[Senate Hearing 109-406]
[From the U.S. Government Publishing Office]
S. Hrg. 109-406
REGARDING SPYWARE
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TRADE, TOURISM, AND ECONOMIC DEVELOPMENT
OF THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
__________
OCTOBER 5, 2005
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
U.S. GOVERNMENT PRINTING OFFICE
27-822 WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
0SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
TED STEVENS, Alaska, Chairman
JOHN McCAIN, Arizona DANIEL K. INOUYE, Hawaii, Co-
CONRAD BURNS, Montana Chairman
TRENT LOTT, Mississippi JOHN D. ROCKEFELLER IV, West
KAY BAILEY HUTCHISON, Texas Virginia
OLYMPIA J. SNOWE, Maine JOHN F. KERRY, Massachusetts
GORDON H. SMITH, Oregon BYRON L. DORGAN, North Dakota
JOHN ENSIGN, Nevada BARBARA BOXER, California
GEORGE ALLEN, Virginia BILL NELSON, Florida
JOHN E. SUNUNU, New Hampshire MARIA CANTWELL, Washington
JIM DeMint, South Carolina FRANK R. LAUTENBERG, New Jersey
DAVID VITTER, Louisiana E. BENJAMIN NELSON, Nebraska
MARK PRYOR, Arkansas
Lisa J. Sutherland, Republican Staff Director
Christine Drager Kurth, Republican Deputy Staff Director
David Russell, Republican Chief Counsel
Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
Samuel E. Whitehorn, Democratic Deputy Staff Director and General
Counsel
Lila Harper Helms, Democratic Policy Director
------
SUBCOMMITTEE ON TRADE, TOURISM, AND ECONOMIC DEVELOPMENT
GORDON H. SMITH, Oregon, Chairman
TED STEVENS, Alaska BYRON L. DORGAN, North Dakota,
JOHN McCAIN, Arizona Ranking
CONRAD BURNS, Montana DANIEL K. INOUYE, Hawaii
JOHN ENSIGN, Nevada JOHN D. ROCKEFELLER IV, West
GEORGE ALLEN, Virginia Virginia
JOHN E. SUNUNU, New Hampshire JOHN F. KERRY, Massachusetts
JIM DeMint, South Carolina MARIA CANTWELL, Washington
DAVID VITTER, Louisiana FRANK R. LAUTENBERG, New Jersey
BILL NELSON, Florida
E. BENJAMIN NELSON, Nebraska
MARK PRYOR, Arkansas
C O N T E N T S
----------
Page
Hearing held on October 5, 2005.................................. 1
Statement of Senator Allen....................................... 3
Statement of Senator Burns....................................... 3
Statement of Senator Bill Nelson................................. 2
Statement of Senator Smith....................................... 1
Witnesses
Majoras, Hon. Deborah P., Chairman, Federal Trade Commission..... 5
Prepared statement........................................... 9
Appendix
Response to Written Questions Submitted by Hon. Frank R.
Lautenberg to Hon. Deborah P. Majoras.......................... 25
REGARDING SPYWARE
----------
WEDNESDAY, OCTOBER 5, 2005
U.S. Senate,
Subcommittee on Trade, Tourism, and Economic
Development,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:35 p.m. in
room SD-562, Dirksen Senate Office Building, Hon. Gordon H.
Smith, Chairman of the Subcommittee, presiding.
OPENING STATEMENT OF HON. GORDON H. SMITH,
U.S. SENATOR FROM OREGON
Senator Smith. I want to thank my colleagues for being
here, I know they share with me a deep interest and concern
about the matter of spyware. I want to thank Chairman Majoras
for rearranging her schedule to be here today.
As Chairman of the Subcommittee on Trade, Tourism, and
Economic Development, which has primary jurisdiction over the
Federal Trade Commission and online-privacy issues, I have a
deep interest as colleagues do in spyware and have continually
worked on these issues to ensure protection of consumers and
businesses.
The FTC also has a responsibility to protect American
consumers from all types of fraud and deception, including
spyware.
According to a recent survey by the National Cyber Security
Alliance, 93 percent of people feel that spyware is a serious
problem, and 61 percent believe that Congress should be doing
more to combat the problem. Consumers have now downloaded free
versions of the two most widely used anti-spyware programs over
45 million times.
Although spyware has been used for many deceitful purposes,
including theft of personal information, the technology behind
it is being used also toward legitimate ends as well. I
strongly believe that a total ban of an entire category of
technology or product can have many unintended and serious
consequences. If the definition of spyware becomes too broad,
legislation adopted in haste might not take into account the
evolution of future technologies, and in turn, it could stifle
innovation.
I believe we must limit the abusive and deceitful practices
which are allowing industry the ability to build on and improve
existing technologies. To that end, I introduced the U.S. SAFE
WEB Act to expand the Federal Trade Commission's current
authority to enforce existing laws and allow the agency to
coordinate with foreign law enforcement officials to prosecute
deceptive online activities. I have also co-sponsored
legislation with Senator Allen to increase the FTC's current
authority to enforce existing laws to prevent deceitful acts of
spyware.
We need to give the FTC the necessary tools to go after the
individuals who are already violating current Federal law. We
need to address the most egregious activities and behaviors
online without placing unnecessary restrictions on the entire
technology industry.
Americans must be proactive in keeping our high-tech
industry on the cutting edge in the world market. I believe
that an appropriate balance can be found between limiting the
illegitimate use of existing technologies and allowing for
technology industry to grow, expand, and innovate.
As we continue to address this issue, I look forward to
working with all of my colleagues to confront this growing
problem appropriately and in a timely manner.
With that I'll go to Senator Nelson.
STATEMENT OF HON. BILL NELSON,
U.S. SENATOR FROM FLORIDA
Senator Nelson. I'll go to praising you Senator Burns,
because you and I have sponsored the bill to address spyware
problems.
Senator Burns. That's right.
Senator Nelson. Everything that Senator Smith has said is
accurate. Spyware invades our privacy, leads to identity theft,
exposes children to pornography, aids corporate espionage,
threatens E-Commerce, and it clearly has national security
implications. And technology and the private marketplace
haven't found a solution to stop spyware, so we now need a
tough Federal law Mr. Chairman, that clearly defines illegal
conduct and gives the government more tools to go after the
spyware companies.
And so Senator Burns and I are sponsoring this bill called
the Spy Block Act, along with Senators Wyden, Snowe and Boxer.
And last year we reported this bill out of the Committee on a
unanimous vote. And it has one simple principle, empower
consumers to decide for themselves what software is installed
on their computers. Now Senator Allen and others have
introduced another spyware bill, I think that one is a little
narrow in scope but it has some very strong components. So what
I want to do is, all of us to work together to merge the two
approaches and get a spyware bill marked up, so we can get it
moving.
The House has already passed two such bills, but it
continues to wait on the Senate to act.
Thank you Mr. Chairman.
Senator Smith. Thank you Senator Nelson, and I do look
forward to working with you on this. I think we both share the
belief that this is a security issue that is beyond just our
individual victimization of spies and those who would invade
our homes, but it also has national security implications. We
simply have to work on how broad it is, so that we don't stifle
the future, but that we protect people presently in our country
as well.
Senator Burns.
STATEMENT OF HON. CONRAD BURNS,
U.S. SENATOR FROM MONTANA
Senator Burns. Thank you very much. And thank you Mr.
Chairman, for taking the leadership on this hearing today. We
had a hearing before, and with most of that hearing was with
the folks in the industry and consumer groups. Today I think
we'll get a chance to hear from the Federal Trade Commission,
which is--and will continue to have, an important role in anti-
spyware enforcement actions. So the two hearings are
complementary in that respect, and will help us learn more
about the problem of spyware.
Also just a note, our technologies continue to grow, and
the use of those technologies goes into many fields, especially
in the area of electronic information and communications, with
Voice over IP prominent now in the marketplace, national
emergency numbers of 911 and how we apply those and protect
those and the safety of 911 in emergency conditions are
challenges that continue to grow for safety and security. And
we must never lose sight of that. So we will continue to have
problems in those areas.
Spyware, as you know, is an increasingly dangerous threat
to our everyday activities in cyberspace. As was the case with
spam several years ago, I believe the solution lies in the
right mix of technical solutions and tougher legislation. Both
will be necessary to make a meaningful dent in the quantity and
the types of malicious code that gets downloaded into the
private computers of businesses and citizens without their
consent.
We also have to be careful not to throw out the baby with
the bathwater, by making many ordinary and positive types of
online business practices illegal. The area of adware in
particular is an important gray area to keep an eye on: how
exactly online advertisements are served up to users, and what
kind of consent is most appropriate. Most adware models are
good for cyberspace, because it is important to have a robust
and responsive advertising component for online businesses, but
when it comes to installing software on private computers, we
have to make sure we don't allow some of the more unscrupulous
players out there to spoil the field for all the good actors
that are just trying to make cyberspace more efficient.
So I thank the Chairman of the FTC for coming up today, and
I look forward to how she responds to questions, and the
information she can share with us, and again to Senator Smith
for setting up today's hearing, because I think it's very
appropriate, and it is something that we have to get these
bills moving and we need something passed and on the
President's desk before Christmastime.
Senator Smith. Thank you Senator Burns.
Senator Allen.
STATEMENT OF HON. GEORGE ALLEN,
U.S. SENATOR FROM VIRGINIA
Senator Allen. Thank you Mr. Chairman, I especially want to
thank you for calling today's hearing, and I thank Chairman
Majoras for being with us today.
And I enjoyed listening to my colleagues, and maybe there
will be a way that we can work together on this issue. Because
the spyware issue is one of great importance. Just to set the
parameters here of what kind of a problem we have--according to
the Pew Internet and American Life Project study in July of
this year, in 2005 approximately 59 million American adults,
nearly half of the Internet users, 43 percent say they have had
spyware on their home computer.
