FTC Tackles Slippery Subject of Spyware

As the Federal Trade Commission begins holding policy forums on the topic, which has bills pending on it in Congress, it learns that spyware is in the eye of the beholder.

WASHINGTON—Like spam, spyware is unlikely to be abolished by new laws or regulations. Also like spam, the intrusive software is attracting enough popular ire to spur politicians to act anyway.

The latest perceived threat to Internet users' privacy, spyware is following the same trajectory in Washington that spam followed before Congress passed a law attempting to reduce unsolicited e-mail.

As the Federal Trade Commission began discussing spyware publicly this week, it quickly learned that different interests define the problem in disparate ways, fixing varying degrees of odiousness to their definitions. Like spam, spyware is in the eye of the beholder.

The FTC, which is currently conducting at least two investigations involving deceptive software, held a policy forum on it Monday. The Department of Justice also has pursued spyware-related cases based on existing criminal laws, but some in Congress argue that these laws are not adequate. Federal anti-spyware bills have been introduced in both the Senate and the House, and Utah has already enacted its own anti-spyware law.

Spyware poses risks not just to consumer privacy, but to the safety and integrity of enterprise data as well. When users discover that spyware has been downloaded onto their computers without their knowledge, they often blame innocent parties such as their ISP, computer manufacturer, operating system vendor or e-commerce merchant.

"We're the people being blamed sometimes," Jules Polonetsky, vice president of integrity assurance at America Online Inc., said at the forum. The next update of AOL's software will automatically scan for spyware applications and allow users to decide whether to keep them on their computers, Polonetsky said.

More than half of all Windows crashes reported to Microsoft Corp. are the result of deceptive software, according to Brian Arbogast, corporate vice president of the Identity, Mobile and Partner Services Group for MSN and the Personal Services Division at Microsoft. Spyware is increasingly making computers slower and less stable in addition to intruding on browsing, he said.

The next Windows service pack, coming out this summer, will include enhancements that make it harder for software to be installed without the user's knowledge. It will include a pop-up blocker in Explorer, an ActiveX blocker to suppress downloads the user does not initiate, and improved software install prompts, according to Jeffrey Friedberg, director of Windows privacy at Microsoft.

In an echo of the policy debate over spam, many in the industry are cautioning against legislation aimed at spyware for fear that legitimate monitoring and tracking software will be targeted unintentionally.

"It's not necessarily the technology, it's the uses" that create problems, said James Koenig, chief practice co-leader of privacy strategy and compliance at PriceWaterhouseCoopers LLP.

Many in the industry argue that rather than passing new laws and implementing new regulations, the government should help better educate users on how to protect themselves.

"In the end, it is going to come down to customers making choices," Microsoft's Arbogast said.

But some privacy advocates say consumer education is unlikely to solve the problem. Future categories of software are likely to present intrusion problems similar to those that spyware presents today, said Chris Hoofnagle, associate director of the Electronic Privacy Information Center in Washington. He added that digital rights management software can be particularly invasive.

"I think there will be coercive power in this market, especially when it comes to media," Hoofnagle said.

Instead of creating notice and consent requirements on any given software or application in a reactive fashion, Congress should develop a more comprehensive policy against intrusive Internet behavior, Hoofnagle said.

Privacy advocates also say it may be unfair and insufficient to place the burden on the user of protecting against spyware intrusions. Using serialized programs such as Microsoft's Media Player creates risks of intrusion, and some vulnerabilities could be limited if the operating system were decoupled from the Internet browser, Hoofnagle said. "It's hard to look at this issue without looking at Microsoft," he said.
