said by Eric L. Howes:

---

I am already anticipating that the transcript will underscore the wiliness of human memory, and I will be happy to make corrections and emendations to these posted remarks where my own memory of the workshop has proved to be less than completely reliable.

---

said by Eric L. Howes:

---

Indeed, that pretty much sums up this panel: instead of working to protect consumers, this panel was more interested in protecting themselves. And to its great shame and discredit, the Center for Democracy and Technology (CDT) did almost nothing to challenge that agenda (more on the CDT in a bit).

---

said by Ari Schwartz:

---

MR. SCHWARTZ: I do think that there's a reason that Adware has gotten a bad name. And a lot of it has to do with the fact that some companies have basically decided that they will do anything they possibly can to get their software onto the user's computer, and that they don't really -- and we found that a lot of those are Adware companies. (...)

And so therefore, when Marty says, you know, there's no overlap between Adware and Spyware, I don't think that that's true. There is certainly companies that are engaging in bad practices. It's not Adware itself that makes it a bad practice, but we have seen -- Adware companies seem to push the lines by using these affiliate kind of programs in order to make it happen.

---

said by Ari Schwartz:

---

MR. SCHWARTZ: We haven't done our own research on this yet, but, I mean, anything in the 80 percent sounds very high. If it's really that high, there is a major problem.

---

said by Eric L. Howes:

---

Indeed, one of the industry reps on the panel remarked that "best practices" would necessarily have to be pluralistic and flexible -- that there could be no single set of "best practices" because we couldn't impose inflexible solutions on corporations. That kind of talk should leave no doubt in anyone's mind that "best practices" are simply not intended to set high standards for corporate behavior, but rather to allow corporations to make them into whatever happens to be convenient.

---

said by Daniel Weitzner:

---

MR. WEITZNER: I'm going to just make one suggestion. I think that best practices are great if they describe a set of practices among which application writers and users can choose.

I think that it would be unfortunate even if a diverse group, an open group, got together and said here are the things we'll allow; here are the things we won't allow. And I don't think you're suggesting that, Jeffrey, but just to be clear. Best practices doesn't mean a single list of the good things and the bad things.

Best practices I think means doing the sort of thing that the now much-mentioned CDT report -- it should have been on Amazon. It would have done really well today -- would identify a set of problematic behaviors and could identify a set of other behaviors and then let people make choices.

---

said by Eric L. Howes:

---

Moll went on to describe a portable security scanner that Webroot has developed. It's an ActiveX control that users can download and run while on potentially insecure machines (a PC in an Internet cafe, for example). This portable security application scans the entire box for malicious code (keyloggers, system monitors, trojans, etc). Moll billed it as a way for users ensure that boxes they don't control are secure.

---

said by Eric L. Howes:

---

Unfortunately, three members of Panel 6 rejected calls for new legislation to address these inadequate installation practices, insisting that current law is adequate to the task of addressing spyware problems. Mark Eckenwiler of the Department of Justice, Mary Engle of the Federal Trade Commission, and Elizabeth Prostic of the Department of Commerce all disputed the need for new legislation and claimed that U.S. regulatory agencies have sufficient authority and leeway under current law to go after spyware vendors. Each was asked the same question: "Do you think new laws are needed to address the spyware problem?" Each looked straight at the audience and said clearly and firmly, "No."

---

said by Eric L. Howes:

---

The key question is whether the FTC, under current laws against "unfair" and "deceptive" trade practices, will be able to reign in the advertising software industry, which by and large does present users with EULAs. Even a month now after the Spyware Workshop we have heard nothing whatsoever from the FTC to indicate: a) whether it thinks it can pursue enforcement action under current law against companies that use EULAs and other inadequate forms of notice and disclosure; or b) under what criteria and in what situations it thinks it could go after such companies. Although current law does allow the FTC to go after companies for "unfair" and "deceptive" trade practices, the presence of a EULA such as that used by WhenU, Gator, and C2 Media during installation enormously complicates the picture, casting doubt on the ability of the FTC to address the widespread problems with advertising software.

---

said by Mary Engle:

---

MS. ENGLE: And can I just follow up on that from -- from our perspective. The FTC law is pretty clear that, if you're going to give notice to consumers of something, it has to be clear and conspicuous, and we have actually issued a long -- you know, several years ago now, guidance to the online community called "Dot Com Disclosure," that gives you a pretty good understanding of how to make disclosures clear and conspicuous to consumers, and that includes things like, if they've got to click on a button to find out the information, that the button has to be clearly labeled, and also, labeled with the import, so that they know why they should be clicking, not -- not just click here for more info, or something like that. So, from our perspective, just because some term is buried in a four-page ULA doesn't mean that consumers have necessarily given their consent to it.

---

said by Mark Eckenwiler:

---

MR. ECKENWILER: I think the point is well taken that, if we were to try to charge somebody with, you know, a Computer Fraud and Abuse Act violation for putting up -- you know, one of these "Do you want to accept this" screens that's, you know, 25 pages long in six-point type, in a very narrow column, totally unreadable, it's not the most attractive circumstance for us to bring a criminal prosecution, remembering that we actually have a Constitutional burden to prove beyond a reasonable doubt that, as I said before, this was under 1030, without or in excess of authorization.

I think the first line of defense in such a case is going to be that the defendant was, in fact, acting within the scope of authorization, and that becomes a kind of ugly jury question. If we're going to pick and choose cases to prosecute, I think we are more likely to take cases like the Jon case, or this newly- indicted case, the Ropp case, where there just -- there's no argument that that was -- there was never any constructive notice. Never even any attempt at notice. This was, you know, purely a -- a clandestine installation.

---

said by Eric L. Howes:

---

Panel 1 (definitions of spyware/adware) was as bad as I expected it to be. Dominated by industry representatives or those friendly to the industry, the panel came to a consensus very early (and even noted that they were all essentially in agreement).

---

said by Avi Naider:

---

MR. NAIDER: And speaking for WhenU, I can say that we're quite pleased that there's unanimity on this on the panel in the sense that we're also a member of this working group.

---

said by Eric L. Howes:

---

Avi Naider from WhenU pursued exactly this line, claiming that most WhenU users were quite aware of the installed software on their computers. In a somewhat bizarre move, Naider attempted to back this claim up by pointing out that of roughly 100 million WhenU installations, 80 million had been uninstalled. He claimed that the fact that users had uninstalled WhenU demonstrated that they were aware of the installations. There are all kinds of problems with this argument, which I won't bother to cover here.

Suffice it to say it was at that moment that Rob Cheng and Dave Methvin of PC Pitstop (the outfit sued by Gator/Claria last fall, by the way) began distributing their new survey of WhenU users that tells quite another story: over 80% of WhenU users are NOT even aware that the software is installed on their computers.

---

said by Avi Naider:

---

MR. NAIDER: I'm not sure that the PC Pitstop refers to WhenU specifically. I haven't seen that information. But just answering the question in general, there are certainly software applications out there that are not installed with user consent. We would agree to it. Very specifically, it's all in how you do it. (...)

And what I can say very specifically is in the case of WhenU, we've done over 100 million unique installations of our software. Eighty million consumers have removed it.

Now, what does that tell you? What it tells you is that we still have to make sure that the software that we bundle with is better and better value for consumers, because not all consumers want to see advertising supported by software if they don't value the software highly enough.

But what it tells you is that 80 million people can remove it. Clearly, 80 million people means that you have a mass market audience that makes a choice and makes a decision, and consents both upon the installation and consents on an ongoing basis to the software. And by that definition, if you adhere to standards, it's a very consent-driven type of model.

---

said by Eric L. Howes:

---

The low point for WhenU must have come during Panel 3, when Chris Jay Hoofnagle from the Electronic Privacy Information Center (EPIC.org) pointed out that Ben Edelman's research, which reported the results of some extremely clever and tenacious packet sniffing, raised the prospect that WhenU was violating its own privacy policy by collecting and transmitting certain personally sensitive data.

---

said by Eric L. Howes:

---

Audience members (including this author) were allowed to put questions to the panelists, but we had to do so via question cards submitted to an FTC employee for vetting. Of the five questions I submitted over the course of the day, one was accepted and read to one of the panels. (I asked how panelists could place such faith in consumer education when 10 plus years of education on viruses and antivirus software has been a demonstrable failure. None of the panelists addressed the question square-on.) Some of the other anti-spyware folks got some of their own questions accepted as well, though the answers they received were often less than responsive.

---

said by Eric L. Howes:

---

A few of the panelists were quite open about what they were attempting to do, stating flatly that "adware is simply different than spyware, and people have got to understand that" -- as if they alone could establish the difference through some sort of declarative fiat without the input or suggestions of others. This was but one of several moments during the day when the arrogant, obstructionist, anti-consumer agendas of those represented on various panels were nakedly on display and visible to all who cared to look.

---

said by Marty Lafferty:

---

MR. LAFFERTY: And I'll just add that there is no overlap between Adware and Spyware. They're mutually exclusive. Adware is presumptively legitimate. It's a terrific business model for providing valuable software to consumers at no cost in exchange for accepting some advertising.

---

said by Eric L. Howes:

---

One of those commercial interests was WhenU.com, represented by its chief executive Avi Naider, who insisted at one point that the word spyware "was never meant to include software-based advertising...It's pro-consumer; it's pro-competition; it's pro-competitive. (It's) one of the most promising technologies that exists on the Internet today."

---

said by Avi Naider:

---

MR. NAIDER: Spyware was never meant to include software-based advertising, which is what legitimate Adware is. And very specifically, it's software on a consumer's computer that has been installed at the consent of the computer -- of the consumer, makes it very clear to the consumer what it's doing, can be removed easily by the consumer, and effectively gives the consumer potentially relevant valuable information. Specifically, as the consumer traverses the web, software-based advertising can deliver things like retail coupons. (...)