It's irritating. It is a dangerous approach which is
negatively impacting consumers confidence and harming the
Internet as a viable mode, or medium for communications and
also electronic commerce. And none of us here want to allow
this to continue.
All of us can agree that under no circumstance is it
acceptable to deceptively monitor a consumer's activities
online. Unfortunately we do not all agree on how best to deal
with this problem legislatively. Now in examining this
offensive spyware issue, which causes so much aggravation and
degrades computer performance, we need to encourage to the
greatest extent possible, market driven technologies solutions,
as well as strengthen the enforcement of existing laws. In my
view, every legitimate business associated with the Internet
has a very important interest in eliminating spyware.
A recent Federal Trade Commission report suggested that the
rapid technology advancements, and this is consistent with your
comments, Mr. Chairman, that there are a lot of advances in
technologies to combat spyware such as firewalls, filters,
anti-spyware tools and improved Internet browsers and operating
systems are all the time providing easy and more affordable
protections to consumers, whether at their homes or at their
place of business.
I think that the Internet's viability is being challenged
by this deceptive spyware though, and because of these
fraudulent and deceptive installations of spyware programs
being a concern, it is not a concern though whether this is
legal or not; this already is illegal under Federal law, it's a
violation of Federal law. Such as the Federal Trade Commission
Act, and the Computer Fraud and Abuse Act.
So I think Congress needs to focus its efforts on adequate
resources and penalties to combat this criminal activity. I've
determined that Federal officials, and we'll hear from the
Chairman, believe that they already have adequate authority
under existing statutes to prosecute spyware purveyors. Law
enforcement is not stymied by the lack of Federal jurisdiction
but rather a lack of overall resources. That's why my
legislation, S. 1004 with the support of you Mr. Chairman,
Senators Smith, Sununu, Ensign, and Enzi, provides Federal law
enforcement officials with the resources and the tool necessary
to increase the breadth and the strength of anti-spyware
enforcement efforts.
Our legislation strikes a careful balance that you talked
about Mr. Chairman, between pursuing illegal wrongful behavior
while not stifling or limiting technology, innovation or
legitimate online transactions.
Specifically, since spyware violators are not limited to
state or national borders to perpetrate their illegal activity,
our legislation sets a national standard. It doesn't matter
what state you're in, or territory of the United States. There
ought to be that national standard for the unfair and deceptive
practices associated with spyware. Additionally, our
legislation provides the FTC with the authority to share and
coordinate information with foreign law enforcement officials
to improve their ability to bring cases and prosecute
international spyware purveyors, your separate bill, Mr.
Chairman, this is just a component of our bill, but yours
covers it as well.
But lastly, our legislation addresses the most egregious
activities and wrongful behavior conducted via spyware, by
significantly increasing civil and criminal penalties including
disgorgement. We need to ensure that law enforcement officials
can get after the illegal gains of these criminals. You can
fine them, but if they have any assets that are traceable to
this illegal activity it is an enterprise on their part, and
they're selling this information. And we ought to get after
those ill gotten gains. I don't care what it is, bank accounts,
yachts, art objects, whatever they've bought, we need to get
after these enterprises as well as the criminal and civil
fines.
I believe again, that we need to find some market driven
solutions, technology solutions that will ultimately solve this
problem. I want to help the FTC have the resources they need to
get after this criminal and illegal behavior, and I look
forward Mr. Chairman to hearing from the Chairman of the FTC,
but most importantly if there is a way, and I'm not sure there
is, there are some just fundamental differences, but we need to
act.
The Senate a lot of the times is the last to act, but I
think there's enough will here that I hope working with my good
friend Senator Burns that we can hopefully find a common ground
to have the Federal Government help the FTC do its job, set a
national standard and get you the resources to get after this
illegal behavior.
And I thank you again Mr. Chairman.
Senator Smith. Thank you very much Senator Allen. Madam
Chairman, the mike is yours, we look forward to your testimony.
STATEMENT OF HON. DEBORAH P. MAJORAS, CHAIRMAN, FEDERAL TRADE
COMMISSION
Ms. Majoras. Thank you very much Mr. Chairman, and Members
of the Subcommittee, and good afternoon.
The Federal Trade Commission appreciates this opportunity
to provide the Commission's views on the serious problems that
spyware is causing to consumers and the steps that the FTC has
taken to address the problem.
Although the views expressed in the written testimony
present the views expressed of the Commission, my oral
presentation and responses to questions are my own, and may not
necessarily represent the views of the Commission.
As the Subcommittee is aware, the Commission has a broad
mandate to prohibit unfair competition, and unfair or deceptive
practices in the marketplace. We have actively used this
authority to address consumer problems on the Internet,
including Internet fraud, privacy, spam and spyware.
The term spyware can be difficult to define. It is
ordinarily thought of as including programs such as keyloggers,
that can copy information from consumers' computers, as well as
some types of adware, software that monitors computers' surfing
habits and then serves up pop-up advertisements.
At the FTC, our focus is on spyware and other malware that
is downloaded without authorization, and causes consumers harm.
The consumer harm from spyware can range from the capture of
sensitive personal information to degradation of computer
performance, to the nuisance and distraction of popup ads.
To address spyware, we implemented an active program,
combining law enforcement and consumer education supplemented
by our research. Much of the harmful conduct associated with
spyware is already illegal. Indeed the FTC has brought several
cases, and today is announcing it has filed another action, FTC
versus Odysseus Marketing. In this case, we filed a complaint
in Federal District Court in New Hampshire against Odysseus
Marketing and its principal, Walter Rines, charging them with
secretly installing spyware on consumers' computers.
Our complaint alleges that the defendants deceptively
market and distribute a bogus program called Kazanon, which
defendants claim will make users anonymous when using peer-to-
peer file-sharing programs.
Not only does Kazanon not work as promised, which itself a
violation of the FTC Act, but it also automatically installs a
spyware program called Clientman on the users' computer.
Clientman in turn automatically installs numerous adware and
other programs on behalf of others. And this spyware, among
other things, replaces or reformats Internet search engine
results, generates pop-up ads, and captures and transmits
information which may include personal information.
Our complaint alleges that defendants have failed to
disclose adequately that downloading Kazanon will install this
spyware. In fact, the only place that Clientman's virtual
takeover of the host computer is disclosed is in the end user
license agreement, or as we call it the EULA.
Consumers, however, do not need to view the EULA in order
to download Kazanon, and even if they did they would have to
wade through five paragraphs of dense text before they reached
information even approaching the disclosure.
We further allege that once Clientman is installed,
consumers cannot remove Kazanon and Clientman from their
computers through reasonable means. Programs do not appear on
the desktop or in the start menu, and because they avoid being
detected by the Microsoft Windows operating system, consumers
cannot use Microsoft's default uninstall utilities to remove
them.
And defendants claim to provide an uninstall tool, but it
doesn't work. In fact, we allege in the complaint that if you
activate defendants' uninstall tool, typically that will result
in having additional files being added to your computer.
Now as we bring each spyware case, we learn more about the
technology and tricks in the industry and we increase our
ability to bring future cases. We've made spyware
investigations and prosecutions an enforcement priority and we
will file more law enforcement actions. There's no question
however that attacking spyware is challenging.
Given its surreptitious nature, it is often difficult to
ascertain from whom, from where, and how spyware is
disseminated. Many who distribute spyware are adept at hiding,
covering their tracks, and evading responsibility.
Further, consumer complaints about spyware are less likely
to lead us directly to law enforcement targets than some other
complaints. Consumers often do not know from where the spyware
has come, or even that it was spyware that caused the problems
to their computers in the first place.
There are five additional points that the Commission
believes are important to our continuing efforts to combat the
dissemination of spyware.
First, many spyware distributors and other Internet scam
artists are located abroad, or mask their location by using
foreign intermediaries to peddle their scams. A majority of
spyware programs distributed to the United States consumers
come from foreign distributors. In the FTC's investigations,
staff finds that regardless of where the spyware distributors
are physically located they are often using foreign Internet
service providers, or web hosting companies, or domain
registrars, which makes it difficult to crack down on who's
ultimately responsible.
Our ability to pursue distributors of spyware, and spam and
other Internet threats would be significantly improved if
Congress were pass the U.S. SAFE WEB Act. And Chairman Smith,
we thank you for introducing S. 1608 which would give us that
needed authority.
Second, coordinated effort at the Federal and State level
is essential. The Commission is continuing to cooperate with
Federal and state partners, which now are bringing law
enforcement actions against spyware distributors. At the
Federal level, the Department of Justice is able to prosecute
criminally those who distribute spyware in certain
circumstances. And at the State level, state attorneys general
are bringing civil law enforcement actions and both are
critical complements to the FTC's actions.
Third, an educated consumer is perhaps the best defense
against online fraud and spyware. Over the last few months the
FTC has taken a broader look at its educational materials and
tactics related to cyber security, online privacy, and Internet
fraud, and we've updated our messages and outreach strategies
to better educate consumers about these important issues.
Just last week the Commission launched a new consumer ed
initiative, OnGuard Online. It has general information on
online safety, as well as sections with specific information on
a range of topics, including spyware, and with the Chairman's
indulgence in a few moments we'll give you a quick
demonstration of this new website.
Fourth, the Commission believes that legislation granting
the Commission authority to seek civil penalties against
spyware distributors would be useful in deterring the
dissemination of spyware. The Commission has the authority, as
Senator Allen referred, to file actions against those engaged
in conduct in Federal Court, and we have the authority to
obtain injunctive relief, including monetary relief in the form
of consumer redress, or disgorgement of ill gotten profits.
