[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



                COMBATING SPYWARE: H.R. 29, THE SPY ACT

=======================================================================

                                HEARING

                               before the

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                            JANUARY 26, 2005

                               __________

                           Serial No. 109-10

                               __________

      Printed for the use of the Committee on Energy and Commerce


 Available via the World Wide Web: http://www.access.gpo.gov/congress/house


                    U.S. GOVERNMENT PRINTING OFFICE
99-899                      WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                               __________
                    COMMITTEE ON ENERGY AND COMMERCE

                      JOE BARTON, Texas, Chairman

RALPH M. HALL, Texas                 JOHN D. DINGELL, Michigan
MICHAEL BILIRAKIS, Florida             Ranking Member
  Vice Chairman                      HENRY A. WAXMAN, California
FRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               RICK BOUCHER, Virginia
PAUL E. GILLMOR, Ohio                EDOLPHUS TOWNS, New York
NATHAN DEAL, Georgia                 FRANK PALLONE, Jr., New Jersey
ED WHITFIELD, Kentucky               SHERROD BROWN, Ohio
CHARLIE NORWOOD, Georgia             BART GORDON, Tennessee
BARBARA CUBIN, Wyoming               BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
HEATHER WILSON, New Mexico           BART STUPAK, Michigan
JOHN B. SHADEGG, Arizona             ELIOT L. ENGEL, New York
CHARLES W. ``CHIP'' PICKERING,       ALBERT R. WYNN, Maryland
Mississippi, Vice Chairman           GENE GREEN, Texas
VITO FOSSELLA, New York              TED STRICKLAND, Ohio
ROY BLUNT, Missouri                  DIANA DeGETTE, Colorado
STEVE BUYER, Indiana                 LOIS CAPPS, California
GEORGE RADANOVICH, California        MIKE DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire       TOM ALLEN, Maine
JOSEPH R. PITTS, Pennsylvania        JIM DAVIS, Florida
MARY BONO, California                JAN SCHAKOWSKY, Illinois
GREG WALDEN, Oregon                  HILDA L. SOLIS, California
LEE TERRY, Nebraska                  CHARLES A. GONZALEZ, Texas
MIKE FERGUSON, New Jersey            JAY INSLEE, Washington
MIKE ROGERS, Michigan                TAMMY BALDWIN, Texas
C.L. ``BUTCH'' OTTER, Idaho          MIKE ROSS, Arkansas
SUE MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee

                      Bud Albright, Staff Director

      James D. Barnette, Deputy Staff Director and General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                  (ii)






                            C O N T E N T S

                               __________
                                                                   Page

Testimony of:
    Baker, David N., Vice President, Law and Public Policy, 
      Earthlink, Inc.............................................    14
    Rubinstein, Ira, Associate General Counsel, Microsoft 
      Corporation................................................    17
    Schmidt, Howard A., President and Chief Executive Officer, 
      R&H Security Consulting....................................    24
    Schwartz, Ari, Associate Director, Center for Democracy and 
      Technology.................................................    28
Material submitted for the record by:
    Information Technology Association of America, white paper 
      entitled, Spyware, Supportware, Noticeware, Adware and the 
      Internet...................................................    57
    Webroot Software, Inc., prepared statement of................    54

                                 (iii)

  

 
                COMBATING SPYWARE: H.R. 29, THE SPY ACT

                              ----------                              


                      WEDNESDAY, JANUARY 26, 2005

                  House of Representatives,
                  Committee on Energy and Commerce,
                                            Washington, DC.
    The committee met, pursuant to notice, at 10:23 a.m., in 
room 2123 of the Rayburn House Office Building, Hon. Joe Barton 
(chairman) presiding.
    Members present: Representatives Barton, Hall, Stearns, 
Gillmor, Deal, Whitfield, Cubin, Shimkus, Shadegg, Pickering, 
Buyer, Radanovich, Pitts, Walden, Terry, Ferguson, Rogers, 
Otter, Myrick, Murphy, Burgess, Blackburn, Markey, Towns, 
Eshoo, Stupak, Wynn, Green, Strickland, Schakowsky, Solis, 
Gonzalez, Inslee, Baldwin, and Ross.
    Staff present: Bud Albright, staff director; Andy Black, 
deputy staff director; David Cavicke, chief counsel; Chris 
Leahy, policy coordinator; Shannon Jacquot, counsel; Will 
Carty, professional staff; Billy Harvard, legislative clerk; 
Julie Fields, special assistant to policy coordinator; Consuela 
Washington, minority senior counsel; and Ashley Groesbeck, 
research assistant.
    Chairman Barton. The committee will come to order.
    Good morning, and welcome to all members and guests for the 
first hearing of the Energy and Commerce Committee for the 
109th Congress.
    I want to welcome our new members on both sides of the 
aisle. We will have a formal recognition of each of you at the 
appropriate time when the former Chairman Dingell is here. He 
is in a Democratic Leadership meeting and may not be able to 
attend. So we will save the formal introductions for another 
time.
    Today, our committee is going to receive testimony on 
legislation to protect consumers against Internet spying. 
Legislation, I should add, that last year passed through this 
committee on a 45-5 vote, and then on the House floor 399-1. 
Not only did the bill receive overwhelming support from our 
members, but from many technology companies and associations, 
including Yahoo, eBay, AOL TimeWarner, Dell, Microsoft, 
EarthLink, and the U.S. Telecom Association.
    The reason for the broad support of the bill is evident: 
the problem of Internet spying has grown to a critical point. 
Internet and technology companies are swamped by complaints and 
calls from their customers, not only asking for help in 
cleaning their computers of these programs, but also expressing 
real anger that their machines are continually slowed or 
stopped by simply navigating the Internet.
    I have a personal experience of this. My daughter, Kristen, 
who just graduated from college, bought a brand-new computer 
last year, and it is totally worthless today because of spyware 
that has infected her computer. She recently decided to junk 
that computer and buy a new computer.
    Many consumers remain unaware of how these applications end 
up on their computers and remain unable to remove them because 
of deceptive or nonexistent instructions for un-installing 
them.
    Losing some level of control of your own personal property 
is bad enough, but when added to the likelihood that these 
programs are monitoring your computer usage and transferring, 
possibly, your own private information to third parties without 
your permission, the spyware problem rises to a dangerous 
level. Many of these violations constitute a trespass-like 
offense, and in the worst cases, facilitate theft and fraud. 
Information gathered by spyware programs can be used to further 
slow your computer by bombarding you with pop-up ads and the 
collection of personal information can be used to steal your 
money, your identity, or both.
    All members, their families, and their constituents have 
become susceptible to this problem. Even many of our committee 
computers here on the Hill have been hampered by spyware's ill 
effects. This is a problem that must be addressed quickly, and 
given the interstate nature of e-commerce, it must be addressed 
by Federal legislation. I am encouraged that the Federal Trade 
Commission is finally beginning to take action against some of 
the worst actors in the spyware area, but Congress must also 
act quickly to give the FTC the additional power it needs to 
stem the tide of Internet monitoring. Last year, as I 
mentioned, we succeeded in passing this bill through the House, 
but the Senate failed to act. I am hopeful that that will not 
be the case this year, and I have been in contact with several 
Democrat and Republican Senators, and they say that they are 
going to move the bill very quickly.
    I want to commend a number of members for their outstanding 
leadership on this issue. Our No. 1 leader, Congresswoman Mary 
Bono of California, is not here today, because she is ill in 
California with a severe case of bronchitis, so she couldn't 
make it back to Washington for the hearing today. But I do want 
to commend her for her leadership. She introduced this 
legislation in 2003, when most of us had never heard of 
spyware, and has worked tirelessly to ensure its passage. I 
also want to commend Congressman Ed Towns, he is here today, 
for his leadership. He co-sponsored with Congresswoman Bono 
this legislation in our committee, and he, too, has worked 
tirelessly in a bipartisan manner to make this an excellent 
piece of legislation. I also want to thank our subcommittee 
chairman Congressman Stearns and also our ranking member, the 
gentlelady from Illinois, Mrs. Schakowsky. She has done an 
excellent job in drafting this bill.
    These members, as well as Congressman Dingell, have worked 
diligently to bring this legislation to the floor last year, 
and I hope we can move just as quickly and just as 
cooperatively this year to put this legislation through the 
House and send it to the Senate and encourage the Senate to 
act.
    I am also encouraged by the participation of a number of 
industry groups. We have drawn on their expertise in crafting 
this legislation. I encourage them to continue to work with us 
to combat spyware on a technological and a consumer educational 
level. It will take a mix of technology, consumer awareness, 
industry best practices, and strong enforcement to effectively 
fight spyware. I want to thank those who have worked with us 
throughout the process and those that are participating in our 
hearing today.
    I would now yield, since Mr. Dingell is not here, to Ms. 
Schakowsky, the subcommittee ranking member, for an opening 
statement, and then we will go to Mr. Stearns.
    Ms. Schakowsky. Thank you, Mr. Chairman. I would like to 
first also welcome our new members and particularly thank the 
new Democratic members who made it possible for me to rise to 
this lofty position in the second row and close to the 
chairman. This is a big day for me. And I wanted you--to thank 
you, Chairman Barton, for holding this hearing on H.R. 29, the 
SPY ACT, a strong, pro-consumer, bipartisan piece of 
legislation, which addresses one of the newest and most 
troublesome consumer and privacy issues: spyware. And I would 
also like to thank Ranking Member Dingell, who is unable to be 
here today. And as the ranking Democrat on the Commerce Trade 
and Consumer Protection Subcommittee in the 108th Congress, I 
had the privilege of working closely with my Chairman, Chairman 
Stearns, along with Representative Towns and Bono on the first 
version of the SPY ACT.
    As we learned last year, spyware, while not yet a household 
word, is a household phenomenon. The recent--a recent study by 
America Online found that 80 percent of families with broadband 
access had spyware on their computers. EarthLink, one of our 
witnesses here today, along with Webroot, an anti-spyware 
software provider, found that in 3 million scans of computers, 
there was an average of 26 instances of spyware on each and 
every computer. With those kinds of numbers, spyware will soon 
be a part of everyone's vocabulary.
    However, because of the surreptitious nature of spyware, 
because of the furtive practices of the spyware purveyors, many 
people have no idea that their computers have been infected 
with the software. People notice that pop-up ads will not go 
away and they notice when their computers are much slower. And 
of course, they notice when their home pages have been changed, 
but not by them. Consumers tend to blame viruses, their--on 
their old computer or their Internet service providers. But 
because spyware is bundled with software people do want to 
download, and because it is drive-by downloaded from 
unknowingly visiting the wrong website, people do not know 
that, in many cases, the real cause of their headaches is 
spyware.
    As we pointed out last year, spyware is much more than 
merely annoying. Slow computers and pop-up ads are just 
symptoms of the real trouble spyware can cause. The software is 
so ``resourceful'' that it can snatch personal information from 
computer hard drives, track every website visited, and log 
every keystroke entered. Spyware is a serious threat to 
consumer privacy and potentially a powerful tool for identity 
theft, a serious crime that is on the rise. Although we do not 
want to stop legitimate uses of the software underlying 
spyware, like allowing easy access to online newspapers, we do 
want consumers to have control of their computers and personal 
information and to stop truly nefarious uses of the programs.
    The SPY ACT finds the balance that helps protect consumers 
from truly bad acts and actors while preserving the pro-
consumer functions of the software. It prohibits indefensible 
uses of the software, like keystroke logging, and it gives 
consumers the choice to opt in to the installation or 
activation of information-collection software on their 
computers, but only when consumers know exactly what 
information will be collected and how it will be used.
    Furthermore, the SPY ACT gives the FTC the power it needs, 
on top of laws already in place, to pursue predatory uses of 
the software. The SPY ACT puts the control of computers and 
privacy back in consumers' hands, and I am glad that we are 
moving the bill forward once again.
    And once again, I thank my colleagues for this pro-
consumer, pro-privacy, and bipartisan piece of legislation, and 
I look forward to working with you again this year.
    Thank you, Mr. Chairman.
    Chairman Barton. Thank you.
    We would now like to recognize the subcommittee chairman, 
Mr. Stearns, for an opening statement.
    Mr. Stearns. Good morning. And thank you, Mr. Chairman.
    I am pleased that H.R. 29 is the first order of business. I 
commend you for bringing it forward. I also hope that the 
Senate will pass this anti-spyware legislation so that we can 
arm the Federal Trade Commission with a strong Federal response 
to combat this growing problem before it gets out of control. 
The elimination of spyware and the preservation of privacy for 
the consumer are critical goals if the Internet is to remain 
safe, reliable, and a credible means of commerce for the United 
States and the rest of the world.
    We know ``spyware'' is loosely defined as ``malicious 
software'' downloaded from the Internet that spies on the 
computer owner or user, usually to provide information to third 
parties. And while I would like to believe that something this 
egregious should fall easily into the ``I know it when I see 
it'' category, spyware is a little bit different, my 
colleagues. It allows unwanted software programs or spies to 
break, undetected, into our private lives to snoop, steal, and 
manipulate our online activities right under our noses.
    The ``spy'' in this software also makes identifying and 
finding those unwelcome guests a challenge. In fact, the burden 
of disinfecting corrupt computers usually falls on the 
consumer, who, in turn, usually contacts the closest available 
support center, often thinking they have had--they have a 
hardware or software problem. The typical scenario takes an 
obvious toll on our productivity and the engine of commerce.
    It is important to note that the bill before us today, H.R. 
29, is identical to the one that we passed in Congress by a 45-
5 vote in the full committee, and in the House, 399-1. This 
bill has been crafted to target obvious spyware abuses, like 
keystroke logging. The bill also goes after offenders hidden in 
the shadow of confusing licensing agreements and other less 
obvious means of deception and trickery intended to defraud the 
computer. Specifically, the bill does the following: prohibits 
deceptive practices, like keystroke logging, web page 
hijacking, and unsolicited ads that can't be deleted; 
establishes a clear opt-in for consumers wishing to download 
monitoring software, and requires that such software be easily 
disabled; three, creates penalties with heavy monetary 
penalties that should make fraudsters think twice before they 
act; and finally, reestablishes a uniform, national rule 
regulating spyware because of the inherently interstate nature 
of interstate commerce--Internet commerce.
    Another challenge we face is ensuring that a response to 
the growing spyware problem does not penalize legitimate uses 
of similar information technology designed to monitor and 
prevent unauthorized activity. For example, programs designed 
to help parents monitor the online activity of their children 
and legitimate online marketing techniques all use similar 
technologies in an inoffensive and legal manner. This committee 
understands that there are gray areas, Mr. Chairman, with 
spyware, and as a result has worked very hard and it is a 
credit to the subcommittee staff and what they have done here 
to try to negotiate to focus this bill on the bad actors while 
preserving the legitimate use of these technologies.
    But there are some concerns to H.R. 29: examining the need 
for an exception for cookies and the issue raises--raised by 
third-party cookies, since the bill is intended to apply only 
to software; two, looking at ways to compute damages that are 
realistic and not excessive so that we don't obstruct and stop 
the Internet explosion; and finally assessing whether the 
definition of ``information collection program'' adequately 
captures advances in the technology. These are obtuse, very 
difficult to understand a third-party cookie and how it works 
in the computer, but again, we do not want to necessarily stop 
these third-party cookies from working.
    This is a balanced bill, though, and I think we need to 
move forward. I think it will achieve our goals. I would like 
to thank the distinguished witnesses this morning for attending 
and assisting us in discussing and debating this. And I also 
want to recognize Chairman Barton for his vision and his 
leadership, and of course, as he has mentioned, Ms. Bono of 
California and Mr. Towns. I would also like to thank my 
subcommittee ranking member, Ms. Schakowsky and Mr. Dingell for 
his support.
    And with that, Mr. Chairman, I conclude.
    [The prepared statement of Hon. Clifford Stearns follows:]

   Prepared Statement of Hon. Clifford Stearns, a Representative in 
                   Congress from the State of Florida

    Thank you Mr. Chairman.
    Good morning. I am very pleased that H.R. 29, the ``Securely 
Protect Yourself Against Cyber Trespass Act'' or ``Spy Act'' is the 
first order of business for this great Committee as we start the 109th 
Congress. Enacting meaningful anti-spyware legislation is a priority, 
and therefore, it is fitting that the Committee get focused early on 
the important work necessary to pass this bipartisan bill during this 
Congress. I also would like to call on our Senate colleagues to pass 
similar anti-spyware legislation soon so that we can arm the Federal 
Trade Commission with a strong federal response to combat this growing 
problem before it gets out of control. The elimination of spyware and 
the preservation of privacy for the consumer are critical goals if the 
Internet is to remain a safe, reliable, and credible means of commerce 
for the United States and the rest of the world.
    As we now know, spyware is loosely defined as malicious software, 
downloaded from the Internet, that ``spies'' on the computer owner or 
user, usually to provide information to third parties. And while I'd 
like to believe that something this brazen and egregious should easily 
fall into the ``I know it when I see it category,'' spyware is 
different--it allows unwanted software programs or ``spies'' to break 
undetected into our private lives to snoop, steal, and manipulate our 
online activities right under our noses. The ``spy'' in this software 
also makes identifying and finding these unwelcome guests a challenge. 
In fact, the burden of disinfecting corrupted computers usually falls 
on the consumer, who in turn usually contacts the closest available 
support center often thinking they have a hardware or software problem. 
This typical scenario takes an obvious toll on our productivity and the 
engine of commerce.
    It is important to note that the bill before us today, H.R. 29, is 
identical to the one that passed in the last Congress by a 45-5 vote in 
this Committee and by 399-1 in the full House. And while H.R. 29 has 
been crafted to target obvious spyware abuses, like keystroke logging, 
the bill also goes after offenders hidden in the shadows of confusing 
licensing agreements and other less obvious means of deception and 
trickery intended to defraud the consumer. Specifically, H.R. 29 does 
the following:

 Prohibits deceptive practices like keystroke logging, web page 
        hijackings, and unsolicited ads that can't be deleted.
 Establishes a clear opt-in for consumers wishing to download 
        monitoring software, and requires that such software be easily 
        disabled.
 Creates penalties with teeth- heavy monetary penalties that should 
        make fraudsters think twice before they act.
 And reestablishes a uniform national rule regulating spyware because 
        of the inherently interstate nature of Internet commerce.
    Another challenge that we face as legislators is ensuring that our 
responses to the growing spyware problem don't penalize legitimate uses 
of similar information technology designed to monitor and prevent 
unauthorized activity. For example, programs designed to help parents 
monitor the online activity of their children and legitimate online 
marketing techniques all use similar technology in an inoffensive and 
legal manner. This Committee understands that there is a gray area with 
spyware, and as a result, has worked very hard to focus this bill on 
the bad actors while preserving the legitimate use of these 
technologies. Among some of the concerns expressed regarding H.R. 29 
that will be examined as we continue to work on the bill are:

 Examining the need for an exception for cookies and the issues raised 
        by third party cookies since the bill is intended to apply only 
        to software.
 Looking at ways to compute damages that are realistic and not 
        excessive.
 Assessing whether the definition of ``information collection 
        program'' adequately captures advances in the technology.
    This is a good, balanced bill that is needed to protect the online 
consumer from those with malicious intentions and to blow the cover of 
the ``spies'' residing in our personal property--our PERSONAL 
computers. I believe that H.R. 29 will achieve just that, and I 
continue to support its passage.
    I would like to thank the distinguished panel of witnesses before 
us today for assisting the Committee's important work to discuss, 
debate, and explore the issues at hand to achieve a balanced but 
aggressive solution.
    In closing, I'd like to recognize Chairman Barton for his vision 
and leadership on this issue. I'd also like to commend, in particular, 
Ms. Bono of California, for bringing the issue of spyware to the fore, 
and for her dedication to protecting the consumer. I also would like to 
recognize my Democratic colleagues, especially Mr. Dingell, Ms. 
Schakowsky, and Mr. Towns and their staffs for their help in making 
H.R. 29 a truly bipartisan effort and a pleasure to work on.
    Once again, I would like to welcome the witnesses today and look 
forward to their testimony. Thank you.

