Re: FTC Spyware Workshop: 1st Impressions
Hi All:
At the end of my review of Panel 4 of the FTC's Spyware Workshop, I looked forward to the release of the official transcript of the workshop's sessions and noted that:
said by Eric L. Howes: I am already anticipating that the transcript will underscore the wiliness of human memory, and I will be happy to make corrections and emendations to these posted remarks where my own memory of the workshop has proved to be less than completely reliable.
Having now looked over the entire transcript, I see that I was not wrong in thinking that I would have some corrections to make. Thus, I want to call attention to claims I made about the workshop, its participants, and what was said that were either wrong or not entirely correct. I'll also offer a run-down of the claims that I made that were correct and provide pointers to the appropriate pages from the transcript where you can find the discussions I was referring to.
Note: the official transcript of the Spyware Workshop can be downloaded from the FTC's site here:
»www.ftc.gov/bcp/workshops/spywar···ript.pdf
The transcript is 298 pages long and lacks bookmarks or hyperlinks. For a more navigable, easy-to-use version of the transcript with bookmarks, use this version:
»www.staff.uiuc.edu/~ehowes/trans···-idx.pdf
**What I Got Wrong...**
First, the errors that I made.
In my review of Panel 1, I complained about the performance of Ari Schwartz of the Center for Democracy and Technology (CDT). I wrote:
said by Eric L. Howes: Indeed, that pretty much sums up this panel: instead of working to protect consumers, this panel was more interested in protecting themselves. And to its great shame and discredit, the Center for Democracy and Technology (CDT) did almost nothing to challenge that agenda (more on the CDT in a bit).
Having reviewed the transcript of Panel 1, I now must admit that my characterization of the CDT's performance was not entirely fair. Late in the discussion of Panel 1, Ari Schwartz noted that the spyware vs. adware distinction urged by all the other panelists had problems (pp. 38-39):
said by Ari Schwartz: MR. SCHWARTZ: I do think that there's a reason that Adware has gotten a bad name. And a lot of it has to do with the fact that some companies have basically decided that they will do anything they possibly can to get their software onto the user's computer, and that they don't really -- and we found that a lot of those are Adware companies. (...)
And so therefore, when Marty says, you know, there's no overlap between Adware and Spyware, I don't think that that's true. There is certainly companies that are engaging in bad practices. It's not Adware itself that makes it a bad practice, but we have seen -- Adware companies seem to push the lines by using these affiliate kind of programs in order to make it happen.
Still later, after listening to Avi Naider's response to a question about PC Pitstop's findings that over 80 percent of users were not aware of the software on their systems, Mr. Schwartz summarized the problems with software bundling and concluded (pp. 55-56):
said by Ari Schwartz: MR. SCHWARTZ: We haven't done our own research on this yet, but, I mean, anything in the 80 percent sounds very high. If it's really that high, there is a major problem.
Now, I wish that Mr. Schwartz had taken a stronger, more unambiguous stance on the question of adware vs. spyware and simply rejected the definitional distinction outright, as several participants on other panels did (see Bryson Gordon's rejection of this distinction on p. 85; see also the discussion on pp. 97-102 of the connection between adware/spyware and traditional malware, Austin Hill's discussion of consumer confusion with adware on p. 106, Ray Everett-Church's questioning of the privacy claims of adware on pp. 120-121, and Steve Urquhart's characterization of adware "victims" on p. 270). And I still have strong reservations about the CDT's work with the Consumer Software Working Group, the CDT's advocacy of P3P-like self-regulatory measures, and its enthusiasm for "industry self-regulation" more generally. But the CDT did not completely cave in to the industry representatives on Panel 1, who were all too eager to exempt their software from the discussion of spyware, and I am happy to note that here.
In my review of Panel 4 I decried one of the statements made by a panelist about the "flexibility" of "best practices" and "industry self-regulation":
said by Eric L. Howes: Indeed, one of the industry reps on the panel remarked that "best practices" would necessarily have to be pluralistic and flexible -- that there could be no single set of "best practices" because we couldn't impose inflexible solutions on corporations. That kind of talk should leave no doubt in anyone's mind that "best practices" are simply not intended to set high standards for corporate behavior, but rather to allow corporations to make them into whatever happens to be convenient.
To my embarrassment, no such comment exists in the transcript of Panel 4, though Panel 4 does include a discussion about preventing any single company from monopolizing the establishment of "best practices" and using them for competitive advantage (see pp. 192-194). Rather, the comment I was thinking of comes from Daniel Weitzner on Panel 5 (pp. 235-236):
said by Daniel Weitzner: MR. WEITZNER: I'm going to just make one suggestion. I think that best practices are great if they describe a set of practices among which application writers and users can choose.