But in some instances it may be difficult for us to prove
the sort of financial harm that we would need to in order to
get that sort of redress. A civil penalty is often then the
most appropriate remedy in those cases, and we believe it could
serve as a strong deterrent as well.
And finally, as with any technology problem, the most
comprehensive response may have to come from new technology.
Technology is what got us here, and technology should be able
to bring us out eventually. As in other areas like spam and
data security, it is essential that industry continue to
develop technology to assist their own customers in combating
the threats of spyware and other malware.
We know that ISPs and other industry members are developing
responses to consumer concerns about spyware and we also are
appreciative that they have provided the Commission with
important assistance in our investigations.
In conclusion, Mr. Chairman, I assure you that the FTC will
continue to aggressively attack spyware with law enforcement
actions and with innovative consumer education. And we look
forward to working with the Committee on the problem of
spyware.
Now I look forward to answering any questions you have, but
before we begin, if it's still all right with you, Mr.
Chairman, I'd like to ask Nat Wood, who's our Assistant
Director for Consumer and Business Education, to just give you
a brief demonstration of our new OnGuardOnline.gov website,
particularly as it relates to spyware.
All right. What you're seeing before you is the result of
team work. The FTC, a number of other Federal agencies, and the
technology community have teamed up to create
OnGuardOnline.gov, which is a new site to help computer users
guard against Internet fraud, secure their computers and
protect their personal information. We're encouraging companies
and other organizations to help fight spyware, spam, identity
theft and the like, by sharing the tips on this website with
their employees, their customers, members and constituents.
Interestingly, this website is branded independently of the
FTC. We are not making it FTC materials, because we want any
organization with an interest, whether it's government,
business, consumer groups, whatever, to take this, make it
their own and distribute it widely across our country. Indeed,
we now have a lot of interest that's coming from other
organizations around the world who would like to be able to use
these materials.
So just quickly looking at the home page, probably the most
important part of this is the seven practices for safer
computing. These are practices that we want consumers to be
using regardless of what they're doing online. These are
general tips. The site also contains a link on which consumers
can click if they want to receive free e-mail alerts from the
Department of Homeland Security on various threats to the
online world.
Then we have the ``Learn About'' section, in which
consumers can click on various modules to learn about different
threats and the like, so there you see we clicked on identity
theft, there's one on phishing, we've done this in a flexible
way, so that as new threats develop we can add them to the
website. And then we have an ``About Us'' page, which if you
click on that gives you, gives the consumer, a description of
all of the various Federal agencies and other organizations
that they can turn to for help with respect to their online
problems. So going back to the modules, we'll just turn quickly
to the spyware section, and what you can see if you click on
this section, is first and foremost you get a quick tips
section, which tells consumers very quickly what they should
do, then below that we have a much longer article, so that if
consumers want to read further about spyware, its dangers and
what they can do about it, they have that there.
We have a place for links and resources so that they can
link to additional anti-spyware resources, including if they
want to learn about what anti-spyware tools are available. And
then we have a section that tells the consumer where to report
spyware problems and, not surprisingly, the FTC is listed
there. Then because we know and experts have told us, and we
did a lot of consumer testing, and the like, we know the folks
who spend a lot of time online like to be interactive online,
so if they think they're experts we have a quiz.
So you click on this to begin the quiz. You get a little
bit of information about spyware and then the quiz goes on to
ask various questions to educate the consumers. So this one
says a pop-up ad appears on your computer screen offering an
anti-spyware product, ``what's your best course of action? ''
And then gives various answers, I would click on ``C'' which
says ``close the window if you want spyware protection
software, get it from a provider you know and trust.'' And that
would be--I would then hear, ``Excellent choice. The scammers
will have to get up pretty early in the morning to pull one
over on you,'' and the quiz goes on. And obviously if you get
the answer wrong we explain why, in fact that would be wrong,
and give the better course.
So this is--we will have quizzes on all of the modules very
soon, and I'm also pleased to report that this is also
available in Spanish.
So thank you very much Mr. Chairman.
[The prepared statement of Ms. Majoras follows:]
Prepared Statement of Hon. Deborah P. Majoras, Chairman,
Federal Trade Commission
I. Introduction
Mr. Chairman and Members of the Committee, the Federal Trade
Commission (``Commission'' or ``FTC'') appreciates this opportunity to
provide the Commission's views on ``spyware.'' \1\ Spyware is a serious
and growing problem that is causing substantial harm to consumers and
to the Internet as a medium of communication and commerce. Preventing
spyware that causes such harms is a priority for the Commission. We
welcome this chance to describe what the FTC is doing to try to protect
consumers from these harms.
---------------------------------------------------------------------------
\1\ The written statement presents the views of the Federal Trade
Commission. Oral statements and responses to questions reflect the
views of the speaker and do not necessarily reflect the views of the
Commission or any other Commissioner.
---------------------------------------------------------------------------
The Commission has a broad mandate to prevent unfair competition
and unfair or deceptive acts or practices in the marketplace. Section 5
of the Federal Trade Commission Act gives the agency the authority to
challenge acts and practices in or affecting commerce that are unfair
or deceptive. \2\ The FTC's law enforcement activities against unfair
or deceptive acts and practices are generally designed to promote
informed consumer choice, because an informed consumer is an empowered
consumer.
---------------------------------------------------------------------------
\2\ 15 U.S.C. Sec. 45.
---------------------------------------------------------------------------
Spyware and other ``malware'' that is downloaded without
authorization can cause a range of problems for computer users, from
nuisance adware that delivers pop-up ads, to software that causes
sluggish computer performance, to keystroke loggers that capture
sensitive information. As described below, the Commission has an active
program to address concerns about spyware and other malware, including
research, law enforcement and consumer education. In the past year, the
Commission has initiated five law enforcement actions addressing
spyware and malware, and has ongoing investigations. Moreover, as in
other areas such as spam and data security, we believe that it is
essential that industry continue to develop technology to assist its
customers in combatting spyware.
II. Spyware Law Enforcement
One of the FTC's first steps in responding to the spyware problem
was to educate ourselves in order to develop, implement, and advocate
effective policies to respond to it. In 2004, the FTC sponsored a
public workshop entitled ``Monitoring Software on Your PC: Spyware,
Adware, and Other Software.'' The agency received almost 800 comments
in connection with the workshop, and 34 representatives from the
computer and software industries, trade associations, consumer advocacy
groups and various governmental entities participated as panelists. In
March 2005, the FTC released a staff report based on the information
received in connection with the workshop. \3\ Notwithstanding
significant challenges in defining ``spyware,'' \4\ the staff report
recommended that the government should: (1) increase, using existing
laws, criminal and civil prosecution of those who distribute spyware;
and (2) increase efforts to educate consumers about the risks of
spyware. The Commission is pleased to be able to describe today what we
are doing to implement these recommendations.
---------------------------------------------------------------------------
\3\ The workshop agenda, transcript, panelist presentations, and
public comments received by the Commission are available at http://
www.ftc.gov/bcp/workshops/spyware/index.htm. The FTC Staff Report,
Monitoring Software on Your PC: Spyware, Adware, and Other Software,
released Mar. 2005, is available at http://www.ftc.gov/os/2005/03/
050307spywarerpt.pdf.
\4\ At the FTC workshop, there was ``broad agreement that spyware
should be defined to include software installed without adequate
consent from the user,'' yet there remained ``substantial differences
of opinion as to what distributors must do to obtain such consent.''
See FTC Staff Report, supra note 3, at 4-5. In addition, there was
agreement that ``to avoid inadvertently including software that is
benign or beneficial, the term spyware should be limited to software
that causes some harm to consumers,'' although there were ``substantial
differences of opinion as to when software has caused the type and
magnitude of harm to warrant being treated as spyware.'' Id. The FTC
staff therefore concluded that ``these fundamental issues of consent
and harm need to be resolved before any common definition of spyware
can be developed.'' Id. at 5.
---------------------------------------------------------------------------
The Commission's spyware law enforcement strategy focuses on three
key questions. First, were consumers aware of the installation of the
software on their computers? Second, what harm did the installation of
the software cause? Third, how difficult was it for consumers to
uninstall the software after it had been installed?
A. Did Consumers Know?
A common problem with spyware is that it is installed on consumers'
computers without their knowledge. Some spyware distributors use so-
called ``drive-by'' downloads to install their software on computers
without even any pretense of obtaining consent. In FTC v. Seismic
Entertainment, \5\ for example, the Commission alleged that the
defendants exploited a known vulnerability in the Internet Explorer web
browser to download spyware to users' computers without their
knowledge. The FTC alleged that this was an unfair act or practice in
violation of Section 5 of the FTC Act, and a Federal district court
entered a preliminary injunction that prohibited the defendants from
using this method to distribute their software.
---------------------------------------------------------------------------
\5\ FTC v. Seismic Entertainment, Inc., No. 04-377-JD, 2004 U.S.
Dist. LEXIS 22788 (D.N.H. Oct. 21, 2004).
---------------------------------------------------------------------------
In other instances, software distributors may violate Section 5 of
the FTC Act by failing to disclose clearly and conspicuously to
consumers the software that is being installed. In FTC v. Odysseus
Marketing, Inc., \6\ the defendants offered consumers a free software
program that purported to make the consumers anonymous when using peer-
to-peer file sharing programs. The Commission alleged, however, the
distributors failed to disclose to consumers that this program, in
turn, would install other, harmful software on their computers. The
Commission recently filed a complaint in Federal court alleging that
this failure to disclose was deceptive in violation of Section 5 of the
FTC Act, and we are awaiting a ruling on our motion for a temporary
restraining order. Similarly, in the Advertising.com, Inc. case, \7\
the respondents allegedly offered free security software, but failed to
clearly and conspicuously disclose to consumers that bundled with it
was software that traced consumers' Internet browsing and force-fed
them pop-up advertising. The Commission recently issued a final consent
order to resolve administrative complaint allegations that this failure
to disclose was deceptive in violation of Section 5 of the FTC Act.