    Chairman Barton. I thank the gentleman.
    I would now like to recognize Mr. Markey of the World 
Champion Boston Red Sox and, perhaps, the World Champion New 
England Patriots for an opening statement.
    Mr. Markey. Mr. Chairman, we are the World Champion Boston 
Patriots, and we are going to continue being the World Champion 
Boston Patriots. So we are----
    Chairman Barton. I ask unanimous consent to revise.
    Mr. Markey. We are--we can't believe it, either, so thank 
you, Mr. Chairman. And thank you for having this hearing today, 
and Mr. Dingell. Mr. Stearns and Ms. Schakowsky have done an 
excellent job in shepherding this bill through, and I want to 
congratulate Mr. Towns and Ms. Bono for their leadership on 
this very important issue.
    The online villains who spread spyware deceive computer 
users through disingenuous download requests, phony icons and 
covert tricks to induce users to permit the installation of 
programs that computer users do not want or require. In 
contrast to software applications from reputable online 
companies, surreptitiously installed spyware programs are 
designed to thwart a user's ability to control their own 
computers. Rather than improving a computer's online 
experience, the installed features often deliver annoying pop-
up ads, hijack home pages, and can secretly monitor a 
consumer's use of their computer and their travels across the 
Internet. Hopefully we can move this consensus bill through the 
process and have the Senate side produce spyware legislation 
this session as well.
    In addition, I would also like to note that I look forward 
to working with Chairman Barton and our other committee 
colleagues on privacy legislation this year. In the last 
session, I offered legislation to extend the Cable Act's 
privacy protections to other similar entities. I was successful 
in getting one portion of my bill enacted, namely extending 
these consumer privacy protections to satellite providers, such 
as DirecTV and EchoStar, as part of the Home Satellite Viewer 
Act legislation that became law last year. Yet, we need to pass 
the remaining part of my bill to close the current loophole, 
which leaves consumers of services such as Replay TV with no 
legal privacy protections. What consumers watch at home, how 
they use the Internet, who they call or e-mail, and what 
services they may subscribe to are nobody's business. And 
companies should not monitor, collect, and disclose such 
personal information without the prior knowledge and express 
approval of consumers.
    So I intend to reintroduce my privacy bill regarding Replay 
TV and other such devices, and I hope that we can work on that 
and similar online privacy legislation this year. I thank you, 
again, Mr. Chairman, for having this very important hearing 
today.
    Chairman Barton. Thank you, Mr. Markey.
    We would now like to recognize the gentleman from Ohio, Mr. 
Gillmor, for a 3-minute opening statement.
    Mr. Gillmor. Mr. Chairman, I will waive, other than to say 
that I am very happy to see the opt-in requirement in this 
legislation.
    Chairman Barton. Okay.
    We would recognize the gentleman from New York, the 
original cosponsor of the bill in the last Congress, Mr. Towns.
    Mr. Towns. Thank you very much, Mr. Chairman, for holding 
this hearing today.
    I greatly appreciate the commitment you have shown to 
address this important issue and this legislation. As the 
primary Democratic sponsor, I have been proud to work with 
Congresswoman Mary Bono, the author of this bill, and I hope 
she recovers really, really soon from her illness. Her 
leadership, insight, and persistence on the spyware problem 
have been unmatched. I salute her for her continued hard work 
on this legislation.
    When we first embarked on this legislative process, spyware 
was a growing consumer nuisance. Most people had no idea what 
it was. They had no idea that software could be downloaded on 
their computer without their knowledge and record and transmit 
their personal information. Now the problem is so widespread, 
it is hard to find someone who has not been negatively affected 
by spyware. In fact, the day the spyware act was on the House 
floor last year, my daughter called me to say that a computer 
had just crashed due to spyware and indicated that something 
needs to be done to rectify this problem. And I informed her 
that we were working on it as we were talking.
    Last year, with Chairman Barton and Ranking Member 
Dingell's leadership----
    Chairman Barton. You just lost your microphone.
    Mr. Towns. Last year----
    Chairman Barton. Oh, I am sorry. I inadvertently hit the 
mute button.
    Mr. Towns. So you are part of spyware.
    Last year, with the chairman and the Ranking Member 
Dingell's leadership, the bill passed the House floor. This 
year, by getting a much earlier start, I believe Congress can 
put a bill on the President's desk to provide consumers with 
additional tools to protect the consumer from spyware.
    This is not only critical for consumer privacy, but it is 
also essential to ensure the integrity of e-commerce. 
Throughout this process, we have made several modifications to 
the bill to target bad actors while preserving technological 
applications. I look forward to hearing from today's witnesses 
on this.
    And of course, Mr. Chairman, on that note, I yield back.
    Chairman Barton. I thank the distinguished gentleman from 
New York and point out that is the first time in my tenure as 
Chairman that I have used the mute button, even if 
inadvertently, and I hope it is the last time.
    Does the gentlelady from Wyoming seek to make an opening 
statement?
    Ms. Cubin. I will submit.
    Chairman Barton. Okay. Does the gentlelady from California, 
Ms. Eshoo, seek to make an opening statement?
    Ms. Eshoo. Mr. Chairman, I am going to place my statement 
in the record. I want to thank everyone that was involved in 
this. As some members might recall, when the bill was being 
marked up last year, I had some serious concerns and expressed 
those to my colleagues on the committee, and I thank them for 
paying attention to what we have put forward. And I think that 
we have a strengthened effort, and this should be not only 
passed by our committee but by the full House, and I look 
forward to that. So thank you, and here is to the 109th 
Congress to this committee distinguishing itself, as it has in 
the past. And I wish you and all of the subcommittee chairmen 
and ranking members my best and will do everything I can to 
bring even more credit to this committee and welcome to the new 
members.
    Chairman Barton. Thank you.
    Ms. Eshoo. Thank you.
    [The prepared statement of Hon. Anna G. Eshoo follows:]

Prepared Statement of Hon. Anna G. Eshoo, a Representative in Congress 
                      from the State of California

    Mr. Chairman, I'm very pleased that the Committee is considering 
H.R. 29, the Spy Act, a bill which I'm proud to support.
    The word ``spyware'' raises eyebrows and causes anxiety for almost 
anyone that uses computers and the Internet, particularly those of us 
that have had their computers hijacked, or know someone that has. But 
as we've learned, there are many ``monitoring'' or ``information 
gathering'' activities that are really benign and actually enhance a 
user's experience on the Net or with their computer. In fact, some of 
these activities are essential to protect personal computers from 
hackers or viruses.
    As my colleagues will recall, I was very concerned about the 
spyware legislation considered by the Committee during the last 
Congress (H.R. 2929), and I opposed this bill during Committee markup. 
I believed our consideration then was rushed, and that too many 
important issues were left unresolved, putting at risk many of the 
services and security features that consumers value and rely on.
    Subsequent to the Committee's consideration, Representative Issa 
and I sent a letter to the Chairman and Ranking Member identifying our 
most significant concerns. I'm pleased that the Chairman, Mr. Dingell, 
and the bill's sponsors were very responsive to these concerns and that 
we were successful in putting an improved bill before the House last 
session. Unfortunately, the Senate never acted on this legislation.
    Once again, I'd like to thank the Chairman, the Ranking Member, 
Rep. Bono, Rep. Towns, and their staffs for their hard work on this 
legislation and their willingness to work with me to improve this bill 
and eliminate any unintended consequences.
    I look forward to hearing from the witnesses and working with my 
colleagues to pass H.R. 29 through Committee, and bring it back to the 
House floor.

    Chairman Barton. Thank you.
    Does the gentleman from Pennsylvania, Mr. Pitts, wish to 
make an opening statement?
    Mr. Pitts. No, thank you.
    Chairman Barton. Does the gentleman from Michigan, Mr. 
Stupak, wish to make an opening statement?
    Mr. Stupak. No, thank you.
    Chairman Barton. Does the gentleman from Oregon wish to 
make an opening statement?
    Mr. Walden. No, thank you, Mr. Chairman. I will reserve.
    Chairman Barton. Does the gentleman from Maryland, Mr. 
Wynn, wish to make an opening statement?
    Mr. Wynn. No.
    Chairman Barton. Okay. Does the gentleman from Nebraska, 
Mr. Terry? Okay. The gentleman from Texas, Mr. Green?
    Mr. Green. Mr. Chairman, I just am glad we are considering 
this bill, and I will waive and ask for extra time on 
questions.
    Chairman Barton. Okay. Does the distinguished vice-
chairman, Mr. Pickering, wish to make an opening statement?
    Mr. Pickering. I just wish you a good morning, and I will 
pass.
    Chairman Barton. All right.
    The gentlelady from California, Ms. Solis?
    Ms. Solis. Yes, I will pass and just include something for 
the record, and want to also welcome the new members of the 
Energy and Commerce Committee.
    Chairman Barton. The gentleman from New Jersey, Mr. 
Burgess?
    Mr. Burgess. For fear of the mute button, I will pass, Mr. 
Chairman.
    Chairman Barton. Okay. The gentleman from Texas, Mr. 
Gonzalez?
    Mr. Gonzalez. No, thank you.
    Chairman Barton. The gentleman from Michigan, Mr. Rogers?
    Mr. Rogers. I will waive.
    Chairman Barton. My gosh, we are doing great.
    The gentleman from Washington, Mr. Inslee, a new member?
    Mr. Inslee. No, thank you.
    Chairman Barton. The gentleman from Idaho, Mr. Otter?
    Mr. Otter. No.
    Chairman Barton. Okay. The gentlelady from Wisconsin is 
going to waive. Okay. The gentlelady from North Carolina, Ms. 
Myrick? Okay. Does the gentleman from Arkansas wish to make an 
opening statement? Welcome to the committee. Okay. And I do 
want to tell our new members, we are giving you name tags, so I 
am--I apologize if we don't have them ready today, but they are 
on the way.
    Let us see, the gentleman from Pennsylvania, Mr. Murphy?
    Mr. Murphy. I would like to waive, but since this is my 
opportunity, and in lieu of a nametag, I would just like to 
mention a few things. This is the first hearing I am attending, 
and I am grateful to be a member of this committee now.
    Chairman Barton. The gentleman is recognized for 3 minutes.
    Mr. Murphy. Thank you.
    I am grateful to be a member of this committee because of 
issues such as this. Spyware is such an insidious problem in 
computers where the multibillion-dollar industry of people 
having systems in their own home have been destroyed by 
unscrupulous folks. Now these go by many names, and sometimes 
they even appear to be legitimate systems, but anything that 
does not allow the owner of their own computer to opt-in fully 
informed is wrong and should be made illegal. The points have 
been made earlier, but I know some of them, and being the 
father of a teenage daughter, I see this myself, too. It seems 
whenever she gets an e-mail from someone, some spyware might be 
attached to it as well, Gator being one of the more insidious 
ones, which suddenly find every time I--it is on the computer, 
I would have to work to get it off. And that is wrong that 
companies are using this, that they are able to download 
information, they are able to put software on computers, and I 
am grateful that this committee is moving forward on that.
    With that being said, I enthusiastically look forward to 
the remainder of this hearing.
    Thank you, Mr. Chairman.
    Chairman Barton. We thank the gentleman from Pennsylvania.
    Does the gentleman from Texas, Dr. Burgess, wish to make an 
opening statement? Mr. Whitfield of Kentucky, do you wish to 
make an opening statement? Mr. Whitfield waives.
    Seeing no other member present, the Chair would ask 
unanimous consent that all members not present have the regular 
number of days to enter a written statement into the record. 
Without objection, so ordered.
    [Additional statements submitted for the record follow:]

    Prepared Statement of Hon. Paul E. Gillmor, a Representative in 
                    Congress from the State of Ohio

    I thank the Chairman for holding this hearing today, kicking off 
another successful and productive year for our panel.
    With regard to H.R. 29, the SPY ACT, I am happy to add my name as a 
cosponsor this year, which is identical to the measure that the full 
House approved overwhelmingly last October.
    This legislation represents yet another effort by our committee to 
protect personal privacy, as it aims to curb computer programs that 
literally spy on their users. ``Spyware'' can easily hijack our 
computers by downloading unrelated software when we simply click on a 
banner or pop-up ad. It then has the ability to silently record our 
every click, keystroke, and Internet search, gathering information such 
as passwords and credit card numbers. I particularly appreciate the 
provision in the SPY Act providing for a prominent ``opt-in'' for 
consumers prior to downloading any monitoring software onto that user's 
computer.
    I look forward to the input of our well-balanced panel of 
witnesses, welcome the new members of the Energy and Commerce 
Committee, and remain hopeful that H.R. 29 will soon be considered for 
swift approval in the 109th Congress.
    Again, I thank the Chairman and yield back the remainder of my 
time.

                                 ______
                                 
    Prepared Statement of Hon. Charlie Norwood, a Representative in 
                   Congress from the State of Georgia

    Thank you Mr. Chairman.
    Before I start my statement I'd like to extend a warm welcome to 
the new members of the committee. I look forward to working with all of 
you throughout this Congress.
    Mr. Chairman, I'd like to thank you for holding this hearing today 
on H.R. 29, the SPY Act. This is a very clear-cut consumer privacy 
issue, one that I think is vital that we address for our constituents 
back home.
    Last year, Ms. Bono's SPY Act passed overwhelmingly in the House, 
but got tangled up in the other body. As we all know, ``spyware'' in 
its most intrusive form can invade a constituent's computer, steal 
their social security number and credit card information. On the other 
hand, spyware can also provide legitimate businesses with a vital tool 
for increasing productivity.
    Striking a balance is vital for the SPY Act to succeed. I want to 
make sure the citizens of the Ninth District of Georgia are protected 
from fraud, but I do not want to overburden businesses with lengthy 
federal regulations. I believe H.R. 29 strikes this balance. That being 
said, I look forward to our witnesses' testimony today to weigh in 
their opinions.
    Thank you Mr. Chairman, I yield back.

                                 ______
                                 
Prepared Statement of Hon. Mary Bono, a Representative in Congress from 
                        the State of California

    Good morning, and thank you Mr. Chairman for holding this hearing 
today and for your continued interest and support in Cybersecurity. I 
would like to thank Congressman Towns for his support and efforts on 
this bill. He has been a champion of this issue and legislation from 
the beginning. I would also like to thank Ranking Member Congressman 
Dingell for his continued leadership on this issue, as well as 
Congressman Stearns and Congresswoman Schakowsky for their hard work to 
make this legislation a reality. I am hopeful that the testimony today 
from our witnesses is instrumental in helping the Committee formulate 
effective legislation on the issue of Spyware. Cybersecurity and the 
protection of personal data of consumers is a very real issue that 
warrants the attention and action of government, businesses, and 
consumers alike.
    There are many things that consumers can do to protect themselves. 
Anti-virus software and patches are regularly available for downloading 
and updating. Moreover, one should always be cautious while downloading 
software from unknown or un-trusted sources. Consumers should avoid 
opening e-mails from strangers and should be hesitant to disclose 
personally identifiable information over non-secure sites. However, the 
methods of hackers are evolving into misrepresentations to the consumer 
and tricking them into divulging their private information. Moreover, 
the methods and practices of these hackers and spyware users are 
getting past expert computer users and the most diligent anti-spyware 
customers--reflecting the true vulnerability of all computer users.
    Due to the overwhelming support (399-1) of H.R. 2929 last year, I 
reintroduced H.R. 29, ``The Securely Protect Yourself Against Cyber 
Trespass Act (``the SPY Act'').'' This bill aims to empower consumers 
to help safeguard them from bad actors. Unfortunately, consumers 
regularly and unknowingly download software programs that have the 
ability to track their every move. Consumers are sometimes informed 
when they download such software. However, the notice is often buried 
in multi-thousand word documents that are filled with technical terms, 
and legalese that would confuse even a high tech expert. Many spyware 
programs are surreptitiously designed to shut off any anti-virus or 
firewall software program it detects.
    The SPY Act would help prevent Internet spying by requiring spyware 
entities to inform computer users of the presence of such software, the 
nature of spyware, and its intended function. Moreover, before 
downloading such software, spyware companies would first have to obtain 
permission from the computer user.
    This is a very basic concept. The PC has become our new town square 
and global marketplace as well as our private database. If a consumer 
downloads software that can monitor the information shared during 
transactions, for the sake of the consumer as well as e-commerce, it is 
imperative that the consumer be informed of whom he or she is inviting 
into their computer and what he or she is capable of doing with their 
private information. After being informed, the consumer should have the 
chance to decide whether to continue with the download or reject the 
presence of such software. In short, consumers should be put in a 
position where they can make an informed choice about their private 
personal information.
    Once installed on computers, some spyware programs, like viruses, 
become embedded among code for other programs and affect how those 
programs function on the user's computer. Additionally, spyware is 
becoming more and more difficult to detect and remove. Usually, such 
programs are bundled with another unrelated application and cannot be 
easily removed, even after the unrelated application has been removed.
    Moreover, the advertisements may not always be forthcoming. Many 
times, spyware entities contract with companies to post advertisements 
and in turn, post such advertisements on the websites of competitors. 
The result is confusion. In other words, while visiting the website for 
Company A, you may be browsing to purchase a product. However, while 
browsing, a pop-up link may appear informing you of a great sale. Under 
the impression that you are looking at a link for Company A, you may 
purchase the product, all the while uninformed that the product was 
purchased via a pop-up link from Company B.
    According to a recent study, many problems with computer 
performance can be linked in some way to spyware and its applications. 
Additionally, some computers have several hundred spyware advertising 
applications running, which inevitably slow down computers and can 
cause lockups. Some spyware can literally shut down your computer 
forcing the user to spend time and money getting their computer to 
function normally again. If you have spyware on your computer, you most 
likely are getting more pop-up advertisements than you would if you had 
no such software on your computer. I know the effects of spyware from 
personal experience as my daughter's computer has been completely shut 
down by this software.
    All of these consumer disadvantages can be decreased or eliminated 
if disclosures surrounding spyware are required and enforced. If 
consumers are informed about spyware, chances are they may not choose 
to download the software. Upon choosing not to download spyware: 
consumers' computers will run more efficiently; their anti-virus 
programs and firewalls will function better; they can decide which 
information to share and not share; and consumers will not be deceived 
into buying a product or service from unknown entities.
    Since the introduction of H.R. 29, I have had the opportunity to 
speak with many different sectors of the technology industry and retail 
businesses that operate on the Internet. Through these discussions, I 
have received meaningful feedback. I am currently working on refining 
H.R. 29. Some of these refinements include the following--

 Prohibiting the unauthorized downloading of spyware without 
        prohibiting the downloading of beneficial programs such as 
        anti-virus software;
 Prohibiting the unauthorized use of spyware without prohibiting 
        authorized uses and the use of cookies;
 Requiring spyware programs to be easily removable after they have 
        been downloaded;
 Ensuring that the ``clear and conspicuous'' notices required in H.R. 
        29 are very clear; and
 Preventing deceptive advertisements that are facilitated through 
        spyware.
    I look forward to continually working with the technology industry 
in order to produce a bill that protects consumers and legitimate uses 
of that information. Government and private enterprise must team up as 
one because the war against spyware cannot be done alone.
    Thank you, and I look forward to the testimony of the witnesses on 
this issue.

                                 ______
                                 
  Prepared Statement of Hon. Gene Green, a Representative in Congress 
                        from the State of Texas

    Thank you Chairman Barton and Ranking Member Dingell for your 
leadership on this issue. Our colleagues, Representatives Bono and 
Towns did a great job moving this legislation through this committee 
and the House with overwhelming bi-partisan support. I hope in this 
Congress, we see this bill sent to the President and enacted.
    As a co-sponsor of the Anti-SPAM bill with our colleague Heather 
Wilson, I understand the importance of this issue. In fact, earlier 
this month, in my home state of Texas, the Attorney General has filed 
the first state suit against a SPAM operation which is listed in the 
top five SPAM operations in the world. Thanks to the Anti-SPAM 
legislation this committee passed, each person behind this operation 
now faces fines of up to $2 million each.
    Given our success with Anti-SPAM legislation, I believe we are on 
the right track with the Spyware legislation.
    We live in an age when technological breakthroughs bring us better, 
more efficient lives. However, these breakthroughs also entice people 
to take advantage of others for personal and financial gain.
    Congress needs to address these types of issues quickly because as 
we all know, the fast pace of technological growth will always bring 
with it new issues for Congress.
    During our experience with the Anti-SPAM bill, we all came to an 
understanding that technology itself is not the problem--it is the way 
some people and businesses use technology that is harmful to consumers.
    We were able to move this legislation quickly last Congress and I 
hope we are able to address any issues that may help this Committee 
send an even better bill to the Floor to ensure passage in the Senate.
    I think this legislation as it stands is strong. With the 
commitment Congresswoman Bono and Congressman Towns have made to make 
this legislation fair and enforceable, I'm confident we can see this 
bill become a law in the near future.
    Thank you Mr. Chairman. I yield back the balance of my time.

                                 ______
                                 
Prepared Statement of Hon. Hilda L. Solis, a Representative in Congress 
                      from the State of California

    Chairman Barton and Ranking Democrat Dingell, thank you for holding 
this hearing today. The issue of privacy is one that is important to 
me. Privacy is one of the civil liberties we have as Americans that 
makes this nation so special. Too often I hear from my constituents 
that they fear their privacy is being invaded and they are powerless to 
defend themselves.
    I believe legislation is critical to provide consumers the tools 
they need to regain their right to privacy. Last year I supported H.R. 
2929 because I felt it provided the resources consumers needed. It is 
good to be supporting legislation that would not only strengthen 
security but also strengthen privacy--one of America's key civil 
liberties.
    I want to thank Ed Towns, Jan Schakowsky, Mary Bono, Cliff Stearns 
and others for their leadership on this issue, and I look forward to 
hearing comments on this legislation in the hopes that it too can help 
our consumers protect themselves. I look forward to working with my 
colleagues this year to hopefully take steps to make today's America a 
better America.