I think that it would be unfortunate even if a diverse group, an open group, got together and said here are the things we'll allow; here are the things we won't allow. And I don't think you're suggesting that, Jeffrey, but just to be clear. Best practices doesn't mean a single list of the good things and the bad things.
Best practices I think means doing the sort of thing that the now much-mentioned CDT report -- it should have been on Amazon. It would have done really well today -- would identify a set of problematic behaviors and could identify a set of other behaviors and then let people make choices.
I made a similar error in my review of Panel 5, where I discussed a portable ActiveX-based security scanner that I thought had been announced by David Moll of Webroot:
said by Eric L. Howes: Moll went on to describe a portable security scanner that Webroot has developed. It's an ActiveX control that users can download and run while on potentially insecure machines (a PC in an Internet cafe, for example). This portable security application scans the entire box for malicious code (keyloggers, system monitors, trojans, etc). Moll billed it as a way for users to ensure that boxes they don't control are secure.
In fact, that portable security scanner is being developed by X-Block, not Webroot, and was described by Wayne Porter of SpywareGuide.com -- see pp. 216-217 for Porter's discussion of the X-Block portable security scanner.
Finally, in my review of Panel 6 I incorrectly attributed a claim about there being no need for new legislation to cover spyware to Elizabeth Prostic, formerly of the Dept. of Commerce:
said by Eric L. Howes: Unfortunately, three members of Panel 6 rejected calls for new legislation to address these inadequate installation practices, insisting that current law is adequate to the task of addressing spyware problems. Mark Eckenwiler of the Department of Justice, Mary Engle of the Federal Trade Commission, and Elizabeth Prostic of the Department of Commerce all disputed the need for new legislation and claimed that U.S. regulatory agencies have sufficient authority and leeway under current law to go after spyware vendors. Each was asked the same question: "Do you think new laws are needed to address the spyware problem?" Each looked straight at the audience and said clearly and firmly, "No."
In fact, only Mr. Eckenwiler of the DOJ and Ms. Engle of the FTC were asked that question, and both gave the answer I described (see p. 261 for Mr. Eckenwiler's answer and pp. 262-263 for Ms. Engle's answer). Ms. Prostic was likely not asked the question because, as was noted at the start of the discussion on Panel 6 (see p. 255), Ms. Prostic had left the Dept. of Commerce 4 days earlier for a private law practice.
Finally, when discussing the problem of enforcing existing laws with advertising software vendors who use EULAs, I wrote:
said by Eric L. Howes: The key question is whether the FTC, under current laws against "unfair" and "deceptive" trade practices, will be able to rein in the advertising software industry, which by and large does present users with EULAs. Even a month now after the Spyware Workshop we have heard nothing whatsoever from the FTC to indicate: a) whether it thinks it can pursue enforcement action under current law against companies that use EULAs and other inadequate forms of notice and disclosure; or b) under what criteria and in what situations it thinks it could go after such companies. Although current law does allow the FTC to go after companies for "unfair" and "deceptive" trade practices, the presence of a EULA such as that used by WhenU, Gator, and C2 Media during installation enormously complicates the picture, casting doubt on the ability of the FTC to address the widespread problems with advertising software.
While it is true, strictly speaking, that the FTC has not offered specific comments on the application of existing law to these "difficult" cases in which inadequate notice and disclosure is provided, Mary Engle of the FTC did address the issue (pp. 291-292):
said by Mary Engle: MS. ENGLE: And can I just follow up on that from -- from our perspective. The FTC law is pretty clear that, if you're going to give notice to consumers of something, it has to be clear and conspicuous, and we have actually issued a long -- you know, several years ago now, guidance to the online community called "Dot Com Disclosure," that gives you a pretty good understanding of how to make disclosures clear and conspicuous to consumers, and that includes things like, if they've got to click on a button to find out the information, that the button has to be clearly labeled, and also, labeled with the import, so that they know why they should be clicking, not -- not just click here for more info, or something like that. So, from our perspective, just because some term is buried in a four-page ULA doesn't mean that consumers have necessarily given their consent to it.