---------------------------------------------------------------------------
\6\ FTC v. Odysseus Marketing, Inc., No. 05-CV-330 (D.N.H. filed
Sept. 21, 2005).
\7\ In the Matter of Advertising.com, FTC File No. 042 3196 (filed
Sept. 12, 2005), available at http://www.ftc.gov/os/caselist/0423196/
0423196.htm.
---------------------------------------------------------------------------
The Commission's spyware law enforcement actions reaffirm the
principle that consumers have the right to decide whether to install
new software on their computers. Acts and practices that undermine
their ability to make this choice will be vigorously prosecuted.
B. Substantial Harm to Consumers
As the Agency learned at the workshop, and through our enforcement
actions and subsequent investigations, spyware can cause a broad range
of injury to consumers. The harm from spyware may vary significantly in
both type and severity.
The allegations in the Seismic case describe a prime example of
software causing several types of serious harm to consumers. The
software allegedly changed the consumer's browser home page and default
search engine, displayed an incessant stream of pop-up ads, and caused
the user's computer to malfunction, slow down, or crash. But perhaps
the most serious harm alleged was that the spyware secretly installed a
number of additional software programs, including programs that could
monitor Internet activity and capture personal information entered into
online forms.
Another example of serious harm to consumers allegedly caused by
spyware arose in the Odysseus case. According to the Commission's
complaint, the defendants surreptitiously install a spyware program
called ``Clientman `' on the computers of consumers. Clientman, in
turn, installs a number of adware and other programs. It also replaces
or reformats Internet search engine results, generates pop-up ads, and
captures and transmits information, which may include personal
information.
In the Advertising.com case, the Commission alleged that software
bundled with free security software collected information about
consumers, including the websites they visited, and then was used to
send a substantial number of pop-up ads. Although the harm to an
individual consumer from receiving such pop-ups ads may be less
egregious than the harm in other FTC spyware cases to date, the harm to
consumers in the aggregate from these pop-up ads was sufficient to
warrant law enforcement action. The Commission alleged a violation of
Section 5 of the FTC Act because the presence of bundled adware that
collected information about consumers' computer use and led to numerous
pop-up ads clearly would have been material to consumers in determining
whether to install the free security software.
As stated in the FTC staff spyware report, it is the combination of
lack of knowledge and consumer harm that makes certain installation of
software illegal under the FTC Act. \8\
---------------------------------------------------------------------------
\8\ See generally, FTC Staff Report, supra note 3, at 20-21.
---------------------------------------------------------------------------
C. Uninstalling and Deleting Spyware Problems
As described above, spyware often is installed without consumers'
knowledge and causes consumers substantial harm. This type of
installation should not occur, but once it has, consumers should be
able to uninstall or disable such software. Unfortunately, the FTC's
law enforcement experience and research shows that some software
distributors take improper advantage of consumers' concerns about
spyware and market bogus anti-spyware tools. In addition, in the FTC's
experience, some spyware programs are difficult to identify and
uninstall or disable.
Many consumers who want to determine whether there is spyware on
their personal computers acquire and run an anti-spyware program. An
anti-spyware program usually identifies each software program that it
concludes is spyware and then gives the consumer the option of deleting
it. Some software distributors, however, take advantage of consumers
looking for anti-spyware products by falsely representing to consumers
that spyware resides on their computers and making false claims about
the ability of their products to remove spyware. In two recent cases,
FTC v. MaxTheater and FTC v. Trustsoft, \9\ the FTC alleged that the
defendants made false claims to consumers about the existence of
spyware on their machines. According to the FTC's complaint, the
defendants then used these false claims to convince consumers to
conduct free ``scans'' of their computers. These scans identified
innocuous software as spyware, helping to persuade consumers to
purchase defendants' spyware removal products at a cost of between $30
and $40. Moreover, the FTC alleged, the defendants claimed their
spyware removal products could effectively uninstall many different
types of known spyware programs, but the defendants' products did not
perform as promised. The Commission filed actions alleging that the
perpetrators of these scams violated Section 5 of the FTC Act, and the
courts have entered preliminary injunctions in both cases that prohibit
the claims.
---------------------------------------------------------------------------
\9\ FTC v. MaxTheater, Inc., No. 05-CV-0069 (E.D. Wa. filed Mar.
7, 2005), available at http://www.ftc.gov/opa/2005/03/maxtheater.htm;
FTC v. Trustsoft, Inc., No. H-05-1905 (S.D.Tex. filed May 31, 2005),
available at http://www.ftc.gov/opa/2005/06/trustsoft.htm.
---------------------------------------------------------------------------
Software falsely billed as an anti-spyware product certainly can
make it difficult for consumers to identify and uninstall or disable
spyware programs. Furthermore, even if consumers can identify spyware
programs, some of them are particularly difficult to remove or disable.
In the Odysseus case, the complaint alleged that consumers could not
uninstall the software through any reasonable means, such as by using
the standard ``Add/Remove'' program on the Microsoft Windows operating
system. According to the Commission's complaint, although the
defendants purport to provide instructions for uninstalling the
program, those instructions are not only extremely difficult for
consumers to find, they simply do not work. The complaint alleged that
the defendants' failure to provide users with a reasonable means to
locate and remove the program is an unfair act or practice in violation
of Section 5 of the FTC Act.
The FTC's law enforcement actions under Section 5 of the FTC Act
have focused on preserving consumers' ability to decide what software
programs to install and retain on their computers, and preventing
substantial harm from software programs installed or remaining against
the consumers' wishes.
III. Additional Steps to Address Spyware
Given the prevalence of spyware and the consumer harm it inflicts,
the FTC has made spyware investigations and prosecutions an enforcement
priority, and we will continue to file law enforcement actions against
those who distribute spyware in violation of the FTC Act. The
Commission would like to emphasize four additional measures that it
believes would enhance its efforts to combat the dissemination of
spyware.
First, the FTC supports legislation that would enhance its ability
to investigate and prosecute spyware distributors that are located
abroad or who try to mask their location by using foreign
intermediaries to peddle their scams. Webroot, a well-known anti-
spyware product distributor, recently reported that a majority of
spyware programs distributed to United States consumers come from
foreign distributors. \10\ In the FTC's investigations, staff finds
that, regardless of where spyware distributors are physically located,
they often use foreign Internet service providers, web hosting
companies, and domain registrars to create their websites, so that it
is difficult for the agency to track down who is ultimately
responsible.
---------------------------------------------------------------------------
\10\ Webroot Software, Inc., State of Spyware Q2 2005, released
Aug. 2005, at 26, available at http://www.webroot.com/land/
sosreport.php.
---------------------------------------------------------------------------
The FTC's ability to pursue distributors of spyware, spam, and
other Internet threats to consumers would be significantly improved if
the Congress were to pass the U.S. SAFE WEB Act, introduced by Chairman
Smith in the Senate as S. 1608. The Act makes it easier for the FTC to
share information and otherwise cooperate with foreign law enforcement
officials. The Internet knows no boundaries, and it is critical to
improve the FTC's ability to work with the officials of other countries
to prevent online conduct that undermines consumer confidence in the
Internet as a medium of communication and commerce.
Second, the Commission will continue to coordinate with its Federal
and state partners who are starting to bring their own law enforcement
actions against spyware distributors to make law enforcement as
effective as possible. At the Federal level, the Department of Justice
is able to prosecute criminally those who distribute spyware in certain
circumstances. In August 2005, for instance, the Department announced
the indictments of the creator and marketer of a spyware program called
``Loverspy `' and four others who used the program to break into
computers and illegally intercept the electronic communications of
others. \11\ At the state level, state attorneys general are bringing
civil law enforcement actions. Federal criminal and state law
enforcement actions are a critical complement to the FTC's law
enforcement actions.
---------------------------------------------------------------------------
\11\ Press Release, Department of Justice, Office of the United
States Attorney, Southern District of California Carol C. Lam, News
Release Summary (Aug. 26, 2005), available at
http://www.usdoj.gov/usao/cas/pr/cas50826.1.pdf.
---------------------------------------------------------------------------
Third, the FTC and others need to continue to play an active role
in educating consumers about the risks of spyware and anti-spyware
tools. The FTC has issued a Consumer Alert specifically on spyware, as
well as four other Alerts addressing other online security issues such
as viruses and peer-to-peer file sharing. The Spyware Alert lists clues
that indicate spyware may have been installed and also discusses
measures consumers can take to get rid of spyware or to reduce their
chances of getting spyware in the first place. The Spyware Alert has
been accessed over 100,000 times since it was released in October 2004,
and the tips it includes have been repeated in dozens of print and
broadcast media stories.
And, just last week, the Commission launched a new consumer
education initiative, OnGuard Online. Over the past few months, the FTC
staff has taken a broader look at its education materials and tactics
related to cybersecurity, online privacy, and Internet fraud, and
updated its messages and outreach strategies to better educate computer
users about these important issues. The FTC's new website--
OnGuardOnline.gov--has general information on online safety, as well as
sections with specific information on a range of topics, including
spyware. This structure allows us to add to the site as new topics
arise. The spyware module includes up-to-date information, as well as
interactive features like quizzes and videos. The FTC has also printed
a million copies of a brochure, ``Stop Think Click: 7 Practices for
Safer Computing,'' with information on spyware and other computer
safety topics. The site and the brochure have information on various
technologies, but the agency is also emphasizing behavioral changes
that computer users can make to stay safe online--for example ``protect
your personal information,'' and ``know who you're dealing with.'' By
taking this approach, the FTC can ensure that the tips remain relevant
even as technology evolves.
