A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology
(1) CDT Renews Call For Privacy Legislation At First Commerce Committee Hearing
(2) Spyware Epidemic Continues to Grow Despite Initial Enforcement Success
(3) CDT Testimony Emphasizes Harms of Affiliate Networks
Testifying on January 26 at the year's first hearing of the House Commerce Committee, CDT warned that the continually growing spread of spyware represents a major threat to Internet users, as well as to the long-term health of the Internet. CDT highlighted three areas where action is necessary to stem this disturbing trend toward a loss of control for Internet users:
The Commerce Committee hearing was held to consider H.R. 29, "The SPY ACT." The bill is sponsored by Representatives Bono and Towns, and is identical to H.R. 2929, which passed the House overwhelmingly last year, but failed to gain support from the Senate. Committee Chairman Barton said at Tuesday's hearing that he aims to put the legislation on a "fast track" this year.
CDT strongly supports provisions in H.R. 29 to raise penalties on the worst types of deceptive software practices online. However, CDT continues to believe that notice and consent issues are best addressed in a technology neutral matter as part of general online privacy legislation.
CDT also used its testimony to highlight the central problem of affiliate networking, which creates a marketplace in which legitimate companies unwittingly support illegal activities through a maze of distributors and affiliates.
A recent survey of IT managers found that almost two-thirds rated spyware as the number one cybersecurity threat in the coming year. While it is difficult to obtain precise data on the prevalence of the spyware problem, the best study done to date, conducted by AOL and the Nation CyberSecurity Alliance, found that 80% of broadband and dial-up users had adware or spyware programs running on their computers. Based on the complaints CDT has received through our "Campaign Against Spyware," we believe that the prevalence of spyware violations, especially egregious and clearly unlawful behaviors, has increased dramatically. Of particular concern is the use of security holes in web browsers to silently force software onto users' computers.
In October, the FTC brought its first enforcement action against Sanford Wallace and Seismic Entertainment on the basis of a complaint filed earlier by CDT. The case has resulted in an injunction requiring that Wallace and his companies cease exploiting security vulnerabilities to force software onto Internet users' computers. The order also gives the FTC access to company business records. CDT believes that further FTC investigation in the Seismic case will provide ample basis for the Commission to pursue Seismic affiliates that were also acting deceptively, and we expect that the Commission will announce further actions as other bad actors come to light.
In order to have a genuine impact on the spyware problem, both the FTC and other national and state level law enforcement agencies will have to actively pursue additional cases. While the FTC's first spyware case was an important milestone, both the number and frequency of cases must be dramatically increased if law enforcement is to provide a significant deterrent to purveyors of spyware. The continued, dramatic growth of the spyware problem demonstrates that law enforcement is still losing the battle against egregious spyware purveyors clearly guilty of violating the law.
In CDT's complaint to the FTC regarding Seismic Entertainment and MailWiper, we highlighted the problem of affiliate relationship being "exploited by companies to deflect responsibility and avoid accountability." CDT used this week's hearing to draw attention to this issue, which is at the heart of the spyware problem.
Adware companies have a superficially simple business model: Consumers agree to download a piece of adware in exchange for access to a piece of free software that the adware company has a bundling agreement with. In fact, many adware companies and other software bundlers operate through complex networks of affiliate arrangements involving adware makers, software providers, websites, advertisers, and advertising brokers.
The consequence of these affiliate arrangements is that when an adware program ends up on a user's computer, the adware program is often many steps removed from the maker of the software itself. This complex network of intermediaries exacerbates the spyware problem in several ways:
For these reasons, the affiliate issue has become a central aspect of the spyware epidemic. Finding ways to effectively reform affiliate relationships will make it easier to hold accountable the purveyors of spyware.