So in theory, the concept of Adware or software-based advertising is extremely pro-consumer. It's pro-competition. It's pro-competitive. And if done with proper notification, consent, and the consumer's ultimate control over the computer, which is the key point -- and I think Ari said it before -- the consumer has to understand that they have this type of software, has to have the ability to remove the software, has to be made clear when the software is generating coupons and ads. In that case, you have a very legitimate, a very promising technology that actually promises to reduce prices for consumers and to make the Internet a more competitive place. (...)

But it's very important to understand that legitimate software-based advertising, not only is it very clearly not within the definition of Spyware, but it's actually one of the most promising technologies that exists on the Internet today. And if allowed to evolve, it will make the Internet a very, very exciting place over the next decade.

---

said by Eric L. Howes:

---

The Utah bill's requirement of an uninstallation method provoked still more comments from one of the panelists, who warned users to "be careful what you ask for."

---

said by Mark Bohannon:

---

MR. BOHANNON: Ironically, if you give across-the-board ability to uninstall, we have got to have a very strong caveat emptor. Because many things are put in place to insure the continued functionality of software, and that the ability of a consumer -- and because I believe this issue is about more than consumers, but also about business users uninstalling. Just be careful what you're asking for here, because you could, in fact, lead to greater frustration, less security, less ability to manage your personally-identifiable information if it is, in fact, a categorical right to uninstall.

---

said by Eric L. Howes:

---

Chris Jay Hoofnagle of the Electronic Privacy Information Center (EPIC.org) did manage to bring the discussion around to several useful points, though. First, Hoofnagle was the only panelist at the entire workshop to point the finger at Microsoft for providing the technological means for advertising software vendors to confuse and bamboozle users, install software without their full knowledge and understanding or meaningful consent, and hijack their browsers and PCs. Hoofnagle rightly noted that Microsoft's overly powerful ActiveX technology -- with its integration of mobile code straight into the operating system as well as the confusing manner in which ActiveX controls are installed through Internet Explorer -- opens too many doors for advertising software vendors to walk through and puts users on the defensive.

---

said by Chris Jay Hoofnagle:

---

MR. HOOFNAGLE: One, I think it's hard to look at this issue without looking at Microsoft. I think it's probably too easy to write to the critical areas of the registry that allow programs to start at boot. Similarly, it's too easy and there is not enough user understanding of the start up folders, which trigger software that you might not want to run.

---

said by Eric L. Howes:

---

Second, though, Hoofnagle usefully pointed out that Panel 3's discussion of privacy principles -- or, more formally, Fair Information Practices -- tended to reduce those principles to but two of four (notice and choice), when in fact internet users ought to be extended protection through a full range of Fair Information Practices.

---

said by Chris Jay Hoofnagle:

---

MR. HOOFNAGLE:The Federal Trade Commission defines substantive privacy rights as notice, choice, access, security and accountability.

I think it's very important that we not allow privacy to be watered down to this idea of notice and choice in this debate or in others.

---

said by Eric L. Howes:

---

Hoofnagle's comments were a refreshing change from those of several of the other panelists, who enthused over the privacy initiatives of industry front groups like the Network Advertising Initiative (NAI), as if these organizations could be trusted or expected to do anything substantive to protect users' privacy in the face of voracious industry demands for access to users' desktops -- the next frontier or market in online advertising -- and all manner of data about users and their online behavior.

---

said by Ronald Plesser:

---

MR. PLESSER: I don't know that I -- I think a notice is a notice. Some are better than others. I think we have seen -- I don't know that I've seen any in the privacy area, in spyware. I've seen some where the computer will serve you ads that they think will be of interest to you. I think those are usually pretty straightforward. When those ads come in, those alternative ads come in, they have little logos on them, or some of them do, that say this is being served to you by XYZ network, and it's different from where you originally went.

I don't think it's all that difficult, but I think there can be notices that can be workable. Again, I think the DMA is working on this stuff. I think it's important. I think one of the principles that we are working on with the DMA is to make sure these notices are obviously out there before the stuff comes onto the system, that the notice is given prior to installation.

---

said by Eric L. Howes:

---

In one of the more nauseating moments of the afternoon, FTC Commissioner Mozelle Thompson quipped that the FTC was happy to hear the views of the large companies represented on the panel because they were truly the "elected" representatives of consumers. The corporate reps smiled at this bit of bureaucratic groveling before business interests, as Thompson was in fact chirpily parroting one of Corporate America's most cherished and noxious propaganda lines -- namely that the market is equivalent to democracy, and that the public, democratic institutions in which citizens actually participate (or are supposed to participate) are comparatively illegitimate. On this view, America is a democracy of consumers -- one dollar, one vote -- rather than a democracy of citizens.

---

said by Mozelle Thompson:

---

COMMISSIONER THOMPSON: At the same time, you have many of those same pressures, because even though you're not elected, they elect you every day when they decide whether to buy or not to buy or to participate or not to participate. And that's where we have the same challenge.

---

said by Eric L. Howes:

---

In other words, "consumer education" in this scheme of things isn't really education as we normally understand it; rather, it's public relations and propaganda -- manipulating consumers into the "correct" ways of thinking about the software. And this was made perfectly clear by the several industry representatives on Panels 1 and 4, who insisted over and over that we get it into our heads that their software is "adware" not "spyware." Indeed, one of the representatives on Panel 4 (though just who I am at a loss to recall) let the cat out of the bag when he or she helpfully explained that "we need to educate consumers so that they understand what this software really is." A more naked, forthright statement of just what the industry has in mind for consumers would be hard to come by.

---

said by Chris Kelly:

---

MR. KELLY: So I think that that can go hand-in-hand with a consumer education campaign oriented towards explaining to people the difference between client software and spyware.

---

said by Jules Polonetsky:

---

MR. POLONETSKY: I'd comment on a couple of different levels, one on the comparison to some of the other self-regulatory processes. I think one of the reasons why on the network advertising initiative side of the world things end up working is you could really could sit most of the relevant players who were doing this on any scale around the table.

They all were public or soon-to-be public companies that were, you know, part of the civil debate part of the world, and you could say to them, look, you all need to do an awful lot more to explain your business practices, because people have concerns about them. So step up, do more, work harder, bother your customers, make them do more.

---

said by Eric L. Howes:

---

The irony of this "security application" was not lost on Steven Bellovin, Fellow with AT&T Labs-Research, also on the panel. Noting that mobile code is one of the biggest security problems in Windows, he quipped that Webroot's portable security scanner was one of the "scariest things" he had yet heard about at the workshop.

And Bellovin was right, of course, because what Moll had unwittingly pointed out is that ActiveX controls can be used to import and run completely foreign code of unknown provenance at the user's discretion on boxes that the user ostensibly shouldn't control.

---

said by Steven Bellovin:

---

MR. BELLOVIN: I think there are a number of mistakes we can point to, but to me the biggest mistake the industry made was deploying mobile code without adequate safeguards.

The scariest thing that I heard today was it's possible to write an ActiveX control to scan a machine for spyware. You have a control that's that powerful that can roll with those permissions, my God, what else could it have done?

---

said by Eric L. Howes:

---

To his credit, Daniel Weitzner of the World Wide Web Consortium (W3C), one of the prime forces behind the P3P specification, expressed his skepticism of such an adaptation of P3P, though he said he wouldn't completely dismiss the idea.

---

said by Daniel Weitzner:

---

MR. WEITZNER: I have to say, I'm slightly on the fence here about how much a labeling approach can really accomplish when it comes to spyware. And I think it can probably help some, but the history of trying to label things on the web I think is really instructive here. I think if you look at both privacy on the one hand and things like pornography and spam on the other hand, you see the sort of limits and benefits of labeling.

---

said by Eric L. Howes:

---

Although at times appearing a bit uncomfortable with speaking to such a large audience, Ms. Baird nonetheless made her boss's position quite clear: that new legislation is needed to protect consumers against the invasive, destructive software currently being distributed by the advertising software industry. While she acknowledged the potential benefit of "industry self-regulation," consumer education, and enforcement of existing laws against the more unscrupulous spyware distributors, Ms. Baird firmly and unambiguously insisted that those actions were simply not adequate to the job. Moreover, she rejected calls from the industry and others to study the issue more and allow the industry itself to address the problem. "That's just not how things work in Congress," she said, and went on to describe Rep. Bono's work on her own anti-spyware bill...

---

said by Jennifer Baird:

---

MS. BAIRD: Another thing has been -- another thing that we heard from industry has been, you know, self-regulation is the answer, but we can't really come up with best practices yet.

So, in other words, what we're hearing is, this is a problem, it needs to be solved, but we don't know how, so just hold on.

And that's not how it works in Congress, and, you know, as a member of Congress, my boss has the responsibility to do all she can to protect her constituents from downloading onto their computer that they use for personal, you know, banking and for credit - - you know, buying things through their credit card and so on and so on. She has the responsibility to make sure that they have confidence when they're using their computer, and that that information won't be shared.

And another thing that, of course, has been said is, legislation is just the wrong answer. This can only be done through self-regulation.

I would say that we can't sit around and just think about it and talk about it for days and nights in a year, we do have to act. But that being said, I do think that industry self-regulation is a very important aspect of this, and my boss understands that legislation by itself will not stop the problem, but it is a step in the right direction. It is a step in the right direction that people know what they're downloading onto their computer before they download it.

---

said by Eric L. Howes:

---

Thus, it was helpful and encouraging to listen to the remarks of Utah State Rep. Stephen Urquhart, the principle force behind the Utah bill. Urquhart was quite impressive throughout his comments. Demonstrating a firm grasp of the issues, Urquhart rejected the flim-flam objections and diversions from the industry, quickly batting them down. Describing his own experience drafting the Utah bill, Urquhart remarked that he and his colleagues in the Utah House received no useful input from the industry, which simply wanted to kill the bill, as should be apparent from the several industry comments publicly available (see the NetCoalition above, for example).