    Chairman Barton. We want to welcome our witness list today. 
We have Mr. David Baker, who is the Vice President, Law and 
Public Policy for EarthLink in Atlanta, Georgia. We have Mr. 
Ira Rubinstein, the Associate General Counsel for Microsoft, 
who represents them here in Washington, DC. We have Mr. Howard 
Schmidt, who is the President and Chief Executive Officer of 
R&H Security Consulting in Issaquah, Washington. And we have 
Mr. Ari Schwartz, who is the Associate Director for the Center 
for Democracy and Technology here in Washington, DC. Gentlemen, 
welcome to the committee. Your statements are in the record in 
their entirety. We are going to start with Mr. Baker and give 
each of you 7 minutes to expand upon your written statement.
    Welcome to the committee, Mr. Baker.

  STATEMENTS OF DAVID N. BAKER, VICE PRESIDENT, LAW AND PUBLIC 
  POLICY, EARTHLINK, INC.; IRA RUBINSTEIN, ASSOCIATE GENERAL 
 COUNSEL, MICROSOFT CORPORATION; HOWARD A. SCHMIDT, PRESIDENT 
 AND CHIEF EXECUTIVE OFFICER, R&H SECURITY CONSULTING; AND ARI 
    SCHWARTZ, ASSOCIATE DIRECTOR, CENTER FOR DEMOCRACY AND 
                           TECHNOLOGY

    Mr. Baker. Thank you.
    Chairman Barton, ladies and gentlemen of the committee, 
thank you for inviting me here today. I am Dave Baker, Vice 
President for Law and Public Policy with EarthLink. 
Headquartered in Atlanta, EarthLink is one of the Nation's 
largest Internet service providers, serving over 5 million 
customers nationwide with broadband, dial-up, web hosting, and 
wireless Internet services. EarthLink is always striving to 
improve its customers' online experience. To that end, we 
appreciate the efforts of this committee to combat the growing 
problem of spyware.
    We have reached a point in time where spyware has equaled, 
if not surpassed, spam as the biggest problem facing Internet 
users. Spyware compromises consumers' online experience and 
security. As the Wall Street Journal noted last April, 
``Indeed, spyware, small programs that install themselves on 
computers to serve up advertising, monitor web surfing and 
other computer activities and carry out other orders, is 
quickly replacing spam as the online annoyance computer users 
most complain about.'' Like spam, we must fight spyware on 
several fronts. Legislation, enforcement, customer education, 
and technology solutions are all needed to combat this growing 
threat. We spoke here last year in support of H.R. 2929, the 
SPY ACT, which passed the House by a 399-1 margin last October. 
Similarly, we appear here today in support of the efforts of 
Congresswoman Bono, Congressman Towns, their cosponsors, and 
this committee to reintroduce this year's H.R. 29, the SPY ACT. 
Prohibiting the installation of software without a user's 
consent, requiring uninstall capability, establishing 
requirements for transmission pursuant to license agreements, 
and requiring notices for collection of personally identifiable 
information, intent to advertise, and modification of user 
settings are all steps that will empower consumers and keep 
them in control of their computers and their online experience.
    Spyware comes in several different forms, each presenting 
unique threats. Adware is advertising-supported software that 
displays pop-up advertisements whenever the program is running. 
Although it is seemingly harmless, adware can install 
components on your computer that track personal information.
    Adware cookies are pieces of software that websites store 
on your hard drive when you visit a site. Some cookies save you 
time, for example, when you check a box for a website to 
remember your password on your computer, but some adware 
cookies store personal information, like your surfing habits, 
user names, and passwords, and areas of interests and share 
that information with other websites.
    System monitors can capture virtually everything you do on 
your computer, from keystrokes, e-mails, and chat room dialog 
to which sites you visit and which programs you run. System 
monitors usually run in the background so that you don't know 
you are being watched. The information gathered by a system 
monitor is stored on your computer in an encrypted log file for 
later retrieval.
    Trojan horses are malicious programs designed to steal or 
encode computer data and to destroy systems. Some Trojan 
horses, called RATs, Remote Administration Tools, give 
attackers unrestricted access to your computer whenever you are 
online. Trojan horses are distributed as e-mail attachments or 
they can be bundled with other software programs.
    As a leading Internet provider, EarthLink is on the front 
lines in combating spyware. EarthLink makes available to both 
its customers and to the general public technology solutions, 
such as EarthLink Spy Audit powered by Webroot. Spy Audit is a 
free service that allows an online user to quickly examine his 
or her computer to detect spyware. A free download of Spy Audit 
is available on EarthLink's website. EarthLink members also 
have access to EarthLink Spyware Blocker, which disables all 
common forms of spyware, including adware, system monitors, 
keystroke loggers, and Trojans. EarthLink Spyware Blocker is 
available for free to EarthLink members as a part of Total 
Access 2005, our Internet access software. In addition to 
Spyware Blocker, Total Access 2005 includes a suite of 
protection tools, such as Spam Blocker, Pop-Up Blocker, Scam 
Blocker, which blocks phisher sites, Virus Blocker, and 
Parental Controls.
    As indicated in the attachment to my testimony, over 3.2 
million Spy Audit scans performed in the first 3 quarters of 
2004 found over 83 million instances of spyware. This 
represents an average of 26 spyware programs per scanned PC. 
While most of these installations were relatively harmless 
adware and adware cookies, the scans revealed over 1 million 
installations of much more serious system monitors and Trojans.
    Spyware is thus a growing problem that demands the 
attention of Congress, enforcement agencies, consumers, and 
industry alike. Through the efforts of Congress to introduce 
legislation like the SPY ACT, enforcement actions by the FTC 
and other agencies, and through industry development of anti-
spyware tools, we can all help protect consumers against a 
threat that is often unseen but very much real.
    Thank you for your time today.
    [The prepared statement of David N. Baker follows:]

 Prepared Statement of David N. Baker, Vice President, Law and Public 
                        Policy, EarthLink, Inc.

    Mr. Chairman, Ladies and Gentlemen of the Committee, thank you for 
inviting me here today. I am Dave Baker, Vice President for Law and 
Public Policy with EarthLink. Headquartered in Atlanta, EarthLink is 
one of the nation's largest Internet Service Providers (ISPs), serving 
over 5 million customers nationwide with broadband (DSL, cable and 
satellite), dial-up, web hosting and wireless Internet services. 
EarthLink is always striving to improve its customers' online 
experience. To that end, we appreciate the efforts of this committee to 
combat the growing problem of spyware.

                       SPYWARE: A GROWING THREAT

    We have reached a point in time where spyware has equaled if not 
surpassed spam as the biggest problem facing Internet users. Spyware 
compromises consumers' online experience and security. As the Wall 
Street Journal noted even last year, ``Indeed, spyware--small programs 
that install themselves on computers to serve up advertising, monitor 
Web surfing and other computer activities, and carry out other orders--
is quickly replacing spam as the online annoyance computer users most 
complain about.'' ``What's That Sneaking Into Your Computer?'' Wall 
Street Journal, April 26, 2004.
    Like spam, we must fight spyware on several fronts. Legislation, 
enforcement, customer education and technology solutions are all needed 
to combat this growing threat. We spoke here last April in support of 
H.R. 2929, the Safeguard Against Privacy Invasions (SPI) Act, which 
became the Securely Protect Yourself Against Cyber Trespass Act (SPY 
ACT) and which passed the House by a 399-1 margin last October. 
Similarly, we appear here today in support of the efforts of 
Congresswoman Bono, her co-sponsors and this Committee to re-introduce 
this year's H.R. 29 the SPY ACT. Prohibiting the installation of 
software without a user's consent, requiring uninstall capability, 
establishing requirements for transmission pursuant to license 
agreements, and requiring notices for collection of personally 
identifiable information, intent to advertise and modification of user 
settings are all steps that will empower consumers and keep them in 
control of their computers and their online experience.

                        VARIOUS FORMS OF SPYWARE

    Spyware comes in several different forms, each presenting unique 
threats:
    Adware is advertising-supported software that displays pop-up 
advertisements whenever the program is running. Often the software is 
available online for free, and the advertisements create revenue for 
the company. Although it's seemingly harmless (aside from the 
intrusiveness and annoyance of pop-up ads), adware can install 
components onto your computer that track personal information 
(including your age, sex, location, buying preferences, or surfing 
habits) for marketing purposes.
    Adware cookies are pieces of software that Web sites store on your 
hard drive when you visit a site. Some cookies exist just to save you 
time--for example, when you check a box for a Web site to remember your 
password on your computer. But some sites now deposit adware cookies, 
which store personal information (like your surfing habits, usernames 
and passwords, and areas of interest) and share the information with 
other Web sites. This sharing of information allows marketing firms to 
create a user profile based on your personal information and sell it to 
other firms.
    System monitors can capture virtually everything you do on your 
computer, from keystrokes, emails, and chat room dialogue to which 
sites you visit and which programs you run. System monitors usually run 
in the background so that you don't know you're being watched. The 
information gathered by the system monitor is stored on your computer 
in an encrypted log file for later retrieval. Some programs can even 
email the log files to other locations. There has been a recent wave of 
system monitoring tools disguised as email attachments or free software 
products.
    Trojan horses are malicious programs that appear as harmless or 
desirable applications. Trojan horses are designed to steal or encode 
computer data, and to destroy your system. Some Trojan horses, called 
RATs (Remote Administration Tools), give attackers unrestricted access 
to your computer whenever you're online. The attacker can perform 
activities like file transfers, adding or deleting files and programs, 
and controlling your mouse and keyboard. Trojan horses are distributed 
as email attachments, or they can be bundled with other software 
programs.

                         EARTHLINK'S EXPERIENCE

    As a leading Internet provider, EarthLink is on the front lines in 
combating spyware. EarthLink makes available to both its customers and 
the general public technology solutions to spyware such as EarthLink 
Spy Audit powered by Webroot (``Spy Audit''). Spy Audit is a free 
service that allows an online user to quickly examine his or her 
computer to detect spyware. A free download of Spy Audit is available 
at www.earthlink.net/spyaudit. EarthLink members also have access to 
EarthLink Spyware Blocker, which disables all common forms of spyware 
including adware, system monitors, key loggers and Trojans. EarthLink 
Spyware Blocker is available free to EarthLink members as part of Total 
Access 2005, our Internet access software. See 
www.earthlink.net/home/software/spyblocker.
    In addition to Spyware Blocker, Total Access 2005 includes a suite 
of protection tools such as spamBlocker, Pop-Up Blocker, Scam Blocker 
(which blocks phisher sites), Virus Blocker, and Parental Controls.
    Over 3.2 million Spy Audit scans performed in the first 3 quarters 
of 2004 found over 83 million instances of spyware. This represents an 
average of 26 spyware programs per scanned PC. While most of these 
installations were relatively harmless adware and adware cookies, the 
scans revealed just over 1 million installations of more serious system 
monitors or Trojans.

                               CONCLUSION

    Spyware is thus a growing problem that demands the attention of 
Congress, enforcement agencies, consumers and industry alike. Through 
the efforts of Congress to introduce legislation like the SPY ACT, 
enforcement actions by the FTC and other agencies, and through industry 
development of anti-spyware tools, we can all help protect consumers 
against a threat that is often unseen, but very much real.
    Thank you for your time today.

    Chairman Barton. Thank you, Mr. Baker.
    And Mr. Rubinstein, before you speak, we are going to lower 
the screen in the back, so we can have the TV picture, and it 
is somewhat noisy. So if you will suspend until we can get the 
screen down in the back.
    We didn't want to interrupt his testimony. So welcome to 
the committee, Mr. Rubinstein, and your testimony is in the record. 
We give you 7 minutes to expand upon it.

                   STATEMENT OF IRA RUBINSTEIN

    Mr. Rubinstein. Thank you.
    Chairman Barton, Ranking Member Dingell, and members of the 
committee, my name is Ira Rubinstein, and I am an Associate 
General Counsel at Microsoft. Thank you for the opportunity to 
share our views on spyware, an issue of which you have been at 
the forefront. In particular, I want to acknowledge the 
leadership of Chairman Barton and Ranking Member Dingell, 
Chairman Stearns and Ranking Member Schakowsky of the Consumer 
Protection Subcommittee, and Representatives Bono and Towns, 
the lead sponsors of H.R. 29, the SPY ACT.
    This committee has worked tirelessly to draft legislation 
that targets the bad behavior at the root of the spyware 
problem, without unnecessarily impacting legitimate software 
functionality. We support the SPY ACT, and we look forward to 
working with Congress as the bill moves forward.
    Nine months ago, Microsoft testified on spyware before the 
Consumer Protection Subcommittee. We described a multifaceted 
approach that included technological development, consumer 
education, aggressive enforcement, and industry best practices. 
We also discussed the role of legislation in complementing this 
strategy. Since then, we have made significant headway in each 
of these areas. Today, I want to update the committee on that 
progress and describe how industry and Congress can continue 
working together to give consumers choice and control.
    Spyware is a problem of bad practices, practices that 
mislead, deceive, or even bully users into downloading unwanted 
applications. However, new anti-spyware technology is enabling 
users to fight back. For example, Microsoft recently released a 
Beta, or test version, of Windows AntiSpyware. This is our 
first dedicated anti-spyware solution, and it is available for 
free on www.Microsoft.com/spyware. This tool scans a user's 
computer, locates spyware, and enables----
    Chairman Barton. Mr. Rubinstein, is your microphone turned 
on?
    Mr. Rubinstein. Yes, it is, sir.
    Chairman Barton. Okay. Could you then place it somewhat 
closer? We are having some trouble up here hearing you.
    Mr. Rubinstein. Yes, I will.
    Chairman Barton. Thank you.
    Mr. Rubinstein. This tool scans a user's computer, locates 
spyware, and enables the user to remove it and undo any damage. 
It also provides ongoing protection to computers through 
security checkpoints. These guard against more than 50 separate 
ways that spyware can be downloaded. If known spyware is 
detected at these checkpoints, it is blocked. If an unknown 
program is detected, Windows AntiSpyware informs the user and 
asks whether the download should proceed. We invite the 
committee to download the program and would welcome your 
feedback.
    In addition to technological developments, there has been 
substantial progress in other areas. This progress is 
attributed to the successful collaboration between government 
and industry. Consumer education is a good example. Over the 
past 9 months, through hearings like these, consumers have 
become more aware of the spyware problem and how they can 
protect themselves from these threats. Industry has also played 
an important role. Microsoft's AntiSpyware web site contains 
updated information that is designed to help consumers to 
understand, identify, prevent, and remove spyware. The site 
also includes step-by-step instructions on what consumers can 
do about spyware and an informative 3-minute video covering the 
same materials. Many others in the industry are engaged in 
similar efforts.
    Cooperation between the public and private sectors has also 
led to a successful FTC enforcement action against the spyware 
publisher. Microsoft actively supported this investigation, and 
we will continue to work with government and industry partners 
to go after spyware distributors.
    Industry best practices are another part of our anti-
spyware strategy. They can serve as a foundation for programs 
that help identify the good actors. This, in turn, allows users 
to make more informed decisions about the software they 
download.
    Over the past year, representatives from a broad range of 
companies have been working to develop and implement a set of 
best practices, but more needs to be done. Microsoft is 
dedicated to work with industry in this effort that will help 
optimize user control.
    Federal legislation can be an effective complement to this 
combination of technology, education, enforcement, and industry 
best practices. But as we have stressed throughout the 
legislative progress--process, Congress must proceed cautiously 
to ensure that such legislation targets the deceptive behavior 
of spyware publishers and not features or functionalities that 
have legitimate uses.
    Our success in working together to achieve this goal is 
apparent, and our written testimony sets forth some of the 
scenarios that could have had unintended consequences, but that 
the committee has now addressed. As we move forward, we need to 
make sure that the law does not create disincentives for 
consumers to use these anti-spyware tools or leave anti-spyware 
vendors open to legal action for developing and distributing 
them.
    We want to thank the committee, again, for your attention 
to the spyware problem and for extending Microsoft the 
invitation to share our ideas and experiences with you, both 
today and as the process moves forward. We appreciate that the 
committee solicited further comment from industry on ways to 
clarify the bill, and we encourage the committee to continue 
this collaborative process. Microsoft remains committed to 
supporting legislation that will prevent bad actors from 
deceiving consumers and destroying their computing experience.
    Thank you.
    [The prepared statement of Ira Rubinstein follows:]

   Prepared Statement of Ira Rubinstein, Associate General Counsel, 
                         Microsoft Corporation

    Chairman Barton, Ranking Member Dingell, and Members of the 
Committee: My name is Ira Rubinstein and I am an Associate General 
Counsel at Microsoft Corporation. I want to thank you for the 
opportunity to share with the Committee Microsoft's views on addressing 
spyware--an issue on which this Committee has been at the forefront. In 
particular, I want to thank Chairman Barton and Ranking Member Dingell, 
Representatives Stearns and Schakowsky, the Chairman and Ranking 
Member, respectively, of the Commerce, Trade, and Consumer Protection 
Subcommittee, and Representatives Bono and Towns, the lead Republican 
and Democrat sponsors of H.R. 29, the SPY ACT. This Committee has 
worked tirelessly to raise public awareness of the threat posed by 
spyware, and to draft legislation that is carefully targeted to address 
the bad behavior at the root of the problem--without unnecessarily 
impacting legitimate software applications. Microsoft believes the 
Committee has met this goal: we are therefore pleased to support the 
SPY ACT in its current form, and we look forward to working with 
Congress as the bill moves forward.
    Nine months ago, my colleague Jeffrey Friedberg, who is the 
Director of Windows Privacy at Microsoft, testified at a hearing of 
this Committee's Subcommittee on Commerce, Trade, and Consumer 
Protection on the nature and nuances of spyware, and provided a slide 
presentation demonstrating some common tricks used by nefarious spyware 
publishers to deceive users into downloading unwanted programs. He also 
described Microsoft's commitment to attacking spyware on several 
levels--technology, consumer education, industry best practices, and 
enforcement--and the role of legislation in complementing this 
strategy. Today, I want to tell you about the progress that has been 
made in each of these areas over the past nine months, and the ways in 
which the public and private sectors can continue working together to 
restore choice and control back where it belongs--in the hands of 
consumers.

Spyware Remains a Pervasive Problem.
    As Chairman Barton aptly recognized at last year's hearing, spyware 
represents an ``unwanted intrusion that is used for purposes that we 
have not approved, and most of the time without our even knowing it.''\1\ 
Purveyors of spyware manipulate computer users through 
misleading download requests, false icons, and covert practices that 
trick users or override low security settings in order to install 
programs that users do not need or want. Unlike legitimate 
applications, these programs show no respect for users' ability to 
control their own computers, and they misuse many features that can be 
an asset with proper disclosure, user authorization, and control. 
Instead of leading to personalization and better user experiences, 
these features are manipulated to surreptitiously monitor user 
activities, hijack home pages, and deliver an unstoppable barrage of 
pop-up advertisements. In short, spyware is a problem of bad 
practices--practices that mislead, deceive, or even bully users into 
downloading unwanted applications.
---------------------------------------------------------------------------
    \1\ Spyware: What You Don't Know Can Hurt You: Hearing Before the 
House Subcomm. on Commerce, Trade, and Consumer Protection of the Comm. 
on Energy and Commerce, 108th Cong. 77 (2004) (statement of Chairman 
Barton, House Comm. of Energy and Commerce).
---------------------------------------------------------------------------
    Spyware continues to be a primary frustration for our customers and 
industry partners. We receive thousands of calls from customers each 
month directly related to deceptive software, and we continue to 
receive reports that suggest such software is at least partially 
responsible for approximately one-half of all application crashes that 
our customers report to us. In addition, industry partners have 
indicated that unwanted and deceptive software remains one of the top 
support issues they face, and we understand that it costs many of the 
large computer manufacturers millions of dollars per year.
    Other studies demonstrate the continued growth of the problem. A 
study last fall conducted by America Online and the National Cyber 
Security Alliance found that approximately 80 percent of all users had 
some form of spyware or adware on their machines, and that the average 
computer contained 93 spyware or adware components.\2\ Perhaps 
most troubling, 89 percent of respondents whose computers had tested 
positive were unaware that their systems contained any 
spyware.\3\ Over the past year, we have also seen a rise in a 
particularly disturbing form of spyware programs--so-called 
``betrayware.'' These applications claim to be anti-spyware detection 
or removal programs, but are in fact spyware; some analysts now 
estimate that there are more than 130 separate betrayware programs 
lurking in cyberspace.\4\
---------------------------------------------------------------------------
    \2\ See AOL/NCSA Online Safety Study (Oct. 2004), available at 
http://www.staysafeonline.info/news/safety_study_v04.pdf.
    \3\ Id.
    \4\ See Eric L. Howes, The Spyware Warrior List of Rogue/Suspect 
Anti-Spyware Products & Web Sites, available at http://
www.spywarewarrior.com/ rogue--anti-spyware.htm.
---------------------------------------------------------------------------
    The explosion in the volume of spyware, and the accompanying 
increase in the complexity with which those programs operate and the 
damage that they do, has had an enormous impact on Microsoft. As we 
explained last year, many of our customers blame the problems caused by 
these programs on Microsoft software, believing that their systems are 
operating slowly, improperly, or not at all because of flaws in our 
products or other legitimate software. Spyware programs have increased 
our support costs, harmed our reputation and, most importantly, 
thwarted our efforts to optimize our customers' computing experiences.

