Telling the FTC About Spyware: A Few Tips...
Hi All:
As noted in a previous thread ( »Tired of being hijacked? TELL the FTC! ), the FTC (Federal Trade Commission) is conducting a workshop on the topic of "spyware" on April 19 -- just one month away. You can read about that workshop on these pages:
FTC To Host Spyware Workshop »www.ftc.gov/opa/2004/02/spyware.htm
Monitoring Software on Your PC: Spyware, Adware, and Other Software »www.ftc.gov/bcp/workshops/spyware/index.htm
The FTC is now taking statements and comments about the problem of "spyware," and these statements are being published on the FTC's web site:
»www.ftc.gov/os/comments/spyware/index.html
If you've grown tired of complaining about "spyware" in forums such as this one only to see the problem get worse, and if you would like the opportunity to contribute to a national discussion that actually could make a difference, this is your chance. You can submit your comments via the link on this FTC page (see the "Public Comments" section):
»www.ftc.gov/bcp/workshops/spyware/index.htm
The FTC has already received a few comments; however, the majority of those comments are inadequate because they simply fail to describe the problem of "spyware" in effective, compelling, credible terms. Those of you who are familiar with the problem of "spyware" and who could contribute substantive, enlightening comments on the topic would do well to make your voice heard.
Although we discuss "spyware" all the time in this forum, we need to take care when talking about the problem with others outside of this community -- especially with people who aren't as familiar with the topic as we are. In what follows, I offer a few tips for crafting an effective statement to submit to the FTC on the topic of "spyware."
1. Lead off your statement by briefly describing your education, background, and training, especially if you're a computer professional of some sort. If you're an IT director, network administrator, programmer, or website developer, let the FTC know that. Doing so can help establish your credibility and authority.
2. After describing your qualifications to speak to the issue of spyware, describe your experience with "spyware" in simple, direct, concrete terms. Tell the FTC how you come into contact with "spyware" and what behavior and consequences you've observed.
3. Connect your statement with the issues and topics that the FTC wants to discuss. The FTC has already started to set an agenda for the Workshop, and your comments and points should be directed towards those issues. The topics announced for the Workshop include ( »www.ftc.gov/opa/2004/02/spyware.htm ):
* Defining and Understanding Spyware, including a discussion of how spyware may differ from adware;
* Distribution of Spyware, including the role that peer-to-peer file-sharing may play;
* The Effects of Spyware, including the extent to which spyware affects the functioning of personal computers and raises privacy or security concerns; and
* Possible Responses to Spyware Concerns, including a discussion of what consumers, government, and industry have been doing and intend to do, by themselves or together, to address the harms associated with spyware.
Here's another summary of the questions the FTC hopes to address in the Workshop:
* how should spyware be defined? (e.g., adware v. malware v. other bundled software v. tracking cookies v. viruses, etc.)
* how does spyware get distributed, and in particular, what role does P2P software play in distributing spyware?
* what are the privacy issues associated with spyware?
* what security issues and "control of one's own PC" issues does spyware raise?
* are there technological solutions to spyware issues?
* what is the role of government, consumer education efforts or industry self-regulation?
As I emphasized in my previous musings on this Workshop ( »Tired of being hijacked? TELL the FTC! ), we should anticipate that the agenda for the Workshop is already being shaped and defined -- and not necessarily in ways that protect citizens and consumers. Wherever possible we should address the assumptions and arguments that lie back of the agenda points. To wit:
* Defining and Understanding Spyware
The commercial "spyware" industry wants to use a definitional distinction between "adware" vs. "spyware" to define themselves right out of the debate. We know that using a strict definition of "spyware" would mean ignoring the vast majority of obnoxious, malicious commercial "spyware" that exists (Lop.com and CoolWebSearch, for example, technically do not spy on users, yet they are the most prolific and abusive "spyware" apps that consumers face). We also know that the EULAs (End User License Agreements) used by "adware" companies are completely inadequate as notice or protection. Most of the commercial "spyware" or "adware" on the Net already carries a EULA of some sort, yet that hasn't prevented consumers' computers from being trashed by these very same applications. The "adware" vs. "spyware" distinction is a red herring that only distracts us from addressing the real problems that consumers face.
* Distribution of Spyware
Some folks at this workshop may want to use it as a venue to give the RIAA yet another platform to wage war against P2P apps, and the discussion could be side-tracked by an agenda that has very little to do with protecting citizens and consumers. We know that while some P2P apps do install "spyware," not all of them do. Still further, "spyware" is foisted on users' computers via many more avenues beyond just P2P apps such as KaZaA or Grokster. We could outlaw P2P apps tomorrow, and the "spyware" problem would continue unabated. (The same points, by the way, hold true for porn: porn sites certainly are venues for the distribution of "spyware," yet we could eliminate porn sites tomorrow and still have a "spyware" problem.) P2P file sharing apps are a needless distraction from the real business of figuring out ways to protect consumers.
