Broadband Tech > Security > Security > FTC Spyware Workshop: 1st Impressions

reply to eburger68

Re: FTC Spyware Workshop: 1st Impressions

Man I AM LOSING ALL RESPECT FOR THE GOV'T, I had my cd player stolen from my car the day before Easter and I only have liability stuck on the car to pick up a new window, so I ask the cop what would happen if they get caught... a few days in jail if that and a misdemeanor, SOOOO I ask what would happen if I was to assault the thief.... COULD BE SUED. I SWEAR I'M GONNA KILL THE A$$HOLES AND ANY STUPID POLITICIAN/ADWARE/SPYWARE SUPPORTER. ARGH
I don't care if this is treason I'll gladly tell the FBI or whoever but if the gov't can't aid and listen to the people it's supposed to protect then get rid of the (EXPLETIVELY DELETED by me) POLITICIANS.

P.S. Thanks a million Eric, just wish there was more people like you and everyone else who hates bad companies/politicians.

reply to eburger68
Eric,
thanks for the in-attendance narrative. My email comment to the FTC, and what I teach all of my users, and whomever else asks, is that our choice must be to make a conscious choice to OPT IN to ANY of these ... things. The choice must be ours, not pushed upon most because of their ignorance. These ...Q$#%%... could easily make a very small page that uses ONE screen to explain their desired activities and the reader can make the choice at the end of that screen to accept, or reject on a Permanent basis, what is being offered.
Mr Naider, or any of the others, regardless of their blandishments of "making the Internet 'FREE' and a 'pleasurable experience' are uninvited guests to my computer (read Home)and I actively choose the right to do with them as I do the rats that attempt to take up residence in my woodpile. Hunt them down and ... um, reduce their life light to 0 lumins

reply to eburger68

said by eburger68:

---

The FTC is not interested in encouraging new regulations or legislation concerning "spyware" or advertising software. Commissioner Swindle (head of the FTC) indicated as much in the videotaped remarks that were played after the first panel this morning. The FTC is much more interested in encouraging what it calls "industry self-regulation," which involves the advertising industry itself establishing a set of "best practices" that would allow it to "play nice" with consumers

---

reply to eburger68
Hi All:

Just wanted to let you know that I have seen all the responses in this thread to my original post. Unfortunately, I simply don't have time tonight to expand on my initial comments. As is the case with Dave, Rob, Paul, and the other anti-spyware folks who attended the workshop, I'm busy catching up with email and other things that piled up during my absence. I will try to post additional comments tomorrow afternoon or evening, though (and there is plenty still left to be said).

A few quick notes, though:

First, the FTC has posted still more comments (# 172-188). Of interest in this batch is a second submission from Jason Lucas of C2 Media (aka, Lop.com):

# 181: Lucas-2 (04/14/04)
»www.ftc.gov/os/comments/spyware/···cas2.pdf

I opined in an earlier thread about C2 Media's first batch of comments:

»Lop.com Goes to the FTC

And, of course, the longest of the three documents that I submitted to the FTC is a step-by-step analysis of a C2 Media "drive-by-download":

The Anatomy of a Drive-by-Download
»www.staff.uiuc.edu/~ehowes/dbd-anatomy.htm

This second batch of comments from C2 Media is also worth a read, because Lucas frames these new comments as a reponse to the critiques of anti-spyware advocates. Although he doesn't point to my comments by name, it's pretty clear that he is in fact responding to my "drive-by-download" document, which uses a C2 Media as the central example.

I won't bother responding to the several points he makes (though I do intend to after I get some sleep). I think you'll find C2 Media's response less than convincing.

Second, I want to respond quickly to what Dave Leary had to say on the issue of new legislation/regulations:

said by Dave Leary:

---

In all fairness to the FTC, remember they do not create laws, Congress does.

---

reply to eburger68

My Notes from the Workshop

reply to eburger68

Re: FTC Spyware Workshop: 1st Impressions

said by CDT:

---

The Consumer Software Working Group is a diverse community of public interest groups, software companies, Internet service providers, hardware manufacturers, and others that
are seeking consensus responses to the concerns raised by practices that harm consumers.

---

said by Eric L. Howes:

---

What the industry came up with...has been something less than a smashing success. Faced with serious consumer complaints about privacy violations, the industry essentially declared, "Let them eat privacy policies!" Even the addition of a meager supplementary diet of P3P compact policies and third-party trustmarks has done little to satisfy or assuage consumers' privacy concerns.

