter that you got all this because there may 
unwary consumers that agree to it.
    So we believe that by putting out this five points of what 
defines legitimate desktop advertising versus spyware, we can 
actually create a definition where those who claim that they're 
doing legitimate advertising were actually spyware don't 
survive economically, because the advertisers who use it 
basically say, are you adhering to these five points, are you 
doing this legitimately, and if not we're not going to spend 
money with you. And that's our approach and we actually hope 
that this type of legislation will look at these different 
pinnacles of disclosure, license, branding, uninstall, and 
privacy, and be able to set that standard as well for the 
market.
    Senator Allen. Are you saying, final question, I'm like Dr. 
Levine. If I want to figure out how to get a flight from one 
place to another, again, Yahoo will have Travelocity linked up 
with it or whatever. There's a--you can find it, you can search 
and find it without somebody saying, here, you can be on a 
cruise or you can get these discount rates and so forth. I'd 
just as soon not have to click them off and have them covering 
up what I'm trying to read.
    Now on your--you seem to have some standards, those don't, 
which make a great deal of sense. Let me ask you this though. 
How easy is it for someone to remove on your software? Say 
there's someone like me or Dr. Levine who, I don't care, it is 
good to know where it came from, the source of it is good, that 
obviously would be wonderful as a way of knowing the source or 
you can figure out how they got your name and then blame them 
rather than some of the deceptive things, you think it's coming 
from AOL or Microsoft when they have absolutely zero to do with 
it. And you see AOL or you see Microsoft and it connotes a 
certain credibility and credence, so I think it's great to have 
that tracing.
    But how easy is it, or how would someone who doesn't want 
to get your advertising through WhenU.com, how easy is it to 
remove it?
    Mr. Naider. I think the numbers speak for themselves. We've 
done over 100----
    Senator Allen. I missed your testimony, so I'm sorry if 
you've already said this.
    Mr. Naider. That's OK. We've done over 100 million unique 
installations of our software and initially about 50 percent of 
people kept it and now 80 percent remove it. Now, that's a 
challenge for us. Part of the reason that they remove it is 
because there are so many other programs not adhering to 
standards that they just get an Adaware program and everything 
gets removed.
    But the answer is, it's very easy to remove. It can be 
uninstalled through your control panel add/remove, which is the 
standard way for uninstalling software, and more importantly, 
each ad unit tells you directly how to get information about 
uninstalling where it says, go to your control panel and do it.
    So the empirical evidence is that it's very easy to 
uninstall, and as a result, we freely acknowledge that there 
may be consumers that don't want to see a coupon when they're 
about to shop and don't want to see, but to the extent that 
there are consumers that do and that it's quite beneficial to 
either have that software for its own merit or maybe you're 
willing--maybe you don't want to see it but you're willing to 
see it because you get a free sports ticker program. There are 
many consumers like that. They decide, well, I don't 
necessarily love the idea of seeing a coupon or a free travel 
ad, but you know something, I get a free sports ticker, so I'm 
happy to do that.
    We want those consumers to have that choice. By following 
these types of standards, you give the consumers a choice. By 
making any unilateral decision one way or the other, you don't 
give them the choice, and we hope that that's what this 
legislation accomplishes.
    Senator Allen. Understood. How many others in your business 
have the facility of removing pop-ups that you all do?
    Mr. Naider. It varies dramatically. There are others--we 
are certainly the leader in the industry in terms of the 
standards that we set and there's a full spectrum of activity 
from folks who don't necessarily adhere to every one of these 
points, maybe four or five, to folks who absolutely make it 
impossible to know that--or do their best to make the consumer 
unwary that they've installed it, once it's on the desktop, no 
branding, no idea that these pop-ups might be coming from 
software, no easy way to uninstall.
