[Senate Hearing 109-406] [From the U.S. Government Printing Office] S. Hrg. 109-406 REGARDING SPYWARE ======================================================================= HEARING before the SUBCOMMITTEE ON TRADE, TOURISM, AND ECONOMIC DEVELOPMENT OF THE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION UNITED STATES SENATE ONE HUNDRED NINTH CONGRESS FIRST SESSION __________ OCTOBER 5, 2005 __________ Printed for the use of the Committee on Commerce, Science, and Transportation U.S. GOVERNMENT PRINTING OFFICE 27-822 WASHINGTON : 2006 _____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800 Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001 0SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION ONE HUNDRED NINTH CONGRESS FIRST SESSION TED STEVENS, Alaska, Chairman JOHN McCAIN, Arizona DANIEL K. INOUYE, Hawaii, Co- CONRAD BURNS, Montana Chairman TRENT LOTT, Mississippi JOHN D. ROCKEFELLER IV, West KAY BAILEY HUTCHISON, Texas Virginia OLYMPIA J. SNOWE, Maine JOHN F. KERRY, Massachusetts GORDON H. SMITH, Oregon BYRON L. DORGAN, North Dakota JOHN ENSIGN, Nevada BARBARA BOXER, California GEORGE ALLEN, Virginia BILL NELSON, Florida JOHN E. SUNUNU, New Hampshire MARIA CANTWELL, Washington JIM DeMint, South Carolina FRANK R. LAUTENBERG, New Jersey DAVID VITTER, Louisiana E. BENJAMIN NELSON, Nebraska MARK PRYOR, Arkansas Lisa J. Sutherland, Republican Staff Director Christine Drager Kurth, Republican Deputy Staff Director David Russell, Republican Chief Counsel Margaret L. Cummisky, Democratic Staff Director and Chief Counsel Samuel E. Whitehorn, Democratic Deputy Staff Director and General Counsel Lila Harper Helms, Democratic Policy Director ------ SUBCOMMITTEE ON TRADE, TOURISM, AND ECONOMIC DEVELOPMENT GORDON H. SMITH, Oregon, Chairman TED STEVENS, Alaska BYRON L. DORGAN, North Dakota, JOHN McCAIN, Arizona Ranking CONRAD BURNS, Montana DANIEL K. INOUYE, Hawaii JOHN ENSIGN, Nevada JOHN D. ROCKEFELLER IV, West GEORGE ALLEN, Virginia Virginia JOHN E. SUNUNU, New Hampshire JOHN F. KERRY, Massachusetts JIM DeMint, South Carolina MARIA CANTWELL, Washington DAVID VITTER, Louisiana FRANK R. LAUTENBERG, New Jersey BILL NELSON, Florida E. BENJAMIN NELSON, Nebraska MARK PRYOR, Arkansas C O N T E N T S ---------- Page Hearing held on October 5, 2005.................................. 1 Statement of Senator Allen....................................... 3 Statement of Senator Burns....................................... 3 Statement of Senator Bill Nelson................................. 2 Statement of Senator Smith....................................... 1 Witnesses Majoras, Hon. Deborah P., Chairman, Federal Trade Commission..... 5 Prepared statement........................................... 9 Appendix Response to Written Questions Submitted by Hon. Frank R. Lautenberg to Hon. Deborah P. Majoras.......................... 25 REGARDING SPYWARE ---------- WEDNESDAY, OCTOBER 5, 2005 U.S. Senate, Subcommittee on Trade, Tourism, and Economic Development, Committee on Commerce, Science, and Transportation, Washington, DC. The Subcommittee met, pursuant to notice, at 2:35 p.m. in room SD-562, Dirksen Senate Office Building, Hon. Gordon H. Smith, Chairman of the Subcommittee, presiding. OPENING STATEMENT OF HON. GORDON H. SMITH, U.S. SENATOR FROM OREGON Senator Smith. I want to thank my colleagues for being here, I know they share with me a deep interest and concern about the matter of spyware. I want to thank Chairman Majoras for rearranging her schedule to be here today. As Chairman of the Subcommittee on Trade, Tourism, and Economic Development, which has primary jurisdiction over the Federal Trade Commission and online-privacy issues, I have a deep interest as colleagues do in spyware and have continually worked on these issues to ensure protection of consumers and businesses. The FTC also has a responsibility to protect American consumers from all types of fraud and deception, including spyware. According to a recent survey by the National Cyber Security Alliance, 93 percent of people feel that spyware is a serious problem, and 61 percent believe that Congress should be doing more to combat the problem. Consumers have now downloaded free versions of the two most widely used anti-spyware programs over 45 million times. Although spyware has been used for many deceitful purposes, including theft of personal information, the technology behind it is being used also toward legitimate ends as well. I strongly believe that a total ban of an entire category of technology or product can have many unintended and serious consequences. If the definition of spyware becomes too broad, legislation adopted in haste might not take into account the evolution of future technologies, and in turn, it could stifle innovation. I believe we must limit the abusive and deceitful practices which are allowing industry the ability to build on and improve existing technologies. To that end, I introduced the U.S. SAFE WEB Act to expand the Federal Trade Commission's current authority to enforce existing laws and allow the agency to coordinate with foreign law enforcement officials to prosecute deceptive online activities. I have also co-sponsored legislation with Senator Allen to increase the FTC's current authority to enforce existing laws to prevent deceitful acts of spyware. We need to give the FTC the necessary tools to go after the individuals who are already violating current Federal law. We need to address the most egregious activities and behaviors online without placing unnecessary restrictions on the entire technology industry. Americans must be proactive in keeping our high-tech industry on the cutting edge in the world market. I believe that an appropriate balance can be found between limiting the illegitimate use of existing technologies and allowing for technology industry to grow, expand, and innovate. As we continue to address this issue, I look forward to working with all of my colleagues to confront this growing problem appropriately and in a timely manner. With that I'll go to Senator Nelson. STATEMENT OF HON. BILL NELSON, U.S. SENATOR FROM FLORIDA Senator Nelson. I'll go to praising you Senator Burns, because you and I have sponsored the bill to address spyware problems. Senator Burns. That's right. Senator Nelson. Everything that Senator Smith has said is accurate. Spyware invades our privacy, leads to identity theft, exposes children to pornography, aids corporate espionage, threatens E-Commerce, and it clearly has national security implications. And technology and the private marketplace haven't found a solution to stop spyware, so we now need a tough Federal law Mr. Chairman, that clearly defines illegal conduct and gives the government more tools to go after the spyware companies. And so Senator Burns and I are sponsoring this bill called the Spy Block Act, along with Senators Wyden, Snowe and Boxer. And last year we reported this bill out of the Committee on a unanimous vote. And it has one simple principle, empower consumers to decide for themselves what software is installed on their computers. Now Senator Allen and others have introduced another spyware bill, I think that one is a little narrow in scope but it has some very strong components. So what I want to do is, all of us to work together to merge the two approaches and get a spyware bill marked up, so we can get it moving. The House has already passed two such bills, but it continues to wait on the Senate to act. Thank you Mr. Chairman. Senator Smith. Thank you Senator Nelson, and I do look forward to working with you on this. I think we both share the belief that this is a security issue that is beyond just our individual victimization of spies and those who would invade our homes, but it also has national security implications. We simply have to work on how broad it is, so that we don't stifle the future, but that we protect people presently in our country as well. Senator Burns. STATEMENT OF HON. CONRAD BURNS, U.S. SENATOR FROM MONTANA Senator Burns. Thank you very much. And thank you Mr. Chairman, for taking the leadership on this hearing today. We had a hearing before, and with most of that hearing was with the folks in the industry and consumer groups. Today I think we'll get a chance to hear from the Federal Trade Commission, which is--and will continue to have, an important role in anti- spyware enforcement actions. So the two hearings are complementary in that respect, and will help us learn more about the problem of spyware. Also just a note, our technologies continue to grow, and the use of those technologies goes into many fields, especially in the area of electronic information and communications, with Voice over IP prominent now in the marketplace, national emergency numbers of 911 and how we apply those and protect those and the safety of 911 in emergency conditions are challenges that continue to grow for safety and security. And we must never lose sight of that. So we will continue to have problems in those areas. Spyware, as you know, is an increasingly dangerous threat to our everyday activities in cyberspace. As was the case with spam several years ago, I believe the solution lies in the right mix of technical solutions and tougher legislation. Both will be necessary to make a meaningful dent in the quantity and the types of malicious code that gets downloaded into the private computers of businesses and citizens without their consent. We also have to be careful not to throw out the baby with the bathwater, by making many ordinary and positive types of online business practices illegal. The area of adware in particular is an important gray area to keep an eye on: how exactly online advertisements are served up to users, and what kind of consent is most appropriate. Most adware models are good for cyberspace, because it is important to have a robust and responsive advertising component for online businesses, but when it comes to installing software on private computers, we have to make sure we don't allow some of the more unscrupulous players out there to spoil the field for all the good actors that are just trying to make cyberspace more efficient. So I thank the Chairman of the FTC for coming up today, and I look forward to how she responds to questions, and the information she can share with us, and again to Senator Smith for setting up today's hearing, because I think it's very appropriate, and it is something that we have to get these bills moving and we need something passed and on the President's desk before Christmastime. Senator Smith. Thank you Senator Burns. Senator Allen. STATEMENT OF HON. GEORGE ALLEN, U.S. SENATOR FROM VIRGINIA Senator Allen. Thank you Mr. Chairman, I especially want to thank you for calling today's hearing, and I thank Chairman Majoras for being with us today. And I enjoyed listening to my colleagues, and maybe there will be a way that we can work together on this issue. Because the spyware issue is one of great importance. Just to set the parameters here of what kind of a problem we have--according to the Pew Internet and American Life Project study in July of this year, in 2005 approximately 59 million American adults, nearly half of the Internet users, 43 percent say they have had spyware on their home computer. It's irritating. It is a dangerous approach which is negatively impacting consumers confidence and harming the Internet as a viable mode, or medium for communications and also electronic commerce. And none of us here want to allow this to continue. All of us can agree that under no circumstance is it acceptable to deceptively monitor a consumer's activities online. Unfortunately we do not all agree on how best to deal with this problem legislatively. Now in examining this offensive spyware issue, which causes so much aggravation and degrades computer performance, we need to encourage to the greatest extent possible, market driven technologies solutions, as well as strengthen the enforcement of existing laws. In my view, every legitimate business associated with the Internet has a very