---

said by Eric L. Howes:

---

the FTC workshop ... could mean that we're at the start of a Federal discussion of the "spyware" problem, which until now has received almost no attention.

What are the potential outcomes of that process? There are three broad outcomes, so far as I can see:

1) Nothing gets done

The FTC wrings its hands over the problem but eventually agrees with the commercial crapware industry that government regulation is a bad thing; that the industry "self-regulation" is much more effective and even preferable; that consumers are being offered "choice" in the form of EULAs, commercial anti-spyware applications, browsers settings, and vendor provided uninstallers; that consumer education is all that is needed from the FTC for the "spyware" problem to solve itself. Everyone involved will give themselves a pat on the back for protecting consumer choice, respecting the beauty of the market, for committing themselves to self-regulation and consumer education, and then they will go home, having done absolutely nothing.

2) A CAN SPYWARE Act

The FTC works with the commercial crapware industry to craft legislation for Congressional adoption. This legislation will distinguish between "spyware" and "adware" by imposing a minimal set of requirements for software installation (a EULA for example). This minimal set of requirements will not stop the usual suspects from doing what they're already doing, but it will allow the industry to proclaim that their software conforms to strict government regulatory standards. It will also allow the FTC to prosecute a small number of the more unscrupulous "spyware" pushers, thus giving the larger players protection from unwanted competition.

3) Real "Spyware" Regulation

The FTC actually responds to consumer outrage (as it did with the Do Not Call legislation) and, to the horror of the commercial crapware industry, pushes Congress to adopt legislation that would place real restrictions on the abusive tactics of the commercial crapware industry.

Outcomes #1 and #2 are the preferred outcomes for the commercial crapware industry. Outcome #3 would be a disaster.

---

Thanks Eric for _all_ of your many efforts, including taking the time for such informative updates as these. It's tough to find the positive in such experiences when they only serve to highlight just how far every aspect of life has been commodified, and democracy distorted. We are no longer even citizens, as much as "consumers" "between the forceps and the stone." So few seem sufficiently aware enough to care, far less to resist.

Do you think the chances of success of taking the Utah statue as a starting point in a net-based campaign to gather support for lobbying for serious legislation are as dismal as they may appear?

reply to damonlab
Damonlab said:
"Maybe it is time to start thinking about ghosting every machine and pushing out a clean image once a month."

Bingo. Though at the public machines I used to admin a local system image re-cast every night - or when someone hit the "rebuild this PC" button on the desktop. I'm -tonight- trying to decide which approach will be less work for my homePC: try to unhook all the MScrap from the sys partition & maintain a clean, updated image or keep constantly sweeping with 4-8 scanners that don't get everything anyway.

said by jap:

---

Bingo. Though at the public machines I used to admin a local system image re-cast every night - or when someone hit the "rebuild this PC" button on the desktop. I'm -tonight- trying to decide which approach will be less work for my homePC: try to unhook all the MScrap from the sys partition & maintain a clean, updated image or keep constantly sweeping with 4-8 scanners that don't get everything anyway.

---

said by B:

---

What about Option 3: surf safely and/or use a browser other than IE, don't install garbage software infested with spyware, and be careful with all executable files and e-mail attachments? (Working as a non-admin is a good idea too, but is unworkable for most.)

---

Ahh yes, the "stay above the fray" approach. Sorry, not practical. Not even based in reality. This isn't a problem you can blame-shift to user behavior.

Huh? I thought you said this was your own home PC? Don't you trust your own habits?

-- B
--
In a realm outside causality and function

reply to B
from one of Eric's links
Mozelle Thompson, a commissioner at the Federal Trade Commission, said it is too early for Congress and the states to pass laws to ban "spyware," the Washington Post reported Tuesday. Rather, technology businesses should teach consumers how to avoid falling victim to identity theft scams and other dangers spyware poses, he said.
My opinion only...
So it seems to me Mozelle Thompson acknowledges the existence of "spyware", but believes it's someone elses responsibility to clean it up. I can remember when my own children thought that way too. Thankfully they have shed that immaturity & have since grown into responsible adults.
--
Dave said "By the way, 4294967295 is just another way to write -1".

reply to Bobby_Peru
Bobby:

You wrote:

said by Bobby_Peru:

---

Do you think the chances of success of taking the Utah statue as a starting point in a net-based campaign to gather support for lobbying for serious legislation are as dismal as they may appear?