    So the answer is that there's a full spectrum of activity 
and we hope to combat it both through, you know, we hope that 
your efforts, as the Chairman and the Senators of this 
Committee through legislation will combat it, and our efforts 
from the standpoint of market education will allow certain 
models to emerge and to develop and to meet what ultimately can 
be very, very, very pro-consumer, pro-competition, pro-
comparative advertising type of standards and other models to 
disappear, so that the experience, the nightmare experience 
that people have, and I've heard this many, many times, you 
know, the nightmare experience that you have is I have 12 
things on my computer, I have no idea where they come from, I 
don't know how to stop them. We want to see that disappear as 
well.
    Senator Allen. Thank you, Mr. Naider.
    Senator Burns. Mr. Holleyman, I referred to a while ago, do 
you think right now there are enough laws on the books with 
regard to privacy that we could deal with this SPY BLOCK or 
spyware without passing this legislation?
    Mr. Holleyman. There are laws related to deceptive 
advertising through the FTC Act, the Computer Fraud and Abuse 
Act, all of which can be applied and should be applied, and I 
am very much holding open the possibility there may need to be 
additional legislation that's behavior-based to close the gaps.
    Senator Burns. Would you agree with that, Mr. Berman?
    Mr. Berman. I agree that we're going to need legislation to 
close the gap because there is--we need to look at where it's 
clear hijacking of computers and not allowing you to uninstall 
and taking over your Web page and a lot of behavior that's in 
our FTC complaint against a company or two. We may need to--
existing law may cover it, we need to try and figure out where 
it falls short and come back and fill in the gaps working with 
you.
    With respect to the privacy issue of collection and 
dissemination of information without notice and consent in this 
area we need legislative standards.
    Senator Burns. Whenever you start talking about national 
standards and this type thing, we ran into something in spam 
and I think that we should also look at it, because with our 
visits with our international friends, this just isn't a 
national problem. In other words, everything that this spyware 
can be installed from not necessarily friendly soil, so to 
speak.
    Do we need to work with our international partners to also 
craft legislation that would work in their countries and 
recommend they do so?
    Mr. Berman. I would recommend that we try and sort this out 
first.
    Senator Burns. Here?
    Mr. Berman. Here. And so that we know, maybe we have some 
consensus about what we're talking about. Right now it's a 
tower of Babel as far as I'm concerned. I mean, what's in and 
what's out? But I think if we get down to some bad behavior, 
which is like CAN SPAM, let's get some real things that we, you 
know, res ipso locutor, the thing speaks for itself, we 
understand it, this is bad, let's get it. Then I think we can 
begin that dialogue.
    I agree that this is not something that because we pass a 
law it's going to be solved, because spyware can be served from 
overseas. That's why, you know, ideas like a do-not-spyware 
list won't work, I mean, because we're dealing with a global 
network. That's why we need technology solutions as well as----
    Senator Burns. Yes, sir.
    Mr. Holleyman. Can I make two points on that? One, we were 
of the view that a behavioral-based approach would give us the 
quickest, fastest tools in this country to try to address the 
problems. Second, because we work as BSA on a global basis on 
public policy laws, I think there is a reason to look carefully 
at trying to avoid having to define what software looks like 
and what technology looks like, because if we adopt that 
approach in the U.S. rather than the behavioral approach, 
presumably we're going to be asking all of our major trade 
partners to pass similar legislation that defines the way 
software looks, and the same technology that can be used for 
bad purposes for spyware may provide good future uses of 
technology in areas like diagnostics and security tools.
    So if we can avoid having to create here and then around 
the world a definition for how we create software and deal with 
the behavioral approach, we think we'll be better off.
    Senator Burns. You see, it's my thought on this thing that 
Mr. Naider is in a legitimate business. He is a legitimate 
operator and entrepreneur and runs and business and I think the 
standards are very important, because if we get the bad guys 
out there doing bad things, it does bad things to you. You get 
a bad reputation, and that's what we want to do is for the 
industry to come together. Basically that's what we did with 
spam is it forced industry to sit down and talk to another and 
say, OK, how are we going to deal with this, and then they 
said, yes, we need a law, and yes, four of the biggest ISPs 
there is in the country filed a lawsuit on some of these people 
who are really basically clogging their pipes. In other words, 
they just can't handle everything that they throw at them.
