[Senate Hearing 108-1002]
[From the U.S. Government Publishing Office]
S. Hrg. 108-1002
S. 2145, ``THE SPY BLOCK ACT''
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMUNICATIONS
OF THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
__________
MARCH 23, 2004
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
U.S. GOVERNMENT PUBLISHING OFFICE
20-672 PDF WASHINGTON : 2016
_______________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
JOHN McCAIN, Arizona, Chairman
TED STEVENS, Alaska
CONRAD BURNS, Montana
TRENT LOTT, Mississippi
KAY BAILEY HUTCHISON, Texas
OLYMPIA J. SNOWE, Maine
SAM BROWNBACK, Kansas
GORDON H. SMITH, Oregon
PETER G. FITZGERALD, Illinois
JOHN ENSIGN, Nevada
GEORGE ALLEN, Virginia
JOHN E. SUNUNU, New Hampshire
ERNEST F. HOLLINGS, South Carolina, Ranking
DANIEL K. INOUYE, Hawaii
JOHN D. ROCKEFELLER IV, West Virginia
JOHN F. KERRY, Massachusetts
JOHN B. BREAUX, Louisiana
BYRON L. DORGAN, North Dakota
RON WYDEN, Oregon
BARBARA BOXER, California
BILL NELSON, Florida
MARIA CANTWELL, Washington
FRANK R. LAUTENBERG, New Jersey
Jeanne Bumpus, Republican Staff Director and General Counsel
Robert W. Chamberlin, Republican Chief Counsel
Kevin D. Kayes, Democratic Staff Director and Chief Counsel
Gregg Elias, Democratic General Counsel
------
SUBCOMMITTEE ON COMMUNICATIONS
CONRAD BURNS, Montana, Chairman
TED STEVENS, Alaska
TRENT LOTT, Mississippi
KAY BAILEY HUTCHISON, Texas
OLYMPIA J. SNOWE, Maine
SAM BROWNBACK, Kansas
GORDON H. SMITH, Oregon
PETER G. FITZGERALD, Illinois
JOHN ENSIGN, Nevada
GEORGE ALLEN, Virginia
JOHN E. SUNUNU, New Hampshire
ERNEST F. HOLLINGS, South Carolina, Ranking
DANIEL K. INOUYE, Hawaii
JOHN D. ROCKEFELLER IV, West Virginia
JOHN F. KERRY, Massachusetts
JOHN B. BREAUX, Louisiana
BYRON L. DORGAN, North Dakota
RON WYDEN, Oregon
BARBARA BOXER, California
BILL NELSON, Florida
MARIA CANTWELL, Washington
C O N T E N T S
----------
Hearing held on March 23, 2004
Statement of Senator Allen
Statement of Senator Boxer
    Prepared statement
Statement of Senator Burns
Statement of Senator Wyden
Witnesses
Berman, Jerry, President, The Center for Democracy & Technology
    Prepared statement
Holleyman II, Robert W., President and CEO, Business Software Alliance (BSA)
    Prepared statement
Levine, Dr. John, President and CEO, Taughannock Networks, and Author, The Internet for Dummies
    Prepared statement
Naider, Avi Z., President and Chief Executive Officer, WhenU.Com, Inc.
    Prepared statement
S. 2145, ``THE SPY BLOCK ACT''
----------
TUESDAY, MARCH 23, 2004
U.S. Senate,
Subcommittee on Communications,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:30 p.m. in
room SR-253, Russell Senate Office Building, Hon. Conrad Burns,
Chairman of the Subcommittee, presiding.
OPENING STATEMENT OF HON. CONRAD BURNS,
U.S. SENATOR FROM MONTANA
Senator Burns. We will call the Committee to order. Thank
you for coming today as we look at another problem we face in
the world of Internet. In the world of worms and viruses, you'd
think this would be the Ag Committee but it's not. Cookies and
implants, you can put that in any committee. But today's
hearing concerns a topic of critical importance to the future
of consumer privacy and electronic commerce in the digital age,
and I refer to the flood of spyware, which has been
increasingly burrowing itself into consumers' computers, often
without their knowledge.
I'm pleased to benefit from the hard work and expertise of
my friend, Senator Wyden. We've worked together on many issues
and I look forward to working with him on this one. We passed
CAN SPAM, which after 4 years finally became law, and we may be
a little bit ahead of the curve whenever we start talking about
the subject that we're visiting about today. I'm convinced that
spyware is potentially an even greater concern than junk e-
mail, given its invasive nature.
I appreciate the support of another one of my colleagues on
the Committee who has been an ardent defender of consumers'
rights online, and of course, that's Senator Boxer of
California. Together we have crafted legislation aimed at
ending the insidious operation of spyware, and it is the SPY
BLOCK Act of 2004.
Spyware refers to the software that is downloaded onto
users' computers without their knowledge or consent. It's a
sneaky kind of software that is often used to track the
movements of consumers online and even steal passwords. The
porous gaps spyware creates in a computer's security may be
difficult to close.
For example, one popular peer-to-peer file sharing network
routinely installs spyware to track users' information and
retrieves targeted banner ads and pop-ups. As noted by the
recent article in PC Magazine, these file sharing networks may
be free, they may be free but at the cost of privacy and not
money.
Of the 60 million users, few know that they are being
watched, and for those who discover spyware, uninstalling it may
prove to be difficult. Some spyware includes tricklers. Now we've
got a new word in the vocabulary, tricklers, which reinstall the files as you
delete them. Users may think that they are getting rid of the
problem, but the reality of the situation is far different.
So creators of spyware have engineered the technology so
that once it is installed on a computer, it is difficult and
sometimes impossible to remove, in some cases requiring the
entire hard drive to be erased to get rid of the poisonous
product. Such drastic measures may be taken, because often
spyware tells the installer what websites the user visits, it
steals the passwords or other sensitive documents on a personal
computer, and also redirects Internet traffic through certain
websites.
One of the most disturbing aspects about the spyware
problem is that so few consumers are aware of it. Bearing this
in mind, the SPY BLOCK bill relies on a common sense approach,
which prohibits the installation of software on consumers'
computers without notice, consent, and reasonable uninstall
procedures. The notice and consent approach which SPY BLOCK
takes would end the practice of so-called drive-by downloads,
which some bad actors use to secretly download programs onto
users' computers without their knowledge.
Under SPY BLOCK, software providers must give the consumers
clear and conspicuous notice that a software program will be
downloaded onto their computers and requires user consent. This
simple provision could be fulfilled by clicking yes in the
dialogue box, for example.
SPY BLOCK also requires notice and consent from other types
of software. In the case of adware, another new word here,
providers are required to tell consumers what types of ads will
pop up on the users' screens and at what frequency. Consent is
required for software that modifies user settings or uses
distributed computing methods by utilizing the processing power
of individual computers to create larger networks.
And finally, software providers must allow for their
programs to be easily uninstalled by users after they are
downloaded. As with CAN SPAM law, enforcement authority would
be given to the Federal Trade Commission. State attorneys
general would also take action against purveyors of spyware,
and it also empowers the users.
Clearly, the right balance must be reached between
punishing bad actors and not impeding legitimate e-commerce. I
am open to discussing with my colleagues ways to craft this
legislation so as to capture the truly malicious offenders. Make
no mistake about it. The intent of SPY BLOCK is to bring back a
little truth in advertising. Clearly, accountability needs to
be brought to bear on this issue.
I'm anxious to hear exactly how using the unique brands of
trusted companies to redirect consumers to their commerce sites
is a legitimate business practice. While I understand this may
be explained as a high-tech form of contextual marketing, I am
very leery of the broad types of questionable business
practices that could be legitimized by this line of thinking.
Working closely with my good friends, Senator Wyden and
Senator Boxer, I'm confident that we can make major progress on
this legislation before spyware infects a critical mass of
computers and renders them useless. Just trying to keep up with
the latest anti-spyware software imposes a tremendous cost to
business, let alone individuals who have to spend their time
online worried about the next spyware infestation.
I look forward to hearing the testimony today and I
appreciate our witnesses, and now Senator Wyden. And thank you
so much for your good help.
STATEMENT OF HON. RON WYDEN,
U.S. SENATOR FROM OREGON
Senator Wyden. Thank you, Mr. Chairman. It's great to have
a chance to team up with you. I think once again we're showing
that work in this area clearly can be bipartisan and we have
gone this way on a host of initiatives. It's great to team up
with you and then, of course, to have Senator Boxer, who's such
an articulate and strong advocate, not just of consumers, but
the technology sector. To have her with us as well is a great
pleasure.
You said it very well and I'm just going to make a couple
of quick comments. In fact, Mr. Chairman, if I could, I've got
a longer statement and I'd like to have that placed in the
record.
Senator Burns. Without objection.
Senator Wyden. Mr. Chairman, it just seems to me what is
going on here is that snoops and spies are really trying to set
up base camp in millions of computers across the country, and
what we are in effect saying is that the owners of computers in
this Nation ought to have control over what software gets
placed on that computer. It really is just that simple. That
really belongs to the computer user, and so what you have is in
effect all these sneaky, covert kinds of programs that are
really trying to take those rights away from the owners of
computers around the country. It seems to me that this will
ensure that computer owners have knowledge and control over
what gets placed on their computers, and given the
sophistication of people who try to take advantage of the
public, it seems to me that this is important legislation to
move on now.
In effect, what these individuals who are engaging in this
activity that we think is violative of the computer owners'
rights, what they are doing is they're acting as parasites,
they're acting as people who would put parasites on computers,
put unwanted software that can burrow in and install itself on
a hard drive where it proceeds to use the computer and the
Internet connection for its own purposes. And as you have
noted, the owner of the computer frequently doesn't know the
intruder is there and very often has no way to get rid of it
once he or she finds out.
So I think as we go forward in this debate, for those who
may have reservations about this and want to oppose it, I want
them to answer the central question. How can it be that those
who own computers and have access to the Internet shouldn't
have that treated as private property? That is what this is
really all about. You don't get opportunities to come into
somebody's home without their knowledge and permission, and you
shouldn't expect others to be able to take advantage of you in
the kind of way that these parasites and snoops and spies are
doing.
I think we've written this bill carefully. I'd like to put
into the record an editorial from the New York Times that I
think makes an important point in the sense that it's important
not to write the definitions of what we're going to be doing to
protect the consumer in too narrow a fashion. The Center for
Democracy and Technology has done some very good work in terms
of trying to ensure we have enough flexibility in those
definitions so as to address the issue in a responsible way,
and I'd very much like to have the editorial from the New York
Times warning about the danger of making sure that you don't
write this bill in too narrow a fashion put into the record.
I think this is a good bill and the fact that you and I and
Senator Boxer have a chance to team up on it means that we can
make this a priority even though this session is short, and I
hope that we will be able to move it quickly to the full
committee.
Senator Burns. Thank you, Senator Wyden, and I do too. I
share your concerns. It's my computer, it is private property,
I bought it and paid for it, and for my use only, not some
leech. Senator Boxer.
STATEMENT OF HON. BARBARA BOXER,
U.S. SENATOR FROM CALIFORNIA
Senator Boxer. Mr. Chairman, I couldn't top that, I really
couldn't. I am so pleased to work with you and Senator Wyden
and our staffs have worked together and I'm proud to be on the
SPY BLOCK Act, and I'd ask unanimous consent that my full
statement be placed in the record.
Senator Burns. Without objection.
Senator Boxer. And I will summarize it very briefly. If we
saw someone with binoculars looking in someone else's window,
we'd call the cops, and I think that in many ways what we're
doing is very similar to that, but it's even worse than looking
in a window. It's really getting into someone's head and
someone's life.
So this is really important, it's very important, and I do
hope we can prevail and get this done pretty quickly. You know,
it is a pro-consumer bill, but I want to say to my colleagues
it's also a pro-industry bill in my opinion. We're going to
have people say it isn't, but it is, because I got news for
you. If people think that they're being spied upon, they're
going to use that computer a lot less than they normally would,
and we're going to have people running away from using their
computer just because this is America and we don't like that.
So I think what we're doing is pro-consumer but it's pro-
business as well. And basically the rest of my statement goes
into how it's very important to clearly talk about software,
not just spyware, and that's what we try to do in the bill so
people can't say, well, my definition doesn't fit what
you're doing. We want to make sure we cover everybody and that
this bill is really going to do the job that it set out to do.
So again, I'm very pleased to be with you in this fight and
I hope we can get it done. And I'm going to be running out for
a minute and coming back to hear the testimony and look forward
to our partnership on this.
[The prepared statement of Senator Boxer follows:]
Prepared Statement of Hon. Barbara Boxer, U.S. Senator from California
Mr. Chairman, thank you for holding this hearing. Last month, I
joined you and Senator Wyden in introducing the ``SPY BLOCK Act'' (S.
2145). Our legislation is designed to address increasing concerns that
I have heard coming from California and other states over ``spyware.''
Spyware, and other types of software called ``Adware,'' are
delivered into the homes and offices of consumers and onto their
computers often without their knowledge and consent.
These invisible snoops follow consumers everywhere they go on the
Internet and they bombard consumers with targeted pop-up ads.
Our bill simply says that software makers, including spyware
makers, cannot sneak into your computer. Specifically, the SPY BLOCK
Act prohibits the installation of software without notice and consent
of an authorized user. Additionally, the software must provide clear
procedures to uninstall the software and must be capable of being
completely and easily removed.
The most common objection to the bill we have heard is that it
should focus only on ``spyware.'' But as this hearing will show, nobody
thinks the software they produce IS spyware.
The reason the legislation targets software is because the people
who produce spyware will always try to define themselves out of the
category by claiming that their particular software is not spyware. By
applying common principles of consumer rights for all software, we deal
with the spyware problem and enhance consumer rights on the Internet
more broadly.
Mr. Chairman, I am proud to work with you on this issue and look
forward to working with the witnesses here today to make the
legislation as effective as possible.
Senator Burns. Thank you, Senator Boxer. We'll keep you up
to date.
Senator Boxer. I'll be right back.
Senator Burns. OK. We'd ask our witnesses to come to the
table now. We have Mr. Avi Naider, President and CEO of
WhenU.com Inc. from New York; Mr. Robert Holleyman, President
and CEO of Business Software Alliance, we worked a lot with
that group of people and with extreme pleasure; Mr. Jerry
Berman, President of the Center for Democracy and Technology,
and, of course, if there has been a man who has been around the
Internet any longer than this man then they had to come before
dirt almost, Jerry, so thank you for coming today.
Mr. Berman. Are you talking about my age or my expertise?
Senator Burns. Both, I think. And Dr. John Levine,
President and CEO of Taughannock Networks from up in New York,
and we appreciate you coming today too and I'll try and get
that networks pronunciation down much better so I'll have to
apologize for that.
We'll start with you, Mr. Naider, if you're ready, and we
look forward to hearing your testimony.
STATEMENT OF AVI Z. NAIDER, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, WHENU.COM, INC.
Mr. Naider. Good afternoon, Mr. Chairman and Members of the
Subcommittee. I thank you for the opportunity to appear before
your Subcommittee as it examines the issues surrounding
spyware. I am Avi Naider, President and Chief Executive Officer
of WhenU.com. WhenU is an online contextual marketing company.
WhenU makes software that recognizes the immediate interests of
an online consumer and automatically displays highly pertinent
coupons and advertisements in response to the consumers'
expressed interest.
Consumers visiting the Staples website who have WhenU
software might be presented with a coupon to save $30 off a
$150 purchase at Staples. Consumers researching a trip to
London who have WhenU software might be shown a pop-up with a
special $99 fare on British Airways. This is why we named the
company WhenU. It provides you with relevant and timely
information when you shop online, when you travel to London,
and so on.
Our software presents information to consumers that is
targeted and timely. At the same time, our software
aggressively protects consumer privacy. In the past, targeted
marketing in the U.S. has been enabled by collecting
information about households and individual consumers into
large databases. These databases are replete with information
about who we are, what we buy, how affluent we are, and lots of
other personal information.
We started WhenU because we believe that targeted marketing
can be done without collecting personal information about
consumers and building profiles. WhenU does not have a database
of consumers or any consumer profiles at all. Instead, our
software uses a proprietary directory of the Internet that
categorizes various indicators of consumer interest and
delivers precisely targeted messages that inform the consumer's
decisionmaking process.
The software does all this without sending individual
consumer activity back to WhenU. WhenU's software-based
advertising is a promising technology that begins to fulfill
the potential of the Internet as a rich, personalized, one-to-
one marketing and information delivery experience. We believe
that WhenU software and other methods of contextual marketing
are likely to emerge as engines of major growth for the
Internet in the future.
