Khaine (joined 2003-03-03, Australia) | reply to eburger68
Re: FTC Spyware Workshop: 1st Impressions
Thanks Eric for all of your hard work.
I hope that the FTC in the future will make a clear decision about spyware/adware/crapware/malware.
4 edits | reply to eburger68
Hi All:
Before I commence with my review of Panel 4 of the FTC's Spyware Workshop, let me point out that the FTC has posted a few more comments on its web site (#212-17):
»www.ftc.gov/os/comments/spyware/index.html
This new batch of comments includes a response from PC Pitstop to the submissions from WhenU and Gator.
# 216 PC Pitstop-2 (04/27/04) »www.ftc.gov/os/comments/spyware/···onse.pdf
PC Pitstop points out that Gator's and WhenU's expressed interest in providing consumers forthright notice of installation (see »www.ftc.gov/os/comments/spyware/···-com.pdf and »www.ftc.gov/os/comments/spyware/···tion.pdf ) is completely undercut by PC Pitstop's research results on (unwitting) users of these software programs (see »www.ftc.gov/os/comments/spyware/···stop.pdf and »www.ftc.gov/os/comments/spyware/···stop.pdf ), who are largely unaware of the software running on their computers.
Also of interest in this small batch is the submission from Pest Patrol, which had two representatives at the FTC's Workshop, including one on Panel 2.
# 213 PestPatrol, Inc. (04/23/04) »www.ftc.gov/os/comments/spyware/···ment.pdf
Pest Patrol's statement is short (4 pages), but it usefully makes several important points, the most noteworthy of which is a call for consumer protection legislation to buttress or supplement other efforts and solutions:
said by Pest Patrol: We contend that only a combination of consumer education and protection, disclosure through legislation, and active prosecution will provide the answer needed to address the spyware threat, right now. None of these solutions by themselves is enough, and while we advocate and applaud industry self-regulation, we do not believe that it alone will be speedy enough or dramatic enough to address the spyware problem.
Unfortunately, Pest Patrol wasn't on Panel 4, which could have benefited from hearing a sober assessment of the prospects for "industry self-regulation" and "consumer education."
Panel Four: Industry Responses to Spyware: Industry Best Practices and Working with the Government
Panelists:
X - Brian Arbogast, Corporate Vice President, Identity, Mobile and Partner Services Group, MSN and Personal Services Division, Microsoft Corporation
X - J. Trevor Hughes, Executive Director, Network Advertising Initiative
X - Chris Kelly, Chief Privacy Officer and General Counsel, Spoke Software
X - Fran Maier, Executive Director & President, TRUSTe
X - Andrew McLaughlin, Senior Policy Counsel, Google
X - Jules Polonetsky, Vice President, Integrity Assurance, America Online, Inc.
U - John Schwarz, President and Chief Operating Officer, Symantec Corp.
Note: be sure to take a look at the photos of Panel 4 as well as the other panels at Bill Pytlovany's blog page and Declan McCullagh's site:
Declan McCullagh - FTC Spyware Workshop Photos »www.mccullagh.org/theme/ftc-spyw···r04.html
Bill Pytlovany's Blog from the Workshop »www.mysteryware.com/blog.html
Industry Technological Responses
Although I had anticipated that the discussion on Panel 4 would be dominated by talk of "industry self-regulation" through voluntary "best practices," this panel did address one other important topic: technological responses within the industry itself -- esp. among ISPs and the like -- to "spyware." This discussion topic was clearly connected with some of the points made on Panel 2 regarding the cost of "spyware" to ISPs and OEMs, who shoulder significant and burdensome costs because of the technical support that they provide to end users, their customers. While the technological responses developed and deployed by industry are clearly worth discussion, I am still at a loss to explain why the FTC chose to place the panelists who took up this issue (primarily Arbogast of MSN, Polonetsky of AOL, and Schwarz of Symantec) on Panel 4, which was billed as a panel focusing on "best practices." By contrast, technological responses deployed by industry seem to have been a better fit on Panel 5, which directly addressed technological responses more generally.
Several of the panelists on Panel 4 echoed the complaints of those on Panel 2 in calling attention to the costs of "spyware" to businesses. Most importantly, Brian Arbogast not only reiterated the technical support costs borne by service providers like MSN, but he disclosed that roughly 50% of Windows crashes reported to Microsoft through the automated crash reporting facilities of later versions of Windows are attributable to "spyware" and "adware," confirming what those who work in the trenches every day combating "spyware" already know: that such software severely degrades the functionality and usability of PCs, a problem that goes well beyond any privacy concerns that might be raised by such software. Arbogast also previewed the presentation of Microsoft's Jeffrey Friedberg on Panel 5, who would present a short but useful summary of the problems with the installation process for ActiveX controls -- the key component in "drive-by-downloads" of "spyware" and "adware" -- and the changes that Microsoft is making to that process in Windows XP Service Pack 2, to be released in the very near future.
Google's Andrew McLaughlin also had a useful presentation (see »www.ftc.gov/bcp/workshops/spywar···hlin.pdf for a PDF version) in which he put a spotlight on what he billed a "Slimware Hall of Shame." McLaughlin gave several graphic examples of unscrupulous "spyware" or "adware" programs -- including CoolWebSearch and C2 Media's Lop.com -- that effectively "hijack" Google's pages and services on users' computers. McLaughlin noted that this not only damages Google's good name and degrades its brand in the market, but that it also generates a not insignificant volume of email from distraught and confused users who have come to rely on Google's search services. As with the comments of a few of the other panelists, McLaughlin's presentation would have worked better on Panel 2, which addressed more fully the costs to businesses.
Such was also the case with the presentation and comments of Jules Polonetsky from AOL, who echoed the complaints of Dell, MSN, and Austin Hill (Zero Knowledge) regarding the volume of support calls and problems caused by "spyware" and "adware" among AOL's customers. Polonetsky also gave a short overview of the "spyware" protection to be incorporated into AOL's standard software package (see »www.ftc.gov/bcp/workshops/spywar···tsky.pdf ). Mike Healan notes ( »www.spywareinfo.com/newsletter/a···4/24.php ) that this software is based on Aluria's Spyware Eliminator, a reputable anti-spyware product. This decision by AOL, announced back in January ( »www.washingtonpost.com/ac2/wp-dy···=printer ), mirrors Earthlink's own efforts to provide its customers with "anti-spyware" software (Earthlink uses Webroot's software) and is an important step in distributing effective tools to hapless internet users who are besieged by unwanted advertising software.
As welcome as these contributions from major online entities are, these companies nonetheless have adopted stances and policies towards the issue of "spyware" that are deeply troubling. All three companies signed the NetCoalition letter opposing the Utah anti-spyware bill ( »www.netcoalition.com/index.asp?T···898DF83} ). In that letter the industry questions the bill's prohibition against installing software without notice to the user and without providing a conspicuous, usable uninstallation method. This letter, which mirrors the several statements made by the BSA (Business Software Association, a Microsoft-dominated industry group -- see »www.bsa.org/usa/press/newsreleas···logy.cfm and »www.ftc.gov/os/comments/spyware/···mony.pdf ), also defends the use of "adware" and "popups" for targeted advertising, raising serious questions about the commitment of these companies to protecting consumers from unwanted and intrusive commercial software and messages. Indeed, Arbogast and McLaughlin both reiterated their companies' opposition to governmental regulation in their remarks on Panel 4 -- a depressing spectacle, given what both had already demonstrated about the nature of this invasive, destructive "spyware" and "adware."
Although the technological solutions discussed and previewed on Panel 4 are important contributions to the fight against "spyware" and "adware," they cannot be regarded as part of a larger industry response to the problem that would be an adequate solution to the complaints of consumers and internet users. At the very least, all of these companies have an uneven track record on consumer privacy, which should come as no surprise given the fact that these companies are in the business themselves of putting advertising before their customers. Thus, while these companies do have incentives to provide their customers with protection against some forms of unwanted advertising software, they are also in a position themselves to benefit from and exploit such software and advertising, putting millions of consumers in the uneasy position of seeking protection from intrusive advertising by relying on firms who have strong incentives to exploit it. That these firms have already gone on the record to defend certain forms of "adware" does nothing to inspire confidence in their ability to represent or defend the interests of their customers.
Indeed, the largest problem with the industry responses to "spyware" and "adware" is that, coupled with their publicly expressed interest in defending advertising software, they move us closer to an online world in which consumers are utterly dependent on and at the mercy of paternalistic corporate entities who dominate and control every aspect of their online experiences, effectively nullifying the promise of the internet to provide citizens and consumers with an unprecedented level of autonomy in a communications medium. As the consolidation of large media firms into large oligopolies -- which already own most of the largest ISPs, cable providers, DSL providers, and content providers, not to mention phone companies who control large swaths of the hardware backbone of the internet itself -- proceeds at a breakneck pace, it is not unreasonable to anticipate that we are not that very far from an online world that is divided up into several large corporate fiefdoms. These proprietary online empires could set strict limits on the kinds of content or software allowed over their proprietary networks, structure every aspect of their customers' "online experience" to channel consumers into their own e-marketing services, and exploit advertising software themselves to push unwanted commercial content down on users, even as they provide protection against "unapproved"/"unauthorized" advertising software from other proprietary networks and entities.
Indeed, as I remarked in a recent post here on DSLR/BBR ( »What's the *motivation* for hijack-ware? ), advertising software has the potential to be enormously attractive to such large online commercial entities because it represents an incredibly powerful means of "pushing" commercial content down on hapless users and establishing control over their "online experience" in order to advance the proprietary interests of corporations:
said by Eric L. Howes: (This advertising) technology is promising -- at least from the perspective of the advertising community. This technology -- hijackware, spyware, ad-ware, or whatever you choose to call it -- has an enormous potential attraction for advertisers: the ability to put advertising right on users' desktops, to convert their computers into fancy direct marketing machines, and to capture eyeballs in a way no other form of online advertising has yet been able to do.
Remember the rage in the media some years ago over "push" technology? (And this enthusiasm for "push" technology was largely confined to the media -- ordinary actual users hated it.) "Push" technology promised to solve one nasty problem for traditional media folks -- esp. advertisers -- created by the internet: namely, the independence and autonomy of internet users. Commercial advertisers prefer a captive audience with little autonomy. Despite all the blather about responding to consumer demand, they'd rather control a medium where they can "push" content down to users rather than respond to the demands of users -- it's simply much easier and less expensive to do it that way. "Push" technology died a predictable death because users hated it -- they wanted to be in control of their online experience, not let their use of the internet turn into a high-tech version of TV.
In truth, "push" technology hasn't completely died: it went into hibernation or incubation and was reborn as "spyware" or "hijackware" or "ad-ware" -- whatever you prefer to call it. "Hijackware" is merely the latest incarnation of "push" technology. And it is enormously attractive to advertisers. This kind of software technology allows advertisers to grab eyeballs, so to speak, right on the desktop and push unwanted commercial content down on users who have tremendous difficulty escaping it. For advertisers it's a dream come true: the ultimate captive audience. For normal web surfers it's the ultimate nightmare.
As I said, the technology has a bad reputation right now, and many advertisers have stayed away -- for now. But that's changing. At the moment this kind of technology is more prevalent on porn sites and crackz/warez sites. But remember: it is well known that the online porn industry serves as a kind of "test bed" for new technologies and business practices. Technologies and practices that were once the exclusive province of porn sites just a few years ago are now commonplace on the "mainstream" internet. Moreover, as any number of spyware distributors themselves have argued, spyware could very well become an attractive means for large, "mainstream" online entities to push their commercial messages on users, especially given the problems that have plagued the online advertising industry over the past few years.
We're already seeing signs of this growing interest among "mainstream" commercial entities, as I pointed out above. Not only are outfits like WhenU and Claria attracting investors and clients, but very large and respected online entities have gone to bat against the anti-spyware legislation recently introduced into the Utah state legislature and the U.S. House of Representatives. (...) If you read carefully, you'll notice that once you get past the usual nonsense about "stifling innovation" and so forth their real concern becomes quite clear: that such anti-spyware legislation could kill the hijackware advertising market.
Thus, while such online giants would be expected to provide protection against advertising software from other online entities with whom it had no established commercial relationship, these giants would likely see fit to exploit the technology themselves to force their own commercial content down on users caught within the web of their oligopolistic networks. These online giants already see themselves as gatekeepers of sorts, controlling access to attractively large pools of consumers. In such an environment, the distinction that the industry seeks to make between illegitimate "spyware" and legitimate "adware" would simply be reproduced on a much larger level as these online media giants embedded their own preferred and protected forms of advertising software into the software layer of their networks and took steps to shield their captive customers from competing, external commercial messages. As I concluded in that earlier post:
said by Eric L. Howes: At the risk of sounding alarmist, I would say that we stand on the threshold of a potentially enormous change in the way normal folks use the internet and the kind of autonomy they have -- the amount of control they can exert over their online experience. There are powerful entities who would prefer to turn the free, open internet into one vast corporate playground -- a high tech version of TV -- and "hijackware"/"spyware"/"adware" could very well be one of the technologies that allows them to realize their radical agenda.
We are not there yet, but the panelists on Panel 4 who discussed the technologies being deployed by large online businesses against "spyware" and "adware" did almost nothing to inspire confidence in their companies' larger, long-term commitment to protecting consumers from invasive advertising and marketing.
"Industry Self-Regulation"
The main focus on Panel 4 was not technological responses from industry, however, but rather "industry self-regulation" through the creation of "best practices" or standards that would enable businesses to interact with internet users and consumers in an ethical manner. As I noted earlier, this is the FTC's own preferred method for addressing the problem of "spyware." Although I've already expressed my contempt for such a concept in numerous other places -- including the first post in this thread where I disparaged it as "oxymoronic doublespeak at its bureaucratic finest" -- the idea of "industry self-regulation" deserves a few more words to help readers understand just what this term actually represents.
All of the panelists on Panel 4 expressed strong reservations about the potential effects of governmental regulation, recommending an industry effort to craft a set of "best practices" as a preferable alternative to legislation and governmental intrusion into the marketplace. Their comments echoed those of earlier panels, esp. Panel 1, which was similarly dominated by industry representatives and apologists. The most vocal supporters of "industry self-regulation" on Panel 4, however, were J. Trevor Hughes of the Network Advertising Initiative -- an industry front group at the forefront of industry public relations initiatives to head off governmental oversight and regulation of the advertising industry ( »www.networkadvertising.org/ ) -- and Fran Maier of TRUSTe ( »www.truste.org/ ), the organization whose third-party trustmark initiative was loudly hailed a few years ago as the solution to privacy problems on the internet but whose toothless audit program has largely served as a public relations front for industry exploitation of consumer privacy (see »www.wired.com/news/print/0,1294,···,00.html ; »www.msu.edu/~larose/es2003post.htm ; and »www.staff.uiuc.edu/~ehowes/priv-···uarantee ).
What was remarkable about the discussion of "industry self-regulation" on Panel 4 was its utterly vaporous quality, even allowing for the thin and sorry history of co-opted public policy and corporate malfeasance on which the discussion necessarily had to build. The several enthusiasts for "industry self-regulation" largely repeated the term "best practices" over and over, breathlessly exclaiming over its wondrous potential for facilitating "consumer choice" and avoiding the evils of governmental regulation. What none of them did, however, is suggest what these "best practices" might look like, what they would do, or who would be following them. Nor was it explained what enforcement mechanisms might be put in place to compel compliance, though presumably TRUSTe or some similar initiative might play some role.