    So most everybody else has answered my question. I've sat 
here very interesting, but I do want to work with all of you--
you had some other--you got a another question? A couple more, 
OK. With respect to how we define and to see if we can't do the 
same thing with this legislation as we intended with CAN SPAM, 
is the industry has to come together to the table and help us 
with those standards. You can't let government set the 
standards. If we do, we'll be locked into technologies.
    I can remember first, when I first come here, we flew out 
to the consumers electronics convention in 1990 to Las Vegas 
and we were going through this debate on who's going to 
standards for high definition television. And there were some 
people out there very well-intended that says government has 
got to set the standards. And I said, if government sets the 
standards, then we're going to be locked into that because it's 
hard to change and technology moves too fast, that if 
government sets it, then we're locked into that situation.
    So we want to work with you very, very closely on 
definitions and allow the industry to come together and to 
really identify the bad guys and help us a little bit, because 
self-policing effect does have a cooling effect on those people 
who would do bad things. Senator Wyden.
    Senator Wyden. Thank you, Mr. Chairman. You have really 
spoken for me in that regard. I think you've laid out the 
challenge very well. We're going to need to work closely with 
all the people at the table if we're to move this and that's 
what we've tried to do so often in the past and I appreciate 
your making that comment.
    Just a couple of clean-up points that I'm interested in in 
terms of where we go. As you all, I think, have picked up, as 
Senator Burns and I have really had a little bipartisan island 
here where we have tried to kind of prosecute these causes that 
obviously are complicated and technical and sort of learn as we 
go, and I sort of sense a little bit of a reversal of position 
in terms of you, Mr. Holleyman. I just want to kind of make 
sure I'm sensing this.
    When I see your suggestion that Congress, and I quote here, 
simply prohibit the distribution in interstate commerce of user 
information obtained electronically from an individual's 
computer unless the person seeking to sell the information can 
show it was collected with the user's explicit permission, and 
explicit would obviously be a definition, that certainly raises 
the prospect of your organization supporting a general online 
privacy bill.
    Now, that's something that you all have been concerned 
about in the past and have wanted it to be much narrower, but I 
suspect that as this gets more complicated and we deal with the 
state and Federal issues and states going off on their own, 
people naturally are going to start to look at this differently 
without going into all of the issues that that statement raises 
about whether it apply only to software downloaded to a user's 
computer or to websites a user visits, there's score of issues.
    Are you all moving generally in the direction of a general 
online privacy bill?
    Mr. Holleyman. We're not in a position at this point to 
raise a general online privacy bill. We do think that there are 
very legitimate privacy issues that are being addressed in part 
in the marketplace today and for most online experiences. But 
what we do think is, specifically, with regard to spyware is 
what we need to do is create a mechanism that dries up the 
market for information that's obtained and exploited 
commercially, where there is not a clear understanding that 
such information can be sold and distributed.
    Senator Wyden. I won't belabor this, but other than the 
definitions about explicit permission, that sentence I read 
sure sounds like the predicate for a general online privacy 
bill, which takes us back to Burns/Wyden 1 and would, I think, 
be very much worth pursuing. Chairman Burns and I have done all 
of this in total lock step along the way, but we tried this 
years ago and I personally would be very excited if you and Mr. 
Berman possibly could guide the Committee back to what Chairman 
Burns and I tried to do years ago. We're going to try and get 
this bill passed because I think we've seen tremendous 
unhappiness, but I'm sort of trying to, with all of you here, 
to sort of lay the groundwork, because when I read that 
sentence, it struck me, and I haven't compared your testimony 
and everything else. That that was beyond where you all had 
been in the past and was sort of encouraged about the 
possibility that we might get the two of you to be a bulwark 
for--look at Jerry, he's----
    [Laughter.]
    Mr. Holleyman. I'd be happy to talk about this any time.