Our partners in the OnGuard Online initiative include: the
Department of Homeland Security, the U.S. Postal Inspection Service,
the Department of Commerce, Technology Administration, the Internet
Education Foundation, the National Cyber Security Alliance, the Anti-
Phishing Working Group, TRUSTe, iSafe, AARP, the National Consumers
League, and the Better Business Bureaus. In an effort to ensure maximum
distribution of these materials, we have not branded them as our own.
Instead, we are encouraging any organization interested in computer
security to link to OnGuardOnline.gov, distribute our free brochure, or
reprint the OnGuard Online materials.
Fourth and finally, the Commission believes that legislation
granting the Commission authority to seek civil penalties against
spyware distributors may be useful in deterring the dissemination of
spyware. As described above, the Commission has challenged conduct
related to spyware dissemination as unfair or deceptive acts or
practices in violation of Section 5 of the FTC Act. Under Section 13(b)
of the FTC Act, the Commission has the authority to file actions
against those engaged in this conduct in Federal district court and
obtain injunctive relief, including monetary relief in the form of
consumer redress or disgorgement of ill-gotten profits. However, it may
be difficult in some instances for the FTC to prove the sort of
financial harm to consumers needed to order consumer redress, or the
ill-gotten gains necessary to order disgorgement. A civil penalty is
often the most appropriate remedy in such cases, and serves as a strong
deterrent.
IV. Technological Solutions
Reducing the problems associated with spyware and other malware
will require the efforts of government, consumers, and industry acting
both individually and in concert. As in other high-technology areas,
the best and most comprehensive responses to misuse of technology will
often be improved technology. At this time there are certain
technologies consumers can use to help protect themselves, but none is
completely effective and further developments are needed to enhance
security.
The primary technological tools that consumers can use right now to
protect themselves from spyware are detection programs. These programs
can scan consumers' computers, inform them whether there is spyware,
and offer them the option of disabling it, deleting it, or leaving it
alone. To be effective, however, these programs must be updated on a
regular basis. In addition, they are inherently variable depending on
what they classify as ``spyware.'' Furthermore, they only detect
spyware once it has been installed; they do not prevent its
installation. Some Internet service providers have made spyware
scanners and removers available to their subscribers. Firewalls also
provide some protection from spyware, but, like scanners, they do not
prevent spyware from being installed. Rather, they alert consumers if
installed spyware attempts to send out information it has collected.
Other technological solutions at the browser and operating system
level are being developed. The Commission's experience in other
technological areas suggests that market forces will provide the high-
tech industry with incentives to develop technological solutions,
although it is not clear exactly what that technology will be or when
it will be available.
V. Conclusion
The FTC will continue to execute aggressive law enforcement and
innovative consumer education programs in the spyware arena. The FTC
thanks this Committee for focusing attention on this important issue,
and for giving me an opportunity to discuss the Commission's
enforcement program. The Commission looks forward to working with the
Committee on the problem of spyware.
Senator Smith. Thank you Ms. Majoras. I assume from your
testimony that the FTC could use some more authority, because
it supports the Allen bill that I've introduced with him. Is
that accurate, you could use some more authority to do more
rulemaking on this issue?
Ms. Majoras. Well, we could, as you and Senator Allen have
pointed out, we do believe that we have legal authority to
attack spyware and we've already done it in five different
cases, but we would like additional authority to work with our
counterparts overseas, we think that's absolutely critical and
we think we really could use civil penalty authority to assist
us in bringing actions and remedying them.
Senator Smith. And how about more resources? If you had
your druthers would you be getting more authority or more
resources to prosecute cases?
Ms. Majoras. That's always a tough question whether we need
more resources. We work very hard on the budget process with
Congress to get whatever resources we think we're going to need
for the year. It's tough for me to turn down more resources if
they're being offered. But I don't think--resources have been
less a problem than I think, folks are concerned about the
bigger problem, which has been finding the folks who are
distributing the spyware and then being able to serve them.
They obviously can hide behind the Internet, they can skip
town, they can skip the country, they go to other countries and
hide, and that has actually been the biggest problem. We are
using our resources as wisely as we can. We are squeezing every
bit we can out of every dollar, and our anti-spyware program is
part of the larger program that includes spam, and Internet
fraud, on which we're devoting substantial resources.
Senator Smith. What percentage would be coming into our
country from abroad, and what percentage starts here in the
United States?
Ms. Majoras. We don't have exact percentages, it's very
hard to tell. But certainly we think a great majority of
spyware is either coming in from outside the United States, or
is making use of a foreign intermediary in some way to attack
consumers in the United States.
Senator Smith. And in the global economy in which we live,
you need more authority to deal with the international
component, I think that has been very clearly demonstrated.
Senator Nelson.
Senator Bill Nelson. Good afternoon Madam Chairman. Tell me
if you agree with the following statement of principles, that
software should not be installed without a consumers knowledge
and consent.
Ms. Majoras. If it harms consumers, I do agree with that.
Senator Bill Nelson. Consumers should know who is
installing the software on their computer.
Ms. Majoras. Generally, yes.
Senator Bill Nelson. Consumers should have the ability to
completely remove software from their computers.
Ms. Majoras. Again, most of it, yes.
Senator Bill Nelson. If software is going to collect
information about a consumer, the software should inform the
consumer first.
Ms. Majoras. Generally yes.
Senator Bill Nelson. If software is going to cause ads to
appear it should make clear what is causing the ads.
Ms. Majoras. That one is a little bit trickier, we have
taken that on a case-by-case basis.
Senator Bill Nelson. In your testimony, we're going to--
you've addressed it and we've got to confront the question of
preemption. Do you think that it's important to preserve
general state consumer protection laws as potential state-level
tools against software?
Ms. Majoras. We do. In almost any context, we support
allowing the state attorneys general to continue to enforce
their consumer protection statutes. Having said that, there are
certainly instances in which businesses really need
consistent--if businesses are going to get guidance, we all
benefit if it's consistent across the Nation.
Senator Bill Nelson. Do you think it would be helpful to
have some baseline standards for what kind of behavior is
acceptable, what disclosures should be given to consumers, and
a statement of the right to uninstall software?
Ms. Majoras. Well, with respect to disclosures, the FTC has
provided general guidance to companies for a number of years in
the form of something we call Dot Com Disclosures, so we've
already provided some general guidance. Our only concern about
making the guidance too specific Senator Nelson, is that the
landscape keeps changing and those who insist on perpetrating
fraud and harming consumers find new ways to do it. And so the
concern with being too specific about what is permitted and
what isn't, not only is you have to get the words exactly
right, so that you don't prevent what should be legal conduct,
but also we have to worry about the future, and we don't want
to bring a case, and only to be told, well, because that
particular practice wasn't specifically listed in the piece of
legislation, therefore the FTC cannot attack it.
Senator Bill Nelson. I understand. I'm talking about more
baseline standards, on behaviors, on disclosures, and on the
right to uninstall.
Ms. Majoras. We think the FTC has put a lot of that out
there, but yes, there's no question that business can always
use guidance, and those businesses who actually have an
interest in complying with the law.
Senator Bill Nelson. And give us your opinion about the
basic right of a consumer to have the ability to remove
software from his or her computer?
Ms. Majoras. Well, we've actually brought cases in which we
have alleged violations of the FTC Act because consumers do not
have that right, including the case that I mentioned earlier
today, Odysseus Marketing. So we do think it is a violation if
software is downloaded to a consumer's computer that is causing
some harm, and the consumer cannot find a reasonable means to
remove it.
Senator Bill Nelson. Thank you.
Senator Smith. Senator Burns.
Senator Burns. Madam Chairman, thank you again for coming
today. You're probably aware that there are several industry
groups working on definitions of spyware. It always seems like
when we get into these kind of situations we all define the
same thing in different ways and usually definitions are what
lawyers make a living at, and enforcement becomes more
difficult. To what degree, do you think the FTC can work with
these industry groups, and to get efforts underway and do you
think it is important that we have a public rulemaking process?
We all say awareness is everything, and a public process in
which we make the rules and then we define the terms. What's
your attitude toward a situation like that?
Ms. Majoras. Well, I certainly think that working together
with industry is critical in attacking spyware and obviously if
legislation is being considered it's critical because these
folks are the experts. And they can tell us, not only explain
to us not only what's out there today, but they're also
thinking several steps ahead. And that can be very important if
we're trying to put in place rules that are going to work on a
going forward basis. So I think that can be very important. One
thing I would caution against though is I know that many in
industry have been anxious to really come up with the
definition of spyware. And I think part of the reason why it's
been difficult to come up with a definition that everyone can
agree on is again, because we have a bit of a moving target.
And so what we've tried to do at the FTC is we're really
looking at two things: whether the software has been downloaded
without the consumer's permission, and causes some substantial
harm to the consumer; that is really what we've been operating
under. Call it spyware, call it adware, call it malware, that
is what we have been looking at when we bring a case.
Senator Burns. And also on the awareness, that same thing,
now you've got some proceedings going on for consumers. Can you
tell us how those proceedings are going, were there fines
levied where if individual consumers, their computers were
hurt, or crashed, did they get compensated, their computers
back up and running again, or new hard drive, or whatever. Did
they get their money back on their software of whatever, can
you give us some kind of an idea of the results you've had in
these proceedings?