---

said by Steve Urquhart:

---

MR. URQUHART: I mean, constituents, they demand results. They're sick of this stuff. And so I've heard a lot of handwringing here today, and I think it is great that we do need best practices, we need education, we need technology, but we also need regulation.

I mean, how do you stop bad guys? You have a neighborhood watch? You have education to pick up your newspapers. Don't leave them sitting around. You have technology, you have alarms and bars, but at the end of the day, you've got to have laws and a cop on the beat. And so we've put a cop on the beat.

---

said by Steve Urquhart:

---

MR. URQUHART: Yeah, let me point out that, in Utah, like in most states, we don't write our laws into - - in stone. We don't chisel them in stone, we write them on paper, and so, we have made it plenty clear to industry, and to all parties, that we wanted their input.

And about the only input we got during the sessions was, don't do it. Let -- for Heaven's sake, let the feds deal with this, and, you know, that -- that's not acceptable to my consumers. And so, this was brought forward by an industry member, saying put in an operating system, and currently, in the law, they could argue that this is a vital component of the operating system, then it would be exempted out.

---

said by Declan McCullagh:

---

A bill sponsored by Rep. Mary Bono, R-Calif., to ban spyware, goes much further. Bono defines spyware as "any software" that "transmits" personal information -- a category that would include any e-mail client (because it transmits a "From: address") and many Unix utilities. FTC officials recently criticized it as a bad idea.

---

said by Will Rodger:

---

Sometimes, it feels good to pass these laws, but they're not going to have an effect on the problem...We often see bills come through with the greatest of intentions. But as they say elsewhere, you can't suspend the laws of physics.

---

said by Michael Cowden, CBS Marketwatch:

---

Beales also argued that the Bono bill didn't provide a workable definition of "spyware." "We need to determine if there is a definable class of software that can truly be called 'spyware,' " he said.

---

said by Pest Patrol:

---

We contend that only a combination of consumer education and protection, disclosure through legislation, and active prosecution will provide the answer needed to address the spyware threat, right now. None of these solutions by themselves is enough, and while we advocate and applaud industry self-regulation, we do not believe that it alone will be speedy enough or dramatic enough to address the spyware problem.

---

said by Eric L. Howes:

---

(This advertising) technology is promising -- at least from the perspective of the advertising community. This technology -- hijackware, spyware, ad-ware, or whatever you choose to call it -- has an enormous potential attraction for advertisers: the ability to put advertising right on users' desktops, to convert their computers into fancy direct marketing machines, and to capture eyeballs in a way no other form of online advertising has yet been able to do.

Remember the rage in the media some years ago over "push" technology? (And this enthusiasm for "push" technology was largely confined to the media -- ordinary actual users hated it.) "Push" technology promised to solve one nasty problem for traditional media folks -- esp. advertisers -- created by the internet: namely, the independence and autonomy of internet users. Commercial advertisers prefer a captive audience with little autonomy. Despite all the blather about responding to consumer demand, they'd rather control a medium where they can "push" content down to users rather than respond to the demands of users -- it's simply much easier and less expensive to do it that way. "Push" technology died a predictable death because users hated it -- they wanted to be in control of their online experience, not let their use of the internet turn into a high-tech version of TV.

In truth, "push" technology hasn't completely died: it went into hibernation or incubation and was reborn as "spyware" or "hijackware" or "ad-ware" -- whatever you prefer to call it. "Hijackware" is merely the latest incarnation of "push" technology. And it is enormously attractive to advertisers. This kind of software technology allows advertisers to grab eyeballs, so to speak, right on the desktop and push unwanted commercial content down on users who have tremendous difficulty escaping it. For advertisers it's a dream come true: the ultimate captive audience. For normal web surfers it's the ultimate nightmare.

As I said, the technology has a bad reputation right now, and many advertisers have stayed away -- for now. But that's changing. At the moment this kind of technology is more prevalent on porn sites and crackz/warez sites. But remember: it is well known that the online porn industry serves as a kind of "test bed" for new technologies and business practices. Technologies and practices that were once the exclusive province of porn sites just a few years ago are now commonplace on the "mainstream" internet. Moreover, as any number of spyware distributors themselves have argued, spyware could very well become an attractive means for large, "mainstream" online entities to push their commercial messages on users, especially given the problems that have plagued the online advertising industry over the past few years.

We're already seeing signs of this growing interest among "mainstream" commercial entities, as I pointed out above. Not only are outfits like WhenU and Claria attracting investors and clients, but very large and respected online entities have gone to bat against the anti-spyware legislation recently introduced into the Utah state legislature and the U.S. House of Representatives. (...) If you read carefully, you'll notice that once you get past the usual nonsense about "stifling innovation" and so forth their real concern becomes quite clear: that such anti-spyware legislation could kill the hijackware advertising market.

---

said by Eric L. Howes:

---

At the risk of sounding alarmist, I would say that we stand on the threshold of a potentially enormous change in the way normal folks use the internet and the kind of autonomy they have -- the amount of control they can exert over their online experience. There are powerful entities who would prefer to turn the free, open internet into one vast corporate playground -- a high tech version of TV -- and "hijackware"/"spyware"/"adware" could very well be one of the technologies that allows them to realize their radical agenda.

---

said by Commissioner Swindle:

---

The debate that has ensued about spyware reminds me of the early dialogue we had about privacy policies, that was filled with a lot of emotion and calls for regulation. As a result of a continuing and energetic dialogue between industry, government, and consumer groups, industry responded to the public’s demand for greater disclosure and better privacy notices — without legislation. Today, almost 100% of the most frequently visited websites offer some form of privacy notice.

---

said by Eric L. Howes:

---

My system slowed dramatically, becoming increasingly sluggish as more programs executed and loaded into memory. ... Web surfing speed also declined, presumably because there were so many programs exchanging data with external network entities (uploading information, downloading advertisements) and consuming bandwidth. I even experienced random browser crashes, undoubtedly because of the sheer number of pop-ups, toolbars, and programs clambering for attention on my system.

---

said by C2 Media:

---

A number of (the) public comments (to the FTC about spyware) indicate a misperception about "adware" and how it differs from "spyware" ... Legitimate adware is installed with an EULA and uninstaller --- usually in exchange for a free software product or service. Adware does not monitor or "spy" on a user. Adware only exists as an advertising channel to a subscriber base, much like cable networks retain time blocks on all channels on their network to display advertising. The user has agreed to be a subscriber of that particular advertising network in exchange for a product or service. With the acceptance of an EULA, this becomes a binding contractual agreement between the two parties. If a user believes his computer has been "invaded" by an advertising network associated with software he previously had chosen to install, he remains free at all times to simply uninstall it and "opt out" of the advertising network.

---

said by B :

---

Huh? I thought you said this was your own home PC? Don't you trust your own habits?

---

said by Bobby_Peru :

---

Do you think the chances of success of taking the Utah statue as a starting point in a net-based campaign to gather support for lobbying for serious legislation are as dismal as they may appear?

---

said by B :

---

What about Option 3: surf safely and/or use a browser other than IE, don't install garbage software infested with spyware, and be careful with all executable files and e-mail attachments? (Working as a non-admin is a good idea too, but is unworkable for most.)

---

Ahh yes, the "stay above the fray" approach. Sorry, not practical. Not even based in reality. This isn't a problem you can blame-shift to user behavior.]]> http://www.dslreports.com/forum/remark,10047454 Thu, 22 Apr 2004 23:10:04 EDT http://www.dslreports.com/forum/remark,10047359 B :

said by jap :

---

Bingo. Though at the public machines I used to admin a local system image re-cast every night - or when someone hit the "rebuild this PC" button on the desktop. I'm -tonight- trying to decide which approach will be less work for my homePC: try to unhook all the MScrap from the sys partition & maintain a clean, updated image or keep constantly sweeping with 4-8 scanners that don't get everything anyway.

---

What about Option 3: surf safely and/or use a browser other than IE, don't install garbage software infested with spyware, and be careful with all executable files and e-mail attachments? (Working as a non-admin is a good idea too, but is unworkable for most.)

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,10047359 Thu, 22 Apr 2004 22:59:04 EDT http://www.dslreports.com/forum/remark,10047320 jap : Damonlab said:
"Maybe it is time to start thinking about ghosting every machine and pushing out a clean image once a month."

Bingo. Though at the public machines I used to admin a local system image re-cast every night - or when someone hit the "rebuild this PC" button on the desktop. I'm -tonight- trying to decide which approach will be less work for my homePC: try to unhook all the MScrap from the sys partition & maintain a clean, updated image or keep constantly sweeping with 4-8 scanners that don't get everything anyway.]]> http://www.dslreports.com/forum/remark,10047320 Thu, 22 Apr 2004 22:55:57 EDT http://www.dslreports.com/forum/remark,10046770 Bobby_Peru : Thanks Eric for _all_ of your many efforts, including taking the time for such informative updates as these. It's tough to find the positive in such experiences when they only serve to highlight just how far every aspect of life has been commodified, and democracy distorted. We are no longer even citizens, as much as "consumers" "between the forceps and the stone." So few seem sufficiently aware enough to care, far less to resist.

