[Congressional Record (Bound Edition), Volume 146 (2000), Part 17]
[Extensions of Remarks]
[Pages 25078-25079]
[From the U.S. Government Publishing Office, www.gpo.gov]



                   ELECTRONIC PRIVACY PROTECTION ACT

                                 ______
                                 

                           HON. RUSH D. HOLT

                             of new jersey

                    in the house of representatives

                       Thursday, October 26, 2000

  Mr. HOLT. Mr. Speaker, as a member of the House Internet and Privacy 
Caucuses, I rise to call my colleagues' attention to a bill I introduced 
today to protect consumers from software more commonly known as 
``spyware.''
  Mr. Speaker, I would like to submit a July 14th article in the 
Washington Post that outlined this problem. In this article entitled 
``Your PC Is Watching,'' the Post writer points out that companies like 
Mattel who make interactive computer toys like the Reader Rabbit and 
Arthur's Reading Games are using spyware to track the habits and usage 
of children. She also points out that companies like Intuit Inc. who 
make the popular home accounting program Quicken employ spyware.
  Spyware is a computer program, usually embedded in another program, 
that can take information from a person's computer without their 
knowledge or consent. That's right. Information can be removed from a 
computer without the consent of the user. What this software does is 
take information stored on a person's computer and transmit it to the 
operator of the spyware while a person is online.
  This information is typically sent to the manufacturer of the 
software, a marketing company or an advertising agency to aid in the 
development of new products or advertising campaigns. Spyware often 
collects the cookies that a person accumulates while browsing the net.
  Let me make this clear, Mr. Speaker. This legislation does not affect 
the issuance of cookies by Internet companies. Cookies do not, by 
themselves act as spyware. A cookie is an identifier for a particular 
Web site that allows among other things a host to recognize a user. 
Protections for people who want to guard against cookies are built into 
the major Web browsing programs.
  What my legislation does is protect the American people from 
intrusion. None of us let strangers into the house without first 
checking who is at the door. Surely, we do not want intruders coming 
into our computers without first giving our consent and, for example, 
misusing cookies. With the increasing use of home computers for 
personal business like taxes and financial planning, people are storing 
more and more sensitive personal data on their PCs.
  What this legislation does is require the Federal Trade Commission to 
issue regulations within 120 days of the bill's passage to do a few 
common-sense things. The regulations will require that any piece of 
software that contains spyware be clearly marked with a label. Also, it 
would make it unlawful to knowingly install spyware on a computer or 
use spyware without obtaining consent from the primary user of the 
computer.
  Mr. Speaker, there is one other important thing that this legislation 
will do. It will double the penalty for any person or company to use or 
install spyware on a computer that is known to be under the control of 
a minor.
  Mr. Speaker, the practice of strangers tracking the activities of our 
children is deplorable. I understand that most companies argue that 
they do not use these programs for sinister reasons. I also understand 
the argument that this software allows them to tailor products and 
services to the needs of the consumer.
  Mr. Speaker, I also understand that it is not a far stretch from this 
to the unintended uses of this software to cyber-stalk children, steal 
financial or medical information or even steal a person's identity.
  It is time we stopped talking and studying the problem of privacy 
protection and start acting to protect our constituents. I urge my 
colleagues to join me in this effort.

            [From the Washington Post, Fri., July 14, 2000]

                        (By Ariana Eunjung Cha)