The WhenU desktop advertising network represents millions
of consumers who have installed WhenU software on their
computers. Typically, consumers download WhenU contextual
marketing software as part of a bundle that contains free
popular software. Developers of such free software rely on the
revenue generated by companies like WhenU often as their sole
or primary revenue model. They view WhenU as win-win technology
that offers consumers free coupons, relevant advertising, and
free software, all while protecting consumer privacy.
WhenU software is anything but spyware. WhenU follows a
strict privacy policy, and in addition, respects the principles
of consumer choice in the following ways. The consumer always
receives a clearly visible notice that WhenU software is part
of a download. The consumer is given easy access to a clear and
concise license agreement that he must affirmatively accept to
proceed with the installation of WhenU software.
WhenU-generated ads, offers, and coupons are boldly and
conspicuously branded by WhenU, and WhenU software is easy to
uninstall. WhenU fully supports the principles underlying the
SPY BLOCK Act. We also favor further and detailed study of the
complex issues presented in order to enable Congress to craft
an effective national legislative solution.
Many of the legislative issues currently proposed, both at
the state and the Federal level, are either overly broad or
lack the necessary nuance to address the problem effectively,
and yet still allow promising technology to develop. As a
result, they potentially regulate or even restrict consumer-
friendly, privacy-protective, and mainstream software, while
failing to protect consumers against software that truly
threatens privacy and security.
Ironically, carelessly-worded spyware legislation that
lacks nuance will do more to promote the spyware problem than
solve it. Because if legitimate advertising models that truly
give choice to consumers are lumped in with nefarious software
that intends to deceive, rogue and unscrupulous companies who
play by no rules and adhere to no standards of consumer
protection will be given the upper hand in the marketplace, and
this outcome would be devastating.
On the other hand, carefully worded and nuanced legislation
can set standards for the online industry and serve as a beacon
for the marketplace and for advertisers looking to use
legitimate technologies that can reach their target consumers.
We believe that the proceedings today and the FTC workshop to
be held in April will produce a detailed record that will
undoubtedly help inform future legislative efforts.
We look forward to continuing to work with you, Mr.
Chairman and the members of the subcommittee to develop a
comprehensive and effective solution to this pervasive problem.
Thank you.
[The prepared statement of Mr. Naider follows:]
Prepared Statement of Avi Z. Naider, President and Chief Executive
Officer, WhenU.com, Inc.
Introduction
Good afternoon, Mr. Chairman and members of the Subcommittee. I
thank you for the opportunity to appear before your Subcommittee as it
examines the issues surrounding ``spyware.'' I am Avi Naider, President
and Chief Executive Officer of WhenU.com, Inc. (``WhenU'').
WhenU and the Evolution of Contextual Marketing on the Internet
WhenU is an online contextual marketing company. Our software
delivers information about products and services to consumers online at
the moment that information is most relevant to them. WhenU addresses
an age-old problem: consumers' lack of access to potentially valuable
market information when they need it most. Although consumers are
inundated on a daily basis with information of all sorts, including
offers from advertisers, the value of such information is reduced
because it is not shown to the consumer at the right moment in time.
WhenU's software delivers highly pertinent coupons and advertisements
based on consumers' immediate interests, as reflected in their
immediate Internet browsing activity, yet is highly protective of
consumer privacy.
Contextual marketing technology as developed by WhenU evolved
naturally from the decades-old, multi-billion-dollar database marketing
industry, which at its core, relies on behavioral targeting of
consumers. Database marketing has been used for years by numerous
companies to analyze individual consumers' past purchasing behavior in
an attempt to determine what discounts and offers would be most
attractive to those consumers in the future. For example, American
Express tracks and analyzes the purchasing behavior of its credit card
holders and uses the information gleaned from such analysis to mail
potentially pertinent offers to such consumers.
More recently, companies have advanced the field of behavioral
marketing by deploying new technology-driven solutions. For instance,
Catalina Marketing has developed technology that links to the point-of-
sale (POS) systems of many grocery stores and analyzes the purchases of
individual consumers as they are scanned by the cashier. Based on the
particular products purchased by the consumer, targeted offers and
incentives for competing products are then immediately printed for the
consumer (typically on the back of his or her grocery store receipt).
Software-based contextual marketing technology as developed by
WhenU is a further evolution in the field of behavioral marketing.
Whereas traditional database marketing companies, and even innovators
such as Catalina Marketing, analyze a consumer's past and current
purchases to predict what the consumer will purchase in the future,
software-based online marketing technology assesses the activity of the
consumer in real time, at the very moment the consumer is researching a
certain product or category of products on the Internet. Essentially,
WhenU's technology utilizes the unique capabilities of the Internet
environment to offer the consumer information that might assist him or
her in making a purchase decision before the decision is made, at a
time when the information is most useful. Imagine that while you are
looking in a store window at a new DVD player, someone approaches you
with an offer to get a DVD player at a better price at a store down the
street. WhenU's technology allows the same thing to happen millions of
times per day by providing consumers with offers to purchase all types
of goods and services on the Internet.
The Internet by its very nature enables real-time contextual
marketing in a robust and scalable manner. Since the Internet is a
medium in which all activity is transmitted electronically, WhenU
software can scan the Internet browsing activities of a participating
consumer to determine his or her immediate interests, and connect
thousands of advertisers and millions of participating consumers with
the right advertisement or coupon when it is most relevant to the
consumer. WhenU's software effectively provides consumers with
comparative advertising that presents them with a choice. The idea
behind the WhenU software was to revolutionize targeted marketing from
the old model in which interests are deduced based on who a consumer is
and what their personal information is, to a new software-based system
that focuses on actual interests as reflected in their Internet
browsing activity: when you shop, when you travel, when you invest. In
fact, that's why we named the company WhenU. ``When you'' are about to
book a trip to London, WhenU software will deliver a relevant offer to
you.
Best of all, WhenU is able to deliver precisely targeted
advertisements that are highly relevant while at the same time
protecting consumer privacy. From the beginning, consumer privacy has
been important to WhenU. WhenU does not collect any personally-
identifiable information. The WhenU software does not track user data,
does not use cookies to track consumers, does not track users'
clickstream data, does not create anonymous user profiles, and does not
compile a centralized database of users. All of the activity takes
place on the user's computer (or ``desktop''). The only information
that is transmitted back to WhenU is information that allows us to show
advertisements and coupons to the consumer and make sure the offers we
do show are shown at the moment that they are likely to be most useful
to the consumer. We are proud of our privacy policy and explain it in
detail on our website.
WhenU's software represents a significant departure from the way
advertising online initially started. In general, early methods of
online advertising were not able to deliver on the promise of the
Internet as a rich, personalized consumer contact point. Poorly
targeted e-mails, banner ads, and non-contextual pop-ups have yielded
click through rates of less than one percent (1 percent), and millions
of wasted advertiser dollars. To leverage the full power of the
Internet and continue to develop the Internet into the kind of rich
revenue-generating medium it should be, advertisers have begun to
understand that successful online advertising must take advantage of
the Internet's unique potential to deliver targeted and relevant
advertising in response to what consumers are looking for.
As an example, paid online search, a model promoted currently by
companies such as Yahoo! and Google, represented as little as 3 percent
of the online advertising market in the year 2000, but this year is
expected to reach 37 percent as advertisers recognize the power of
delivering relevant ads to consumers seeking specific products. WhenU
believes that software-based advertising will similarly emerge as an
engine of major growth for the Internet in the future, as advertisers
and consumers continue to experience the power and richness of software
as a medium for delivering highly targeted and useful information and
advertising online.
WhenU's Desktop Advertising Network
The WhenU Desktop Advertising Network represents millions of
consumers who have installed the WhenU software on their computers.
Typically, consumers download the software as part of a package, or
``bundle,'' of software that enables consumers to get popular software
for free. Software companies routinely bundle revenue-generating,
advertising software (known as ``adware'') with free software programs
(known as ``freeware'') to enable them to offer the freeware to
consumers at no cost. In some instances, software developers might give
consumers the choice between paying for the software or agreeing to
receive ads from WhenU in exchange for getting the software for free.
Developers of such free software applications rely on the revenue
generated by software companies like WhenU to enable them to continue
to offer their software free of charge. In any event, consumers are
given a clear notice and choice whether or not to download WhenU
software.
Once downloaded, the WhenU software (called SaveNow, or Save!, but
referred to generally as SaveNow) resides on the consumer's computer
and generates advertisements through the use of a proprietary directory
that is delivered to and saved on the consumers' desktop when the
consumer installs the software. This proprietary directory is compiled
and updated by categorizing the Internet in much the same way as a
local Yellow Pages indexes merchants into various categories.
As a participating consumer ``surfs'' the Internet, the SaveNow
software studies page content, keywords, web addresses, and search
terms from the consumer's web browser to determine whether any of those
terms, web addresses and/or content match the information in the
directory. If the software finds a match, it identifies the associated
product or service category and determines whether an appropriate
advertisement for that category is available to be displayed, subject
to timing and frequency restrictions contained in the software.
With the WhenU software, it is ultimately the consumer who drives
whether a particular element will be included in the WhenU directory,
because the directory is intended to contain terms that reflect the
interests of the consuming public. Similarly, it is the user's actions
on his or her desktop that ultimately determine whether an
advertisement is eligible to be seen. Since its founding in February
2000, WhenU has delivered online marketing for more than four hundred
advertisers, including such well-known companies as Priceline, British
Airways, Delta Airlines, JPMorgan Chase, Kraft, Cingular, Ford, and ING
Bank.
In short, WhenU provides a useful and privacy-protective opt-in
service to participating consumers, provides a revenue model for
popular free software, and contributes to the development of the
Internet-enabled desktop as a comparative shopping medium.
What is Spyware?
``Spyware'' generally refers to software that appears harmless but,
once downloaded, operates differently than its stated functionality,
such as by stealing or transmitting personal data about the consumer
and his or her browsing habits, keystroke data, or clickstream
behavior. Spyware also can refer to software that sneaks onto users'
computers, masks its operations once it has been installed on the
computer, and is nearly impossible to uninstall. Sometimes programs
that are surreptitiously downloaded onto users' computers and show ads
whose source is not easily identifiable are referred to as spyware.
WhenU has sometimes been accused of being ``spyware.'' It is not
surprising that some people who do not understand the WhenU technology
think that it is invasive to privacy--how else, they wonder, can it
alert a consumer to a discount hotel site when that consumer is looking
at hotel rates in Washington, D.C.? However, properly understood,
WhenU's unique proprietary technology cannot be considered spyware.
WhenU's software-based advertising model respects the principles of
consumer choice and consumer privacy, in three distinct ways.
First, regardless of the method of distribution, during the
installation process, the consumer always receives a prior notice that
SaveNow is part of the download. To proceed with the installation of
SaveNow, the consumer must affirmatively accept a clear and concise
license agreement. The license agreement explains that the software
generates contextually relevant advertisements and coupons, utilizing
``pop-up'' and various other formats.
Second, once a user has installed the SaveNow software, it is easy
for a user to identify what the WhenU software does. WhenU makes the
ads, offers and coupons served by WhenU easy to identify. Ads on the
WhenU Desktop Advertising Network are displayed in a separate, WhenU-
branded window, including the marks ``Save!'' or ``SaveNow'', depending
on the particular download partner, and other elements specially
included in the WhenU window. In addition to WhenU's unique branding,
every WhenU offer also contains a notice on its face that: ``This is a
WhenU offer and is not sponsored or displayed by the websites you are
visiting.'' And, with WhenU's highly protective privacy policy, users
do not have to be concerned about privacy, since no personal
information is transmitted to or collected by WhenU. In fact, WhenU's
strict privacy policy far exceeds current standards in the Internet
advertising industry.
Finally, after accepting a license agreement and downloading the
software, consumers can easily remove or ``uninstall'' the software
from their computers if they no longer wish to keep it. Every ad shown
by WhenU contains links to further information about the software and
information about how to uninstall it. In addition, these links also
allow consumers to easily contact WhenU by e-mail for more information.
The software can be easily uninstalled through the computer's Control
Panel Add/Remove Programs menu, the standard process used for
uninstalling most Windows-based software. Once properly uninstalled,
the WhenU software will cease to operate or show advertisements or
coupons on the consumer's computer.
The Threat of Spyware and the Solutions to Spyware
Spyware is a serious problem affecting millions of computer users
every day. If the spyware problem continues to grow, unabated, it may
deter computer users from the Internet and slow the creation and
dissemination of new and innovative software programs available to
users from the Internet.
As discussed above, WhenU is very different from ``spyware.'' But
notwithstanding these significant differences, WhenU is often swept in
with software that threatens user security and privacy. That is why we
believe that it is necessary and desirable for Congress and the FTC to
regulate this area in order to protect consumers from spyware and
protect the development of the Internet as a rich and promising medium.
Current efforts being employed to address consumer concerns are
helpful, but they typically fail to get at the real problems presented
by spyware. For instance, the marketplace is replete with ``anti-
spyware'' software, but many of these software programs are
indiscriminate in their identification of so-called ``spyware'' and, as
a result, often identify benign programs or even files such as cookies,
which are commonly employed by Internet websites to identify users who
have accessed the site previously. Moreover, most of these programs
prompt users to uninstall any software identified as spyware or as a
threat. As a result, consumers may be prompted to unknowingly uninstall
software that is far from nefarious and that they or another member of
their household quite deliberately installed. Users may even have paid
for software they are prompted to uninstall, or they may be required to
keep such software to support free software that they have also
installed. If marketplace solutions unduly burden the revenue model
that software providers rely on to continue to offer their software for
free, it will discourage the creation and distribution of free
software, and force consumers to have to pay for such programs.
At the same time, State legislative solutions are being proposed to
respond to the growing menace of spyware, but many of these proposed
solutions suffer from the same problems created by ``anti-spyware''
software: They inadvertently regulate or even restrict consumer-
friendly, privacy-protective and mainstream software while failing to
protect consumers against software that truly threatens consumer
privacy and security. They are also subject to the concerns of local
businesses and may not address the problem from a national perspective.
As a consequence, these solutions, such as the one recently proposed
and passed by the legislature in Utah, are generally ineffective and
overly broad.
WhenU is in favor of Federal efforts to combat spyware, and fully
supports the principles behind the SPY BLOCK Act. As per our practice,
WhenU believes that users should receive notice about any application
before they download it, should be required to affirmatively accept a
clear license agreement that discloses the nature of the application
and its functionality, should be presented with information that
identifies the source of every window that is generated by software on
their desktop, and should be able to uninstall any software application
through standard and easily accessible means. WhenU also is in favor of
legislation that provides that the Attorney General, States Attorneys
General and the FTC should be solely responsible for implementing and
enforcing its provisions. However, WhenU first supports careful study
and consideration of the problems surrounding spyware. How to combat
``spyware'' is a complex issue, and we believe the approach lawmakers
should take to address the issue should be as nuanced as the problem
itself.
Ironically, carelessly worded spyware legislation that lacks nuance
will do more to promote the spyware problem than solve it. If
legitimate advertising models that truly give choice to consumers are
lumped in with nefarious software that intends to deceive, rogue and
unscrupulous companies who play by no rules and adhere to no standards
of consumer protection will be given the upper hand in the marketplace.
And this outcome would be tragic. On the other hand, carefully worded
and nuanced legislation can set standards for the online industry and
serve as a beacon for the marketplace and for advertisers looking to
use legitimate technologies that can reach their target consumers.
We believe that the proceedings today and the FTC Workshop to be
held in April will produce a detailed record that will undoubtedly help
inform future legislative efforts. We look forward to continuing to
work with you, Mr. Chairman, and the members of the Subcommittee, to
develop a comprehensive and effective solution to this pervasive
problem. Thank you.
Senator Burns. Thank you very much. Robert Holleyman, thank
you for coming today, Software Alliance.
STATEMENT OF ROBERT W. HOLLEYMAN II, PRESIDENT AND CEO,
BUSINESS SOFTWARE ALLIANCE (BSA)
Mr. Holleyman. Mr. Chairman, Senator Wyden, it's indeed a
pleasure to be here this afternoon testifying on behalf of the
member companies of the Business Software Alliance. Our
organization works for leading developers of personal computer
software, enterprise software, our key hardware partners and
Internet technology developers on public policy issues in the
United States, where we're headquartered, and in more than 65
countries around the world.
I am delighted to be able to talk with you today about
options to provide the best way to protect consumers from the
problems associated with spyware. At the Business Software
Alliance, we applaud the intent of the SPY BLOCK Act that you
have introduced along with Senators Wyden and Boxer.
This afternoon I'd like to make three key points. First,
computer snooping or spying on computer users is reprehensible
behavior that invades our privacy. However, the problem is with
bad behavior, not bad software tools or products.