---

reply to B

said by B:

---

Huh? I thought you said this was your own home PC? Don't you trust your own habits?

---

reply to eburger68
Hi All:

Let me continue my review of and comments on the remaining five panels at the FTC's Spyware Workshop this past Monday (April 19). As with my review of Panel 1, I'll update where appropriate the "rating" that I assigned each panelist in a previous thread ( »FTC Spyware Workshop Panelists - Worries... ):

X - industry/corporate friendly
U - unknown/undetermined
P - privacy friendly

Panel Two: Security Risks and PC Functionality

Panelists:

U - Maureen Cushman, Legal Counsel, U.S. Consumers, Dell
P - John Gilroy, Technology Contributor for The Washington Post and Co-Host of WAMU’s “The Computer Guys” program
U - Bryson Gordon, Senior Manager, Product Management Group, McAfee Security, Consumer Division
P - Austin Hill, Co-Founder and Chief Privacy Expert, Zero-Knowledge Systems
P - Roger Thompson, Vice President, Product Development, Pest Patrol
P - Michael Wood, Vice President of Sales, USA and Canada, Lavasoft

Note: be sure to take a look at Bill Pytlovany's blog for photos of Panel 2 as well as the other other panels:

»www.mysteryware.com/blog.html

Following the frustrating opening of the FTC's Spyware Workshop with Panel 1's industry consensus view, Panel 2 was encouraging in that the effects of spyware on consumers were finally laid on the table. Where the discussion on Panel 1 had at times seemed completely disconnected from the reality of consumers' experience with spyware, Panel 2 not only returned the discussion to a solid grounding in the actual impact of spyware on hapless internet victims, but it demonstrated that spyware is imposing serious costs on many businesses as well.

Effects on Businesses

Maureen Cushman led off this panel by describing the impact of spyware on Dell and Dell's customers and support services. As reported in Declan McCullagh's report on the workshop ( »zdnet.com.com/2100-1104_2-5195222.html ), Cushman stated that spyware has become "a huge technical support issue" for Dell, which is inundated with technical support calls from users whose systems have been trashed by spyware. One has to assume that other OEMs and their customers are similarly affected, however, it was important to hear from Dell, one of the largest of the OEMs.

Readers here at DSLR/BBR might remember that just a few months ago Dell was in the news because of an unfortunate -- and quickly reversed -- decision to refuse to give customers information about how to remove spyware when customers called Dell customer support (see the our discussion here: »Dell does not support the removal of spyware ). After an enormous outcry and a wave of bad publicity on the Net (see esp. the open letter to Dell organized by SpywareInfo: »www.spywareinfo.com/articles/del···tter.pdf ), Dell backtracked and announced that it would partner with Pest Patrol to provide spyware removal support for its customers ( »www.spywareinfo.com/newsletter/a···php#Dell ). As deplorable as Dell's original decision was, it should give us yet another indication of the severity of the problems that spyware causes for Dell.

Unfortunately, Cushman contributed very little beyond her opening statement, listening quietly for most of the remainder of the panel. Nonetheless, Dell's contribution was an important one, for it puts the lie to the ubiquitous line from the advertising software industry that its software is simply a benign, "pro-consumer" form of advertising that merely supports free content on the Net. In fact, spyware imposes real costs on individuals, organizations, and businesses outside advertising software vendors and their immediate customers and victims.

Two other panelists on Panel 2 reinforced this important point. Bryson Gordon of McAfee brought with him a line graph detailing the growth of unwanted software installations on users' computers over an 8 month period. From August 2003 to March 2004, the number of installations detected by McAfee exploded from 2 million to 14 million, with roughly 85% of those installations being what the industry prefers to call "adware." What was notable about McAfee's numbers was what they demonstrated about the growth of "adware" versus other forms of unwanted software (e.g., "spyware," keyloggers," etc.). Where the lines for these other forms of unwanted software remained relatively flat over the 8 month period (with installations of keyloggers so comparatively small as to be almost not worth mentioning), the yellow line for "adware" installations soared dramatically above the others, leaving no doubt as to what is driving the problems behind consumer complaints about installations of unwanted software.