Indeed, one of the industry reps on the panel remarked that "best practices" would necessarily have to be pluralistic and flexible -- that there could be no single set of "best practices" because we couldn't impose inflexible solutions on corporations. That kind of talk should leave no doubt in anyone's mind that "best practices" are simply not intended to set high standards for corporate behavior, but rather to allow corporations to make them into whatever happens to be convenient.
In one of the more nauseating moments of the afternoon, FTC Commissioner Mozelle Thompson quipped that the FTC was happy to hear the views of the large companies represented on the panel because they were truly the "elected" representatives of consumers. The corporate reps smiled at this bit of bureaucratic groveling before business interests, as Thompson was in fact chirpily parroting one of Corporate America's most cherished and noxious propaganda lines -- namely that the market is equivalent to democracy, and that the public, democratic institutions in which citizens actually participate (or are supposed to participate) are comparatively illegitimate. On this view, America is a democracy of consumers -- one dollar, one vote -- rather than a democracy of citizens.
Despite the vacuous discussion of "industry self-regulation" on this panel, we actually do have a good idea of what it means based on the history of earlier industry efforts at establishing "best practices." Industry self-regulation largely means that the industry will launch a massive public relations campaign to convince users that its software is not objectionable. The more massive the public relations campaign, the more successful it will be judged to be. This is completely consistent with Commissioner Swindle's estimation of the success of earlier "industry self-regulation" efforts. In his video-taped remarks shown before Panel 2 in the morning ( »www.ftc.gov/bcp/workshops/spywar···ndle.pdf ), Swindle noted:
said by Commissioner Swindle: The debate that has ensued about spyware reminds me of the early dialogue we had about privacy policies, that was filled with a lot of emotion and calls for regulation. As a result of a continuing and energetic dialogue between industry, government, and consumer groups, industry responded to the public's demand for greater disclosure and better privacy notices without legislation. Today, almost 100% of the most frequently visited websites offer some form of privacy notice.
Anyone who is familiar with corporate "privacy policies" will know that these policies have almost nothing to do with regulating actual business practices -- they are merely public relations methods for companies to paint big smiley faces over their privacy-invasive practices ( »www.staff.uiuc.edu/~ehowes/priv-pol.htm#that ).
Notice that on Swindle's account, the mere posting of privacy policies counts as success and proves that a solution to earlier online privacy problems was in fact reached. It does not matter what those privacy policies say or what the behavior of the companies who post them happens to be. In this bizarre world, the public relations campaign is itself evidence of its own success.
If this industry fantasy of "self-regulation" is allowed to preempt strong governmental action to protect consumers, much the same will happen on the spyware issue. It will not matter how many people's computers are being hijacked, how many desktops are trashed with unwanted advertising, or how invasive corporate data gathering becomes -- it will only matter that the industry posts "consumer-friendly" notices on its web sites and in its license agreements to say in so many words: "We're not spyware, we're adware." (See »www.staff.uiuc.edu/~ehowes/priv-···#example for a comparative lesson in what weak protections current corporate privacy policies provide.)
Some would counter that earlier self-regulation initiatives were not just "public relations" campaigns, but were actually substantive efforts to change the privacy landscape by providing improved notice and disclosure, which are important parts of the four Fair Information Practices. But these privacy policies and related efforts simply cannot be regarded as substantive efforts to provide meaningful notice and choice because:
* these privacy policies almost always give the companies an "out" by allowing them to revise them without notice or penalty, rendering these documents well nigh worthless on an informational level;
* like so many of the EULAs used by advertising software companies, these privacy policies often consist of slippery, unreadable legalese designed to bury unpleasant information beneath a mountain of fine print;
* there is no strong monitoring to provide consumers with reliable information about the actual privacy practices of businesses, thus denying consumers the ability to make truly informed choices;
* there are no strong enforcement mechanisms to give potential corporate offenders effective incentives to abide by their stated privacy practices instead of merely hyping them in an effort to persuade consumers to consent to their invasive software and services.
And indeed we have plenty of examples where companies have in fact: 1) revised their privacy policies when they became too inconvenient; 2) broken their privacy policies with no substantial penalty ( »www.staff.uiuc.edu/~ehowes/priv-pol.htm#that ). In this kind of environment those privacy policies DO NOT serve as adequate notice and disclosure because no consumer could ever be expected to seriously trust the information provided in those policies and make decisions upon them. They are nebulous, and function more as public relations efforts than anything else.
"Industry self-regulation" and "best practices" would almost certainly be just more of the same.
"Consumer Education"
Although billed as one of the topics for Panel 6, "consumer education" was an important part of the discussion on Panel 4 as well, because "consumer education" and "industry self-regulation" go hand in hand. Both are billed as means to improve "notice" and "choice." "Industry self-regulation" ideally means that companies will provide consumers with better notice and disclosure about their privacy practices, and "consumer education" (facilitated and promoted by public bodies like the FTC and private entities like TRUSTe and the NAI) will give consumers the knowledge to make sense of these posted notices and make informed choices and decisions about their online behavior.
As with "industry self-regulation," the term "consumer education" deserves "scare quotes" because its actual meaning diverges significantly from what we mean by "education" in other areas of our lives. For most folks, education means a dynamic learning process or experience through which learners acquire ever more powerful means to make sense of the world and act intelligently within it so as to lead richer, more rewarding, fulfilling lives. At its best, education is an individual and collective endeavor that facilitates empowerment, growth, and community. It's the process through which individuals grow ever more capable of connecting with the world around them and working productively within their communities for a meaningful life.
For the industry, however, it means something entirely different. "Consumer education" largely means a preferred body of knowledge or world view that the industry attempts to implant in consumers' heads in order to facilitate proper consumer behavior and consumers' good regard for corporations. Put baldly, when the industry talks of "educating consumers about spyware," "consumer education" effectively means two things:
a) "We're not going to change our business practices; you'll simply have to learn how to live with them."
b) "The problem isn't our software, it's what you think about it."
In other words, "consumer education" in this scheme of things isn't really education as we normally understand it; rather, it's public relations and propaganda -- manipulating consumers into the "correct" ways of thinking about the software. And this was made perfectly clear by the several industry representatives on Panels 1 and 4, who insisted over and over that we get it into our heads that their software is "adware" not "spyware." Indeed, one of the representatives on Panel 4 (though just who I am at a loss to recall) let the cat out of the bag when he or she helpfully explained that "we need to educate consumers so that they understand what this software really is." A more naked, forthright statement of just what the industry has in mind for consumers would be hard to come by.
Concluding Remarks on Panel 4
As anticipated earlier ( »FTC Spyware Workshop Panelists - Worries... ), Panel 4 was a depressing display of self-indulgent, corporate public relations. Panel 4 was useful though in highlighting two important issues:
1) It would be a mistake to regard the problem of "spyware" as a fringe issue that involves only dubious, fly-by-night scam artists, rogue web sites, and pushy marketers who nip at consumers' heels when they veer off the beaten track of the "mainstream internet." That may have been true a few years ago, when bewildering varieties of commercial malware began appearing on porn and warez sites and somewhat more polished forms of advertising software began piggybacking on "free software" downloaded from the internet. That time is long past, though, and the problems with "spyware" and "adware" are now better understood as part of a larger story or process that involves the ongoing consolidation of media interests and the threatened takeover of the free internet by corporate oligopolies. No longer a problem on the margins of the internet, obnoxious corporate crapware threatens to become increasingly central to the efforts of large media giants to control their customers' "online experience" and transform the internet into an e-marketing dystopia.
2) It would also be a mistake to regard the FTC's Spyware Workshop as being only or even primarily a public venue for exploring ways to offer consumers the protection they need from unwanted, invasive, destructive advertising software. Indeed, there is a good case to be made that the workshop actually served as a public relations vehicle for corporate interests attempting to get political leverage and mount public opposition against the spate of anti-spyware legislation at the federal and state levels. Coming right at the start of legislative debates over anti-spyware regulation, the workshop gave corporate entities a prominent stage on which to showcase their own preferred non-solution to the "spyware" problem. Put baldly, the FTC Spyware Workshop was less about protecting consumers from unscrupulous advertising software vendors than it was about protecting corporate interests with designs on consumers' desktops from governmental regulation.
Such remarks will undoubtedly raise the hackles of those sympathetic to commercial interests; however, I think this understanding of the workshop was only confirmed this past week by the performance of Commissioner Mozelle Thompson and FTC bureau director Howard Beales before the House subcommittee on Energy and Commerce (see »FTC Goes to Bat for Spyware Industry for the details). The performance of the CDT before the same panel was scarcely less contemptible.
In closing, I should remark that I am surprised that the FTC has not yet posted a transcript of the six panels, though perhaps it will be forthcoming this next week. I am already anticipating that the transcript will underscore the wiliness of human memory, and I will be happy to make corrections and emendations to these posted remarks where my own memory of the workshop has proved to be less than completely reliable.
-----
Note: those interested in an eye-opening discussion of the disturbing changes in the media landscape in this country and around the world -- both online and off -- could do worse than to consult the following works:
* Ben Bagdikian. The New Media Monopoly. Boston: Beacon, 2004. ISBN: 0-8070-6187-5
* Robert W. McChesney. Rich Media, Poor Democracy: Communication Politics in Dubious Times. New York: The New Press, 1999, 2000. ISBN: 1-5658-634-6
* Robert W. McChesney & John Nichols. Our Media, Not Theirs: The Democratic Struggle Against Corporate Media. New York: Seven Stories, 2002. ISBN: 1-58322-549-8
* Lawrence Lessig. Code, and Other Laws of Cyberspace. New York: Basic, 1999.
* Lawrence Lessig. The Future of Ideas: The Fate of the Commons in a Connected World. New York: Random House, 2001.
* Lawrence Lessig. Free Culture: How Big Media Uses Technology and the Law to Lock Down Culture and Control Creativity. New York: Penguin, 2004. ISBN: 1-59420-006-8. Online edition available: »www.helptools.net/netdoc/starthe···p=4&js=1
And for a hilarious, acidic critique of the "market as democracy" line, see:
* Thomas Frank. One Market Under God: Extreme Capitalism, Market Populism, and End of Economic Democracy. New York: Anchor, 2000. ISBN: 0-385-49504-8.
-----
Best,
Eric L. Howes
Hi All:
Before I review the discussion on Panel 5 of the FTC's Spyware Workshop, I want to return briefly to a point that I made in my review of Panel 4 ( »FTC Spyware Workshop: 1st Impressions ), where I remarked that large online corporations like AOL and Microsoft could not be completely trusted to protect the interests of consumers because of their own continuing interest in putting advertising before their customers. These kinds of large online entities often see themselves as gateways between advertisers and the millions of customers who populate their networks and services. When such companies stand to benefit from putting advertising in front of their customers, then there are good reasons to be skeptical of their commitment to protecting consumers from unwanted commercial messages, esp. as the free, open internet becomes an increasingly privatized oligopoly of large proprietary networks owned by a few media firms.
If you doubt the potential dangers of this scenario or arrangement, then you ought to read the following report from Reuters about Microsoft's plans to sell space on a "whitelist" of "legitimate marketers" whose unsolicited commercial messages will be allowed past Microsoft's spam filters on Hotmail and MSN:
»money.excite.com/jsp/nw/nwdt_rt.···20040505
Replace "spam" with "spyware" or even "advertising software" and convert the "spam"/"legitimate marketing" dichotomy into "spyware"/"adware" and you'll begin to get a sense for why I am wary of the efforts of large ISPs to assume the role of protecting their customers from "spyware."
Panel Five: Technological Responses to Spyware
Panelists:
U - Steven Bellovin, AT&T Fellow with AT&T Labs-Research
U - Jeffrey Friedberg, Director of Windows Privacy, Microsoft
P - David Moll, President, WebRoot (maker of SpySweeper)
P - Wayne Porter, Co-Founder and Primary Editor, SpywareGuide.com (distributor of X-Cleaner)
U - Daniel Weitzner, Technology & Society Domain Leader, World Wide Web Consortium; Researcher at MIT
Key:
X - industry/corporate friendly
U - unknown/undetermined
P - privacy friendly
Note: be sure to take a look at the photos of Panel 5 as well as the other panels at Bill Pytlovany's blog page and Declan McCullagh's site:
Declan McCullagh - FTC Spyware Workshop Photos »www.mccullagh.org/theme/ftc-spyw···r04.html
Bill Pytlovany's Blog from the Workshop »www.mysteryware.com/blog.html
A Familiar Discussion
Of all the panels at the FTC's Spyware Workshop of April 19, this is the panel that covered topics that would be most familiar to the readers of DSLR/BBR and other online security forums. The discussion of this panel was dominated by the topic of ActiveX controls -- a special class of browser plug-ins that are the primary components in the automated online installations of "spyware" by unscrupulous web sites and services, installations often dubbed "drive-by-downloads." The panelists discussed the problems with "drive-by-downloads" of ActiveX controls as well as a few potential solutions. While there was nothing overtly problematic or objectionable about the points made by the panelists (unlike Panels 1 and 4), Panel 5's discussion of technological solutions was lacking in some regard.
Microsoft & ActiveX Controls
The most important component of Panel 5 was the presentation by Jeffrey Friedberg of Microsoft, who offered a useful overview of the problems with automated installations of ActiveX controls as well as the changes that Microsoft is making to that download and installation process in Service Pack 2 for Windows XP, due to be released in the very near future. (See »www.ftc.gov/bcp/workshops/spywar···berg.pdf for a PDF version of Friedberg's PowerPoint presentation.)
Friedberg first demonstrated what he called the "normal download experience," which is user-initiated. Those familiar with "drive-by-downloads" of "spyware" will know that so many of the unscrupulous web sites that foist unwanted advertising software on users employ web pages that themselves initiate the download and installation of software, instead of users -- a large part of the reason that users find this software so disorienting and confusing.
Even with this user-initiated "normal download experience," however, there are still significant problems, because the ActiveX Security Warning box provides almost no useful information about the software to be installed or the potential security problems -- a point that I made in my "Anatomy of a Drive-by-Download" ( »www.staff.uiuc.edu/~ehowes/dbd-anatomy.htm ), which was one of the documents that I submitted to the FTC. Friedberg said almost nothing about this lack of useful information, though the gentleman sitting next to me at the workshop (identity unknown) provided a running commentary on Friedberg's presentation, muttering under his breath at such omissions.
Friedberg next presented what he dubbed "some common tricks" that software vendors use when foisting unwanted advertising software on unwitting users of Microsoft's Internet Explorer web browser (Microsoft's browser is currently one of the primary vehicles through which unwanted software is delivered to consumers' desktops).
Trick # 1 was "Program Name More Than Just a Name." MS designed the ActiveX Security Warning box to allow software vendors to insert the names for their programs into the box and provide a link which users can click on to get more information about the program, perhaps even the End User License Agreement. Some vendors, however, have gone well beyond supplying just a name for their software, inserting entire sentences of descriptions and information about their software, which I noted myself in my "Anatomy of a Drive-by-Download" ( »www.staff.uiuc.edu/~ehowes/dbd-anatomy.htm ). I understand why some vendors are doing this -- to supply consumers with more information about their programs right up front, though Friedberg is surely right to note that the ActiveX Security Warning box was simply not designed for this purpose, nor is it the ideal means or method for vendors to supply notice and disclosure about the functionality of their software. Still further, the practice of linking to the EULA through the Security Warning box is problematic because users might not know to click the link and thus may not ever see a license agreement, even though they effectively agree to its terms by clicking through the Security Warning box to consent to the software installation.