Do you think the chances of success of taking the Utah statue as a starting point in a net-based campaign to gather support for lobbying for serious legislation are as dismal as they may appear?]]> http://www.dslreports.com/forum/remark,10046770 Thu, 22 Apr 2004 22:02:55 EDT http://www.dslreports.com/forum/remark,10038251 eburger68 : Hi All:

Now that I've a bit more time, let me extend and expand upon my earlier comments on the FTC Spyware Workshop. I'll organize these comments around the six panels. Since I've now had a chance to see the panelists in action and listen to their contributions, I'll update where appropriate the "rating" that I assigned each panelist in a previous thread ( »FTC Spyware Workshop Panelists - Worries... ):

X - industry/corporate friendly
U - unknown/undetermined
P - privacy friendly

Panel 1: Defining, Understanding, and Disseminating Spyware

Panelists:

X - Ed Black, President & Chief Executive Officer, Computer & Communications Industry Association
X - Mark Bohannon, General Counsel & Senior Vice President Public Policy, Software & Information Industry Association
X - Marty Lafferty, Chief Executive Officer, Distributed Computing Industry Association
X - Avi Naider, President & Chief Executive Officer, WhenU.com, Inc.
X - Ari Schwartz, Associate Director, Center for Democracy and Technology

Note: see Bill Pytlovany's blog ( »www.mysteryware.com/blog.html ) for photos of the panel one participants.

Protecting Commercial Interests, not the Public

In the first post of this thread I described how this panel initially described the term "spyware" as too difficult to pin down, only to do a complete about-face when they sought to distinguish their own software (or the software of the interests that they represented) from "spyware."

This panel was not only predictable, but frustrating and even enraging. In my own comments on the term "spyware" ( »www.staff.uiuc.edu/~ehowes/junkware.htm ) I wrote: "Definitions and terms ought to help us understand the world and grapple with the problems that it presents, not stand in the way of our efforts to solve those problems." None of the panelists for panel one was interested in crafting a definition of "spyware" that would address the problems of consumers, however.

This panel should have been striving to define spyware (technologically, behaviorally, or otherwise) in order to help the FTC and legislators identify the kinds of software that consumers are complaining about so as to give those consumers relief from the obnoxious, destructive business practices of advertising software vendors. Instead what these panelists did was attempt to exempt their own software and the software of their clients from the category of "spyware" in order to protect their own interests. Indeed, that pretty much sums up this panel: instead of working to protect consumers, this panel was more interested in protecting themselves. And to its great shame and discredit, the Center for Democracy and Technology (CDT) did almost nothing to challenge that agenda (more on the CDT in a bit).

A few of the panelists were quite open about what they were attempting to do, stating flatly that "adware is simply different than spyware, and people have got to understand that" -- as if they alone could establish the difference through some sort of declarative fiat without the input or suggestions of others. This was but one of several moments during the day when the arrogant, obstructionist, anti-consumer agendas of those represented on various panels were nakedly on display and visible to all who cared to look.

Just why the FTC would choose for a panel charged with defining "spyware" panelists whose only contribution would be the plea "whatever it is, it's not what we're doing" is beyond me. The public was not represented on this panel at all (despite the presence of the CDT, for reasons I provide below), and the panel did nothing to protect or advance the interests of the public, only a narrow class of commercial interests.

WhenU's Avi Naider

One of those commercial interests was WhenU.com, represented by its chief executive Avi Naider, who insisted at one point that the word spyware "was never meant to include software-based advertising...It's pro-consumer; it's pro-competition; it's pro-competitive. (It's) one of the most promising technologies that exists on the Internet today" ( »zdnet.com.com/2100-1104_2-5195222.html ). Setting aside the fact that the term "spyware" was first used in this context during the summer of 2000 to describe advertising software from such companies as Aureate/Radiate and Cydoor, Naider's assertions are simply preposterous.

Nothing about WhenU's software is "pro-consumer." Rob Cheng and Dave Methvin of PC Pitstop have effectively demonstrated ( »www.ftc.gov/os/comments/spyware/···stop.pdf ) that the vast majority of consumers with WhenU's software are simply not aware of its existence on their computers. Moreover, Ben Edelman's research on WhenU ( »www.ftc.gov/os/comments/spyware/···lman.pdf ) strongly suggests that WhenU is likely violating its own privacy policy by collecting and transmitting personally sensitive data. Finally, Stephen Urquhart, State Representative in the Utah House of Representatives, showed WhenU's license box during panel 6 -- a box so small that it effectively discourages users from looking too closely at the terms of agreement. Given that Naider consistently maintained that what sets "adware" (and WhenU's software) apart from "spyware" is the provision of notice and disclosure during installation that allows consumers to make an informed choice to voluntarily install WhenU's software, these failings are quite damning.

Naider claimed that, contrary to the numbers presented by PC Pitstop, most users do knowingly consent to the installation of WhenU's software. As evidence he offered the fact that of 100 million WhenU installations, consumers had uninstalled WhenU's software in 80 million of those cases. Naider reasoned that if 80 percent of users who installed his software were able to uninstall it, then the consumers must have been aware of the software from the outset. This argument is extremely flawed, however, because Naider provided no information about the nature and performance of those uninstallations or even how WhenU managed to calculate the number of uninstallations (Does the uninstaller report back to WhenU? Is WhenU simply subtracting the number of active users from the number of known installations?).

I strongly suspect that the vast majority of those WhenU uninstallations represent consumers who discovered WhenU's software on their systems after the fact and somehow managed to uninstall it. Many of those users may have discovered WhenU's software through the use of an anti-spyware app such as Ad-aware or Spybot Search & Destroy. Still others may have discovered the software when they turned to a knowledgeable third party (a friend, a computer repair shop) for help with their computers. Whatever the case, the number of uninstallations tells us very little about the circumstances of the installations themselves and whether consumers were properly informed of the software installation and the functionality of that software. On this issue as with so many others, Naider was simply spinning fairy tales.

Naider's claim that his software is represents one of "most promising technologies that exists on the Internet today" would be laughable were it not indicative of the enormity of the threat that this class of software poses to consumer autonomy on the internet. As I remarked in an earlier post ( »What's the *motivation* for hijack-ware? ), this software technology is indeed regarded as "promising" by advertisers and media companies because it seems to offer commercial interests the ability to control consumers' experience of the internet through "push technology." For consumers themselves, however, nothing about this technology is "promising" -- it is an unmitigated disaster.

Indeed, in my own comments to the FTC ( »www.staff.uiuc.edu/~ehowes/ftc-comments.htm ), I told the story of helping one of my students remove unwanted software from her PC -- software that had all but trashed the computer and rendered it unusable. One of the more obnoxious pieces of software on that box was WhenU, which interfered with my student's use of her computer and which she no idea how to remove (much less an idea how it had gotten on her box in the first place).

That the first panel at the FTC's Spyware Workshop offered Naider's WhenU as a representative example of "adware" (as opposed to "spyware") is instructive, given what else was demonstrated about WhenU's software by later panelists and other workshop participants. Even this lame attempt to distinguish "adware" from "spyware" fell through because the software in question turns out to be exactly the kind of software that consumers are complaining about. Anyone working daily in trenches to protect the public against "spyware" could have explained this problem to the panel, but the panel did not have any reliable, recognized representatives of the public's interest.

Anti-Spyware Legislation

Almost all of the panelists expressed their strong disapproval of anti-spyware legislation such as the bill recently passed in the Utah House, citing potential problems with an overly broad definition of "spyware" that could make illegal perfectly innocuous, and even popular types of software. The examples offered up by the panel, were simply laughable. One panelist asserted that instant messaging software" would become illegal under the Utah bill, yet failed to explain just how or why such would be the case. Another example pointed to was security software and updates; again, the panelist failed to explain clearly how such software would be illegal under the Utah bill.

One other type of software offered up as an example of "collateral damage" resulting from the Utah bill was parental control software (i.e., software used by parents to censor porn on home computers to protect children). The panelist who used this example asserted that since the Utah bill requires software to "provide a method ... by which a user may quickly and easily disable and remove the software from the user's computer" ( »www.le.state.ut.us/~2004/bills/h···0323.htm ), parental control software would be illegal since it protects itself against uninstallation by children. This argument is, of course, absurd on its face because such software does provide an uninstallation method to the parents who install the software in the first place.

The Utah bill's requirement of an uninstallation method provoked still more comments from one of the panelists, who warned users to "be careful what you ask for." His argument was that most consumers are unaware of the vast majority of software that is installed on their systems because a good part of that software is installed as part of a larger program (e.g., Microsoft Office or Windows). Indeed, the uninstallation requirement raises the question of just how "software" itself, which is almost infinitely modular, is to be defined. (Interestingly, this very question was at the heart of the Microsoft anti-trust case because MS asserted that Internet Explorer was not a separate software program, but rather an integral part of the Windows operating system.) If software vendors were required to provide uninstallation methods for all software, it was argued, they might be forced to provide uninstallers for software that was critical to the functioning of programs that consumers knowingly installed and even the operating system and computer itself. Thus, consumers would be at risk of uninstalling critical software components and rendering their programs and computers inoperable.

This objection has some merit, but at the end of the day it cannot be taken as a reason to reject the uninstallation requirement. At best, it means that legislators need to take care that the uninstallation requirement apply only to uniquely defined software modules that are installed independently of other software on the computer, and that software manufacturers be given leeway to protect software modules that are indeed critical to the functioning of the PC.

Allowing software vendors to install software behind consumers' backs without providing an uninstallation method is simply bad business. Indeed, it is precisely because so many advertising software vendors have neglected to provide conspicuous, reliable uninstallation methods that consumers have resorted to questionable, ad hoc uninstallation methods that risk damaging their computers or rendering them unusable. An uninstallation requirement for advertising software would only reduce the likelihood that consumers would unwittingly damage their systems.

Bad Behavior vs. Bad Technology

Almost all of the panelists urged FTC to focus on "bad behavior" or "practices" instead of technology. Although this distinction does have much to recommend it, such a distinction still needs to be fleshed out with concrete examples, none of which were offered by the panelists themselves. Is homepage hijacking, for example, a technology or a behavior? Is the use of contextual pop-up advertising a technology or a behavior? Is the addition of porn-related toolbars to users' browsers a technology or a behavior?