Second, for this very reason, Congress should ban only the
behavior and not the technology. And third, we believe that the
bill as introduced can be enhanced by focusing more directly on
punishing such behavior. Doing so would accomplish the current
intent of the bill without placing Congress in the position of
approving or disapproving technologies.
Indeed, Mr. Chairman, you and the other Members of this
Committee have been leaders in adapting laws to the information
age. You've done so carefully, deliberately, and in a well
thought out fashion. We agree fully that we need to stop e-
spying and that it will harm the consumer experience in using
their computers and the Internet. It is wrong and it should be
stopped.
But it's also essential that we recognize that the problem
comes from bad people, bad actors, not from bad products. That
same underlying technology that can enable spyware also may
power many legitimate applications that benefit millions of
computer users every day.
Mr. Chairman, I feel like I'm preaching to the choir. Last
year Congress stopped unwanted telemarketing, not telephones.
You canned SPAM by criminalizing fraudulent conduct, not by
banning commercial e-mail. And in the 1990s, you wisely
recognized it was unwise to try to ban encryption technology,
choosing instead to focus on those who might use encryption to
commit crimes.
Your Committee and the Congress as a whole has wisely and
consistently avoided technology mandates. You understand that
the U.S. technology industry and our own leadership in high-
tech innovation are crucial to America's economic future.
We appreciate the author's clear intent to protect
legitimate software from being swept into the bill and you've
done so through a series of definitions and exceptions that the
bill employs. However, at the same time, the BSA feels that
these definitions can be fraught with peril in the current
software environment, especially as new technological
developments occur.
As an alternative, we suggest that the Congress focus on
the most egregious practice of commercialization of information
from electronic spying. Congress should prohibit the
distribution of user information obtained electronically from
an individual's computer unless one of two tests is met.
Either the person seeking to sell the information must show
that it was collected with the user's permission or that it was
obtained from an entity that collected the information with
such permission.
Such an approach would achieve the main objective of
stopping e-spying while significantly avoiding the tough
definitional issues and their implications for the future
development of technology.
With respect to enforcement, we agree that the FTC should
be given primary responsibility. The FTC should treat
violations as an unfair or deceptive activity under the FTC
Act. We also believe that the Justice Department should be
authorized and empowered to subject those who violate the
legislation to criminal fees and imprisonment under Title 18 of
the United States Code. That would send a clear message that
the commercialization of information from electronic spying
will not be tolerated.
However, we think that state attorneys general should be
given enforcement authority in this area only if we have a
Federal standard. Remote access electronic spying through
spyware is a national problem and we think it should be treated
as such.
I'd like to thank you again, Mr. Chairman, for the
opportunity to talk today on the issue of spyware and the SPY
BLOCK bill. We believe that working together this bill can be
enhanced to directly and effectively address the issue we're
all most concerned about, electronic spying. The BSA is eager
and willing to work with you and the other members of the
Committee in that regard, Mr. Chairman. Thank you for this
opportunity to testify.
[The prepared statement of Mr. Holleyman follows:]
Prepared Statement of Robert W. Holleyman II, President and CEO,
Business Software Alliance (BSA)
Good morning. Thank you very much for the opportunity to testify
here today. My name is Robert Holleyman and I am President and CEO of
the Business Software Alliance (BSA).\1\
---------------------------------------------------------------------------
\1\ The Business Software Alliance (www.bsa.org) is the foremost
organization dedicated to promoting a safe and online world. The BSA is
the voice of the world's software and Internet industry before
governments and with consumers in the international market place. Its
members represent the fastest growing industry in the world. The BSA
members include: Adobe, Apple, Autodesk, Avid, Bentley Systems,
Borland, Cisco Systems, CNC Software/Mastercam, HP, IBM, Intel,
Internet Security Systems, Intuit, Macromedia, Microsoft, Network
Associates, PeopleSoft, RSA Security, SolidWorks, Sybase, Symantec, UGS
PLM Solutions Inc. and VERITAS Software.
---------------------------------------------------------------------------
BSA represents the world's leading developers of software, hardware
and Internet technologies both in the U.S. and internationally. Our
mission is to educate computer users on software copyrights and cyber
security, advance public policy that fosters innovation and expands
trade opportunities, and fight software piracy. We are headquartered in
Washington, D.C., and are active in over 65 countries internationally.
It is a pleasure to be with you today to discuss a serious issue of
consumer protection: protecting millions of computer users from those
who secretly install software on computers in order to obtain
information about those users. Such software goes by the name of
``spyware.'' That is clearly the intent of the SPY BLOCK Act (S.2145)
introduced by Chairman Burns and Senators Wyden and Boxer. It is also
the intent of the Safeguard Against Privacy Invasions Act (H.R. 2929)
introduced by Representatives Bono and Towns.
Mr. Chairman, you and the other members of this Committee have been
leaders in adapting our laws to the information age--carefully and
deliberately, with a scalpel not a saw. This morning I would like to
make three points.
First, computer snooping, or spying on computer users, is a
reprehensible practice that invades our privacy. However, the problem
is with bad behavior, not bad software tools or products.
Second, for that reason Congress should continue to ban the
behavior not the technology. The problem is with abuse, not use, of
technology.
Third, we believe the bills as introduced can be improved by
focusing more directly on punishing the behavior rather than the means
by which it is accomplished. Such an approach enables Congress to avoid
having to make very difficult decisions about the design and operation
of technology.
Stop E-Spying
We agree with the members of this Committee, other Members of
Congress, and the public who rightfully complain about those who hijack
computers. There is no policy rationale to justify the actions of those
who secretly insert a computer program into someone's PC in order to
collect information about that individual or his or her computer
habits. It is, pure and simple, an invasion of our privacy. It is wrong
and it should be stopped. It is also a national problem and needs a
national solution.
Clearly some of these invasions of privacy are intended to, and do,
cause economic harm. Someone might be trying to gain insider business
information or corporate secrets. Others might be engaged in identity
theft--a practice that is estimated to cost American consumers more
than $50 billion each year. But electronic snooping is no less invasive
if the information is being gathered ``only'' for marketing or research
purposes.
Ban Behavior Not Technology
It is essential that we recognize that the problem comes from bad
people, not bad products. The same underlying technology that can
enable spyware also may power many legitimate applications that benefit
millions of computer users every day.
Let me put it a different way. We don't ban crowbars because some
people use them to break into houses. We don't ban cars because some
people use them to flee from a crime. And last year Congress did not
ban telephones because some people use them to make unwanted marketing
calls. Instead, Congress addressed the offensive behavior and
established procedures to control telemarketing.
Mr. Chairman, I feel like I am preaching to the choir. The Commerce
Committee has been a leader in applying this principle to developing
computer technologies.
Just last year you moved aggressively and appropriately to ``CAN-
SPAM.'' That legislation criminalized fraudulent conduct and
established clear rules for legitimate business to follow. It made it
illegal to access a computer without authorization and use it to send
out bulk unsolicited commercial electronic mail or to hide or falsify
information about the sender or subject matter of spam. The Act also
required the inclusion of a functioning return e-mail address and a
prohibition on sending messages to recipients who opt not to receive
them. It also addressed more ``aggravated violations'' such as the use
of harvested addresses or the automated creation of multiple electronic
mail accounts. But what the bill did not do is to get in the way of the
continued development of innovative technological solutions to combat
spam and protect consumers.
Mr. Chairman, this committee also successfully applied this
principle during the encryption battles of the 1990s. You understood
well that it was pointless to try and ban a technology prevalent around
the world. Your ``PRO-CODE'' bill in 1996 prohibited the government
from designing and mandating encryption standards and promoted the use
of commercial encryption. At the same time, you also agreed with
Senator Leahy in his legislation, as well as the House bill introduced
by Representatives Goodlatte and Lofgren (the ``SAFE'' Bill), that it
was unlawful to use encryption in the commission of a crime.
Even the Communications Decency Act of 1996 (Title V of the
Telecommunications Act of 1996), which among other things sought to
address the problem of on-line pornography and minors, did not ban the
then emerging ``interactive computer service.'' Instead the Act
criminalized the use of such a service to send or display obscene and
indecent content to those under 18. The Act also established a defense
for those who in good faith took reasonable, effective and appropriate
actions to restrict or prevent access by minors (including
technological means to do so) but precluded the FCC from endorsing,
approving, sanctioning or permitting particular products.
This built on the underlying approach of the 1984 Computer Fraud &
Abuse Act which has been amended many times since to expand and
strengthen its criminal and civil penalties against computer abusers.
This statute penalizes those who access a computer without appropriate
authorization and cause broadly defined damage. This statute addresses
both those who trespass in cyberspace for commercial gain as well as
those who seek to cause harm by launching computer viruses. Indeed, one
possible solution to the problem of electronic snooping would be to
make illegal the act of commercializing information obtained through
surreptitious means.
Why has Congress consistently prohibited conduct not technology?
Why has Congress refrained from interfering with the marketplace by
dictating the design or operations of computers and consumer
electronics?
Congress has wisely avoided technology mandates because you
understand that the U.S. technology industry is the envy of the world.
It has been responsible for incredible improvements in productivity,
millions of jobs, billions of dollars in exports, and immense benefits
to every consumer. Government intervention that replaces marketplace
solutions with governmental decisions endangers America's technology
leadership and hurts users of technology products by stifling
innovation, freezing in place particular technologies, impairing
product performance, and increasing consumer costs.
Focus and Improve The Legislation
We believe the pending legislation should be changed to focus even
more clearly on what we are trying to stop, not the technology tools to
do so. We also think that the most immediate, concrete and compelling
problem is electronic spying--the unauthorized acquisition and use of
information from individuals.
Currently the SPY BLOCK bill has numerous definitions, requirements
and exemptions which involve making technical decisions about the
operations of today's computers--as well as the direction of future
technology. The bill:
  - attempts to define computer software, cookie, install;
network information; information collection feature,
advertising feature, distributed computing feature, and
settings modification feature;
  - in the case of advertising, distributed computing, and
settings modification features requires descriptions of how
those features will operate on, and with, a particular computer
(e.g., ``the nature, volume of information or messages, and the
likely impact on the computer's processing capacity of any
computational or processing tasks the computer software will
cause the computer to perform . . .'');
  - directs certain technical uninstall operations; and
  - necessarily seeks to exempt ``any feature of computer
software that is reasonably needed to provide capability for
general purpose online browsing, electronic mail, or instant
messaging . . . determine whether or not the user of computer
is licensed or authorized to use the computer software and
provide technical support for the use of the computer software
by the user of the computer.''
We believe the problems inherent in such an approach can be avoided
if Congress instead focuses directly on the behavior we are trying to
stop: the unauthorized acquisition and commercialization of
information.
We suggest that Congress simply prohibit the distribution in
interstate commerce of user information obtained electronically from an
individual's computer, unless the person seeking to sell the
information can show that it was collected with the user's explicit
permission or that it was obtained from an unaffiliated entity that
represents it had collected the information with such permission. Such
an approach significantly mitigates the definitional issues in the bill
as introduced--and their implications for the development and use of
technology--while achieving the objectives of the legislation.
We also believe that what the bill calls advertising, distributed
computing, and settings modification features should not be included in
this legislation. None of these issues has risen to the same level of
concern or been examined nearly as much as electronic spying. Each of
these areas also raises separate and distinct substantive and political
issues.
For example, having just spent nearly a year implementing
legislation to control spam, we are concerned that additional
legislation on advertising at this point would detract from the current
focus on spying. We also think it is worthwhile to more closely examine
existing laws that address deceptive advertising and business
practices. Similarly, the case of distributed computing raises new
questions. We understand the concern about ``zombie'' machines utilized
without consent--as opposed to the enthusiastic voluntary participation
of tens of thousands in the search for extraterrestrial intelligence
(the SETI project). But the concept of ``grid computing'' is just
emerging as a serious commercial enterprise and we would be hesitant to
casually address it in this bill. Finally, we believe the area of
settings as well as their modification is integrally related to on-
going efforts to address cybersecurity concerns. Once again, we would
be reluctant to address those issues in this bill. As many of the
Committee's members know, BSA has been extremely active in efforts to
make computing safer and more secure. BSA was one of the hosts and
cosponsors of the Department of Homeland Security Cybersecurity Summit
last December and throughout this month we are announcing the
significant results from private sector efforts initiated at the
summit.
More generally, we note that each of these areas may also be
amenable to technological and business practices. We think Congress
should be careful not to preclude the evolution of tools and
marketplace solutions.
With respect to enforcement, we agree that the FTC should be given
primary responsibility. The FTC should treat violations as an unfair or
deceptive act under the FTC Act. We understand that other regulatory
agencies may have enforcement responsibility in other areas.
We also believe that the Department of Justice should be authorized
and empowered to subject those who violate the legislation to criminal
fees and imprisonment under Title 18 of the United States Code. We
should send a clear message that engaging in electronic spying is
reprehensible and will not be tolerated.
However, we think that the State Attorneys General should be given
enforcement authority in this area only if we have a Federal standard.
Remote access electronic spying through ``spyware'' is a national
problem. We think it should be treated as such. The obvious problem
with empowering State Attorneys General in the absence of a Federal
standard is the prospect for many different enforcement actions based
on many different theories and many different standards.
Conclusion
Thank you again for this opportunity to comment on the issue of
``spyware'' and the SPY BLOCK bill. Working together, I believe the
bill can be improved to more directly and effectively address the issue
we are all most concerned about: electronic spying.
Senator Burns. Thank you. We appreciate that very much. Now
Jerry Berman, President of the Center for Democracy and
Technology, and welcome Mr. Berman.
STATEMENT OF JERRY BERMAN, PRESIDENT, THE CENTER FOR DEMOCRACY
& TECHNOLOGY
Mr. Berman. Thank you, Senator and Senator Burns, Senator
Wyden, again, you are in the forefront of trying to protect
privacy and user control of their computers on the Internet and
we applaud you, both for your earlier efforts on behalf of
trying to pass general privacy legislation, which I think is
also involved in this issue, and also to try and craft a bill
to deal with this very pernicious problem.
But I want to caution that before we rush to judgment we
need Federal intervention here. We don't need a plethora of
state statutes, but we really have to spend a little time, take
a deep breath, and try and define what we're after here,
because if we're over-broad and include all computer software,
I think it will be a nightmare to carve out the exceptions of
what we're really worried about, and spyware has been defined
very broadly. Your bill begins to carve down and deal with the
real problems.
But in all of these cases, they may be over inclusive and
only talk about privacy when the problem may be broader than
that and go beyond privacy to whether, as you point out,
consumers can control their own computers and whether they're
being hijacked, and that doesn't fit under this, quote,
spyware, it's something bigger than that. And I think we've got
to put some of this terminology around and not get confused by
it.
I agree with Mr. Holleyman that we need to step back and
say, what is the behavior that we're worried about here, what
gets us upset about software which performs functions which is
being downloaded on your computer when you click on an ad, when
you go and get a free service like Kazaa or in a peer-to-peer
network or through e-mail or just by browsing on the Internet.
Suddenly software is being downloaded on your computer and it
is performing certain functions. What is the behavior that's
being performed by specific software, not all software but
specific software that we care about?
One, I give you three categories. One is software of
spyware, if you like, that is collecting information, personal
information from you on your site without notice or consent at
all and delivering it to another party. That's a clear snoopy
privacy violation and it applies to keystroke loggers and a
whole bunch of other technologies, but rather than focus on the
technology, focus on the behavior.
The second category is information that is being collected
about you and delivered to another site or to another person
with inadequate notice and consent. They're saying, you
consented, you clicked on the site, it popped up an end user
licensing agreement six pages long, somewhere in there it said
you're consenting to receive ads, you're consenting to give us
information, and as part of your Web browsing experience
someone clicked on it, maybe your son clicked on it at night,
my son clicked on it at night and now a software program is
resident in my computer that's collecting information and
sending it to another party. I don't think that we need to deal
with inadequate notice and consent.
There's a third category which goes beyond spyware and
privacy altogether. It goes into user control over computer. If
I don't have enough notice and consent and I am now--resident
on my computer is a program that's popping up ads, they may not
collect information, but if I don't really transparently deal
with that company when I click and download that software, and
I now have a computer that's serving up ads and I may not know
anything about it, someone in my family may have clicked on it,
but if I agreed to that, is it popping up and letting every
user in that family agree to it?
There's this third category where your computer's being
hijacked. They take over your Web browsing experience. We have
just filed a complaint at the Federal Trade Commission about a
company that you click, you download the software, it opens up
your disk drive, it pops up a note and says your computer lacks
a lot of security and it advertises on your Web page for spy
block and it's Spy Wiper and it's saying you need to buy this
software. That is privacy, that's hijacking my computer, and it
almost amounts, I think, to computer fraud and abuse under the
computer fraud and abuse statute.
