A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology
(1) CDT Presents Consensus List of Deceptive Spyware Scenarios at FTC Workshop
(2) Much "Spyware" Already Illegal
(3) Working Group Efforts Highlight Difficulty in Defining Spyware In General Terms
(4) Multifaceted Approach Needed to Address Spyware Problem
A broad coalition of high tech companies and consumer advocates has compiled a list of unfair, deceptive or devious practices involving software downloaded from the Internet - software that takes over users' computers and resists removal, sometimes even stealing information. CDT presented the list at a Federal Trade Commission workshop on Monday, April 19 and called on the FTC to take enforcement action against software makers and online advertisers who engage in the condemned practices.
The list of devious practices represented an initial consensus response to growing concerns about the threats to Internet users' privacy posed by an array of invasive software programs referred to as "spyware." Some studies show that the majority of Internet users have some form of "spyware" on their computers, in most cases without even knowing it is there.
The Consumer Software Working Group, convened by CDT, included major software and hardware companies, leading Internet service providers, anti-spyware technology vendors, and consumer and privacy groups. In an effort to begin specifying what is "spyware," and what distinguishes it from acceptable online practices, the group drew up a list of examples, based on real cases, of specific practices involving the use or distribution of software that Working Group members agreed were clearly unfair, deceptive, or devious.
The practices the Working Group identified include:
The Consumer Software Working Group's list of "Examples of Unfair, Deceptive or Devious Practices Involving Software" is available at http://www.cdt.org/privacy/spyware/20040419cswg.pdf
More information on spyware: http://www.cdt.org/privacy/spyware/
FTC's Spyware Workshop Page: http://www.ftc.gov/bcp/workshops/spyware/index.htm
The Federal Trade Commission Act gives the FTC the authority to take enforcement action against unfair and deceptive trade practices. CDT and others have said that many spyware practices clearly fall within this jurisdiction, but so far the FTC has brought few actions against spyware makers.
In November 2003, CDT invited Internet users to tell us about their experiences with spyware, so we could investigate specific cases and file complaints where appropriate. In February, based on user responses and following a careful technical investigation, CDT filed a complaint against two companies involved in deceptive advertising and homepage "hijacking." However, the FTC has not acted upon the complaint.
In presenting the devious practices list to the FTC at its April 19 workshop, CDT Associate Director Ari Schwartz told the Commission that the Working Group's agreement on unacceptable practices demonstrates widespread consensus that certain current practices involving software are already illegal. In a preface to its list of spyware scenarios, the Consumer Software Working Group said it "is concerned about a specific set of devious, deceptive or unfair practices that adversely affect consumers online. Most of these practices may be illegal under current law, depending on the specific facts of the particular case."
CDT told the Commission that better enforcement of the FTC Act and other applicable statutes such as the Computer Fraud and Abuse Act and state fraud laws could have a substantial impact on the spyware problem. Rather than wait for new "spyware" laws, CDT again called on the Commission to go after the egregious cases that are illegal under current law.
Information on CDT's "Campaign Against Spyware," calling on users to send us their spyware stories, is available at http://www.cdt.org/action/spyware/
CDT's Complaint to the FTC in the Matter of Mail Wiper, Inc and Seismic Entertainment Productions, Inc. is available at http://www.cdt.org/privacy/20040210cdt.pdf
Several bills have been introduced in Congress to address spyware, and Utah has already adopted a law, but the Working Group's discussions highlighted the difficulties in constructing a complete and precise definition of spyware and other forms of invasive software without sweeping in benign practices that are standard among software companies and ISPs.
CDT has warned that, given the definitional difficulties, legislating against spyware would likely prohibit ordinary, acceptable behavior of companies that serve consumers. The Working Group echoed this concern, specifically noting that "the wide range of and lack of clarity in attempted definitions for the types of software practices that most concern consumers hamper attempts at self-regulatory, technological and legislative responses. Many definitions of spyware in circulation today are either under-inclusive in important respects or, more commonly, overbroad so that they include practices that clearly benefit consumers, or both."
Rather than legislation aimed at spyware, CDT believes that the issues of privacy and user control can be better addressed by online privacy legislation that would focus on the underlying problematic behaviors rather than on specific technologies.
On March 23, CDT President Jerry Berman testified on the proposed "SPYBLOCK Act," introduced by in the U.S. Senate by Conrad Burns (R-MT) and Ron Wyden (D-OR): http://www.cdt.org/testimony/20040323berman.shtml
In its presentation to the FTC, CDT stressed that, in the end, a combination of solutions is needed to fully address the spyware issue. Needed steps include both better consumer awareness and improved anti-spyware technologies to give users greater control over the software on their computers. Although the definitional issues make new legislation difficult, it may in the long run be necessary as well, especially as we learn more about the problem. In the short term, however, stepped up enforcement by the FTC under existing law may have the greatest impact.
CDT urges consumers that have been affected by spyware to send their experiences to our campaign against spyware and to the FTC. Direct feedback from Internet users about the specific harms they have suffered is crucial to spur a greater response from the Commission to the spyware problem.
Detailed information about online civil liberties issues may be found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_10.07.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 10.07 Copyright 2004 Center for Democracy and Technology