* The Effects of Spyware
Emphasize concrete consequences, especially financial costs. This is an administration that places a priority on empirical financial costs, so if you can describe the costs associated with spyware -- especially costs to businesses -- then do so. Also, we shouldn't be distracted on this issue by the "spyware" vs. "adware" distinction. There are plenty of "spyware" apps out there that technically do not spy on users but which still represent serious threats because they hijack browsers, add unwanted toolbars, and degrade system performance through unwanted changes and additions to consumers' computers.
* Possible Responses to Spyware Concerns
The commercial "spyware" industry wants to push for industry "self-regulation" (primarily through standards for consumer "notice") and limit the FTC and the Federal government to performing education campaigns. We know that "self-regulation" and consumer "notice" (by way of EULAs) is what the industry is doing RIGHT NOW, and these efforts have been a massive failure. Not surprisingly, the "spyware" problem is quickly becoming unmanageable because commercial entities simply cannot be trusted to regulate themselves. Moreover, consumer education can do only so much: the recent round of viruses (My.Doom, Netsky, Bagle) tells us that even after 6 years (the time since the Melissa virus) of massive public education about the threat of viruses and worms, consumers still do not understand how to defend themselves against malware. When malware distributors use a blizzard of powerful and confusing techniques to foist their software on users and hijack their PCs, and when these techniques are changing so fast that even dedicated professionals struggle to keep up, then consumer education will necessarily be of only limited use. The average consumer has not a chance against these "spyware" vendors.
The commercial "spyware" industry also wants to argue that the existence of anti-spyware programs and other privacy applications means that consumers need no further protection because they already have the tools to protect themselves. We know that as good as some of these anti-spyware tools are, many if not most consumers find these programs far too complex and confusing to use effectively. (Again, the history of virus problems is instructive: even after a decade of anti-virus applications, most consumers still do not know how to use anti-virus programs properly and effectively, and these are the security applications that have been around the longest and which have achieved the highest level of market penetration.) Moreover, because "spyware" pushers are so aggressive in developing powerful new techniques to hijack computers and foist their software on consumers, no one anti-spyware application will do the job. Consumers now need an entire suite of anti-spyware applications, and that suite of programs is constantly (even daily) being updated. Finally, some commercial "spyware" vendors are taking aggressive steps to evade, circumvent, and even sabotage anti-spyware applications, further diminishing their effectiveness. Still worse, some commercial "spyware" pushers are attempting to drive anti-spyware advocates and vendors off the Net with the threat of lawsuits and even DDoS attacks, thus preventing consumers from getting the information and tools they need to protect themselves. Anti-spyware apps are no excuse to do nothing.
4. Moderate your language and rhetoric. Your goal is to come across as a calm, professional, credible, thoughtful advocate. If you come across as an angry, paranoid, ignorant boob, then what you say will be all the more easily ignored. If ever there were a time to dispense with the bad communication habits that are often bred in online forums, this is that time. You want to present a rational argument, not an emotional rant.
5. Clean up your text. Do not rely exclusively on a spell-checker. Before submitting your statement, read your text out loud slowly, as if you were giving a speech. By reading it out loud, you can catch and correct errors with punctuation, spelling, and mechanics. Better yet, let someone else you trust read your text and suggest revisions. Then revise your text over the course of a few days. Every stylistic and mechanical aspect of your text should declare your trustworthiness and credibility as a thoughtful, concerned, serious citizen and consumer.
I hope this advice has been helpful. If you would like to look over a few web pages to brush up on your knowledge of what "spyware" is and what it can do, review the following:
and.doxdesk.com - Parasites »www.doxdesk.com/parasite/
Spyware Guide »www.spywareguide.com/
SpywareInfo »www.spywareinfo.com/
Crapware Count »www.staff.uiuc.edu/~ehowes/crap-count.htm (note: see esp. the "Overview" and "What Crapware Does" sections)
"Tired of being hijacked? TELL the FTC!" »Tired of being hijacked? TELL the FTC!
SpyBot Search & Destroy - Target Policy (Patrick Kolla) »security.kolla.de/index.php?lang···etpolicy
SpywareGuide.com »www.spywareguide.com/category_list_full.php
Lavasoft Threat Assessment Chart »www.lavasoftusa.com/support/resources/
Kephyr - Spyware »www.kephyr.com/spywarescanner/li···re.phtml
"EULA Privacy Statements" »EULA Privacy Statements.
The Problem with Privacy Policies »www.staff.uiuc.edu/~ehowes/priv-pol.htm#that
If you have questions or comments on any of the above, please don't hesitate to jump in here and let me know.
All the best,
Eric L. Howes