Trick # 2 was a "Pop-Under Exploit" in which web pages use a pop-under window (which appears behind the current browser window) that contains Object tags to initiate a "drive-by-download." What is so confusing about this "exploit" for consumers is that the software installation appears as if out of nowhere, with no warning whatsoever. Many consumers mistakenly assume that the software mentioned in the Security Warning box originates from the site they are visiting and mistake it for a plug-in of some sort necessary to view the content of the site. Indeed, so common is it for web sites to require the installation of special programs -- often in the form of ActiveX controls -- that it is completely understandable that many consumers would have gotten into the habit of simply clicking "Yes" whenever such a box appears. Nonetheless, this kind of installation arrangement is a dubious, even deceptive way for vendors to push their software on internet users.
Tricks # 3 and # 4 ("Cancel Means Yes" and "Faux Security Alert") were but two examples of the myriad ways that unscrupulous software vendors and web sites use deceptive GUI elements to trick users into "consenting" to the installation of otherwise unwanted advertising software. These kinds of abusive installation practices are really bottom of the barrel, but they are quite common among the advertising software industry, unfortunately.
Before turning to the changes made in Windows XP Service Pack 2 (SP2), Friedberg noted that IE users can unwittingly roll out the welcome mat for unwanted software by lowering the Security settings for the Internet zone from the default "Medium" setting, which at least ensures that users see the ActiveX Security Warning box. When users lower the Security settings for the Internet zone, they won't even see the Security Warning box -- unwanted software will simply install on their systems whenever they land on web pages that initiate the download and installation of ActiveX controls.
Friedberg's point was a good one; however, Friedberg didn't fully address the full range of problems with automated installations of ActiveX controls. Even at the Medium setting, users are being tricked into consenting to the installation of software they don't want or need. Still further, there is plenty of software that exploits security holes in Microsoft's software to bypass the Security Warning box altogether.
A better approach to Internet Explorer security is to lock down the Internet zone altogether -- making it at least as secure as the Restricted sites zone -- and add trustworthy sites that require the use of active content (ActiveX controls, Java applets, scripting) to the Trusted sites zone (see »www.staff.uiuc.edu/~ehowes/btw/i···opts.htm for instructions and »www.staff.uiuc.edu/~ehowes/resource6.htm for a small program to automate the configuration process). If users are loath to tighten the Security settings for the Internet zone (which can lead to a raft of burdensome, inconvenient warnings and notices), then they should look into a Restricted sites "blacklist," which adds web sites and domains associated with advertisers and advertising software vendors to the Restricted sites zone (see »www.staff.uiuc.edu/~ehowes/resource.htm for one such list). Once added to the Restricted sites zone, these sites and domains will be unable to perform automated installations of ActiveX controls (among other things).
And, of course, users of alternative browsers such as Mozilla ( »www.mozilla.org/releases/ ), Firefox ( »www.mozilla.org/products/firefox/ ), and Opera ( »www.opera.com/ ) will not hesitate to point out that not only have all of these non-MS browsers offered pop-up blocking for several years now, but they are simply not vulnerable to the ActiveX exploits used by advertising software vendors to foist their software on Internet Explorer users.
Friedberg next turned to the "enhancements" Microsoft has made to Windows XP SP2. First, Microsoft has added a pop-up blocker to Internet Explorer, though it is turned off by default. When turned on, most pop-ups are suppressed and a discreet notice about the blocked pop-up is provided in an information bar just under the URL Address bar. As with Mozilla's built-in pop-up blocker, users have the ability to configure pop-up blocking site-by-site. Given that so many "drive-by-downloads" are initiated by pop-ups, this feature alone will improve the security of Internet Explorer users.
Second, SP2's Internet Explorer will suppress all automated installations of software not initiated by the user. Instead of popping up the well-known Security Warning box, SP2's Internet Explorer will display yet another discreet notice in the information bar near the top of the main browser window, which users can click on for more information and options.
Even when users do decide to initiate the download of ActiveX controls themselves, they will see a new and improved Security Warning box. Of interest is the ability for users to specify that software from certain vendors (identified by the digital certificates used to sign ActiveX controls) always be installed or never be installed. (Internet Explorer currently does provide something resembling this feature through the "Publishers" box on the Internet Options "Content" tab; however, users only have the option to trust software vendors/publishers, not distrust them.)
This feature has enormous potential for anti-spyware activists and vendors, who could build lists of digital certificates from known spyware vendors and add them to the Registry to automatically block the installation of unwanted software, much as the SpywareGuide block list ( »www.spywareguide.com/blockfile.php ) and JavaCool's SpywareBlaster ( »www.wilderssecurity.net/spywareblaster.html ) do already by setting the "kill-bit" for the CLSIDs of known spyware.
SP2's Internet Explorer also comes with a new "Add-on Manager," which gives users a convenient and powerful way to view and control the ActiveX controls that are installed on their systems. (Although current versions of Internet Explorer do provide something like this already through the Downloaded Program Files folder, that functionality is difficult to find for most users and occasionally unreliable.)
All in all, these new enhancements should significantly improve the security of Internet Explorer users who download and install SP2. There are, of course, several important caveats to this picture, which I will return to shortly. Those interested in getting more information about SP2 for Windows XP should consult the following documents and web pages at Microsoft's web site:
Windows XP Service Pack 2 - Security Information for Developers »msdn.microsoft.com/security/prod···ult.aspx
Windows XP Service Pack 2 - Technical Preview Program »www.microsoft.com/technet/prodte···iew.mspx
Changes to Functionality in Microsoft Windows XP Service Pack 2 »www.microsoft.com/downloads/deta···yLang=en or »www.microsoft.com/technet/prodte···sp2.mspx
Windows XP Service Pack 2: A Developer's View »msdn.microsoft.com/security/prod···psp2.asp
Other Notes About ActiveX Controls
Although Friedberg's presentation was the highlight of Panel 5 and overshadowed almost everything else that was discussed, several of the other panelists did address ActiveX controls.
First, Wayne Porter of SpywareGuide ( »www.spywareguide.com/ ) explained the purpose and functionality of the ActiveX block list distributed by SpywareGuide. JavaCool, it should be noted, makes a similar block list available through his excellent SpywareBlaster program ( »www.wilderssecurity.net/spywareblaster.html ). Both of these block lists "inoculate" Internet Explorer against the installation of unwanted spyware by setting the "kill-bit" on the CLSIDs of known spyware programs distributed as ActiveX controls. Combined with strengthened Security settings in Internet Explorer (see »www.staff.uiuc.edu/~ehowes/btw/i···opts.htm ) or a Restricted sites block list (see »www.staff.uiuc.edu/~ehowes/resource.htm ), such a block list can provide strong protection against the automated installation of unwanted software on the internet, though these block lists must be updated regularly to keep pace with the new varieties of spyware that appear on the Net almost daily.
Second, David Moll of Webroot, maker of the anti-spyware program Spy Sweeper ( »www.webroot.com/wb/products/spys···ndex.php ) as well as the Spy Audit program used by Earthlink ( »www.earthlink.net/spyaudit/ ), discussed one of Webroot's new products. After dissing the "hobbyists" who had dominated the anti-spyware scene/market before the entry of Webroot with its Spy Sweeper product, Moll went on to describe a portable security scanner that Webroot has developed. It's an ActiveX control that users can download and run while on potentially insecure machines (a PC in an Internet cafe, for example). This portable security application scans the entire box for malicious code (keyloggers, system monitors, trojans, etc). Moll billed it as a way for users to ensure that boxes they don't control are secure.
The irony of this "security application" was not lost on Steven Bellovin, Fellow with AT&T Labs-Research, also on the panel. Noting that mobile code is one of the biggest security problems in Windows, he quipped that Webroot's portable security scanner was one of the "scariest things" he had yet heard about at the workshop.
And Bellovin was right, of course, because what Moll had unwittingly pointed out is that ActiveX controls can be used to import and run completely foreign code of unknown provenance at the user's discretion on boxes that the user ostensibly shouldn't control.
Indeed, Moll was too focused on promoting his own products, unfortunately. Another of his gaffes was his off-hand remark to the audience that the topic of spyware was one that "none of us here had even heard about two years ago" (or something very close to that effect). DSLR/BBR regulars will know that "spyware" was a topic of discussion here almost four years ago. Where was Moll?
Wayne Porter also discussed Xblock's own X-Cleaner ( see »www.ftc.gov/bcp/workshops/spyware/porter.pdf ), yet another anti-spyware application ( »www.xblock.com/ ) distributed by SpywareGuide.
Misc. Topics
There were a few other topics that were discussed on this "technological solutions" panel. Steve Bellovin addressed the role of firewalls in network security. A few of the other panelists exchanged remarks on improving notice and disclosure during software installations, including P3P-like measures that could be used to provide more information about software functionality to users during installations. To his credit, Daniel Weitzner of the World Wide Web Consortium (W3C), one of the prime forces behind the P3P specification (see »www.w3.org/P3P/ ), expressed his skepticism of such an adaptation of P3P, though he said he wouldn't completely dismiss the idea.
DSLR/BBR readers will know that I have nothing but contempt for P3P as a solution to online privacy problems, esp. its partial implementation in Internet Explorer 6.0's Privacy controls (and I am not alone in this regard). See:
"IE6 & P3P Are Not Panaceas" »www.staff.uiuc.edu/~ehowes/priv-···#ie6-p3p
"Internet Privacy w/ IE6 & P3P: A Summary of Findings" »www.staff.uiuc.edu/~ehowes/ie6-p3p.htm
Internet Explorer 6.0 Resources »www.staff.uiuc.edu/~ehowes/resource5.htm
P3P & Internet Explorer 6.0 Privacy Info »www.staff.uiuc.edu/~ehowes/info2.htm
To my thinking, regarding P3P as a solution to consumer privacy problems is a bit like thinking the solution to shady car dealerships and crooked mechanics is to give all consumers an 800 page Chilton's Auto Repair manual, with the idea that they could learn about cars and "negotiate" their "choices" with businesses from a strong position.
Problems Not Addressed
As useful and informative as the discussion of technological solutions on Panel 5 was, it failed to address several key issues.
First, all of the discussion of automated ActiveX control installations overshadowed the fact that another major route for the installation of spyware is through software bundling, where unwanted advertising software piggybacks on other "free" software that consumers want. I have yet to see a good proposal for improving notice, disclosure, and choice during the installation of bundled software.
Second, as welcome as Microsoft's Windows XP SP2 will be, its immediate effect will be limited. Many consumers with Windows XP will not know to download and install it. Still further, many consumers are still running older versions of Windows, and MS will apparently not be incorporating the enhancements to IE detailed above into older versions of Internet Explorer for other versions of Windows, leaving millions of consumers vulnerable. Even after OEMs begin pre-installing Windows XP SP2, the percentage of consumers who benefit from these new IE features will be comparatively small, so I don't anticipate that advertising software vendors will dispense with "drive-by-downloads" in the foreseeable future.
Third, none of the panelists discussed the problems with current anti-spyware software, which many consumers find too complex and confusing, and which must be updated constantly in order to be effective against the heavy barrage of new spyware on the Net. As I noted in my comments to the FTC (see Myths #5 and #6 in »www.staff.uiuc.edu/~ehowes/ftc-c···tm#myths ), even computer savvy users who diligently keep up with spyware developments struggle to keep this class of unwanted software off their systems. And anti-spyware vendors themselves often struggle to provide protection against the deluge of new advertising software on the Net.
All of these problems should have been addressed more forthrightly on Panel 5 in order to give the audience and the FTC a realistic picture of the potential uses of anti-spyware technology in the fight to keep users' desktops free of unwanted advertising software.
Concluding Remarks on Panel 5
Panel 5 offered some small amount of hope for users of Windows XP SP2; however, there was nothing from Panel 5 to suggest that radical improvements in anti-spyware technology may be in the offing, which is what is needed if such technology is to play a decisive role in solving the problems with spyware. Anti-spyware technology currently resembles that used by the anti-virus industry for its software. Indeed, I often tell beginning users that anti-spyware applications like Ad-aware ( »www.lavasoft.de/ ) and Spybot Search & Destroy ( »spybot.safer-networking.de/ ) work much like an anti-virus program, only they scan for spyware, not traditional malware (viruses, trojans, and worms).
As such, anti-spyware technology has all the same vulnerabilities and shortcomings as anti-virus software, which has been around much longer, achieved much higher levels of market penetration and consumer adoption, and which is much more mature in some respects. Anti-spyware programs can provide strong protection against unwanted advertising software for a certain class of technically proficient users, but it is hardly a panacea -- at least not in its current forms. Those tempted to place too much faith in anti-spyware technology as a non-regulatory solution to the spyware problem would do well to remember the problems with anti-virus technology the next time a worm or virus swamps the internet and infests the computers of their friends, family, and co-workers, all of whom will probably have an anti-virus program.
On an unrelated note, I should report that my earlier comments on the Center for Democracy and Technology (see »FTC Spyware Workshop: 1st Impressions ) have prompted the CDT to get in touch with me. Not surprisingly, the CDT was less than thrilled with my assessment of their contributions to the fight against spyware. I am currently considering posting a more detailed explanation of my skepticism of the CDT's several actions and positions on the topic of spyware. If I do decide to post, it will be in this thread.
Also, I discovered that my name appears on one of WhenU's web pages:
»www.whenu-advertising-info.com/other.html
On that site -- which is primarily devoted to presenting WhenU's software as "consumer friendly" -- WhenU reprints an article from The New York Times (without attribution, by the way) for which I was interviewed almost two years ago. Presumably WhenU reprinted that article on its site to hold up its own software as an alternative, "consumer-friendly" form of "adware" that is radically different from the "spyware" discussed in that article. That's certainly not a distinction that I would make, though.
In fact, in my comments to the FTC (see »www.staff.uiuc.edu/~ehowes/ftc-c···#typical ) I told the story of having to clean yet another of my students' computers of unwanted software ("spyware," "adware," whatever you choose to call it). One of the more obnoxious programs on that student's box was WhenU's advertising software, though she had no idea how or when it was installed. That's not too surprising, given the results of PC Pitstop's survey of WhenU users, most of whom were unaware of the software on their PCs (see »www.ftc.gov/os/comments/spyware/···stop.pdf ).
There is but one panel left for me to discuss: Panel 6 (Government Responses to Spyware). This was an important panel, given the current amount of legislative activity on the issue of spyware. See the news links on my FTC Spyware Workshop page for more information on the several bills currently winding their way through Congress as well as several state legislatures:
The FTC's Spyware Workshop »www.staff.uiuc.edu/~ehowes/ftc-spyware.htm
I anticipate that I will be posting my comments on that panel in the next few days.
All the best,
Eric L. Howes
Hi All:
Over four weeks after the FTC's Spyware Workshop on April 19, I will finally review the last of the six panels at the workshop. This review will go beyond discussing the particular comments and points made by the panelists, however, and will discuss the issues surrounding governmental action generally and anti-spyware legislation specifically.