I would argue that each of these examples represents behavior in the sense that they are business practices embodied in code. I strongly suspect, however, that the panelists who urged a focus on "behavior" over "technology" would prefer a much narrower definition of "behavior" so as to hamstring legislatures and governmental agencies and prevent them from taking action against the more obnoxious business practices of the advertising software vendors.

The Center for Democracy and Technology (CDT)

This seems a good point to address the performance of the Center for Democracy and Technology (CDT), represented on panel one by Associate Director Ari Schwartz. Careful readers of my previous comments on the workshop panelists ( »FTC Spyware Workshop Panelists - Worries... ) will note that I have changed the CDT's rating from U (unknown/undetermined) to X (industry/corporate friendly). There are several good reasons for that change.

In the several documents that the CDT has released over the past six months (see »www.cdt.org/privacy/spyware/ ), including its comments to the FTC ( »www.ftc.gov/os/comments/spyware/···tech.pdf ), the CDT has attempted to position itself as the leading representative of the public's interest on the issue of spyware. The CDT has even filed one complaint with the FTC against the company behind SpyWiper, a notorious software vendor that used deceptive scare tactics to stampede users into buying its "anti-spyware" product.

While it is tempting to regard the CDT as a potentially useful voice on this issue, its several actions and initiatives cast doubt on its ability to represent the public's interest. The CDT's performance on panel one was simply abysmal, as it did nothing to resist the agenda being advanced by the commercial interests represented on the panel, effectively leaving the public without a strong voice on a question (how to define "spyware") that is absolutely critical to addressing the problems with "spyware." Instead of challenging the other panelists' attempts to protect their own commercial interests, Ari Schwartz sat silently by, blithely allowing one panelist after another to exempt themselves and their software from the category of "spyware" and enabling them to promote an obstructionist agenda that threatens to prevent any action whatsoever being taken to protect the public's interest.

The CDT's preferred course of action, it would seem, is "industry self-regulation" -- an absurd concept that I disparaged in an earlier post. To this end, the CDT has put together a "Consumer Software Working Group," outlined in a position paper that it distributed at the workshop (also available online: »www.cdt.org/publications/pp_10.07.shtml ). At the outset of that paper, the CDT states:

said by CDT:

---

The Consumer Software Working Group is a diverse community of public interest groups, software companies, Internet service providers, hardware manufacturers, and others that
are seeking consensus responses to the concerns raised by practices that harm consumers.

---

The name of this "working group" is extremely misleading, though. Among the industry interests represented are:

America Online
Business Software Alliance
Claria Corporation
Dell, Inc.
Distributed Computing Industry Association
EarthLink
eBay
Google
Information Technology Industry Council
Internet Commerce Coalition
Microsoft
Network Advertising Initiative
Privacilla.org
Sharman Networks
TRUSTe
WhenU
Yahoo!

In fact, two of these members were on panel one with the CDT (the DCIA and WhenU).

There are several other members of this "working group":

Center for Democracy and Technology
Consortium of Anti-Spyware Technology Vendors
Consumer Action
CryptoRights Foundation
Electronic Frontier Foundation
Lavasoft
Peter Swire, Moritz College of Law of the Ohio State University2
Webroot Software

Several of these individuals, organizations, and companies certainly do represent the public's interest in some way. Still others are of dubious and questionable value as advocates for the public interest, however, either because their stance on spyware is unknown (Peter Swire) or because their statements to date cast doubt on their ability to fully understand the threat of spyware to the public interest (EFF, CDT).

However one chooses to tally up this list of members, it is clear that this is not a "consumer" group that represents the interests of the public, but rather an industry protection racket whose sole goal is to use the false promise of "industry self-regulation" as a roadblock to strong governmental action that might give consumers relief from the bad practices and intrusive technologies of commercial interests.

As I have noted in several other places (see »www.staff.uiuc.edu/~ehowes/priv-pol.htm#that) "industry self-regulation" initiatives -- including privacy policies, as well as such complementary efforts as 3rd party trustmarks (e.g., Truste and the like) and P3P compact policies -- are best understood not as strong policy initiatives designed to curb unscrupulous business practices, but rather as public relations efforts designed to allow the advertising and marketing industry to continue using its preferred practices and technologies with a minimum of public protest. Rather than reigning in objectionable corporate behavior, these efforts are designed to minimize public resistance to invasive advertising technologies and thus support the ability of commercial interests to use those technologies, of which one of the more "promising" instances is "spyware" or advertising software itself.

These public relations campaigns need the support of other reputable organizations, however, to lend such PR efforts credibility and give the appearance that "industry self-regulation" might be a viable alternative to governmental regulation and consumer protection. And that is the role the CDT appears to be playing on this issue. The CDT's working group gives commercial interests the public relations cover they need in order to protect their technologies and business practices from governmental oversight and regulation. Crucially, the CDT's working group provides these companies with the "positive," "consumer friendly" umbrella they so desperately desire when facing critical scrutiny from the media.

I don't doubt that the CDT would take strong exception to these criticisms of its role to date on the spyware issue. Indeed, I would expect that the CDT would protest that their working group is an attempt to find common ground on an issue that threatens to divide commercial interests from the public and that this "common ground" has a much better chance of building solutions that protect the public's interest without crippling the commercial potential of the internet.

It is difficult to discount the value of finding "common ground" on a vexing issue like "spyware," which implicates the interests of a wide variety of people, companies, and organizations. Given the past results of "industry self-regulation," however, it is even more difficult to take this kind of "self-regulatory" effort seriously. The industry headed off previous attempts to provide consumers with strong privacy protection online by using the promise of "industry self-regulation." As I noted in my comments to the FTC ( »www.staff.uiuc.edu/~ehowes/ftc-comments.htm ):

said by Eric L. Howes:

---

What the industry came up with...has been something less than a smashing success. Faced with serious consumer complaints about privacy violations, the industry essentially declared, "Let them eat privacy policies!" Even the addition of a meager supplementary diet of P3P compact policies and third-party trustmarks has done little to satisfy or assuage consumers' privacy concerns.

---

There is very little evidence that these earlier "self-regulatory" initiatives have done much of anything to change the way businesses, esp. those in the advertising industry, ply their trade on the Net ( »www.staff.uiuc.edu/~ehowes/priv-pol.htm#that ). If anything, the advertising industry has become even more aggressive in its efforts to swamp consumers with intrusive advertising, turning even now to "spyware" technology itself to convert users' computers computers into fancy direct marketing platforms. Given that sorry history, there is no reason to think these latest examples of "self-regulation" on the "spyware" issue will be any different. It is difficult to believe that companies the industry groups involved in the CDT's "working group" are at all interested in changing their business practices; it is much more believable that they are simply interested in changing the public's perception of their practices and technologies.

That the CDT would support these kinds of "self-regulatory" initiatives is both depressing and unsurprising. The CDT has been a strong supporter of P3P (see »www.cdt.org/privacy/pet/p3pprivacy.shtml ), for example, despite the lack of evidence that P3P has done anything to protect consumers' privacy online some three years after its implementation in Internet Explorer 6.0 (see »www.staff.uiuc.edu/~ehowes/priv-···#ie6-p3p ). Thus, when the CDT then goes before Senate Communications Subcommittee on the issue of "spyware" and advocates a P3P-like standards initiative to address the problems with spyware (see p. 9 of »www.cdt.org/testimony/20040323berman.pdf ), that organization effectively forfeits any claim to be taken seriously as a representative of the public's interest.

Concluding Remarks on Panel 1

At the end of FTC's Spyware Workshop on Monday I happened to chat up someone else in the anti-spyware camp who had been to several meetings on the "spyware" issue, including at least one meeting of the CDT's working group. Her remarks on the Spyware Workshop and those in attendance were striking. She pointed out that the Spyware Workshop was filled with industry representatives and lobbyists of one sort or another. This group of representatives and lobbyists has participated in many other similar events: they have been at the FTC's previous workshops on online privacy; they have been in the offices of Senators and Representatives whenever legislation was being considered that might threaten the interests they represent; they have been at all the Congressional hearings conducted over the past few years on these kinds of issues. Wherever and whenever things were happening in Washington that might threaten their interests, they've been there to ensure that absolutely nothing happened that might stop their clients from doing exactly what they're doing right now.

The first panel at the FTC's Spyware Workshop was a striking example of how successful these interests can be in protecting their preferred business practices and technologies. This outcome was not unexpected. In the first remarks that I made back in February on the FTC's Spyware Workshop ( »Tired of being hijacked? TELL the FTC! ), I noted that

said by Eric L. Howes:

---

the FTC workshop ... could mean that we're at the start of a Federal discussion of the "spyware" problem, which until now has received almost no attention.

What are the potential outcomes of that process? There are three broad outcomes, so far as I can see:

1) Nothing gets done

The FTC wrings its hands over the problem but eventually agrees with the commercial crapware industry that government regulation is a bad thing; that the industry "self-regulation" is much more effective and even preferable; that consumers are being offered "choice" in the form of EULAs, commercial anti-spyware applications, browsers settings, and vendor provided uninstallers; that consumer education is all that is needed from the FTC for the "spyware" problem to solve itself. Everyone involved will give themselves a pat on the back for protecting consumer choice, respecting the beauty of the market, for committing themselves to self-regulation and consumer education, and then they will go home, having done absolutely nothing.

2) A CAN SPYWARE Act

The FTC works with the commercial crapware industry to craft legislation for Congressional adoption. This legislation will distinguish between "spyware" and "adware" by imposing a minimal set of requirements for software installation (a EULA for example). This minimal set of requirements will not stop the usual suspects from doing what they're already doing, but it will allow the industry to proclaim that their software conforms to strict government regulatory standards. It will also allow the FTC to prosecute a small number of the more unscrupulous "spyware" pushers, thus giving the larger players protection from unwanted competition.