Ms. Majoras. Yes Senator, we've brought five cases since
last October, both the first case, and the last case we brought
are still in litigation. In the first case we brought we were
able to get a preliminary injunction against the conduct and
that was a case in which we alleged in the complaint that in
fact, yes, the purveyor of the spyware hijacked the consumers'
computers and changed their settings and the like, changed
their home pages, and downloaded personal information. That
case is still in litigation, similarly obviously we've just
announced the case we filed last week, in which spyware was
downloaded without consumers' permission and again, essentially
in this case what we allege in the complaint is that it has
taken over the consumer's computer. That's still in litigation.
We've brought a couple of cases against those who claim that
they're selling an anti-spyware solution, when in fact it's a
solution that doesn't work, and so in those two instances both
of those respondents did settle those cases with us, and we
were able to get some consumer redress, if I recall correctly.
And we brought one additional case in which the respondent
advertised a free download of security software. But then
didn't tell consumers that if they downloaded this free
security software they would also get adware attached to their
computer, so then they would be barraged with pop-up ads and
the like and that case also settled.
Senator Burns. In other words they used the spy block
technology to implant their own adware stuff without telling
the customers, is that correct?
Ms. Majoras. I'm not sure which technology they used, but
without sufficient disclosure to the consumer they did download
adware to the computer.
Senator Burns. Now since these proceedings have been filed
and you've been in them, are there any surprises about--do you
have resources to take the case to final?
Ms. Majoras. We do have resources I think to take these
cases to final. The biggest surprises probably have been--
really probably came in the beginning. We started trying to
figure out a way how we were going to investigate these cases
and we infected two of our own computers so badly with spyware
that they couldn't be used anymore and so we learned a lot. And
so one of the things we've done during this time period as
we've been bringing these cases is, we've bought some new
computers, some new software, and some new hardware to assist
us in going forward. As I said, we're learning as we go through
this.
Senator Burns. Well, I thank you for your work. And I don't
think there's a person up here today that doesn't want to get
you some legislation and empower with you a little more power
than you have now, because I think you're on the right track.
And also the differences that we have, we'll get those worked
out and I would hope that we could have something on the
President's desk and for you to look at pretty quickly. So
thank you for your testimony. I read your testimony, and I
concur in a lot of the subjects that you brought up there, so
thank you for coming today.
Mr. Chairman, thank you.
Senator Smith. Thank you Senator Burns.
Senator Allen.
Senator Allen. Thank you Mr. Chairman, four different
things, trying to get some clarification here. One is
authority, second is resources, third is penalties, and fourth
is what jurisdiction or standards we should be applying.
Insofar as authority, and I'll ask you some questions, it seems
like you have all the authority you need. Resources, you say
you don't need more, but you--then on authority, the area that
you need it more in, is not necessarily domestic but
international. Resources you say you have enough, penalties,
you need stronger penalties, particularly civil penalty
standards. The question is whether you have 50 or 40 different
standards, or a standard for all the United States and its
territories. Now has there ever been a situation where the FTC
could not bring a case because you don't have sufficient
authority under existing laws, other than, aside from the U.S.
SAFE WEB Act, which is incorporated in part, and this is
Senator Smith's measure. Is there any new authority that the
FTC needs if you find in other words that somebody regardless
of what their doing, if it's fraudulent and deceptive you can
prosecute them, if it is misleading, if it is false and so
forth. Has there ever been a situation where you didn't have
the legal authority to prosecute within the United States?
Ms. Majoras. With respect to spyware, I'm not aware of any,
no.
Senator Allen. So you feel that other than internationally,
but within these orders of the United States, and our
territories, you feel the FTC has the authority regardless of
what the technology or method of deception is utilized?
Ms. Majoras. Well, we've successfully brought cases, we've
got more in the pipeline. So that's correct. Other than what
I've said about civil penalty authority, yes.
Senator Allen. What you do want is you want more civil
authority. Civil penalties, I guess you could call that
authority as well.
Ms. Majoras. We think that could be very helpful.
Senator Allen. And that's included in the measure the
Chairman and I have introduced. Now if the Congress codified
prescriptive definitions of illegal behavior that are specific
to current technology, could we run the risk that this law
could be obsolete as new technology continues to develop.
In other words by defining a specific illegal behavior, are
we creating loopholes for spyware purveyors who figure out ways
to get around the law?
Ms. Majoras. Well, that is possible. I mean, obviously
Section 5 of the FTC Act would still be in effect, so we would
hope that there was something that [inaudible] cracks, but we'd
be able to use our broad authority to go after them. But what
we wouldn't want is for a court to say, well it's not on the
list, so therefore, sorry FTC, you can't go after them. That's
really our only reservation.
Senator Allen. Because in effect, you could end up with a
safe harbor for those using these fraudulent deceptive
practices if they're not on that list, the court could say,
well they're not on the list, so therefore you cannot
prosecute.
Ms. Majoras. It's possible, we can't say for sure that's
how a court would interpret it.
Senator Allen. Now so far, on the issue of jurisdiction, in
the standard, so far 18 states have enacted legislation
regarding spyware and many new laws are pending in several
states. Since spyware, clearly by its nature is national, in
fact it's international in its scope. Do you agree that a
national framework is necessary to ensure a patchwork of state
laws do not unnecessarily confuse and burden consumers and
legitimate software providers?
Ms. Majoras. I think it's possible, depending on the
differences among the various state laws that--probably
consumers, less so--but that those who are actually trying to
comply with the law. I mean they simply can't in the Internet
context comply with multiple standards. I mean basically they
would have to figure out what the highest standard is, I
believe, and then comply with that one. And so--and if that
weren't the Federal, if there are Federal standards, and that
ends up not being the highest one, then I suppose whichever
state had the highest standard would become the de facto
standard for the Nation.
Senator Allen. Well, for your enforcement would it not be
best to have a--the best standard, the strongest standard, the
most effective standard that's set for the Nation by the
Federal Government and Congress?
Ms. Majoras. Well, I think a consistent standard would help
all of us. And the fact of the matter is the state attorneys
general are critical partners to us in this fight, but if we're
all singing from the same hymn book sort of speak, I think we
can be very effective.
Senator Allen. Well, our measure does have the attorneys
general of the states involved, with a national standard, but
have them helping enforce it, because in some cases the Federal
Government can't do it all.
Ms. Majoras. That's exactly right. We would want the states
to absolutely have authority.
Senator Allen. All right. Now on the questions of notice,
and the notice and consent regime. According to this July 2005
Pew Internet and American Life Project, 73 percent they found
according to them, 73 percent of Internet users do not always
read user agreements, privacy statements, or other disclaimers,
before downloading, or installing programs. There are some of
us who will click through things real quickly because you want
to read something. In fact, one study of a user agreement
included a clause that promised $1,000 to the first person to
write in and request that $1,000. The agreement was downloaded
more than 3,000 times before somebody finally read the fine
print and claimed the reward. Now do you believe that
subjecting the entire software industry to a new notice and
consent regime will help combat spyware?
Ms. Majoras. Overall, no, I don't think that would be the
most effective tool. Our experience, while I don't have
statistics, comports very closely with the conclusion of that
survey. And that is, for better or for worse, consumers don't
read these disclosures, and the more they are bombarded with
similar disclosures, the less likely they are to read them. And
what our concern has been is that we could have a spyware
distributor who is distributing spyware that is very, very
harmful to consumers, but then can just say, well I disclosed
it to consumers that this is what I was going to do, so too bad
for them. And while that has, no question, sensational appeal,
because none of us want to be extraordinarily paternalistic to
American consumers. When we know that they don't read these
disclosures when they're downloading software, it makes it hard
to say that's what we think would truly, would truly protect
consumers.
What we're doing in our casework, is looking at disclosures
on a case-by-case basis to see if we think they're adequate.
Senator Allen. Thank you, Mr. Chairman.
Senator Smith. Thank you, Senator Allen.
Senator Allen. Thank you, Madam Chairman.
Senator Smith. To Senator Allen's point and your answer,
that you today announced the Odysseus case that you're
pursuing, and is this not a company that offers through peer-
to-peer enticements to children, free music and other things
that they readily go past the disclosures to get what's free,
but in the end it's maybe very promotional, and a very
degrading thing?
Ms. Majoras. It's similar, they were working in the peer-
to-peer realm. And the representation they made was that by
downloading their software, your peer-to-peer presence would be
anonymous and no one would be able to trace you. That, we
alleged, isn't true. And then, in addition, they've downloaded
a lot of other software, which in essence as we say in the
complaint, just to summarize it here, hijacks the consumer's
computer.
Senator Smith. Isn't that already illegal?
Ms. Majoras. Yes. We've filed a suit under Section 5 of the
FTC Act.
Senator Smith. Do you think you'll win, if it's already
illegal? Because I want to make sure it's illegal.
[Laughter.]
Ms. Majoras. Well, I certainly understand that Senator, and
I can't--I couldn't tell you that nobody would ever challenge
our authority or that a judge would never--you know could never
find that we didn't have such authority, but it's not been a
problem to date. And we feel that this isn't a close call under
Section 5 of the FTC Act and so we brought the case.
Senator Smith. So the people who are maybe here, or
interested in it. I understand that the software actually
changes your search results that consumers get from search
engines, like Google and Yahoo, and that this is done without
the consumers knowledge.
Ms. Majoras. That's exactly right. I mean we don't think
that they have a way necessarily of knowing. So as you know
it's important to some, to be the first in a Google search
results, or what have you, and this apparently can change the
results around, but again, no, the consumers wouldn't
necessarily know that was even happening to them.
Senator Smith. Well, if you find out it isn't illegal, let
us know.
Ms. Majoras. You would be the first call we would make.