It seems appropriate, then, to note that at the time of this writing legislative pressure is mounting on the spyware industry. Not only has the Utah bill passed, but the first enforcement action under its provisions has been taken by Overstock.com, whose web site was targeted by contextual advertising:
Utah sees first spyware case »www.theregister.co.uk/2004/05/19···spyware/
The text of the Utah anti-spyware bill can be found here:
Utah Spyware Control Act »www.le.state.ut.us/~2004/bills/h···0323.htm
Additionally, the California anti-spyware bill moved a step closer to enactment when the California State Senate sent the bill to the Assembly on May 18:
Consumers would have to be told before installation »msnbc.msn.com/id/5014546/
The text of the California anti-spyware bill can be found here:
California SB 1436: CONSUMER PROTECTION AGAINST COMPUTER SPYWARE ACT »www.leginfo.ca.gov/pub/bill/sen/···sen.html
As a recent Washington Post article noted, vigorous state action only increases the pressure on lawmakers in Washington D.C. to pass a federal anti-spyware bill:
States Speed up Spyware Race »www.washingtonpost.com/wp-dyn/ar···y13.html
But state legislators aren't the only ones driving the fight against spyware. Several other actions have been taken by private parties, putting still more pressure on the spyware industry. L.L. Bean recently sued several companies for using contextual pop-up advertising, such as that delivered by Claria's Gator and WhenU's SaveNow software, to target its web site:
L.L. Bean sues pop-up advertisers »www.cnn.com/2004/TECH/internet/0···dex.html
What sets the L.L. Bean law suit apart from some of the other well-known law suits over contextual advertising (such as that by Hertz and others against Claria) is that the aggrieved party is going after the companies who took out the advertising (Nordstrom's and others), not the company who delivered it (Claria). L.L. Bean isn't the first company to do so, but it is a large, prominent company and its actions should get the attention of the advertising industry.
And still further, Google has stepped forward to insist on better behavior from advertising software vendors. Last week Google booted WhenU from its search listings for engaging in banned behavior ("cloaking") to improve its rankings:
Search engines delete adware company »news.com.com/2100-1024_3-5212479.html
This "cloaking" behavior was uncovered by Ben Edelman of Harvard University, who has testified in several anti-spyware law suits and who was at the FTC's Spyware Workshop:
WhenU Spams Google, Breaks Google "No Cloaking" Rules »www.benedelman.org/spyware/whenu-spam/
Shortly after exposing WhenU's "cloaking" tactics on Google, Edelman also brought to light a significant number of copyright violations on WhenU's sites, which improperly reproduce news articles from a variety of news agencies and web sites:
WhenU Copies 26+ Articles from 20+ News Sites »www.benedelman.org/spyware/whenu-copy/
And, finally, the FTC has indicated that it is interested in pursuing enforcement action under existing federal law against companies that engage in "unfair" and "deceptive" behavior. The Center for Democracy and Technology has already filed one complaint against MailWiper, the company behind the notorious "anti-spyware" product SpyWiper, which used heavy-handed scare tactics and browser hijacking on its web sites to stampede clueless users into accepting "drive-by-downloads" of its software (see »www.cdt.org/privacy/20040210cdt.pdf ). No official action from the FTC has yet been taken in response to the CDT's complaint, though.
Needless to say, spyware is now a national issue, and it will be difficult for the spyware or advertising software industry to avoid reform and action of some kind. Just what those reforms ultimately will be, though, is an open question, and it is not at all certain that the reforms enacted will be useful ones that significantly change the unscrupulous practices of the spyware industry and provide consumers with strong protection against its invasive software.
The FTC's Spyware Workshop of April 19 is best understood as one attempt to get ahead of the legislative reform game and shape its movement and direction by giving the advertising software industry and its allies a prominent platform on which to showcase its own preferred non-solution -- "industry self-regulation." The final panel at the workshop, though, did offer panelists the chance to discuss potential governmental actions, including legislation.
Panel Six: Government Responses to Spyware - Law Enforcement, Consumer Education, and Coordinating with Industry
Panelists:
P - Jennifer Baird, Legislative Counsel, Office of Rep. Mary Bono
U - Mark Eckenwiler, Deputy Chief, Computer Crime and Intellectual Property Section, Department of Justice
U - Mary Engle, Associate Director, Division of Advertising Practices, Federal Trade Commission
U - Elizabeth Prostic, Chief Privacy Officer, U.S. Department of Commerce
P - Matthew Sarrel, Technical Director, PC Magazine
P - Stephen Urquhart, State Representative, Utah House of Representatives
Key:
X - industry/corporate friendly
U - unknown/undetermined
P - privacy friendly
Note: be sure to take a look at the photos of Panel 5 as well as the other panels at Bill Pytlovany's blog page and Declan McCullagh's site:
Declan McCullagh - FTC Spyware Workshop Photos »www.mccullagh.org/theme/ftc-spyw···r04.html
Bill Pytlovany's Blog from the Workshop »www.mysteryware.com/blog.html
A Divided Panel
The panelists on this last panel of the workshop generally fell into two camps: those in favor of new legislation to address the threat of spyware, and those opposed. All the panelists agreed on the need to enforce current laws against "unfair" and "deceptive" practices in order to rein in the more objectionable practices of some advertising software vendors; however, they disagreed as to whether current laws were adequate to the job of making a significant difference in the fight against spyware.
A Strong Call for Legislation
Two of the panelists made clear, unambiguous calls for strong, new legislation to address the spyware issue: Jennifer Baird, Legislative Counsel in the office of Rep. Mary Bono (the principal sponsor of one of the major anti-spyware bills currently before Congress), and Steve Urquhart, State Representative from the Utah House of Representatives (the major force behind the anti-spyware bill that was recently passed in Utah).
Although at times appearing a bit uncomfortable with speaking to such a large audience, Ms. Baird nonetheless made her boss's position quite clear: that new legislation is needed to protect consumers against the invasive, destructive software currently being distributed by the advertising software industry. While she acknowledged the potential benefit of "industry self-regulation," consumer education, and enforcement of existing laws against the more unscrupulous spyware distributors, Ms. Baird firmly and unambiguously insisted that those actions were simply not adequate to the job. Moreover, she rejected calls from the industry and others to study the issue more and allow the industry itself to address the problem. "That's just not how things work in Congress," she said, and went on to describe Rep. Bono's work on her own anti-spyware bill, the text of which can be found here:
HR 2929: Safeguard Against Privacy Invasions Act (S.P.I. Act) »thomas.loc.gov/cgi-bin/bdquery/z···.r.02929
Rep. Bono's S.P.I. Act is but one of three different bills in Congress right now. The others are:
H.R. 4255 (Rep. Jay Inslee): Computer Software Privacy and Control Act »frwebgate.access.gpo.gov/cgi-bin···55ih.txt
S. 2145 (Sen. Conrad Burns): SPY BLOCK Act »thomas.loc.gov/cgi-bin/query/z?c108:s.2145
The Bono bill and the SPY BLOCK bill have both received a fair amount of press coverage, esp. after the House subcommittee hearings a few weeks ago, where several committee members angrily responded to the FTC's insistence that no new legislation was needed:
»FTC Goes to Bat for Spyware Industry
The Inslee bill has received much less attention, though, as it was the last to be introduced (April 30). While all three bills have problems of one sort or another, my initial review of the Inslee bill suggests that it may actually be the most promising (more on which later).
The industry, of course, has stubbornly rejected all calls for legislation, including the first anti-spyware bill of its kind to pass anywhere -- the Utah bill:
NetCoalition Letter Against Utah Anti-Spyware Bill »www.netcoalition.com/index.asp?T···898DF83}
And see also the Business Software Alliance's statement to a Senate subcommittee back in March:
Testimony of Robert Holleyman, Business Software Alliance (BSA) On E-SPYING: BAN BEHAVIOR NOT TECHNOLOGY »www.ftc.gov/os/comments/spyware/···mony.pdf
Thus, it was helpful and encouraging to listen to the remarks of Utah State Rep. Stephen Urquhart, the principal force behind the Utah bill. Urquhart was quite impressive throughout his comments. Demonstrating a firm grasp of the issues, Urquhart rejected the flim-flam objections and diversions from the industry, quickly batting them down. Describing his own experience drafting the Utah bill, Urquhart remarked that he and his colleagues in the Utah House received no useful input from the industry, which simply wanted to kill the bill, as should be apparent from the several industry comments publicly available (see the NetCoalition letter above, for example).
Notice & Disclosure During Software Installation
Although the majority of his comments concerned the Utah bill, Urquhart did address the question of installation practices -- a critical topic for those struggling to find solutions to the problem of spyware. At the start of his remarks Urquhart went through a short PowerPoint presentation, using screenshots to highlight the inadequate forms of notice and disclosure provided by firms such as WhenU, who shoehorn the long, dense blocks of legalese from their EULAs into tiny, confusing scroll boxes in order to pressure users to click through and consent to the installation of software they do not fully understand (see my "Anatomy of a Drive-by-Download" for an extended consideration of this problem: »www.staff.uiuc.edu/~ehowes/dbd-anatomy.htm ).
Given these kinds of installation practices -- which are primarily designed to cover the legal backsides of spyware vendors without actually impacting their installation rates -- no one should be surprised that most "users" of Gator and WhenU are completely unaware of the software on their systems, because the EULAs provided by those companies simply do not serve as adequate forms of notice and disclosure. (See PC Pitstop's surveys of Gator and WhenU users for the numbers: »www.ftc.gov/os/comments/spyware/···stop.pdf and »www.ftc.gov/os/comments/spyware/···stop.pdf ).
Urquhart contrasted these shady installation practices with those used by Google for its popular Google Toolbar ( »toolbar.google.com/ ). As Urquhart pointed out, the difference between Google's installation and the installations of so many advertising software vendors is that Google does not regard the mere presentation of information about software behavior as adequate notice and disclosure. To craft adequate forms of notice and disclosure that actually ensure that users understand the software to be installed on their computers, the installation practices themselves must change. Put another way: we've got to stop regarding the notice/disclosure problem as merely one of the amount and kinds of information provided to users. In addition to the quality of the information provided, we've also got to consider the manner in which that information is presented, and that means taking a hard look at installation practices.
Google has done just that with its Google Toolbar, taking several steps to ensure that users are presented helpful, usable information in an easy-to-read format that simply cannot be missed. Google's installation practices ensure that the notice and disclosure afforded users is not simply full and forthright, but "clear" and "conspicuous."
Interestingly, Google announced yesterday a set of "software principles" that it thinks the industry ought to adopt to guide the provision of notice and disclosure during software installations:
Google defines good manners for adware »news.com.com/2100-1029_3-5215941.html
Feedback requested: A proposal to help fight deceptive Internet software »www.google.com/corporate/softwar···les.html
Unfortunately, the majority of those "software principles" address only the amount and type of information provided, not the actual practices through which that information is delivered. While Google's document does insist on "clear" and "conspicuous" notice, it largely neglects to lay out just what that would mean. Indeed, I strongly suspect that companies like Gator and WhenU would claim that they already abide by these principles and point to their EULAs, which are presented to users during the installation of Gator, SaveNow, and their other software applications. In my own analysis of the automated, online installation of C2 Media's Lop.com software (see »www.staff.uiuc.edu/~ehowes/dbd-anatomy.htm ), it was clear that C2 Media's collection of EULAs and privacy policies had in fact covered all of the major functionality and behavior of the software installed, just as Google's "software principles" insist. The problem was that the notice and disclosure of such functionality took the form of a 9400 word EULA that most users could make no sense of and that the EULA was presented in a completely confusing, even misleading, context.
While insisting on "clear" and "conspicuous" notice and disclosure, Google's "software principles" document does not outright reject such installation practices and does almost nothing to spell out what it would consider an adequate alternative. Until such proposals start addressing installation practices beyond the amount and kind of information provided, companies such as WhenU and Claria will continue to be able to insist that they do provide users with adequate notice and disclosure, despite the fact that most users don't even know the software is installed on their systems.
And we should be clear that these companies have every reason to resist providing notice and disclosure that would actually allow users to understand the software to be installed on their systems. It is simply not believable that most users would knowingly consent to the installation of software that clearly and conspicuously disclosed the fact that users would be subjected to:
* frequent, annoying, disruptive pop-up advertising on their desktop
* re-configured browser home page and search settings
* monitoring and reporting of their online behavior
* obnoxious new toolbars and other widgets on their browsers and desktops
* significant decreases in browsing speed and system responsiveness
* scads of new icons and links, many of them pornographic, on their browsers and desktops
* outrageous phone bills from premium rate porn dialers
Were advertising software vendors to disclose such functionality and behavior in a truly clear and conspicuous manner, they would be out of business in no time because most folks simply don't want that kind of software. One of the surest indications of this came from WhenU's own Avi Naider on Panel 1, who noted that of 100 million WhenU installations, 80 million had been uninstalled by consumers. In other words, after putting up with WhenU's obnoxious desktop advertising for some amount of time, 80 percent of users finally managed to remove it. And I strongly suspect that well over 90 percent of the remaining 20 million installations will be uninstalled once those unwitting victims figure out how to give Mr. Naider's software the boot.
Unfortunately, current law -- at least as it has been explained to me -- allows companies like Gator, WhenU, and C2 Media to persist in the fiction that they provide users with adequate notice and disclosure without actually doing so or cutting into their installation rates. Until we have laws on the books that make it clear that merely sticking a 9400 word EULA in front of confused users does not constitute adequate notice and disclosure, the spyware problem will continue, just as Google itself noted when it remarked, "We do not see this trend reversing itself. In fact, it is getting worse."
Enforcing Existing Laws
Unfortunately, three members of Panel 6 rejected calls for new legislation to address these inadequate installation practices, insisting that current law is adequate to the task of addressing spyware problems. Mark Eckenwiler of the Department of Justice, Mary Engle of the Federal Trade Commission, and Elizabeth Prostic of the Department of Commerce all disputed the need for new legislation and claimed that U.S. regulatory agencies have sufficient authority and leeway under current law to go after spyware vendors for "unfair" and "deceptive" trade practices. Each was asked the same question: "Do you think new laws are needed to address the spyware problem?" Each looked straight at the audience and said clearly and firmly, "No."
While it was interesting to hear their discussion of current laws and the enforcement actions that might be possible under those laws, none of these government officials squarely addressed the real problems with the installation practices used by most advertising software vendors. Instead they talked about marginal or tangential cases, including keyloggers and dangerous porn dialers.
Although the examples offered clearly fit the description of "unfair" and "deceptive" trade practices -- or even, in some cases, outright fraudulent, criminal behavior -- these examples were of software and installation practices far different from the typical offerings of the advertising software industry. Moreover, as dangerous and destructive as keyloggers and other such system monitoring software applications are, they are a diversion from the central issue in the "spyware" debate: unwanted advertising software, which is installed by companies, not nefarious individuals, and which is protected behind EULAs and other confusing installation practices. As I noted in my discussion of Panel 2 ( »FTC Spyware Workshop: 1st Impressions ), McAfee's numbers clearly demonstrated that it is advertising software (adware) that is fueling consumer problems with unwanted software, not keyloggers. Thus my frustration with the term "spyware," which continually distracts public officials and the media from the central issues at hand and which leads to "spyware" discussions that meander into handwringing over keyloggers, identity theft, and other outright criminal actions by individuals. Such discussions simply fail to address the largest problems with advertising software and the installation practices used to foist such software on unwitting victims.
The key question is whether the FTC, under current laws against "unfair" and "deceptive" trade practices, will be able to rein in the advertising software industry, which by and large does present users with EULAs. Even a month now after the Spyware Workshop we have heard nothing whatsoever from the FTC to indicate: a) whether it thinks it can pursue enforcement action under current law against companies that use EULAs and other inadequate forms of notice and disclosure; or b) under what criteria and in what situations it thinks it could go after such companies. Although current law does allow the FTC to go after companies for "unfair" and "deceptive" trade practices, the presence of a EULA such as that used by WhenU, Gator, and C2 Media during installation enormously complicates the picture, casting doubt on the ability of the FTC to address the widespread problems with advertising software.