important interest in eliminating spyware. A recent Federal Trade Commission report suggested that the rapid technology advancements, and this is consistent with your comments, Mr. Chairman, that there are a lot of advances in technologies to combat spyware such as firewalls, filters, anti-spyware tools and improved Internet browsers and operating systems are all the time providing easy and more affordable protections to consumers, whether at their homes or at their place of business. I think that the Internet's viability is being challenged by this deceptive spyware though, and because of these fraudulent and deceptive installations of spyware programs being a concern, it is not a concern though whether this is legal or not; this already is illegal under Federal law, it's a violation of Federal law. Such as the Federal Trade Commission Act, and the Computer Fraud and Abuse Act. So I think Congress needs to focus its efforts on adequate resources and penalties to combat this criminal activity. I've determined that Federal officials, and we'll hear from the Chairman, believe that they already have adequate authority under existing statutes to prosecute spyware purveyors. Law enforcement is not stymied by the lack of Federal jurisdiction but rather a lack of overall resources. That's why my legislation, S. 1004 with the support of you Mr. Chairman, Senators Smith, Sununu, Ensign, and Enzi, provides Federal law enforcement officials with the resources and the tool necessary to increase the breadth and the strength of anti-spyware enforcement efforts. Our legislation strikes a careful balance that you talked about Mr. Chairman, between pursuing illegal wrongful behavior while not stifling or limiting technology, innovation or legitimate online transactions. Specifically, since spyware violators are not limited to state or national borders to perpetrate their illegal activity, our legislation sets a national standard. It doesn't matter what state you're in, or territory of the United States. There ought to be that national standard for the unfair and deceptive practices associated with spyware. Additionally, our legislation provides the FTC with the authority to share and coordinate information with foreign law enforcement officials to improve their ability to bring cases and prosecute international spyware purveyors, your separate bill, Mr. Chairman, this is just a component of our bill, but yours covers it as well. But lastly, our legislation addresses the most egregious activities and wrongful behavior conducted via spyware, by significantly increasing civil and criminal penalties including disgorgement. We need to ensure that law enforcement officials can get after the illegal gains of these criminals. You can fine them, but if they have any assets that are traceable to this illegal activity it is an enterprise on their part, and they're selling this information. And we ought to get after those ill gotten gains. I don't care what it is, bank accounts, yachts, art objects, whatever they've bought, we need to get after these enterprises as well as the criminal and civil fines. I believe again, that we need to find some market driven solutions, technology solutions that will ultimately solve this problem. I want to help the FTC have the resources they need to get after this criminal and illegal behavior, and I look forward Mr. Chairman to hearing from the Chairman of the FTC, but most importantly if there is a way, and I'm not sure there is, there are some just fundamental differences, but we need to act. The Senate a lot of the times is the last to act, but I think there's enough will here that I hope working with my good friend Senator Burns that we can hopefully find a common ground to have the Federal Government help the FTC do its job, set a national standard and get you the resources to get after this illegal behavior. And I thank you again Mr. Chairman. Senator Smith. Thank you very much Senator Allen. Madam Chairman, the mike is yours, we look forward to your testimony. STATEMENT OF HON. DEBORAH P. MAJORAS, CHAIRMAN, FEDERAL TRADE COMMISSION Ms. Majoras. Thank you very much Mr. Chairman, and Members of the Subcommittee, and good afternoon. The Federal Trade Commission appreciates this opportunity to provide the Commission's views on the serious problems that spyware is causing to consumers and the steps that the FTC has taken to address the problem. Although the views expressed in the written testimony present the views expressed of the Commission, my oral presentation and responses to questions are my own, and may not necessarily represent the views of the Commission. As the Subcommittee is aware, the Commission has a broad mandate to prohibit unfair competition, and unfair or deceptive practices in the marketplace. We have actively used this authority to address consumer problems on the Internet, including Internet fraud, privacy, spam and spyware. The term spyware can be difficult to define. It is ordinarily thought of as including programs such as keyloggers, that can copy information from consumers' computers, as well as some types of adware, software that monitors computers' surfing habits and then serves up pop-up advertisements. At the FTC, our focus is on spyware and other malware that is downloaded without authorization, and causes consumers harm. The consumer harm from spyware can range from the capture of sensitive personal information to degradation of computer performance, to the nuisance and distraction of popup ads. To address spyware, we implemented an active program, combining law enforcement and consumer education supplemented by our research. Much of the harmful conduct associated with spyware is already illegal. Indeed the FTC has brought several cases, and today is announcing it has filed another action, FTC versus Odysseus Marketing. In this case, we filed a complaint in Federal District Court in New Hampshire against Odysseus Marketing and its principal, Walter Rines, charging them with secretly installing spyware on consumers' computers. Our complaint alleges that the defendants deceptively market and distribute a bogus program called Kazanon, which defendants claim will make users anonymous when using peer-to- peer file-sharing programs. Not only does Kazanon not work as promised, which itself a violation of the FTC Act, but it also automatically installs a spyware program called Clientman on the users' computer. Clientman in turn automatically installs numerous adware and other programs on behalf of others. And this spyware, among other things, replaces or reformats Internet search engine results, generates pop-up ads, and captures and transmits information which may include personal information. Our complaint alleges that defendants have failed to disclose adequately that downloading Kazanon will install this spyware. In fact, the only place that Clientman's virtual takeover of the host computer is disclosed is in the end user license agreement, or as we call it the EULA. Consumers, however, do not need to view the EULA in order to download Kazanon, and even if they did they would have to wade through five paragraphs of dense text before they reached information even approaching the disclosure. We further allege that once Clientman is installed, consumers cannot remove Kazanon and Clientman from their computers through reasonable means. Programs do not appear on the desktop or in the start menu, and because they avoid being detected by the Microsoft Windows operating system, consumers cannot use Microsoft's default uninstall utilities to remove them. And defendants claim to provide an uninstall tool, but it doesn't work. In fact, we allege in the complaint that if you activate defendants' uninstall tool, typically that will result in having additional files being added to your computer. Now as we bring each spyware case, we learn more about the technology and tricks in the industry and we increase our ability to bring future cases. We've made spyware investigations and prosecutions an enforcement priority and we will file more law enforcement actions. There's no question however that attacking spyware is challenging. Given its surreptitious nature, it is often difficult to ascertain from whom, from where, and how spyware is disseminated. Many who distribute spyware are adept at hiding, covering their tracks, and evading responsibility. Further, consumer complaints about spyware are less likely to lead us directly to law enforcement targets than some other complaints. Consumers often do not know from where the spyware has come, or even that it was spyware that caused the problems to their computers in the first place. There are five additional points that the Commission believes are important to our continuing efforts to combat the dissemination of spyware. First, many spyware distributors and other Internet scam artists are located abroad, or mask their location by using foreign intermediaries to peddle their scams. A majority of spyware programs distributed to the United States consumers come from foreign distributors. In the FTC's investigations, staff finds that regardless of where the spyware distributors are physically located they are often using foreign Internet service providers, or web hosting companies, or domain registrars, which makes it difficult to crack down on who's ultimately responsible. Our ability to pursue distributors of spyware, and spam and other Internet threats would be significantly improved if Congress were pass the U.S. SAFE WEB Act. And Chairman Smith, we thank you for introducing S. 1608 which would give us that needed authority. Second, coordinated effort at the Federal and State level is essential. The Commission is continuing to cooperate with Federal and state partners, which now are bringing law enforcement actions against spyware distributors. At the Federal level, the Department of Justice is able to prosecute criminally those who distribute spyware in certain circumstances. And at the State level, state attorneys general are bringing civil law enforcement actions and both are critical complements to the FTC's actions. Third, an educated consumer is perhaps the best defense against online fraud and spyware. Over the last few months the FTC has taken a broader look at its educational materials and tactics related to cyber security, online privacy, and Internet fraud, and we've updated our messages and outreach strategies to better educate consumers about these important issues. Just last week the Commission launched a new consumer ed initiative, OnGuard Online. It has general information on online safety, as well as sections with specific information on a range of topics, including spyware, and with the Chairman's indulgence in a few moments we'll give you a quick demonstration of this new website. Fourth, the Commission believes that legislation granting the Commission authority to seek civil penalties against spyware distributors would be useful in deterring the dissemination of spyware. The Commission has the authority, as Senator Allen referred, to file actions against those engaged in conduct in Federal Court, and we have the authority to obtain injunctive relief, including monetary relief in the form of consumer redress, or disgorgement of ill gotten profits. But in some instances it may be difficult for us to prove the sort of financial harm that we would need to in order to get that sort of redress. A civil penalty is often then the most appropriate remedy in those cases, and we believe it could serve as a strong deterrent as well. And finally, as with any technology problem, the most comprehensive response may have to come from new technology. Technology is what got us here, and technology should be able to bring us out eventually. As in other areas like spam and data security, it is essential that industry continue to develop technology to assist their own customers in combating the threats of spyware and other malware. We know that ISPs and other industry members are developing responses to consumer concerns about spyware