These numbers, it should be noted, come on the heels of the recent report by Earthlink and Webroot that consumers' computers are simply being overrun by spyware ( »www.earthlink.net/about/press/pr_spyAudit/ ), with most internet connected computers having some sort of spyware and the average number of spyware items per computer being 28. Such numbers are unsurprising. From my work with college students at the University of Illinois at Urbana-Champaign, I know that almost every single one of their computers is infested with spyware, and the vast majority of them either don't know it (they usually attribute their computers' problems to "viruses") or don't know how to remove it. Still further, McAfee's numbers on the dramatic growth of unwanted software installations mirror my own, admittedly "soft" numbers on the spyware explosion over the past year (see »www.staff.uiuc.edu/~ehowes/crap-···m#table1 ).

As with Dell's comments, McAfee's presentation was important inasmuch as it confirmed what those of us who work in the trenches every day know from hard experience: that the problem with unwanted advertising software has exploded in the past year or so, and that the key factor in driving waves of distraught users into support forums like ComputerCops.biz and SpywareInfo.com (to name but two of many on the Net devoted to spyware removal) is what the industry would have us believe is a harmless form of commercial software that consumers knowingly and willingly install and which is radically different in its effects than "spyware." We know differently, however, and McAfee's numbers lend our position support because they demonstrate that it is the dramatic growth of "adware" that lies behind the surge in consumer complaints, not some narrow class of "spyware" or other more traditional forms of "malware." Indeed, Gordon commented that "spyware" and "adware" now represent "a larger technical support problem than viruses" -- a judgment that most volunteers who toil away at SpywareInfo and ComputerCops would readily agree with. Despite what the advertising software industry would have the public (and the FTC believe), it is "adware" -- their products -- that consumers are largely complaining about, not some narrowly construed class of "spyware."

This damning picture of "spyware" and "adware" and its effects on users and businesses was buttressed by Austin Hill of Zero-Knowledge Systems. After arriving a bit late to the panel, Hill explained how spyware causes ISPs an enormous amount of grief because internet users usually turn to their internet providers as a first line of support when they encounter problems with their use of the internet. Even though ISPs are not technically responsible for the damage that spyware and adware cause its customers, those customers often do not know where else to turn when their browsers are hijacked, their internet connections slowed or broken, or their desktops deluged with pop-ups. Thus, advertising software vendors effectively shift or impose major costs on to innocent third parties, who have very little choice but to shoulder the technical support burden if they wish to retain their businesses and their good name. The ISP business, it should be noted, is a cut-throat one with narrow margins, and technical support calls for spyware-related problems are far more costly and involved than typical support incidents, averaging 25 minutes according to Hill. OEMs who provide technical support to end users reportedly try to keep technical support calls under 10 minutes, so calls of 25 minutes and over can only represent a major burden to ISPs, many of whom are struggling to stay in the black.

Not surprisingly, larger ISPs have started to partner with anti-spyware vendors to offer their customers spyware detection and removal support, as Dell has through its partnership with Pest Patrol. Earthlink was the first major ISP to offer its customers anti-spyware software ( »www.earthlink.net/home/software/···blocker/ ), and AOL and MSN have also recently incorporated anti-spyware software into their software packages or offerings ( »www.washingtonpost.com/ac2/wp-dy···=printer ). What smaller, less established ISPs -- esp. mom-and-pop dial-up operations -- are doing is not known. There is no reason to think that the smaller players in the ISP business are any less affected by spyware and adware than the major players such as Earthlink, AOL, and MSN.

One aspect of the effects of spyware that was not directly addressed on this panel was the impact on businesses and organizations that maintain their own computer networks. The FTC's collection of comments from the public ( »www.ftc.gov/os/comments/spyware/index.html ) is filled with complaints from IT staff at large corporations as well as small business owners, many of whom are spending an inordinate amount of time repairing damage to their companies' PCs and deploying anti-spyware solutions on their systems and networks to minimize the ill-effects of this invasive, destructive advertising software. (See this article for advice to corporate IT staff on minimizing the effects of spyware on corporate computer networks: »www.windowsecurity.com/articles/···ams.html ; and see this article for numbers on the prevalence of spyware on corporate networks: »www.websense.com/company/news/pr···30205122 ). Spyware and adware can also pose serious problems for university computer networks, as documented by a recent study at the University of Washington ( »www.cs.washington.edu/homes/tzoo···are.html ).