Moreover, while I think it is certainly possible to go after spyware distributors who either fail to use a EULA or who do not disclose certain key software functionality in a EULA, those companies are marginal at best. With the shining exception of CoolWebSearch -- which is in a category all its own ( »www.spywareinfo.com/~merijn/cwsc···les.html ) -- most of the worst actors spring up out of nowhere, wreak havoc on users' computers for a month or so, and then disappear -- probably because their destructive practices angered enough people that they were effectively run out of town. (Howard Beales of the FTC noted himself in recent testimony before a House subcommittee that the worst actors are often fly-by-night con artists who "ride off into the cyber-hills" -- see »cbs.marketwatch.com/news/story.a···t=google .) The larger, more established advertising software vendors endure, however, racking up tens or even hundreds of millions of installations and attracting mainstream advertisers and venture capitalists ( »What's the *motivation* for hijack-ware? ). Until we address the unscrupulous practices of the largest players in the advertising software industry, we will be simply nibbling around the edges of the problem.
The Complexity of Crafting Effective Legislation
Whatever the limits of enforcing current laws against "unfair" and "deceptive" trade practices, the FTC should be encouraged to do so where possible. (See the CDT's "Consumer Software Working Group" document for examples of "unfair" and "deceptive" software practices that might be actionable under current law: »www.cdt.org/privacy/spyware/20040419cswg.pdf )
If we are serious about addressing the problems with spyware, however, then we will need new legislation to tackle the "tough cases" -- the cases in which advertising software vendors do provide some form of notice/disclosure but in a way that is inadequate and that doesn't truly allow most internet users to make sense of the software they encounter on web sites. But crafting legislation to address the problems with spyware can be tricky business, and casual observers of the debate over spyware frequently underestimate the difficulties involved.
All too often I see online comments from people who are justifiably outraged by spyware and who say something to the effect that, "It's my computer! If software is installed without my permission, then it should be illegal! How tough is that!"
The answer is: "Actually, it's a bit tougher than you think, and righteous indignation doesn't even begin to tell us how to make spyware illegal." Put quite simply, the question becomes: "How are we to determine what software was installed without your permission, esp. given that most advertising software presents users with a EULA of some sort?"
Even beyond the question of determining what constitutes adequate notice and disclosure, there are other difficulties that involve targeting unwanted software or software behavior in a way that doesn't unwittingly affect legitimate software that users do want. Still further, we must be careful to construct solutions that don't so severely burden legitimate software vendors that their software becomes unbearably complex and difficult for users to install and use.
In the space that remains, I want to summarize some of the key issues in crafting effective anti-spyware legislation so that those following the debates in Washington over the several anti-spyware bills currently before Congress can make sense of what is going on.
Two General Approaches
There are two broad approaches to crafting anti-spyware legislation, each with its own advantages and disadvantages:
1. The "Go-for-the-Jugular" Approach: this approach cuts to the root of the problem and bans certain key spyware practices outright -- e.g., drive-by-downloads, software bundling, and contextual advertising. The advantage of this approach is that it is unambiguous and allows no wiggle room whatsoever for advertising software vendors. The most objectionable and confusing software practices are simply banned outright. Not only does this approach put a stop to the installation practices so often used to bamboozle users into consenting to the installation of otherwise unwanted software, but it outlaws one of the key revenue sources for this industry, effectively cutting off its financial blood flow.
As attractive as this aggressive approach is, it has several significant problems. First and foremost, it risks making the online installation of legitimate software much tougher, because automated installations (drive-by-downloads) are banned. This could prove to be a significant problem for web sites that depend on special software to provide key functionality or content, and webmasters want to make the experience of using their sites as trouble-free and transparent as possible for users.
Second, it is difficult, if not next to impossible, to craft language that bans software bundling (e.g., bundling third-party advertising software with popular, "free" applications such as KaZaA) without severely burdening legitimate software makers, whose software packages are inescapably modular and whose installations often include a wide variety of software modules from several different sources, including third parties. A ban on software bundling could make the distribution of completely legitimate software incredibly difficult and burdensome.
Finally, though, it can be anticipated that many legislators will simply be reluctant to ban outright whole classes of software practices, which comes uncomfortably close to outlawing whole classes of technology. While there is certainly a good case to be made that software practices that are ripe for abuse and prone to causing substantial harm to normal internet users ought to be banned -- whatever the ill effects of the ban on innocent software vendors and users -- most legislators will probably prefer another more flexible approach.
2. The Notice/Disclosure/Choice Approach: this approach seeks to improve notice, choice, and disclosure so that users have a better chance of understanding the software that is installed on their systems. The idea behind this approach is that by requiring better notice, choice, and disclosure from software vendors, we can reduce the likelihood that users are surprised by unwanted software which is installed without their full knowledge, consent, and understanding. All of the legislation currently before Congress takes this approach to solving the spyware problem, though in slightly different ways.
The advantage to the notice/disclosure/choice approach is that it is more flexible because it allows all manner of software to be distributed and installed, provided users are given adequate notice of key functionality and the ability to control the installation. The disadvantage to this approach is that if the requirements for improved notice, disclosure, and choice are not crafted properly, we could wind up with a situation that resembles what we have now -- an online environment in which unscrupulous advertising software vendors use forms of notice, disclosure, and choice that don't truly allow internet users to understand the software to be installed on their systems. The advertising software vendors would effectively be able to continue pushing their software on confused users, only now with the defense that they meet strict federal requirements.
As the notice/disclosure/choice approach is the preferred approach used in the bills currently before Congress, I will next lay out some of the key issues and conundrums for attempts to improve notice, disclosure, and choice for users.
Three Classes of Software
Improving notice, disclosure, and choice largely means that we need to reform the installation processes used by software vendors. When we consider problems with installation processes, there are currently three classes of programs:
1. Stealth installers -- programs that exploit security holes and use other rogue, deceptive installation methods to completely bypass all forms of warning, notice, and disclosure or trick users into installations. Still other programs fail to disclose key functionality in EULAs or provide no EULAs whatsoever. The FTC and others (e.g., the CDT -- see »www.cdt.org/privacy/spyware/20040419cswg.pdf ) suggest that most of these "devious" are probably illegal already. These are likely to be the kinds of programs that the FTC finds it easiest to target for enforcement because the nature of their "unfair" and "deceptive" practices is much clearer than others.
2. Obfuscated installers -- programs that do present a EULA and/or privacy policy of some sort, but which do so in confusing circumstances, which present agreements that few users can make any sense of, and which exploit users' impatience and/or confusion to pressure them into installation. These EULAs and installation practices are, for the most part, currently considered legally adequate means of notice and disclosure; however, experience and evidence suggest that they are not adequate means for providing users with meaningful notice and disclosure.
3. Clear and conspicuous installers -- installers (like that for Google's Toolbar) which not only disclose key terms and practices, but which also employ carefully constructed installation processes to force users to notice this information. This kind of "clear" and "conspicuous" notice protects users by ensuring that software cannot be installed without their full knowledge, consent, and understanding.
Currently Class 2 is the one giving users the biggest problem because it allows unscrupulous software vendors to exploit users' ignorance and confusion while remaining on the right side of the law. They give just enough notice to stay on the right side of the law, but not enough notice that they damage their installation rates.
Current law makes EULAs a minimally sufficient contract for notice and consent, however, this form of notice and consent is clearly insufficient for most consumers. Junkware vendors cling to this minimal standard because it gives them wide leeway to push installations on hapless users -- through contexts and environments that consumers find confusing -- and secure the widest possible distribution of their software, which is critical to their business models. They then insist that their satisfaction of this minimal legal standard ought to mean that consumers have no legitimate complaint and that nothing ought to be done.
But this is a specious argument. One cannot argue that the law ought not to change by insisting that one is already following the current law itself. We insist that this minimal legal standard no longer serves its intended purpose, and the complaints of consumers -- not to mention the damage inflicted on individuals, businesses, and organizations -- ought to tell us as much. We insist on a change in the law to reform the installation practices used by software vendors so that they actually provide adequate notice and secure meaningful consent. When installation practices no longer provide for meaningful knowledge and consent from users, the laws governing notice, choice, and consent need to be strengthened to reflect the reality of the environment in which they are used.
The Difficulties w/ Improving Notice, Disclosure, & Choice
As we have seen, any legislative approach to the spyware problem must address the difficult cases -- the software that uses a EULA of some sort to satisfy a minimal legal standard for notice, choice, and disclosure but which doesn't actually provide users the information they need in a usable fashion to allow them to make an informed choice about the software they encounter on the Net. Even when we define the problem in these narrow terms, we are still left with a number of issues, some more serious and problematic than others.
1. Spyware vs. Adware
The first issue arises from a distinction that the advertising software industry makes between "adware" and "spyware." On this definitional distinction, "spyware" is said to be unwanted software that installs without providing users notice and disclosure and which gathers and transmits personally identifiable information (PII) without users' knowledge and consent. By contrast, it is argued, "adware" is an innocuous form of advertising software that does provide notice and disclosure of key functionality and which usually doesn't gather and transmit PII -- if it does, full notice and disclosure is provided.
The problem with this adware vs. spyware distinction is that it seeks to use the inadequate forms of notice and disclosure currently employed by advertising software vendors as an excuse to exempt a whole group of software from critical scrutiny. Put another way, the adware vs. spyware distinction essentially declares closed the entire question of whether installation practices currently used by advertising software vendors actually provide meaningful notice and disclosure, when the question ought to remain open to investigation and action. Thus the industry seeks to short-circuit efforts to improve notice and disclosure by insisting that current forms of notice and disclosure used by advertising software vendors are adequate, when we have good evidence to believe they are not.
The industry's adware vs. spyware distinction doesn't help us address consumer complaints with abusive installation practices -- it is merely a dodge. The self-serving distinction between adware vs. spyware urged by advertising software vendors simply needs to be abandoned by those serious about reforming installation practices and providing consumers protection against unwanted software.
2. Technology vs. Behavior
A second issue raised by advertising software vendors and the computer software industry more generally is the insistence that we avoid banning or mandating particular technologies and instead focus on reforming behaviors. The distinction between technology and behavior is usually coupled with the observation that it is difficult to define a particular class of software known as "spyware."
This distinction between technology and behavior does have something to recommend it. Not only is it completely uncontroversial among most folks that we would not want to ban whole classes of technology, but an unduly narrow focus on particular technologies could actually undermine reform efforts by making notice/disclosure/choice requirements too specific.
For example, a bill that required software vendors to supply an uninstallation entry in the Add/Remove Programs Control Panel applet would neglect to cover other operating systems without that particular applet, making it impossible for some software vendors to satisfy the requirement. Moreover, if the Add/Remove Programs applet were to disappear or change in future versions of Windows, the law would essentially mandate the impossible. By turns, a ban on using certain defined JavaScript commands to hijack web pages would fail to cover other forms of browser hijacking, including those not yet invented.
As useful as such observations about particular technologies are, the more general technology vs. behavior distinction is not as clear-cut as its proponents would have us believe. Is homepage hijacking, for example, a technology or a behavior? Is the use of contextual pop-up advertising a technology or a behavior? Is the addition of porn-related toolbars to users' browsers a technology or a behavior?
I would argue that each of these examples represents behavior in the sense that they are business practices embodied in code. It is not the particular combinations of code that we seek to target; it's the larger behavior that such code embodies. I strongly suspect, however, that those who urge a focus on "behavior" over "technology" would prefer a much narrower definition of "behavior" so as to hamstring legislatures and governmental agencies and prevent them from taking action against the more obnoxious business practices of the advertising software vendors.
Moreover, an exclusive focus on "behavior" risks becoming overly broad in its focus (as opposed to the overly narrow focus on "technology"). For example, a simple ban on the practice or behavior of transmitting personally identifiable information (PII) could ensnare completely legitimate types of software, as Declan McCullagh recently pointed out ( »news.com.com/2010-1014_3-5209091.html ):
said by Declan McCullagh: A bill sponsored by Rep. Mary Bono, R-Calif., to ban spyware, goes much further. Bono defines spyware as "any software" that "transmits" personal information -- a category that would include any e-mail client (because it transmits a "From: address") and many Unix utilities. FTC officials recently criticized it as a bad idea.
Where a technology-specific focus risks becoming too narrow, a behavior-specific focus risks becoming too broad.
Ironically, the proponents of the technology vs. behavior distinction can't seem to keep the distinction straight themselves, as the quote from McCullagh just above demonstrates. In his article, McCullagh actually uses the above example to illustrate the risk of focusing on technology, when the problem illustrated by the example is actually that of focusing on behavior. Moreover, those who advocate going after behavior over technology are prone to making ridiculous claims and comparisons to ward off governmental intrusion. McCullagh quotes Will Rodger of the industry trade association the Computer and Communications Industry Association (CCIA) on the problems of addressing problems with technology through law:
said by Will Rodger: Sometimes, it feels good to pass these laws, but they're not going to have an effect on the problem...We often see bills come through with the greatest of intentions. But as they say elsewhere, you can't suspend the laws of physics.
But that is a specious comparison. Software technology, as McCullagh just got through explaining to us, is a human creation that is "infinitely malleable and resists being pigeonholed by lawyers." It is not immutable, fixed, and given like the laws of physics, and thus the problems that arise when we use an overly broad focus on behavior that risk ensnaring all kinds of technologies we didn't intend to cover by targeting behavior.
The proponents of the technology vs. behavior distinction use similarly muddled logic when they talk about the difficulty of defining a class of software technologies known as "spyware." On the one hand, as we saw on Panel 1 ( »FTC Spyware Workshop: 1st Impressions ) industry representatives and allies often complain that current legislation is counterproductive because it focuses too narrowly on technology, and that a narrow focus on technology makes it impossible to define a class of software known as "spyware." Much better, they tell us, to focus on "behavior." On the other hand, they are all too happy to define "spyware" in contradistinction to "adware," leading us to believe that perhaps the problem of defining "spyware" isn't quite as difficult as they would have us believe. Indeed, if one is going to urge a focus on behavior over technology, it is difficult to understand why one would then insist on a distinction between adware vs. spyware, which only puts the focus back on technology. The industry's position on these several issues and terms is completely self-contradictory, self-serving, and confused.
Still worse, some opponents of anti-spyware legislation even attempt to play both cards at once, as we saw in the remarks of Howard Beales of the FTC before a House subcommittee recently ( »cbs.marketwatch.com/news/story.a···t=google ):
said by Michael Cowden, CBS Marketwatch: Beales also argued that the Bono bill didn't provide a workable definition of "spyware." "We need to determine if there is a definable class of software that can truly be called 'spyware,' " he said.
In other words, "spyware" is probably just too tough to define, but the Bono bill needs to define it anyway. And what happened to the insistence that we focus on behavior instead of technology, we might well wonder? If the Bono bill were to clearly and satisfactorily define a class of software as "spyware," its opponents would likely complain that it focused too narrowly on technology.
Some proponents of the technology vs. behavior distinction might object that by "behavior" they mean practices that are not technologically specific, and that we ought to craft laws that outlaw fraudulent practices in general and allow the FTC to prosecute companies on a case-by-case basis. Allowing the FTC to prosecute cases under general fraud provisions of the law has the advantage of great flexibility in that it allows the FTC to make fine judgment calls about ever-changing installation practices. But such an approach has several downsides, not the least of which is that it could lend itself to arbitrariness, leaving software companies to wonder just what constituted an acceptable set of installation practices. Still worse, though, such an approach is not likely to be useful in addressing the tough cases that we discussed above -- the cases in which companies do supply a EULA of some sort and thus have a presumptive claim to have given users notice and choice.