and we also are appreciative that they have provided the Commission with important assistance in our investigations. In conclusion, Mr. Chairman, I assure you that the FTC will continue to aggressively attack spyware with law enforcement actions and with innovative consumer education. And we look forward to working with the Committee on the problem of spyware. Now I look forward to answering any questions you have, but before we begin, if it's still all right with you, Mr. Chairman, I'd like to ask Nat Wood, who's our Assistant Director for Consumer and Business Education, to just give you a brief demonstration of our new OnGuardOnline.gov website, particularly as it relates to spyware. All right. What you're seeing before you is the result of team work. The FTC, a number of other Federal agencies, and the technology community have teamed up to create OnGuardOnline.gov, which is a new site to help computer users guard against Internet fraud, secure their computers and protect their personal information. We're encouraging companies and other organizations to help fight spyware, spam, identity theft and the like, by sharing the tips on this website with their employees, their customers, members and constituents. Interestingly, this website is branded independently of the FTC. We are not making it FTC materials, because we want any organization with an interest, whether it's government, business, consumer groups, whatever, to take this, make it their own and distribute it widely across our country. Indeed, we now have a lot of interest that's coming from other organizations around the world who would like to be able to use these materials. So just quickly looking at the home page, probably the most important part of this is the seven practices for safer computing. These are practices that we want consumers to be using regardless of what they're doing online. These are general tips. The site also contains a link on which consumers can click if they want to receive free e-mail alerts from the Department of Homeland Security on various threats to the online world. Then we have the ``Learn About'' section, in which consumers can click on various modules to learn about different threats and the like, so there you see we clicked on identity theft, there's one on phishing, we've done this in a flexible way, so that as new threats develop we can add them to the website. And then we have an ``About Us'' page, which if you click on that gives you, gives the consumer, a description of all of the various Federal agencies and other organizations that they can turn to for help with respect to their online problems. So going back to the modules, we'll just turn quickly to the spyware section, and what you can see if you click on this section, is first and foremost you get a quick tips section, which tells consumers very quickly what they should do, then below that we have a much longer article, so that if consumers want to read further about spyware, its dangers and what they can do about it, they have that there. We have a place for links and resources so that they can link to additional anti-spyware resources, including if they want to learn about what anti-spyware tools are available. And then we have a section that tells the consumer where to report spyware problems and, not surprisingly, the FTC is listed there. Then because we know and experts have told us, and we did a lot of consumer testing, and the like, we know the folks who spend a lot of time online like to be interactive online, so if they think they're experts we have a quiz. So you click on this to begin the quiz. You get a little bit of information about spyware and then the quiz goes on to ask various questions to educate the consumers. So this one says a pop-up ad appears on your computer screen offering an anti-spyware product, ``what's your best course of action? '' And then gives various answers, I would click on ``C'' which says ``close the window if you want spyware protection software, get it from a provider you know and trust.'' And that would be--I would then hear, ``Excellent choice. The scammers will have to get up pretty early in the morning to pull one over on you,'' and the quiz goes on. And obviously if you get the answer wrong we explain why, in fact that would be wrong, and give the better course. So this is--we will have quizzes on all of the modules very soon, and I'm also pleased to report that this is also available in Spanish. So thank you very much Mr. Chairman. [The prepared statement of Ms. Majoras follows:] Prepared Statement of Hon. Deborah P. Majoras, Chairman, Federal Trade Commission I. Introduction Mr. Chairman and Members of the Committee, the Federal Trade Commission (``Commission'' or ``FTC'') appreciates this opportunity to provide the Commission's views on ``spyware.'' \1\ Spyware is a serious and growing problem that is causing substantial harm to consumers and to the Internet as a medium of communication and commerce. Preventing spyware that causes such harms is a priority for the Commission. We welcome this chance to describe what the FTC is doing to try to protect consumers from these harms. --------------------------------------------------------------------------- \1\ The written statement presents the views of the Federal Trade Commission. Oral statements and responses to questions reflect the views of the speaker and do not necessarily reflect the views of the Commission or any other Commissioner. --------------------------------------------------------------------------- The Commission has a broad mandate to prevent unfair competition and unfair or deceptive acts or practices in the marketplace. Section 5 of the Federal Trade Commission Act gives the agency the authority to challenge acts and practices in or affecting commerce that are unfair or deceptive. \2\ The FTC's law enforcement activities against unfair or deceptive acts and practices are generally designed to promote informed consumer choice, because an informed consumer is an empowered consumer. --------------------------------------------------------------------------- \2\ 15 U.S.C. Sec. 45. --------------------------------------------------------------------------- Spyware and other ``malware'' that is downloaded without authorization can cause a range of problems for computer users, from nuisance adware that delivers pop-up ads, to software that causes sluggish computer performance, to keystroke loggers that capture sensitive information. As described below, the Commission has an active program to address concerns about spyware and other malware, including research, law enforcement and consumer education. In the past year, the Commission has initiated five law enforcement actions addressing spyware and malware, and has ongoing investigations. Moreover, as in other areas such as spam and data security, we believe that it is essential that industry continue to develop technology to assist its customers in combatting spyware. II. Spyware Law Enforcement One of the FTC's first steps in responding to the spyware problem was to educate ourselves in order to develop, implement, and advocate effective policies to respond to it. In 2004, the FTC sponsored a public workshop entitled ``Monitoring Software on Your PC: Spyware, Adware, and Other Software.'' The agency received almost 800 comments in connection with the workshop, and 34 representatives from the computer and software industries, trade associations, consumer advocacy groups and various governmental entities participated as panelists. In March 2005, the FTC released a staff report based on the information received in connection with the workshop. \3\ Notwithstanding significant challenges in defining ``spyware,'' \4\ the staff report recommended that the government should: (1) increase, using existing laws, criminal and civil prosecution of those who distribute spyware; and (2) increase efforts to educate consumers about the risks of spyware. The Commission is pleased to be able to describe today what we are doing to implement these recommendations. --------------------------------------------------------------------------- \3\ The workshop agenda, transcript, panelist presentations, and public comments received by the Commission are available at http:// www.ftc.gov/bcp/workshops/spyware/index.htm. The FTC Staff Report, Monitoring Software on Your PC: Spyware, Adware, and Other Software, released Mar. 2005, is available at http://www.ftc.gov/os/2005/03/ 050307spywarerpt.pdf. \4\ At the FTC workshop, there was ``broad agreement that spyware should be defined to include software installed without adequate consent from the user,'' yet there remained ``substantial differences of opinion as to what distributors must do to obtain such consent.'' See FTC Staff Report, supra note 3, at 4-5. In addition, there was agreement that ``to avoid inadvertently including software that is benign or beneficial, the term spyware should be limited to software that causes some harm to consumers,'' although there were ``substantial differences of opinion as to when software has caused the type and magnitude of harm to warrant being treated as spyware.'' Id. The FTC staff therefore concluded that ``these fundamental issues of consent and harm need to be resolved before any common definition of spyware can be developed.'' Id. at 5. --------------------------------------------------------------------------- The Commission's spyware law enforcement strategy focuses on three key questions. First, were consumers aware of the installation of the software on their computers? Second, what harm did the installation of the software cause? Third, how difficult was it for consumers to uninstall the software after it had been installed? A. Did Consumers Know? A common problem with spyware is that it is installed on consumers' computers without their knowledge. Some spyware distributors use so- called ``drive-by'' downloads to install their software on computers without even any pretense of obtaining consent. In FTC v. Seismic Entertainment, \5\ for example, the Commission alleged that the defendants exploited a known vulnerability in the Internet Explorer web browser to download spyware to users' computers without their knowledge. The FTC alleged that this was an unfair act or practice in violation of Section 5 of the FTC Act, and a Federal district court entered a preliminary injunction that prohibited the defendants from using this method to distribute their software. --------------------------------------------------------------------------- \5\ FTC v. Seismic Entertainment, Inc., No. 04-377-JD, 2004 U.S. Dist. LEXIS 22788 (D.N.H. Oct. 21, 2004). --------------------------------------------------------------------------- In other instances, software distributors may violate Section 5 of the FTC Act by failing to disclose clearly and conspicuously to consumers the software that is being installed. In FTC v. Odysseus Marketing, Inc., \6\ the defendants offered consumers a free software program that purported to make the consumers anonymous when using peer- to-peer file sharing programs. The Commission alleged, however, the distributors failed to disclose to consumers that this program, in turn, would install other, harmful software on their computers. The Commission recently filed a complaint in Federal court alleging that this failure to disclose was deceptive in violation of Section 5 of the FTC Act, and we are awaiting a ruling on our motion for a temporary restraining order. Similarly, in the Advertising.com, Inc. case, \7\ the respondents allegedly offered free security software, but failed to clearly and conspicuously disclose to consumers that bundled with it was software that traced consumers' Internet browsing and force-fed them pop-up advertising. The Commission recently issued a final consent order to resolve administrative complaint allegations that this failure to disclose was deceptive in violation of Section 5 of the FTC Act. --------------------------------------------------------------------------- \6\ FTC