The "Dot Com Disclosures" document that she refers to can be found here:
Dot Com Disclosures: Information About Online Advertising
HTML: »www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/
PDF: »www.ftc.gov/bcp/conline/pubs/bus···ndex.pdf
That document was the product of another workshop that the FTC conducted back in 2000:
Rules and Guides: Electronic Media Issues »www.ftc.gov/bcp/rulemaking/elecm···ndex.htm
Just before Engle's remarks, however, Mark Eckenwiler of the DOJ seemed a bit more skeptical of using existing law with these kinds of cases (pp. 290-291):
said by Mark Eckenwiler: MR. ECKENWILER: I think the point is well taken that, if we were to try to charge somebody with, you know, a Computer Fraud and Abuse Act violation for putting up -- you know, one of these "Do you want to accept this" screens that's, you know, 25 pages long in six-point type, in a very narrow column, totally unreadable, it's not the most attractive circumstance for us to bring a criminal prosecution, remembering that we actually have a Constitutional burden to prove beyond a reasonable doubt that, as I said before, this was under 1030, without or in excess of authorization.
I think the first line of defense in such a case is going to be that the defendant was, in fact, acting within the scope of authorization, and that becomes a kind of ugly jury question. If we're going to pick and choose cases to prosecute, I think we are more likely to take cases like the Jon case, or this newly-indicted case, the Ropp case, where there just -- there's no argument that that was -- there was never any constructive notice. Never even any attempt at notice. This was, you know, purely a -- a clandestine installation.
Those interested in notice and disclosure issues should see the following documents on the FTC's web site:
FTC Policy Statement Regarding Advertising Substantiation »www.ftc.gov/bcp/guides/ad3subst.htm
FTC Policy Statement On Deception »www.ftc.gov/bcp/policystmt/ad-decept.htm
FTC Policy Statement On Unfairness »www.ftc.gov/bcp/policystmt/ad-unfair.htm
So far as I can tell, that is the extent of the outright errors that I made in my review of the six panels at the FTC's Spyware Workshop.
**What I Got Right...**
Throughout my reviews of those six panels I described or summarized a number of comments made by panelists. In the space that remains, I want to provide pointers to the comments I was referring to in the transcript of the workshop.
In my original post about the workshop, I noted:
said by Eric L. Howes: Panel 1 (definitions of spyware/adware) was as bad as I expected it to be. Dominated by industry representatives or those friendly to the industry, the panel came to a consensus very early (and even noted that they were all essentially in agreement).
Indeed, Avi Naider of WhenU noted early in the discussion (p. 21):
said by Avi Naider: MR. NAIDER: And speaking for WhenU, I can say that we're quite pleased that there's unanimity on this on the panel in the sense that we're also a member of this working group.
Still later in the original post, I described Mr. Naider's claim that the number of uninstallations of WhenU's software indicated that users were being given adequate notice and choice:
said by Eric L. Howes: Avi Naider from WhenU pursued exactly this line, claiming that most WhenU users were quite aware of the installed software on their computers. In a somewhat bizarre move, Naider attempted to back this claim up by pointing out that of roughly 100 million WhenU installations, 80 million had been uninstalled. He claimed that the fact that users had uninstalled WhenU demonstrated that they were aware of the installations. There are all kinds of problems with this argument, which I won't bother to cover here.
Suffice it to say it was at that moment that Rob Cheng and Dave Methvin of PC Pitstop (the outfit sued by Gator/Claria last fall, by the way) began distributing their new survey of WhenU users that tells quite another story: over 80% of WhenU users are NOT even aware that the software is installed on their computers.
Here is Mr. Naider's reasoning (pp. 53-54):
said by Avi Naider: MR. NAIDER: I'm not sure that the PC Pitstop refers to WhenU specifically. I haven't seen that information. But just answering the question in general, there are certainly software applications out there that are not installed with user consent. We would agree to it. Very specifically, it's all in how you do it. (...)
And what I can say very specifically is in the case of WhenU, we've done over 100 million unique installations of our software. Eighty million consumers have removed it.
Now, what does that tell you? What it tells you is that we still have to make sure that the software that we bundle with is better and better value for consumers, because not all consumers want to see advertising supported by software if they don't value the software highly enough.
But what it tells you is that 80 million people can remove it. Clearly, 80 million people means that you have a mass market audience that makes a choice and makes a decision, and consents both upon the installation and consents on an ongoing basis to the software. And by that definition, if you adhere to standards, it's a very consent-driven type of model.
Still further, I called attention to Chris Jay Hoofnagle's discussion of Ben Edelman's finding that WhenU may have violated its privacy policy:
said by Eric L. Howes: The low point for WhenU must have come during Panel 3, when Chris Jay Hoofnagle from the Electronic Privacy Information Center (EPIC.org) pointed out that Ben Edelman's research, which reported the results of some extremely clever and tenacious packet sniffing, raised the prospect that WhenU was violating its own privacy policy by collecting and transmitting certain personally sensitive data.
You can find Mr. Hoofnagle's discussion of Ben Edelman's research on pp. 151-152.