While it will be more productive to focus on objectionable practices as opposed to specific technologies, the language defining those practices must be carefully crafted so as not to be overly broad.
3. Information vs. Practices
As we have already discussed, it is simply not enough to focus on the amount and types of information provided to users during the installation of software. We must also pay close attention to the particular installation practices through which that information is delivered. If we focus only on defining the amount and type of information provided, many advertising software vendors will simply be able to continue their usual installation practices, most of which simply fail to actually provide clear, conspicuous notice.
4. Objectionable Practices
Contrary to the claims from the industry, most anti-spyware legislation does focus on a core set of problematic behaviors, not particular technologies. It is important that anti-spyware legislation address the full range of objectionable practices and behaviors used by spyware vendors.
a) PII vs. PSI
All the bills target software that gathers and transmits personally identifiable information (PII) -- information that uniquely points to individuals (name, SSN#, address, et al). But anti-spyware legislation should also target software that gathers what we can call personally sensitive information (PSI) -- information about users' behavior on the Net, for example. The gathering and transmission of both PSI and PII represents an intrusion into users' privacy unless such monitoring is clearly and knowingly consented to in advance by users.
The harms inflicted by spyware go beyond "spying," however, and we need legislation that targets more than just the collection and transmission of PII (or PSI).
b) Desktop Advertising
One of the biggest complaints of spyware victims is intrusive, disruptive advertising on their desktops, usually in the form of pop-up advertising. Some of this advertising is contextual -- that is, determined by the web sites users happen to visit and which are monitored by advertising software such as Gator or SaveNow. Other advertising is not contextual. Whatever the case, advertising that is delivered by client software on users' systems (not by web pages or online services) should be targeted by anti-spyware legislation.
c) System Additions & Modifications
Another big complaint from users involves unwanted additions to their systems -- such as searchbars, toolbars, and animated characters -- and unwanted modifications to key user settings -- such as the default browser home page or search engines. All of these additions and modifications are designed to drive users to use certain online sites and services, and such commercial practices should be targeted by anti-spyware legislation. In targeting such commercial practices, however, anti-spyware legislation needs to be carefully crafted so that it doesn't target all manner of systems changes, which would needlessly ensnare almost every kind of software currently built.
d) Uninstallation Methods
The final serious complaint from spyware victims is that advertising software or spyware often does not provide a reliable uninstallation method. Either the uninstallation method is hidden, or it doesn't work properly. In some cases there is no way to uninstall the software whatsoever. Still worse, some spyware resists being uninstalled, employing tactics to thwart user attempts to remove the software. Anti-spyware legislation should insist on the provision of a conspicuous, reliable uninstallation method.
Some have objected to this proposed requirement, invoking hypothetical horror stories in which software vendors are required to provide uninstallers for software components vital to the basic operation of the system, thus allowing users to unwittingly sabotage their own systems. Still others have wondered about the effect of such a requirement on parental control software, which prevents children from removing the software themselves.
None of these objections can ultimately stand at the end of the day as legitimate reasons to avoid requiring uninstallation methods for spyware or advertising software. Not only can we craft the language appropriately -- for example, to require that an uninstallation method be provided to the authorized administrator of the computer -- but we can carve out exceptions for certain classes of operating system software modules. Still better, we can limit the uninstallation requirement to software that uses any of the three previously noted practices (collection/transmission of PII/PSI; desktop advertising; system additions/modifications), thus exempting system-critical software entirely.
5. The Standard Legislative Formula
When we turn to the specific bills in Congress (the Bono bill, the SPY BLOCK bill, and the Inslee bill), we find that they all tend to operate with the following formula:
Step 1: Define a covered class of software which employs certain objectionable practices (collection/transmission of PII/PSI; desktop advertising; system additions/modifications).
Step 2: Require certain notice/choice practices for this covered class of software.
Put negatively, the bills ban software which meets the definition of the covered class of software but which does not meet the practices requirements.
Step 3: Provide for enforcement.
The problem with this formula is that it is too rigid in linking Step 1 with Step 2. The key is in linking the covered class (Step 1) with the required behavior (Step 2) in a more flexible fashion. Put another way, when we enshrine certain behaviors in law -- whether those be the behaviors of the covered class of software or the required installation practices for notice/choice/disclosure -- we risk imposing an overly rigid framework on software vendors. We want a framework that clearly targets certain objectionable practices and requires robust notice/disclosure/choice, but we don't want that framework to be too rigid and inflexible in the face of evolving technology.
As long as anti-spyware bills rely exclusively on an approach that fixes behaviors and practices in law, they will risk targeting legitimate, innocuous software and burdening software vendors and users with unfeasible requirements. Still worse, such legislation could also risk circumvention by unscrupulous spyware distributors who carefully craft their software to side-step the defined, covered class of software or who tailor their installation practices to fulfill the installation practice requirements without providing users with adequate notice, choice, and disclosure.
6. A Better Legislative Formula
Interestingly, the Bono bill ( »thomas.loc.gov/cgi-bin/bdquery/z···r.02929: ) does provide a hint at what might be a better formula for anti-spyware legislation. This alternative approach can be called the "FTC Guidelines" formula.
Sec. 2.(b) of the Bono bill requires the FTC to draft guidelines for notice/choice/consent; however, this section doesn't provide advice or guidance on how the FTC would expand upon the specific standards provided in the bill itself for notice/choice/disclosure practices beyond the very specific requirements of Sec. 2. In other words, its mandate for the FTC is too vague. Sec. 2.(a) suggests a more general requirement for "clear and conspicuous request for such consent or through an affirmative request for such transmission"; however, the FTC needs to be given clearer guidelines for establishing required information and practices that meet this standard:
1) The bill should specify that these guidelines for "clear and conspicuous" notice/choice/disclosure be drafted, published, reviewed, and enforced by the FTC through a deliberate, formal, public process. The bill needs to direct that the FTC shall hold a comment and input period on the specific guidelines, publish a set of specific guidelines (which can be more technologically specific because they can be periodically revised), review those guidelines every 6 months or a year, and revise those guidelines as needed. The bill could even mandate empirical research, study, and testing.
2) "Clear and conspicuous" should be fleshed out a wee bit more to indicate what that means in cyberspace. Moreover, the FTC should be given a list of principles/priorities/parameters for determining/drafting that list of guidelines. For example, these principles/priorities/parameters might specify that the guidelines: a) must give priority to ensuring that consumers receive adequate notice and choice; b) must impose requirements that are technologically feasible; c) must not mandate the use of proprietary technologies/closed standards; et al.
3) The bill should specify that revisions to the guidelines be driven by: a) changes in technology; b) indication that notice and choice are not being adequately created by present guidelines; c) indication that the guidelines are putting an undue burden on businesses without getting any clear benefits to consumers, et al.
In other words, the Bono bill's required set of FTC guidelines for notice/choice/disclosure is potentially productive, however:
1) it needs to be fleshed out into a more deliberate public process;
2) it needs to be grounded in and driven by particular parameters, priorities, and principles;
3) it needs to provide for a review, study, and revision process;
4) it needs to be drafted in such a way to hold the FTC's feet to the fire and prevent the usual suspects from crooking the whole process.
Under this alternative approach, the formula for anti-spyware legislation would become:
Step 1: Specify a covered class of software behaviors, but not frame this covered class as "spyware" (collection/transmission of PII, collection of non-PII, advertising, system additions/modifications).
Step 2: Direct the FTC to establish a set of guidelines for behavior/practices, which would cover notice/choice/disclosure. The key would be to specify: 1) a general set of principles/parameters/goals to frame/constrain/drive the drafting of these guidelines; 2) a revision and review process that would inject some flexibility into the guidelines.
Note that this Step 2 differs from the standard Step 2 (above) in that instead of enshrining a set of required practices in law, it allows the FTC to set guidelines for those practices within a certain set of parameters. Put another way, it says: "FTC, you shall have leeway to establish guidelines for required notice/choice practices, but those guidelines must do the following..."
Step 3: Provide for enforcement.
The difference in this arrangement is that Step 2 is not only more flexible, but allows us to avoid the evils of a) too much narrow technological specificity in the law itself; b) collateral damage from an overly broad focus on behaviors that unwittingly wipes out legitimate software.
If this "FTC Guidelines" formula could be made to work, it would allow us to negotiate the Scylla and Charybdis of not regulating particular technologies without being so overly broad in regulating behavior that we unwittingly regulate/ban "legitimate technologies." In fact, we COULD get a bit more particular in regulating technologies, as long as those technologies weren't cast in the stone of law but were rather embedded in revisable FTC guidelines that were guided by broader principles/parameters that were themselves set in the law.
Concluding Remarks on Panel 6
As I noted at the outset of this long discussion of Panel 6, there are many encouraging signs in the fight against spyware. Things are happening both inside and outside of government, and events are moving so swiftly that the FTC's preferred approach ("industry self-regulation," consumer education, enforcement of existing laws) may well be swept aside in the coming months. As encouraging as such a prospect might be, we must not lose sight of the difficulty of crafting effective anti-spyware legislation.
In saying that I am mindful that some may regard this admonition with suspicion. That suspicion is not unwarranted, because the industry itself has attempted to throw roadblocks in front of the legislative process by coming up with endless excuses to oppose anti-spyware legislation. I think it is important to recognize that many of their objections and warnings do have some merit, and we ignore the difficulties they point to at our peril.
Unlike industry obstructionists, however, I think we can work through these difficulties and craft a good bill that provides consumers strong protections against spyware without unduly burdening software vendors or end users. In other words, instead of looking for excuses to reject legislation outright -- which is what the industry is doing -- I think we need to look at the bills currently in Congress, recognize flaws and problems where they do exist, and work to improve the language of the bills to correct those flaws and problems.
Although I have reviewed all three bills before Congress and have specific comments on them, I will save those comments for another day.
Best,
Eric L. Howes

SnowymIRC | reply to eburger68
Mahalo for the wealth of information in this most recent update. It's great to see that actions relating to "Unfair & Deceptive" trade practices are coming into play regarding crapware. I believe it's only a matter of time before some State Attorney General ups the stakes & prosecutes with the power & flexibility of the RICO Act.

reply to eburger68
Hi All:
At the end of my review of Panel 4 of the FTC's Spyware Workshop, I looked forward to the release of the official transcript of the workshop's sessions and noted that:
said by Eric L. Howes: I am already anticipating that the transcript will underscore the wiliness of human memory, and I will be happy to make corrections and emendations to these posted remarks where my own memory of the workshop has proved to be less than completely reliable.
Having now looked over the entire transcript, I see that I was not wrong in thinking that I would have some corrections to make. Thus, I want to call attention to claims I made about the workshop, its participants, and what was said that were either wrong or not entirely correct. I'll also offer a run-down of the claims that I made that were correct and provide pointers to the appropriate pages from the transcript where you can find the discussions I was referring to.
Note: the official transcript of the Spyware Workshop can be downloaded from the FTC's site here:
»www.ftc.gov/bcp/workshops/spywar···ript.pdf
The transcript is 298 pages long and lacks bookmarks or hyperlinks. For a more navigable, easy-to-use version of the transcript with bookmarks, use this version:
»www.staff.uiuc.edu/~ehowes/trans···-idx.pdf
**What I Got Wrong...**
First, the errors that I made.
In my review of Panel 1, I complained about the performance of Ari Schwartz of the Center for Democracy and Technology (CDT). I wrote:
said by Eric L. Howes: Indeed, that pretty much sums up this panel: instead of working to protect consumers, this panel was more interested in protecting themselves. And to its great shame and discredit, the Center for Democracy and Technology (CDT) did almost nothing to challenge that agenda (more on the CDT in a bit).
Having reviewed the transcript of Panel 1, I now must admit that my characterization of the CDT's performance was not entirely fair. Late in the discussion of Panel 1, Ari Schwartz noted that the spyware vs. adware distinction urged by all the other panelists had problems (pp. 38-39):
said by Ari Schwartz: MR. SCHWARTZ: I do think that there's a reason that Adware has gotten a bad name. And a lot of it has to do with the fact that some companies have basically decided that they will do anything they possibly can to get their software onto the user's computer, and that they don't really -- and we found that a lot of those are Adware companies. (...)
And so therefore, when Marty says, you know, there's no overlap between Adware and Spyware, I don't think that that's true. There is certainly companies that are engaging in bad practices. It's not Adware itself that makes it a bad practice, but we have seen -- Adware companies seem to push the lines by using these affiliate kind of programs in order to make it happen.
Still later, after listening to Avi Naider's response to a question about PC Pitstop's findings that over 80 percent of users were not aware of the software on their systems, Mr. Schwartz summarized the problems with software bundling and concluded (pp. 55-56):
said by Ari Schwartz: MR. SCHWARTZ: We haven't done our own research on this yet, but, I mean, anything in the 80 percent sounds very high. If it's really that high, there is a major problem.
Now, I wish that Mr. Schwartz had taken a stronger, more unambiguous stance on the question of adware vs. spyware and simply rejected the definitional distinction outright, as several participants on other panels did (see Bryson Gordon's rejection of this distinction on p. 85; see also the discussion on pp. 97-102 of the connection between adware/spyware and traditional malware, Austin Hill's discussion of consumer confusion with adware on p. 106, Ray Everett-Church's questioning of the privacy claims of adware on pp. 120-121, and Steve Urquhart's characterization of adware "victims" on p. 270). And I still have strong reservations about the CDT's work with the Consumer Software Working Group, the CDT's advocacy of P3P-like self-regulatory measures, and its enthusiasm for "industry self-regulation" more generally. But the CDT did not completely cave in to the industry representatives on Panel 1, who were all too eager to exempt their software from the discussion of spyware, and I am happy to note that here.
In my review of Panel 4 I decried one of the statements made by a panelist about the "flexibility" of "best practices" and "industry self-regulation":
said by Eric L. Howes: Indeed, one of the industry reps on the panel remarked that "best practices" would necessarily have to be pluralistic and flexible -- that there could be no single set of "best practices" because we couldn't impose inflexible solutions on corporations. That kind of talk should leave no doubt in anyone's mind that "best practices" are simply not intended to set high standards for corporate behavior, but rather to allow corporations to make them into whatever happens to be convenient.
To my embarrassment, no such comment exists in the transcript of Panel 4, though Panel 4 does include a discussion about preventing any single company from monopolizing the establishment of "best practices" and using them for competitive advantage (see pp. 192-194). Rather, the comment I was thinking of comes from Daniel Weitzner on Panel 5 (pp. 235-236):
said by Daniel Weitzner: MR. WEITZNER: I'm going to just make one suggestion. I think that best practices are great if they describe a set of practices among which application writers and users can choose.
I think that it would be unfortunate even if a diverse group, an open group, got together and said here are the things we'll allow; here are the things we won't allow. And I don't think you're suggesting that, Jeffrey, but just to be clear. Best practices doesn't mean a single list of the good things and the bad things.
Best practices I think means doing the sort of thing that the now much-mentioned CDT report -- it should have been on Amazon. It would have done really well today -- would identify a set of problematic behaviors and could identify a set of other behaviors and then let people make choices.