v. Odysseus Marketing, Inc., No. 05-CV-330 (D.N.H. filed Sept. 21, 2005). \7\ In the Matter of Advertising.com, FTC File No. 042 3196 (filed Sept. 12, 2005), available at http://www.ftc.gov/os/caselist/0423196/ 0423196.htm. --------------------------------------------------------------------------- The Commission's spyware law enforcement actions reaffirm the principle that consumers have the right to decide whether to install new software on their computers. Acts and practices that undermine their ability to make this choice will be vigorously prosecuted. B. Substantial Harm to Consumers As the Agency learned at the workshop, and through our enforcement actions and subsequent investigations, spyware can cause a broad range of injury to consumers. The harm from spyware may vary significantly in both type and severity. The allegations in the Seismic case describe a prime example of software causing several types of serious harm to consumers. The software allegedly changed the consumer's browser home page and default search engine, displayed an incessant stream of pop-up ads, and caused the user's computer to malfunction, slow down, or crash. But perhaps the most serious harm alleged was that the spyware secretly installed a number of additional software programs, including programs that could monitor Internet activity and capture personal information entered into online forms. Another example of serious harm to consumers allegedly caused by spyware arose in the Odysseus case. According to the Commission's complaint, the defendants surreptitiously install a spyware program called ``Clientman `' on the computers of consumers. Clientman, in turn, installs a number of adware and other programs. It also replaces or reformats Internet search engine results, generates pop-up ads, and captures and transmits information, which may include personal information. In the Advertising.com case, the Commission alleged that software bundled with free security software collected information about consumers, including the websites they visited, and then was used to send a substantial number of pop-up ads. Although the harm to an individual consumer from receiving such pop-ups ads may be less egregious than the harm in other FTC spyware cases to date, the harm to consumers in the aggregate from these pop-up ads was sufficient to warrant law enforcement action. The Commission alleged a violation of Section 5 of the FTC Act because the presence of bundled adware that collected information about consumers' computer use and led to numerous pop-up ads clearly would have been material to consumers in determining whether to install the free security software. As stated in the FTC staff spyware report, it is the combination of lack of knowledge and consumer harm that makes certain installation of software illegal under the FTC Act. \8\ --------------------------------------------------------------------------- \8\ See generally, FTC Staff Report, supra note 3, at 20-21. --------------------------------------------------------------------------- C. Uninstalling and Deleting Spyware Problems As described above, spyware often is installed without consumers' knowledge and causes consumers substantial harm. This type of installation should not occur, but once it has, consumers should be able to uninstall or disable such software. Unfortunately, the FTC's law enforcement experience and research shows that some software distributors take improper advantage of consumers' concerns about spyware and market bogus anti-spyware tools. In addition, in the FTC's experience, some spyware programs are difficult to identify and uninstall or disable. Many consumers who want to determine whether there is spyware on their personal computers acquire and run an anti-spyware program. An anti-spyware program usually identifies each software program that it concludes is spyware and then gives the consumer the option of deleting it. Some software distributors, however, take advantage of consumers looking for anti-spyware products by falsely representing to consumers that spyware resides on their computers and making false claims about the ability of their products to remove spyware. In two recent cases, FTC v. MaxTheater and FTC v. Trustsoft, \9\ the FTC alleged that the defendants made false claims to consumers about the existence of spyware on their machines. According to the FTC's complaint, the defendants then used these false claims to convince consumers to conduct free ``scans'' of their computers. These scans identified innocuous software as spyware, helping to persuade consumers to purchase defendants' spyware removal products at a cost of between $30 and $40. Moreover, the FTC alleged, the defendants claimed their spyware removal products could effectively uninstall many different types of known spyware programs, but the defendants' products did not perform as promised. The Commission filed actions alleging that the perpetrators of these scams violated Section 5 of the FTC Act, and the courts have entered preliminary injunctions in both cases that prohibit the claims. --------------------------------------------------------------------------- \9\ FTC v. MaxTheater, Inc., No. 05-CV-0069 (E.D. Wa. filed Mar. 7, 2005), available at http://www.ftc.gov/opa/2005/03/maxtheater.htm; FTC v. Trustsoft, Inc., No. H-05-1905 (S.D.Tex. filed May 31, 2005), available at http://www.ftc.gov/opa/2005/06/trustsoft.htm. --------------------------------------------------------------------------- Software falsely billed as an anti-spyware product certainly can make it difficult for consumers to identify and uninstall or disable spyware programs. Furthermore, even if consumers can identify spyware programs, some of them are particularly difficult to remove or disable. In the Odysseus case, the complaint alleged that consumers could not uninstall the software through any reasonable means, such as by using the standard ``Add/Remove'' program on the Microsoft Windows operating system. According to the Commission's complaint, although the defendants purport to provide instructions for uninstalling the program, those instructions are not only extremely difficult for consumers to find, they simply do not work. The complaint alleged that the defendants' failure to provide users with a reasonable means to locate and remove the program is an unfair act or practice in violation of Section 5 of the FTC Act. The FTC's law enforcement actions under Section 5 of the FTC Act have focused on preserving consumers' ability to decide what software programs to install and retain on their computers, and preventing substantial harm from software programs installed or remaining against the consumers' wishes. III. Additional Steps to Address Spyware Given the prevalence of spyware and the consumer harm it inflicts, the FTC has made spyware investigations and prosecutions an enforcement priority, and we will continue to file law enforcement actions against those who distribute spyware in violation of the FTC Act. The Commission would like to emphasize four additional measures that it believes would enhance its efforts to combat the dissemination of spyware. First, the FTC supports legislation that would enhance its ability to investigate and prosecute spyware distributors that are located abroad or who try to mask their location by using foreign intermediaries to peddle their scams. Webroot, a well-known anti- spyware product distributor, recently reported that a majority of spyware programs distributed to United States consumers come from foreign distributors. \10\ In the FTC's investigations, staff finds that, regardless of where spyware distributors are physically located, they often use foreign Internet service providers, web hosting companies, and domain registrars to create their websites, so that it is difficult for the agency to track down who is ultimately responsible. --------------------------------------------------------------------------- \10\ Webroot Software, Inc., State of Spyware Q2 2005, released Aug. 2005, at 26, available at http://www.webroot.com/land/ sosreport.php. --------------------------------------------------------------------------- The FTC's ability to pursue distributors of spyware, spam, and other Internet threats to consumers would be significantly improved if the Congress were to pass the U.S. SAFE WEB Act, introduced by Chairman Smith in the Senate as S. 1608. The Act makes it easier for the FTC to share information and otherwise cooperate with foreign law enforcement officials. The Internet knows no boundaries, and it is critical to improve the FTC's ability to work with the officials of other countries to prevent online conduct that undermines consumer confidence in the Internet as a medium of communication and commerce. Second, the Commission will continue to coordinate with its Federal and state partners who are starting to bring their own law enforcement actions against spyware distributors to make law enforcement as effective as possible. At the Federal level, the Department of Justice is able to prosecute criminally those who distribute spyware in certain circumstances. In August 2005, for instance, the Department announced the indictments of the creator and marketer of a spyware program called ``Loverspy `' and four others who used the program to break into computers and illegally intercept the electronic communications of others. \11\ At the state level, state attorneys general are bringing civil law enforcement actions. Federal criminal and state law enforcement actions are a critical complement to the FTC's law enforcement actions. --------------------------------------------------------------------------- \11\ Press Release, Department of Justice, Office of the United States Attorney, Southern District of California Carol C. Lam, News Release Summary (Aug. 26, 2005), available at http://www.usdoj.gov/usao/cas/pr/cas50826.1.pdf. --------------------------------------------------------------------------- Third, the FTC and others need to continue to play an active role in educating consumers about the risks of spyware and anti-spyware tools. The FTC has issued a Consumer Alert specifically on spyware, as well as four other Alerts addressing other online security issues such as viruses and peer-to-peer file sharing. The Spyware Alert lists clues that indicate spyware may have been installed and also discusses measures consumers can take to get rid of spyware or to reduce their chances of getting spyware in the first place. The Spyware Alert has been accessed over 100,000 times since it was released in October 2004, and the tips it includes have been repeated in dozens of print and broadcast media stories. And, just last week, the Commission launched a new consumer education initiative, OnGuard Online. Over the past few months, the FTC staff has taken a broader look at its education materials and tactics related to cybersecurity, online privacy, and Internet fraud, and updated its messages and outreach strategies to better educate computer users about these important issues. The FTC's new website-- OnGuardOnline.gov--has general information on online safety, as well as sections with specific information on a range of topics, including spyware. This structure allows us to add to the site as new topics arise. The spyware module includes up-to-date information, as well as interactive features like quizzes and videos. The FTC has also printed a million copies of a brochure, ``Stop Think Click: 7 Practices for Safer Computing,'' with information on spyware and other computer safety topics. The site and the brochure have information on various technologies, but the agency is also emphasizing behavioral changes that computer users can make to stay safe online--for example ``protect your personal information,'' and ``know who you're dealing with.'' By taking this approach, the FTC can ensure that the tips remain relevant even as technology evolves. Our partners in the OnGuard Online initiative include: the Department of Homeland Security, the U.S. Postal