Whether we look at businesses with customers to support (ISPs, OEMs, software vendors, et al) or businesses and organizations who are supporting employees with internet access through corporate networks, spyware and adware cut a wide swath of destruction, imposing significant costs on a wide variety of innocent third-parties.

Effects on Users

Though they focused less on the costs of spyware to businesses, John Gilroy (radio host and tech journalist), Roger Thompson (Pest Patrol), and Michael Wood (Lavasoft) all made key contributions to the discussion of spyware's ill effects on users. Gilroy was esp. good, as he explained in forthright, even dramatic terms, how overwhelmed users struggle with spyware. Gilroy's anecdotes of his dealings with spyware victims should be familiar to anyone who works with average users on a daily basis, and he confirmed what we know: that normal internet users have little idea how to keep this software off their systems or how to repair the damage when it is installed, usually without their full knowledge, consent, and understanding. Average computer and internet users are utterly at the mercy of spyware/adware vendors, who have essentially built business models on exploiting people's ignorance of computers and the internet. Thus it is little wonder that they would be turning in droves to their ISPs and OEMs as well as online forums such as ComputerCops.biz and SpywareInfo.com for assistance. As Gilroy and several of those who contributed comments to the FTC noted (see, for example, my own comments: »www.staff.uiuc.edu/~ehowes/ftc-c···#typical ), end users can even face expensive bills from computer repair shops and services in order to clean up the mess left by spyware and adware.

Roger Thompson of Pest Patrol backed up Gilroy's account by supplying a view from inside a major anti-spyware vendor. Thompson noted that Pest Patrol has added an enormous number of detections for new "pests" to its detection database in the past year or so, far outstripping the number of new detections added in previous years. He also described the serious effects of spyware on the usability of computer systems. In one test that he ran, Thompson reported seeing a dramatic increase in boot time on a test PC loaded with one type of spyware (115 seconds to 415 seconds) as well as a similar increase in web page loading time (4-5 seconds to 20-30 seconds). These anecdotal numbers agree with my own experiences with spyware. In my comments to the FTC ("The Anatomy of a Drive-by-Download" -- »www.staff.uiuc.edu/~ehowes/dbd-anatomy.htm ), I described the effects of C2 Media's software package on my own test PC in similar terms:

said by Eric L. Howes:

---

My system slowed dramatically, becoming increasingly sluggish as more programs executed and loaded into memory. ... Web surfing speed also declined, presumably because there were so many programs exchanging data with external network entities (uploading information, downloading advertisements) and consuming bandwidth. I even experienced random browser crashes, undoubtedly because of the sheer number of pop-ups, toolbars, and programs clambering for attention on my system.

---

said by C2 Media:

---

A number of (the) public comments (to the FTC about spyware) indicate a misperception about "adware" and how it differs from "spyware" ... Legitimate adware is installed with an EULA and uninstaller --- usually in exchange for a free software product or service. Adware does not monitor or "spy" on a user. Adware only exists as an advertising channel to a subscriber base, much like cable networks retain time blocks on all channels on their network to display advertising. The user has agreed to be a subscriber of that particular advertising network in exchange for a product or service. With the acceptance of an EULA, this becomes a binding contractual agreement between the two parties. If a user believes his computer has been "invaded" by an advertising network associated with software he previously had chosen to install, he remains free at all times to simply uninstall it and "opt out" of the advertising network.

---

reply to eburger68
Eric, Very Nice Reading Indeed:)
Thank You
--
~9.11.01~~Never Forget~

reply to eburger68
Hi All:

My comments on the remaining panels at the FTC's SpywareWorkshop of April 19 will not be nearly as extensive and involved as those on Panels 1 and 2, which provided plenty of fodder for discussion and dissent.

Before I proceed with my discussion of Panel 3 (Privacy Risks), let me point out that the FTC has now made available on its web site most of the PowerPoint presentations from corporate representatives in PDF format:

»www.ftc.gov/bcp/workshops/spyware/index.htm

Of particular interest is Bryson Gordon's presentation on the "growth of non-viral threats" (courtesy of McAfee), which clearly indicates that the number of adware installations has exploded over the past year. Sometime in the near future the FTC will also be posting a transcript of the panel discussions from the workshop.