Also in my original post, I noted that one of my questions was put to Panel 4:
said by Eric L. Howes: Audience members (including this author) were allowed to put questions to the panelists, but we had to do so via question cards submitted to an FTC employee for vetting. Of the five questions I submitted over the course of the day, one was accepted and read to one of the panels. (I asked how panelists could place such faith in consumer education when 10 plus years of education on viruses and antivirus software has been a demonstrable failure. None of the panelists addressed the question square-on.) Some of the other anti-spyware folks got some of their own questions accepted as well, though the answers they received were often less than responsive.
You can find Panel 4's response to that question on pp. 194-198.
**Panel 1**
While reviewing Panel 1's sorry performance, I denounced the agendas being pursued by several of the panelists:
said by Eric L. Howes: A few of the panelists were quite open about what they were attempting to do, stating flatly that "adware is simply different than spyware, and people have got to understand that" -- as if they alone could establish the difference through some sort of declarative fiat without the input or suggestions of others. This was but one of several moments during the day when the arrogant, obstructionist, anti-consumer agendas of those represented on various panels were nakedly on display and visible to all who cared to look.
To understand what I was reacting to, see the comment from Marty Lafferty on pp. 33-34:
said by Marty Lafferty: MR. LAFFERTY: And I'll just add that there is no overlap between Adware and Spyware. They're mutually exclusive. Adware is presumptively legitimate. It's a terrific business model for providing valuable software to consumers at no cost in exchange for accepting some advertising.
Other panelists made similar claims. I called attention to Avi Naider's similar comments:
said by Eric L. Howes: One of those commercial interests was WhenU.com, represented by its chief executive Avi Naider, who insisted at one point that the word spyware "was never meant to include software-based advertising...It's pro-consumer; it's pro-competition; it's pro-competitive. (It's) one of the most promising technologies that exists on the Internet today."
Mr. Naider's full comments appear on pp. 32-33:
said by Avi Naider: MR. NAIDER: Spyware was never meant to include software-based advertising, which is what legitimate Adware is. And very specifically, it's software on a consumer's computer that has been installed at the consent of the computer -- of the consumer, makes it very clear to the consumer what it's doing, can be removed easily by the consumer, and effectively gives the consumer potentially relevant valuable information. Specifically, as the consumer traverses the web, software-based advertising can deliver things like retail coupons. (...)
So in theory, the concept of Adware or software-based advertising is extremely pro-consumer. It's pro-competition. It's pro-competitive. And if done with proper notification, consent, and the consumer's ultimate control over the computer, which is the key point -- and I think Ari said it before -- the consumer has to understand that they have this type of software, has to have the ability to remove the software, has to be made clear when the software is generating coupons and ads. In that case, you have a very legitimate, a very promising technology that actually promises to reduce prices for consumers and to make the Internet a more competitive place. (...)
But it's very important to understand that legitimate software-based advertising, not only is it very clearly not within the definition of Spyware, but it's actually one of the most promising technologies that exists on the Internet today. And if allowed to evolve, it will make the Internet a very, very exciting place over the next decade.
Later in my review of Panel 1, I described how several of the panelists claimed that there would be collateral damage from the Utah anti-spyware bill because of the overbroadness of its definition of spyware. For that discussion, see pp. 23-27 of the transcript.
One of the other common objections to anti-spyware legislation is the requirement for an uninstallation method. I noted:
said by Eric L. Howes: The Utah bill's requirement of an uninstallation method provoked still more comments from one of the panelists, who warned users to "be careful what you ask for."
The comment I described angered many people, including Mike Healan of SpywareInfo, who wrote that he "wanted to rise up out of my chair at that rubbish" ( »www.spywareinfo.com/newsletter/a···4/24.php ). Here is Mark Bohannon's actual comment (pp. 58-59):
said by Mark Bohannon: MR. BOHANNON: Ironically, if you give across-the-board ability to uninstall, we have got to have a very strong caveat emptor. Because many things are put in place to insure the continued functionality of software, and that the ability of a consumer -- and because I believe this issue is about more than consumers, but also about business users uninstalling. Just be careful what you're asking for here, because you could, in fact, lead to greater frustration, less security, less ability to manage your personally-identifiable information if it is, in fact, a categorical right to uninstall.
**Panel 2**
Moving on to Panel 2, readers will be interested in taking a look at both the comments from some of these panelists as well as their presentations, which are available in PDF format.
* Maureen Cushman, Dell: Comments, pp. 69-72.
* Bryson Gordon, McAfee: Comments, pp. 72-76; Presentation ( »www.ftc.gov/bcp/workshops/spyware/gordon.pdf ).