Which brings us--all of this behavior--I want to cut my
testimony short but say, if we define the behaviors, then we
can begin to pick at several different solutions bases. What
needs to be covered by general privacy legislation? It would be
interesting to only cover spyware when the notice and
collection of information unfairly applies to websites too and
other outliers. Why don't we go back to principle one?
The second issue is we need to look at what--is our Federal
Trade Commission complaint going to work? If it is, or the
computer fraud and abuse statute applies or ECBA applies, we
need to sort that out so we're not duplicating and creating
another law.
Beyond that, we need to look at how technology being
offered by AOL and Earthlink allows us to sweep spyware. It's a
combination again, as in the spam area. We need legislation, we
need technology, we need industry practices, but we need to
come together and help define that problem. That's why we've
written a report, that's why we have a working group, that's
why we're here today, that's why we're going to the Federal
Trade Commission on April 9.
That's enough for now. I'm anxious to work with all of you
to try and resolve this issue. Thank you.
[The prepared statement of Mr. Berman follows:]
Prepared Statement of Jerry Berman, President,
The Center for Democracy & Technology
Mr. Chairman and members of the Committee, the Center for Democracy
& Technology (CDT) is pleased to have this opportunity to speak to you
about the growing threat to consumers and Internet users posed by
spyware and other invasive or deceptive software applications.
CDT is a non-profit, public interest organization dedicated to
preserving and promoting privacy and other democratic values and civil
liberties on the Internet. CDT has been deeply engaged in the policy
debate about the issues raised by so-called ``spyware.'' In November,
2003, CDT released a report ``Ghosts in Our Machines: Background and
Policy Proposals on the `Spyware' Problem,'' \1\ providing background
on the spyware issue, evaluating policy and other solutions, and
presenting advice for Internet users about how to protect their
personal information and their computers from these programs. At the
same time, CDT launched our public ``Campaign Against Spyware,''
calling for Internet users to send us descriptions of the problems they
have encountered with these invasive applications.\2\ CDT is also
engaging in in-depth meetings with the wide range of stakeholders in
the spyware issue, including ISPs, software companies, and consumer
groups.
---------------------------------------------------------------------------
\1\ http://www.cdt.org/privacy/031100spyware.pdf
\2\ http://www.cdt.org/action/spyware
---------------------------------------------------------------------------
The proliferation of invasive software referred to as ``spyware''
is a large and rapidly growing concern. These deceptive applications
compromise users' control over their own computers and Internet
connections, and over the collection and sharing of their personal
information. We praise the chairman and this Committee for holding this
hearing on S. 2145--the SPY BLOCK Act--and thereby bringing public
attention to this serious and complex issue.
In our testimony today, we hope to address three principal
questions:
What is ``spyware?'' The term spyware is extremely difficult
to define precisely, and can itself be misleading. The term has
been used to describe a wide and diverse range of software.
What these programs have in common is a lack of transparency
and an absence of respect for users' ability to control their
own computers and Internet connections.
How bad is the problem? It is difficult to precisely
quantify the damage caused by these invasive applications--but
it is clear that the problem is severe. Spyware is widespread
and can threaten privacy, security, and computer performance.
Even the less invasive forms of spyware can seriously
inconvenience users and impose serious strains on the technical
support resources of schools and legitimate businesses.
How can we respond to the problem? Responding to the problem
of spyware requires a multifaceted approach.
Existing law could go a long way toward reducing the
problem of spyware. While longstanding fraud statutes
already cover many of the issues raised by these
applications, currently they are rarely enforced against
spyware programmers and distributors. We encourage Congress
to provide law enforcement with the necessary resources to
understand the phenomenon of spyware and to bring to bear
strong enforcement of these laws.
Fundamental to the issue of spyware is the overarching
concern about online Internet privacy. Legislation to
address the collection and sharing of information on the
Internet would resolve many of the privacy issues raised by
spyware. We look to Congress to seize this important
opportunity to address this larger issue. If we do not deal
with the broad Internet privacy concerns now, in the
context of spyware, we will undoubtedly find ourselves
confronted by them yet again when they are raised anew by
some other, as yet unanticipated, technology.
To be effective, legislation and enforcement
approaches will have to be carried out concurrently with
better consumer education, industry self-regulation and the
development of new anti-spyware technologies.
Legislation directed at some of the specific issues raised by
software--such as notice and consent for installation--may also
have a role to play. While crafting such legislation will be
difficult, the SPY BLOCK Act demonstrates the progress that has
already been made in our understanding of the spyware problem.
The bill plays a critical role in advancing the inquiry about
spyware and developing approaches to addressing the issue.
We address each of these questions in more detail in turn below.
I. Understanding and Defining Spyware
No precise definition of spyware exists. The term has been applied
to software ranging from ``keystroke loggers'' that capture every key
typed on a particular computer; to advertising applications that track
users' web browsing; to programs that hijack users' system settings. In
some cases, it has even been applied to web cookies or system update
utilities designed to provide security patches directly to users.
Spyware programs can be installed on users' computers in a variety of
ways, and can have widely differing functionalities.
What the growing array of invasive programs have in common is a
lack of transparency and an absence of respect for users' ability to
control their own computers and Internet connections. The debate over
precisely how to define the term spyware (as well as other related
terms such as ``malware'' or ``adware'') has been contentious, in some
cases even leading to legal threats between companies.\3\ But this
semantic dispute diverts attention from the underlying question: Are
consumers offered meaningful notice and choice about the programs
installed on their computers and the ways in which their computers and
Internet connections are used?
---------------------------------------------------------------------------
\3\ See, e.g., Paul Festa, ``See you later, anti-Gators,''
CNET.com, October 22, 2003 (available at: http://news.com.com/2100-1032_3-5095051.html)
---------------------------------------------------------------------------
The most egregious forms of spyware (sometimes called ``snoopware''
to distinguish them from other categories) are typically stand-alone
programs installed intentionally by one user onto a computer used by
others. Some capture all keystrokes and record periodic screen shots,
while others are more focused, collecting lists of websites visited or
suspected passwords. These programs have legal uses (e.g., for certain
narrow kinds of employee monitoring) as well as many clearly illegal
ones.
The more widespread spyware problem is that of applications
installed on Internet users' computers in the course of browsing online
or downloading other unrelated software. Users are typically unaware
that these programs are being installed on their computers. Many
``piggyback'' on other free applications, such as screen savers, system
utilities, or peer-to-peer filesharing programs. In many cases, the
only notice to the user about installation of such a secondary program
is buried in a long and legalistic ``end user licensing agreement.'' In
some instances, no notice of the bundling is provided at all. Other
programs trick users into authorizing installations through deceptive
browser pop-ups, or exploit security holes to install themselves
automatically when a user visits a particular website. In some
instances, once a program is installed, it begins to download and
install other software with no notice to the end user.
Spyware programs perform a variety of functions once they have
gained access to a computer. Many track users' web browsing and deliver
pop-up advertisements. While there is nothing inherently objectionable
about using advertising, including targeted advertising, as a means to
support free software, advertising software must function in a way that
is transparent to users, and users must have control over its
installation and the ability to remove it.
Other spyware programs can change the appearance of websites,
modify users' ``start'' and ``search'' pages in their browsers, or
change low level system settings without notifying users or obtaining
their consent. Some will even co-opt users' Internet connections to
send out spam. Such software is often responsible for significant
reductions in computer performance and system stability.
Although much of the discussion about the spyware problem to date
has focused on the privacy dimension of the issue, clearly many of
these behaviors raise concerns beyond privacy. The term spyware itself
can be misleading in some of these cases; arguably, a better term would
be ``trespassware.''
Many spyware applications resist uninstallation. For example,
advertising programs that are originally installed as part of a
``bundle'' with other free software may not be removed when the main
application is uninstalled. In some cases, spyware applications do not
appear in the standard ``Add/Remove'' programs or other uninstallation
feature of the system. In egregious instances, some programs reportedly
even reinstall themselves after the user has made deliberate efforts to
eliminate them.
No single behavior of this kind defines ``spyware.'' However,
together they characterize the transparency and control problems common
to such applications. Disagreements will continue about whether
particular applications do or do not deserve this label. In the end, it
may be best to think of spyware not as a discrete and well defined
category, but as the bad end of a spectrum of software practices,
ranging from industry best practices for transparency, notice, and
control on one end, to clearly deceptive and fraudulent behaviors on
the other. Unfortunately, the resistance of spyware to easy definition
makes writing legislation to address the problem difficult, as we
discuss in detail in Section III below.
II. Severity of the Spyware Threat
It is difficult to quantify the spyware problem because of the
definitional questions mentioned above, and because the speed with
which new spyware applications can appear and change makes reliable
detection of the programs difficult. However, several indicators point
toward the severity of the problem.
Since CDT launched our public ``Campaign Against Spyware'' in
November 2003, we received over 300 accounts of problems encountered
with various spyware applications. The sources of the responses
demonstrate that the problem is pervasive--respondents included
individuals dealing with the issue on corporate networks, on computers
in schools, and on government networks. These users name a wide array
of specific programs and identify several categories of concerns,
including loss of privacy, decreased stability, and the inability to
use their computer, either because of barrages of pop-ups, or as a
result of severely diminished performance.
System administrators also responded to our ``Campaign Against
Spyware.'' One of the biggest concerns raised by network administrators
relates to the security holes created by these applications. Some
spyware programs open major vulnerabilities by including the capability
to automatically download and install additional pieces of code with
minimal security safeguards. This capability is often part of an
``auto-update'' component.\4\
---------------------------------------------------------------------------
\4\ See, e.g., Saroiu, Stefan, Steven Gribble, and Henry Levy.
``Measurement and Analysis of Spyware in a University Environment''
Proceedings of the First Symposium on Networked Systems Design and
Implementation, March 2004 (available at: http://www.cs.washington.edu/homes/gribble/papers/spyware.pdf).
---------------------------------------------------------------------------
Network administrators report that spyware is as much or more of a
problem than spam, viruses, or other security maintenance. One
administrator told us that as many as 90 percent of the computers on
the networks he manages have been infected with some variety of
``spyware.'' Another technical support worker reported that the
majority of the problems he encounters can be traced back to
``spyware,'' and that his first recommendation to correct stability or
performance problems is to run one of the free spyware search and
removal utilities available on the Internet.
In our discussions with industry, CDT learned that invasive spyware
applications also cause substantial harm to ISPs and distributors of
legitimate software. In many cases, consumers are mistakenly led to
believe that the problems resulting from spyware applications are a
problem with another, more visible application or with their Internet
provider. This confusion places a substantial burden on the support
departments of providers of those legitimate applications and services.
Not only are affected users required to pay for otherwise unnecessary
technical support calls, but those calls impose significant costs on
businesses offering the support. Some industry representatives we
talked to estimated that the additional costs run in the millions or
tens of millions of dollars.
III. Responses to Spyware
Combating the most invasive spyware technologies will require a
combination of approaches. First and foremost, vigorous enforcement of
existing anti-fraud laws should result in a significant reduction of
the spyware problem.
Addressing the problem of spyware also offers an important
opportunity to establish in law baseline standards for privacy for
online collection and sharing of data. Providing these protections
would not only address the privacy concerns that current forms of
spyware raise, but would put in place standards that would apply to
future technologies that might challenge online privacy. Anti-spyware
tools, better consumer education, and self-regulatory policies are also
all necessary elements of a spyware solution.
Legislation to establish standards for privacy, notice, and consent
specifically for software, such as the SPY BLOCK act currently before
this Committee, may play an important role as well. The challenge to
such efforts is in crafting language that effectively addresses the
spyware issue without unnecessarily burdening legitimate software
developers or unintentionally hindering innovation. We believe the
current bill represents a major step forward, although several concerns
still exist.
So far the efforts to address the spyware issue are all in very
preliminary stages. They will each require cooperation among
government, private sector, and public interest initiatives. We discuss
each approach in turn below.
Enforcement of Existing Law
CDT believes that three existing Federal laws already prohibit many
of the invasive or deceptive practices employed by malevolent software
makers. Better enforcement of these statutes could have an immediate
positive effect on the spyware problem.
Title 5 of the Federal Trade Commission Act is most directly
applicable to the most common varieties of spyware. We believe that
many of the more invasive forms of spyware discussed above clearly fall
under the FTC's jurisdiction over unfair and deceptive trade
practices.\5\ To our knowledge, the FTC so far has not brought any
major actions against spyware makers or spyware distributing companies.
In February, CDT filed a complaint with the FTC against two companies
for engaging in ``browser hijacking'' to display deceptive
advertisements to consumers for software sold by one of the
companies.\6\
---------------------------------------------------------------------------
\5\ Examples of clearly deceptive or unfair practices include:
installing unwanted applications without giving users
notice in the end user license agreement or another form;
providing notice only in a license agreement that is
misleading or unclear, leading consumers to think they are downloading
one program when in fact they are downloading and installing an
application that does something completely different;
utilizing consumer resources such as computer power or
bandwidth or that capture personal information without consent; or
distributing programs that evade uninstallation.
\6\ Complaint and Request for Investigation, Injunction, and Other
Relief, in the Matter of MailWiper, Inc., and Seismic Entertainment
Productions, Inc., February 11, 2004 (available at http://www.cdt.org/privacy/20040210cdt.pdf).
---------------------------------------------------------------------------
The FTC's plan for a workshop in April on ``Monitoring Software on
Your PC: Spyware, Adware, and Other Software,'' is an encouraging
indication that the Commission is devoting greater attention to this
issue. CDT hopes that the clear message emerges from this workshop that
the FTC must take a more prominent role in addressing this issue.
We believe that one of the most immediate ways in which Congress
could have a positive impact on the spyware problem is by directing the
FTC to increase enforcement against unfair and deceptive practices in
the use or distribution of downloadable software and by providing
increased resources for such efforts.
Several laws besides the FTC Act may also have relevance. The
Electronic Communications Privacy Act (ECPA), which makes illegal the
interception of communications without a court order or permission of
one of the parties, may cover programs that collect click-through data
and other web browsing information without consent. The Computer Fraud
and Abuse Act (CFAA) also applies to some uses of spyware. Distribution
of programs by exploiting security vulnerabilities in network software,
co-opting control of users' computers, or exploiting their Internet
connection can constitute violations of the CFAA, especially in cases
where spyware programs are used to steal passwords and other
information.
In addition to Federal laws, many states have long-standing fraud
statutes that would allow state attorneys general to take action
against invasive or deceptive software. Like their Federal
counterparts, these laws have not been strongly enforced to date.
New Legislation
CDT has argued that the most effective way to address the spyware
problem through legislation is in the context of online privacy
generally. Specifically, we believe that the privacy dimension of
spyware would best be addressed through baseline Internet privacy
legislation that is applicable to online information collection and
sharing irrespective of the technology or application. CDT has
advocated such legislation before the Senate Commerce Committee and in
other fora. Until we address the online privacy concern, new privacy
issues will arise as we encounter new online technologies and
applications.
At the same time, certain aspects of the spyware problem extend
beyond the privacy issues. Privacy legislation would not, for example,
apply to software that commandeers computing resources but does not
collect or share user information. A comprehensive legislative solution
to spyware should address the user-control aspects of the issue--
piggybacking, avoiding uninstallation, and so on.
The SPY BLOCK Act currently before this Committee represents an
important first step towards addressing some of these problems. We
appreciate the desire to craft targeted legislation focusing on some of
the specific problems raised by spyware, and CDT applauds Senators
Burns, Wyden, and Boxer for bringing attention to these important
questions. CDT strongly supports the goal of the SPY BLOCK Act--to
assure that users are provided with meaningful notice and choice about
the applications that run on their computers.
At the same time, we wish to emphasize the complexity of such
efforts. The broad industry opposition to an anti-spyware bill recently
passed in the Utah legislature, based on potential unintended
consequences of the bill for legitimate software companies,
demonstrates the difficulties that can be introduced by such
legislation if it is not carefully drafted.\7\
---------------------------------------------------------------------------
\7\ See, e.g., Ross Fadner, ``Leading Internet Providers Oppose
Passage of Spyware Control Act,'' MediaPost, March 15, 2004 (available
at: http://www.mediapost.com/dtls_dsp_news.cfm?newsID=242077)
---------------------------------------------------------------------------
Recognizing that development of appropriate standards for consumer
software notice is still in preliminary stages, we suggest two areas of
the SPY BLOCK Act that warrant further consideration and may require
revision.