Panel Three: Privacy Risks

Panelists:

P - Ray Everett-Church, Chief Privacy Officer, TurnTide, Inc.
P - Evan Hendricks, Editor-Publisher, “Privacy Times”
P - Chris Jay Hoofnagle, Associate Director, Electronic Privacy Information Center
U - James H. Koenig, Esq., Chief Practice Co-Leader, Privacy Strategy and Compliance, PricewaterhouseCoopers, LLP
X - Ronald Plesser, Esq., Piper Rudnick LLP

Note: be sure to take a look at the photos of Panel 3 as well as the other other panels at Bill Pytlovany's blog page and Declan McCullagh's site:

Declan McCullagh - FTC Spyware Workshop Photos
»www.mccullagh.org/theme/ftc-spyw···r04.html

Bill Pytlovany's Blog from the Workshop
»www.mysteryware.com/blog.html

Compared with the concrete discussion of problems with spyware and adware on Panel 2, Panel 3's discussion of "privacy risks" was much less pointed and, at times, became next to somnolent.

"Spyware" & the Issue of Privacy

I should remark at the outset of my own comments on Panel 3 that I am somewhat suspicious of discussions of "spyware" that put too much emphasis on privacy risks, because I regard such a focus to be a potential distraction from the full array of harms that "spyware" and "adware" impose on victims of all kinds. That's not to say the privacy is not an important topic when discussing "spyware"; it's merely to say that a focus on privacy issues risks forcing a discussion of the impact of "spyware" into overly narrow channels and, at times, even plays right into the hands of the advertising software industry, which above all else seeks to exempt itself and its software from the category of "spyware" or whatever it is that consumers happen to be complaining about.

One of the ways the industry does that is to emphasize the non-invasive, non-intrusive nature of the data gathering and transmission performed by its software. To folks with only a casual familiarity with the issue of "spyware," this may seem like a strange argument to make, but the "spyware" or "adware" industry actually does manage to get quite a bit of traction from this argument. To do so, the advertising software industry makes several points:

1) The data its software gathers is usually not "personally identifiable" -- meaning that the data its software gathers is not uniquely tied to one person or individual. For example, your name, email address, Social Security number, street address, and other similar information are all "personally identifiable" information in that they are uniquely tied to you and tend to allow others to identify or target you specifically from the mass of other people on the Net or in your community. Such information points specifically to you and, in some sense, is actually part of your identity.

By contrast much of the information that advertising software gathers is non-personally identifiable -- meaning that the data may pertain to your demographic characteristics, your computer and its software, or even your behavior on the internet, but that data in and of itself isn't uniquely part of your identity because others will have similar data tied to them. One perfect example of this kind of non-personally identifiable data is click-throughs on banner ads. Another example is certain kinds of demographic data and marketing preferences (age, weight, race, purchasing habits, media interests, etc.). That kind of data in and of itself doesn't uniquely identify you as an individual.

2) The data gathered by advertising software is often anonymous or used in aggregate form. As we just noted, your behavior on the internet or with banner ads isn't personally identifiable, and while advertising software often collects that data, it usually doesn't tie it to you specifically (through your name, email address, SSN#, etc.). The data about your behavior remains "anonymous," as it were, though this software does assign you a unique identifying number (GUID) so that your behavior, marketing preferences, and demographic data can distinguished from that of other anonymous individuals. Thus, advertising software can gather useful data for the purposes of "targeted advertising" while allowing individuals to remain anonymous.

Advertising software vendors also tend to use this kind of data in aggregate form, meaning that they'll take the data from you and others like you and analyze it as a group for marketing purposes. The data about your demogrpahic characteristics and internet behavior is lumped together with others so that marketing firms can conduct research on broad social and cultural trends, preferences, and other behavior that helps advertisers respond to and shape the market.

3) Any data gathered is collected with after giving users prior "notice" and acquiring their "consent" through the use of a EULA and/or privacy policy that users click through before the software is installed, either as a bundled addition to other software (e.g., KaZaA, with all of its piggybacking adware programs) or an automated online installation via a web site (a "drive-by-download").

Note that I've used "scare quotes" for the words "notice" and "consent," because although the law -- at least as it has been explained to me -- currently regards the EULAs and privacy policies used by these programs to be adequate methods to provide notice and acquire consent, I and others see enormous problems with the use of these legal documents in software installations. Users either do not fully understand or recognize what they are in fact consenting to by clicking through these EULA boxes, or they may not even see those boxes under some circumstances. (For more on this problem, see my "The Anatomy of a Drive-by-Download" -- »www.staff.uiuc.edu/~ehowes/dbd-anatomy.htm .)Indeed, these are the primary reasons why, I strongly suspect, so many users report being completely unaware of software like Gator and WhenU on their systems even though both of those pieces of software provide EULAs and privacy policies.