* Austin Hill, Zero Knowledge: Comments, pp. 96-97.
In my review of Panel 2 I also called attention to several other comments from panelists:
* Roger Thompson on the number of new additions to Pest Patrol's database: see p. 76.
* Roger Thompson on the impact of spyware on boot times: see p. 78.
* John Gilroy on consumer difficulties with spyware: see pp. 78-80.
And, as I also noted, Commissioner Swindle's videotaped remarks were shown to us just before the start of Panel 2 -- see pp. 62-67 of the transcript and »www.ftc.gov/bcp/workshops/spywar···ndle.pdf for a separate copy.
**Panel 3**
As I remarked in my review of Panel 3, the discussion on this panel was at times a bit dry and abstract. Nonetheless, there were a few noteworthy moments.
Chris Jay Hoofnagle's contributions were esp. useful, as I noted:
said by Eric L. Howes: Chris Jay Hoofnagle of the Electronic Privacy Information Center (EPIC.org) did manage to bring the discussion around to several useful points, though. First, Hoofnagle was the only panelist at the entire workshop to point the finger at Microsoft for providing the technological means for advertising software vendors to confuse and bamboozle users, install software without their full knowledge and understanding or meaningful consent, and hijack their browsers and PCs. Hoofnagle rightly noted that Microsoft's overly powerful ActiveX technology -- with its integration of mobile code straight into the operating system as well as the confusing manner in which ActiveX controls are installed through Internet Explorer -- opens too many doors for advertising software vendors to walk through and puts users on the defensive.
Mr. Hoofnagle's actual comments on Microsoft (p. 130):
said by Chris Jay Hoofnagle: MR. HOOFNAGLE: One, I think it's hard to look at this issue without looking at Microsoft. I think it's probably too easy to write to the critical areas of the registry that allow programs to start at boot. Similarly, it's too easy and there is not enough user understanding of the start up folders, which trigger software that you might not want to run.
I also appreciated Hoofnagle's comments on Fair Information Practices:
said by Eric L. Howes: Second, though, Hoofnagle usefully pointed out that Panel 3's discussion of privacy principles -- or, more formally, Fair Information Practices -- tended to reduce those principles to but two of four (notice and choice), when in fact internet users ought to be extended protection through a full range of Fair Information Practices.
In Mr. Hoofnagle's own words (p. 132):
said by Chris Jay Hoofnagle: MR. HOOFNAGLE: The Federal Trade Commission defines substantive privacy rights as notice, choice, access, security and accountability.
I think it's very important that we not allow privacy to be watered down to this idea of notice and choice in this debate or in others.
I also contrasted Hoofnagle's constructive comments with those of others:
said by Eric L. Howes: Hoofnagle's comments were a refreshing change from those of several of the other panelists, who enthused over the privacy initiatives of industry front groups like the Network Advertising Initiative (NAI), as if these organizations could be trusted or expected to do anything substantive to protect users' privacy in the face of voracious industry demands for access to users' desktops -- the next frontier or market in online advertising -- and all manner of data about users and their online behavior.
Ronald Plesser provided one of the better examples of this when he at once dismissed the issue of notice as not that big of a deal and recommended the Direct Marketing Association's (DMA) work on standards for notice (p. 138):
said by Ronald Plesser: MR. PLESSER: I don't know that I -- I think a notice is a notice. Some are better than others. I think we have seen -- I don't know that I've seen any in the privacy area, in spyware. I've seen some where the computer will serve you ads that they think will be of interest to you. I think those are usually pretty straightforward. When those ads come in, those alternative ads come in, they have little logos on them, or some of them do, that say this is being served to you by XYZ network, and it's different from where you originally went.
I don't think it's all that difficult, but I think there can be notices that can be workable. Again, I think the DMA is working on this stuff. I think it's important. I think one of the principles that we are working on with the DMA is to make sure these notices are obviously out there before the stuff comes onto the system, that the notice is given prior to installation.
"Notice is notice" fairly sums up the industry's attitude toward the problem of inadequate notice and disclosure during the installation of advertising software.
**Panel 4**
As readers of my comments will have noticed, Panel 4 was chock full of interesting moments.