Standards for Notice--Providing consumers with informative,
accurate notice is a challenging task. Ongoing efforts to craft
``short notices'' in the context of privacy statements under
the Gramm-Leach-Bliley Act both demonstrate the complexity of
this problem and may provide a valuable model for the kind of
notices that are appropriate in the context of downloadable
software. Many so-called ``spyware'' applications already
provide minimal notice to consumers buried in legalistic
licensing agreements that come with bundled software. (Programs
that do not provide even this level of notice are probably
already illegal, as described above.) However, such minimal
notice does not provide consumers the opportunity to make
meaningful and informed choices. To be effective, legislation
will have to address the difficult issue of how best to ensure
that the information that accompanies software is appropriately
clear, distilled, and contextualized to allow users to make
informed decisions. Simply requiring that programs list
information prior to installation may not be enough. However, a
bill that will burden users by prompting users for choice too
often will not be effective either.
Scope--As currently structured, the SPY BLOCK Act covers
almost all software, but provides specific exemptions for
certain kinds of ``general purpose'' software and certain
specific uses of information. CDT is concerned that this
approach creates difficulties for software developers while
imposing unrealistic burdens on legislators. This tack requires
that legislators develop a comprehensive list of functions for
which the requirements of the bill are not appropriate.
Creating such a list for existing technologies is challenging
in itself. Moreover, such a list will likely become outdated as
soon as new technologies are developed, or as the categories
defined in the law shift. CDT has argued that privacy laws
should be neutral with respect to technologies, and we believe
the same principle applies here.
We believe that valuable insight into the questions of scope and
appropriate notice for consumer software are likely to emerge from
ongoing industry and public interest efforts to define best practices,
discussed below, and from the FTC's April Workshop on spyware. We
encourage the Committee to incorporate the results of these efforts
into refinements of the current bill.
Non-Regulatory Approaches
Technology measures, self-regulation and user education must work
in concert, and will be critical components of any spyware solution.
Companies must do a better job of helping users understand and control
how their computers and Internet connections are used, and users must
become better educated about how to protect themselves from spyware.
The first step is development of industry best practices for
downloadable software. Although not all software manufacturers will
abide by best practices, certification programs will allow consumers to
quickly identify those that do and to avoid those that do not. In the
current environment consumers cannot easily determine which programs
pose a threat, especially as doing so can involve wading through long
and unwieldy licensing agreements.
Technologies to deal with invasive applications and related privacy
issues are in various stages of development. Several programs exist
that will search a hard-drive for these applications and attempt to
delete them. Some companies are experimenting with ways to prevent
installation of the programs in the first place. However, even these
technologies encounter difficulties in determining which applications
to block or remove. Clear industry best practices are crucial in this
regard as well.
Standards such as the Platform for Privacy Preferences (P3P) may
also play an important role in technical efforts to increase
transparency and provide users with greater control over their
computers and their personal information. P3P is a specification
developed by the World Wide Web Consortium (W3C) to allow websites to
publish standard, machine-readable statements of their privacy policies
for easy access by a user's browser. If developed further, standards
like P3P could help facilitate privacy best practices to allow users
and anti-spyware technologies to distinguish legitimate software from
unwanted or invasive applications.
The IT industry has initially been slow to undertake such efforts.
However, increasing public concern about spyware and the growing burden
placed on the providers of legitimate software by these invasive
applications has led to more industry attention on this front.\8\
---------------------------------------------------------------------------
\8\ See, e.g., Earthlink press release: ``Earthlink Offers Free
Spyware Analysis Tool to All Internet Users,'' January 14, 2004
(available at: http://www.earthlink.net/about/press/pr_analysis/);
America Online press release: ``America Online Announces Spyware
Protection for Members,'' January 6, 2004 (available at: http://media.aoltimewarner.com/media/newmedia/cb_press_view.cfm?release_num=55253697).
---------------------------------------------------------------------------
CDT believes Congress can have an immediate positive impact by
encouraging industry to continue to develop these efforts toward self
regulation.
IV. Conclusion
Users should have control over what programs are installed on their
computers and over how their Internet connections are used. They should
be able to rely on a predictable web-browsing experience and to remove,
for any reason and at any time, programs they don't want. The widespread
proliferation of invasive software applications takes away this
control.
Better consumer education, industry self-regulation, and new anti-
spyware tools are all key to addressing this problem. New laws, if
carefully crafted, may also have a role to play. Many spyware
practices, however, are already illegal. Even before passing new
legislation, existing fraud statutes should be robustly enforced
against the distributors of these programs.
The potential of the Internet will be substantially harmed if users
come to believe that they cannot use the Internet without being at risk
of ``infection'' from spyware applications. We must find creative ways
to address this problem through law, technology, public education and
industry initiatives if the Internet is to continue to flourish.
Senator Burns. Thank you, Mr. Berman. Dr. John Levine,
thank you for coming today.
STATEMENT OF DR. JOHN LEVINE, PRESIDENT AND CEO, TAUGHANNOCK
NETWORKS, AND AUTHOR, THE INTERNET FOR DUMMIES
Dr. Levine. Thank you, Mr. Chairman, Senators. I'm John
Levine, I'm the president of Taughannock Networks, named after
a local waterfall, and I've written a variety of books,
including the recent, Fighting Spam for Dummies, which I hope
CAN SPAM will soon make obsolete.
Senator Burns. That's just what I need.
Dr. Levine. Well, this one's for you. And I am the Chair or
Co-Chair of a variety of grass roots organizations like the--I
serve on the board of the Coalition Against Unsolicited
Commercial E-mail and I Co-Chair the Anti-Spam Research Group,
which is a technical research group.
But you've asked me to come today and talk about spyware,
which I'm happy to do, because I happened to read the user mail
sent to the Anti-Spam Coalition and every day I get mail from
people saying spam is bad, but spyware is worse, how do I get
rid of this junk? So although it has not been my primary
interest in the past, it's certainly one that's coming up and
one that's very interesting for many of the same reasons
related to privacy and consumer protection.
I can divide spyware into a variety of sub-areas, which I
think I don't need to do, because in the previous comments it's
clear that everybody understands what they are. But I would
like to back off and echo some of Mr. Berman's comments that
computers in everyday life, and the way they work and the way
they integrate into people's lives is very new and we don't yet
have laws and customs that describe how people react with
software and if you have a computer which has some software
from the vendor and some software from a website and some
software from third parties, how they all react and what the
experience for a computer user is.
And it's sort of as though, if somebody came and said, I
have a great new business plan, I'm going to open up newspaper
boxes and I'm going to stick my own ads in the paper and
somebody says, you can't do that. He says, of course I can, I
paid 50 cents to get into the box. That kind of argument
somewhat reminds me of some of the things I hear about spyware.
It's just like, well, you can do it, and down in paragraph 73
of some click-through agreement we said it was OK.
I mean, to me, I see two issues. The first is an issue of
consumer protection. With the adware that pops up ads and
replaces ads in websites, consumers are completely confused.
They don't know where the ads are coming from. All they know is
they don't like them and they dislike ads that are popped up by
websites that actually place them, they dislike ads that are
popped up by software like WhenU's, they feel like they're
totally out of control and they don't know whom to blame. So in
that case there's a real issue of consumer confusion. I think
it's a consumer protection issue.
Beyond that, spyware presents a privacy problem because
people click and say, yes, you can install your program and
then it collects vast amounts of information very
indiscriminately, and I have a bunch of scenarios in my written
testimony. For example, if you are applying for a bank account
online and a piece of spyware scrapes the data from that
application and sends it off to the spyware vendor, the spyware
vendor now knows enough about you to commit identity theft. Or
if you are conferring with a close relative or with your doctor
or with your lawyer, they can collect information to do
anything from sending you bogus ads saying, oh forget that
chemotherapy for your tumor, we have apricot seeds, to
blackmail.
These are enormous privacy issues and I think that we
really need to step back and look at them as an overall issue
of consumers and computers, and although the spyware issue is
important, I think it's just one step on the way to coming up
with sort of a general privacy and consumer protection policy
that will affect all the ways that vendors and consumers and
computers interrelate.
I have some comments on the individual bill. It's a very
well-crafted bill dealing with the specific issue of notice of
spyware. I have two concerns. First is that I am concerned how
realistic it is to expect people to understand the notice
they're given and to click through, particularly when you have
computers that are used by adults and by children, particularly
when frequently the notice is down in page after page of boring
boilerplate.
And I would encourage you to consider allowing consumers to
create a spy-free zone, just the way the Do Not Call list and
the possible Do Not Spam list will allow people to put on
notice once saying, we don't want this particular kind of
violation here, rather than having to negotiate each time a
vendor comes in and says I want to do this.
My other concern is with enforcement. The Do Not Call list
is very effective because the enforcement ranges from the FCC
down through the attorney generals down through individual
suits, and I think that this broad range of enforcement is
really very effective in making Do Not Call effective, and I
would encourage you to consider a similar provision for this
bill. Thank you.
[The prepared statement of Dr. Levine follows:]
Prepared Statement of Dr. John R. Levine, President and CEO,
Taughannock Networks, and Author, The Internet for Dummies
It is my honor and privilege to submit these comments to the
Subcommittee on Communications of the Senate Committee on Commerce,
Science, and Transportation for consideration during their hearing on
S. 2145, the SPY BLOCK Act.
I am a consultant and author specializing in consumer-oriented
Internet topics. I am the primary author of The Internet for Dummies,
the world's best selling book on the Internet, which has sold over
seven million copies in nine editions in over two dozen languages since
1993. I am also the co-author of numerous other books including the
recent Internet Privacy for Dummies (2002) and Fighting Spam for
Dummies (2004). In these books, my co-authors and I educate readers
regarding online marketing and advertising practices that threaten the
privacy of their personal information and/or present the risk of
unauthorized collection, use, and abuse, of information about their
online activities.
I co-chair the Anti-Spam Research Group (ASRG) of the Internet
Research Task Force under the oversight of the Internet Activities
Board of the Internet Society. The ASRG is a coordinating forum to
coordinate research into and development of technical measures to deal
with unwanted e-mail, with broad participation of industry, academia,
and independent researchers. I serve on the board of the Coalition
Against Unsolicited Commercial E-mail (CAUCE), the leading grass roots
anti-spam advocacy organization.
I have spoken at many professional, trade, and government fora such
as the 2003 Federal Trade Commission Spam Forum and the upcoming
Enterprise Messaging Decisions conference in Chicago, May 4-6, 2004,
and the E-mail Technology Conference in San Francisco, June 16-18,
2004.
I serve on advisory boards related to consumer Internet issues at
companies ranging from Orbitz, one of the big three online travel
agencies based in Chicago, to Habeas, a small anti-spam certification
startup in Palo Alto, CA.
What is Spyware?
Spyware is a general term used to describe software that runs on
consumers' personal computers and performs actions that the consumer
considers undesirable or hostile. The term has been applied to a wide
variety of different applications, ranging from the arguably legitimate
to the egregiously fraudulent. The three most common types of spyware
are the following:
Adware monitors the pages fetched by a user's Web browser or
other material on the consumer's computer and when it sees
particular pages or terms, displays other pages containing
advertisements paid for by the spyware's sponsors. So called
``Browser Helper Objects'' install themselves as part of the
Internet Explorer web browser and change the way it works. The
changes can be as simple as switching to a different home page,
or as complex as redirecting web searches to the spyware
vendor's search system rather than the consumer's desired
system, or adding new ``click here'' buttons that lead to
sponsors' advertisements.
In some cases, the adware rewrites the web pages displayed by the
browser, substituting ads from the adware vendor for the ads
originally in the page. This technique has been likened to
opening newspaper boxes and pasting one's own ads on top of the
ads in the papers.
Key loggers record every key pressed by the computer's user
and send the stream of keystrokes back to the spyware's author.
More generally, ``Activity Monitors'' can log and report on any
type of consumers' computer usage, such as e-mail sent and
received, web pages visited, and instant messages exchanged.
The data can be used for anything from consumer preference
statistics to identity theft.
Trojan Horses allow the spyware author or vendor to remotely
control the consumer's computer for the author's purposes. At
this point, the most common purpose is probably to send spam.
Although these are the most common current varieties of spyware,
variations on these themes and new and different spyware programs are
released frequently. We can expect different varieties of spyware to
appear in the future.
How Is Spyware Installed on Consumers' PCs?
Spyware distribution is made possible by a combination of the weak
security of Microsoft Windows and the inability of consumers to
understand the many security-related warnings that their computers
currently present to them.
MS Windows generally makes it very easy to install software
remotely onto a consumer's PC. While this facility is useful in a
corporate environment where an IT department manages computers all over
the company, hostile parties can also use it to install spyware without
the consumer understanding what's happening. In some cases, whenever a
consumer visits a spyware vendor's web page, programming in the web
page automatically installs the spyware. In other cases the spyware is
installed as part of a program that performs a desirable function
unrelated to the spyware features.
Sometimes, the consumer is presented with a warning screen asking
whether to install the new program. The warning screen is nearly
identical to the warning screens that appear when a web page needs a
benign application such as one to display ``flash'' animations.
Consumers see such warnings so often, and have so little information
with which to evaluate any particular installation request, that they
rarely reject an installation request. In many other cases, security
weaknesses in Windows make it possible to install spyware without the
consumer's knowledge or consent.
Some computer manufacturers are now shipping PCs with spyware pre-
installed. This means that users will have to go to extra time and
expense to remove the spyware from their new computers to bring it to a
normal usable state.
Is All Software that Communicates with Remote Computers Spyware?
No. In some cases, consumers deliberately install software with
remote communication features to participate in a large-scale computing
project or a multi-player game or other activity. For example, many of
my computers run a program from the volunteer-run distributed.net that
solves large mathematical and cryptographic problems. Another well-
known project called Seti@Home, coordinated at the University of
California at Berkeley, uses consumers' computers to analyze data from
radio telescopes, looking for evidence of intelligent signals from
outer space. In both of these cases, the consumer runs the program
because he or she actively wants to participate in the projects, the
programs make no changes to the computer's configuration (other than an
optional screen saver with Seti@Home) and the programs return no data
about the consumer other than an optional e-mail address or ``handle''
if he or she wants to be counted in the statistics that the projects
publish.
Another common situation is straightforward advertisement supported
software. For example, the popular Eudora e-mail program and Opera web
browser are distributed in free versions that display small
advertisements in clearly labelled windows within the application. The
ads do not interfere with the normal operation of the program. The
consumer is clearly informed that if he or she purchases a paid
registration for the program, the ads will go away.
Any legislation related to spyware should be crafted so as not to
interfere with legitimate applications such as these.
How Do Consumers Feel about Spyware?
They hate it. Although spyware has never been my primary area of
activity, in my role as online postmaster for CAUCE, I get mail almost
daily from consumers complaining about spyware and asking what they can
do about it. On the Internet Privacy for Dummies website at
http://www.privacyfordummies.com, a page about dealing with spyware is the
most frequently visited on the entire site.
A small anti-spyware industry has arisen with programs like
Adaware, from http://www.lavasoftusa.com, and Spybot Search and
Destroy, from http://www.safer-networking.org, that detect and remove
spyware from consumers' computers. Companies now routinely recommend
that their employees install and use one of these programs on a regular
basis to clean off any spyware that may have installed itself.
Spyware is frequently written so as to be difficult or impossible
to remove from consumers' computers. It rarely comes with an uninstall
program, as is standard with other PC software, or it comes with an
uninstaller that doesn't actually remove the spyware. Some of the more
egregious spyware attempts to delete anti-spyware programs such as
Adaware and Spybot from computers, and to reconfigure web browsers to
make it impossible to reach anti-spyware websites or to install anti-
spyware software from those sites.
Consumers clearly perceive spyware as an illegitimate use of their
computers, and spyware is rarely if ever installed with the informed
consent of the computer's owner.
What Policy Problems Does Spyware Present?
Spyware presents two separate policy issues, consumer protection
and privacy.
The consumer protection issue is that consumers don't provide
consent when spyware is installed on their computers, they don't
understand what the spyware on their computer is doing, and when they
become aware of its presence, they invariably want to get rid of it. In
principle, this issue could be addressed by better disclosure at the
time the spyware is downloaded, installed, or activated. But in
practice, I am skeptical that disclosure would be effective. The
behavior of spyware is often quite complex, and a disclosure of that
behavior equally complex, to the point that many consumers would see
the disclosure but wouldn't understand its implications and would be
unable to make an informed decision whether to accept it or not.
