From: [log in to unmask] [mailto:[log in to unmask]] On Behalf Of CDT Info
Sent: 28 January 2005 14:36
To: [log in to unmask]
Subject: Policy Post 11.03: CDT Renews Call For Privacy Legislation At First Commerce Committee Hearing

CDT POLICY POST Volume 11, Number 3, January 28, 2005

A Briefing On Public Policy Issues Affecting Civil Liberties Online
from The Center For Democracy and Technology

(1) CDT Renews Call For Privacy Legislation At First Commerce Committee Hearing
(2) Spyware Epidemic Continues to Grow Despite Initial Enforcement Success
(3) CDT Testimony Emphasizes Harms of Affiliate Networks

---------------------------------------

(1) CDT Renews Call For Privacy Legislation At First Commerce Committee Hearing

Testifying on January 26 at the year's first hearing of the House Commerce Committee, CDT warned that the continually growing spread of spyware represents a major threat to Internet users, as well as to the long-term health of the Internet. CDT highlighted three areas where action is necessary to stem this disturbing trend toward a loss of control for Internet users:

* enforcement of existing law;
* better consumer education, industry self-regulation, and anti-spyware technologies;
* baseline Internet privacy legislation.

The Commerce Committee hearing was held to consider H.R. 29, "The SPY ACT." The bill is sponsored by Representatives Bono and Towns, and is identical to H.R. 2929, which passed the House overwhelmingly last year, but failed to gain support from the Senate. Committee Chairman Barton said at Tuesday's hearing that he aims to put the legislation on a "fast track" this year.

CDT strongly supports provisions in H.R. 29 to raise penalties on the worst types of deceptive software practices online. However, CDT continues to believe that notice and consent issues are best addressed in a technology-neutral manner as part of general online privacy legislation.

CDT also used its testimony to highlight the central problem of affiliate networking, which creates a marketplace in which legitimate companies unwittingly support illegal activities through a maze of distributors and affiliates.

* Testimony of Ari Schwartz before the House Committee on Energy and Commerce on "Combating Spyware: H.R. 29, the SPY ACT" -- http://www.cdt.org/testimony/20050126schwartz.pdf
* HR 29, the SPY ACT -- http://thomas.loc.gov/cgi-bin/bdquery/z?d109:hr29:
* CDT's Spyware Page -- http://www.cdt.org/privacy/spyware/

__________________________________________________

(2) Spyware Epidemic Continues to Grow Despite Initial Enforcement Success

A recent survey of IT managers found that almost two-thirds rated spyware as the number one cybersecurity threat in the coming year. While it is difficult to obtain precise data on the prevalence of the spyware problem, the best study done to date, conducted by AOL and the National CyberSecurity Alliance, found that 80% of broadband and dial-up users had adware or spyware programs running on their computers.

Based on the complaints CDT has received through our "Campaign Against Spyware," we believe that the prevalence of spyware violations, especially egregious and clearly unlawful behaviors, has increased dramatically. Of particular concern is the use of security holes in web browsers to silently force software onto users' computers.

In October, the FTC brought its first enforcement action against Sanford Wallace and Seismic Entertainment on the basis of a complaint filed earlier by CDT. The case has resulted in an injunction requiring that Wallace and his companies cease exploiting security vulnerabilities to force software onto Internet users' computers. The order also gives the FTC access to company business records.

CDT believes that further FTC investigation in the Seismic case will provide ample basis for the Commission to pursue Seismic affiliates that were also acting deceptively, and we expect that the Commission will announce further actions as other bad actors come to light.

In order to have a genuine impact on the spyware problem, both the FTC and other national and state level law enforcement agencies will have to actively pursue additional cases. While the FTC's first spyware case was an important milestone, both the number and frequency of cases must be dramatically increased if law enforcement is to provide a significant deterrent to purveyors of spyware. The continued, dramatic growth of the spyware problem demonstrates that law enforcement is still losing the battle against egregious spyware purveyors clearly guilty of violating the law.

* CDT's Campaign Against Spyware -- http://www.cdt.org/action/spyware
* Preliminary Injunction Order in FTC v. Seismic -- http://www.cdt.org/privacy/spyware/20041220seismicorder.pdf

_________________________________________________________

(3) CDT Testimony Emphasizes Harms of Affiliate Networks

In CDT's complaint to the FTC regarding Seismic Entertainment and MailWiper, we highlighted the problem of affiliate relationships being "exploited by companies to deflect responsibility and avoid accountability." CDT used this week's hearing to draw attention to this issue, which is at the heart of the spyware problem.

Adware companies have a superficially simple business model: Consumers agree to download a piece of adware in exchange for access to a piece of free software that the adware company has a bundling agreement with. In fact, many adware companies and other software bundlers operate through complex networks of affiliate arrangements involving adware makers, software providers, websites, advertisers, and advertising brokers.

The consequence of these affiliate arrangements is that when an adware program ends up on a user's computer, the adware program is often many steps removed from the maker of the software itself. This complex network of intermediaries exacerbates the spyware problem in several ways:

* Industry Responsibility: Adware companies, advertising brokers, and others all may disclaim responsibility for attacks on users' computers, while encouraging these behaviors through their affiliate schemes and doing little to police the networks of affiliates acting on their behalf. Advertisers should be pushed to take greater responsibility for the companies they advertise with.
* Enforcement: Complex webs of affiliate relationships obstruct law enforcement efforts to track back parties responsible for attacks. The complexity of these cases puts an extreme strain on enforcement agencies, which struggle to tackle the problem with limited resources.
* Consumer Notice: Adware companies and their affiliates have been reluctant to clearly disclose their relationships in a way that is transparent to consumers. CDT's testimony illustrated specific ways in which adware companies could improve transparency in bundling and ad-support arrangements. Companies have resisted these changes. Efforts to bring transparency to the full chain of affiliate and distribution arrangements have met with even greater opposition.

For these reasons, the affiliate issue has become a central aspect of the spyware epidemic. Finding ways to effectively reform affiliate relationships will make it easier to hold accountable the purveyors of spyware.

---------------------------------------

Detailed information about online civil liberties issues may be found at http://www.cdt.org/ .

This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_11.03.shtml .

Excerpts may be re-posted with prior permission of [log in to unmask]

Policy Post 11.03 Copyright 2005 Center for Democracy and Technology

_______________________________________________
http://www.cdt.org/mailman/listinfo/policy-posts

Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion list made up of people who are interested in the interdisciplinary academic study of Cyber Society in all its manifestations. To join the list please visit: http://www.jiscmail.ac.uk/lists/cyber-society-live.html