First, there were two sets of comments by industry representatives on the impact of spyware on businesses:
* Brian Arbogast, MSN: Comments, pp. 161-163
* Andrew McLaughlin, Google: Comments, pp. 163-167; Presentation ( »www.ftc.gov/bcp/workshops/spywar···hlin.pdf )
Second, however, the majority of the discussion of Panel 4 focused on "industry self-regulation" and "best practices." Esp. bad were Commissioner Thompson's comments on the industry generally. I wrote:
said by Eric L. Howes: In one of the more nauseating moments of the afternoon, FTC Commissioner Mozelle Thompson quipped that the FTC was happy to hear the views of the large companies represented on the panel because they were truly the "elected" representatives of consumers. The corporate reps smiled at this bit of bureaucratic groveling before business interests, as Thompson was in fact chirpily parroting one of Corporate America's most cherished and noxious propaganda lines -- namely that the market is equivalent to democracy, and that the public, democratic institutions in which citizens actually participate (or are supposed to participate) are comparatively illegitimate. On this view, America is a democracy of consumers -- one dollar, one vote -- rather than a democracy of citizens.
Thompson's comments appear in his closing remarks on the panel (pp. 198-199):
said by Mozelle Thompson: COMMISSIONER THOMPSON: At the same time, you have many of those same pressures, because even though you're not elected, they elect you every day when they decide whether to buy or not to buy or to participate or not to participate. And that's where we have the same challenge.
I also called attention to one of the panelists remarks about "consumer education":
said by Eric L. Howes: In other words, "consumer education" in this scheme of things isn't really education as we normally understand it; rather, it's public relations and propaganda -- manipulating consumers into the "correct" ways of thinking about the software. And this was made perfectly clear by the several industry representatives on Panels 1 and 4, who insisted over and over that we get it into our heads that their software is "adware" not "spyware." Indeed, one of the representatives on Panel 4 (though just who I am at a loss to recall) let the cat out of the bag when he or she helpfully explained that "we need to educate consumers so that they understand what this software really is." A more naked, forthright statement of just what the industry has in mind for consumers would be hard to come by.
In fact, two panelists made comments along that line:
1. Chris Kelly (p. 183):
said by Chris Kelly: MR. KELLY: So I think that that can go hand-in-hand with a consumer education campaign oriented towards explaining to people the difference between client software and spyware.
2. Jules Polonetsky (p. 184):
said by Jules Polonetsky: MR. POLONETSKY: I'd comment on a couple of different levels, one on the comparison to some of the other self-regulatory processes. I think one of the reasons why on the network advertising initiative side of the world things end up working is you could really could sit most of the relevant players who were doing this on any scale around the table.
They all were public or soon-to-be public companies that were, you know, part of the civil debate part of the world, and you could say to them, look, you all need to do an awful lot more to explain your business practices, because people have concerns about them. So step up, do more, work harder, bother your customers, make them do more.
**Panel 5**
The highlight of Panel 5 was the presentation by Microsoft on ActiveX controls and the upcoming changes in SP2 for Windows XP:
* Jeffrey Friedberg, Microsoft: Comments, pp. 201-213; Presentation ( »www.ftc.gov/bcp/workshops/spywar···berg.pdf ).
By far the most entertaining panelist of the day, though, was Steven Bellovin, who quipped at one point, "It seems to be my role here to be disagree with people" (p. 250). One of his more notable disagreements with another panelist concerned the portable security scanner application announced by Wayne Porter of SpywareGuide (but which I mistakenly attributed to David Moll and Webroot). As I reported:
said by Eric L. Howes: The irony of this "security application" was not lost on Steven Bellovin, Fellow with AT&T Labs-Research, also on the panel. Noting that mobile code is one of the biggest security problems in Windows, he quipped that Webroot's portable security scanner was one of the "scariest things" he had yet heard about at the workshop.
And Bellovin was right, of course, because what Moll had unwittingly pointed out is that ActiveX controls can be used to import and run completely foreign code of unknown provenance at the user's discretion on boxes that the user ostensibly shouldn't control.
Mr. Bellovin's actual comments (p. 250):
said by Steven Bellovin: MR. BELLOVIN: I think there are a number of mistakes we can point to, but to me the biggest mistake the industry made was deploying mobile code without adequate safeguards.
The scariest thing that I heard today was it's possible to write an ActiveX control to scan a machine for spyware. You have a control that's that powerful that can roll with those permissions, my God, what else could it have done?
As I noted, Daniel Weitzner had useful comments on P3P-like solutions to spyware:
said by Eric L. Howes: To his credit, Daniel Weitzner of the World Wide Web Consortium (W3C), one of the prime forces behind the P3P specification, expressed his skepticism of such an adaptation of P3P, though he said he wouldn't completely dismiss the idea.
Mr. Weitzner's actual comments (pp. 231-232):
said by Daniel Weitzner: MR. WEITZNER: I have to say, I'm slightly on the fence here about how much a labeling approach can really accomplish when it comes to spyware. And I think it can probably help some, but the history of trying to label things on the web I think is really instructive here. I think if you look at both privacy on the one hand and things like pornography and spam on the other hand, you see the sort of limits and benefits of labeling.