I made a similar error in my review of Panel 5, where I discussed a portable ActiveX-based security scanner that I thought had been announced by David Moll of Webroot:
said by Eric L. Howes: Moll went on to describe a portable security scanner that Webroot has developed. It's an ActiveX control that users can download and run while on potentially insecure machines (a PC in an Internet cafe, for example). This portable security application scans the entire box for malicious code (keyloggers, system monitors, trojans, etc). Moll billed it as a way for users to ensure that boxes they don't control are secure.
In fact, that portable security scanner is being developed by X-Block, not Webroot, and was described by Wayne Porter of SpywareGuide.com -- see pp. 216-217 for Porter's discussion of the X-Block portable security scanner.
Finally, in my review of Panel 6 I incorrectly attributed a claim about there being no need for new legislation to cover spyware to Elizabeth Prostic, formerly of the Dept. of Commerce:
said by Eric L. Howes: Unfortunately, three members of Panel 6 rejected calls for new legislation to address these inadequate installation practices, insisting that current law is adequate to the task of addressing spyware problems. Mark Eckenwiler of the Department of Justice, Mary Engle of the Federal Trade Commission, and Elizabeth Prostic of the Department of Commerce all disputed the need for new legislation and claimed that U.S. regulatory agencies have sufficient authority and leeway under current law to go after spyware vendors. Each was asked the same question: "Do you think new laws are needed to address the spyware problem?" Each looked straight at the audience and said clearly and firmly, "No."
In fact, only Mr. Eckenwiler of the DOJ and Ms. Engle of the FTC were asked that question, and both gave the answer I described (see p. 261 for Mr. Eckenwiler's answer and pp. 262-263 for Ms. Engle's answer). Ms. Prostic was likely not asked the question because, as was noted at the start of the discussion on Panel 6 (see p. 255), Ms. Prostic had left the Dept. of Commerce 4 days earlier for a private law practice.
Finally, when discussing the problem of enforcing existing laws with advertising software vendors who use EULAs, I wrote:
said by Eric L. Howes: The key question is whether the FTC, under current laws against "unfair" and "deceptive" trade practices, will be able to rein in the advertising software industry, which by and large does present users with EULAs. Even a month now after the Spyware Workshop we have heard nothing whatsoever from the FTC to indicate: a) whether it thinks it can pursue enforcement action under current law against companies that use EULAs and other inadequate forms of notice and disclosure; or b) under what criteria and in what situations it thinks it could go after such companies. Although current law does allow the FTC to go after companies for "unfair" and "deceptive" trade practices, the presence of a EULA such as that used by WhenU, Gator, and C2 Media during installation enormously complicates the picture, casting doubt on the ability of the FTC to address the widespread problems with advertising software.
While it is true, strictly speaking, that the FTC has not offered specific comments on the application of existing law to these "difficult" cases in which inadequate notice and disclosure is provided, Mary Engle of the FTC did address the issue (pp. 291-292):
said by Mary Engle: MS. ENGLE: And can I just follow up on that from -- from our perspective. The FTC law is pretty clear that, if you're going to give notice to consumers of something, it has to be clear and conspicuous, and we have actually issued a long -- you know, several years ago now, guidance to the online community called "Dot Com Disclosure," that gives you a pretty good understanding of how to make disclosures clear and conspicuous to consumers, and that includes things like, if they've got to click on a button to find out the information, that the button has to be clearly labeled, and also, labeled with the import, so that they know why they should be clicking, not -- not just click here for more info, or something like that. So, from our perspective, just because some term is buried in a four-page ULA doesn't mean that consumers have necessarily given their consent to it.
The "Dot Com Disclosures" document that she refers to can be found here:
Dot Com Disclosures: Information About Online Advertising
HTML: »www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/
PDF: »www.ftc.gov/bcp/conline/pubs/bus···ndex.pdf
That document was the product of another workshop that the FTC conducted back in 2000:
Rules and Guides: Electronic Media Issues »www.ftc.gov/bcp/rulemaking/elecm···ndex.htm
Just before Engle's remarks, however, Mark Eckenwiler of the DOJ seemed a bit more skeptical of using existing law with these kinds of cases (pp. 290-291):
said by Mark Eckenwiler: MR. ECKENWILER: I think the point is well taken that, if we were to try to charge somebody with, you know, a Computer Fraud and Abuse Act violation for putting up -- you know, one of these "Do you want to accept this" screens that's, you know, 25 pages long in six-point type, in a very narrow column, totally unreadable, it's not the most attractive circumstance for us to bring a criminal prosecution, remembering that we actually have a Constitutional burden to prove beyond a reasonable doubt that, as I said before, this was under 1030, without or in excess of authorization.
I think the first line of defense in such a case is going to be that the defendant was, in fact, acting within the scope of authorization, and that becomes a kind of ugly jury question. If we're going to pick and choose cases to prosecute, I think we are more likely to take cases like the Jon case, or this newly-indicted case, the Ropp case, where there just -- there's no argument that that was -- there was never any constructive notice. Never even any attempt at notice. This was, you know, purely a -- a clandestine installation.
Those interested in notice and disclosure issues should see the following documents on the FTC's web site:
FTC Policy Statement Regarding Advertising Substantiation »www.ftc.gov/bcp/guides/ad3subst.htm
FTC Policy Statement On Deception »www.ftc.gov/bcp/policystmt/ad-decept.htm
FTC Policy Statement On Unfairness »www.ftc.gov/bcp/policystmt/ad-unfair.htm
So far as I can tell, that is the extent of the outright errors that I made in my review of the six panels at the FTC's Spyware Workshop.
**What I Got Right...**
Throughout my reviews of those six panels I described or summarized a number of comments made by panelists. In the space that remains, I want to provide pointers to the comments I was referring to in the transcript of the workshop.
In my original post about the workshop, I noted:
said by Eric L. Howes: Panel 1 (definitions of spyware/adware) was as bad as I expected it to be. Dominated by industry representatives or those friendly to the industry, the panel came to a consensus very early (and even noted that they were all essentially in agreement).
Indeed, Avi Naider of WhenU noted early in the discussion (p. 21):
said by Avi Naider: MR. NAIDER: And speaking for WhenU, I can say that we're quite pleased that there's unanimity on this on the panel in the sense that we're also a member of this working group.
Still later in the original post, I described Mr. Naider's claim that the number of uninstallations of WhenU's software indicated that users were being given adequate notice and choice:
said by Eric L. Howes: Avi Naider from WhenU pursued exactly this line, claiming that most WhenU users were quite aware of the installed software on their computers. In a somewhat bizarre move, Naider attempted to back this claim up by pointing out that of roughly 100 million WhenU installations, 80 million had been uninstalled. He claimed that the fact that users had uninstalled WhenU demonstrated that they were aware of the installations. There are all kinds of problems with this argument, which I won't bother to cover here.
Suffice it to say it was at that moment that Rob Cheng and Dave Methvin of PC Pitstop (the outfit sued by Gator/Claria last fall, by the way) began distributing their new survey of WhenU users that tells quite another story: over 80% of WhenU users are NOT even aware that the software is installed on their computers.
Here is Mr. Naider's reasoning (pp. 53-54):
said by Avi Naider: MR. NAIDER: I'm not sure that the PC Pitstop refers to WhenU specifically. I haven't seen that information. But just answering the question in general, there are certainly software applications out there that are not installed with user consent. We would agree to it. Very specifically, it's all in how you do it. (...)
And what I can say very specifically is in the case of WhenU, we've done over 100 million unique installations of our software. Eighty million consumers have removed it.
Now, what does that tell you? What it tells you is that we still have to make sure that the software that we bundle with is better and better value for consumers, because not all consumers want to see advertising supported by software if they don't value the software highly enough.
But what it tells you is that 80 million people can remove it. Clearly, 80 million people means that you have a mass market audience that makes a choice and makes a decision, and consents both upon the installation and consents on an ongoing basis to the software. And by that definition, if you adhere to standards, it's a very consent-driven type of model.
Still further, I called attention to Chris Jay Hoofnagle's discussion of Ben Edelman's finding that WhenU may have violated its privacy policy:
said by Eric L. Howes: The low point for WhenU must have come during Panel 3, when Chris Jay Hoofnagle from the Electronic Privacy Information Center (EPIC.org) pointed out that Ben Edelman's research, which reported the results of some extremely clever and tenacious packet sniffing, raised the prospect that WhenU was violating its own privacy policy by collecting and transmitting certain personally sensitive data.
You can find Mr. Hoofnagle's discussion of Ben Edelman's research on pp. 151-152.
Also in my original post, I noted that one of my questions was put to Panel 4:
said by Eric L. Howes: Audience members (including this author) were allowed to put questions to the panelists, but we had to do so via question cards submitted to an FTC employee for vetting. Of the five questions I submitted over the course of the day, one was accepted and read to one of the panels. (I asked how panelists could place such faith in consumer education when 10 plus years of education on viruses and antivirus software has been a demonstrable failure. None of the panelists addressed the question square-on.) Some of the other anti-spyware folks got some of their own questions accepted as well, though the answers they received were often less than responsive.
You can find Panel 4's response to that question on pp. 194-198.
Panel 1
While reviewing Panel 1's sorry performance, I denounced the agendas being pursued by several of the panelists:
said by Eric L. Howes: A few of the panelists were quite open about what they were attempting to do, stating flatly that "adware is simply different than spyware, and people have got to understand that" -- as if they alone could establish the difference through some sort of declarative fiat without the input or suggestions of others. This was but one of several moments during the day when the arrogant, obstructionist, anti-consumer agendas of those represented on various panels were nakedly on display and visible to all who cared to look.
To understand what I was reacting to, see the comment from Marty Lafferty on pp. 33-34:
said by Marty Lafferty: MR. LAFFERTY: And I'll just add that there is no overlap between Adware and Spyware. They're mutually exclusive. Adware is presumptively legitimate. It's a terrific business model for providing valuable software to consumers at no cost in exchange for accepting some advertising.
Other panelists made similar claims. I called attention to Avi Naider's similar comments:
said by Eric L. Howes: One of those commercial interests was WhenU.com, represented by its chief executive Avi Naider, who insisted at one point that the word spyware "was never meant to include software-based advertising...It's pro-consumer; it's pro-competition; it's pro-competitive. (It's) one of the most promising technologies that exists on the Internet today."
Mr. Naider's full comments appear on pp. 32-33:
said by Avi Naider: MR. NAIDER: Spyware was never meant to include software-based advertising, which is what legitimate Adware is. And very specifically, it's software on a consumer's computer that has been installed at the consent of the computer -- of the consumer, makes it very clear to the consumer what it's doing, can be removed easily by the consumer, and effectively gives the consumer potentially relevant valuable information. Specifically, as the consumer traverses the web, software-based advertising can deliver things like retail coupons. (...)
So in theory, the concept of Adware or software-based advertising is extremely pro-consumer. It's pro-competition. It's pro-competitive. And if done with proper notification, consent, and the consumer's ultimate control over the computer, which is the key point -- and I think Ari said it before -- the consumer has to understand that they have this type of software, has to have the ability to remove the software, has to be made clear when the software is generating coupons and ads. In that case, you have a very legitimate, a very promising technology that actually promises to reduce prices for consumers and to make the Internet a more competitive place. (...)
But it's very important to understand that legitimate software-based advertising, not only is it very clearly not within the definition of Spyware, but it's actually one of the most promising technologies that exists on the Internet today. And if allowed to evolve, it will make the Internet a very, very exciting place over the next decade.
Later in my review of Panel 1, I described how several of the panelists claimed that there would be collateral damage from the Utah anti-spyware bill because of the overbroadness of its definition of spyware. For that discussion, see pp. 23-27 of the transcript.
One of the other common objections to anti-spyware legislation is the requirement for an uninstallation method. I noted:
said by Eric L. Howes: The Utah bill's requirement of an uninstallation method provoked still more comments from one of the panelists, who warned users to "be careful what you ask for."
The comment I described angered many people, including Mike Healan of SpywareInfo, who wrote that he "wanted to rise up out of my chair at that rubbish" ( »www.spywareinfo.com/newsletter/a···4/24.php ). Here is Mark Bohannon's actual comment (pp. 58-59):
said by Mark Bohannon: MR. BOHANNON: Ironically, if you give across-the-board ability to uninstall, we have got to have a very strong caveat emptor. Because many things are put in place to insure the continued functionality of software, and that the ability of a consumer -- and because I believe this issue is about more than consumers, but also about business users uninstalling. Just be careful what you're asking for here, because you could, in fact, lead to greater frustration, less security, less ability to manage your personally-identifiable information if it is, in fact, a categorical right to uninstall.
Panel 2
Moving on to Panel 2, readers will be interested in taking a look at both the comments from some of these panelists as well as their presentations, which are available in PDF format.
* Maureen Cushman, Dell: Comments, pp. 69-72.
* Bryson Gordon, McAfee: Comments, pp. 72-76; Presentation ( »www.ftc.gov/bcp/workshops/spyware/gordon.pdf ).
* Austin Hill, Zero Knowledge: Comments, pp. 96-97.
In my review of Panel 2 I also called attention to several other comments from panelists:
* Roger Thompson on the number of new additions to Pest Patrol's database: see p. 76
* Roger Thompson on impact of spyware boot times: see p. 78.
* John Gilroy on consumer difficulties with spyware: see pp. 78-80.
And, as I also noted, Commissioner Swindle's videotaped remarks were shown to us just before the start of Panel 2 -- see pp. 62-67 of the transcript and »www.ftc.gov/bcp/workshops/spywar···ndle.pdf for a separate copy.
Panel 3
As I remarked in my review of Panel 3, the discussion on this panel was at times a bit dry and abstract. Nonetheless, there were a few noteworthy moments.
Chris Jay Hoofnagle's contributions were esp. useful, as I noted:
said by Eric L. Howes: Chris Jay Hoofnagle of the Electronic Privacy Information Center (EPIC.org) did manage to bring the discussion around to several useful points, though. First, Hoofnagle was the only panelist at the entire workshop to point the finger at Microsoft for providing the technological means for advertising software vendors to confuse and bamboozle users, install software without their full knowledge and understanding or meaningful consent, and hijack their browsers and PCs. Hoofnagle rightly noted that Microsoft's overly powerful ActiveX technology -- with its integration of mobile code straight into the operating system as well as the confusing manner in which ActiveX controls are installed through Internet Explorer -- opens too many doors for advertising software vendors to walk through and puts users on the defensive.
Mr. Hoofnagle's actual comments on Microsoft (p. 130):
said by Chris Jay Hoofnagle: MR. HOOFNAGLE: One, I think it's hard to look at this issue without looking at Microsoft. I think it's probably too easy to write to the critical areas of the registry that allow programs to start at boot. Similarly, it's too easy and there is not enough user understanding of the start up folders, which trigger software that you might not want to run.
I also appreciated Hoofnagle's comments on Fair Information Practices:
said by Eric L. Howes: Second, though, Hoofnagle usefully pointed out that Panel 3's discussion of privacy principles -- or, more formally, Fair Information Practices -- tended to reduce those principles to but two of four (notice and choice), when in fact internet users ought to be extended protection through a full range of Fair Information Practices.
In Mr. Hoofnagle's own words (p. 132):
said by Chris Jay Hoofnagle: MR. HOOFNAGLE: The Federal Trade Commission defines substantive privacy rights as notice, choice, access, security and accountability.
I think it's very important that we not allow privacy to be watered down to this idea of notice and choice in this debate or in others.
I also contrasted Hoofnagle's constructive comments with those of others:
said by Eric L. Howes: Hoofnagle's comments were a refreshing change from those of several of the other panelists, who enthused over the privacy initiatives of industry front groups like the Network Advertising Initiative (NAI), as if these organizations could be trusted or expected to do anything substantive to protect users' privacy in the face of voracious industry demands for access to users' desktops -- the next frontier or market in online advertising -- and all manner of data about users and their online behavior.