Senator Smith. I mean our bill does address this very kind
of thing. And so you know, that's why we keep asking you if you
need any more resources, do you need more authorities? Because
this really gets to the heart of what we're trying to
accomplish for the protection of American consumers without
stifling innovation in future technologies. Do you see a way? I
mean you've heard all of us up here, all agreeing there's a
problem we want to fix, and the difference and the difficulty
is in the breadth of how we would go about it. I guess as you
evaluate the two different bills that are represented here, is
there a way to merge them in your mind?
Ms. Majoras. Well, I think there's probably, there probably
is a way to bring it together and one--I mean if we could
classify them, your bill restates the FTC's authority to attack
software, but in a more general way. The other bill tries to be
a bit more specific about it. And I would just caution that if
specifics are going to be added to any legislation that becomes
law that it is made absolutely clear that other types of
conduct may also be illegal, within this same family and that
the FTC's authority is not being narrowed by this.
Senator Smith. And if we leave it broad, to the degree you
need to make it narrower, do you have rulemaking authorities to
make it narrower?
Ms. Majoras. Well, we would have rulemaking authority if
you gave it to us, if it was needed. The one area where I think
it's difficult to reconcile is with respect to notice. Which
again I agree has very--has facial appeal, it does to me too,
but I just don't--our experience is it doesn't actually protect
consumers. And since that's our job, it's hard for me to
support that.
Senator Smith. And there's a lot of advertising that is
actually promoting very valuable things, and useful products
and we don't want to get in the way of that.
Ms. Majoras. No. No, we don't want to get in the way of it,
and in fact there may be First Amendment issues if we tried to
go too far.
Senator Smith. As I understand the U.S. SAFE WEB Act which
you have indicated your support for, its provisions are really
not all that new or unusual, there are other agencies in the
government that already have these powers, is that your
understanding?
Ms. Majoras. Absolutely. The SEC, the CFTC, and banking
agencies.
Senator Smith. You need them too?
Ms. Majoras. We do, I can't emphasize it enough Chairman
Smith.
Senator Smith. Well, Chairwoman Majoras, thank you very
much. Yes, please.
Senator Allen. My time has expired but may ask some
questions.
Senator Smith. Yes, please go ahead.
Senator Allen. I just want to follow up on your good
probative questions. Your caution trying to figure these things
out, several things that you asked for, you asked for the
international authority, the U.S. SAFE WEB Act, that's part of
our measure, it is not part of Senator Burns' measures. So that
was one thing where you wanted regular authority. That probably
can be merged together. We do have a fundamental difference on
the jurisdiction and how you define illegal behavior, which
right now is very broad. If it's fraudulent or deceptive, if
it's misleading, you know, it's illegal which is what you'd
want. You could limit yourself by prosecutorial discretion I
suppose, and in a court the trier of fact would say, well no
that isn't deceptive. As opposed to specifying a bunch of
different specific illegal methods, which could end up with a
safe harbor if it's not on that list. And maybe the solution to
that, is to say well these are illegal but they are not the
only ones that are illegal. Anything is, but then the other
side feels like all right, we've at least specified these. I
suppose that could be worked out. The notice issue is one that
I do think is irreconcilable. Because as I was--there was a
reason I asked that question, and why some 3,000 hits are
getting $3,000. Folks just simply don't read it, they don't
have time for it. Even looking on this--who's going to go
through--now I think it's helpful for those in the IT
departments of companies, somebody's going through all that,
and seeing which are good spyware blocker programs. But a
normal person in their home is just generally not going to go
through all that. So there does need to be a better business
bureau approach. And I see that's what that is. Now you get
into the issue of jurisdiction. That's a key one as to whether
you have a national standard, or 50 or 40 different states
standards. I think to make companies to have to comply with 40
different standards, and maybe different nuances and different
case law and all the rest makes it very difficult. To me that
is not irreconcilable difference. Now I think it's important to
respect the rights, and prerogatives of the states, and
prosecution and that's why in our measure we do have the
attorneys general brought in.
You wanted also the civil fines, which will be helpful. The
one thing I find interesting though was your answer on the
question of, you don't need any more resources. Here's my
perspective of that. Is that this is so pervasive and you have
nearly 50 percent of all computers being hit with this spyware,
and it's great that you've brought these big cases, and you've
knocked down organizations, spyware organizations and you say
how difficult it is to prosecute and find these people, well if
you're dealing with normal criminal behavior and you have a
certain amount of resources, if you actually had more
detectives so to speak, more investigators, more funds if there
were drug dealing for undercover agents, or making drug buys,
or--those resources do matter in combating illegal drug
activity.
So I find it interesting that you say that you don't need
any more resources when this is such a big pervasive problem of
this fraudulent and deceptive activity. If you have the civil
penalties and I don't know the answer to this, but where do the
fines, if fines are--does that go to the general fund, or does
that go--would that go to further law enforcement efforts?
Ms. Majoras. I believe it goes to the general fund, yes. It
goes into the Treasury. It goes into the Treasury.
Senator Allen. All right. In drug dealing, with asset
forfeiture, for those assets that are traceable to illegal drug
dealing, that actually goes Mr. Chairman to law enforcement so
that they use it for undercover drug buys, paying overtime,
surveillance costs, sometimes paying informants for example,
it's like catching the shark and cutting it up for bait. Use
the assets to catch more sharks. Why do you say that you don't
need more resources with--and maybe this is what the
Administration wants you to say and I understand that, having
been a Governor, I expected all my agency heads to tow the
line. But with something that is so pervasive, and obviously of
bipartisan concern, and not just us, but obviously to the
American people and to the technology community generally and
the Internet, why would it not be helpful for you to have more
personnel to actually get after this obviously growing,
disruptive, illegal behavior?
Ms. Majoras. Well, I appreciate the question and, no,
Senator, nobody's asked me to tow any line on this. You know
we've actually been very pleased. We think as other agencies
have been cut back in the last couple of years, as some belts
have been tightened, we think that Congress has been very
generous with us, which we appreciate and that they recognize
the importance of our work.
Look, if you give us more resources, we'll----
Senator Allen. What would you do with them?
Ms. Majoras.--certainly use them. Well, probably one of the
things I would do, is I would hire some more tech experts, who
can help us with some of the difficulties in actually hunting
down these folks, or in helping us find ways to push industry
in the right direction. Because I do think that ultimately
technology will--is what will help us prevail. So I think we
can. But the only issue I would say with respect to having a
very large amount of new funds, which are actually earmarked
for a particular purpose, is that what tends to happen is then
if priorities shift and change, because for example new spyware
tools come out and that tends to be less a problem, and the bad
guys, if you will, have moved on to something else, then we
have to come back to you and say, look we have this pot of
money, which you wanted us to use for this purpose, but quite
frankly priorities have changed, and they would have even
changed for you. And so that's part of something that we
obviously would have to work with you on, Senator.
But obviously our job is to enforce the laws that Congress
passes and to take our lead from consumers first, and obviously
you are the elected representatives who represent them. So if
you want us to have more resources to send the message to us
that I've got to put more investigators on this, then obviously
we will do that.
Senator Allen. Well, in the event you actually solve this
problem quickly, obviously appropriations are annual. Even if
appropriations actually get done in a timely manner, I suspect
that the fines and forfeitures that you will glean from these
added--not that the law enforcement is simply to gain money for
the government, but I suspect with greater enforcement not only
will you have the Internet being more useful and less
aggravating and less--fewer computers shut down because they're
clogged up with all of this spyware, is that you'll actually
end up getting more fines and forfeitures, and assets seized
than that $10 million over the period of this measure. And if
you didn't need the money, you can always say, we need it more
for something else. But I don't see this getting solved in the
next few years. I think it could be ameliorated, I think it
could be mitigated, but this is--it's too lucrative a business,
illegal enterprise right now, and to the extent you drive it
out of this country, you're still going to have it overseas,
and that's why the U.S. SAFE WEB Act is so important and have
the international community caring as much about this as we try
to get the international community to care about intellectual
property rights for example.
Ms. Majoras. That's right.
Senator Allen. To the extent you ever get it to that point,
fine, we'll save some money there. And you're doing a great
job, and you've had some good noteworthy cases, but you also
recognize that it's just the tip of the iceberg in this illegal
spyware enterprise.
Ms. Majoras. Indeed, not only do we recognize it, but we
would hate to raise expectations way too high, because we're
going to keep at this. I mean, you know, we talk all the time
about how the worst thing that could happen to us would be for
our consumers to just simply lose faith in this wonderful new
medium that we have that is the Internet. And we can't let that
happen, and we have to--we really have to guard and protect
consumer's confidence in it. So we're going to keep at it. But
I point out the difficulties in tracking these folks down and
so forth, only to remind us again that it won't be just law
enforcement that's going to tackle this problem, we need new
technology.
And the good news is, that if we do get these additional
international resources, we can leverage that. We spend a lot
of resources trying to chase down people in countries where
we're trying to hire lawyers who know what they're doing over
there when we don't, and so on and so forth, and we could use
our counterparts and vice versa, then we will be actually a lot
more efficient even in our use of resources.
So I appreciate your point Senator Allen.
Senator Allen. Well, thank you. And thank you, Mr.
Chairman, just understand Madam Chairman that the Chairman here
and this Senator want to work with you and do this effectively.
And we do feel that you need out of jurisdiction as you say, or
added authority. And I do feel that you do need more resources
to get the job done, and it shouldn't just be the government,
it does need to be the technology industry. They are the ones
who are the most creative in coming up with the firewalls, and
the filters, and the ways to block unwanted spyware, or illegal
spyware. There is some spyware which has--and you were very
clever answering those questions of Senator Nelson. But you
know in some cases it's not harmful, it's not deceptive and so
forth. I do think it's going to take a concerted team effort on
the part of the technology community and actually probably
can--I just have faith in their innovative, creative
capabilities to make sure the Internet stays a great invention
for the dissemination of information and ideas, and commerce,
and education, and tele-medicine, and in so many ways,
improving our lives in commerce. So I thank you again Mr.