Furthermore, adware that shows its own advertisements in connection
with web pages that a computer's user has requested causes severe
consumer confusion. The consumer cannot easily tell what ads are part
of the web page, and what ads may have been added or replaced by the
spyware. Consumers incorrectly assume that advertisements are provided
or endorsed by the author of the web page, rather than by the spyware
vendor. If the advertisements are inappropriate or offensive, the
consumer blames the web page author, rather than the spyware vendor
that actually provided the advertisements. In some cases, the
advertisements inserted by adware are for sexually oriented materials,
although the spyware vendor has no way of knowing the age of the
computer's user.
I am aware of at least one group of lawsuits filed by mainstream
advertisers against Claria, formerly Gator, a vendor of adware that is
typically installed with peer-to-peer applications such as Kazaa, due
to its advertisement insertion practices.
The privacy issue is that spyware often collects personal
information about the users of computers on which it is installed. This
is an issue for any computer user, and is doubly so for users under the
age of 13 who can't consent to collection of information about
themselves.
One could argue that in principle this problem could also be
addressed by better disclosure, but I believe there are public policy
reasons that it's not a good idea to let people sell their privacy
rights. The law has long forbidden certain kinds of consumer
transactions (selling parts of one's own body, for example) as contrary
to the public interest, even if the consumer wishes to enter into such
a transaction voluntarily and with full notice. I believe that there
are sound reasons to treat the sale of one's privacy as contrary to
public policy. The value of one's privacy is great, and the amounts
offered in exchange for it are rarely large. Once one's privacy is
traded away, it is difficult or impossible to regain, and the
implications of giving it up are frequently far greater than what a
consumer would foresee.
Since spyware can and often does collect information about all of a
computer user's activities on the computer, and software cannot tell
private from non-private information on a computer, the opportunities
for abuse are vast. For example, consumers often apply for mortgages,
bank accounts, brokerage accounts, and other financial accounts online.
If spyware sends the information from one of these applications back to
the spyware vendor, the vendor has everything necessary to commit
identity theft. Consumers often use e-mail or instant messages to
communicate privately with friends and relatives, or with trusted
personal advisors such as lawyers, accountants, and doctors. If spyware
collects the contents of those messages, which is technically easy to
do, the possibilities for abuse range from medical fraud (``our apricot
seeds will cure your cancer better than old fashioned chemotherapy'')
to blackmail.
Many consumers underestimate the damage from privacy invasions on
the assumption that if they conduct their lives in a legal and ethical
fashion, they have nothing to hide. The reality is that some areas of
everyone's life are private, and the damage from invading those private
areas is real, substantial, and very difficult to cure.
S.2145 as currently written is a well-crafted attempt to deal with
spyware problems by mandating disclosure and minimal good software
practices. I have two reservations about the bill in its current form.
The first is that I am not confident that disclosure is the most
effective way to deal with spyware problems. In view of the universal
distaste of consumers for spyware, and their invariable desire to get
rid of it when they find it installed on their computers, it would make
far more sense to ban spyware outright, or to provide a simple way,
analogous to the telemarketer do-not-call system, that a consumer could
provide one-time permanent notice that spyware is unwelcome on his or
her computer, rather than having to wade through notices and
disclosures every time a spyware vendor wants to sneak something onto
the consumer's PC.
My other concern is for enforcement. The current draft leaves
enforcement primarily to the FTC and to state Attorneys General without
providing any new funding for enforcement. In view of the large number
of spyware authors and vendors, and the budget pressures on all
enforcement agencies, it seems unlikely that they will be able to take
action against any but the largest violators. One of the reasons that
the existing do-not-call system is so effective against telemarketers
is that the law specifies statutory damages for consumers who are the
victims of illegal telemarketing calls, and allows consumers who are
sufficiently motivated to sue for modest but meaningful amounts. A
similar provision to let consumers recover for spyware violations would
make an anti-spyware law far more effective without requiring new
funding for the FTC or other agencies.
Senator Burns. Thank you. We've been joined by Senator
Allen of Virginia, who chairs our high-tech conference and does
a great job at that and, of course, represents a great
technology community here in Northern Virginia. Thank you,
Senator Allen. Do you want to make a statement or ask a
question or do you want to play football?
STATEMENT OF HON. GEORGE ALLEN,
U.S. SENATOR FROM VIRGINIA
Senator Allen. I'd rather play football but I didn't bring
the ball. It's back in my office. I want to thank you, Mr.
Chairman and Senator Wyden for bringing this issue to
attention. I was listening to Mr. Berman's nightmare scenario,
and I said, God, I was telling my staff, I said, that's what
was happening on our computers. It was not just the spyware,
it's the pop-ups and things shooting out of the side of it and
all the rest and you put it back in, restart it, it all comes
through again and it's just--this is broadband that we're all
trying to get deployed and so forth, and I'm thinking, God,
dial-up was better than this.
Finally, we got someone in there who could install the
right technologies to stop it and now being on the Internet and
reading articles and so forth is a pleasure without all that
interference of pop-up ads and notices that you're being
monitored and all the rest.
And when you get to this issue of spyware; I was hearing
several of the gentlemen talking about the definition. I think
your definition is one that makes pretty much common sense,
like a lot of the things you do, Senator, which is very rare
around here having some common sense. But it seems to me it
would be a software that monitors a computer user's activities,
it collects personal information, and shares it without the
user's or the consumer's knowledge or their consent.
I look at this from a perspective of a privacy issue,
because what you are doing is an invasion of an individual's
privacy. I approach this whole debate on what we ought to do
similar to the way we handled the online privacy debate in this
committee last year.
There's a few points I want to make. Number one, I think
that all of us ought to be able to agree as a matter of
principle that under no circumstances is it acceptable for
someone to secretly or deceptively monitor a consumer's
activities online without that consumer's knowledge or consent,
and any sort of misleading or false practices associated with
spyware, in my view it threatens consumer confidence, I think
it ruins, it harms the Internet's viability and usefulness,
whether it's for commerce or for access to information. And in
that regard, Senator Burns and Senator Wyden, I thank you for
identifying this problem with your measure.
Now second, as we examine this legislation and how to
handle it, I think we ought to consider all the different
options. Like online privacy, I think it's important that we
empower individual consumers to make sure they have the
information necessary to make reasonable decisions and choices.
I think we ought to encourage to the greatest extent possible
market-driven solutions to this, and this has been a committee
that doesn't like to always dictate the technologies because we
like to see the advances in technologies.
Third, as you go through all of these, and listening to the
concerns we do have existing laws. You're talking about
identity theft. That is currently, presently a crime. We ought
to find out how we--maybe those laws need to be made better,
but the question of privacy is governed by law, identity theft,
fraud, deceptive marketing practices, all are part of the law.
Now, it may be that we have to find a way in the midst of
this legislation as we discuss it to make those more
enforceable, but those basic principles are there, and just
because it's spyware or adware or whatever it may be, it
doesn't mean that they're immune from those laws. And so with
the technological advances that have grown, I think we ought to
be looking at those approaches, enforce the laws we have. I
think it's in the interests of the broad technology or Internet
community to get this done, to make sure that you don't have
people frustrated, aggravated, or sometimes insulted with some
of the spyware and the adware with some of the pop-ups that
come up that are inappropriate, and we all know what I'm
talking about here.
So I'd like to see a market-driven approach or solution. I
want us to find ways to enforce our current laws and I do want
to work with you as I have, both of you, great leaders in
technology. What we all did with spam, what we've been able to
do with Internet privacy matters, I think those would be the
guidelines and philosophy I'd like to follow, and thank you
again, Mr. Chairman and Senator Wyden for your sterling
leadership once again.
Senator Burns. Thank you, Senator Allen. I have just a
couple of questions. Every time we start in on this kind of
legislation, and I think Senator Wyden would concur that we
spend a lot of time working on definitions, people define
different terms and words differently. And we tried to do that
in this, and especially it's very important whenever you start
talking about this business of privacy. It's a very personal
thing.
Now, given what's been happening with the software that's
downloaded into your computer that has basically set your
computer to be a tool of somebody else and not always of your
own, and we know that probably out of the millions of users of
computers, probably less than a third of them read PC Magazine.
What tool do we use to make people aware of this problem? And
I'll let anybody comment on that.
Mr. Berman. Well, certainly we have to let people know
about the problem, and I think that hearings like this and the
press coverage and so forth, but I think it's consumer
education down at the, at the basic level. Last year and over
the last couple of years, industry and public interest
organizations like CDT created the Get Net Wise site, which
provides information on privacy and what consumers can do
about, even about spyware. It's just a beginning, but it's a
consumer education program.
But I don't think that we can begin there. We have to give
people and the consumers some clear definitions of what we're
talking about, and I think that some of the tools that are in
your legislation are going to be necessary. It is one thing to
find spyware or adware or a software program that takes over
your computer and you can't uninstall it, and I don't know any
consumer education program outside of a technical manual that's
going to help you do that, and you got a technical person.
Not everyone has a Web master like I do to take spyware off
of my computer, so we need to, as in CAN SPAM, to provide some
requirements. That if software is installed on your computer
that it has to be, even with your consent, that it has to be
removable, and SPY BLOCK moves in that direction. That's one of
the things that no notice bill and no FTC proceeding is going
to solve. It is going to require some legislative action.
Senator Burns. Mr. Holleyman?
Mr. Holleyman. Mr. Chairman, a couple of things. One, I do
think that raising public awareness about this is critical.
It's like this hearing, things that have been held in the
House, the FTC workshop next month, the publicity on this I
think is very important.
Second, I think there will be more tools that will be made
available by software developers that will be easily deployed
that will let people track this. Third, I think we need
aggressive enforcement, and we don't need to wait until a new
law is passed, and a new law may be needed. But what we need is
aggressive enforcement of existing laws to try to dry up the
practice of commercialization of information that's seized in
this fashion.
Then I think there are other steps such as industry best
practices, working with sort of new upgrades of software that
will all yield hopefully to a much better environment than the
status quo.
Senator Burns. Mr. Naider?
Mr. Naider. Yes, I'd like to follow up specifically what
Mr. Holleyman said in the sense that industry standard-setting
is really one of the major opportunities that the SPY BLOCK
legislation presents in the sense that one of the themes that
you hear emerging from this panel is the notion of consumer
control.
Dr. Levine made an interesting point, which is that whether
it's spyware or adware, a lot of consumers will say they don't
like it, and I will readily confess that even WhenU software,
we get many consumers who say they don't like it. We've done
tens of millions of installs, but many consumers choose to
remove it.
The point is, that if you give consumers control and you
set a standard by which a consumer makes a choice to install
when they have this type of software, particularly adware that
shows them ads, each ad is very conspicuously branded and
addressed and makes it clear where it's coming from, the user
is then easily able to uninstall.
What you then do is you create a standard by which you
don't undermine the technology, you don't take the 25 percent
of the market that benefits from the technology, but you allow
a set of standards to be set that the consumers ultimately do
control, and that's ultimately what really infuriates
consumers, when they don't have control, when they don't know
what's happening to their computer, and when they can't do
anything about it, and we do have the opportunity right here to
address that.
Senator Burns. Mr. Levine?
Dr. Levine. If I may digress slightly, on the plane down I
was reading a funny article about a fellow talking about the
1930s and 1940s appliances in his house. He was talking about a
toaster or something, and he said that he learned the hard way
that the control on the toaster had a little rubber knob on the
end which you had to hold, because if you touched any other
part of the toaster, you'd be electrocuted. And we don't build
toasters that way anymore, and no doubt at the time the toaster
was built, there was a sign saying, only touch the knob.
And I think a certain amount of labeling is useful, but I
think that if you have a practice that consumers find so
noxious and so uniformly contrary to what they expect, it's
like with my example of the newspaper boxes. We could have a
campaign to put signs on the boxes saying, danger, don't read
newspapers with other people's stickers on them, but I think
what we really need is a consistent policy about what sort of
data collection is appropriate for computer software and what
isn't so that users don't have to be worried every time they
click somebody might steal their data, that they can be
confident that their computers will work in a way they think is
reasonable.
Senator Burns. Well, I get the feeling that I'm going to
have a follow up question for Mr. Holleyman, but I first want
to get to my colleagues and we'll probably have a couple of
rounds of questions here, but Senator Wyden.
Senator Wyden. Mr. Chairman, gentlemen, the first question
I'd like to start off with is whether or not you all feel there
are legitimate reasons for software that doesn't allow a
computer owner to delete it. Let's go right down to it. Maybe
some technical reasons and that's what I'm interested in, but I
mean, as a general rule it seems to me if the computer owner
can choose to install it, he or she ought to be free to
uninstall it, but I'd like to see if we can kind of just go
right down the row and see if as a general proposition you all
share that view. Start with you, Mr. Naider.
Mr. Naider. We completely agree with that. Computer owners
should have the right to install software and uninstall
software. Occasionally, as in our business, for example, you
see instances in where a consumer downloads a free piece of
software, and in addition to that free piece of software,
there's another piece of software that supports the free piece
of software, for example, providing coupons and advertising. In
those cases, we think the consumer should have the choice to
uninstall as well by uninstalling the free piece of software
and that goes with it.
But under no circumstances can we imagine a scenario where
a computer user shouldn't ultimately be the one to control what
is and what is not on their computer.
Senator Wyden. Anybody on the panel disagree with that? We
can just go right down the row and save some time. I just want
to see if as a general rule you feel that that's appropriate.
Mr. Holleyman. I agree with your general rule, with your
caveat that there may be technical reasons at times where you
cannot uninstall something without harming the operating
system, for example.
Senator Wyden. Jerry?
Mr. Berman. I agree that you ought to be able to uninstall
and the principle--the right to uninstall, but right now you
don't have the right to uninstall a lot of spyware.
Senator Wyden. Right. Dr. Levine?
Dr. Levine. As a general principle, I agree with everybody
else. You need to be able to uninstall stuff. But I think what
consumers are more interested in is the possibility of breaking
stuff apart. For example, they'll install a program that does
some useful thing and then it's bundled in with something else
that they consider to be spyware, and they consider the program
to be useful and the spyware to be useless and they'd like to
be able to get rid of one without the other. That's where I
think you run into these issues of what's uninstallable and
what's not.
Senator Wyden. I put into the record something that struck
me as very plausible in one of the New York Times pieces
calling for something similar to what we've introduced. They
start--and I'll quote here--a good start would be to require
all such programs to announce themselves clearly and define
their functions, allowing the users to reject software that
strikes them as intrusive. Anybody disagree with that?
Mr. Berman. The issue is, what software under the, say, for
example, legislative rule would have to announce itself and
then you get to decide what is intrusive?
Senator Wyden. Covert, secret.
Mr. Berman. Well, if we define it that way, but some of the
legislation unintentionally or even intentionally has defined
the computer software to include any software resident on your
computer and then you get to software that does some monitoring
functions, diagnostics and so on, can be covered. It's not
defined clearly in terms of computer software that does
something that we would consider bad behavior.
Mr. Naider. If I could follow up Mr. Berman's comment, I
think one of the concerns with the legislation as currently
worded is exactly what Mr. Berman is saying, which is that it
doesn't say this explicitly in the legislation, but at least
with regards to the advertising copy in the legislation, it's
implicit that it's talking about pop-up advertising, just some
of the language that's used to say it has to have a notice and
each ad has to have a link to an uninstall.
When you think about the future of this type of technology,
many in the industry believe that software on your desktop,
legitimate advertising software, will be done in many, many
different ways. It may be in the form of toolbars that are on
your computer, it may be embedded within your browser, it maybe
is part of the interface of your ISP so that this notion of
every piece of software announcing itself in the same way that
would be contemplated for something, for example, that does
pop-ups may be inappropriate.
And one of the things that we think needs to be studied and
looked at in detail with regards to any legislation is not what
is the current practice of adware or software-based
advertising, but what is the potential future universe of
different activities that could take place that are very, very
legitimate, very empowering to consumers. Can this bill broadly
worded actually hinder that, and that's I think one of the
concerns we have with the bill.
Senator Wyden. Those are legitimate points. What we're
trying to do is get at the secrecy, the secrecy that really
invades the rights of the consumer that we've all been talking
about.
The third area I wanted to ask you about, Dr. Levine, was
drive-by downloads and how easy it is to set them up. It
strikes me as pretty good target, pretty fertile area for shady
kind of people, but why don't you tell us about that?
Dr. Levine. It's extremely easy, and it's easy for two
reasons. One is that Microsoft Windows, which everybody uses,
is just designed in a way that makes it really easy for third
parties to install software into it, and in many cases that's
fine. If you have a corporate network, the ability of the IT
department to maintain all the computers in the company is
fine.
And if you have a website that uses a particular kind of
audio or animation or something, the ability to say, oops, you
need the Flash Player, would you like me to install it for you
so you can see this cartoon, that's fine too.