3) Real "Spyware" Regulation

The FTC actually responds to consumer outrage (as it did with the Do Not Call legislation) and, to the horror of the commercial crapware industry, pushes Congress to adopt legislation that would place real restrictions on the abusive tactics of the commercial crapware industry.

Outcomes #1 and #2 are the preferred outcomes for the commercial crapware industry. Outcome #3 would be a disaster.

---

So far, the industry has succeeded in achieving outcome # 1. Several of the news articles written about the Workshop noted just this:

Few solutions pop up at FTC adware workshop
»zdnet.com.com/2100-1104_2-5195222.html

What's the Best Way to Stop Spyware?
»www.pcworld.com/news/article/0,a···5,00.asp

FTC Urges Industry Solutions to Spyware
»www.internetnews.com/xSP/article.php/3342471

FTC commissioner opposes anti-spyware laws
»washingtontimes.com/upi-breaking···186r.htm

'Spyware' Eludes Easy Answers
»www.washingtonpost.com/wp-dyn/ar···r19.html

The FTC's Workshop is but one step in a longer process, though, and I would urge those who care about protecting consumers and Netizens from obnoxious, invasive commercial crapware not to become too discouraged at the outcome of this Workshop, which was entirely expected. There are still two anti-spyware bills in Congress. Moreover, Utah has passed its own anti-spyware bill, and other states are still considering bills of their own.

I do plan to discuss the remaining five panels, though my comments on those later panels won't be nearly as extensive as these comments on the first panel. The first panel was perhaps the most important of the panels; it was also the most discouraging and enraging.

Comments on, criticisms of, and questions about this long post are, as always, most welcome.

All the best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,10038251 Wed, 21 Apr 2004 22:22:59 EDT http://www.dslreports.com/forum/remark,10036562 anon : My notes from the workshop -- a little late, for which I apologize, but better late than never.

»www.benedelman.org/news/042104-1.html

Ben Edelman
»www.benedelman.org]]> http://www.dslreports.com/forum/remark,10036562 Wed, 21 Apr 2004 19:20:13 EDT http://www.dslreports.com/forum/remark,10030273 eburger68 : Hi All:

Just wanted to let you know that I have seen all the responses in this thread to my original post. Unfortunately, I simply don't have time tonight to expand on my initial comments. As is the case with Dave, Rob, Paul, and the other anti-spyware folks who attended the workshop, I'm busy catching up with email and other things that piled up during my absence. I will try to post additional comments tomorrow afternoon or evening, though (and there is plenty still left to be said).

A few quick notes, though:

First, the FTC has posted still more comments (# 172-188). Of interest in this batch is a second submission from Jason Lucas of C2 Media (aka, Lop.com):

# 181: Lucas-2 (04/14/04)
»www.ftc.gov/os/comments/spyware/···cas2.pdf

I opined in an earlier thread about C2 Media's first batch of comments:

»Lop.com Goes to the FTC

And, of course, the longest of the three documents that I submitted to the FTC is a step-by-step analysis of a C2 Media "drive-by-download":

The Anatomy of a Drive-by-Download
»www.staff.uiuc.edu/~ehowes/dbd-anatomy.htm

This second batch of comments from C2 Media is also worth a read, because Lucas frames these new comments as a reponse to the critiques of anti-spyware advocates. Although he doesn't point to my comments by name, it's pretty clear that he is in fact responding to my "drive-by-download" document, which uses a C2 Media as the central example.

I won't bother responding to the several points he makes (though I do intend to after I get some sleep). I think you'll find C2 Media's response less than convincing.

Second, I want to respond quickly to what Dave Leary had to say on the issue of new legislation/regulations:

said by Dave Leary:

---

In all fairness to the FTC, remember they do not create laws, Congress does.

---

Yes, that's quite true, but that doesn't mean that the executive branch, generally, and federal agencies, specifically, don't participate in the creation of new legislation and regulations. In fact, it's quite common for government agencies to work with members of Congress to craft new legislation to address problems and issues that fall within their regulatory purview.

At the close of the workshop I did in fact ask someone from the FTC if we could expect the FTC to work with legislators on anti-spyware legislation or even to encourage its adoption. The answer I received was a quick shake of the head and a very quiet, "No..."

If you go back and look at my earlier postings here at DSLR, that answer shouldn't surprise you at all. Indeed, my reading of this Spyware Workshop is that its main purpose was to bring industry representatives together to talk very publicly about "industry self-regulation" and thus give the industry a bit of PR leverage in their efforts to resist spyware legislation at the state and federal level.

Finally, a quick notice that I have updated my FTC Spyware Workshop page.

»www.staff.uiuc.edu/~ehowes/ftc-spyware.htm

It now includes more news articles and links to still further information and research relevant to this issue. In addition to the PC Pitstop surveys introduced at the workshop, there were several other reports from Dell, Microsoft, McAfee, and others that were presented at the workshop and which I'll be trying to track down so that you all can see some of what we saw on Monday.

Bill P of WinPatrol has been adding more material to his blog as well (including, now, photos of all six panels):

»www.mysteryware.com/blog.html

In any case, I'll be back tomorrow with more comments on several burning issues. And I anticipate that several of the other anti-spyware folks in attendance at the workshop will be posting their own impressions and reactions as well.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,10030273 Wed, 21 Apr 2004 01:50:07 EDT http://www.dslreports.com/forum/remark,10029553 mens rea :

said by eburger68:

---

The FTC is not interested in encouraging new regulations or legislation concerning "spyware" or advertising software. Commissioner Swindle (head of the FTC) indicated as much in the videotaped remarks that were played after the first panel this morning. The FTC is much more interested in encouraging what it calls "industry self-regulation," which involves the advertising industry itself establishing a set of "best practices" that would allow it to "play nice" with consumers

---

Why is it when bureaucrats get together the find new and exciting terminology that essentially allows them to do nothing. It's just "optics".;)

Where is there an incentive anywhere in any type of business for "industry self regulation"? When profits are weighed against personal privacy with no sanction for intrusion upon the latter there is absolutely no reason for "self regulation". Hasn't the position of the adware/spyware camp been all along that there is no problem?

As far "best practices" are concerned I shudder to think how low the standard may go, after all the industry is the one doing the potential regulating and defining what is "best". Again present conduct best exemplifies what now passes for ethical business practices amongst industry proponents. I think the fox is now amongst the chickens.

Thanks for the update Eric.

Regards

]]> http://www.dslreports.com/forum/remark,10029553 Wed, 21 Apr 2004 00:06:06 EDT http://www.dslreports.com/forum/remark,10029441 IBPirate : Eric,
thanks for the in-attendance narrative. My email comment to the FTC, and what I teach all of my users, and whomever else asks, is that our choice must be to make a conscious choice to OPT IN to ANY of these ... things. The choice must be ours, not pushed upon most because of their ignorance. These ...Q$#%%... could easily make a very small page that uses ONE screen to explain their desired activities and the reader can make the choice at the end of that screen to accept, or reject on a Permanent basis, what is being offered.
Mr Naider, or any of the others, regardless of their blandishments of "making the Internet 'FREE' and a 'pleasurable experience' are uninvited guests to my computer (read Home)and I actively choose the right to do with them as I do the rats that attempt to take up residence in my woodpile. Hunt them down and ... um, reduce their life light to 0 lumins:mad:]]> http://www.dslreports.com/forum/remark,10029441 Tue, 20 Apr 2004 23:52:42 EDT http://www.dslreports.com/forum/remark,10028056 GodKhaine : Man I AM LOSING ALL RESPECT FOR THE GOV'T, I had my cd player stolen from my car the day before Easter and I only have liability stuck on the car to pick up a new window, so I ask the cop what would happen if they get caught... a few days in jail if that and a misdemeanor, SOOOO I ask what would happen if I was to assault the thief.... COULD BE SUED. I SWEAR I'M GONNA KILL THE A$$HOLES AND ANY STUPID POLITICIAN/ADWARE/SPYWARE SUPPORTER. ARGH :mad::mad:
I don't care if this is treason I'll gladly tell the FBI or whoever but if the gov't can't aid and listen to the people it's supposed to protect then get rid of the (EXPLETIVELY DELETED by me) POLITICIANS.

P.S. Thanks a million Eric, just wish there was more people like you and everyone else who hates bad companies/politicians.]]> http://www.dslreports.com/forum/remark,10028056 Tue, 20 Apr 2004 21:36:29 EDT http://www.dslreports.com/forum/remark,10027719 linicx : I think before we start talking about FCC and laws we all need to understand there are two types of criminal today: civil and violent. No, I do not mean crimes. If I walk up to you and punch you in the nose I go to jail. If you come to my house and steal my new $5000 mower nothing happens unless I start a civil suit. There is no such thing as criminal prosecution anymore unless you are a drug dealer, killer or pedophile. These sophomoric morons who create havoc in the form of spyware, pop up ads, keystroke loggers, etc., are not going to stop unless they have a list of incentives like the spammer in Michigan received.

Finding them and publishing their name, address, email, phone number, names and ages of their children, type of vehicle they drive, plate number, where they work and shop, etc., is the only kind of incentive they understand. In their world what they do is very cool.

"Do unto others as they would do unto you..." thus said the Lord.

Just my two cents; I'm tired of being ripped off and jerked around.
--
No windows; No gates; Apple inside]]> http://www.dslreports.com/forum/remark,10027719 Tue, 20 Apr 2004 21:01:12 EDT http://www.dslreports.com/forum/remark,10027431 antdude : FYI. »zdnet.com.com/2100-1104_2-5195222.html]]> http://www.dslreports.com/forum/remark,10027431 Tue, 20 Apr 2004 20:34:19 EDT http://www.dslreports.com/forum/remark,10027225 damonlab : This spyware stuff has got to stop. It has worked its way into my home computer, friend's computers, business computers, etc.