Anti-Spyware Tools Are Enabling Consumers To Take Back Control.
    Although spyware is becoming more pervasive and complex, the good 
news is that there have also been enormous strides over the past year 
in the fight against spyware--particularly with respect to the 
development of anti-spyware tools that empower users to protect 
themselves. As one example, in January of this year, Microsoft launched 
the Beta version of Windows AntiSpyware--Microsoft's first dedicated 
anti-spyware tool based on technology developed by GIANT Software 
Company, Inc. Microsoft acquired this technology from GIANT and rapidly 
developed and distributed the anti-spyware beta because our customers 
have made clear that spyware represents a major problem to them, and 
that they want Microsoft to deliver effective solutions as quickly as 
possible.
    Windows AntiSpyware works by scanning a customer's computer to 
locate spyware and other known deceptive software threats, and then 
giving users the tools to easily and rapidly remove those programs--as 
well as to quickly restore certain damage done by these programs. Once 
the spyware has been removed, the Windows AntiSpyware Scan Scheduler 
enables the scheduling of regular scans to help users maintain the 
condition of their computers. Windows AntiSpyware can also be 
configured to block known spyware and other unwanted software from 
being installed on the computer in the first place. To do this, the 
program relies on the worldwide SpyNet(TM) community, which plays a 
crucial role in determining which suspicious programs are classified as 
spyware. A voluntary network of users, SpyNet(TM) helps uncover new 
threats quickly to ensure that all users are better protected, and any 
user can choose to join SpyNet(TM) and report potential spyware to 
Microsoft. When new 
spyware programs are confirmed through SpyNet, their unique digital 
identifiers, or ``signatures,'' can be automatically downloaded by 
Windows AntiSpyware, helping to stop these new threats before they gain 
a foothold.
    Windows AntiSpyware also provides continuous protection to 
computers, establishing security checkpoints to guard against more than 
50 separate ways that spyware can be downloaded. These checkpoints are 
monitored by (1) Internet agents that help protect against spyware that 
makes unauthorized connections to the Internet or changes a computer's 
Internet settings; (2) system agents that guard against spyware that 
makes unauthorized changes to a computer's non-Internet settings (such 
as passwords or security levels); and (3) application agents that 
protect against spyware that alters applications (such as modifying 
browsers or launching unwanted programs). If known spyware is detected 
at these checkpoints, it will be blocked. If an unknown program is 
detected, Windows AntiSpyware informs the user and asks whether to let 
the download proceed.
    Another feature of Windows AntiSpyware is its ability to work with 
the security enhancements in Windows XP Service Pack 2 (``XPSP2''). 
When Mr. Friedberg testified before the Subcommittee last April, he 
described a number of ways in which XPSP2 would help block the entry 
points used by spyware programs by better informing users in advance 
about the type of software they would be installing. As promised, 
Microsoft did introduce XPSP2 in 2004, and these enhancements are 
designed to target the particular tricks that spyware distributors use 
to surreptitiously install unwanted programs:

<bullet> A new pop-up blocker, turned on by default, that reduces a user's 
        exposure to unsolicited downloads;
<bullet> A new download blocker that suppresses unsolicited downloads until 
        the user expresses interest;
<bullet> Redesigned security warnings that make it easier for users to 
        understand what software is to be downloaded, make it more 
        obvious when bad practices are used, and allow users to choose 
        to never install certain types of software; and
<bullet> A new policy that restricts a user's ability to directly select 
        ``low'' security settings.
    Beyond Windows AntiSpyware and XPSP2, Microsoft will continue 
working collaboratively with all of our security partners: developing 
anti-spyware tools that empower our customers to protect themselves is 
a top priority. In the short term, we want everyone to run some kind of 
anti-spyware solution on a regular basis. In the long term, we want to 
develop and implement solutions so that spyware is no longer a major 
issue for our customers. This is an ambitious goal that will require 
cooperation and dedication, but we believe that the acquisition of 
GIANT and implementation of Windows AntiSpyware and XPSP2 are 
significant strides toward achieving that result.

Advances in Education, Enforcement, and Industry Standards Are Evident.
    Technology is a critical part of the solution to spyware, but it 
cannot work alone. Heightened consumer education, aggressive law 
enforcement, and improved industry self-regulation are also important 
to ending the spyware epidemic. In the nine months since Microsoft last 
testified on spyware, there have been significant developments in each 
of these areas.
    Consumer Education. A year or two ago, only the most sophisticated 
users even knew what spyware was, let alone how to stop it. Now spyware 
is becoming well-known as a critical consumer protection issue. For 
example, in its first day on the Microsoft home page, our new Windows 
AntiSpyware site received more than 130,000 clicks--easily a record for 
a launch on our home page, and an indication of the tremendously 
increased customer interest in and attention to the spyware problem.
    Much of the credit for heightening consumer awareness about spyware 
should go to Congress--and particularly to this Committee. Through 
hearings such as this and determined efforts to enact effective anti-
spyware legislation, Congress has attracted media attention to the 
spyware problem, and has helped educate consumers about the importance 
of the issue and how to protect themselves. Industry should also play a 
role in consumer education, and the Web site we launched in 2004--
www.microsoft.com/spyware--contains information that is specifically 
designed to help consumers understand, identify, prevent, and remove 
spyware. We update this site regularly, and it now includes a 
comprehensive but easy-to-read white paper describing our spyware 
strategy, as well as public newsgroups on spyware that our security-
focused ``most valuable professionals'' monitor to assist the online 
community. We want to provide users with clear, current, and trusted 
resources to help understand, remove, and avoid spyware.
    Representative Bono emphasized last year that ``it is necessary 
that we [government and industry] collectively educate consumers about 
the nature and the threats of spyware,'' and we agree.\5\ 
Although much work has been done over the past year to educate 
consumers about spyware, we are committed to continuing to work with 
you and other industry members in this important effort.
---------------------------------------------------------------------------
    \5\ Spyware: What You Don't Know Can Hurt You: Hearing Before the 
House Subcomm. on Commerce, Trade, and Consumer Protection of the Comm. 
on Energy and Commerce, 108th Cong. 6 (2004) (statement of Rep. Bono, 
House Comm. of Energy and Commerce).
---------------------------------------------------------------------------
    Enforcement of Existing Laws. The use of aggressive enforcement 
actions against spyware purveyors is another critical part of our 
approach to the problem. Targeting the most insidious violators would 
have a significant impact on the amount and type of spyware that is 
produced and distributed--and would serve as a powerful deterrent to 
would-be violators.
    Last April, we explained to the Subcommittee that enforcement 
actions were possible under existing law. In October 2004, the Federal 
Trade Commission demonstrated that this was true, taking the first 
federal enforcement action and obtaining a temporary restraining order 
against a major distributor of spyware for unfair and deceptive 
practices that violated the FTC Act. The defendant in that case, 
Sanford Wallace (who is also known as the ``Spam King''), had 
developed and installed on unsuspecting users' computers code that 
tracked their Internet behavior, changed home pages and search engines, 
and launched a stream of pop-up ads. Wallace then went a step further 
and targeted these users with pop-up advertisements promoting faulty 
anti-spyware remedies that Wallace sold for approximately $30 each.
    Microsoft supported the FTC's investigation in that case, and our 
Internet Safety Enforcement team is committed to enforcing existing 
laws against the distributors of spyware. The team investigates spyware 
threats that are reported by customers or others, working with 
government and industry partners and using advanced technology to find 
the sources of these programs. After the investigation, the team either 
pursues these cases internally or refers them to law enforcement, 
including the FTC, U.S. Attorneys, and State Attorneys General. And as 
in the suit against the Spam King, the team also assists law 
enforcement officials with their spyware investigations. Microsoft 
believes that the public and private sectors should continue to work 
together to hold spyware publishers accountable for their unlawful 
acts, and we look forward to other successful enforcement actions in 
the future.
    Industry Best Practices. Developing a set of industry-wide 
standards is another piece of our spyware strategy. Such best practices 
create an incentive for legitimate software publishers to distinguish 
themselves from bad actors, and can serve as a foundation for programs 
that certify and label the good actors--which in turn empower users to 
make informed decisions about the software they download to their 
computers.
    Representatives from a broad range of companies have been working 
to develop and implement a set of best practices, but more needs to be 
done. Initial efforts have focused on standards for the installation of 
software through the Internet--as well as more broadly with respect to 
the collection and use of personal information, the display of pop-up 
advertisements, and the form and substance of notice and consent. The 
overriding goal of these practices is to empower consumers--allowing 
them to make informed decisions by providing appropriate notice and 
consent experiences, balancing the need for transparency and detail, 
and offering appropriate controls. Self-regulatory measures should 
continue to evolve to account for the complexities and challenges that 
are a result of the ever-changing nature of technology. Microsoft is 
committed to working with industry to formulate best practices and 
believes that these practices can help supplement other efforts.

Targeted Legislation Has a Role To Play.
    Microsoft is optimistic that this combination of technology, 
education, enforcement, and industry standards can effectively combat 
the spyware problem. And significant progress has been made toward this 
goal in the past year: technological solutions to empower consumers to 
protect themselves from spyware are now widely available; consumers are 
much more educated about the nature and scope of spyware; a successful 
enforcement action has been taken against a spyware publisher under 
existing law; and legitimate industry practices are becoming better and 
more consistent.
    Federal legislation can be an effective complement to this 
strategy, providing an additional layer of protection for consumers and 
another tool for enforcement officials. As we stressed at the beginning 
of this process, however, Congress must proceed cautiously to ensure 
that such legislation targets the deceptive behavior of spyware 
publishers--and not features or functionalities that have substantial 
legitimate uses. This distinction is critical to avoid imposing 
unworkable requirements on legitimate applications and adversely 
affecting legions of computer users.

The Proposed Legislation Has Improved Dramatically.
    When we last testified, we offered some scenarios in which well-
intended legislation could have unfortunate and unintended 
consequences. As you know, we were concerned that initial drafts of 
anti-spyware legislation contained provisions that might compromise 
specific functionalities rather than target the bad practices at the 
core of the spyware problem. We have been extremely pleased, however, 
at the willingness of Representatives Bono and Towns and other members 
of this Committee to work with us and others in the private sector to 
create a bill that captures the bad actors without unnecessarily 
impeding the good ones. Representative Towns recognized this when the 
SPY ACT was brought to the House floor last year, noting that ``any 
time we legislate on highly technical matters, there is always a danger 
in stifling innovation or making the use of legitimate software too 
burdensome. It is a very difficult tightrope to walk, but I think we 
have done an excellent job in walking that line.''\6\ That we 
successfully worked together to achieve this balance is apparent when 
we re-examine those scenarios we raised last April.
---------------------------------------------------------------------------
    \6\ 150 Cong. Rec. H8085 (daily ed. Oct. 5, 2004) (statement of 
Rep. Towns).
---------------------------------------------------------------------------
    Disruptive User Experience. As we explained then, many legitimate 
software programs contain an information-gathering functionality that 
these programs need in order to perform properly. These include error 
reporting applications, troubleshooting and maintenance programs, 
security protocols, and Internet browsers. Imposing notice and consent 
requirements every time these legitimate programs collect and transmit 
a piece of information would disrupt the computing experience, because 
users would be flooded with constant, non-bypassable warnings--making 
it impossible to perform routine Internet functions (such as connecting 
to a web page) without intolerable delay and distraction.
    The current version of the SPY ACT understands these issues, and 
takes steps to safeguard the user experience. In particular, the bill 
allows notices to consumers to be tailored to take into account 
different scenarios. It also contains important exceptions for critical 
functionalities--such as security procedures and authentication 
checks--and recognizes circumstances where information-sharing is 
driven by the user. These revisions help the legislation target bad 
actors without impeding legitimate applications.
    Compromised Consent Experience. We were also concerned about ``one 
size fits all'' notice and consent requirements, which may not give 
users sufficient context to make informed decisions. For example, 
requiring notice and consent at the time of installation ignored the 
importance of a technique we refer to as ``just in time'' consent, 
which delays the notice and consent experience until the time most 
relevant to the user--just before the feature is executed. If a program 
crashes, for instance, Windows Error Reporting functionality will ask 
the user whether he or she would like to send crash information to 
Microsoft. At this time, the user is able to examine the type of 
information that will be sent to Microsoft and to assess the actual 
privacy impact, if any, of transmitting such information in light of 
the potential benefit of receiving a possible fix for the problem. 
Presenting the notice and choice experience for Windows Error Reporting 
at the time Windows is first installed, in contrast, would lack this 
critical context.
    As a result of cooperation between Congress and industry, the 
current version of the bill allows for ``just in time'' consent. This 
is an important inclusion that empowers users by providing them with 
notice and requiring choice at the time most appropriate to making an 
informed decision.
    Unrealistic Uninstall Requirements. Finally, we were concerned 
about provisions in the bill that required standardized uninstall 
practices for all software, which we feared would be unworkable in many 
circumstances. For example, there are cases where a full and complete 
uninstall is neither technically possible nor desirable, such as with a 
software component that is in use and shared by other programs. In 
addition, there are other cases where an uninstall may be technically 
possible, but the cost to provide such functionality would be 
prohibitive, such as with complex software systems that may require the 
entire software system to be removed. Finally, there are situations 
where requiring uninstall could actually compromise the security of the 
system, such as backing out security upgrades or removing critical 
services.
    Here again, the Committee has been responsive to industry concerns, 
and the bill has been modified to provide legitimate developers with 
the flexibility necessary to avoid the types of problems outlined 
above. We look forward to continuing to work with the Committee to 
ensure that all appropriate uninstall scenarios are adequately 
addressed.

Legislation Must Be Forward-Thinking.
    As Chairman Barton rightly recognized when bringing the SPY ACT to 
the House floor last term, ``technological development moves quickly, 
much faster than the regulatory or legislative process.''\7\ 
We praise the Chairman for his hard work to move the SPY ACT through 
the legislative process so we can rapidly get additional tools in the 
hands of regulators to fight this burgeoning threat. But spyware is a 
relatively new problem, and the list of acts prohibited by the bill 
today might not capture every practice used by bad actors tomorrow. We 
and others in the industry are working to develop and implement new and 
better anti-spyware tools that will empower consumers to make more 
informed choices with respect to their computers. We need to make sure 
that the law does not create disincentives for consumers to use these 
tools, or for companies to develop and distribute them.
---------------------------------------------------------------------------
    \7\ 150 Cong. Rec. H8080-81 (daily ed. Oct. 5, 2004) (statement of 
Rep. Barton).
---------------------------------------------------------------------------
    Congress recognized the importance of enabling consumers to take 
advantage of technological tools in addressing spam. In that context, 
Congress worked to clarify that merely because a message is not 
unlawful under federal law does not mean that consumers are in any way 
precluded from using technology to block the message. Similarly, with 
respect to spyware, simply because a software program complies with the 
SPY ACT should not prohibit consumers from choosing whether to download 
it, nor should it leave vendors of anti-spyware tools open to legal 
action for providing tools that enable consumers to make these choices. 
We think it is self-evident that the SPY ACT should support the 
creation of such tools and not provide disincentives for the 
development of ever more powerful anti-spyware technologies. We look 
forward to working with Congress to ensure that the legislation 
achieves its aims of empowering consumers to maintain control over 
their computer systems and protect themselves as they see fit.
    We want to thank the Committee once again for your attention to the 
spyware problem and for extending Microsoft an invitation to share our 
ideas and experiences with you--both today and as this process moves 
forward. By continuing to attack the problem on several levels--
consumer education, technology solutions, industry best practices, 
aggressive enforcement, and targeted legislation--we believe we can 
thwart the efforts of those who produce and distribute spyware. 
Microsoft remains committed to working with you to prevent bad actors 
from deceiving consumers and destroying their computing experience.

    Mr. Stearns [presiding]. Thank you.
    Mr. Schmidt?

                 STATEMENT OF HOWARD A. SCHMIDT

    Mr. Schmidt. Good morning, Mr. Chairman.
    Mr. Stearns. Good morning.
    Mr. Schmidt. Members of the committee, my name is Howard 
Schmidt. I am the President and CEO of R&H Security Consulting. 
Over the past 20 years, I have served as a computer crime 
investigator with the Chandler, Arizona Police Department. I 
led the FBI's Computer Exploitation Team for the National Drug 
Intelligence Center at Johnstown, Pennsylvania. I served as the 
Director of Computer Crime and Information Warfare at the Air 
Force Office of Special Investigations. I have been the Chief 
Security Officer of Microsoft and eBay. And in the aftermath of 
September 11, I was appointed by President Bush as the Vice-
Chairman of the President's Critical Infrastructure Protection 
Board and Special Advisor for Cyber Security.
    I, to this day, continue to serve, as a privilege, in the 
U.S. Army Reserve as a computer crime investigator. And I 
thought I had seen it all until I saw the effects of what 
happens with spyware today. And I thank you for the opportunity 
to share with you my perspective on the impact of spyware, an 
issue on which the committee has shown great leadership in 
working tirelessly to raise awareness of a potential threat.
    In previous testimony, I have talked about the impact of 
cybersecurity in our day-to-day lives and the protection of 
critical infrastructure. Today, I would like to tell you why 
the threats posed by spyware threaten more than just our 
privacy and protection of personal information, but also speak 
briefly as to the progress that market forces and the private 
sector have made in the past year. It has been proven time and 
time again that the public and private sectors, working 
together, can protect innovation as well as improve end user 
protection.
    As Chairman Barton discussed in previous hearings, spyware 
represents an intrusion into our day-to-day computer experience 
without our knowledge. But I would like to focus my comments 
into two specific areas, the end user/consumer area as well as 
the enterprise.
    As some of the members have stated, I got to see firsthand 
with my own family members the impact that this has. My son is 
a computer crime detective in Arizona. My wife teaches computer 
forensics in Wisconsin to law enforcement, but that is sort of 
where the end of the technology expertise ends in my family. My 
brother-in-law in Wisconsin, who is a great carpenter, wound up 
finding his computer totally unusable after being hijacked--his 
browser was hijacked by a system that even programs designed to 
remove that specific system were unable to do so, which we had 
to completely rebuild the system. On the other end of the 
spectrum, my 88-year-old father lives in Florida and uses the 
Internet for entertainment, communication with friends around 
the country, and digital photography. Within a few moments of 
buying--a few days after buying it, the new computer was akin 
to a 15-year-old computer system.
    To this, we have seen industry respond rapidly to deal with 
the intrusiveness of spyware. We started putting out pop-up 
blockers, making them available for free, and anti-virus 
vendors started to include spyware technology into the security 
suites. As Mr. Rubinstein mentioned, Microsoft recently 
launched a product that, once again, helps deal with these 
products.
    But as we continue to work on the problem of spyware, we 
need to remember that much of the benefits we derive from 
online experience is based on the interactive nature of the 
Internet. In the early days of computing, people used computers 
to do things, and to this day, in many instances, computers 
interact with other computers, so consequently, we want to make 
sure we don't disrupt, and this committee has paid a great deal 
of attention to impacting that interaction on our behalf.
    One of the things that we discussed was the convergence of 
various technologies, voice-over IP, telecommunications, and 
computers. One of the things we have also seen, though, is the 
convergence of the spyware in the more nefarious aspects of it, 
including tools that enable systems to be hacked, identity 
theft, keystroke loggers, and robots, which in turn take over 
computer systems and use those computers to attack other 
computer systems through installation of spyware.
    While the vast majority of these acts are covered under 
provisions such as Title 18, Title 5, Electronic Communications 
Privacy Act, Computer Fraud and Abuse Act, this particular 
bill, H.R. 29, closes an important gap that we don't see in 
some of the other things, and it targets a set of behaviors, 
not specific technologies. It should continue to improve and 
protect the interactive software used for positive purposes 
while indeed holding those accountable for the nefarious acts.
    There are four major areas, though, that I think are very 
important when we combat those areas and the many areas of 
cybersecurity. First, the use of technology and market forces 
are the strongest potential solution when it comes to dealing 
with online threats. Thanks to the freely available online 
anti-spyware software, including the new Microsoft product, my 
father's system, as I cited a moment ago, is now spyware-free 
and hopefully will stay that way for a long time.
    Second, the efforts of education and awareness go a long 
way in informing users what capabilities they have, whether it 
is Internet phishing threats, Trojans, or spyware, an educated 
and informed public is a vital weapon for protection of these 
things.
    Third, companies, even competitors are working very closely 
together to identify new threats, share information with each 
other, and publish updates to deal with the new threats faster 
than ever in the past. As a matter of fact, many of the 
industry leaders are now working together to deal with the 
factor of two-factor authentication, basically something akin 
to an ATM card where we can better protect ourselves as well.
    And fourth, as with many other issues harming society, 
technology, education, and information are not going to be a 
100 percent solution. To that end, we need to have penalties 
and trained, equipped, and staffed law enforcement personnel to 
enforce these penalties. And while our online safety continues 
to improve day-by-day, hour-by-hour, this committee's work is 
crucial to help us get close to that 100-percent level.
    The provisions of the SPY ACT should continue to encourage 
companies to develop and distribute ever more effective and 
powerful anti-spyware and security technologies, and I look 
forward to our continued great working relationship with 
Congress to ensure that the legislation achieves its aims of 
protecting and empowering consumers to protect themselves in a 
way that fits their situation.
    I would like to also thank the committee for their 
continued leadership and attention to this problem and for 
inviting me to appear before this committee and talk about this 
issue. I would like to thank you for the ability and look 
forward to any questions you might have.
    Thank you.
    [The prepared statement of Howard A. Schmidt follows:]

    Prepared Statement of Howard A. Schmidt, President and CEO, R&H 
                        Security Consulting LLC

    Chairman Barton, Ranking Member Dingell, and Members of the 
Committee: My name is Howard A. Schmidt and I am President & CEO of R & 
H Security Consulting LLC. Over the past 20 years I have served as a 
Computer Crime Investigator with the Chandler, Arizona Police 
Department, led the computer exploitation team for the FBI at the 
National Drug Intelligence Center, and served as the Director of 
Computer Crime and Information Warfare at the Air Force Office of 
Special Investigations. I have also been the Chief Security Officer for the 
Microsoft Corporation and Chief Information Security Officer and Chief 
Security Strategist for eBay Inc. In the aftermath of 9/11, I was 
appointed by President Bush as the Vice Chairman of the President's 
Critical Infrastructure Protection Board and Special Advisor for Cyber 
Security.
    I want to thank you for the opportunity to share with the Committee 
my perspective on the impact of Spyware--an issue on which this 
Committee has shown great leadership by working tirelessly to raise 
public awareness of the potential threat posed by Spyware and by 
drafting legislation that is carefully targeted to address the bad 
behavior at the root of the problem, without unnecessarily impacting 
legitimate software applications. As citizens, we owe a debt of 
gratitude to Chairman Barton, Representatives Stearns and Schakowsky, 
the Chairman and Ranking Member, respectively, of the Commerce, Trade, 
and Consumer Protection Subcommittee, and Representatives Bono and 
Towns, the lead Republican and Democrat sponsors of H.R. 29, the SPY 
ACT. Your willingness to work closely with the private and public 
sector makes your contribution to this issue even more valuable.
    During my previous testimony before House Committees, I have 
discussed the implications of cyber security on our day to day lives 
and the protection of critical infrastructure. Today, I would like to 
tell you why the threats posed by Spyware threaten more than just 
our privacy and protection of personal information, but also speak 
briefly as to the progress that market forces and the private sector 
have made in the past year. Time and time again, the tremendous value 
that results when the public and private sectors work together to 
protect innovation as well as to improve end user protection has been 
proven.