Inspection Service, the Department of Commerce, Technology Administration, the Internet Education Foundation, the National Cyber Security Alliance, the Anti- Phishing Working Group, TRUSTe, iSafe, AARP, the National Consumers League, and the Better Business Bureaus. In an effort to ensure maximum distribution of these materials, we have not branded them as our own. Instead, we are encouraging any organization interested in computer security to link to OnGuardOnline.gov, distribute our free brochure, or reprint the OnGuard Online materials. Fourth and finally, the Commission believes that legislation granting the Commission authority to seek civil penalties against spyware distributors may be useful in deterring the dissemination of spyware. As described above, the Commission has challenged conduct related to spyware dissemination as unfair or deceptive acts or practices in violation of Section 5 of the FTC Act. Under Section 13(b) of the FTC Act, the Commission has the authority to file actions against those engaged in this conduct in Federal district court and obtain injunctive relief, including monetary relief in the form of consumer redress or disgorgement of ill-gotten profits. However, it may be difficult in some instances for the FTC to prove the sort of financial harm to consumers needed to order consumer redress, or the ill-gotten gains necessary to order disgorgement. A civil penalty is often the most appropriate remedy in such cases, and serves as a strong deterrent. IV. Technological Solutions Reducing the problems associated with spyware and other malware will require the efforts of government, consumers, and industry acting both individually and in concert. As in other high-technology areas, the best and most comprehensive responses to misuse of technology will often be improved technology. At this time there are certain technologies consumers can use to help protect themselves, but none is completely effective and further developments are needed to enhance security. The primary technological tools that consumers can use right now to protect themselves from spyware are detection programs. These programs can scan consumers' computers, inform them whether there is spyware, and offer them the option of disabling it, deleting it, or leaving it alone. To be effective, however, these programs must be updated on a regular basis. In addition, they are inherently variable depending on what they classify as ``spyware.'' Furthermore, they only detect spyware once it has been installed; they do not prevent its installation. Some Internet service providers have made spyware scanners and removers available to their subscribers. Firewalls also provide some protection from spyware, but, like scanners, they do not prevent spyware from being installed. Rather, they alert consumers if installed spyware attempts to send out information it has collected. Other technological solutions at the browser and operating system level are being developed. The Commission's experience in other technological areas suggests that market forces will provide the high- tech industry with incentives to develop technological solutions, although it is not clear exactly what that technology will be or when it will be available. V. Conclusion The FTC will continue to execute aggressive law enforcement and innovative consumer education programs in the spyware arena. The FTC thanks this Committee for focusing attention on this important issue, and for giving me an opportunity to discuss the Commission's enforcement program. The Commission looks forward to working with the Committee on the problem of spyware. Senator Smith. Thank you Ms. Majoras. I assume from your testimony that the FTC could use some more authority, because it supports the Allen bill that I've introduced with him. Is that accurate, you could use some more authority to do more rulemaking on this issue? Ms. Majoras. Well, we could, as you and Senator Allen have pointed out, we do believe that we have legal authority to attack spyware and we've already done it in five different cases, but we would like additional authority to work with our counterparts overseas, we think that's absolutely critical and we think we really could use civil penalty authority to assist us in bringing actions and remedying them. Senator Smith. And how about more resources? If you had your druthers would you be getting more authority or more resources to prosecute cases? Ms. Majoras. That's always a tough question whether we need more resources. We work very hard on the budget process with Congress to get whatever resources we think we're going to need for the year. It's tough for me to turn down more resources if they're being offered. But I don't think--resources have been less a problem than I think, folks are concerned about the bigger problem, which has been finding the folks who are distributing the spyware and then being able to serve them. They obviously can hide behind the Internet, they can skip town, they can skip the country, they go to other countries and hide, and that has actually been the biggest problem. We are using our resources as wisely as we can. We are squeezing every bit we can out of every dollar, and our anti-spyware program is part of the larger program that includes spam, and Internet fraud, on which we're devoting substantial resources. Senator Smith. What percentage would be coming into our country from abroad, and what percentage starts here in the United States? Ms. Majoras. We don't have exact percentages, it's very hard to tell. But certainly we think a great majority of spyware is either coming in from outside the United States, or is making use of a foreign intermediary in some way to attack consumers in the United States. Senator Smith. And in the global economy in which we live, you need more authority to deal with the international component, I think that has been very clearly demonstrated. Senator Nelson. Senator Bill Nelson. Good afternoon Madam Chairman. Tell me if you agree with the following statement of principles, that software should not be installed without a consumers knowledge and consent. Ms. Majoras. If it harms consumers, I do agree with that. Senator Bill Nelson. Consumers should know who is installing the software on their computer. Ms. Majoras. Generally, yes. Senator Bill Nelson. Consumers should have the ability to completely remove software from their computers. Ms. Majoras. Again, most of it, yes. Senator Bill Nelson. If software is going to collect information about a consumer, the software should inform the consumer first. Ms. Majoras. Generally yes. Senator Bill Nelson. If software is going to cause ads to appear it should make clear what is causing the ads. Ms. Majoras. That one is a little bit trickier, we have taken that on a case-by-case basis. Senator Bill Nelson. In your testimony, we're going to-- you've addressed it and we've got to confront the question of preemption. Do you think that it's important to preserve general state consumer protection laws as potential state-level tools against software? Ms. Majoras. We do. In almost any context, we support allowing the state attorneys general to continue to enforce their consumer protection statutes. Having said that, there are certainly instances in which businesses really need consistent--if businesses are going to get guidance, we all benefit if it's consistent across the Nation. Senator Bill Nelson. Do you think it would be helpful to have some baseline standards for what kind of behavior is acceptable, what disclosures should be given to consumers, and a statement of the right to uninstall software? Ms. Majoras. Well, with respect to disclosures, the FTC has provided general guidance to companies for a number of years in the form of something we call Dot Com Disclosures, so we've already provided some general guidance. Our only concern about making the guidance too specific Senator Nelson, is that the landscape keeps changing and those who insist on perpetrating fraud and harming consumers find new ways to do it. And so the concern with being too specific about what is permitted and what isn't, not only is you have to get the words exactly right, so that you don't prevent what should be legal conduct, but also we have to worry about the future, and we don't want to bring a case, and only to be told, well, because that particular practice wasn't specifically listed in the piece of legislation, therefore the FTC cannot attack it. Senator Bill Nelson. I understand. I'm talking about more baseline standards, on behaviors, on disclosures, and on the right to uninstall. Ms. Majoras. We think the FTC has put a lot of that out there, but yes, there's no question that business can always use guidance, and those businesses who actually have an interest in complying with the law. Senator Bill Nelson. And give us your opinion about the basic right of a consumer to have the ability to remove software from his or her computer? Ms. Majoras. Well, we've actually brought cases in which we have alleged violations of the FTC Act because consumers do not have that right, including the case that I mentioned earlier today, Odysseus Marketing. So we do think it is a violation if software is downloaded to a consumer's computer that is causing some harm, and the consumer cannot find a reasonable means to remove it. Senator Bill Nelson. Thank you. Senator Smith. Senator Burns. Senator Burns. Madam Chairman, thank you again for coming today. You're probably aware that there are several industry groups working on definitions of spyware. It always seems like when we get into these kind of situations we all define the same thing in different ways and usually definitions are what lawyers make a living at, and enforcement becomes more difficult. To what degree, do you think the FTC can work with these industry groups, and to get efforts underway and do you think it is important that we have a public rulemaking process? We all say awareness is everything, and a public process in which we make the rules and then we define the terms. What's your attitude toward a situation like that? Ms. Majoras. Well, I certainly think that working together with industry is critical in attacking spyware and obviously if legislation is being considered it's critical because these folks are the experts. And they can tell us, not only explain to us not only what's out there today, but they're also thinking several steps ahead. And that can be very important if we're trying to put in place rules that are going to work on a going forward basis. So I think that can be very important. One thing I would caution against though is I know that many in industry have been anxious to really come up with the definition of spyware. And I think part of the reason why it's been difficult to come up with a definition that everyone can agree on is again, because we have a bit of a moving target. And so what we've tried to do at the FTC is we're really looking at two things: whether the software has been downloaded without the consumer's permission, and causes some substantial harm to the consumer; that is really what we've been operating under. Call it spyware, call it adware, call it malware, that is what we have been looking at when we bring a case. Senator Burns. And also on the awareness, that same thing, now you've got some proceedings going on for consumers. Can you tell us how those proceedings are going, were there fines levied where if individual consumers, their computers were hurt, or crashed, did they get compensated, their computers back up and running again, or new hard drive, or whatever. Did they get their money back on their software of whatever, can you give us some kind of an idea of the results you've had in these proceedings? Ms. Majoras. Yes Senator, we've brought five cases since last October, both the first case, and the last case we brought are still in litigation. In the first case we brought we were able to get a preliminary injunction against the conduct and that was a case in which we alleged in the complaint that