Whatever users' problems with these forms of notice -- which are completely inadequate in my view and which allow vendors to exploit users' ignorance of computers, the internet, and the law for proprietary gain -- they do give adware vendors the wherewithal to stand up in front of forums like the FTC's workshop and maintain that they do in fact provide users notice and acquire their consent prior to installation of their software.

Now, there are certainly plenty of exceptions to three points that I summarize above. Some "spyware" or "adware" does collect personally identifiable information, and once collected that personally identifiable information makes other data collected potentially non-anonymous (depending on how all that data is stored and used by the vendor). Even that kind of software, however, almost always uses a EULA and privacy policy, thus giving the vendors in question the ability to claim that their software is not in fact "spyware" because they acquired the user's consent before installation. Still other software exploits known security holes in Microsoft's software to hijack users' browsers and install software without presenting users with a EULA at all.

Nonetheless, the larger, more prominent advertising software vendors -- the ones with the most established business models -- tend to gather data about users and their behavior in the manner I've summarized above. Coupled the use of a EULA, the fact that the data gathered about users is anonymous and non-personally identifiable means that advertising software vendors can tell regulatory agencies like the FTC that its software is "privacy friendly."

This is one of the reasons that I regard an exclusive focus on "privacy risks" when discussing "spyware" -- which the term "spyware" seems to invite, by the way -- to be a potentially useless distraction. The harms and impacts of "spyware" and "adware" go far beyond the collection of data -- whether that data be anonymous and non-personally identifiable or not. Most "spyware" damages users and their computers because of other behavior such as browser hijacking, obnoxious pop-up advertising on the desktop, degradation of PC stability and performance, and the addition of unwanted toolbars and other things to users' desktops and browsers. Indeed, when I tell folks that the biggest problem with "spyware" is not so much the "spying" but the other things that it does to users and their PCs -- in sum, rendering computers nearly unusable and thus denying people the use of their own computers -- I often get a puzzled reaction. But that's one of the effects of the term "spyware," which simply distracts us from the full range of problems with advertising software.

"Contextual Advertising" & Other Distractions

Almost none of these points made it into the discussion on Panel 3 of the FTC's Spyware Workshop, which tended towards abstract discussions of privacy principles and the efforts of advertisers to provide users adequate "notice" and "choice." The discussion (at least as I remember it) even veered into the consideration of the impact of keyloggers and other such system monitoring utilities on corporate networks and the security of corporate secrets. (This is another reason that I hate the word "spyware" -- because it tends to confuse advertising software with other software that is deployed by nefarious individuals for their own purposes and interests.) At such points, the discussion had effectively veered completely off track (undoubtedly much to the delight of companies like WhenU, Claria/Gator, and C2 Media, which delight in distinguishing their own software from keyloggers and the like).

Ray Everett-Church -- who submitted some of the more useful written comments to the FTC (see »www.ftc.gov/os/comments/spyware/···urch.pdf ) and who is an expert witness in one of the lawsuits against Gator/Claria -- also raised the issue of "contextual advertising" and its impact on the internet businesses who see their own web pages and advertising hijacked or overlaid with advertising created by client software on users' systems (e.g., WhenU and Gator).

As obnoxious as this kind of advertising is and as destructive as it may be to some businesses on the internet, I am nonetheless uneasy with its inclusion as a topic in the discussion conducted by Panel 3 on "privacy risks." First, it took the discussion of "privacy risks" to consumers completely off-topic, as the focus was then put on the impact of Gator and WhenU's advertising on other internet advertisers. Second, any discussion of "contextual advertising" tends to narrow the discussion to a small handful of advertising software vendors, leaving many of the biggest offenders completely out of consideration (esp. browser hijackers and the like). Third, when internet advertisers insist that they have some sort of "right" not to have their advertising or web pages obscured or modified by client software installed on users' desktops, I fear that such a principle could be extended to all kinds of software -- including ad blockers and other privacy software installed by users. Put another way, I fear that advertisers could be asserting a right to control what appears on users' systems or in users' browsers, and that this broad right could be used to deny users the ability to control what is displayed on their own PCs. I should note that I have no legal training, so it may be entirely possible within a legal framework to negotiate the Scylla and Charybdis of going after "contextual advertisers" without undercutting users' rights to control their own systems. Just how that would be done, I do not know. Whatever the case, "contextual advertising" takes us far afield from the "privacy risks" to end users.