The problem is that the technical line between the Flash
Player, which just shows you pretty pictures, and spyware that
does malevolent things, is very narrow. It is both easy for
people to install stuff without notice, and the other problem
is that people install stuff so often, 3 hours it pops up and
says, oh, here's a little component we'd like to give you. And
from the consumer's point of view, it's very difficult to tell
the notice between something malicious.
Senator Wyden. Just a couple of other quick questions. I
know my colleagues want to get into it. Mr. Holleyman,
gentlemen, came out for going after electronic spying, but
essentially felt that adware wasn't a major concern right now.
He said it hadn't risen to the same level of concern. Mr.
Berman and Dr. Levine, do you two view the proposition that
pop-up ad software isn't yet a key consumer concern?
Mr. Berman. I think because there are companies that are
providing these programs and without clear notice and consent
to the consumer or to all the users of a particular community,
I mentioned the family example, that the pop-up ads are
becoming in a consumer's mind another form of pop-up spam. In
fact some of these programs also allow you to serve spam, but
it's the pop-up ads are, I think, a nuisance to computers and
interfering. If they don't have consent they are being served
content which they really don't want.
Now, the difference between what they want and whether
they've consented is really how explicit the notice is, how
clear it is, and how simple we make it, and there are no
standards for that right now.
Senator Wyden. Dr. Levine, you?
Dr. Levine. There's no question that people hate pop-ups. I
consult for one of the large travel websites that's used what
we could call ``legitimate pop-ups'' extensively in their
advertising, and they're legitimate in the sense that if you go
to a site like ESPN, a site, the pop-ups ads that pop up are
actually placed by ESPN and support the website, and even
though they're, you know, by any business standard they're
legal, people hate them, you know.
And then we go on to the kinds of third party ads where,
ads that--advertisements that weren't part of the original
website, people hate those even more because they don't know
who to blame. So I'd say from the point of view of consumers,
it is a very big issue, and it's one that they really would
like to have somebody fix.
Senator Wyden. Yes, I don't want to jump on you on this
point, Mr. Holleyman. I know you're sincere on it. But I think
if you were to go out across the land today and ask people
about pop-up ads software, they'd say, that stuff drives me
nuts, I'm outraged by it. And we want to work with you, I mean,
you're raising a lot of practical concerns about how to do it.
But I got to tell you that we're not jumping you here today.
Mr. Holleyman. Sir, I think there are two things here. One
is we were trying to focus on what we think is the biggest
current problem where we can both start deploying current laws
and then fill in gaps with new legislation. Second, there's a
pending bill before the Utah Governor that she has until, I
think, midnight tonight to decide whether to sign or veto,
there was a spyware bill passed by the Utah state legislature.
Senator Wyden. I understand.
Mr. Holleyman. There was a very broad group of technology
companies and associations who met with the Governor last week
to urge her to veto that bill to give their legislature another
chance to look at this when they come back in session next
year.
One of the comments she made, that was made in the letter,
and I do not represent advertisers per se, but I will simply
pass this along, was talking about pop-up ads and talking about
the importance of enabling local advertisers in Utah to be able
to properly tailor advertisements to Utah-based citizens rather
than only allowing broad-based national advertisers to have
that broad reach.
I don't know what the answer to that is, but I would
encourage you to look at the letter that we submitted to the
Utah Governor as one of the issues associated with this.
Senator Wyden. One last question if I might. You, Mr.
Holleyman, said that state AGs ought to be given enforcement
authority in the area only if we have what you call, you quote,
a ``Federal standard.'' So obviously what we think we're doing
in the bill is establishing a Federal standard, and what I was
curious about was whether this was really something that you
want to just deal with as a preemption issue. Are you all
calling for preemption? Is that something you'd support,
Federal standard preempts states?
Mr. Holleyman. If Congress moves in this area and
determines if legislation is needed to close existing gaps,
then there should be a Federal single standard that preempts
inconsistent state laws.
Senator Wyden. Mr. Chairman, thank you.
Senator Burns. Senator Boxer.
Senator Boxer. As a pop-up ad victim, those things are
really the worst, and it's the whole point, I mean, and it
shocks you. It's a very disconcerting deal, because when I'm
working on my computer I'm working on something, and it's just
like, I mean, my grandson knows don't bother Grandma right now.
I'd rather be disturbed by him than these idiotic things, some
of which are foul.
But here's the point. I think if we do work together and we
can make this happen right, you'll wind up being happy because
you don't want Utah doing their thing and you don't want
California doing their thing and so on and so on and Virginia.
We've got to get together here and have some answer to this
thing.
Mr. Holleyman, when you say you don't represent advertisers
per se, what does that exactly mean?
Mr. Holleyman. I represent companies who certainly
advertise, as most commercial businesses do, but I'm not
speaking on the adware issues or representing companies who are
making a profit out of selling advertising.
Senator Boxer. Say that--you represent advertisers, but----
Mr. Holleyman. I represent major companies who all
advertise their products, but I'm not representing companies
such as the colleague at my right, who are in the business of
providing advertising services.
Senator Boxer. OK. Well, you know, I don't want to prolong
this because I just, for me certain issues are a no-brainer.
This--for what--it's simple. You know, this is not a good thing
that's happening to folks, and in the end it's going to drive
people away from their computers and that's not a good thing. I
am very much in favor of all of this information-gathering, and
I can tell you, you're sitting there, you're trying to do some
work, you're trying to get information, and you're just
bombarded and it all happened because somebody spied on what
you were looking and I looked at shoes and they're advertising
shoes. This thing has got to go. This is not a good thing. And
so, yes, Mr. Berman, I don't have----
Mr. Berman. I have problems with pop-up ads from downloaded
spyware. I actually have an ad program that runs on my mail
program, it's serving me ads, and the reason I'm getting the
free mail service is they're serving me ads, they're getting
some revenue from it.
I consented to it. It's very clear on my desktop what's
happening and if I don't want it I can pay for a different
program and the ads disappear. And if I want to uninstall it, I
just take that program and get another program. That kind of
transparency I think is where consumers want to go.
Also, while we may not like pop-up ads, that is a much
larger and different, and sometimes different issue than
spyware. Pop-up ads are being served without spyware, and so we
got to put things in boxes and say what is the most important
thing that we want to deal with.
And I got to one more time make this point, that the
privacy issue, which is only one part of this spyware problem,
is the collection of information without your consent. It may
be through a program on your--but it goes back to Senator
Allen, the privacy bill that passed out of the Commerce
Committee, it may need--maybe there wasn't a giant
Congressional consensus, is still not law. We do not have
online privacy legislation which defines the fair information
practice for online privacy for websites, for companies doing
business on the Internet.
We are relying on important self-regulation. Good companies
are doing a great job at trying to give you privacy notices on
their website. But I point out when you're dealing with
spyware, you're finding out that there are always outlaws and
outliers using new technology to do the same thing, take
information without notice and consent. And until we have some
rules about that, which goes back to Burns/Wyden 1, we're not
going to solve the privacy problem, and to try and do it for
spyware, like say, well, we have a cookies bill and a spyware
bill and a spam bill, it begins to become a crazy quilt, which
is what we want to try to avoid when we ask for Federal
legislation, some coherent, overall policy.
And we need privacy policy in this area. It doesn't have to
be, you know, terribly burdensome, but it has to inform both
good companies and bad companies what the rules are here for
collecting information about consumers and users on the
Internet. We don't have that.
Senator Boxer. Mr. Berman, let me just say, I have no
disagreement with anything you said, but I'm also a practical
legislator.
Mr. Berman. Right.
Senator Boxer. And I can tell you now, the reason I was so
proud of my colleagues and teamed up with them on spam and
these other issues is because sometimes you can't get that
overall, but I agree with you, it's all a matter of consent,
that's really the bottom line. But also consent that's obvious,
that is easy to figure out, so that it's not such a difficult
hurdle that you have to do 17 things to get out of this deal.
That isn't any good. It's got to be something straightforward.
That's what we've been trying to do.
Mr. Berman. This may be one time when consumers are going
to become so outraged by this kind of behavior that different
laws are going to pass in Utah, pass like that, may not be
signed into law, that it may be the better part of valor to
revisit, maybe not in an election year but maybe early next
year, trying to develop some baseline standards again as part
of the tradeoff of resolving a set of issues that surround,
that beg for a solution, but do not beg for a solution that is
technology-specific, because that is anathema to innovation and
to the Internet to go technology by technology.
Mr. Naider. If I can add, specifically for Senator Boxer's
very good point about consumers hating pop-ups. I think one of
the things that we have to all recognize is that these types of
bills are strangely affected by consumers' general dislike for
pop-up advertising. For example, if you said to an average
consumer, do you like pop-ups, most consumers would say no, I
dislike pop-ups. If you said to a consumer, would you want a
piece of software that alerts you to a $30-off coupon when
you're about to make a purchase, most consumers would say yes.
The important thing is to recognize that the pop-up problem
is a much, much, much larger problem online than sort of a
narrow problem as a result of either spyware or adware, et
cetera, and that in the course of trying to address consumers'
concerns with pop-ups, specifically a sense of feeling
bombarded or being hit with pop-ups that don't come from
anywhere, we have to be very careful about not affecting or
ruling out software that can actually be tremendously
beneficial.
And when you think about where the Internet is in 5 or 7
years, is it desirable for most computers to have software on
their machines that, as a consumer's navigating the Web, in
some way, shape, or form is alerting them to maybe three other
places where they can buy a mortgage or to a great deal on
travel? When you're looking at a hotel in New York City, should
a piece of software be allowed to tell you about a place where
you can get that hotel for 50 percent off? Many people would
say yes, and we just want to make sure that this legislation
covers that.
Mr. Berman. But there's a problem. It's when, who's saying
yes and consenting to this software being loaded on your
computer? Many of these pop-up adware programs are added as
piggy-backed on top of peer-to-peer network software. I mention
these, there are a number of adults in different offices had
their computers swept for spyware, and there are just many,
many programs there. And how did they get there? It's because
their teenagers are out in peer-to-peer networks signing up for
file-sharing programs, for music and so on, and maybe that's--
put aside the copyright issues, but still, that software is
being loaded on your computer and it's there delivering ads to
a lot of people who don't want them.
It's how clear is the consent and can you really get out of
these programs? WhenU says it's easy to uninstall their
programs. I know some programs which are really hard to
uninstall. I don't know how we can do this except by Congress
saying that some of this behavior on hijacking computers is
unacceptable.
Dr. Levine. If I could add a little bit there. Something
that's sort of unique about software is that you consent once
but then it annoys you forever, which is somewhat different
from other software.
Senator Burns. Sounds like marriage, doesn't it?
Dr. Levine. I plead nolo contendere, sir. But with most
software you install the software and you consent, but once
it's installed, it only runs when you tell it to. Spyware is
unusual in that it sits there and it gives you, you know, it
gives you stuff that may or may not be helpful, you know,
whether you ask for it or not. In my case, I don't want Windows
to pop up and tell me when I can get cheaper hotels because I
know if I want a hotel comparison website I know where to find
one.
Senator Burns. Senator Allen?
Senator Allen. Thank you, Mr. Chairman. You know, you all
did a great job on spam. My general view though is pop-ups are
worse than spam. I had an account set up with Yahoo--huh?
Senator Burns. It's a form of spam.
Senator Allen. It is, but the spam is usually associated
with e-mail, and I finally found this e-mail account and said,
all right, go in there, use it through Yahoo, it's what I use
as my website, or home page. And this is I don't know how many
months, there are just hundreds and hundreds of e-mails in
there and they were on mortgages, travel bargains, gambling,
pharmaceuticals, pornography, whatever all it was, all these e-
mails. And it's very easy to get rid of them. You select all
and delete and that's it.
Pop-ups you have to click them off. As far as advertising,
I like to read the newspapers. I read the Richmond Times-
Dispatch or the Post or the Washington Times, whatever it may
be, the Bristol paper. At any rate, they have advertising for
realtors there and whatever other things they may want to
advertise, but that's not invasive, that's just on the side of
the article. You go on, say, Buccaneers.com, they're selling
stuff, Raiders.com, Chiefs.com, whatever it may be, they're
selling things, jerseys and whatever, and that's not a problem,
the pop-ups are.
Now, in listening to all of this maybe we can get this
agreement from this hearing and why we may need to have Federal
legislation in light of Utah. Will you all agree that any
legislative approach should establish a national standard,
avoid a patchwork of state regulations, and target bad actors,
not necessarily harm legitimate online business? Do you all
agree on that?
Mr. Holleyman. Absolutely.
Mr. Berman. Yes.
Senator Allen. Well, that's where we're going to have to go
now. The details of some of these, the definition and so forth,
there is that agreement on it. And, of course, Mr. Holleyman, I
like your approach, e-spying, ban behavior not technology,
that's the approach.
Now, we've heard about all these statistics regarding the
amount of spyware on consumers' computers, which is all very
disturbing and worrisome. According to Mr. Holleyman, spyware
amounts to an abuse of technology. Clearly that is the case.
Now, can any of you all share with us and the public what is
the technology industry doing to help address this problem? If
we're trying to educate the public, what is the technology
industry doing to address it, other than dragging some guy
who's an expert or person who's an expert to try to stop it?
Mr. Berman. There are a number of technologies which are
being offered. Earthlink has a spy audit and America Online is
also offering a package which helps users of their services
sweep, detect, and eliminate spyware, so there's a technology
solution. I know that Microsoft is working on part of those
solutions. We've been trying to convene a group of industry and
public interest organizations to try and sort out what's being
done, what can we do through self-regulation, what can we do
through standards, what falls into the need for legislation and
can we define bad behavior. And it's, I think it's going to be
a mix of all those.
We've also worked on a standard called P3P, which allows
companies to express their privacy policies in code, which can
be read by a consumer who can set their settings to what they
want, and if that was widely adopted, it would be much more
transparent to deal with companies like, that promote spyware
or adware. You would be able to do a lot of negotiation or at
least be able to say this is consistent with what I want as a
consumer and say yes or say no.
And so there are technology solutions that are out there,
but I think that it's going to have to be a mix of technology,
self-regulation, and legislation. But the self-regulation in
this area I don't think is going to come until we have some
clear standards, and if we have some clear standards, some of
it's going to have to be put in the legislation.
Senator Allen. Mr. Holleyman?
Mr. Holleyman. There are technological solutions that are
both being made available now and that companies are actively
working on for their next generation of products. I agree with
everything that Mr. Berman said that a combination of consumer
education, technology tools, and best practices that we're
eagerly working on with Mr. Berman's group and others. It may
well take targeted legislation, and also enforcement of
existing laws. I want to reiterate that the status quo is not
acceptable. Something needs to be done. It's just a question of
how do you then tailor that new legislation to deal with it.
Senator Allen. Dr. Levine, what's your perspective of the
technologies that are available, and maybe people are not
availing themselves of them?
Dr. Levine. There are certainly some technologies. There's
the programs Mr. Berman referred to. There's also some fairly
nice free programs called Adaware and Spybot. But I'm still
concerned that it's difficult for consumers to make rational
tradeoffs here. I can't tell you how many times I talk to
someone, I say, do you believe that your personal privacy
online is important? Of course. But then they say, well, you
know, would you provide your name, address, Social Security
number, mother's maiden name, and annual income in exchange for
a raffle ticket for a $5 plush animal, and they all do.
Senator Allen. Well, that's----
Dr. Levine. Well, and I realize we can't keep people from
being naive, but I think people don't appreciate sort of the
value of what they're giving away and the risks they're
entering into. So, I realize none of us are interested in
having a nanny state here, but I do think that it's important
to recognize the value of the data these things can collect and
I think it's reasonable to put some fairly strong hurdles in
the way of saying, you know, do you really want to give this
up, is what you're being offered really valuable enough to be
worth this exchange?
Mr. Berman. One point on that, which is that the risk
involved and the tradeoffs, sometimes consumers are given the
opportunity to get a free program or free service in exchange
for signing up for an adware program which is essentially
downloaded on their computer, but they're not necessarily up
front, and this is something that SPY BLOCK tries to deal with.
They're not given up front any knowledge of what that adware
program is going to do and how many ads and how intrusive it's
going to be and when it's going to come, so they're signing up
without real knowledge of what they're getting into. Maybe
that's solved by the ability to uninstall, but uninstall is----
Dr. Levine. No, because once you've given your data away,
since the U.S. has no tradition of strong data protection laws,
once somebody's collected your data, they've got it, and if
they then transfer it from place to place to place, we all know
stories, we've all heard stories about somebody who disclosed
information one place and it ended up someplace really much
worse and far away.
