Anti-spyware: Into the front lines

Q&A

In the past few months, Ari Schwartz and the Washington, D.C.-based Center for Democracy and Technology have leapt into the front ranks of the Net's spyware-fighters.
They're not programmers by trade. Instead, they are using their D.C. experience and clout to raise the issue of computer hijacking and intrusive advertising to the policy level, asking regulators to crack down on abuses. After a first report on the issue last November, Schwartz's group filed a first round of complaints with the Federal Trade Commission on Wednesday about so-called anti-spyware products that the group contends are abusing customers' trust.

The practices outlined in the CDT complaint read like a technophobe's nightmare, and even the most tech-savvy surfers will recognise serious dangers. Pop-up windows spring up, JavaScript warning messages flash, the CD-ROM drive on computers even opens and shuts for no apparent reason -- all in order to frighten surfers into downloading and buying a specific product, the CDT alleges.

Schwartz has played the role of lead investigator for his organisation's complaint against Mail Wiper, a company that had previously used unsolicited mail to advertise spam-blocking software. He quickly became familiar with the maze of affiliates, advertising partners and other third parties that often make it difficult to determine who exactly is responsible for taking advantage of surfers' credulity.

"There are so many parties involved, that it's hard for any consumer to know who they're involved with, or to trust the whole system," Schwartz said.

Still, his group isn't yet pressing for new legislation or regulation against spyware companies or other computer hijackers. Existing law will probably be enough, if it is enforced, they say.

CNET News.com spoke with Schwartz about spyware, deceptive advertising, and his group's decision to complain to federal regulators about one anti-spyware company's hard-sell software distribution tactics.

Why is this case serious enough to take to the FTC?
This case is symptomatic of the larger problems of fraud and deception and unfair trade practices on the Internet. We feel as though it is really the first in what we hope will be a succession of cases that will highlight some of the things that are happening online, so that some of the people that think they can get away with things due to the anonymity of the situation will not be able to do so in the future.

Does the spyware issue raise new issues of privacy and the amount of confidence people can have in their computers? Or is this just next-generation spam?
I think it does raise some of the issues to a new level. Especially in cases where people are getting software installed on their computer without their knowledge, or their default settings changed without their knowledge. It's more than just spam when someone is able to constantly monitor your behaviour or send pop-ups to you without your consent. So it's more than an annoyance, it can be a privacy problem, and it can be a major security problem for the Internet.

How is this phenomenon evolving? We saw the first explosion of adware and spyware companies come with the boom in free file-swapping tools, but what have you seen in the last six months or year?
We've seen the fact that the category of spyware, as we documented in our November report, includes a lot of different things. It's hard to talk about it as a category by itself. Some of it has existed for a long time, and some of it is a range of new things. However, despite the fact that it is hard to define in that way, we have seen an upsurge in techniques to try and get consumers to download applications, to consent to make changes to their system without actually having informed consent.

Mail Wiper (the company named in your FTC complaint) is not the only antispyware company that uses affiliates to distribute or advertise their software. Some of these affiliates use techniques such as unsolicited email advertising. In your opinion, does the original company bear responsibility for the actions of its affiliates?
According to our understanding of FTC law, they do bear responsibility if they were a partner to the action. So if they knew what was going on, maybe even beyond, then yes, depending on the actual case.

Is current law structured well enough to handle these kinds of cases? Or does there need to be more regulation of what third parties can do to computers?
We believe that the most egregious cases, where software is placed on people's computers without their consent, where information is transferred back, or where people are deceived into downloading software, we believe current law does cover those cases. We think there needs to be more active enforcement -- that's why we're bringing these complaints -- but we think current law does cover most of the egregious cases we've seen.

There is legislation out there, where they want to try to focus the issue a little more, make sure that current law is covered. Some of them try to come up with standards for software generally. We'd like to see more enforcement of existing law before we go down that road. However, it is worth exploring. We certainly need more attention to the issue and how it's going to work.

We'd rather see the privacy cases dealt with through general privacy legislation rather than adding another piece for software, or spyware, to this large puzzle we have of privacy law.

What's your advice to consumers? A lot of people have no idea what's going on under the hood in their computers.
Well, it is difficult. I think there are more tools out there now than there were in the past. You have the large companies, the OEMs (original equipment manufacturers) and the ISPs, both offering anti-spyware tools that are trustworthy. The other thing is to read through the reviews before you download the software. It's likely that the ones that have gotten good reviews from reliable sources are the ones that are going to be best for you. I think that's true for all software.

There are cases where kids download something on their parents' computer, and their parents don't know what's there, and they try to remove something, and the kid keeps downloading it again. We do see a lot of cases like that. We are going to need better self-regulation and technologies to help parents, and systems administrators generally, to control their networks better.