You show me a Windows computer with no spyware, and I will show you a computer that is a clean install without the user having more than 5 minutes online.

So far, the best tools I have found to combat spyware are AdAware and Spybot. Both are good to recommend for personal use. Spybot is free for commercial use. AdAware requires a licensing fee for commercial use. Most businesses are always tight on budget, so very few will pay for AdAware.

Even with AdAware and Spybot, some spyware simply can not be eliminated. I have seen systems with NO VIRUSES, NO TROJANS, and they were just hosed with spyware. Far too much spyware for even AdAware or Spybot to take care of.

Maybe it is time to start thinking about ghosting every machine and pushing out a clean image once a month. ]]> http://www.dslreports.com/forum/remark,10027225 Tue, 20 Apr 2004 20:13:30 EDT http://www.dslreports.com/forum/remark,10026438 ctceo : Commissioner Swindle? My My Isn't that an ironic last name for the head of the Federal Trade Commision, ROFLMAO!!!

courtesy, dictionary.com:

swin·dle ( P ) Pronunciation Key (swndl)
v. swin·dled, swin·dling, swin·dles
v. tr.
To cheat or defraud of money or property.
To obtain by fraudulent means: swindled money from the company.

v. intr.
To practice fraud as a means of obtaining money or property.

n.
The act or an instance of swindling.

--------------------------------------------------------------------------------
[Back-formation from swindler, one who swindles, from German Schwindler, giddy person, cheat, from schwindeln, to be dizzy, swindle, from Middle High German, from Old High German swintiln, frequentative of swintan, to disappear.]
--
K8T Neo - 2GB DCDDR400 - AXP 64 3400+ - 3DLabs WC4 7210 - CL Audigy 2 PP - WD SATA150 36GB + Hitachi GST 250GB - Plextor PX708A + Sony CRX300A - Dual 535 Watt PSU's, Full Tower El Cheapo Case W/ Sound Padding & Thermal vents.]]> http://www.dslreports.com/forum/remark,10026438 Tue, 20 Apr 2004 18:52:38 EDT http://www.dslreports.com/forum/remark,10022493 anon : In all fairness to the FTC, remember they do not create laws, Congress does.



If you would like to learn about the Commissioners you can find their bios at »www.ftc.gov/bios/commissioners.htm. The Chairman is Timmothy Muris. The term is seven years and there can be no more than three from either party. When there is a vacancy, the President nominates and the Senate approves the candidate.]]> http://www.dslreports.com/forum/remark,10022493 Tue, 20 Apr 2004 10:58:12 EDT http://www.dslreports.com/forum/remark,10022439 Bubba : Yes Eric....As always, Thanks for keeping us well informed about the adware workshop and what appears to be a brain fart by the FTC. The foxes protecting the chicken coop ?

Kind of OT

said by BillPStudios :

---

This could be an entirely different thread but the Coalition of Anti-Spyware Technology vendors proudly announced their newest member today. New.net

---

Agree about a new thread since 99.9 % of the malware software\reg file entries discussed in this Forum have New.net listed as badware in one form or another. Tell me your throwing out a belated April Fool's :)
--
*Team Z* Member]]> http://www.dslreports.com/forum/remark,10022439 Tue, 20 Apr 2004 10:51:35 EDT http://www.dslreports.com/forum/remark,10022076 dmethvin : Hi guys, this is Dave Methvin from PC Pitstop. I just wanted to say it was great getting together with Eric, BillP, and the others at this meeting. Too bad we couldn't slap the cuffs on some of those folks while we had them in the room. ;)

Although Eric's probably right that the FTC won't take any quick action to create new rules, I think there is a good chance that some of the active lawsuits are going to make headway. Also, the paper from Ben Edelman that Eric mentions could be the basis for some action against Whenu for violating their own privacy policy.

All this political lobbying has put me a bit behind in posting content and impressions on the PC Pitstop site, so I guess I should get cracking on that! ]]> http://www.dslreports.com/forum/remark,10022076 Tue, 20 Apr 2004 09:55:52 EDT http://www.dslreports.com/forum/remark,10020976 Link Logger : I don't think its possible to regulate this industry, how would you enforce it, so anything that comes out of this is certainly a step in the right direction, be it likely a very small step, but a step never the less and likely a short lived step as adware, spyware, etc have competition as well and if the competition ignores the rules then its likely everything is back to free for all mode, or some companies go out of business and then everything is back to free for all mode so there is really no escaping this continuing adventure.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,10020976 Tue, 20 Apr 2004 03:12:07 EDT http://www.dslreports.com/forum/remark,10020947 SnowyOne : There isn't any panacea.
But getting together a bunch of S**Ware Advocates to at least define what is not acceptable to even THEM gives a solid baseline for further discussion.
The whole idea is you gotta learn to crawl before you walk & learn to walk before you run.
I'd rather see delayed well thought out regulations than knee-jerk reactions that are either unenforceable or won't survive a contested lawsuit.
--
Dave said "By the way, 4294967295 is just another way to write -1". ]]> http://www.dslreports.com/forum/remark,10020947 Tue, 20 Apr 2004 03:00:55 EDT http://www.dslreports.com/forum/remark,10020902 B :

said by Link Logger :

---

operation offshore (a lot of it already has moved) to where people think FTC is the name of a boy band or something.

---

And the girls love the hit single 2Cool2Spy4U.

I Googled Swindle a bit (not that there's anything wrong with that) and found an interesting set of quotes at »zdnet.com.com/2100-1105-956708.html:

quote:

---

Why would someone who is breaking the law pay any attention to the law? It's so difficult to catch 'em. You just wonder what the effect would be. Good people who obey laws probably don't send out a whole lot of spam. Bad people who like to rip people off probably won't pay a lot of attention to the law, since they'll do it anyway.[...]You're going to hear the First Amendment argument, "I have a right to market." They're going to continue to do this until they're taught that it's destructive, that it's harmful. That's one of the principles of the OECD guidelines that talks about democracy and ethics. Be aware that you can hurt other people.

---

He's talking about spam here, but how, exactly, are spyware companies more trustworthy? Can you believe this is the same person talking as the one Eric described above regarding spyware "self-regulation"? Does this man have ANY idea of the scum he's dealing with?

-- B]]> http://www.dslreports.com/forum/remark,10020902 Tue, 20 Apr 2004 02:44:47 EDT http://www.dslreports.com/forum/remark,10020848 SnowyOne : The reason Commissioner Swindle is not Congressman Swindle is that he calls'em as he sees them.
His refusal to pander to special interest concerns doomed his political (elected) career.
Betcha didn't know that when he ran for Congress someone cybersat his name. He is still a little hissed off over that. That's the type of expierience & oversite I like to see in that position of authority.
--
Dave said "By the way, 4294967295 is just another way to write -1". ]]> http://www.dslreports.com/forum/remark,10020848 Tue, 20 Apr 2004 02:28:19 EDT http://www.dslreports.com/forum/remark,10020803 Link Logger :

said by eburger68 :

---

The FTC is much more interested in encouraging what it calls "industry self-regulation," which involves the advertising industry itself establishing a set of "best practices" that would allow it to "play nice" with consumers.

---

Is this guy on glue or something??? What motivation does this industry have for any form of self-regulation, best practices or to play nice with consumers and why hasn't this motivation already self-regulated the industry? Next question, who exactly does the FTC think they are and I think this is the point they realize in that there really isn't anything they can do to regulate this cr@p, as the internet doesn't understand borders, so its easy to move this sort of operation offshore (a lot of it already has moved) to where people think FTC is the name of a boy band or something.

I fully wish and dream about the day when some of this junk goes buh-bye, but its too easy and the money is too good, so it won't ever go away, and it is slowly killing the internet IMHO (I'm talking about more then just adware, spyware etc, but the whole concept of the internet as nothing more then a huge scam marketing tool).

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,10020803 Tue, 20 Apr 2004 02:18:55 EDT http://www.dslreports.com/forum/remark,10020462 B :
I guess so, although frankly it sounds disingenuous. I mean, many Internet transactions are already taxed (e.g. whenever your vendor has a local presence); and there are already plenty of massive databases of our buying habits -- they're called credit agencies; and as far as I understand (which is not a lot) it's up to the individual vendors to handle the bookkeeping.... It really just sounds as if he was playing to his audience there...

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,10020462 Tue, 20 Apr 2004 01:18:00 EDT http://www.dslreports.com/forum/remark,10020248 SnowyOne : "I'm ignorant here; does the FTC get flushed out if there's a different President come January?"

I don't know the answer to that question, but I hope not.
The following quote is from Commissioner Swindle.
"According to Orson Swindle, a Federal Trade Commission member and past Hawaii political candidate, taxing Internet transactions "is not a nice scenario."
"By tracking individual transactions, the government would create a massive database that knows all your finances, your buying patterns and your personal preferences -- and all that is controlled by the government," Swindle told a Tax Foundation of Hawaii luncheon crowd this week. He also gave a radio address and spoke to the Rotary Club of Honolulu on the issue during his most recent visit to our state."
That type of position is a very healthy one.
For the full transcript (short) visit here.
--
Dave said "By the way, 4294967295 is just another way to write -1". ]]> http://www.dslreports.com/forum/remark,10020248 Tue, 20 Apr 2004 00:41:56 EDT http://www.dslreports.com/forum/remark,10020189 B :
Wow, they must have had a lot of spyware in Windows 3.1.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,10020189 Tue, 20 Apr 2004 00:33:01 EDT http://www.dslreports.com/forum/remark,10020094 BillPStudios : Nope, I didn't get Eric on my camera.
I'm still so stunned about the Coast welcoming New.net that I couldn't sleep so I'll expand on some of Eric's comments.