in fact, yes, the purveyor of the spyware hijacked the consumers' computers and changed their settings and the like, changed their home pages, and downloaded personal information. That case is still in litigation, similarly obviously we've just announced the case we filed last week, in which spyware was downloaded without consumers' permission and again, essentially in this case what we allege in the complaint is that it has taken over the consumer's computer. That's still in litigation. We've brought a couple of cases against those who claim that they're selling an anti-spyware solution, when in fact it's a solution that doesn't work, and so in those two instances both of those respondents did settle those cases with us, and we were able to get some consumer redress, if I recall correctly. And we brought one additional case in which the respondent advertised a free download of security software. But then didn't tell consumers that if they downloaded this free security software they would also get adware attached to their computer, so then they would be barraged with pop-up ads and the like and that case also settled. Senator Burns. In other words they used the spy block technology to implant their own adware stuff without telling the customers, is that correct? Ms. Majoras. I'm not sure which technology they used, but without sufficient disclosure to the consumer they did download adware to the computer. Senator Burns. Now since these proceedings have been filed and you've been in them, are there any surprises about--do you have resources to take the case to final? Ms. Majoras. We do have resources I think to take these cases to final. The biggest surprises probably have been-- really probably came in the beginning. We started trying to figure out a way how we were going to investigate these cases and we infected two of our own computers so badly with spyware that they couldn't be used anymore and so we learned a lot. And so one of the things we've done during this time period as we've been bringing these cases is, we've bought some new computers, some new software, and some new hardware to assist us in going forward. As I said, we're learning as we go through this. Senator Burns. Well, I thank you for your work. And I don't think there's a person up here today that doesn't want to get you some legislation and empower with you a little more power than you have now, because I think you're on the right track. And also the differences that we have, we'll get those worked out and I would hope that we could have something on the President's desk and for you to look at pretty quickly. So thank you for your testimony. I read your testimony, and I concur in a lot of the subjects that you brought up there, so thank you for coming today. Mr. Chairman, thank you. Senator Smith. Thank you Senator Burns. Senator Allen. Senator Allen. Thank you Mr. Chairman, four different things, trying to get some clarification here. One is authority, second is resources, third is penalties, and fourth is what jurisdiction or standards we should be applying. Insofar as authority, and I'll ask you some questions, it seems like you have all the authority you need. Resources, you say you don't need more, but you--then on authority, the area that you need it more in, is not necessarily domestic but international. Resources you say you have enough, penalties, you need stronger penalties, particularly civil penalty standards. The question is whether you have 50 or 40 different standards, or a standard for all the United States and its territories. Now has there ever been a situation where the FTC could not bring a case because you don't have sufficient authority under existing laws, other than, aside from the U.S. SAFE WEB Act, which is incorporated in part, and this is Senator Smith's measure. Is there any new authority that the FTC needs if you find in other words that somebody regardless of what their doing, if it's fraudulent and deceptive you can prosecute them, if it is misleading, if it is false and so forth. Has there ever been a situation where you didn't have the legal authority to prosecute within the United States? Ms. Majoras. With respect to spyware, I'm not aware of any, no. Senator Allen. So you feel that other than internationally, but within these orders of the United States, and our territories, you feel the FTC has the authority regardless of what the technology or method of deception is utilized? Ms. Majoras. Well, we've successfully brought cases, we've got more in the pipeline. So that's correct. Other than what I've said about civil penalty authority, yes. Senator Allen. What you do want is you want more civil authority. Civil penalties, I guess you could call that authority as well. Ms. Majoras. We think that could be very helpful. Senator Allen. And that's included in the measure the Chairman and I have introduced. Now if the Congress codified prescriptive definitions of illegal behavior that are specific to current technology, could we run the risk that this law could be obsolete as new technology continues to develop. In other words by defining a specific illegal behavior, are we creating loopholes for spyware purveyors who figure out ways to get around the law? Ms. Majoras. Well, that is possible. I mean, obviously Section 5 of the FTC Act would still be in effect, so we would hope that there was something that [inaudible] cracks, but we'd be able to use our broad authority to go after them. But what we wouldn't want is for a court to say, well it's not on the list, so therefore, sorry FTC, you can't go after them. That's really our only reservation. Senator Allen. Because in effect, you could end up with a safe harbor for those using these fraudulent deceptive practices if they're not on that list, the court could say, well they're not on the list, so therefore you cannot prosecute. Ms. Majoras. It's possible, we can't say for sure that's how a court would interpret it. Senator Allen. Now so far, on the issue of jurisdiction, in the standard, so far 18 states have enacted legislation regarding spyware and many new laws are pending in several states. Since spyware, clearly by its nature is national, in fact it's international in its scope. Do you agree that a national framework is necessary to ensure a patchwork of state laws do not unnecessarily confuse and burden consumers and legitimate software providers? Ms. Majoras. I think it's possible, depending on the differences among the various state laws that--probably consumers, less so--but that those who are actually trying to comply with the law. I mean they simply can't in the Internet context comply with multiple standards. I mean basically they would have to figure out what the highest standard is, I believe, and then comply with that one. And so--and if that weren't the Federal, if there are Federal standards, and that ends up not being the highest one, then I suppose whichever state had the highest standard would become the de facto standard for the Nation. Senator Allen. Well, for your enforcement would it not be best to have a--the best standard, the strongest standard, the most effective standard that's set for the Nation by the Federal Government and Congress? Ms. Majoras. Well, I think a consistent standard would help all of us. And the fact of the matter is the state attorneys general are critical partners to us in this fight, but if we're all singing from the same hymn book sort of speak, I think we can be very effective. Senator Allen. Well, our measure does have the attorneys general of the states involved, with a national standard, but have them helping enforce it, because in some cases the Federal Government can't do it all. Ms. Majoras. That's exactly right. We would want the states to absolutely have authority. Senator Allen. All right. Now on the questions of notice, and the notice and consent regime. According to this July 2005 Pew Internet and American Life Project, 73 percent they found according to them, 73 percent of Internet users do not always read user agreements, privacy statements, or other disclaimers, before downloading, or installing programs. There are some of us who will click through things real quickly because you want to read something. In fact, one study of a user agreement included a clause that promised $1,000 to the first person to write in and request that $1,000. The agreement was downloaded more than 3,000 times before somebody finally read the fine print and claimed the reward. Now do you believe that subjecting the entire software industry to a new notice and consent regime will help combat spyware? Ms. Majoras. Overall, no, I don't think that would be the most effective tool. Our experience, while I don't have statistics, comports very closely with the conclusion of that survey. And that is, for better or for worse, consumers don't read these disclosures, and the more they are bombarded with similar disclosures, the less likely they are to read them. And what our concern has been is that we could have a spyware distributor who is distributing spyware that is very, very harmful to consumers, but then can just say, well I disclosed it to consumers that this is what I was going to do, so too bad for them. And while that has, no question, sensational appeal, because none of us want to be extraordinarily paternalistic to American consumers. When we know that they don't read these disclosures when they're downloading software, it makes it hard to say that's what we think would truly, would truly protect consumers. What we're doing in our casework, is looking at disclosures on a case-by-case basis to see if we think they're adequate. Senator Allen. Thank you, Mr. Chairman. Senator Smith. Thank you, Senator Allen. Senator Allen. Thank you, Madam Chairman. Senator Smith. To Senator Allen's point and your answer, that you today announced the Odysseus case that you're pursuing, and is this not a company that offers through peer- to-peer enticements to children, free music and other things that they readily go past the disclosures to get what's free, but in the end it's maybe very promotional, and a very degrading thing? Ms. Majoras. It's similar, they were working in the peer- to-peer realm. And the representation they made was that by downloading their software, your peer-to-peer presence would be anonymous and no one would be able to trace you. That, we alleged, isn't true. And then, in addition, they've downloaded a lot of other software, which in essence as we say in the complaint, just to summarize it here, hijacks the consumer's computer. Senator Smith. Isn't that already illegal? Ms. Majoras. Yes. We've filed a suit under Section 5 of the FTC Act. Senator Smith. Do you think you'll win, if it's already illegal? Because I want to make sure it's illegal. [Laughter.] Ms. Majoras. Well, I certainly understand that Senator, and I can't--I couldn't tell you that nobody would ever challenge our authority or that a judge would never--you know could never find that we didn't have such authority, but it's not been a problem to date. And we feel that this isn't a close call under Section 5 of the FTC Act and so we brought the case. Senator Smith. So the people who are maybe here, or interested in it. I understand that the software actually changes your search results that consumers get from search engines, like Google and Yahoo, and that this is done without the consumers knowledge. Ms. Majoras. That's exactly right. I mean we don't think that they have a way necessarily of knowing. So as you know it's important to some, to be the first in a Google search results, or what have you, and this apparently can change the results around, but again, no, the consumers wouldn't necessarily know that was even happening to them. Senator Smith. Well, if you find out it isn't illegal, let us know. Ms. Majoras. You would be the first call we would make. Senator Smith. I mean our bill does address this very kind of thing. And so you know, that's why we keep asking you if you need any more resources, do you need more authorities? Because