See pp. 228-235 for the complete discussion of P3P-like anti-spyware solutions, problems w/ labeling schemes, and the similarity of problems with spyware and spam.
Panel 6
Though Panel 6 was a long time in coming (or so it seemed at the time), it too had its noteworthy moments.
In my review of Panel 6 I called attention to the remarks of Jennifer Baird of Rep. Mary Bono's office:
said by Eric L. Howes: Although at times appearing a bit uncomfortable with speaking to such a large audience, Ms. Baird nonetheless made her boss's position quite clear: that new legislation is needed to protect consumers against the invasive, destructive software currently being distributed by the advertising software industry. While she acknowledged the potential benefit of "industry self-regulation," consumer education, and enforcement of existing laws against the more unscrupulous spyware distributors, Ms. Baird firmly and unambiguously insisted that those actions were simply not adequate to the job. Moreover, she rejected calls from the industry and others to study the issue more and allow the industry itself to address the problem. "That's just not how things work in Congress," she said, and went on to describe Rep. Bono's work on her own anti-spyware bill...
Ms. Baird's actual comments (pp. 266-267):
said by Jennifer Baird: MS. BAIRD: Another thing has been -- another thing that we heard from industry has been, you know, self-regulation is the answer, but we can't really come up with best practices yet.
So, in other words, what we're hearing is, this is a problem, it needs to be solved, but we don't know how, so just hold on.
And that's not how it works in Congress, and, you know, as a member of Congress, my boss has the responsibility to do all she can to protect her constituents from downloading onto their computer that they use for personal, you know, banking and for credit -- you know, buying things through their credit card and so on and so on. She has the responsibility to make sure that they have confidence when they're using their computer, and that that information won't be shared.
And another thing that, of course, has been said is, legislation is just the wrong answer. This can only be done through self-regulation.
I would say that we can't sit around and just think about it and talk about it for days and nights in a year, we do have to act. But that being said, I do think that industry self-regulation is a very important aspect of this, and my boss understands that legislation by itself will not stop the problem, but it is a step in the right direction. It is a step in the right direction that people know what they're downloading onto their computer before they download it.
I also applauded the remarks of State Rep. Steve Urquhart of Utah:
said by Eric L. Howes: Thus, it was helpful and encouraging to listen to the remarks of Utah State Rep. Stephen Urquhart, the principal force behind the Utah bill. Urquhart was quite impressive throughout his comments. Demonstrating a firm grasp of the issues, Urquhart rejected the flim-flam objections and diversions from the industry, quickly batting them down. Describing his own experience drafting the Utah bill, Urquhart remarked that he and his colleagues in the Utah House received no useful input from the industry, which simply wanted to kill the bill, as should be apparent from the several industry comments publicly available (see the NetCoalition above, for example).
Here are two choice quotes from Mr. Urquhart:
1. p. 274:
said by Steve Urquhart: MR. URQUHART: I mean, constituents, they demand results. They're sick of this stuff. And so I've heard a lot of handwringing here today, and I think it is great that we do need best practices, we need education, we need technology, but we also need regulation.
I mean, how do you stop bad guys? You have a neighborhood watch? You have education to pick up your newspapers. Don't leave them sitting around. You have technology, you have alarms and bars, but at the end of the day, you've got to have laws and a cop on the beat. And so we've put a cop on the beat.
2. pp. 287-88:
said by Steve Urquhart: MR. URQUHART: Yeah, let me point out that, in Utah, like in most states, we don't write our laws into -- in stone. We don't chisel them in stone, we write them on paper, and so, we have made it plenty clear to industry, and to all parties, that we wanted their input.
And about the only input we got during the sessions was, don't do it. Let -- for Heaven's sake, let the feds deal with this, and, you know, that -- that's not acceptable to my consumers. And so, this was brought forward by an industry member, saying put in an operating system, and currently, in the law, they could argue that this is a vital component of the operating system, then it would be exempted out.
For more of Mr. Urquhart's comments, see pp. 269-275 and pp. 287-290.