Avi Naider from WhenU said 100 million users have installed WhenU programs and 80 million have removed it.
He was suggesting this was a positive thing in demonstrating users really do have a way to Uninstall the software they had once agreed to install. According to research surveys by PC Pitstop 86% of those remaining users aren't even aware they have it on their system. Interesting business model.

You can call it adware if you want but its still generating complaints. According to Bryson Gordon from McAfee Security, 86% of their problem reports from their VirusScan were not viruses but were Adware. They defined 3% as Spyware.

Microsoft was there showing off features added to Windows XP SP2 which looked good. Their dialog showing BHO's and Toolbar add-ons was pretty cryptic especially when compared the screen we display in our WinPatrol program but it's a step in the right direction. I'm not sure how useful it is showing the GUID to help the average user decide if they want to keep a program or not.

The funniest comment was from Microsoft's Brian Arbogast on Panel Four. According to Microsoft, 50% of system crashes are caused by spyware. I didn't think Windows was suppose to crash anymore but at least now we know it's due to spyware. ;)

Bill Pytlovany
BillP Studios]]> http://www.dslreports.com/forum/remark,10020094 Tue, 20 Apr 2004 00:19:59 EDT http://www.dslreports.com/forum/remark,10019889 B :
No Eric pictures though.

Hey, Avi and Ari look worried. I hope that's a good sign.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,10019889 Mon, 19 Apr 2004 23:54:30 EDT http://www.dslreports.com/forum/remark,10019851 BillPStudios : Eric,

I agree, it was a pleasure to meet you and all the other amazing folks who showed up for this event. Even though I only recently returned to the hotel, and am exhausted but I did update my blog page with a photo of panel six and some other comments. »www.mysteryware.com/blog.html

I also included a link to a press release that wasn't mentioned at the workshop. This could be an entirely different thread but the Coalition of Anti-Spyware Technology vendors proudly announced their newest member today. New.net.

More to come...

Bill Pytlovany
BillP Studios]]> http://www.dslreports.com/forum/remark,10019851 Mon, 19 Apr 2004 23:50:41 EDT http://www.dslreports.com/forum/remark,10019699 anthrorules : Thanks for keeping us updated...I saw a news story about this in Yahoo! yesterday.]]> http://www.dslreports.com/forum/remark,10019699 Mon, 19 Apr 2004 23:34:28 EDT http://www.dslreports.com/forum/remark,10019303 B :
Eric, thank you SO much for keeping us so well informed.

The regulators want to encourage "self-regulation"? Uhhhhh, okay. Like the chilling "self regulation" of FCC fines for poopy jokes, or the self-regulation of car makers left to their own devices and and 10 MPG Escalades? Great stuff.

I'm ignorant here; does the FTC get flushed out if there's a different President come January?

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,10019303 Mon, 19 Apr 2004 22:54:05 EDT http://www.dslreports.com/forum/remark,10018653 eburger68 : Hi All:

I don't have much time to write, but I thought I'd update you on what happened today at the FTC's Spyware Workshop. When I get home I'll post more complete comments.

As most of you know, the FTC's Spyware Workshop was today. We've talked about this workshop in several previous threads:

»Tired of being hijacked? TELL the FTC!
»Telling the FTC About Spyware: A Few Tips...
»Lop.com Goes to the FTC
»What I Told the FTC about Spyware...
»A Guide to Spyware Comments Filed w/ the FTC
»What's the *motivation* for hijack-ware?
»FTC Spyware Workshop Panelists - Worries...

The workshop started today at 9 am and was hosted in the the FTC's Conference Center in Washington D.C. The workshop was structured around six discussion panels, with roughly five panelists per panel. See...

»FTC Spyware Workshop Panelists - Worries...

...for my earlier comments on those panels and panelists.

One question that I might as well answer right now is one that I know many of you will ask: will any new regulations or legislation emerge from today's workshop to regulate or even outlaw spyware or practices associated with the advertising software industry? The answer is a simple one: No.

The FTC is not interested in encouraging new regulations or legislation concerning "spyware" or advertising software. Commissioner Swindle (head of the FTC) indicated as much in the videotaped remarks that were played after the first panel this morning. The FTC is much more interested in encouraging what it calls "industry self-regulation," which involves the advertising industry itself establishing a set of "best practices" that would allow it to "play nice" with consumers. As I've indicated in several previous posts on this board as well as in the comments that I submitted to the FTC, I regard "self-regulation" as oxymoronic doublespeak at its bureaucratic finest.

Rather than belabor the point in the short time I have, let me describe what else happened at this workshop.

Panel 1 (definitions of spyware/adware) was as bad as I expected it to be. Dominated by industry representatives or those friendly to the industry, the panel came to a consensus very early (and even noted that they were all essentially in agreement). What was odd about that consensus is the way is shifted in response to the issues on the table. The panelists initially all agreed that it would be fruitless to get hung up on a term like "spyware," and that it would be much more productive to focus on "bad practices." Now, this is exactly what we anti-spyware folks have been saying for some time. So, for a moment, I almost thought that the something productive might actually be taking place, despite my initial fears.

No such luck. After agreeing that definition disputes would be best avoided, the panel did a complete 180 degree turn when the question of distinguishing "adware" from "spyware" was raised. At that moment every one of them (with the possible exception of Ari Schwartz of the CDT) became suddenly very interested in nailing down a definition of "spyware" so as to distinguish their own software (or the software of the interests they represented) from "spyware." The message from the panel was essentially exactly as I predicted it would be: "Spyware is illegitimate software; adware is legitimate software. We do adware not spyware."

Indeed, Avi Naider from WhenU pursued exactly this line, claiming that most WhenU users were quite aware of the installed software on their computers. In a somewhat bizarre move, Naider attempted to back this claim up by pointing out that of roughly 100 million WhenU installations, 80 million had been uninstalled. He claimed that the fact that users had uninstalled WhenU demonstrated that they were aware of the installations. There are all kinds of problems with this argument, which I won't bother to cover here.

Suffice it to say it was at that moment that Rob Cheng and Dave Methvin of PC Pitstop (the outfit sued by Gator/Claria last fall, by the way) began distributing their new survey of WhenU users that tells quite another story: over 80% of WhenU users are NOT even aware that the software is installed on their computers. See PC Pitstop's 2nd set of comments:

»www.ftc.gov/os/comments/spyware/···stop.pdf

...for the write-up of that survey. And see their 1st set of comments...

»www.ftc.gov/os/comments/spyware/···stop.pdf

...for their earlier survey with Gator/GAIN users, also quite damning.

Needless to say, this caused a minor ruckus with WhenU's attorney, who was not amused that Rob and Dave were distributing numbers that undercut what her client had just told the workshop. Naider himself also approached Rob and Dave, asking why they were picking on WhenU were there were plenty of worse actors out there. What WhenU's official response to Rob and Dave's survey will be is not yet known.

WhenU had a bad day all around. After Avi Naider's appearance on the first panel, things went quickly downhill from there. The low point for WhenU must have come during Panel 3, when Chris Jay Hoofnagle from the Electronic Privacy Information Center (EPIC.org) pointed out that Ben Edelman's research, which reported the results of some extremely clever and tenacious packet sniffing, raised the prospect that WhenU was violating its own privacy policy by collecting and transmitting certain personally sensitive data. See Ben Edelman's research results here:

»www.ftc.gov/os/comments/spyware/···lman.pdf

The fourth panel (industry self-regulation) was almost as bad as the first. Most of the panelists simply talked about what a wonderful success previous self-regulatory efforts had been (privacy polices, P3P, et al), and insisted that the industry be given the time to address the problems of spyware itself.

Beyond the first and fourth panels, though, things went rather well for those hoping to get Washington's attention on this issue. A number of panelists on the second, third, and fifth panels effectively described the problems with spyware and the great difficulties that consumers face in trying to prevent spyware from being installed on their computers or removing after it is installed.

Audience members (including this author) were allowed to put questions to the panelists, but we had to do so via question cards submitted to an FTC employee for vetting. Of the five questions I submitted over the course of the day, one was accepted and read to one of the panels. (I asked how panelists could place such faith in consumer education when 10 plus years of education on viruses and antivirus software has been a demonstrable failure. None of the panelists addressed the question square-on.) Some of the other anti-spyware folks got some of their own questions accepted as well, though the answers they received were often less than responsive.

I must say that the nicest part of this past few days has been meeting with and talking with the many anti-spyware folks who attended. Rob Cheng and Dave Methvin of PC Pitstop organized an informal get together on Sunday afternoon/evening. In attendance were Paul Laudanski of Computer Cops, Mike Healan of SpywareInfo, Bill Pytlovany of WinPatrol, Steve Reutter of Pest Patrol, and Ben Edelman, the Harvard grad student who's done several important studies of GAIN's and WhenU's advertising software. Our conversation was lively and productive. On Monday I got to meet Michael Wood of Lavasoft and several folks from WebRoot (makers of SpySweeper). Needless to say that I found all of these folks to be great fun and right sharp -- just the kinds of people you'd love to spend many hours hanging out with. Too bad it had to end so soon.

I've really not much more time to post right now. I'll have to save other comments (and answers to questions that any of you might have) for a later time. The FTC will be posting transcripts of today's sessions in roughly 10 days time. Also, the FTC plans to issue a report in response to today's workshop. And be sure to check out Bill Pytlovany's blog from the workshop here:

»www.mysteryware.com/blog.html

He's even got a photo of Panel 1 (with WhenU's Avi Naider).

If you do have any questions about today's workshop, feel free to post them here. I'll try to answer them as soon as possible. Perhaps some of the other attendees would care to pitch in with their own observations and reactions.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,10018653 Mon, 19 Apr 2004 21:55:01 EDT