this really gets to the heart of what we're trying to accomplish for the protection of American consumers without stifling innovation in future technologies. Do you see a way? I mean you've heard all of us up here, all agreeing there's a problem we want to fix, and the difference and the difficulty is in the breadth of how we would go about it. I guess as you evaluate the two different bills that are represented here, is there a way to merge them in your mind? Ms. Majoras. Well, I think there's probably, there probably is a way to bring it together and one--I mean if we could classify them, your bill restates the FTC's authority to attack software, but in a more general way. The other bill tries to be a bit more specific about it. And I would just caution that if specifics are going to be added to any legislation that becomes law that it is made absolutely clear that other types of conduct may also be illegal, within this same family and that the FTC's authority is not being narrowed by this. Senator Smith. And if we leave it broad, to the degree you need to make it narrower, do you have rulemaking authorities to make it narrower? Ms. Majoras. Well, we would have rulemaking authority if you gave it to us, if it was needed. The one area where I think it's difficult to reconcile is with respect to notice. Which again I agree has very--has facial appeal, it does to me too, but I just don't--our experience is it doesn't actually protect consumers. And since that's our job, it's hard for me to support that. Senator Smith. And there's a lot of advertising that is actually promoting very valuable things, and useful products and we don't want to get in the way of that. Ms. Majoras. No. No, we don't want to get in the way of it, and in fact there may be First Amendment issues if we tried to go too far. Senator Smith. As I understand the U.S. SAFE WEB Act which you have indicated your support for, its provisions are really not all that new or unusual, there are other agencies in the government that already have these powers, is that your understanding? Ms. Majoras. Absolutely. The SEC, the CFTC, and banking agencies. Senator Smith. You need them too? Ms. Majoras. We do, I can't emphasize it enough Chairman Smith. Senator Smith. Well, Chairwoman Majoras, thank you very much. Yes, please. Senator Allen. My time has expired but may ask some questions. Senator Smith. Yes, please go ahead. Senator Allen. I just want to follow up on your good probative questions. Your caution trying to figure these things out, several things that you asked for, you asked for the international authority, the U.S. SAFE WEB Act, that's part of our measure, it is not part of Senator Burns' measures. So that was one thing where you wanted regular authority. That probably can be merged together. We do have a fundamental difference on the jurisdiction and how you define illegal behavior, which right now is very broad. If it's fraudulent or deceptive, if it's misleading, you know, it's illegal which is what you'd want. You could limit yourself by prosecutorial discretion I suppose, and in a court the trier of fact would say, well no that isn't deceptive. As opposed to specifying a bunch of different specific illegal methods, which could end up with a safe harbor if it's not on that list. And maybe the solution to that, is to say well these are illegal but they are not the only ones that are illegal. Anything is, but then the other side feels like all right, we've at least specified these. I suppose that could be worked out. The notice issue is one that I do think is irreconcilable. Because as I was--there was a reason I asked that question, and why some 3,000 hits are getting $3,000. Folks just simply don't read it, they don't have time for it. Even looking on this--who's going to go through--now I think it's helpful for those in the IT departments of companies, somebody's going through all that, and seeing which are good spyware blocker programs. But a normal person in their home is just generally not going to go through all that. So there does need to be a better business bureau approach. And I see that's what that is. Now you get into the issue of jurisdiction. That's a key one as to whether you have a national standard, or 50 or 40 different states standards. I think to make companies to have to comply with 40 different standards, and maybe different nuances and different case law and all the rest makes it very difficult. To me that is not irreconcilable difference. Now I think it's important to respect the rights, and prerogatives of the states, and prosecution and that's why in our measure we do have the attorneys general brought in. You wanted also the civil fines, which will be helpful. The one thing I find interesting though was your answer on the question of, you don't need any more resources. Here's my perspective of that. Is that this is so pervasive and you have nearly 50 percent of all computers being hit with this spyware, and it's great that you've brought these big cases, and you've knocked down organizations, spyware organizations and you say how difficult it is to prosecute and find these people, well if you're dealing with normal criminal behavior and you have a certain amount of resources, if you actually had more detectives so to speak, more investigators, more funds if there were drug dealing for undercover agents, or making drug buys, or--those resources do matter in combating illegal drug activity. So I find it interesting that you say that you don't need any more resources when this is such a big pervasive problem of this fraudulent and deceptive activity. If you have the civil penalties and I don't know the answer to this, but where do the fines, if fines are--does that go to the general fund, or does that go--would that go to further law enforcement efforts? Ms. Majoras. I believe it goes to the general fund, yes. It goes into the Treasury. It goes into the Treasury. Senator Allen. All right. In drug dealing, with asset forfeiture, for those assets that are traceable to illegal drug dealing, that actually goes Mr. Chairman to law enforcement so that they use it for undercover drug buys, paying overtime, surveillance costs, sometimes paying informants for example, it's like catching the shark and cutting it up for bait. Use the assets to catch more sharks. Why do you say that you don't need more resources with--and maybe this is what the Administration wants you to say and I understand that, having been a Governor, I expected all my agency heads to tow the line. But with something that is so pervasive, and obviously of bipartisan concern, and not just us, but obviously to the American people and to the technology community generally and the Internet, why would it not be helpful for you to have more personnel to actually get after this obviously growing, disruptive, illegal behavior? Ms. Majoras. Well, I appreciate the question and, no, Senator, nobody's asked me to tow any line on this. You know we've actually been very pleased. We think as other agencies have been cut back in the last couple of years, as some belts have been tightened, we think that Congress has been very generous with us, which we appreciate and that they recognize the importance of our work. Look, if you give us more resources, we'll---- Senator Allen. What would you do with them? Ms. Majoras.--certainly use them. Well, probably one of the things I would do, is I would hire some more tech experts, who can help us with some of the difficulties in actually hunting down these folks, or in helping us find ways to push industry in the right direction. Because I do think that ultimately technology will--is what will help us prevail. So I think we can. But the only issue I would say with respect to having a very large amount of new funds, which are actually earmarked for a particular purpose, is that what tends to happen is then if priorities shift and change, because for example new spyware tools come out and that tends to be less a problem, and the bad guys, if you will, have moved on to something else, then we have to come back to you and say, look we have this pot of money, which you wanted us to use for this purpose, but quite frankly priorities have changed, and they would have even changed for you. And so that's part of something that we obviously would have to work with you on, Senator. But obviously our job is to enforce the laws that Congress passes and to take our lead from consumers first, and obviously you are the elected representatives who represent them. So if you want us to have more resources to send the message to us that I've got to put more investigators on this, then obviously we will do that. Senator Allen. Well, in the event you actually solve this problem quickly, obviously appropriations are annual. Even if appropriations actually get done in a timely manner, I suspect that the fines and forfeitures that you will glean from these added--not that the law enforcement is simply to gain money for the government, but I suspect with greater enforcement not only will you have the Internet being more useful and less aggravating and less--fewer computers shut down because they're clogged up with all of this spyware, is that you'll actually end up getting more fines and forfeitures, and assets seized than that $10 million over the period of this measure. And if you didn't need the money, you can always say, we need it more for something else. But I don't see this getting solved in the next few years. I think it could be ameliorated, I think it could be mitigated, but this is--it's too lucrative a business, illegal enterprise right now, and to the extent you drive it out of this country, you're still going to have it overseas, and that's why the U.S. SAFE WEB Act is so important and have the international community caring as much about this as we try to get the international community to care about intellectual property rights for example. Ms. Majoras. That's right. Senator Allen. To the extent you ever get it to that point, fine, we'll save some money there. And you're doing a great job, and you've had some good noteworthy cases, but you also recognize that it's just the tip of the iceberg in this illegal spyware enterprise. Ms. Majoras. Indeed, not only do we recognize it, but we would hate to raise expectations way too high, because we're going to keep at this. I mean, you know, we talk all the time about how the worst thing that could happen to us would be for our consumers to just simply lose faith in this wonderful new medium that we have that is the Internet. And we can't let that happen, and we have to--we really have to guard and protect consumer's confidence in it. So we're going to keep at it. But I point out the difficulties in tracking these folks down and so forth, only to remind us again that it won't be just law enforcement that's going to tackle this problem, we need new technology. And the good news is, that if we do get these additional international resources, we can leverage that. We spend a lot of resources trying to chase down people in countries where we're trying to hire lawyers who know what they're doing over there when we don't, and so on and so forth, and we could use our counterparts and vice versa, then we will be actually a lot more efficient even in our use of resources. So I appreciate your point Senator Allen. Senator Allen. Well, thank you. And thank you, Mr. Chairman, just understand Madam Chairman that the Chairman here and this Senator want to work with you and do this effectively. And we do feel that you need out of jurisdiction as you say, or added authority. And I do feel that you do need more resources to get the job done, and it shouldn't just be the government, it does need to be the technology industry. They are the ones who are the most creative in coming up with the firewalls, and the filters, and the ways to block unwanted spyware, or illegal spyware. There is some spyware which has--and you were very clever answering those questions of Senator Nelson. But you know in some cases it's