Chairman for your leadership, look forward to working with you,
and Madam Chairman, thank you for articulate principled
leadership.
Ms. Majoras. Thank you very much, Senator Allen.
Senator Smith. And Madam Chairman, to Senator Allen's
point, I think if you hear anything today it is that this is an
enormous problem and it requires urgent effort, and so please
know we're counting on you, we appreciate you, and we hope you
convey to everyone at the FTC we appreciate their good work. We
recognize in our mailboxes that there is growing alarm and we
need to be ahead of it. So thank you, and with that we're
adjourned.
Ms. Majoras. Thank you very much, Senator.
[Whereupon, at 3:40 p.m., the Committee adjourned.]
A P P E N D I X
Response to Written Questions Submitted by Hon. Frank R. Lautenberg to
Hon. Deborah P. Majoras
Response to Questions One and Three
Your letter poses two questions about the nature and efficacy of
the FTC's consumer education efforts related to spyware. Your letter
commends the FTC and industry for launching a new website,
www.OnGuardOnline.gov., but expresses the concern that the website uses
technical terms (e.g., updating operating systems, firewalls, and
drive-by installations) that consumers, particularly seniors, may not
understand. Your letter also cites statistics as to the prevalence of
spyware on computers and asks about the Commission's short-term and
long-term goals to decrease its prevalence through consumer education.
The Commission shares your concern about the importance of
educating consumers about problems in electronic commerce, including
spyware. To inform consumers about spyware and other threats on the
Internet, the Commission launched its OnGuard Online initiative, with
the OnGuardOnline.gov website as its primary consumer education tool.
The initiative was developed to address the need for a comprehensive,
consistent set of educational messages for consumers. It incorporates
the best learning of the Internet community and presents it in a
complete and accessible format. In consultation with communications
experts, it was designed to be usable by consumers with a broad range
of familiarity with the Internet and technology. The comprehensive
website uses interactive activities, articles, videos, and tips that
address topics important to consumers, including ways that consumers
can lower their risk of spyware infections, clues as to whether spyware
is on their computer, and an informative spyware quiz. Consumers are
also able to report via the website if they have been a victim of
spyware.
Because people learn in a variety of ways, the FTC has made the
OnGuard Online information available in many forms. The
OnGuardOnline.gov website includes video tutorials prepared by the
Internet Education Foundation with visual instructions to ``click here,
then here,'' to turn on the security features in various types of
software. The site also presents a series of videos prepared by
Microsoft with the information presented in an accessible format.
Some consumers, including many seniors, may not be familiar with
technical terms used to describe technology. The OnGuard Online
initiative therefore uses plain language to describe technical
concepts. For example, the OnGuard Online brochure explains that
``[f]irewalls help keep hackers from using your computer to send out
your personal information without your permission.'' In addition, the
OnGuard Online bookmarks and posters have quick tips written in plain
language, and the OnguardOnline.gov website includes an extensive
glossary of computing terms, for consumers who need more information
about the terms used. Finally, the AARP is a partner in the OnGuard
Online initiative.
Response to Question Two
Your letter asks whether it is deceptive to fail to disclose that
spyware will be installed. Your letter also asks whether it is
deceptive to disclose only in the end-user license agreement that
spyware will be installed.
It is well-established that a failure to disclose adequately
material facts to consumers may be unfair or deceptive in violation of
Section 5 of the FTC Act. The FTC has alleged a failure to disclose
information in a number of Internet-related deception cases. \1\ The
Commission staff also has issued a guidance document that provides
advertisers with advice as to how to apply traditional FTC disclosure
principles to the online environment, including advertising and
marketing software on the Internet. \2\
---------------------------------------------------------------------------
\1\ See, e.g., Juno Online Services, Inc., FTC Dkt. No. C-4016
(June 29, 2001) (failure to disclose that some subscribers to its ISP
service would incur long distance telephone charges while connecting to
the Internet) (consent order); BUY.COM, Inc., FTC Dkt. No. C-3978
(Sept. 8, 2000) (failure to disclose restrictions and costs associated
with purchasing a ``free'' or ``low-cost'' personal computer in
exchange for agreeing to purchase Internet service) (consent order);
Value America, Inc., FTC Dkt. No. C-3976 (Sept. 8, 2000) (same).
\2\ Federal Trade Commission Staff Working Paper, Dot Com
Disclosures: Information About Online Advertising (May 3, 2000),
available at http://www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/
index.html.
---------------------------------------------------------------------------
The Commission has addressed the failure to disclose adequately to
consumers the material fact that spyware would be installed on their
computers. In particular, disclosing the presence of bundled software,
including spyware, only in the end-user licensing agreement may be
unfair or deceptive. For example, in FTC v. Odysseus Marketing, Inc.,
the defendants offered consumers a free software program that purported
to make the consumers anonymous when using peer-to-peer file-sharing
programs. \3\ The Commission alleged, however, that the distributors
failed to disclose to consumers that this program, in turn, would
install other, harmful software on their computers. Similarly, in
Advertising.com, Inc., the respondents allegedly offered free security
software, but bundled with it software that caused consumers to receive
a substantial number of pop-up ads. \4\ Although the presence of this
software was disclosed in the end-user license agreement, the
Commission alleged that this disclosure was inadequate. The Commission
therefore is using its authority to prohibit unfair or deceptive acts
and practices to take law enforcement action against those who fail to
disclose adequately to consumers that spyware will be installed on
their computers. It is important to note that, as I indicated in my
testimony, such a case-by-case approach that focuses on bringing law
enforcement action where a failure to disclose has harmed consumers is
preferable to requiring disclosure for all software, no matter how
innocuous.
---------------------------------------------------------------------------
\3\ The Commission recently filed a complaint in Federal court
alleging that this failure to disclose was deceptive in violation of
Section 5 of the FTC Act. The parties stipulated to a preliminary
injunction order, which was entered on October 11, 2005. FTC v.
Odysseus Marketing, Inc., No. 05-CV-330 (D.N.H. filed Sept. 21, 2005),
available at http://www.ftc.gov/opa/2005/10/odysseus.htm.
\4\ In the Matter of Advertising.com, FTC Dkt. No. C-4147 (consent
order Sept. 12, 2005), available at http://www.ftc.gov/os/caselist/
0423196/0423196.htm.
---------------------------------------------------------------------------
Response to Question Four
As the Commission indicated in its testimony, \5\ our main tool for
combating spyware is bringing law enforcement actions challenging acts
and practices as unfair or deceptive in violation of Section 5 of the
FTC Act. Your letter asks how many spyware-related law enforcement
actions we have brought in 2005, as well as for a description of our
efforts to investigate spyware, given that many consumers may not know
that they have spyware on their computers.
---------------------------------------------------------------------------
\5\ Federal Trade Commission, Prepared Statement Before the
Committee on Commerce, Science, and Transportation Subcommittee on
Trade, Tourism, and Economic Development, United States Senate (Oct. 5,
2005), available at http://www.ftc.aov/os/testimonv/
051005spywaretest.pdf.
---------------------------------------------------------------------------
Thus far, the FTC has brought six law enforcement actions involving
spyware, including five law enforcement actions to date in 2005. The
FTC's written testimony at the recent hearing describes the FTC's first
five actions. Our sixth law enforcement action was filed after the
hearing. \6\ In the Enternet Media, Inc. case, the FTC alleged that the
defendants distributed via the Internet exploitive software code dubbed
``Search Miracle'' and ``EliteBar,'' onto the computers of unsuspecting
consumers. With the aid of their network of affiliates, the complaint
alleged, the defendants trick consumers into downloading and installing
their exploitive code by disguising it as harmless, free software, such
as Internet browser upgrades, music files, cell phone ring tones, and
song lyrics. However, contrary to their representations, the
defendants' code is not a browser upgrade or security patch, nor is it
any type of harmless free software. Rather, it functions as a type of
spyware that substantially interferes with the functionality of
consumers' computers, such as by tracking consumers' Internet activity,
changing consumers' homepage settings, inserting a new toolbar onto
consumers' Internet browsers, inserting an obtrusive window onto
consumers' computer screens that displays advertisements, and
displaying voluminous pop-up advertisements, even when consumers'
Internet browsers are closed. To make matters worse, the FTC alleges,
it is extremely difficult for consumers to uninstall the exploitive
code, and that the defendants' uninstall instructions do not work. A
Federal district court granted a temporary restraining order; a
preliminary injunction hearing has been scheduled for the near future.
Using this law enforcement approach, we were also able to freeze $2
million in the defendants' bank accounts.
---------------------------------------------------------------------------
\6\ FTC v. Enternet Media, Inc., No. CV-05-7777 (C.D. Cal. filed
Nov. 1, 2005).
---------------------------------------------------------------------------
Spyware investigations and prosecutions are a priority for the
Commission. We are actively looking at a wide variety of sources of
information about the identity and location of those distributing
spyware that is causing harm to American consumers. We are consulting
with Federal and state criminal and civil law enforcement agencies. We
also are receiving critical information from high-tech companies, such
as anti-spyware companies and operating system companies. We further
are receiving valuable information from consumer groups, anti-spyware
organization websites, academics, and the technology press. I
appreciate the assistance that we are receiving from these groups, and
I look forward to continue working with them to make our spyware
investigations and prosecutions as effective as possible.
Thank you for providing me with an opportunity to supplement my
answers at the hearing concerning the FTC's law enforcement record as
it pertains to spyware. If you would like additional information,
please contact Anna Davis, the Director of the Office of Congressional
Relations, at (202) 326-3680.
