Few solutions pop up at FTC adware workshop

Spyware and adware have become the top complaint in customer service calls to computer makers, but a workshop convened by the Federal Trade Commission yields few answers.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
6 min read
WASHINGTON--Spyware, adware and other code that lurks on hard drives has become so pervasive it's bedeviling home users, driving corporate technology managers to distraction and has become the top complaint in customer service calls to computer makers.

But participants in a one-day workshop convened Monday by the Federal Trade Commission couldn't decide what to do about it.

Attendees at a Federal Trade Commission workshop on spyware fill a room.

Software companies warned of poorly written laws targeting spyware that could inadvertently affect legitimate products like smut-filtering software or security update mechanisms. Microsoft suggested that technology in a forthcoming Windows XP Service Pack might do the trick, while other participants touted third-party rating systems and voluntary codes of conduct.

Politicians and their aides defended laws targeting spyware, citing the example of last year's federal law regulating spam. But some advertising companies claim their business model is perfectly legitimate, and law enforcement representatives acknowledged they already had sufficient legal authority under computer crime laws to put the most noxious spyware makers in prison.

When asked whether new laws were needed to place spyware authors in prison, Mark Eckenwiler, a senior computer crime prosecutor at the U.S. Justice Department, replied: "By and large, the answer is no. In our quiver, we have a number of arrows we can use in prosecutions."

While spyware and adware started to become a public concern about a year ago, only in the past few months have some variants become the Internet equivalent of Public Enemy No. 1.

Spyware and adware problems became the largest single customer service complaint late last year, Dell attorney Maureen Cushman told the FTC workshop. It's become "a huge technical support issue for us," Cushman said, resulting in "slow performance, inability to access the Internet, extra icons and pop-up ads. This damages our brand and, most importantly, impairs the customer experience."

McAfee Security manager Bryson Gordon, whose company sells the McAfee AntiSpyware utility, says his company detected fewer than 2 million adware or spyware products in August 2003. By March 2004, the total number had zoomed to just more than 14 million. It's become "a larger technical support problem than viruses," Gordon said.

Much of the simmering disagreement on Monday arose from participants not being able to agree on a definition that would permit ad-supported software--while prohibiting parasitical spyware that quietly embeds itself in a personal computer and records keystrokes or sends out spam.

Complicating any definition is that adware from companies like Claria (formerly Gator) and WhenU typically seeks permission from users, though critics charge that the companies intentionally make the terms of service agreement difficult to understand so most people don't know what they're getting. The company's utilities monitor a user's Web browsing activity and display relevant advertisements in pop-up windows.

An anecdotal survey that antispyware company PC Pitstop described on Monday said that "75 percent of the respondents did not even recall installing (Claria's Gator Advertising Information Network) application on their PC...Adding the tally for users that did not know GAIN was installed to those that read the 20-page license for less than five minutes, an incredible 97 percent of GAIN users are largely unaware of what the application is doing on their system."

Growing regulatory attention
Avi Naider, chief executive of WhenU, defended his company's business practices, saying the word spyware "was never meant to include software-based advertising...It's pro-consumer; it's pro-competition; it's pro-competitive. (It's) one of the most promising technologies that exists on the Internet today."

Naider was especially pointed in his criticism of Utah, which last month became the first state to restrict spyware. Other regulatory efforts are afoot: Two similar proposals have been introduced in the U.S. Congress, and the Center for Democracy and Technology has filed a complaint against Mail Wiper before the FTC, alleging it engaged in illegal "browser hijacking."

Special report
Out of the shadows
A growing movement aims
to stop or regulate
software that
surreptitiously monitors
computer use.

Last week, WhenU filed suit to block Utah's spyware law, saying it was unconstitutionally broad. Naider said, "there's been a lot of mixing of the issues," and claimed that the Utah law was unreasonably aimed at WhenU even though its customers wanted the product.

Speaking later in the day, Utah state representative Stephen Urquhart said of WhenU that "we concluded it's parasitic...Unless there is regulation in this area, the butcher, the baker, the candlestick maker will stick to bricks and mortar." The Utah law generally bars companies from installing software that reports its users' online actions, sends any personal data to other companies, or pops up advertisements without permission.

Jennifer Baird, legislative counsel to Rep. Mary Bono, R-Calif., said the technology industry was naive to think that politicians would sit idle while companies debated definitions. "What we're hearing is that, 'This is a problem, it should be solved, but we don't know how to do that, hold on,'" said Baird, whose boss has introduced an antispyware bill. "That's not how it works in Congress."

Technology approaches
While they might disagree about details, representatives of the technology companies who showed up at the FTC event did appear to be uniformly skeptical of new laws singling out spyware or adware.

Mark Bohannon, general counsel of the Software and Information Industry Association, suggested that Congress should stay out of trying to craft definitions to sort software into good and bad categories. Otherwise it could create more of the problems caused by Utah's measure and ban "routine, benign Internet communications such as instant messaging." The association's members include AOL Time Warner, Credit Suisse First Boston, eBay, Intuit, Novell and Sun Microsystems.

J. Trevor Hughes, executive director of the Network Advertising Initiative, was more blunt, warning of "hasty legislative responses...A legislative response is probably the worst first response." Hughes and other industry participants suggested that educating users not to install software from Web sites they don't trust would be a wiser approach, coupled with improvements in technology similar to what antivirus and antispam products have experienced.

In a bid to organize the technology industry against the threat of buggy legislation, the nonprofit Center for Democracy and Technology distributed a five-page paper from an ad hoc "Consumer Software Working Group" that was signed by companies including Microsoft, Google, America Online, Yahoo, Claria and WhenU. But it was focused on pointing out examples--such as a dialer that secretly calls a long-distance number and runs up phone bills--that are already illegal, and it didn't try to come up with a consensus definition.

Google senior policy counsel Andrew McLaughlin said his employer is "probably a little less allergic to legislation," but went on to say, "the more that I look at the text of the bills that are floating around, the more nervous I become." Google makes available a toolbar utility for Web browsers that eliminates pop-up ads and, if the user chooses, sends information about Web sites visited back to the company.

Nearly all known spyware programs infect Microsoft Windows, not Apple's OS X operating system or other Unix or Linux variants. "There are a lot of things we can do at the software level to make it harder for users to get tricked," said Microsoft Vice President Brian Arbogast.

Jeff Friedberg, Microsoft's director of Windows privacy, said that the next release of Windows XP Service Pack takes major steps to limit malicious code. Those are: a pop-up blocker in Windows, a mechanism to prevent unsolicited downloads, an option to never install software from a particular company, and an Active X manager that permits certain controls to be disabled. In addition to bugs in Windows, many spyware programs rely on Active X to take control of a computer.