         A. SPYWARE CONTINUES TO BE A THREAT TO CYBER SECURITY.

    As Chairman Barton discussed in the previous hearing, Spyware 
represents an intrusion into our day-to-day computing experience 
without our knowledge. I would like to focus my testimony in two very 
similar areas, the ``end user/consumer'' and the enterprise. Other 
witnesses in previous testimony, as well as today's testimony, have 
described what Spyware is and some of its effects, so I will not delve 
into what Spyware is and how it works again. I do not have to go much 
further than my own family to see first hand the impact Spyware has on 
the online experience. While my son is a computer crime detective and 
my wife teaches computer forensics to law enforcement, the technology 
expertise stops there. My first example was when my brother-in-law was 
not able to use his computer for anything because a piece of Spyware 
had hijacked his browser. Normally it would have been just a matter of 
resetting the ``home page'' to the page one would prefer, but this 
piece of Spyware was so invasive that even using programs specifically 
designed to remove this application did not function and eventually 
resulted in his system not functioning at all. He had to send the 
computer to me in another state and I had to rebuild the entire system.
    The second personal example is the PC of my 88 year old father, who 
uses the PC and the internet for daily entertainment, communications 
with friends and digital photography. Within a short period of time of 
him purchasing his new computer, it went from being a high-speed piece 
of technology to something akin to a 15-year-old computer running so 
slow it was almost useless. I am sure that these examples are nothing 
new to many of us in the IT/Security business, but to ``normal'' users 
this is very troubling.
    To deal with this, industry, using market forces, has responded 
rapidly to the intrusiveness of Spyware. It started with pop-
up blockers being made available for free and then anti-virus vendors 
started to include anti-Spyware technology into their ``security 
suites.'' We now have many ``toolbars'' that have built in pop-up and 
spy protection. Recently, Microsoft has launched a Spyware product that 
is in beta form that shows tremendous promise in providing a technology 
solution to dealing with a large part of the problem.
    As we continue to work on the problem of Spyware, we need to 
remember that much of the benefits we derive from the online experience 
is based on the interactive nature of the internet. In the early days 
of internet use, people interacted with computers. However, in the 
recent past it has become more of an issue of computers interacting 
with other computers on behalf of people. Although there are those that 
would exploit computer-to-computer interaction, we should be very 
sensitive as to not disrupt the legitimate interactive nature of 
computers acting on behalf of people.
    The key difference, as this Committee has learned by working well 
with the private sector, between good and bad software is not the means 
by which it is distributed, but the intent and the behavior of the 
software. As we move towards a computing environment where we develop 
self-healing, self-repairing, and self-configuring computers, we must 
preserve the ability, without end-user intervention, to download 
upgrades, security fixes, and protective software. Clearly this type of 
software installation should not and would not fit into the category of 
Spyware. A classic example is the use of anti-fraud/id theft software 
updates; these installations are very important to the integrity of the 
experience on the internet. The concern that many of 
us have is when the software is introduced in a deceptive manner and 
performs functions that are annoying or harmful and difficult, if not 
impossible, to remove.
    At the same time that we are discussing the benefits of convergence 
of modern day technology, there is also a negative convergence of 
``traditional'' hacking, identity theft, key loggers, and ``bots'' 
being installed using what we traditionally call Spyware.
    While the vast majority of these acts are covered by provisions of 
Title 18, Title 5, Electronic Communications Privacy Act (ECPA), 
Computer Fraud and Abuse Act, the FTC's existing authority to pursue 
unfair or deceptive trade practices, or international law, H.R. 29, the 
SPY Act, makes an important contribution to supplementing these laws, 
and I believe will be successful to the extent that it targets a set of 
behaviors and not a class of technology. This bill should continue to 
protect interactive software that is used for positive purposes 
including where the users have agreed to an end user license agreement 
(EULA) and understand what their choices are. In short, the end users 
should be empowered to make their own choices on how they interact with 
software applications as ``one size does not fit all.'' As many of us 
said when dealing with many issues of cyber security, we agree that 
there are four major steps that must be taken to protect end users.
    First, the use of technology and market forces is the strongest 
potential solution when it comes to dealing with online threats. As I 
testified earlier, industry has developed a number of technologies to 
combat not only Spyware but other threats. Industry's efforts are to be 
commended and these efforts work for the vast majority of the routine 
cases we face today. Thanks to freely available anti-Spyware software, 
including the new Microsoft anti-Spyware beta application, my father's 
computer is now Spyware free and all indications suggest that it will 
stay that way.
    Second, the education and awareness of ALL users is vital to 
reducing problems associated with many of the internet threats. Whether 
it is ``Phishing,'' viruses and Trojans, or Spyware, an educated and 
informed public is one of the best weapons. Many companies have created 
``Security Centers'' on their web sites to better educate their users 
as to how to protect their computers and their privacy. The National 
Cyber Security Alliance (NCSA) has consumer tips on its website 
http://www.staysafeonline.info. Additional information can be found at 
http://www.personalfirewallday.org, which provides information for users. The 
FTC has been a leader in the awareness and education about online 
security.
    Third, companies, even competitors, are working closely together to 
identify new threats, share information with each other and publish 
updates to deal with new threats faster than ever in the past. Online 
companies now are providing free anti-virus services, pop up blockers, 
and anti-Spyware applications to their customers. Additionally, many of 
the industry leaders in identity management such as RSA, Verisign, 
Entrust and Geotrust are providing tools to improve two-factor 
authentication to protect privacy and identity. The National Cyber 
Security Partnership has brought together leaders in this space across 
various sectors to better coordinate and publicize the industry and 
government accomplishments.
    Fourth, as with many other issues harming society, technology, 
education and information are not 100% effective in solving problems. To 
that end, penalties and trained, equipped and staffed law enforcement 
personnel to enforce those penalties are essential. 
While online safety continues to improve day-by-day, hour-by-hour the 
work of this Committee is beneficial to help us get closer to the 100% 
level.
    The provisions of the SPY ACT should continue to encourage 
companies to develop and distribute ever more effective and powerful 
anti-Spyware and security technologies. I look forward to continuing 
our great working relationship with Congress to ensure that the 
legislation achieves its aims of protecting and empowering consumers to 
control their computer systems and to exercise valuable protective 
measures which fit their situation.
    I again would like to thank the Committee for your leadership and 
attention to the Spyware problem and for extending the invitation for 
me to appear before you to share my experiences with you today and as 
in the future as this process evolves. Cyber security has always been 
and always will be employed using a ``layered defense'' perspective. By 
working with this body, technology companies, law enforcement agencies, 
and diplomatic leaders, I believe we can continue to reduce the impact 
that bad actors have on our online experience and we can continue to 
strengthen national security, public safety, and economic advancements, 
while providing for a rich and robust online experience for us all.
    I thank you again for the ability to appear here before you today 
and I look forward to any questions that you may have.

    Mr. Stearns. I thank the gentleman.
    Mr. Schwartz, welcome.

                    STATEMENT OF ARI SCHWARTZ

    Mr. Schwartz. Chairman Stearns, Ranking Member Schakowsky, 
members of the committee, thank you very much for having CDT 
testify today.
    Since the Center for Democracy and Technology last 
testified on this issue in front of the Consumer Protection 
Subcommittee in April of last year, the spyware problem has 
only gotten worse. Just this week, a study was released that 
showed that \2/3\ of information technology managers now 
consider spyware to be the biggest threat to network security.
    On a personal note, following the holiday season, I can 
count myself among the tens of thousands of technically--
consumers and computer professionals, and from what we have 
heard, members of this committee who have tried to help a 
family member or friend fix a computer that has been plagued by 
spyware. And in my case, it was my father-in-law. I also came 
to the conclusion that it would be better to buy a new computer 
and reformat the hard drive than to continue to try and remove 
the spyware through the existing tools that were supposed to be 
able to remove the software, as Mr. Schmidt had suggested in 
his case.
    Over a year ago, CDT asked consumers to send us complaints 
about specific spyware programs so we can investigate them more 
fully. We now receive so many complaints that we have had to 
create a prioritizing system in order to try and figure out 
which ones to prioritize and even which ones to read.
    Fortunately, there is also some positive news. On the 
technology front, companies such as EarthLink and America 
Online and Microsoft, as we have heard, have begun to 
distribute anti-spyware tools more actively. The case that CDT 
brought to the Federal Trade Commission against spyware 
purveyor Seismic Entertainment last February has come to trial 
in New Hampshire. This is the first FTC case against a spyware 
company. The Seismic case highlights the growing complexity of 
a marketplace that allows mainstream companies to fund illegal 
activities through a maze of distributors and affiliates. As I 
document in my written testimony, the relationships are usually 
so complex that the companies involved do not know more than 
one player in what becomes a six or seven-level chain of 
distributors and affiliates.
    CDT sees three major areas where action is necessary to 
stem the disturbing trends for the loss of control and 
transparency for Internet users in the environment that we now 
face. First, it is clear that we need stronger enforcement of 
existing law. CDT brought the Seismic case in February to the 
FTC's attention. The FTC took action in October. And court 
proceedings continue through today. If each case takes such a 
singular focus over such a long period of time, the enforcement 
will not be able to serve as a real deterrent in this area.
    Second, we need even better consumer education, industry 
self-regulation, and improved technologies to give consumers 
real control. We have only seen the beginning of what industry 
can do to help solve this problem on their own.
    Last, CDT strongly believes that many of the privacy 
concerns of spyware, some of which fall out of the scope of 
current legal protections, could be clearly addressed with an 
online privacy law. As members of this committee know, CDT has 
long argued that until we have an online privacy law that 
addresses all of the basic fair information practices, the 
privacy issues that we first saw 9 years ago in the collection 
of information via the web and then with cookies and then with 
spam and now with spyware and RFID and phishing will only 
repeat with new technologies in the future. A privacy law 
could get at the root concern rather than trying to define and 
scope each new technology in a limiting way.
    This kind of privacy legislation would provide businesses 
with guidance about their responsibilities as they deploy new 
technologies and business models that involve the collection of 
information. At the same time, privacy assurances and law would 
give consumers a measure of confidence that their privacy is 
protected as companies roll out new ventures.
    The legislation at hand today, H.R. 29, can serve as an 
important launching point that CDT generally supports. 
Representatives Bono and Towns deserve credit for raising the 
profile of this important issue in such a constructive manner. 
In particular, raising the penalties on bad practices can help 
the FTC create real deterrence.
    On the other hand, CDT is less enthusiastic about the 
notice and other requirements on information collection 
programs in the current bill. We are concerned that the 
definitions are vague and may bring unintended consequences in 
the regulatory process that could serve to harm consumers. 
Instead, we would prefer to see this issue addressed in 
baseline privacy legislation so that consumers have a 
consistent framework for privacy and notice and consent across 
all technologies.
    CDT is committed to working with the committee as your 
efforts continue, and I look forward to answering your 
questions.
    [The prepared statement of Ari Schwartz follows:]

  Prepared Statement of Ari Schwartz, Associate Director, Center for 
                        Democracy and Technology

    Chairman Barton and Ranking Member Dingell, thank you for holding 
this hearing on spyware, an issue of growing concern for consumers and 
businesses alike. CDT is honored to have the opportunity to participate 
in the Committee's first hearing of this new Congress.
    CDT is a non-profit, public interest organization devoted to 
promoting privacy, civil liberties, and democratic values online. CDT 
has been widely recognized as a leader in the policy debate surrounding 
so-called ``spyware'' applications.1 We have been engaged in 
the legislative, regulatory, and self-regulatory efforts to deal with 
the spyware problem, and have been active in public education efforts 
through the press and our own grassroots network.
---------------------------------------------------------------------------
    \1\ See, e.g., CDT's ``Campaign Against Spyware,'' http://
www.cdt.org/action/spyware/action (calling on users to report their 
problems with spyware to CDT; since November 2003, CDT has received 
over 650 responses). Center for Democracy & Technology, Complaint and 
Request for Investigation, Injunction, and Other Relief, in the Matter 
of MailWiper, Inc., and Seismic Entertainment Productions, Inc., 
February 11, 2004, available at http://www.cdt.org/privacy/
20040210cdt.pdf (hereafter CDT Complaint Against MailWiper and 
Seismic). ``Eye Spyware,'' Christian Science Monitor Editorial, April 
21, 2004 (``Some computer-focused organizations, like the Center for 
Democracy and Technology, are working to increase public awareness of 
spyware and its risks.''). ``The Spies in Your Computer,'' New York 
Times Editorial, February 18, 2004 (arguing that ``Congress will miss 
the point [in spyware legislation] if it regulates specific varieties 
of spyware, only to watch the programs mutate into forms that evade 
narrowly tailored law. A better solution, as proposed recently by the 
Center for Democracy and Technology, is to develop privacy standards 
that protect computer users from all programs that covertly collect 
information that rightfully belongs to the user.''). John Borland, 
``Spyware and its discontents,'' CNET.com, February 12, 2004 (``In the 
past few months, Ari Schwartz and the Washington, D.C.-based Center for 
Democracy and Technology have leapt into the front ranks of the Net's 
spyware-fighters.'')
---------------------------------------------------------------------------
    As an organization dedicated both to protecting consumer privacy 
and to preserving openness and innovation online, CDT has sought to 
promote responses to the spyware epidemic that provide meaningful 
protection for users while avoiding unintended consequences that could 
harm the open, decentralized Internet. Last year we testified before 
the Subcommittee on Commerce, Trade, and Consumer Protection on the 
issue of spyware, attempting to define the problem and suggest the 
range of responses required to address it. Since that time, we have 
worked closely with the Committee toward legislation to target spyware. 
We have appreciated the Committee's open, deliberative approach to this 
complex and important issue.

Summary
    The alarming rate of growth of the spyware problem is a major 
threat to Internet users, as well as to the long-term health of the 
open and decentralized Internet. Of particular concern is the growing 
complexity of a marketplace that allows mainstream companies to 
unwittingly fund illegal activities through a maze of distributors and 
affiliates.
    CDT sees three major areas where action is necessary to stem this 
disturbing trend toward a loss of control and transparency for Internet 
users: 1) enforcement of existing law; 2) better consumer education, 
industry self-regulation, and anti-spyware technologies; and 3) 
baseline Internet privacy legislation.
    H.R. 29 marks a substantial step forward in addressing many of the 
concerns of consumer groups and companies. CDT is generally supportive 
of the current bill. In particular, we strongly endorse the idea of 
raising penalties on and calling specific attention to the worst types 
of deceptive software practices online. CDT is less enthusiastic about 
the specific notice and consent requirements on adware and information 
collection programs, because of the definitional difficulties in 
crafting such a regime narrowly targeted at certain classes of 
software. We look forward to continuing to work with the Committee to 
help improve these elements of the bill.
    On a broader note, we hope that work on the spyware issue will 
provide a jumping off point for efforts to craft baseline standards for 
online privacy, now that many companies have expressed their support 
for such a goal. Privacy legislation would provide businesses with 
guidance about their responsibilities as they deploy new technologies 
and business models that involve the collection of information. At the 
same time, privacy assurances in law would give consumers some measure 
of confidence that their privacy is protected as companies roll out new 
ventures.
    If we do not begin to think about privacy issues more 
comprehensively, the same players will be back in front of this 
Committee in a matter of months to address the next threat to online 
privacy. We hope that we can address these issues up front, rather than 
waiting for each new privacy threat to present itself.

1. Understanding and Combating Spyware
    What is ``spyware?'' No precise definition of spyware exists. The 
term has been applied to software ranging from ``keystroke loggers'' 
that capture every key typed on a particular computer; to advertising 
applications that track users' web browsing; to programs that hijack 
users' system settings. Much attention has been focused on the 
surveillance dimension of the spyware issue, though it is in fact a 
much broader problem.
    What the growing array of invasive programs known as ``spyware'' 
have in common is a lack of transparency and an absence of respect for 
users' ability to control their own computers and Internet 
connections.
    In this regard, these programs may be better thought of as 
trespassware.2 Among the host of objectionable behaviors for 
which such nefarious applications can be responsible, are:
---------------------------------------------------------------------------
    \2\ Chairman Barton's statement at last year's Subcommittee hearing 
aptly expressed this idea: ``[Spyware's] installation is often sneaky 
or deceptive and even when it runs, it often goes undetected . . . If I 
want someone to come into my home, I invite them into my home. If they 
come uninvited, it is a trespass.'' Doug Abrahms, ``Anti-spyware bill 
drawing praise, support,'' Gannett News Service, Apr. 30, 2004.

 ``browser hijacking'' and other covert manipulation of users' 
        settings;
 surreptitious installation, including through security holes;
 actively avoiding uninstallation, automatic reinstallation, and 
        otherwise frustrating users' attempts to remove the programs;
 substantially decreasing system performance and speed, in some cases 
        sufficient to render systems unusable; and
 opening security backdoors on users' computers that could be used to 
        compromise their computers or the wider network.
    Each of these behaviors was specifically documented by CDT or 
reported to us by individual users frustrated by their inability to use 
their own systems. Although no single behavior of this kind defines 
``spyware,'' together they characterize the transparency and control 
problems common to such applications.
    How can we respond to the problem? Combating spyware requires a 
multifaceted approach. Significant progress has already been made since 
the spyware issue first began to receive national attention over a year 
ago, but much ground still remains.

 Law enforcement. Under federal law, much spyware is currently covered 
        by Section 5 of the FTC Act, banning unfair and deceptive trade 
        practices, as well as by the Computer Fraud and Abuse Act or 
        the Electronic Communications Privacy Act. Spyware programs may 
        also violate a variety of state statutes.
 Private efforts, including continued consumer education, the 
        continued improvement of anti-spyware technologies, and stepped 
        up efforts to close the security holes exploited by spyware 
        purveyors, are all necessary. In particular, sound best 
        practices for downloadable software are sorely needed.
 Legislative approaches to fighting spyware fall into two broad 
        categories--attempts to narrowly address the issues raised by 
        spyware, and attempts to deal, in a coherent and long-term 
        fashion, with the underlying privacy issues. H.R. 29, which we 
        address in detail below, is an example of the first approach. 
        CDT has appreciated the opportunity to work with the Committee 
        on this bill and is supportive of this effort. However, we 
        remain firmly committed to the idea that a long-term solution to 
        spyware and other similar issues requires baseline online 
        privacy legislation. Many of the issues raised by spyware may 
        be easier to deal with in this context.
    This framework represented our starting point on the spyware issue 
a year ago, and remains largely unchanged today. There have, however, 
been important developments in the problem, and in our research on the 
issue, since we appeared before the House Subcommittee last year. We 
address these in the following sections.