not harmful, it's not deceptive and so forth. I do think it's going to take a concerted team effort on the part of the technology community and actually probably can--I just have faith in their innovative, creative capabilities to make sure the Internet stays a great invention for the dissemination of information and ideas, and commerce, and education, and tele-medicine, and in so many ways, improving our lives in commerce. So I thank you again Mr. Chairman for your leadership, look forward to working with you, and Madam Chairman, thank you for articulate principled leadership. Ms. Majoras. Thank you very much, Senator Allen. Senator Smith. And Madam Chairman, to Senator Allen's point, I think if you hear anything today it is that this is an enormous problem and it requires urgent effort, and so please know we're counting on you, we appreciate you, and we hope you convey to everyone at the FTC we appreciate their good work. We recognize in our mailboxes that there is growing alarm and we need to be ahead of it. So thank you, and with that we're adjourned. Ms. Majoras. Thank you very much, Senator. [Whereupon, at 3:40 p.m., the Committee adjourned.] A P P E N D I X Response to Written Questions Submitted by Hon. Frank R. Lautenberg to Hon. Deborah P. Majoras Response to Questions One and Three Your letter poses two questions about the nature and efficacy of the FTC's consumer education efforts related to spyware. Your letter commends the FTC and industry for launching a new website, www.OnGuardOnline.gov., but expresses the concern that the website uses technical terms (e.g., updating operating systems, firewalls, and drive-by installations) that consumers, particularly seniors, may not understand. Your letter also cites statistics as to the prevalence of spyware on computers and asks about the Commission's short-term and long-term goals to decrease its prevalence through consumer education. The Commission shares your concern about the importance of educating consumers about problems in electronic commerce, including spyware. To inform consumers about spyware and other threats on the Internet, the Commission launched its OnGuard Online initiative, with the OnGuardOnline.gov website as its primary consumer education tool. The initiative was developed to address the need for a comprehensive, consistent set of educational messages for consumers. It incorporates the best learning of the Internet community and presents it in a complete and accessible format. In consultation with communications experts, it was designed to be usable by consumers with a broad range of familiarity with the Internet and technology. The comprehensive website uses interactive activities, articles, videos, and tips that address topics important to consumers, including ways that consumers can lower their risk of spyware infections, clues as to whether spyware is on their computer, and an informative spyware quiz. Consumers are also able to report via the website if they have been a victim of spyware. Because people learn in a variety of ways, the FTC has made the OnGuard Online information available in many forms. The OnGuardOnline.gov website includes video tutorials prepared by the Internet Education Foundation with visual instructions to ``click here, then here,'' to turn on the security features in various types of software. The site also presents a series of videos prepared by Microsoft with the information presented in an accessible format. Some consumers, including many seniors, may not be familiar with technical terms used to describe technology. The OnGuard Online initiative therefore uses plain language to describe technical concepts. For example, the OnGuard Online brochure explains that ``[f]irewalls help keep hackers from using your computer to send out your personal information without your permission.'' In addition, the OnGuard Online bookmarks and posters have quick tips written in plain language, and the OnguardOnline.gov website includes an extensive glossary of computing terms, for consumers who need more information about the terms used. Finally, the AARP is a partner in the OnGuard Online initiative. Response to Question Two Your letter asks whether it is deceptive to fail to disclose that spyware will be installed. Your letter also asks whether it is deceptive to disclose only in the end-user license agreement that spyware will be installed. It is well-established that a failure to disclose adequately material facts to consumers may be unfair or deceptive in violation of Section 5 of the FTC Act. The FTC has alleged a failure to disclose information in a number of Internet-related deception cases. \1\ The Commission staff also has issued a guidance document that provides advertisers with advice as to how to apply traditional FTC disclosure principles to the online environment, including advertising and marketing software on the Internet. \2\ --------------------------------------------------------------------------- \1\ See, e.g., Juno Online Services, Inc., FTC Dkt. No. C-4016 (June 29, 2001) (failure to disclose that some subscribers to its ISP service would incur long distance telephone charges while connecting to the Internet) (consent order); BUY.COM, Inc., FTC Dkt. No. C-3978 (Sept. 8, 2000) (failure to disclose restrictions and costs associated with purchasing a ``free'' or ``low-cost'' personal computer in exchange for agreeing to purchase Internet service) (consent order); Value America, Inc., FTC Dkt. No. C-3976 (Sept. 8, 2000) (same). \2\ Federal Trade Commission Staff Working Paper, Dot Com Disclosures: Information About Online Advertising (May 3, 2000), available at http://www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/ index.html. --------------------------------------------------------------------------- The Commission has addressed the failure to disclose adequately to consumers the material fact that spyware would be installed on their computers. In particular, disclosing the presence of bundled software, including spyware, only in the end-user licensing agreement may be unfair or deceptive. For example, in FTC v. Odysseus Marketing, Inc., the defendants offered consumers a free software program that purported to make the consumers anonymous when using peer-to-peer file-sharing programs. \3\ The Commission alleged, however, that the distributors failed to disclose to consumers that this program, in turn, would install other, harmful software on their computers. Similarly, in Advertising.com, Inc., the respondents allegedly offered free security software, but bundled with it software that caused consumers to receive a substantial number of pop-up ads. \4\ Although the presence of this software was disclosed in the end-user license agreement, the Commission alleged that this disclosure was inadequate. The Commission therefore is using its authority to prohibit unfair or deceptive acts and practices to take law enforcement action against those who fail to disclose adequately to consumers that spyware will be installed on their computers. It is important to note that, as I indicated in my testimony, such a case-by-case approach that focuses on bringing law enforcement action where a failure to disclose has harmed consumers is preferable to requiring disclosure for all software, no matter how innocuous. --------------------------------------------------------------------------- \3\ The Commission recently filed a complaint in Federal court alleging that this failure to disclose was deceptive in violation of Section 5 of the FTC Act. The parties stipulated to a preliminary injunction order, which was entered on October 11, 2005. FTC v. Odysseus Marketing, Inc., No. 05-CV-330 (D.N.H. filed Sept. 21, 2005), available at http://www.ftc.gov/opa/2005/10/odysseus.htm. \4\ In the Matter of Advertising.com, FTC Dkt. No. C-4147 (consent order Sept. 12, 2005), available at http://www.ftc.gov/os/caselist/ 0423196/0423196.htm. --------------------------------------------------------------------------- Response to Question Four As the Commission indicated in its testimony, \5\ our main tool for combating spyware is bringing law enforcement actions challenging acts and practices as unfair or deceptive in violation of Section 5 of the FTC Act. Your letter asks how many spyware-related law enforcement actions we have brought in 2005, as well as for a description of our efforts to investigate spyware, given that many consumers may not know that they have spyware on their computers. --------------------------------------------------------------------------- \5\ Federal Trade Commission, Prepared Statement Before the Committee on Commerce, Science, and Transportation Subcommittee on Trade, Tourism, and Economic Development, United States Senate (Oct. 5, 2005), available at http://www.ftc.aov/os/testimonv/ 051005spywaretest.pdf. --------------------------------------------------------------------------- Thus far, the FTC has brought six law enforcement actions involving spyware, including five law enforcement actions to date in 2005. The FTC's written testimony at the recent hearing describes the FTC's first five actions. Our sixth law enforcement action was filed after the hearing. \6\ In the Enternet Media, Inc. case, the FTC alleged that the defendants distributed via the Internet exploitive software code dubbed ``Search Miracle'' and ``EliteBar,'' onto the computers of unsuspecting consumers. With the aid of their network of affiliates, the complaint alleged, the defendants trick consumers into downloading and installing their exploitive code by disguising it as harmless, free software, such as Internet browser upgrades, music files, cell phone ring tones, and song lyrics. However, contrary to their representations, the defendants' code is not a browser upgrade or security patch, nor is it any type of harmless free software. Rather, it functions as a type of spyware that substantially interferes with the functionality of consumers' computers, such as by tracking consumers' Internet activity, changing consumers' homepage settings, inserting a new toolbar onto consumers' Internet browsers, inserting an obtrusive window onto consumers' computer screens that displays advertisements, and displaying voluminous pop-up advertisements, even when consumers' Internet browsers are closed. To make matters worse, the FTC alleges, it is extremely difficult for consumers to uninstall the exploitive code, and that the defendants' uninstall instructions do not work. A Federal district court granted a temporary restraining order; a preliminary injunction hearing has been scheduled for the near future. Using this law enforcement approach, we were also able to freeze $2 million in the defendants' bank accounts. --------------------------------------------------------------------------- \6\ FTC v. Enternet Media, Inc., No. CV-05-7777 (C.D. Cal. filed Nov. 1, 2005). --------------------------------------------------------------------------- Spyware investigations and prosecutions are a priority for the Commission. We are actively looking at a wide variety of sources of information about the identity and location of those distributing spyware that is causing harm to American consumers. We are consulting with Federal and state criminal and civil law enforcement agencies. We also are receiving critical information from high-tech companies, such as anti-spyware companies and operating system companies. We further are receiving valuable information from consumer groups, anti-spyware organization websites, academics, and the technology press. I appreciate the assistance that we are receiving from these groups, and I look forward to continue working with them to make our spyware investigations and prosecutions as effective as possible. Thank you for providing me with an opportunity to supplement my answers at the hearing concerning the FTC's law enforcement record as it pertains to spyware. If you would like additional information, please contact Anna Davis, the Director of the Office of Congressional Relations, at (202) 326-3680.