       Keith Little, a computer technician who makes house calls 
     on the apple farms of central Washington state, says more and 
     more of his clients are asking him to take steps to protect 
     their online privacy. So he scans their computers for any 
     mischievous programs and installs security software.
       What surprises people is how often Little finds programs 
     designed to funnel bits of their personal information from 
     their computers and into giant corporate databases. He says 
     more than half of the 20 or so computers he inspects each 
     week are running stealthy programs he calls ``spyware.''
       The electronic eavesdroppers usually come attached to the 
     software people install on their personal computers. Whenever 
     a user connects to the Internet, these programs take 
     advantage of the opening to pass on information that has been 
     stored on the PC's hard drive. The data--it could be details 
     of Web surfing habits or identifying personal information--
     are then typically sent to the manufacturer of the software 
     or a marketer to be used in developing new products or 
     advertising campaigns.
       At a time when concerns about online privacy have spread 
     from Internet bulletin boards to Capitol Hill, this tracking 
     software has become a flash point for the debates about how 
     to balance consumer rights with the business models of the 
     digital age.
       Little has found the programs in children's software such 
     as Mattel Interactive's Reader Rabbit and Arthur's Reading 
     Games, Intuit Inc.'s financial planner Quicken, and dozens of 
     other packages. The electronic hitchhiker also is part of a 
     program associated with the Netscape browser that millions of 
     people use to travel the Internet.
       One Web site has identified more than 4000 of these data-
     gathering and tracking programs. Most are free ``shareware'' 
     that people download off the Web, but an increasing number 
     are mainstream programs, even those people pay for.
       ``When people find out, they are livid,'' said Little, 42. 
     ``They say, `Get it out of there'. Then they become very 
     afraid to use their computers, afraid of what personal stuff 
     it's sending out. The problem is that they were not 
     informed.''
       The companies that use the programs say they were created 
     not for nefarious reasons but to help tailor information 
     consumers want. The programs work by collecting data from a 
     hard drive or from the electronic ``cookies'' many users pick 
     up when they visit Web sites. A marketing company might then 
     use the information about what Web sites you frequent to 
     decide whether you would be interested in an ad for a 
     sporting-goods retailer or one for opera tickets. A software 
     manufacturer often wants to know who has purchased its 
     products so it can alert users to problems or update them 
     about new goodies.
       Most companies say they do not seek out information that 
     would identify a person by name. Further, they say the 
     information is not disseminated publicly, but only used for 
     internal corporate purposes.
       Privacy advocates, though, equate the programs to taps on 
     phone lines. Rep. Edward J. Markey (D-Mass.) recently 
     introduced a bill that would require companies to give 
     ``conspicuous notice'' of any information they are collecting 
     and to allow users to decline to participate. A New Jersey 
     photographer last week filed a lawsuit against Netscape 
     Communications, an America Online Inc. subsidiary, accusing 
     the company of using its SmartDownload program to 
     ``eavesdrop.''