Mr. Berman. Well, I put those in box one, which are privacy
violations. There are also ad services who are not collecting
information, and I want to make clear that they raise a
problem. Even though they are not violating privacy, they are
raising issues of user control over their computer.
Senator Allen. Mr. Naider?
Mr. Naider. And we are trying to address it, I guess, at a
slightly different angle, which is economically. We've put
together what we call our five points definition of what is the
difference between legitimate adware versus spyware.
Interestingly enough, adware used to be a positive word. We put
out press releases 2 years ago talking about our own adware. I
wouldn't think of putting out a press release today mentioning
adware in conjunction with our product because it's become a
loaded word because there are some folks that claim they're
adware and actually are spyware.
We've actually put out a definition that we're trying to
promulgate within the industry, and that definition has five
points, and point number one is the disclosure. When you
initially install it, it has to be visible, right in front of
the user, that the presence of additional software is something
that if the user takes the time to read is visible, it's not
buried six pages down in a license agreement.
The second thing is that the license itself for this type
of technology needs to be clear, concise, and understandable.
We use a two-page license agreement to the dismay of our
lawyers because we basically said that anybody who reads a
license agreement should be able to understand it in 5 minutes.
We think the second point is the disclosure of the license
agreement and making it clear and concise.
The third point is the branding, specifically if you
display Windows or add Windows such that consumers don't wonder
why I am seeing this ad, whether they may like it, like Dr.
Levine--they may not like it like Dr. Levine or like it, like
some other folks, it should be very clear where it's coming
from, why it's there, and who is delivering it.
The fourth point is ease of uninstallation. Consumers that
don't want the software should easily be able to uninstall it,
should make a choice. With respect to what the Senator
mentioned before, there is actually a big difference between
spam and legitimate desktop advertising software. Actually I've
tried many times to stop spam to my office mailbox. I can't do
it. But if you want to uninstall software that's legitimate
software, it's actually easy to uninstall it. So if you abide
by that fourth point of uninstall, then we consider that in
keeping with this philosophy of being adware and not spyware.
And the fifth thing is privacy protection, which is,
regardless of whether you get disclosure, regardless of whether
you get a license, regardless of whether you brand and you make
it easy to uninstall, if the practices that you're doing
involve keystroke logging, collection of personal information,
then it doesn't matter that you got all this because there may
unwary consumers that agree to it.
So we believe that by putting out this five points of what
defines legitimate desktop advertising versus spyware, we can
actually create a definition where those who claim that they're
doing legitimate advertising were actually spyware don't
survive economically, because the advertisers who use it
basically say, are you adhering to these five points, are you
doing this legitimately, and if not we're not going to spend
money with you. And that's our approach and we actually hope
that this type of legislation will look at these different
pinnacles of disclosure, license, branding, uninstall, and
privacy, and be able to set that standard as well for the
market.
Senator Allen. Are you saying, final question, I'm like Dr.
Levine. If I want to figure out how to get a flight from one
place to another, again, Yahoo will have Travelocity linked up
with it or whatever. There's a--you can find it, you can search
and find it without somebody saying, here, you can be on a
cruise or you can get these discount rates and so forth. I'd
just as soon not have to click them off and have them covering
up what I'm trying to read.
Now on your--you seem to have some standards, those don't,
which make a great deal of sense. Let me ask you this though.
How easy is it for someone to remove on your software? Say
there's someone like me or Dr. Levine who, I don't care, it is
good to know where it came from, the source of it is good, that
obviously would be wonderful as a way of knowing the source or
you can figure out how they got your name and then blame them
rather than some of the deceptive things, you think it's coming
from AOL or Microsoft when they have absolutely zero to do with
it. And you see AOL or you see Microsoft and it connotes a
certain credibility and credence, so I think it's great to have
that tracing.
But how easy is it, or how would someone who doesn't want
to get your advertising through WhenU.com, how easy is it to
remove it?
Mr. Naider. I think the numbers speak for themselves. We've
done over 100----
Senator Allen. I missed your testimony, so I'm sorry if
you've already said this.
Mr. Naider. That's OK. We've done over 100 million unique
installations of our software and initially about 50 percent of
people kept it and now 80 percent remove it. Now, that's a
challenge for us. Part of the reason that they remove it is
because there are so many other programs not adhering to
standards that they just get an Adaware program and everything
gets removed.
But the answer is, it's very easy to remove. It can be
uninstalled through your control panel add/remove, which is the
standard way for uninstalling software, and more importantly,
each ad unit tells you directly how to get information about
uninstalling where it says, go to your control panel and do it.
So the empirical evidence is that it's very easy to
uninstall, and as a result, we freely acknowledge that there
may be consumers that don't want to see a coupon when they're
about to shop and don't want to see, but to the extent that
there are consumers that do and that it's quite beneficial to
either have that software for its own merit or maybe you're
willing--maybe you don't want to see it but you're willing to
see it because you get a free sports ticker program. There are
many consumers like that. They decide, well, I don't
necessarily love the idea of seeing a coupon or a free travel
ad, but you know something, I get a free sports ticker, so I'm
happy to do that.
We want those consumers to have that choice. By following
these types of standards, you give the consumers a choice. By
making any unilateral decision one way or the other, you don't
give them the choice, and we hope that that's what this
legislation accomplishes.
Senator Allen. Understood. How many others in your business
have the facility of removing pop-ups that you all do?
Mr. Naider. It varies dramatically. There are others--we
are certainly the leader in the industry in terms of the
standards that we set and there's a full spectrum of activity
from folks who don't necessarily adhere to every one of these
points, maybe four or five, to folks who absolutely make it
impossible to know that--or do their best to make the consumer
unwary that they've installed it, once it's on the desktop, no
branding, no idea that these pop-ups might be coming from
software, no easy way to uninstall.
So the answer is that there's a full spectrum of activity
and we hope to combat it both through, you know, we hope that
your efforts, as the Chairman and the Senators of this
Committee through legislation will combat it, and our efforts
from the standpoint of market education will allow certain
models to emerge and to develop and to meet what ultimately can
be very, very, very pro-consumer, pro-competition, pro-
comparative advertising type of standards and other models to
disappear, so that the experience, the nightmare experience
that people have, and I've heard this many, many times, you
know, the nightmare experience that you have is I have 12
things on my computer, I have no idea where they come from, I
don't know how to stop them. We want to see that disappear as
well.
Senator Allen. Thank you, Mr. Naider.
Senator Burns. Mr. Holleyman, I referred to a while ago, do
you think right now there are enough laws on the books with
regard to privacy that we could deal with this SPY BLOCK or
spyware without passing this legislation?
Mr. Holleyman. There are laws related to deceptive
advertising through the FTC Act, the Computer Fraud and Abuse
Act, all of which can be applied and should be applied, and I
am very much holding open the possibility there may need to be
additional legislation that's behavior-based to close the gaps.
Senator Burns. Would you agree with that, Mr. Berman?
Mr. Berman. I agree that we're going to need legislation to
close the gap because there is--we need to look at where it's
clear hijacking of computers and not allowing you to uninstall
and taking over your Web page and a lot of behavior that's in
our FTC complaint against a company or two. We may need to--
existing law may cover it, we need to try and figure out where
it falls short and come back and fill in the gaps working with
you.
With respect to the privacy issue of collection and
dissemination of information without notice and consent in this
area we need legislative standards.
Senator Burns. Whenever you start talking about national
standards and this type thing, we ran into something in spam
and I think that we should also look at it, because with our
visits with our international friends, this just isn't a
national problem. In other words, everything that this spyware
can be installed from not necessarily friendly soil, so to
speak.
Do we need to work with our international partners to also
craft legislation that would work in their countries and
recommend they do so?
Mr. Berman. I would recommend that we try and sort this out
first.
Senator Burns. Here?
Mr. Berman. Here. And so that we know, maybe we have some
consensus about what we're talking about. Right now it's a
tower of Babel as far as I'm concerned. I mean, what's in and
what's out? But I think if we get down to some bad behavior,
which is like CAN SPAM, let's get some real things that we, you
know, res ipsa loquitur, the thing speaks for itself, we
understand it, this is bad, let's get it. Then I think we can
begin that dialogue.
I agree that this is not something that because we pass a
law it's going to be solved, because spyware can be served from
overseas. That's why, you know, ideas like a do-not-spyware
list won't work, I mean, because we're dealing with a global
network. That's why we need technology solutions as well as----
Senator Burns. Yes, sir.
Mr. Holleyman. Can I make two points on that? One, we were
of the view that a behavioral-based approach would give us the
quickest, fastest tools in this country to try to address the
problems. Second, because we work as BSA on a global basis on
public policy laws, I think there is a reason to look carefully
at trying to avoid having to define what software looks like
and what technology looks like, because if we adopt that
approach in the U.S. rather than the behavioral approach,
presumably we're going to be asking all of our major trade
partners to pass similar legislation that defines the way
software looks, and the same technology that can be used for
bad purposes for spyware may provide good future uses of
technology in areas like diagnostics and security tools.
So if we can avoid having to create here and then around
the world a definition for how we create software and deal with
the behavioral approach, we think we'll be better off.
Senator Burns. You see, it's my thought on this thing that
Mr. Naider is in a legitimate business. He is a legitimate
operator and entrepreneur and runs a business and I think the
standards are very important, because if we get the bad guys
out there doing bad things, it does bad things to you. You get
a bad reputation, and that's what we want to do is for the
industry to come together. Basically that's what we did with
spam is it forced industry to sit down and talk to one another and
say, OK, how are we going to deal with this, and then they
said, yes, we need a law, and yes, four of the biggest ISPs
there is in the country filed a lawsuit on some of these people
who are really basically clogging their pipes. In other words,
they just can't handle everything that they throw at them.
So most everybody else has answered my question. I've sat
here very interesting, but I do want to work with all of you--
you had some other--you got another question? A couple more,
OK. With respect to how we define and to see if we can't do the
same thing with this legislation as we intended with CAN SPAM,
is the industry has to come together to the table and help us
with those standards. You can't let government set the
standards. If we do, we'll be locked into technologies.
I can remember first, when I first came here, we flew out
to the consumer electronics convention in 1990 to Las Vegas
and we were going through this debate on who's going to set
standards for high definition television. And there were some
people out there very well-intended that says government has
got to set the standards. And I said, if government sets the
standards, then we're going to be locked into that because it's
hard to change and technology moves too fast, that if
government sets it, then we're locked into that situation.
So we want to work with you very, very closely on
definitions and allow the industry to come together and to
really identify the bad guys and help us a little bit, because
self-policing effect does have a cooling effect on those people
who would do bad things. Senator Wyden.
Senator Wyden. Thank you, Mr. Chairman. You have really
spoken for me in that regard. I think you've laid out the
challenge very well. We're going to need to work closely with
all the people at the table if we're to move this and that's
what we've tried to do so often in the past and I appreciate
your making that comment.
Just a couple of clean-up points that I'm interested in, in
terms of where we go. As you all, I think, have picked up, as
Senator Burns and I have really had a little bipartisan island
here where we have tried to kind of prosecute these causes that
obviously are complicated and technical and sort of learn as we
go, and I sort of sense a little bit of a reversal of position
in terms of you, Mr. Holleyman. I just want to kind of make
sure I'm sensing this.
When I see your suggestion that Congress, and I quote here,
simply prohibit the distribution in interstate commerce of user
information obtained electronically from an individual's
computer unless the person seeking to sell the information can
show it was collected with the user's explicit permission, and
explicit would obviously be a definition, that certainly raises
the prospect of your organization supporting a general online
privacy bill.
Now, that's something that you all have been concerned
about in the past and have wanted it to be much narrower, but I
suspect that as this gets more complicated and we deal with the
state and Federal issues and states going off on their own,
people naturally are going to start to look at this differently
without going into all of the issues that that statement raises
about whether it applies only to software downloaded to a user's
computer or to websites a user visits, there's a score of issues.
Are you all moving generally in the direction of a general
online privacy bill?
Mr. Holleyman. We're not in a position at this point to
raise a general online privacy bill. We do think that there are
very legitimate privacy issues that are being addressed in part
in the marketplace today and for most online experiences. But
what we do think is, specifically, with regard to spyware is
what we need to do is create a mechanism that dries up the
market for information that's obtained and exploited
commercially, where there is not a clear understanding that
such information can be sold and distributed.
Senator Wyden. I won't belabor this, but other than the
definitions about explicit permission, that sentence I read
sure sounds like the predicate for a general online privacy
bill, which takes us back to Burns/Wyden 1 and would, I think,
be very much worth pursuing. Chairman Burns and I have done all
of this in total lock step along the way, but we tried this
years ago and I personally would be very excited if you and Mr.
Berman possibly could guide the Committee back to what Chairman
Burns and I tried to do years ago. We're going to try and get
this bill passed because I think we've seen tremendous
unhappiness, but I'm sort of trying to, with all of you here,
to sort of lay the groundwork, because when I read that
sentence, it struck me, and I haven't compared your testimony
and everything else. That that was beyond where you all had
been in the past and was sort of encouraged about the
possibility that we might get the two of you to be a bulwark
for--look at Jerry, he's----
[Laughter.]
Mr. Holleyman. I'd be happy to talk about this any time.
Senator Wyden. I won't belabor it. I was encouraged by it.
One other technical kind of question, a security question for
maybe you, for Dr. Levine and Mr. Berman. We haven't talked a
lot about it today, but certainly this issue of security risks
with respect to downloaded software, I mean, even if the
software isn't malicious, isn't it possible that well-meaning
software could, in effect, leave the back door open, making the
computer more vulnerable to viruses and hackers?
Dr. Levine. It happens all the time.
Mr. Berman. In fact, it's the vulnerability of computers
that some of these spyware programs are exploiting, back door
vulnerabilities and creating security breaches of their own, so
that's something that we have under study and which this
working group is looking at, but it is certainly one of the
reasons why, one of the motivating reasons why we have to think
about really closing these loopholes and closing this problem
down.
Senator Wyden. That struck me as something that really
hadn't been mentioned, but we're going to think of this
primarily as something that's intrusive and violative of those
who own computers, but also strikes me as opening up a real
glide path for bad guys and an opportunity to have some real
security vulnerabilities.
Dr. Levine. I think a lot of what these programs do now
should be, probably is illegal already under--in computer
tampering laws, and it's possible that it might be useful to
have a statute that makes it more clear that this particular
kind of tampering is what you contemplated in the existing
tampering acts, so each case doesn't have to come through and
sort of educate the judge and say this sequence of events means
you broke this law.
But in general, yes, the security problems on users' PCs
are enormous and spyware jumps through some of them and causes
others.
Senator Wyden. Mr. Chairman, excellent hearing and I'm
looking forward to working with you and like we've tried so
often to sort of begin another journey and I look forward to
doing it with you.
Senator Burns. Well, and this may take more than four--I
hope it takes less than 4 years, but at least we're started. I
want to reiterate that SPY BLOCK requires notice and consent
for four types of potentially damaging software: software which
collects information about consumers and transmits it to third
parties over the Internet; adware, whose providers are required to
tell consumers what types of ads will pop up on users' screens
and at what frequency; software that modifies user settings like
changing their home page; and software that uses distributed
computing to use part of the computer's processing power in the
background.
You know, we've all time--Mr. Naider, and just one follow
up and I thought about, you've given us a good scenario on your
business, legitimate, run professionally. Give us an example of
when you go too far. In other words, just give me an example.
Mr. Naider. I'd be happy to.
Senator Burns. Just for the record.
Mr. Naider. Be happy to. A consumer installs a piece of
software in the course of installing some other piece of
software where there's absolutely no visible disclosure,
there's some disclosure buried perhaps six pages deep in the
license agreement. Once on the desktop, there's no visible
indication to the consumer that they have that piece of
software, whether it shows ads or not. It may show ads, whether
it's pop-ups or other types of ads, but there's absolutely no
indication to the consumer that those ads are coming from
software. The consumer just wonders. Or if it doesn't show ads,
the software captures things like personal information or
keystrokes or zip code location, et cetera. And then the
consumer is not given any information about the software or how
to uninstall it.
These are things that we see every day in our business and
we know that it exists and there's a full spectrum of activity
and we believe that that type of activity needs to be curtailed
for the health of the industry, for the health of consumers'
computers, for the health of the industry as well.
Senator Burns. Well, I know identity theft and of course
credit card numbers are worth lots of money.
Mr. Naider. Absolutely.
Senator Burns. And that's where the bad guys come in. Thank
you for your testimony today. We look forward to working with
all of you. We're going to leave the record open for the next 2
weeks and if there are questions from the other members of the
Committee, please respond to them and the Committee. Thank you
for coming today and these hearings are closed.
[Whereupon, at 4:07 p.m., the hearing was adjourned.]