2. Spyware Continues to Grow as a Threat to Internet Users
    When CDT first became involved in the spyware issue, we launched a 
``Campaign Against Spyware,'' calling on Internet users to send us 
their experiences with these invasive applications.\3\ We 
indicated that we would investigate the complaints received and, where 
we believed appropriate, file complaints with the FTC. In our 
appearance before the Consumer Protection Subcommittee, we testified 
regarding the dramatic response to our campaign. In the nine months 
since our last appearance, CDT has continued to receive complaints 
through our online submission form. Among what are now hundreds of 
complaints, a total which continues to grow daily, are regular reports 
of new spyware programs arising.
---------------------------------------------------------------------------
    \3\ See http://www.cdt.org/action/spyware
---------------------------------------------------------------------------
    While it is exceptionally difficult to obtain precise data on the 
prevalence of the spyware problem, the best study done to date, 
conducted by AOL and the National Cyber Security Alliance, found that 80% 
of broadband and dial-up users had adware or spyware programs running 
on their computers.\4\ Our perception based on the complaints 
we have received and our own research is that the prevalence of 
egregious spyware violations, including many mentioned in Section 2 of 
H.R. 29 before this Committee, has increased dramatically. Of 
particular concern is the use of security holes in web browsers to 
silently force software onto users' computers. We believe many Internet 
users may simply be turning off the Internet in response to these 
threats.\5\
---------------------------------------------------------------------------
    \4\ http://www.staysafeonline.info/news/safety_study_v04.pdf
    \5\ See, e.g., Joseph Menn, ``No More Internet for Them,'' Los 
Angeles Times, January 14, 2005, p. A1.
---------------------------------------------------------------------------
    CDT was very pleased to see the first public enforcement action 
brought in October by the FTC against Sanford Wallace and Seismic 
Entertainment on the basis of a complaint filed earlier by 
CDT.\6\ This case included many of the clearly unfair and 
deceptive activities mentioned above, including browser hijacking and 
covert installation through security holes. We applaud the Commission 
for its work on the case, which has led to an injunction against 
further exploitative practices by Seismic.
---------------------------------------------------------------------------
    \6\ There were instances of private enforcement against spyware 
purveyors that preceded the FTC's case. For example, in July of last 
year, 180solutions, a large adware vendor, sued a distributor that was 
using security holes to force 180solutions' software onto Internet 
users' computers in order to collect per-install commissions.
---------------------------------------------------------------------------
    The Commission's initial action against Seismic must be only the 
first step, however. First, many other parties were involved in the 
unfair and deceptive activities which CDT highlighted in our complaint 
to the FTC. We believe that the FTC's discovery in the Seismic case 
will provide ample basis to pursue these connections, and we expect 
that the Commission will announce further actions as other bad actors 
come to light. We discuss this affiliate issue in more detail below.
    In addition, both the FTC and other national and state level law 
enforcement agencies must actively pursue further cases. While the 
FTC's first spyware case was an important milestone, both the number 
and frequency of cases must be dramatically increased if law 
enforcement is to provide a significant deterrent to purveyors of 
spyware. Currently, we believe law enforcement is still losing the 
battle against egregious spyware purveyors clearly guilty of violating 
existing law.

3. The Affiliate Problem is at the Center of the Spyware Issue
    In CDT's complaint to the FTC regarding Seismic Entertainment and 
Mail Wiper, we asked the FTC to specifically investigate the affiliate 
relationships between the parties involved. We highlighted the problem 
of affiliate relationships being ``exploited by companies to deflect 
responsibility and avoid accountability.''\7\
---------------------------------------------------------------------------
    \7\ CDT Complaint Against MailWiper and Seismic at 2.
---------------------------------------------------------------------------
    Since CDT testified before the Consumer Protection Subcommittee 
last year, it has become increasingly clear to us that the affiliate 
issue is at the heart of several aspects of the spyware problem. We 
want to take the opportunity in our testimony today to highlight and 
explain this issue, which has not been given sufficient attention to 
date.
    Adware companies have a superficially simple business model: they 
provide a means of support for free software programs in a similar way 
that commercials support free television. Advertisers pay adware 
companies a fee to have their advertisements included in the adware 
program's rotation. The adware company then passes on a portion of that 
fee to distributors in exchange for bundling the adware program with 
other free software--such as gaming programs, screen savers, or peer-
to-peer applications. Finally, the consumer downloads the bundle, 
agreeing to receive the advertising served by the adware program in 
exchange for the free software.
    In fact, this simple description of how distribution of adware and 
other bundled software takes place is often a radical 
oversimplification. In fact, many adware companies and other software 
bundlers operate through much more complex networks of affiliate 
arrangements, which dilute accountability, make it difficult for 
consumers to understand what is going on, and frustrate law enforcement 
efforts.
    The diagram below presents some of the actors and relationships in 
the online advertising world as we currently understand it. These 
include:

 product and service vendors, who have contracts with adware vendors 
        and advertising brokers to distribute ads for their offerings;
 adware companies, who have multi-tier affiliate arrangements with 
        other adware companies, software producers, website owners, and 
        advertising brokers;
 software makers and website owners, who enter into bundling and 
        distribution agreements with adware companies and advertising 
        brokers, as well as with other software makers and website 
        owners; and
 advertising brokers, who serve as middlemen in the full array of 
        affiliate arrangements.
    The consequence of these ubiquitous affiliate arrangements is that 
when an adware program ends up on a user's computer, it may be many 
steps removed from the maker of the software itself. The existence of 
this complex network of intermediaries exacerbates the spyware problem 
in several ways. For example:

 Industry Responsibility--Adware companies, advertising brokers, and 
        others all may disclaim responsibility for attacks on users' 
        computers, while encouraging these behaviors through their 
        affiliate schemes and doing little to police the networks of 
        affiliates acting on their behalf. Advertisers, too, should be 
        pushed to take greater responsibility for the companies they 
        advertise with.\8\
---------------------------------------------------------------------------
    \8\ Examples of steps in this direction include public policies by 
Major League Baseball and Verizon setting standards for what software 
companies they will advertise with. Similarly, Google has drafted a 
specific public policy on what other applications it will bundle its 
utilities with.
---------------------------------------------------------------------------
 Enforcement--Complex webs of affiliate relationships obstruct law 
        enforcement efforts to track back parties responsible for 
        attacks. The complexity of these cases puts an extreme strain 
        on enforcement agencies, which struggle to tackle the problem 
        with limited resources.
 Consumer Notice--Adware companies and their affiliates have been 
        reluctant to clearly disclose their relationships in a way that 
        is transparent to consumers. Appendix A excerpts a recent CDT 
        submission to the FTC on this issue, demonstrating ways that 
        adware companies could begin to improve transparency in 
        bundling and ad-support arrangements. Companies have resisted 
        these changes. Efforts to bring transparency to the full chain 
        of affiliate and distribution arrangements have met with even 
        greater opposition.
    For these reasons, the affiliate issue has become a central aspect 
of the spyware epidemic. Finding ways to effectively reform affiliate 
relationships will remove a lynchpin of spyware purveyors' operations.

4. Comments on H.R. 29, the ``SPY ACT''
    H.R. 29, before this Committee, represents the outcome of an 
extended drafting effort to target bad practices and bring 
responsibility back to the distribution of downloadable software.
    The overwhelming support for this bill in the last Congress 
demonstrates the desire to craft targeted legislation focusing on some 
of the specific problems raised by spyware. CDT commends 
Representative Bono and the Committee for your work raising the 
profile of this formerly silent plague on our computers. The focus of 
this Committee has allowed consumer groups and companies to bring the 
attention of the public and law enforcement agencies to this issue.
    The current bill marks a substantial step forward in addressing 
many of the concerns of consumer groups and companies and CDT is 
generally supportive of the current bill. In particular, CDT believes 
that Section 2's focus on bad practices and its increase of the 
penalties for violators will serve as a valuable deterrent. H.R. 29 
will give the Federal Trade Commission the clear authority and explicit 
mandate to pursue spyware purveyors. To this end, CDT also strongly 
supports the reporting requirement under Section 7.
    CDT has been more hesitant to embrace Section 3 of this bill. The 
notice and other requirements on adware and information collection 
programs raise extremely difficult definitional issues which, if 
handled wrong, could have unintended consequences in the regulatory 
process that could ultimately harm consumers.
    For this reason, the bill may be well served by another round of 
input from a wide range of parties in order to limit unintended 
consequences--especially in Section 3, where H.R. 29 deviates from the 
effort to focus on bad practices. CDT still believes that it would be 
most effective to address notice and consent issues in a general online 
privacy bill rather than a software specific bill, but we understand 
the desire to attempt to address this acute concern first, despite the 
complexities involved. We look forward to working with the Committee on 
this process.
    CDT's main concern is actually not with the bill itself, but the 
political process to move the bill forward. We do not want to see the 
passage of this bill be used to diminish efforts by this Committee or 
others in Congress to address online privacy in a long-term and 
coherent way. Rather we hope that the current effort on spyware can 
provide a jumping off point for efforts to craft baseline standards for 
online privacy now that many companies have expressed their support for 
such a goal. Otherwise, we will simply be back in this same place when 
we confront the next privacy-invasive technology.
    We have very much appreciated the Committee's hard work and 
openness to comment in the anti-spyware legislation process, and we 
look forward to continuing to work with you on this and other digital 
privacy issues.

                               Appendix A

    Adware companies face a particular hurdle in making their 
operations and value proposition transparent to users because adware 
programs typically do not run at the same time as the applications they 
support. In general, adware programs display advertisements while the 
user is surfing the web, regardless of whether the bundled game or 
file-sharing program is even running. This behavior can obscure the 
connection between the adware program and its bundled affiliate.
    As one way to help address this issue, CDT has pushed adware 
companies--and the software companies they bundle with--to implement 
co-branding, putting the names and logos of supported applications on 
all advertisements. Although advertisements would still appear to users 
out-of-context, separated from the applications they support, co-
branding would at least provide an immediately visible indication of 
the connection between the advertisements users see and the 
applications those ads support.
    The mock-ups below show some ways that co-branding might be 
implemented. CDT submitted these same examples to the FTC's workshop on 
peer-to-peer file sharing applications. Some of these examples 
demonstrate more consumer-friendly labeling than others, but they all 
illustrate the fundamental principle of creating a visible link between 
adware and their co-bundled partners. Co-branding is needed because 
notice and consent at the time of installation is not enough. The 
ongoing operations of adware programs must also be made transparent.
    To date, no adware company of which we are aware co-brands its 
advertisements.