       Concern has grown in the past few months as more Americans, 
     unsettled by high-profile accounts of spreading computer 
     viruses and other hacker attacks, have installed security 
     software--or ``firewalls''--in their personal computers. The 
     security programs typically alert users with warning messages 
     whenever an unauthorized program is attempting to send 
     information out into the Internet. Many users quickly 
     discover how vulnerable they are.
       Last winter, a Seattle company called RealNetworks Inc. 
     came under fire after customers discovered its music player 
     was collecting information about users' listening habits in 
     order to personalize its services. The company has since 
     stopped the practice and apologized. Intuit, meanwhile, has 
     acknowledged using the tracking programs to target ads. And a 
     few weeks ago, after parent complaints, Mattel Inc. officials 
     apologized for adding a data-gathering program to more than 
     100 titles of its Learning Co. unit's educational programs 
     for children.
       Simson Garfinkel remembers that he was 40,000 feet in the 
     air on a plane from London to Boston in May when he noticed 
     that his laptop kept trying to connect to the Internet. The 
     culprit: an educational program he had installed for his 3-
     year-old daughter. It was trying to send out the producer's 
     code number and other such information to the company so it 
     could better respond to consumer needs, according to Mattel 
     spokeswoman Susan Salminen.
       ``I wouldn't call it spyware exactly. It was more like 
     marketing ware. But even that conveys a lot of personal 
     information to the folks at Mattel and it was upsetting,'' 
     said Garfinkel, a computer network architect from Cambridge, 
     Mass.
       Mattel's Salminen said the program's intentions are 
     benevolent but the company already had decided to eliminate 
     it late last year from all new software because of ``public 
     concern around the privacy issue.''
       Earlier this month, a Netscape user named Christopher Specht 
     filed a class-action suit in U.S. District Court in Manhattan 
     seeking damages of a minimum of $10,000 per person for 
     violating consumers' privacy by tracking which files they 
     download from the Internet.
       A spokeswoman for Dulles-based AOL said the company is 
     aware of SmartDownload's ability to gather customer data but 
     it had ``never used it to access or retain information about 
     users or files.''
       ``The lawsuit is without merit,'' said Ann Brackbill, a 
     senior vice president. As every corner of the Internet 
     becomes increasingly commercialized, many online companies 
     are experimenting with new models for making money in the 
     uncharted new economy.
       One way is to give away products or sell them for below 
     cost and make money through advertising. The tracking 
     programs allow these companies to tout their ability to 
     target specific audiences to potential advertisers. At the 
     same time, many software companies are trying to develop a 
     continuing relationship with their customers, becoming in 
     effect service-oriented companies. The tracking programs 
     allow them to keep in touch.
       For the most part, companies that track consumers say the 
     information they collect is minimal, and it's gathered 
     anonymously so that the data cannot be linked to real names. 
     But security professionals like Travis Haymore of Lanham's 
     Digital Systems International Group point out that some of 
     the data streams leaving personal computers are so heavily 
     cloaked, or encrypted, that it's practically impossible for 
     anyone to verify or refute such claims. And the programs are 
     more invasive than the electronic cookies that businesses use 
     to track people on the Web because they potentially can scan 
     documents and images on people's hard drives as well as track 
     online habits.
       ``Your tax records, what medical sites you've been looking 
     at, your online banking--if someone has spyware on your 
     machine, they would have access to that data and it would be 
     next to impossible to tell if it was leaving,'' said Haymore, 
     a former federal government computer security investigator.
       Irate computer users also have filled online bulletin 
     boards with complaints about tracking programs that are 
     impossible to remove (even when the original host program is 
     deleted), that crash their computers or clog up their 
     telephone or cable lines, slowing down their Internet 
     connections.
       Two technology marketing companies, Silicon Valley's 
     Radiate.com and Sterling's Conducent Technologies Inc., which 
     have developed ``ad bots,'' software for the most popular ads 
     targeting customers, have been at the heart of the online 
     privacy debate. These ventures partner with software 
     companies and share a cut of the advertising revenue.
       Conducent's director of Marketing, Robert Regular, says 
     participation in its ad-driven programs is ``voluntary'' and 
     offers consumers many advantages, including discounted or 
     free software. People who purchase CD-ROMs made by eGames, 
     for instance, can get six free programs if they choose to 
     look at ads and give up some personal information. ``We will 
     show ads and will make use of the user's Internet connection 
     and if they agree to that, great. If not, they don't have to 
     use the software,'' he said.
       Regular says the company always has required its partners to 
     disclose in their privacy policies that the programs were 
     ``ad-supported'' but only this month started making them 
     flash separate screens during the installation process 
     alerting users of the tracking.
       Like other people in the industry, Regular disputes the 
     ``spyware'' characterization.
       ``We don't spy on anyone. We don't know any personally 
     identifiable information. We know they are an anonymous user. 
     We don't look at anything that they do,'' he said. ``Because 
     we run in the background, people think we're doing something 
     deceptive and don't understand that it's in order to refresh 
     ads.''
       As stories of tracking software and other privacy concerns 
     have circulated throughout the online world in recent months, 
     companies and independent programmers have scrambled to 
     develop protection tools with names such as ZoneAlarm and 
     OptOut. More than 1.1 million people already have downloaded 
     OptOut, freeware that was developed by Steve Gibson, a security 
     consultant in California and a privacy advocate. And personal 
     firewall software has been rushing off store shelves since 
     last fall, with 40,000 to 50,000 copies being sold each 
     month, according to research firm PC Data Inc.
       But even unsophisticated programmers can easily get around 
     the best available electronic firewalls, security experts 
     say.
       Symantec's Steve Cullen, the senior vice president for 
     consumer business, said people using Norton Internet Security 
     2000, the most popular firewall program, for instance, can 
     specify that their names, credit-card numbers and other 
     sensitive information be blocked from leaving the computer. 
     But if that information is electronically masked by one of 
     many easy techniques, it can still get through.
       ``If it's really spyware, certainly encoding or encrypting 
     is something that these guys could do and that makes it much 
     trickier to catch it,'' he said.
       Still, Cullen says that scenario is rare. He said about 80 
     percent of the time companies don't bother hiding the data 
     and leave it as plain text, a format that is simple to 
     filter.
       Christopher Kelley, an analyst with Forrester Research, 
     believes that the ``sneakiness'' with which some corporations 
     are acting has exacerbated privacy concerns and damaged the 
     industry's credibility--something that they may come to 
     regret as an increasing number of angry citizens create 
     technological tools that could topple the companies' entire 
     business plans. Added Montreal computer consultant Gilles 
     Lalonde: ``Right now it's now a free-for-all. Anything goes. 
     This is the kind of environment that permits these kinds of 
     intrusive behaviors, allows them to flourish. If we don't 
     start to define some ethical rules, before long people will 
     lose their trust in all online companies and this great 
     technological revolution just stops.''

     

                          ____________________