**Errors in the Transcript**
Yes, the transcript itself does contain a few errors that readers should be aware of, though most of them are minor.
p. 78: here Roger Thompson of Pest Patrol is misidentified as "Commissioner Thompson." (Commissioner Thompson did actually offer remarks just after Panel 3 and went on to host Panel 4. The Thompson on Panel 2, though, was Roger Thompson.)
p. 218: "sharistic" should be "heuristic"
pp. 223-224: the transcript misattributes David Moll's comments to Daniel Weitzner. That this is so should be clear from context, because the remarks cover the partnership between the maker of Spy Sweeper and Earthlink (misspelled "Earthlinks" in the transcript).
p. 226: "wy" should be "way"
pp. 257-258: these two pages contain a series of interconnected errors of attribution. The transcript attributes the question on p. 257 ("Could you just sketch out for us,...") to Mary Engle by tacking the question onto the end of Engle's response to a previous question, and the answer ("Well, to bring a case,...") to Beth Delaney, who was actually the host asking the questions. The next question on p. 258 ("Mark, we'd like to hear about...") then bleeds into the end of the response and is correctly attributed to Beth Delaney; however, the preceding response is Engle's. In other words, pp. 257-258 should have a question by Delaney, a response by Engle, and a question by Delaney. Instead what we get is a question by Engle (at the end of her response to a previous question), a response by Delaney, and then a question by Delaney.
There are undoubtedly other minor errors, but those are the ones I spotted.
**Concluding Remarks**
In going through the transcript for the FTC's Spyware Workshop I happened across a number of interesting comments that deserve attention, and I'll be posting a list of them in the next few days. You can think of that list as my own selection of key highlights from the workshop for those who don't have the time or inclination to plow through all 298 pages of the transcript.
Also, the FTC has finished posting comments from the public about "spyware," and the comment period is now closed (the last day to submit was May 21). Here's a short breakdown of the comments posted in the past few weeks (#212-359):
# 212-349: these are mainly short comments from consumers, many of them angry and frustrated at spyware and, occasionally, the FTC itself.
# 350-359: the last ten submissions include a number of comments worth noting.
(Note: see »A Guide to Spyware Comments Filed w/ the FTC for pointers to earlier comments posted to the FTC's site.)
# 350 Recording Industry Association of America (04/23/04) »www.ftc.gov/os/comments/spyware/···peer.pdf
The RIAA weighs in with a hefty document linking spyware to P2P file sharing software.
# 351 Lavasoft (05/17/04) »www.ftc.gov/os/comments/spyware/···soft.pdf
Lavasoft, makers of Ad-aware, provides straightforward answers to the main questions on the FTC's agenda.
# 352 Association of Shareware Professionals, Inc.-2 (05/20/04) »www.ftc.gov/os/comments/spyware/···ff-2.pdf
In its second submission this industry organization dismisses the purported difference between adware and spyware.
# 356 The National Network to End Domestic Violence (05/21/04) »www.ftc.gov/os/comments/spyware/···viol.pdf
Providing an object lesson on the problems with the term "spyware," which leads people to confuse advertising software with system monitoring programs, this non-profit organization advises the FTC on why keyloggers are a threat to battered women.
# 357 Webroot Software, Inc. (05/21/04) »www.ftc.gov/os/comments/spyware/···ware.pdf
Like Lavasoft, Webroot addresses all the main questions on the FTC's announced agenda.
# 358 WhenU.com (05/21/04) »www.ftc.gov/os/comments/spyware/···ents.pdf
A "must read": WhenU finally replies to Ben Edelman's finding that WhenU's SaveNow software transmits URLs in violation of its privacy policy (see »www.benedelman.org/spyware/ftc-031904.pdf ) and PC Pitstop's survey of WhenU users, which revealed that over 80 percent of WhenU "users" were unaware of the software installed on their systems (see »www.ftc.gov/os/comments/spyware/···stop.pdf ).
Edelman has already posted a response to WhenU's reply on his web site:
WhenU Violates Own Privacy Policy »www.benedelman.org/spyware/whenu···response
PC Pitstop will undoubtedly be posting a response of its own.
Having looked over WhenU's reply, I must say that WhenU's attorney isn't the sharpest knife in the drawer. Her argument against Edelman's findings is completely inadequate, as she seeks to downplay the plain language of the EULA itself, which WhenU was forced to revise in the past few days. Moreover, her reply to PC Pitstop's survey effectively supplies the reasoning necessary to underscore the ultimate point of PC Pitstop's survey. In other places, she contradicts herself, misstates or misdescribes PC Pitstop's survey, and simply ignores evidence when it isn't convenient. All in all a sorry performance.
# 359 Howes-2 (05/21/04) »www.ftc.gov/os/comments/spyware/···es-2.pdf
My response to C2 Media's reply to its critics -- see # 181 Lucas-2 (04/14/04) ( »www.ftc.gov/os/comments/spyware/···cas2.pdf ) -- is the very last posted comment for the workshop. I should have an HTML version of this up on my FTC Spyware Workshop page in the next few days:
The FTC's Spyware Workshop »www.staff.uiuc.edu/~ehowes/ftc-spyware.htm
Best regards,
Eric L. Howes