Ronald Plesser provided one of the better examples of this when he at once dismissed the issue of notice as not that big of a deal and recommended the Direct Marketing Association's (DMA) work on standards for notice (p. 138):
said by Ronald Plesser: MR. PLESSER: I don't know that I -- I think a notice is a notice. Some are better than others. I think we have seen -- I don't know that I've seen any in the privacy area, in spyware. I've seen some where the computer will serve you ads that they think will be of interest to you. I think those are usually pretty straightforward. When those ads come in, those alternative ads come in, they have little logos on them, or some of them do, that say this is being served to you by XYZ network, and it's different from where you originally went.
I don't think it's all that difficult, but I think there can be notices that can be workable. Again, I think the DMA is working on this stuff. I think it's important. I think one of the principles that we are working on with the DMA is to make sure these notices are obviously out there before the stuff comes onto the system, that the notice is given prior to installation.
"Notice is notice" fairly sums up the industry's attitude toward the problem of inadequate notice and disclosure during the installation of advertising software.
Panel 4
As readers of my comments will have noticed, Panel 4 was chock full of interesting moments.
First, there were two sets of comments by industry representatives on the impact of spyware on businesses:
* Brian Arbogast, MSN: Comments, pp. 161-163
* Andrew McLaughlin, Google: Comments, pp. 163-167; Presentation ( »www.ftc.gov/bcp/workshops/spywar···hlin.pdf )
Second, however, the majority of the discussion of Panel 4 focused on "industry self-regulation" and "best practices." Esp. bad were Commissioner Thompson's comments on the industry generally. I wrote:
said by Eric L. Howes: In one of the more nauseating moments of the afternoon, FTC Commissioner Mozelle Thompson quipped that the FTC was happy to hear the views of the large companies represented on the panel because they were truly the "elected" representatives of consumers. The corporate reps smiled at this bit of bureaucratic groveling before business interests, as Thompson was in fact chirpily parroting one of Corporate America's most cherished and noxious propaganda lines -- namely that the market is equivalent to democracy, and that the public, democratic institutions in which citizens actually participate (or are supposed to participate) are comparatively illegitimate. On this view, America is a democracy of consumers -- one dollar, one vote -- rather than a democracy of citizens.
Thompson's comments appear in his closing remarks on the panel (pp. 198-199):
said by Mozelle Thompson: COMMISSIONER THOMPSON: At the same time, you have many of those same pressures, because even though you're not elected, they elect you every day when they decide whether to buy or not to buy or to participate or not to participate. And that's where we have the same challenge.
I also called attention to one of the panelists remarks about "consumer education":
said by Eric L. Howes: In other words, "consumer education" in this scheme of things isn't really education as we normally understand it; rather, it's public relations and propaganda -- manipulating consumers into the "correct" ways of thinking about the software. And this was made perfectly clear by the several industry representatives on Panels 1 and 4, who insisted over and over that we get it into our heads that their software is "adware" not "spyware." Indeed, one of the representatives on Panel 4 (though just who I am at a loss to recall) let the cat out of the bag when he or she helpfully explained that "we need to educate consumers so that they understand what this software really is." A more naked, forthright statement of just what the industry has in mind for consumers would be hard to come by.
In fact, two panelists made comments along that line:
1. Chris Kelly (p. 183):
said by Chris Kelly: MR. KELLY: So I think that that can go hand-in-hand with a consumer education campaign oriented towards explaining to people the difference between client software and spyware.
2. Jules Polonetsky (p. 184):
said by Jules Polonetsky: MR. POLONETSKY: I'd comment on a couple of different levels, one on the comparison to some of the other self-regulatory processes. I think one of the reasons why on the network advertising initiative side of the world things end up working is you could really could sit most of the relevant players who were doing this on any scale around the table.
They all were public or soon-to-be public companies that were, you know, part of the civil debate part of the world, and you could say to them, look, you all need to do an awful lot more to explain your business practices, because people have concerns about them. So step up, do more, work harder, bother your customers, make them do more.
Panel 5
The highlight of Panel 5 was the presentation by Microsoft on ActiveX controls and the upcoming changes in SP2 for Windows XP:
* Jeffrey Friedberg, Microsoft: Comments, pp. 201-213; Presentation ( »www.ftc.gov/bcp/workshops/spywar···berg.pdf ).
By far the most entertaining panelist of the day, though, was Steven Bellovin, who quipped at one point, "It seems to be my role here to be disagree with people" (p. 250). One of his more notable disagreements with another panelist concerned the portable security scanner application announced by Wayne Porter of SpywareGuide (but which I mistakenly attributed to David Moll and Webroot). As I reported:
said by Eric L. Howes: The irony of this "security application" was not lost on Steven Bellovin, Fellow with AT&T Labs-Research, also on the panel. Noting that mobile code is one of the biggest security problems in Windows, he quipped that Webroot's portable security scanner was one of the "scariest things" he had yet heard about at the workshop.
And Bellovin was right, of course, because what Moll had unwittingly pointed out is that ActiveX controls can be used to import and run completely foreign code of unknown provenance at the user's discretion on boxes that the user ostensibly shouldn't control.
Mr. Bellovin's actual comments (p. 250):
said by Steven Bellovin: MR. BELLOVIN: I think there are a number of mistakes we can point to, but to me the biggest mistake the industry made was deploying mobile code without adequate safeguards.
The scariest thing that I heard today was it's possible to write an ActiveX control to scan a machine for spyware. You have a control that's that powerful that can roll with those permissions, my God, what else could it have done?
As I noted, Daniel Weitzner had useful comments on P3P-like solutions to spyware:
said by Eric L. Howes: To his credit, Daniel Weitzner of the World Wide Web Consortium (W3C), one of the prime forces behind the P3P specification, expressed his skepticism of such an adaptation of P3P, though he said he wouldn't completely dismiss the idea.
Mr. Weitzner's actual comments (pp. 231-232):
said by Daniel Weitzner: MR. WEITZNER: I have to say, I'm slightly on the fence here about how much a labeling approach can really accomplish when it comes to spyware. And I think it can probably help some, but the history of trying to label things on the web I think is really instructive here. I think if you look at both privacy on the one hand and things like pornography and spam on the other hand, you see the sort of limits and benefits of labeling.
See pp. 228-235 for the complete discussion of P3P-like anti-spyware solutions, problems w/ labeling schemes, and the similarity of problems with spyware and spam.
Panel 6
Though Panel 6 was a long time in coming (or so it seemed at the time), it too had its noteworthy moments.
In my review of Panel 6 I called attention to the remarks of Jennifer Baird of Rep. Mary Bono's office:
said by Eric L. Howes: Although at times appearing a bit uncomfortable with speaking to such a large audience, Ms. Baird nonetheless made her boss's position quite clear: that new legislation is needed to protect consumers against the invasive, destructive software currently being distributed by the advertising software industry. While she acknowledged the potential benefit of "industry self-regulation," consumer education, and enforcement of existing laws against the more unscrupulous spyware distributors, Ms. Baird firmly and unambiguously insisted that those actions were simply not adequate to the job. Moreover, she rejected calls from the industry and others to study the issue more and allow the industry itself to address the problem. "That's just not how things work in Congress," she said, and went on to describe Rep. Bono's work on her own anti-spyware bill...
Ms. Baird's actual comments (pp. 266-267):
said by Jennifer Baird: MS. BAIRD: Another thing has been -- another thing that we heard from industry has been, you know, self-regulation is the answer, but we can't really come up with best practices yet.
So, in other words, what we're hearing is, this is a problem, it needs to be solved, but we don't know how, so just hold on.
And that's not how it works in Congress, and, you know, as a member of Congress, my boss has the responsibility to do all she can to protect her constituents from downloading onto their computer that they use for personal, you know, banking and for credit -- you know, buying things through their credit card and so on and so on. She has the responsibility to make sure that they have confidence when they're using their computer, and that that information won't be shared.
And another thing that, of course, has been said is, legislation is just the wrong answer. This can only be done through self-regulation.
I would say that we can't sit around and just think about it and talk about it for days and nights in a year, we do have to act. But that being said, I do think that industry self-regulation is a very important aspect of this, and my boss understands that legislation by itself will not stop the problem, but it is a step in the right direction. It is a step in the right direction that people know what they're downloading onto their computer before they download it.
I also applauded the remarks of State Rep. Steve Urquhart of Utah:
said by Eric L. Howes: Thus, it was helpful and encouraging to listen to the remarks of Utah State Rep. Stephen Urquhart, the principal force behind the Utah bill. Urquhart was quite impressive throughout his comments. Demonstrating a firm grasp of the issues, Urquhart rejected the flim-flam objections and diversions from the industry, quickly batting them down. Describing his own experience drafting the Utah bill, Urquhart remarked that he and his colleagues in the Utah House received no useful input from the industry, which simply wanted to kill the bill, as should be apparent from the several industry comments publicly available (see the NetCoalition above, for example).
Here are two choice quotes from Mr. Urquhart:
1. p. 274:
said by Steve Urquhart: MR. URQUHART: I mean, constituents, they demand results. They're sick of this stuff. And so I've heard a lot of handwringing here today, and I think it is great that we do need best practices, we need education, we need technology, but we also need regulation.
I mean, how do you stop bad guys? You have a neighborhood watch? You have education to pick up your newspapers. Don't leave them sitting around. You have technology, you have alarms and bars, but at the end of the day, you've got to have laws and a cop on the beat. And so we've put a cop on the beat.
2. pp. 287-288:
said by Steve Urquhart: MR. URQUHART: Yeah, let me point out that, in Utah, like in most states, we don't write our laws into -- in stone. We don't chisel them in stone, we write them on paper, and so, we have made it plenty clear to industry, and to all parties, that we wanted their input.
And about the only input we got during the sessions was, don't do it. Let -- for Heaven's sake, let the feds deal with this, and, you know, that -- that's not acceptable to my consumers. And so, this was brought forward by an industry member, saying put in an operating system, and currently, in the law, they could argue that this is a vital component of the operating system, then it would be exempted out.
For more of Mr. Urquhart's comments, see pp. 269-275 and pp. 287-290.
**Errors in the Transcript**
Yes, the transcript itself does contain a few errors that readers should be aware of, though most of them are minor.
p. 78: here Roger Thompson of Pest Patrol is misidentified as "Commissioner Thompson." (Commissioner Thompson did actually offer remarks just after Panel 3 and went on to host Panel 4. The Thompson on Panel 2, though, was Roger Thompson.)
p. 218: "sharistic" should be "heuristic"
pp. 223-224: the transcript misattributes David Moll's comments to Daniel Weitzner. That this is so should be clear from context, because the remarks cover the partnership between the maker of Spy Sweeper and Earthlink (misspelled "Earthlinks" in the transcript).
p. 226: "wy" should be "way"
pp. 257-258: these two pages contain a series of interconnected errors of attribution. The transcript attributes the question on p. 257 ("Could you just sketch out for us,...") to Mary Engle by tacking the question onto the end of Engle's response to a previous question, and the answer ("Well, to bring a case,...") to Beth Delaney, who was actually the host asking the questions. The next question on p. 258 ("Mark, we'd like to hear about...") then bleeds into the end of the response and is correctly attributed to Beth Delaney; however, the preceding response is Engle's. In other words, pp. 257-258 should have a question by Delaney, a response by Engle, and a question by Delaney. Instead what we get is a question by Engle (at the end of her response to a previous question), a response by Delaney, and then a question by Delaney.
There are undoubtedly other minor errors, but those are the ones I spotted.
**Concluding Remarks**
In going through the transcript for the FTC's Spyware Workshop I happened across a number of interesting comments that deserve attention, and I'll be posting a list of them in the next few days. You can think of that list as my own selection of key highlights from the workshop for those who don't have the time or inclination to plow through all 298 pages of the transcript.
Also, the FTC has finished posting comments from the public about "spyware," and the comment period is now closed (the last day to submit was May 21). Here's a short breakdown of the comments posted in the past few weeks (#212-359):
# 212-349: these are mainly short comments from consumers, many of them angry and frustrated at spyware and, occasionally, the FTC itself
# 350-359: the last ten submissions include a number of comments worth noting.
(Note: see »A Guide to Spyware Comments Filed w/ the FTC for pointers to earlier comments posted to the FTC's site.)
# 350 Recording Industry Association of America (04/23/04) »www.ftc.gov/os/comments/spyware/···peer.pdf
The RIAA weighs in with a hefty document linking spyware to P2P file sharing software.
# 351 Lavasoft (05/17/04) »www.ftc.gov/os/comments/spyware/···soft.pdf
Lavasoft, makers of Ad-aware, provides straightforward answers to the main questions on the FTC's agenda.
# 352 Association of Shareware Professionals, Inc.-2 (05/20/04) »www.ftc.gov/os/comments/spyware/···ff-2.pdf
In its second submission this industry organization dismisses the purported difference between adware and spyware.
# 356 The National Network to End Domestic Violence (05/21/04) »www.ftc.gov/os/comments/spyware/···viol.pdf
Providing an object lesson on the problems with the term "spyware," which leads people to confuse advertising software with system monitoring programs, this non-profit organization advises the FTC on why keyloggers are a threat to battered women.
# 357 Webroot Software, Inc. (05/21/04) »www.ftc.gov/os/comments/spyware/···ware.pdf
Like Lavasoft, Webroot addresses all the main questions on the FTC's announced agenda.
# 358 WhenU.com (05/21/04) »www.ftc.gov/os/comments/spyware/···ents.pdf
A "must read": WhenU finally replies to Ben Edelman's finding that WhenU's SaveNow software transmits URLs in violation of its privacy policy (see »www.benedelman.org/spyware/ftc-031904.pdf ) and PC Pitstop's survey of WhenU users, which revealed that over 80 percent of WhenU "users" were unaware of the software installed on their systems (see »www.ftc.gov/os/comments/spyware/···stop.pdf ).
Edelman has already posted a response to WhenU's reply on his web site:
WhenU Violates Own Privacy Policy »www.benedelman.org/spyware/whenu···response
PC Pitstop will undoubtedly be posting a response of its own.
Having looked over WhenU's reply, I must say that WhenU's attorney isn't the sharpest knife in the drawer. Her argument against Edelman's findings is completely inadequate, as she seeks to downplay the plain language of the EULA itself, which WhenU was forced to revise in the past few days. Moreover, her reply to PC Pitstop's survey effectively supplies the reasoning necessary to underscore the ultimate point of PC Pitstop's survey. In other places, she contradicts herself, misstates or misdescribes PC Pitstop's survey, and simply ignores evidence when it isn't convenient. All in all a sorry performance.
# 359 Howes-2 (05/21/04) »www.ftc.gov/os/comments/spyware/···es-2.pdf
My response to C2 Media's reply to its critics -- see # 181 Lucas-2 (04/14/04) ( »www.ftc.gov/os/comments/spyware/···cas2.pdf ) -- is the very last posted comment for the workshop. I should have an HTML version of this up on my FTC Spyware Workshop page in the next few days:
The FTC's Spyware Workshop »www.staff.uiuc.edu/~ehowes/ftc-spyware.htm
Best regards,
Eric L. Howes
urankjj join:2004-05-31 Forest Falls, CA | reply to Link Logger
Spyware on my PC is certainly the beginning of the end of my on-line purchasing, you can count on it.