[GRAPHIC] [TIFF OMITTED] T9899.001

[GRAPHIC] [TIFF OMITTED] T9899.002

[GRAPHIC] [TIFF OMITTED] T9899.003

    Mr. Stearns. I thank the panel, and I will take the 
liberty, as Chairman, to start the questioning.
    Mr. Schwartz, you have indicated sort of a little bit of 
concern here. What would you do today to improve the bill?
    Mr. Schwartz. Well, as I said, I mean, the main focus here 
on this bill--we generally support the bill, the--especially 
the focus on the bad--on bad----
    Mr. Stearns. So at this point, there is nothing you would 
change in the bill?
    Mr. Schwartz. Well, the concerns are about the definitions 
and more that a lot of it gets left to the FTC and the 
regulatory process, so it leaves a lot open for the FTC----
    Mr. Stearns. Yeah.
    Mr. Schwartz. [continuing] for FTC interpretation at this 
point.
    Mr. Stearns. Mr. Schwartz, anything in the bill--Mr. 
Schmidt, rather, anything in the bill that you would change 
today?
    Mr. Schmidt. Well, generally, as--like Mr. Schwartz, I 
generally support it, and----
    Mr. Stearns. Support the bill?
    Mr. Schmidt. [continuing] looking at some of the provisions 
that are in there, we have gone through four questions here in 
the past couple of days I would like some better clarity about 
on how those--the definitions are defined and who makes those 
decisions on those as well.
    Mr. Stearns. Mr. Rubinstein, what I am sensing is that 
everybody supports the bill, but they just want clarification 
of the language from our staff. Is that your feeling, too?
    Mr. Rubinstein. Yes, it is. There were a number of 
questions circulated by staff, and several of us testifying 
today are providing comments there.
    Mr. Stearns. Okay.
    Mr. Rubinstein. I think the cookie exception is an area 
worth exploring and should remain in the bill. I also alluded 
in my oral testimony to an issue around not allowing H.R. 29 to 
become a safe harbor for spyware vendors. And what I mean by 
that is, in the case of spam, for example, the fact that spam 
complies with the Act doesn't prevent ISPs from filtering spam 
or end users from deciding whether to accept mail or not. And 
similarly, in the case of spyware, even if a program does 
comply with this act, that shouldn't be viewed as a reason that 
consumers are obligated to download those programs. So in order 
for consumers to have full choice and for vendors to distribute 
very aggressive anti-spyware programs, we need to make clear 
that the bill itself does not change the legality in any way of 
programs that block spyware. So that shouldn't be pleaded as a 
sort of defense by a spyware company. You know, I comply with 
the law, therefore the anti-spyware vendors should not be 
permitted to block my program. That should be up to the 
consumer.
    Mr. Stearns. I think that is a good point.
    Mr. Baker, you were nodding your head. You agree with that 
then?
    Mr. Baker. I would generally agree with the comments by Mr. 
Rubinstein and the other witnesses.
    Mr. Stearns. Okay. And no one has any problem with the 
penalty side of this bill? I am assuming that that is 
acceptable, Mr. Schmidt?
    Mr. Schmidt. Yes, I do. As a matter of fact, I think many 
of us have talked for a long time that we have got to raise the 
cost of doing bad things beyond the point where it is no 
longer----
    Mr. Stearns. That the bad actors feel it.
    Mr. Schmidt. Yes, sir.
    Mr. Stearns. Yeah. Mr. Schmidt, I understand that you are a 
consultant to the Homeland Security. Is that true?
    Mr. Schmidt. That is correct, yes.
    Mr. Stearns. Let me ask you, apart from this legislation, 
what steps should the industry and consumers take to enhance 
security on the Internet? If you had to protect a family 
member's computer for use on the Internet, what would you do 
and what functions would you allow to prevent others from 
spying on them?
    Mr. Schmidt. You know, that is a good question. I think 
that breaks into two major categories. There is the maintenance 
piece of that, if you would, which is like an automobile. You 
need to keep oil, check your brakes, et cetera. And that goes 
to the security updates, the anti-virus software, the anti-
spyware portion of the maintenance to the computer itself. The 
other is the educational and where they go. And I will use the 
analogy. One of my staff came up with this at one point. We 
could have the best shopping store in the country, but if you 
get mugged in the parking lot, you are not going to want to go 
there any more. So consequently, we have to do all we can, in 
addition to what enterprises are doing, to make sure that the 
consumers are aware of where to go, how to protect themselves, 
and Ralph there has good experience. And that is about doing 
trust and safety of the online experience as well.
    Mr. Stearns. Mr. Baker, this is a question. Does H.R. 29 
adequately address the phishing problem? Does EarthLink, for 
example, educate its consumers about the phishing, both e-mail 
and web-based?
    Mr. Baker. Yes, Mr. Chairman, we do educate our consumers. 
We educate consumers generally about that and also--both let 
them know about the dangers of it and also provide tools to 
help. We have a program that uses heuristics to detect if 
they----
    Mr. Stearns. How would I----
    Mr. Baker. [continuing] if a website is phishy, if you 
will, and warn consumers away from that.
    Mr. Stearns. Now how would I, as a consumer using 
EarthLink, be told about this and use your program? I mean, do 
you proactively tell the consumer, or do you just tell them to 
go to your website or----
    Mr. Baker. Well, as part of the EarthLink software, we 
include the tools like Scam Blocker that blocks access to 
phisher sites and gives a notice to a consumer when they are--
if they get a phisher--if they get an e-mail that leads to a 
website or if that looks like it is coming from a legitimate 
merchant, but it is actually a phisher site, the Scam Blocker 
program alerts the consumer to that. And we also provide 
information to our consumers as to ways you can also help 
protect yourself by looking, for instance, at the URL or if you 
get an e-mail and you are not sure, rather than just clicking 
on the link that is provided in the e-mail, instead, go to your 
browser and type in the name of the merchant you are trying to 
get to. Whether that is EarthLink or eBay or Citicorp or 
whatever. So instead of just clicking on the link, which could 
take you to the phisher site, and again, they are made to look 
like the real thing, one way the consumer can protect 
themselves is, like I said, going and opening the browser and 
typing in www.Citicorp.com or www.Earthlink.net and that way 
the consumer can have some assurance that they are going to the 
correct website. So those are two of several different ways 
that consumers can protect themselves.
    Mr. Stearns. All right. My time has expired. The ranking 
member on our committee, Ms. Schakowsky, is recognized.
    Ms. Schakowsky. Thank you, Mr. Chairman, and thank you for 
your testimony. I say that to all of our witnesses.
    I wanted to--and we have talked a lot about what spyware 
can do to individual computers and to individual consumers, but 
one thing we really haven't talked about is the potential 
damages that a spyware infection can do to businesses, to 
Congressional offices. And I wondered if any of the panelists 
would like to fill us in a bit on those threats.
    Mr. Schmidt, go ahead.
    Mr. Schmidt. Yeah, I would be happy to. As a matter of 
fact, I alluded to that during my verbal testimony. What we 
have seen is sort of--as I have mentioned, sort of the 
additional pieces of spyware, which include Trojans, which then 
give someone an access to remotely control your system to 
create a bot network out of a robot network, which basically 
then could be used against critical infrastructure as a 
distributed denial service attack, keystroke capture to grab 
passwords, which generally not only relate to what you may be 
doing in your work environment, but also, oftentimes, your 
online banking and everything. So these things become very, 
very insidious as far as their ability to affect more than just 
an individual. And that is why corporations and enterprises are 
working very hard to make sure that they can wipe out the 
spyware on there, because it does affect their ability to 
manufacture, to provide--you know, for example, we have seen 
the situations in the past where airline reservation systems 
have been down for computer problems that could have 
conceivably been affected by spyware as well.
    So it is your--you are quite correct. It is more than just 
about privacy and personal protection.
    Ms. Schakowsky. That terrible situation we had during a 
snowstorm where all of the baggage was tied up, has that been 
attached at all to spyware, do you know?
    Mr. Schmidt. Not to my knowledge, no.
    Ms. Schakowsky. Okay. Mr. Rubinstein, according to a 
September 2004 article by Consumer Reports, Microsoft has found 
that spyware is directly responsible for more than 1/3 of 
application software crashes that might be linked to as many as 
half of the crashes Microsoft customers experience. Let me just 
ask you some basic--what does Microsoft mean by a ``crash''? 
What does this do to a person's computer, to any files that 
they may have? And I am wondering if there is any way that you 
can estimate, in dollar amounts, how much damage this has 
caused for consumers or for businesses or for Microsoft.
    Mr. Rubinstein. It is hard to put precise dollar amounts on 
the damage it has caused. I know that it is probably the 
leading reason for support calls, both to Microsoft and to the 
leading manufacturers, such as Dell, so that imposes, 
certainly, millions of dollars of cost on the providers of 
technology. In terms of crashes, spyware is often responsible 
for either slowing down the performance of a computer or simply 
not allowing the user to navigate to a selected site or even to 
use certain programs to stop pop-ups from interfering and so 
on. So it is certainly quite damaging, and I think the one 
point that I really want to call attention to is that the 
scenarios we have heard where I--the spyware tools are getting 
more sophisticated, but the scenarios we have heard where they 
were ineffective and where the consumer is forced to reformat a 
hard drive or replace a computer are just simply unacceptable, 
and I think that is why I think we need to bring together all 
of these different elements to combat the spyware.
    Ms. Schakowsky. Finally, Mr. Schwartz has emphasized the 
need for baseline privacy legislation. I just wanted to ask the 
other three of you what your feeling was about the need to do 
just that. Mr. Baker?
    Mr. Baker. Privacy legislation?
    Ms. Schakowsky. Baseline privacy legislation.
    Mr. Baker. Well, I think that--meaning this legislation, we 
have already taken a large step to protecting consumers' online 
privacy, because one of the insidious applications of spyware 
is, of course, transmitting personally identifiable information 
to another website without that user's knowledge. So this is--
and so with or without stand-alone privacy legislation, this 
bill will--it takes a big step toward protecting consumers' 
online privacy.
    Mr. Rubinstein. Microsoft is committed to strong consumer 
protection of privacy, and we would be--we would welcome the 
opportunity to talk about legislation.
    Mr. Schmidt. Yes, I think one of the things that I have 
always found very helpful is you look at legislation after 
market forces now, and I think with the collaborative effort 
that we have been looking at from the private sector agreeing 
on some baselines, if you would, for privacy protection, I 
think that would be the first avenue that I would recommend. 
And then if that, indeed, failed within a relatively short 
period of time, then I would look more toward the legislation. 
But even in that vein, I think the dialog that your leadership 
and Mr. Towns and Ms. Bono have done as well basically give us 
that vehicle that--to have the dialog to make sure we do things 
in the proper manner.
    Mr. Stearns. The gentlelady's time has expired. The full 
Chairman, Mr. Barton.
    Chairman Barton. Thank you, Mr. Stearns. We appreciate your 
leadership on this.
    Let--Mr. Baker, your company purportedly has the best anti-
spyware program on the market. Would you care to, in laymen's 
terms, explain to us why your program is reputed to be the 
best?
    Mr. Baker. Thank you. I suppose I should quit while I am 
ahead and not question the source of that assessment. But no, 
we do take our customers' online experience very seriously, and 
so we have developed, either on our own or in conjunction with 
other companies, various applications, like Spy Audit that, 
again, lets a user--it lets anybody, you don't even have to be 
an EarthLink customer, scan their computer to see what spyware 
is on there. And then if you are an EarthLink customer, you 
have a spyware blocker that lets you disable it. And it is--we 
are just always working. It is almost like an arms race. You 
know. We devise tools to block spyware and to remove it and at 
the same time, the folks who write this malware, as it is 
sometimes called, spyware and other bad applications are 
always, you know, trying to find ways around the protection. So 
it is just a question of constant innovation and getting 
feedback from customers and finding out where this is coming 
from and designing tools and systems to help consumers enhance 
their online experience.
    Chairman Barton. Why do you think the perpetrators of 
spyware--what is the potential gain that causes them to try so 
hard to get around the anti-spyware programs and to invade 
people's computers? What is it that they gain by successfully 
putting spyware on an individual or corporate computer?
    Mr. Baker. Well, that depends on the form of spyware. In 
the case of the less intrusive and less insidious adware, it is 
just a question of revenue. One site pays--one website will pay 
another website when a cookie or another piece of adware 
indicates that a customer got to website B, having first 
visited website A. So there is--money changes hands there. In 
the case of phisher sites that Mr. Stearns mentioned earlier, 
while those are not strictly spyware, clearly the motivation 
there is that if the perpetrator can steal a consumer's credit 
card number or bank information or other information, then 
obviously there is--money can be gained there. In the case of 
other forms of spyware, it is just malicious. It is online 
vandalism. And I guess----
    Chairman Barton. So there is no financial----
    Mr. Baker. [continuing] in some cases, there is no direct 
monetary benefit, other than just the malicious harm that can 
be done to an online user, their Internet provider, their 
software provider, their----
    Chairman Barton. Well, this is a question for all of the 
panel. Who are the generally guilty parties in the spyware 
business? Are they businesses seeking financial gain, or are 
they college students and teenagers just trying to do it for 
the heck of it? Who are we--who is the enemy?
    Mr. Schwartz. There are a lot more businesses out for 
financial gain at this point than there have been in the past. 
As we map it out in our testimony, this chain of affiliates and 
distributors that has been created through the process of which 
distributor--software gets distributed online, and it has 
created this kind of incentive for making the ends justify the 
means of getting this software on people's computers. So an 
advertiser might not know how this software got on someone's 
computer, and the person who is actually delivering the 
software may not even know. There are--all of these affiliates 
in the middle, six or seven layers worth of affiliates who are 
all getting paid up and down the chain. And so therefore, 
someone in the middle is completely unscrupulous and has no--
doesn't really care how the consumer gets it. The people at the 
top and the bottom may care, however, the website that is 
actually interacting with the consumer may care. The company 
that is advertising may care. But the people creating the 
software and creating the means to try to get it on the 
computer often do not care. And they are making a good deal of 
money out of getting this software onto people's computers.
    Chairman Barton. So in general, you all agree it is 
business. It is that people are in it for some sort of 
propriety gain that are the perpetrators. We have some of them 
that do it just for the heck of it, but most of it is really a 
business for business reasons. Would you all agree with that?
    Mr. Rubinstein. I think that is right, Mr. Chairman. There 
is a sense in which spyware is beginning to replace spam as a--
kind of an opportunity for unscrupulous business people. But I 
think there is also a growing trend for more serious organized 
crime, taking advantage of spyware to create, as Mr. Schmidt 
indicated, these so-called bot nets or zombie networks that 
allow them to take control over a machine, and then sometimes, 
you know, have a group of thousands of machines, which they 
rent or sell to these businesses to further spam schemes or 
phishing schemes. So we are seeing more of that as well.
    Chairman Barton. Well, my time has expired, but I want to 
thank all of you gentlemen for your testimony today. I thank 
the full committee chairman.
    The gentleman from New York, Mr. Towns.
    Mr. Towns. Thank you very much, Mr. Chairman.
    I would like to ask you, Mr. Baker, when a consumer's 
computer crashes, he often calls the software or the hardware 
provider for assistance. This technical assistance costs 
companies in the millions. What types of costs are incurred by 
Internet service providers, such as your company, as a result 
of the spyware? In other words, let me put it this way. How 
much is spyware costing your company?
    Mr. Baker. Congressman Towns, I don't have an exact figure 
on it, but it is literally in the millions and millions of 
dollars, because, as you have pointed out, customers can call 
into their ISP, and you know--an Internet provider kind of 
exists at a crossroads between hardware and software, between 
the user's individual computer and the Internet at large, and 
so any time something affects any of those systems, the 
consumer is going to look to their Internet provider as to why 
they can't get online. And so it generates a call to our call 
center and--or sometimes e-mail or sometimes chat, but it 
drives up the contact rates, it drives up the times that our 
reps are on the phone with customers, and you know, sometimes 
it is easily resolved and sometimes it is not. Obviously that 
causes frustration to the user, and it does increase our costs, 
so again, I don't have an exact figure on it. I would be happy 
to provide that to you and get you an estimate, but again, it 
is in the millions of dollars per year.
    Mr. Towns. I would appreciate it if you would.
    To you, Mr. Rubinstein, first let me thank you, Microsoft, 
for their support of this legislation. We appreciate that. And 
I was pleased that your written testimony noted that we had 
successfully focused on bad practices. Throughout this process, 
it was critical to me that we craft legislation that does not 
hamper legitimate software applications and activities, like 
computer security, diagnostic, and technical support. You 
talked about shared responsibility for tackling spyware, taking 
into account the legislation and the progress in the different 
areas identified in your testimony, how close are we to solving 
the spyware problem, and what more should industry be doing?
    Mr. Rubinstein. Thank you, Congressman Towns.
    I think there has been substantial progress on consumer 
education, making that available. There are a number of 
excellent sites, and I can provide those, if you like. I think 
the anti-spyware tools are becoming more sophisticated as well. 
I think the two areas where there really needs to be more 
attention and focus are first around industry agreeing upon 
best practices for good software. It is very useful, as we have 
found in the spam--in the anti-spam effort to have both safe 
lists and block lists. So if you can have criteria that 
legitimate software follows for installing itself, for example, 
and then have a way of representing that a given program is 
actually safe to install, that aids the anti-spyware tools in 
really focusing on the bad actors and being more effective. So 
I think that is something that industry needs to move ahead on. 
There have been several best practice guidelines distributed 
both Center for Democracy and Technology and the Online Privacy 
Alliance have been active in that, but I think more needs to be 
done.
    I also think that a key technological development is having 
not only a detection and removal capability in the spyware 
tools but also real time protection, which means that as the 
spyware attempts to load itself, the tool is actively blocking 
it in real time, so that you don't have to get hit and then try 
to recover. You are actually protected as you surf the web.
    And finally, I think, from a technology standpoint, the 
important future development will be protection at the 
enterprise level, by which I mean not just at the level of an 
end user's machine, but the ISPs, the large enterprises, like 
the House or the Senate or universities blocking spyware before 
it even enters their systems so that it is not up to the end 
user to do that, but it is instead taken care of at a more 
systemic level.
    Mr. Towns. All right. Thank you very much.
    Mr. Chairman, very quickly. Mr. Schwartz, many consumers 
continue to download software infected with spyware so they can 
illegally trade music or movies. Do you think that most 
consumers know that they are putting at risk the operation of 
computers, which may cost $2,000, $3,000, or $4,000? What more 
can we do to educate the public about the dangers of spyware?
    Mr. Schwartz. In our testimony, we document some examples 
of how we could highlight better how people actually got the 
software down on their--down to their computer, that forcing 
some of the advertisers to start engaging in the best practice 
discussion, as Mr. Rubinstein said earlier, that we are 
starting to move toward a more--a better discussion of best 
practices for advertising I think will illuminate a lot of the 
issues in terms of peer-to-peer in particular. Representative 
Murphy raised the example of Gator or Gain, and that is exactly 
what we are--we mock up on the back of--Kazaa, which is a peer-
to-peer program, now comes with Gain when you--when a consumer 
downloads it, they get Gain, which acts--which runs, actually, 
while the person is on the web, not while they are using the 
other program. So they might even know that it is advertising 
supported, but they wouldn't necessarily know what program it 
is or how it works. It is very confusing to consumers. So we 
are trying--we suggest trying--moving toward best practices of 
making them co-brand, so that when you go to remove the 
software, you know that it came because you had Kazaa. When you 
get the ad itself, you start seeing these pop-ups, you know 
that it came because you have this peer-to-peer software on 
your computer.
    Also, it shows--it should show up on the add/remove file. 
As you know, it does not, today, show--the products in Gain 
does not show up in the add/remove file. It makes it very 
difficult for consumers to be able to remove it. These are just 
common best practices that software should have to file, and 
that is exactly along the lines that we think--where we think 
we should be moving, as Mr. Rubinstein referred to earlier, 
toward best practices.
    Chairman Barton. I thank you, Mr. Schwartz. The gentleman 
from Georgia, Mr. Deal.
    Mr. Deal. Thank you, Mr. Chairman. And first of all, I 
would like to welcome my friend, Mr. Baker, to the panel today 
and for those of you who don't know, he was formerly an elected 
public service commissioner of our State survey, I believe, in 
his former life, and we are pleased that he is here taking a 
position on a cutting-edge issue that affects all of us.
    I have been looking at the enforcement provisions of this 
bill, and I would like to ask you a couple of questions, anyone 
on the panel, quite frankly, as to whether or not the 
enforcement provisions we provide are adequate or whether or 
not we have the potential of doing some harm here. And let me 
highlight a few of the issues that I am concerned about. As I 
read the bill, the primary--the exclusive enforcement provision 
is through the FTC. And it only outlines civil penalties, 
financial or civil penalties. Are there potential criminal 
penalties associated with this activity under the referenced 
sections to the existing Federal Trade Communication Act? I 
don't think so since it goes ahead here and it says the 
exclusiveness of the remedies are those outlined here in this 
bill. So are we only talking about civil penalties, as you 
understand the proposed Act? Anybody?
    Mr. Rubinstein. Yes, Congressman, I believe that is 
correct. I would point out, though, that there may be criminal 
complaints that could be brought under the Computer Fraud and 
Abuse Act for at least some of the more egregious bad practices 
that would be viewed as computer abuses under that statute.
    Mr. Deal. Okay. I am concerned that we talk very much here 
about exclusiveness of remedies and we hinge it all to conduct 
defined in this Act and make it the exclusive remedy. Let me 
tell you another concern that I have, too, and that is the 
preemption clause of the statute. As Mr. Baker knows, our 
Governor has recently announced an aggressive State proposal to 
deal with spam through State statute. I believe he is proposing 
to make it a felony. He is mad about it, as you can tell. We 
are here preempting State laws. It is a little bit strangely 
worded to me, however. It talks about preemption of State law, 
and it says anything that is the prohibited conduct described 
in sections two and three. And then it goes, on the next page, 
to talk about that only an attorney general of the State may 
bring a civil action under the law of any State if such action 
is premised in whole or in part upon the defendant violating 
any provision of this Act. Does that take local district 
attorneys at the State level out of the picture of enforcing 
anything that would relate to this? And if so, what is the 
venue? That really, to me, is a primary concern. If it is a 
criminal act, the venue is where the act is committed, not 
where the defendant is located, which is the venue for civil 
penalties. Would somebody expound on that area?
    Mr. Baker. If I may, Congressman, and thank you for your 
kind words.
    As to venue, I believe we have a situation where as long as 
any part of that transaction touches where the consumer is, the 
violator may or may not be in that same jurisdiction, but if 
the harm--where the harm is done is sufficient for venue.
    And to your earlier question as far as the exclusive remedy 
and enforcement and preemption issues, I would look, by 
analogy, to exactly the situation that you mentioned with spam 
where we had Federal legislation in the form of the Can Spam 
Act. And there were some preemption sections in that. However, 
that did not totally preempt State laws, either those that were 
already extant or, as in the case of Georgia, ones that are 
being introduced, so it is possible to still have Federal 
legislation without completely preempting--Federal legislation 
with a preemption clause, it still does not completely preempt 
State laws, which would complement it. And again, to give you 
an example of our own efforts in fighting spammers. Even before 
the introduction and passage of the Can Spam Act, EarthLink 
still sued spammers. We probably sued about 100 to date and 
have various counts in those complaints, whether that is 
Federal laws, like Computer Fraud and Abuse Act, or State laws, 
whether they are rather more recent laws that are specifically 
technology related or whether they are just long-standing 
common law notions of nuisance and trespass. So we have always 
had the ability and maintain the ability, whether it is a 
spammer or a purveyor of spyware, to go after them. But--so we 
view Federal legislation like this as a complement to those 
efforts and notwithstanding preemption clauses that may be in 
it or specific requirements for exclusivity of enforcement as 
pertains to that law. There are still other counts that an 
online provider could use in going after these folks or State 
attorney general or another entity. So----
    Mr. Stearns [presiding]. The gentleman's time has expired.
    Just a point of information, some of the most egregious 
acts, spyware acts, I think are covered under the Wire Fraud 
Act. So we already have existing statutes to cover that, and 
obviously with the bill we have, since our jurisdiction is the 
Federal Trade Commission, you know, we would not have any 
criminal penalties in it.
    The gentleman from Washington, Mr. Inslee.
    Mr. Inslee. Thank you.
    Ira, I wanted to thank you for Microsoft's effort, but this 
is a little off subject. I would also like to thank a fellow 
who works for Microsoft who made a contribution of $750 million 
to the International Vaccine Effort yesterday. We appreciate 
that effort, the whole Microsoft family.
    But I want to ask you about your Microsoft protection 
efforts. Could you just elaborate on what your experience has 
been on the new product that you have made available in a 
sense? You refer to it generally. How many people have accessed 
it? Has it worked? Have you had any difficulties? Are there 
ways around it? How are you doing with the international folks? 
Just if you can elaborate on it.
    Mr. Rubinstein. Thank you, Congressman Inslee.
    We acquired a company called Giant in late December, and we 
committed to release it as a--release their anti-spyware tool 
as a Microsoft product within a month, and we are very happy 
that we met that goal. And the figures I have are that in the 
last--in the first 2 weeks of January, at least, there have 
been more than 3 million downloads of the tool, so we are very 
pleased to see that positive feedback. We think that the tool 
has a number of interesting features beyond just detect and 
removal. As I pointed out before, it also has a real-time 
protection aspect to block spyware as it is downloaded. And it 
also creates, on an opt-in basis, something we call spynet, 
which allows consumers to report suspected spyware and then 
have that investigated on a priority basis and quickly added to 
the list of spyware programs that the tool detects. So we have 
taken the power of the Internet and turned it, you know, toward 
identifying more spyware and doing so very quickly.
    Our plans are to accept consumer feedback for several 
months to begin working on localization of the product and then 
to release it as a full-fledged product some time probably in 
the first half of this year.
    Mr. Inslee. Got you.
    A question for the whole panel. Talk to us about our 
international efforts from offshore folks. What is our best 
protection against that? What strategies should we be thinking 
about that are not in this bill? What are you doing about it? 
We are looking for brainstorming here.
    Mr. Schmidt. Thank you, Mr. Inslee, and it is good to see 
you again, sir.
    It is interesting, because that is very closely aligned to 
Mr. Deal's question relative to the States where you have, you 
know--what is not in anybody's best interest is 50 different 
statutes or 50 different sets of regulations relative to this. 
You compound that tremendously by going international. So 
currently under the G8 Subcommittee on Cybercrime, which the 
State Department and the Department of Justice have been 
gracious enough to invite many of us from private sector to 
participate in that, we are working on the international realm 
as well, trying to use that same framework that has been 
established in this bill to try and internationalize that. It 
is very, very challenging, because some people view this truly 
as criminal. Some of the countries we deal with don't even have 
any laws close to the cybercrime piece of it, let alone the 
civil penalties, the provisions that this Act provides. So we 
are working that.
    Also, in a private sector perspective, Microsoft, Yahoo, 
eBay, and AOL recently met in Asia with a number of the 
countries in Asia and signed a Memorandum of Understanding on 
working collectively on a proactive basis, as Mr. Rubinstein 
pointed out, to prevent these sort of things from happening.
    So there are a lot of efforts, but none of them have been 
put together in a fashion by week and say in 6 months, we are 
going to have a solution. But it is not being ignored, by any 
stretch of the imagination.
    Mr. Inslee. So if you look forward to the passage of this 
bill, does it just drive these folks from one country to 
another as we increase our international agreement, which I 
presume will start with G8, but I don't know how many countries 
there are, but there are a lot more than eight, is this--are 
they going to be one hopscotch ahead of us constantly until the 
world is under this bill we are going to pass or what do you 
think?
    Mr. Schmidt. Yeah, it is interesting. Mr. Deal was asking a 
question while I wrote a note to myself, and relating back to 
the old issue, we dealt with telemarketers. And actually, we 
were forming, sort of, safe harbors for them, because they were 
hiding under certain States under the provisions where they 
felt they could operate in exemption. And that is correct. And 
we are, indeed, worried about that aspect of it.
    And relative to the G8, by the way, even though it is the 
G8 Subcommittee, we have over 110 nations now that are a part--
participating in that proactively as well as some multilaterals 
as well.
    Mr. Schwartz. But one point to add on to that is that the 
Federal Trade Commission has really been moving, and they 
really recognize exactly this problem that you raise, that as 
we move into more of a network world, we are going to see--
start seeing the bad guys move offshore and move their 
businesses offshore and have--has started to try and build 
alliances and started--start to work on some of these issues. 
This committee dealt with it--this issue in the crossborder 
fraud legislation that came forward, that the FTC has been 
pushing forward. And there have been other efforts that the FTC 
has been working on. So I think this is a question that goes 
beyond just spyware. It is really a question of how are we 
going to do enforcement for the Internet generally. One thing 
to point out, though, is it is going to be very expensive to do 
the kind of forensic works you need--work you need to be able 
to track people across the world--around the world. Just giving 
more power to the FTC is not, alone, going to do it.
    Mr. Inslee. Ira, I think you made reference to you don't 
want to create a safe harbor that doesn't exist now. We always 
want to retain consumer choice here. Have we solved that 
problem or is there specific language you would suggest or----
    Mr. Rubinstein. There is language in the Can Spam Act that 
goes in this direction. There is also a Good Samaritan 
provision in this Act that might be adjusted to deal with the 
issue that I identified.
    Mr. Inslee. Should we use the Can Spam language in this 
bill?
    Mr. Rubinstein. I think that would be appropriate. We have 
just begun to discuss that with staff, so we are in the early 
stages of addressing it.
    Mr. Inslee. Thank you. Thanks, folks.
    Mr. Stearns. I thank the gentleman.
    The gentleman from Arizona, Mr. Shadegg.
    Mr. Shadegg. Thank you, Mr. Chairman. I want to thank the 
full committee chairman for this hearing. I want to thank you 
for your interest in the topic, and I want to thank our 
witnesses. When this legislation appeared before this committee 
before, I made it clear that I view it as of deep concern. 
There are many different versions of spyware and probably far 
too many for me to begin to comprehend, maybe even too many for 
any of you to comprehend in terms of what all is out there. But 
I have at least one basic understanding of spyware, and that is 
keystroke recording, which takes me back all of the way to the 
days when we had wire tapping. I think the American people are 
deeply concerned about their privacy interests, and I think 
that if they understood that someone was wire tapping their 
phone, either at home or at work, they would be deeply upset. 
And I am not certain that when the average American hears the 
word ``spyware'' that they have an understanding that this is 
the electronic, or at least one aspect of spyware, is the 
electronic equivalent of wire tapping, where they record every 
stroke I hit on my computer. I want to--I think it is extremely 
important that we get beyond the internal Congressional 
disputes on this legislation and that we, in fact, pass 
something and that we pressure our friends in the Senate to 
pass something on this topic. I think it would be a serious 
failure if we don't do that. I recognize that the industry has 
reservations about what precisely should be done, and I am more 
than willing to listen carefully to those reservations and try 
to craft the language as carefully as we can. If, as was just 
suggested, there are other definitions that should be lifted 
from other draft legislation and placed in this bill, I would 
support that, but I think it will be inexcusable if this 
Congress fails to act in this area.
    I share Mr. Deal's concern about the issue of preemption. 
It seems to me if the American people understood that this is 
the equivalent of wire tapping and then understood that we were 
preempting a State's attorney general's office from going after 
the equivalent of wire tapping where someone was, essentially, 
gaining access to their personal computer and then recording 
everything they do on that computer, no matter what expectation 
of privacy they had, they would not be happy about that. The 
chairman of the committee indicated that there are other 
penalties. I guess I would like to ask you, Mr. Chairman, or 
counsel, if those penalties include criminal penalties that 
would go at keystroke recording so that we can get at--so that 
we are assured that there is, in fact, a criminal penalty for 
somebody who essentially wire taps through this mechanism.
    Mr. Stearns. The gentleman--I understand from staff it is 
currently a felony.
    Mr. Shadegg. Okay. Is that--if I might as the panel--the 
chairman--the members of the committee--or the panel, is that 
your understanding as well?
    Mr. Schwartz. Yes.
    Mr. Schmidt. That is correct, sir. Yes.
    Mr. Shadegg. And are those penalties currently being 
pursued by either U.S. law enforcement officials, U.S. 
attorneys and others across the country, or are there similar 
penalties at the State level?
    Mr. Schmidt. If I may speak from the perspective of a State 
local law enforcement from my days at Chandler Police 
Department, and of course Arizona was one of the early States 
that passed criminal statutes relative to a vast array of 
computer crimes. I called my son when I was preparing for the 
testimony. I said, ``Well, how many cases do you actually get 
at Tempe on people complaining about spyware?'' And he says he 
gets very few, because they don't understand.
    Mr. Shadegg. Right. They don't even know it is happening.
    Mr. Schmidt. That is correct. They call and they ask how to 
remove it, but not the provisions of how to prosecute someone. 
And I asked him, ``Well, if you were asked to do that, how--
would you be able to do so?'' And he said, ``Right now, there 
is just--the resource is not available for State and local law 
enforcement to be able to successfully do those in any numbers 
at all.''
    Mr. Shadegg. I think it is important that we do that, 
because, as you know, a good part of criminal law enforcement 
is prophylactic. That is to say, you enforce the crime against 
somebody and you make an example out of them, and that 
discourages anybody else from engaging in that conduct. And so 
it seems to me that it is important that we act in that regard. 
And----
    Mr. Schmidt. One quick comment, if I may, Congressman. It 
may be just a little side note to this. And I have been 
encouraging a number of law enforcement folks I have dealt with 
across the country, as part of their crime prevention efforts 
they do is they send out brochures on how to put burglar bars 
to protect yourself. Do something very similar to these sort of 
acts to help do the very preventative nature of it so we can 
reduce the number of activities that take place that need to be 
investigated and prosecuted.
    Mr. Shadegg. Now I think that is important and I think that 
far too many Americans are unaware of the fact that spyware can 
be essentially very criminal conduct that can invade their 
privacy in very specific ways and can be very serious, and in 
the business world, could, in fact, be financially ruinous.
    So I appreciate your testimony here today. I appreciate 
your support of this legislation. I look forward to working 
with you to ensure its passage. It seems to me we have failed 
last year. We dare not fail this year.
    With that, Mr. Chairman, I yield back.
    Mr. Stearns. I thank the gentleman for his good comments.
    The gentlelady from Wisconsin, Ms. Baldwin.
    Ms. Baldwin. Thank you, Mr. Chairman.
    Mr. Stearns. And I would just also welcome you to the 
committee, and we are delighted to have you.
    Ms. Baldwin. Well, it has been a delight, actually, to have 
this as our first hearing of the session, and I will take 
advantage of being a newcomer and ask some questions that 
perhaps I wouldn't get away with as a senior member of the 
committee.
    In this discussion, we do not have a representative of the 
Federal Trade Commission testifying today, and there has been 
some discussion, I think, Mr. Schwartz, in your testimony, you 
were talking about the fact that we have to dramatically 
increase investigations enforcement if law enforcement is going 
to serve as a deterrent. You discussed, also, in your 
testimony, the specific case that you brought before the FTC 
and pleasure that it was taken seriously and investigated and 
will lead to others. But the legislation before us will give 
the FTC more specific power. I would like to hear about the 
resources that go along with that. Are you seeing an increase 
in the investigations, the enforcement efforts that are going 
on at the FTC?
    Also, let me throw a second question out, and any of the 
panelists who feel comfortable answering it, can. We are 
talking about the State level. Have you seen promising 
investigations of enforcement at the State level at this point 
that can add to the dramatic increase that is going to be 
necessary for a sufficient deterrent?
    Mr. Schwartz. To follow up on the FTC question, we--they 
don't tell us about ongoing investigations. They--it is against 
their rules to do that. So we don't know how many they have. 
They have told us that they are investigating cases, and 
certainly, when we have gone to brief them on certain things 
that we have been seeing, there have been more people in the 
room now than there were a year ago. So that--it seems as 
though that is a positive sign toward doing more--toward doing 
better enforcement.
    The issue, I think, of the complexity, though, of these 
kinds of cases really does go to your point in terms of needing 
more resources to be able to do something like this. Taking 
this on on our own, and when we did the Seismic case, it took 
us a great deal of time just to map out the different players 
and the--that were involved, and still of them we still don't 
know, to this day. It takes the FTC the ability to do the same 
kind of mapping and then go in and get discovery and find out 
all of the players involved and then go through all of their 
files and find out all of those players involved. It is quite 
an extensive process to do one of these--the forensics for one 
of these cases together. And I don't want that to be lost, 
because certainly raising the penalties does give them more 
power, but it doesn't serve as a deterrent if you can't use it.
    Mr. Schmidt. I would like to make two quick comments on 
that. For the FTC, particularly Commissioner Swindle has been a 
leader in this area, from FTC working, not only with the 
Congress as well as private sector, but also the OECD. But it 
is tantamount to drinking from a fire hose is what it boils 
down to, which is why a lot of the efforts we are doing, and we 
are hoping this bill helps, is become an incentive not to do 
these sort of behaviors so we can get it down to something that 
is manageable.
    The other thing relative to FTC, like any other law 
enforcement agency or any investigator or regulatory body, they 
just don't--will never have the resources, which is why they 
are oftentimes augmented by their counterparts in private 
sector. You know, the provisions of Title 18 2703, which gives 
us the ability to protect our networks, we can collect a lot of 
information and turn that over to FTC or turn it over to law 
enforcement, which they may have the challenges in doing so 
with the lack of resources. So we can actually become very good 
partners, and we have seen that happen on a regular basis.
    Mr. Rubinstein. I would just add, Congresswoman, that 
Microsoft, EarthLink, AOL all now have a long history of 
bringing hundreds of lawsuits in the spam arena, and I think we 
are all starting to gear up additional legal and investigatory 
resources to devote to some of these new threats, such as 
spyware and phishing. So we hope to bring more cases and to 
cooperate both at the Federal and the State level.
    Ms. Baldwin. Any comment about the State level enforcements 
or investigations that have been helpful in this?
    Mr. Schwartz. Well, there haven't really been that many 
State level enforcements. We have been contacted by a few 
attorney generals and a few State district attorneys as well on 
certain cases, but again, it is--cases are extremely complex, 
and we haven't been able to really map out those cases in the 
same way that we could in the Seismic case. I know that they 
have resources that they are putting toward it, but we haven't 
seen the fruits of the labor yet.
    Mr. Stearns. You are all finished? Complete. Okay.
    The gentleman from Pennsylvania.
    Mr. Murphy. Thank you, Mr. Chairman.
    I have a few questions I just want to ask in general and 
see if--who can answer these, but they are--some of the 
specifics have been raised today about the bill.
    Mr. Stearns. Okay.
    Mr. Murphy. For example, does this bill adequately require 
every download of information at the computer software to be an 
opt-in? Does it adequately--is the wording adequate for that? I 
will go a few more, and if you can't get it for me today, maybe 
you can get it to me eventually, or get it to the chairman.
    Does it--Mr. Schwartz, you mentioned the add/remove file. 
Does the wording in the bill adequately address that anything 
that is downloaded has to be visible and it can't be hidden for 
an add/remove file, and further that it be visible in search 
files or in program files when one gets into those areas? Do 
you know if the wording in the bill adequately addresses that?
    Mr. Schwartz. Well, this is some of the difficulty of doing 
this on a technology-specific basis. It is hard to know. I 
mean, this is exactly the--was my point earlier about the 
definitional issues. It is hard to know exactly how this is 
going to lay out, how the definition of software information 
collection programs are going to work themselves out in the 
regulatory process. So it is hard to know today to be able to 
say yes it adequately covers it or not. We would prefer to 
have--to cover this across technologies and say it is the 
collection of information, it is--and it is the transparency 
issue, as you have raised, that are important that consumers 
understand that their information is being used in that way, at 
least for the privacy aspects of this.
    Mr. Murphy. Well, that--and Mr. Chairman, maybe I can just 
state this in general and hopefully have these sent back to the 
committee from our experts. But other areas, too, and that is 
does it prevent some software from lying dormant and then 
sometimes reemerging to do this so that if one is even 
searching for files to find if anything has been downloaded 
that it really is visible at the time of downloads? Does it 
also prevent these things from attaching itself to e-mails, 
because that is oftentimes how things come on computers 
surreptitiously or cloaking itself as a legitimate website, as 
was brought up, too, and then a person thinks they are going to 
a legitimate link and then it turns out to not be or--and I 
guess all of these mechanisms, and more that we can't even 
anticipate yet, because as soon as you make something illegal, 
someone else will come up with a technique to make--to find 
another loophole there. But that is why--although we are 
looking for specifics to still come up with enough general 
ideas to prevent some of these from surreptitiously or 
illegally or at least without informed consent to have some of 
these, and I am hoping these are--this is information that the 
committee can, perhaps, get back to us in writing, back to the 
chairman. I would love to have that review.
    Thank you, Mr. Chairman. No further questions.
    Mr. Stearns. Well, thank you. I think what we can do, Mr. 
Strickland, you are next, and I think we have got a vote, but I 
think we have got sufficient time for you and then----
    Mr. Strickland. One question and then a quick question.
    Mr. Stearns. Okay.
    Mr. Strickland. And I am sorry I wasn't here, but I had a 
meeting earlier for the testimony.
    Mr. Stearns. I understand. We all understand.
    Mr. Strickland. But I just wanted to ask you, do you think 
that this bill, as written, will deter innovation in e-
commerce?
    Mr. Baker. No, I----
    Mr. Strickland. Anyone can answer that. Yes, no, or if you 
want to elaborate.
    Mr. Baker. Let me--that is clearly not the intent of the 
bill, and I don't think it will. What we need to do with this 
bill, or any legislation, is go after the bad actors, and I 
think this bill does a good job of doing that. I mean, clearly, 
it is not meant to apply to the operating system, the Microsoft 
operating system that comes preloaded on the computer or the 
EarthLink software that allows an online user to connect to the 
Internet.
    Mr. Strickland. I understand. And you know, sometimes we 
pass well-intentioned legislation, and then we find out later 
it has adverse consequences, and I was just--you know, thank 
you for your opinion. I don't challenge your conclusion. I just 
wanted to ask the question to see what it was that you thought 
in terms of this particular matter. So thank you, sir. Thank 
you.
    Mr. Rubinstein. If I may supplement that answer, 
Congressman. I think the section two, which focuses on bad 
practices, will not have that impact. But section three, where 
there is some very crucial definitions that try to balance the 
types of scenarios where information needs to be exchanged in 
the background, because it is just the way the Internet works, 
those are very important provisions. In particular, we don't 
want, in the name of going after spyware actors, to have a 
transformation of the user experience so that when you go to a 
website you just get bombarded with consent dialogs: ``Is it 
okay to do this?'' ``Is it okay to do this?'' ``Is it okay to 
do this?'' And as long as we maintain that balance between 
requiring notice and consent in certain cases but accepting it 
in sort of the ordinary use of cookies, just for shopping 
carts, for identifying customers, et cetera, then I don't think 
it will have any adverse consequences.
    Mr. Schmidt. In short, Congressman, it is unlikely that it 
is going to have a bad effect, but we want to make sure, and to 
Mr. Murphy's question about the definitions of some of these 
things, a lot of the things we are working on, for example, I 
am not here on behalf of eBay, but I know eBay is--we have 
launched an account guard, which automatically does sort of the 
delineation between good sites and bad sites to protect 
consumers very proactively that requires that download and in 
the early version of this, it would have inhibited our ability 
to do something like that. So we want to make sure that we 
continue to make sure there is a clear demarcation between the 
bad actions and the things that are a benefit to the consumers. 
Thank you.
    Mr. Schwartz. I basically agree with everything that has 
been said here, but I would also like to point back to Mr. 
Rubinstein's comments earlier that were not part of my 
testimony, but I agree with the idea that we need to be careful 
about the anti-spyware tools and making sure that we are not 
limiting the ability for anti-spyware tools to gain the consent 
of consumers to be able to do this so that they can continue to 
innovate, too. That is an extremely important key to make--to 
this effort to stop spyware is going to be the technologies.
    Mr. Strickland. Thank you, Mr. Chairman.
    Chairman Barton. Thank you, Mr. Strickland.
    We have a series of votes on. There are no other members 
present, and I am told on the Minority side that there are no 
members wishing to come back and ask questions, so I am going 
to conclude the hearing. I want to thank you gentlemen. I will 
make an announcement before we formally adjourn. We are going 
to take the comments on the bill, as introduced. The deadline 
is, I think, close of business today. It is not a mistake that 
the--in the last Congress this bill was H.R. 2929 and in this 
Congress it is H.R. 29. I think that shows you how the priority 
has shifted. We expect to be ready to move this bill very 
quickly, probably, within the next 2 to 3 weeks. If the 
comments come in as favorable as our verbal comments have been, 
we are aware of a few minor issues that we agree need to be 
clarified, but because of jurisdictional reasons, I don't think 
we are going to do that at the committee. We will probably do 
that on the floor or in conference when we go to conference 
with the Senate.
    So this is on the fast track, and we will hope to be 
marking this bill up in the very near future. And gentlemen, I 
wish to thank you and all of you--the interest groups that you 
represent for your attendance and your support for this bill.
    This hearing is adjourned.
    [Whereupon, at 12:07 p.m., the committee was adjourned.]
    [Additional material submitted for the record follows:]