    Senator Wyden. I won't belabor it. I was encouraged by it. 
One other technical kind of question, a security question for 
maybe you, for Dr. Levine and Mr. Berman. We haven't talked a 
lot about it today, but certainly this issue of security risks 
with respect to downloaded software, I mean, even if the 
software isn't malicious, isn't is possible that well-meaning 
software could, in effect, leave the back door open, making the 
computer more vulnerable to viruses and hackers?
    Dr. Levine. It happens all the time.
    Mr. Berman. In fact, it's the vulnerability of computers 
that some of these spyware programs are exploiting, back door 
vulnerabilities and creating security breaches of their own, so 
that's something that we have under study and which this 
working group is looking at, but it is certainly one of the 
reasons why, one of the motivating reasons why we have to think 
about really closing these loopholes and closing this problem 
down.
    Senator Wyden. That struck me as something that really 
hadn't been mentioned, but we're going to think of this 
primarily as something that's intrusive and violative of those 
who own computers, but also strikes me as opening up a real 
glide path for bad guys and an opportunity to have some real 
security vulnerabilities.
    Dr. Levine. I think a lot of what these programs do now 
should be, probably is illegal already under--in computer 
tampering laws, and it's possible that it might be useful to 
have a statute that makes it more clear that this particular 
kind of tampering is what you contemplated in the existing 
tampering acts, so each case doesn't have to come through and 
sort of educate the judge and say this sequence of events means 
you broke this law.
    But in general, yes, the security problems on users' PCs 
are enormous and spyware jumps through some of them and causes 
others.
    Senator Wyden. Mr. Chairman, excellent hearing and I'm 
looking forward to working with you and like we've tried so 
often to sort of begin another journey and I look forward to 
doing it with you.
    Senator Burns. Well, and this may take more than four--I 
hope it takes less than 4 years, but at least we're started. I 
want to reiterate that SPY BLOCK requires notice and consent 
for four types of potentially damaging software, software which 
collects information about consumers and transmits to third 
parties over the Internet, adware providers are required to 
tell consumers what types of ads will pop up on users' screen 
and what frequency, Software that modified user settings like 
changing their home page and software that uses distributed 
computing to use part of the computer processing power in the 
background.
    You know, we've all time--Mr. Naider, and just one follow 
up and I thought about, you've given us a good scenario on your 
business, legitimate, run professionally. Give us an example of 
when you go too far. In other words, just give me an example.
    Mr. Naider. I'd be happy to.
    Senator Burns. Just for the record.
    Mr. Naider. Be happy to. A consumer installs a piece of 
software in the course of installing some other piece of 
software where there's absolutely no visible disclosure, 
there's some disclosure buried perhaps six pages deep in the 
license agreement. Once on the desktop, there's no visible 
indication to the consumer that they have that piece of 
software, whether it shows ads or not. It may show ads, whether 
it's pop-ups or other types of ads, but there's absolutely no 
indication to the consumer that those ads are coming from 
software. The consumer just wonders. Or if it doesn't show ads, 
the software captures things like personal information or 
keystrokes or zip code location, et cetera. And then the 
consumer is not given any information about the software or how 
to uninstall it.
    These are things that we see every day in our business and 
we know that it exists and there's a full spectrum of activity 
and we believe that that type of activity needs to be curtailed 
for the health of the industry, for the health of consumers' 
computers, for the health of the industry as well.
    Senator Burns. Well, I know identify theft and of course 
credit card numbers are worth lots of money.
    Mr. Naider. Absolutely.
    Senator Burns. And that's where the bad guys come in. Thank 
you for your testimony today. We look forward to working with 
all of you. We're going to leave the record open for the next 2 
weeks and if there are questions from the other members of the 
Committee, please respond to them and the Committee. Thank you 
for coming today and these hearings are closed.
    [Whereupon, at 4:07 p.m., the hearing was adjourned.]

                                  [all]

                  This page intentionally left blank.