EPIC.org & Fair Information Practices

As I noted just above, much of the discussion on Panel 3 tended towards the abstract. Chris Jay Hoofnagle of the Electronic Privacy Information Center (EPIC.org) did manage to bring the discussion around to several useful points, though. First, Hoofnagle was the only panelist at the entire workshop to point the finger at Microsoft for providing the technological means for advertising software vendors to confuse and bamboozle users, install software without their full knowledge and understanding or meaningful consent, and hijack their browsers and PCs. Hoofnagle rightly noted that Microsoft's overly powerful ActiveX technology -- with its integration of mobile code straight into the operating system as well as the confusing manner in which ActiveX controls are installed through Internet Explorer -- opens too many doors for advertising software vendors to walk through and puts users on the defensive.

Second, though, Hoofnagle usefully pointed out that Panel 3's discussion of privacy principles -- or, more formally, Fair Information Practices -- tended to reduce those principles to but two of four (notice and choice), when in fact internet users ought to be extended protection through a full range of Fair Information Practices, which include:

1) Notice -- the right of users to be given adequate information about the behavior, functionality, and information practices of software, web sites, and the companies involved;

2) Choice (consent) -- the ability of users to opt-in or opt-out of the information gathering and other uses of information;

3) Access (control) -- the ability of users to view information collected about them and even correct that information or withdraw it from use;

4) Security -- the right of users to expect that personally sensitive data collected from and about them will be stored in a secure manner.

Third, Hoofnagle specifically pointed to Ben Edelman's research on WhenU (see »www.ftc.gov/os/comments/spyware/···lman.pdf ) and suggested that Edelman may have in fact established a case that WhenU is collecting and transmitting information in violation of its own privacy policy.

Hoofnagle's comments were a refreshing change from those of several of the other panelists, who enthused over the privacy initiatives of industry front groups like the Network Advertising Initiative (NAI), as if these organizations could be trusted or expected to do anything substantive to protect users' privacy in the face of voracious industry demands for access to users' desktops -- the next frontier or market in online advertising -- and all manner of data about users and their online behavior.

Concluding Remarks on Panel 3

Panel 3 was the last panel of the morning before lunch. Although the discussion of this panel was at times a bit dry and disconnected from "privacy risks" to consumers, it did manage in some way to extend the discussion from Panel 2 of "spyware" and its impact on users. The first panel after lunch -- Panel 4 (Industry Responses to Spyware) -- returned us to the "spyware" industry's preferred playing field, a completely imaginary landscape in which "educated" consumers are offered "choice" by well-meaning companies who inundate their desktops with "useful" and "informative" advertising, all under the beneficent gaze of the FTC, which recognizes that its proper role is to step aside and let the industry "self-regulate" its relationship with consumers.

The FTC's transcript of the workshop should be coming out shortly. Even if arrives before I can finish my discussion of Panels 4-6 -- all of which addressed "solutions" of one sort or another to the problem of "spyware" -- I will continue these comments nonetheless.

All the best,

Eric L. Howes

reply to eburger68
Eric,

Thanks very much for taking all this time and effort to summarize what would otherwise be an insurmountable task of analysis of transcripts and news for those of us who were not in attendance to see the testimony and gauge the presenters personally.

I've sent the link to this topic to several who have a stake in reducing the tremendous risks and costs associated with spyware/adware. My hope is that significant pressure will come from the business sector who is presently becoming aware of the negative implications of silently installed code that gathers unspecified information and forwards it to unspecified entities for unspecified uses. For an example of what I mean, readers may want to peruse the BBR news link »Business getting the message on Spyware for an example.

Thanks again - good luck buttonholing the decision makers!

EG
--
Support RFC 1926

reply to eburger68
Hi, again:

Mike Healan has now posted his own extensive comments on the workshop in his latest SpywareInfo newsletter:

»www.spywareinfo.com/newsletter/a···4/24.php

Mike seems a bit more upbeat about the CDT's contribution to Panel 1 -- definitely worth your time to read what Mike has to say.

Best,

Eric L. Howes