              Prepared Statement of Webroot Software, Inc.
                      experts at combating spyware

    Webroot Software, Inc. appreciates the opportunity to provide 
written comments in conjunction with the Committee's hearing on H.R. 
29, the Spy Act.
    Webroot, a privately held company based in Boulder, Colorado, was 
founded in 1997 to provide computer users with privacy, protection and 
peace of mind. Today, Webroot provides innovative products and services 
for millions of users around the world, ranging from enterprises, 
Internet service providers, government agencies and higher education 
institutions, to small businesses and individuals.
    Webroot, maker of the award-winning Spy Sweeper, is the industry 
leader at combating spyware. Earlier this month, Webroot introduced the 
anti-spyware industry's first automated spyware research system. The 
new system, called Phileas, uses ``bots'' to continuously comb the Web, 
uncovering spyware, adware and other types of potentially unwanted 
software that are deeply embedded on web sites. One hour of automated 
research is the equivalent of approximately 80 hours of manual 
research. The bots visit millions of sites per day, identifying and 
archiving the HTML sources and URLs in Webroot's spyware definition 
database--the largest and most accurate catalog of spyware definitions. 
New definition updates are then developed by the Webroot Threat 
Research Team and distributed to Webroot customers, before their 
systems are infected by these programs.
    In the first production use of the system, it identified more than 
20,000 sites used to deploy spyware through drive-by downloads, as well 
as several new spyware variants. By February 2005, Webroot will deploy 
more than 100 bots online to track all forms of spyware and adware, 
with each bot visiting as many as 10 URLs per second, collectively 
visiting over 80 million URLs per day.

                   THE PROBLEM GROWS LARGER EVERY DAY

    These technological advances are vital to combating spyware, as the 
problem grows larger every day. Since the committee first began work on 
spyware legislation in Spring 2004, the incidents of spyware have 
mushroomed.
    Seven years ago, Webroot's detection list included about 200 pieces 
of spyware. By March 2003, the detection database included 700 pieces 
of spyware. Today, Webroot's database lists over 2,000 pieces of 
spyware, reflected in over 50,000 traces, and this number continues to 
rise rapidly. Most weeks, Webroot is finding over 250 new spyware 
programs, although only a minority of these are brand new, while the 
others are older versions with subtle changes made as an attempt to 
avoid detection. During 2004, EarthLink and Webroot collaborated to 
offer a free SpyAudit to EarthLink subscribers. From January 1, 2004 to 
September 27, 2004, more than three million scans were performed. The 
scans discovered approximately 83.4 million instances of spyware, for 
an average of 26 traces of spyware per SpyAudit scan. We will send the 
committee a copy of the 2004 year-end report once it is completed over 
the next week.
    Industry analyst organizations like IDC are reporting similar 
findings. IDC's December 2004 report, ``Worldwide Spyware 2004-2008 
Forecast and Analysis: Security and System Management Sharing 
Nightmares,'' includes these findings:

<bullet> IDC estimates that 67 percent of all computers have some form of 
        spyware, and in most cases, there are multiple spyware 
        programs, even hundreds.
<bullet> The impacts of spyware go beyond annoying pop-ups and can be a 
        serious drain on help desks and system management resources. 
        The report estimates that in 2003 one or two out of every 100 
        support calls made by consumers concerned spyware. At the end 
        of 2004, the estimate increased to two out of every five.
<bullet> Spyware is often a revenue source for legitimate corporations.
    While the Committee has done an excellent job over the past year of 
articulating the many risks spyware and adware pose to individual 
computer users, little attention to date has been paid to the even more 
serious threat these malicious and unwanted programs can pose to larger 
organizations. When we consider the kinds of trade secrets, 
confidential government information, personnel and other sensitive data 
that can reside on computers used by corporations, government agencies 
and organizations, the economic costs and security risks associated 
with spyware are exponentially greater.
    In the same IDC study mentioned above, they surveyed over 600 
organizations, and found that spyware was the fourth greatest threat to 
a company's enterprise network security.
    A survey of more than 275 IT managers and executives across the 
U.S. commissioned by Webroot in September, 2004 found some alarming 
results:

<bullet> Nearly 82 percent reported their desktops are currently infected with 
        spyware, with more than a third noticing an increase in spyware 
        infections in the previous six months.
<bullet> More than 70 percent of corporations expressed an increased concern 
        with spyware.
<bullet> However, less than 10 percent of businesses have implemented 
        commercially available anti-spyware software.
    Between October 7, 2004 and January 1, 2005, Webroot's free and 
voluntary Corporate SpyAudit scanned more than 23,000 systems across 
more than 5,100 companies, and discovered an average of 17 pieces of 
spyware per corporate desktop computer.
    A recent InformationWeek story entitled, ``Another Fight to Wage,'' 
provides further evidence of these trends. The story, just published on 
January 17, 2005, reports the results from a survey of 400 business-
technology professionals recently completed by its research department:

<bullet> Nearly 80 percent of respondents said their organizations have been 
        infiltrated in the last 12 months by spyware.
<bullet> Over 70 percent will spend somewhat or significantly more money to 
        manage spyware.
<bullet> Sixty percent will spend somewhat or significantly more money to 
        manage adware.

                         THE ROLE OF GOVERNMENT

    Webroot applauds the work of the Committee, your Senate 
counterparts and the Federal Trade Commission in publicizing the 
problems associated with spyware and other programs loaded on users' 
computers without their knowledge or informed consent.
    We realize this committee, in particular, has spent countless hours 
trying to develop legislative language that will help offer consumers a 
higher level of protection and motivate regulatory enforcement actions 
against spyware purveyors.
    The unfortunate reality is that there is no way to eradicate 
spyware through regulatory or enforcement means. The Internet is 
global, which makes establishing and enforcing legal standards very 
difficult. Just as large a challenge in this endeavor is the strong 
economic motivation that underlies the propagation of spyware and 
adware type programs, which is unlikely to be substantially diminished. 
As a further disincentive, we believe the bill should include criminal 
penalties, and we support the lack of a monetary cap in the enforcement 
section.
    Given the growing prevalence of the problem, we support the 
legislation as a clear statement that these acts are covered under the 
law. In particular, many attempt to argue that arcane statements in 
small print buried at the end of lengthy end user license agreements 
constitute the notice and consent of the user. This is clearly not the 
case. Our number one priority is to advocate for our customers and to 
empower users with information they can use to make educated decisions 
about what enters their computers (and thus, their homes, companies and 
lives.)
    To address this current problem, the bill sends a clear signal and 
sets a standard that deceptive practices cannot be used and that users 
must knowingly ``opt-in'' before software is loaded onto their 
computers. Along with these more stringent guidelines, increased 
awareness and public education about spyware is essential to 
effectively deal with the problem.
    The ``Good Samaritan'' provision that is included is very important 
to help assure that companies like Webroot continue to exist and 
provide users with tools to find what is on their machines, and a means 
to remove things that users determine they do not want.
    We also support the preemption provision of the bill. It is 
important that the law related to these practices be consistent 
throughout the U.S.
    There are a few places where we are concerned that the bill 
language might not adequately cover the current practices we see. We 
would be happy to share results of our ongoing research efforts with 
the committee, to ensure that you have the most current information 
about the technology being used to invade computers, track users' 
activities without their knowledge, and undermine system security and 
personal privacy.
    It is clearly going to take a combination of technology, public 
education, sound public policy and strong enforcement to address this 
problem. We are poised to offer any assistance the committee needs as 
you continue to work on this issue.

    [Graphics T9899.004 through T9899.018 accompanying the Webroot 
statement are omitted from this text version.]
