Policy Post 10.17: FTC brings first spyware case as Congress considers legislation

Subject: [huridocs-tech] Policy Post 10.17: FTC brings first spyware case as Congress considers legislation
Date: Tue, 12 Oct 2004 15:03:48 -0400 (EDT)
CDT POLICY POST Volume 10, Number 17, October 12, 2004

A Briefing On Public Policy Issues Affecting Civil Liberties Online
from The Center For Democracy and Technology

(1) FTC Files First Spyware Case, Based on CDT Complaint
(2) FTC Case Sets Valuable Precedent For Better Enforcement
(3) House Passes Two Spyware Bills, Leveling Civil, Criminal Penalties
(4) Senate and House Seek to Reconcile Approaches In Time for November
Session


------------------------------
(1) FTC Files First Spyware Case, Based on CDT Complaint

The Federal Trade Commission (FTC) filed suit in the District Court of
New Hampshire on October 7 against Seismic Entertainment and a former
self-styled "Spam King," Sanford Wallace, taking up a complaint filed
by CDT last February. Although the FTC has formerly brought cases
against "dialers" and online "mouse trapping" schemes designed to keep
users from closing web sites, the current case is widely considered to
be the first major suit by the FTC in the core area of spyware.

CDT's complaint alleged that Seismic engaged in browser hijacking and
deceptive advertising. Following in-depth research, CDT concluded that
Seismic purchased banner ads that ran on web sites related to gaming,
sports, and other topics. The ads often appeared as public service
advertisements, but when loaded they would change a user's homepage and
trigger a stream of pop-ups, including misleading advertisements for
"Spy Wiper" or "Spy Deleter" anti-spyware software. CDT also
subsequently showed that a Seismic website caused forced installations
of advertising software and other programs.

The FTC's suit against Seismic and Wallace, its owner, mentions these
and other actions as violations of the FTC Act. The FTC alleges that
"in numerous instances, Defendants' practices cause or have caused
consumers' computers to malfunction, slow down, crash, or cease working
properly, and cause or have caused consumers to lose data stored on
their computers."

  - FTC Press Release Announcing Case against Seismic, Smartbot.net
    and Sanford Wallace, October 12, 2004
    http://www.ftc.gov/opa/2004/10/spyware.htm
  - FTC Complaint in the US District Court in New Hampshire
    http://www.ftc.gov/os/caselist/0423142/0423142.htm
  - CDT's complaint to the FTC against MailWiper and Seismic
    Entertainment Productions [PDF], February 10, 2004
    http://www.cdt.org/privacy/20040210cdt.pdf

------------------------------
(2) FTC Case Sets Valuable Precedent For Better Enforcement

Since CDT's initial report on the spyware issue in November 2003, we
have argued that existing statutes cover many spyware practices.
Relevant laws include the Computer Fraud and Abuse Act, the Electronic
Communications Privacy Act, and the FTC Act prohibiting unfair and
deceptive business practices.

The dearth of enforcement of these laws in the spyware context has been
partially responsible for allowing spyware to flourish online. At a
House hearing in April, Rep. Joe Barton, Chairman of the House Commerce
Committee, criticized the FTC for failing to bring any spyware cases.
The FTC's current action therefore represents an important step toward
better enforcement against spyware purveyors.

A recent Consumer Reports survey found that over a third of home
Internet users have had their homepage hijacked. The proliferation of
deceptive advertising for anti-spyware products is also a prevalent
problem. The FTC's current case squarely targets these practices, and
lays the groundwork for future spyware cases in other areas.

CDT plans to continue bringing cases to the FTC. CDT encourages users
that have been hit by spyware to submit their stories to
http://www.cdt.org/action/spyware. CDT reviews and researches reports
and will file complaints where appropriate.


------------------------------
(3) House Passes Two Spyware Bills, Leveling Civil, Criminal Penalties

Congress pushed forward on the spyware issue, as the House approved two
separate anti-spyware bills.

H.R. 2929, known as the "SPY ACT," was passed on October 5th. It would
create civil penalties for certain deceptive practices related to
spyware. The list of targeted practices is based on a consensus
document produced by the Consumer Software Working Group, which CDT
convened last spring. A broad range of industry and consumer groups
endorsed that list, and have worked with the Committee to refine this
section of H.R. 2929.

The SPY ACT would also require that consumers be given notices prior to
the execution of adware and other software that transmits personal
information. CDT and other groups raised concerns that this section was
poorly targeted in earlier versions of the legislation. Recent
amendments have sought to focus the notice requirements and eliminate
the need for redundant notices.

The second bill, H.R. 4661, known as the "I-SPY Act," would establish
criminal penalties for those who use spyware to steal personal
information or to commit other federal crimes. This bill, passed by the
House on October 6th, would create high penalties for the most
egregious types of spyware.

While CDT still believes that privacy legislation addressing the full
range of online privacy concerns is needed and would address many of
the issues implicated by spyware, the current bills would be a helpful
initial step toward combating the problem.

  - Text of HR 2929, Securely Protect Yourself Against Cyber Trespass Act
    http://www.cdt.org/privacy/spyware/20040924cdtcommerce.pdf
  - Text of HR 4661, Internet Spyware Prevention Act
    http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.4661:
  - CDT's Testimony before the House Subcommittee on Commerce, Trade, and
    Consumer Protection on H.R. 2929 [PDF] , April 29, 2004
    http://www.cdt.org/testimony/20040429schwartz.pdf

------------------------------
(4) Senate and House Seek to Reconcile Approaches In Time for
November Session

In contrast to the House, the Senate has yet to pass a spyware bill. S.
2517, the "SPY BLOCK" Act, was approved by the Senate Commerce
Committee in September, and awaits consideration by the full Senate.
The bill includes the criminal provisions of the House criminal bill,
and prohibits a list of deceptive practices similar to that in the
House civil-penalties bill.

The biggest difference between the House and Senate bills is in their
requirements for notice on installation of software. The Senate bill
prohibits deceptive installations, but does not include the level of
detail in mandating the wording of notices that is present in its House
counterpart. CDT prefers the Senate's approach, which we believe will
provide needed flexibility for different kinds of devices and
interfaces.

Although the House and Senate are now in recess, both are expected to
meet again briefly in a "lame duck" session in November. House and
Senate staff are working to reconcile the three bills in order to have
them ready for this session.

Meanwhile, states continue to push forward with their own laws.
California Governor Arnold Schwarzenegger signed a spyware bill on
September 28, prohibiting several deceptive spyware related practices
in California. This makes California the second state, after Utah, to
pass specific anti-spyware legislation.

  - Text of S. 2145, "SPY BLOCK" Act
    http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.02145:
  - Text of California SB 1436
    http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.4661:
  - CDT Testimony before the Senate Commerce Committee on S. 2145
    http://www.cdt.org/testimony/20040323berman.shtml


------------------------------
Detailed information about online civil liberties issues may be found
at http://www.cdt.org/.

This document may be redistributed freely in full or linked to
http://www.cdt.org/publications/pp_10.17.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org

Policy Post 10.17 Copyright 2004 Center for Democracy and Technology


--
To subscribe to CDT's Activist Network, sign up at:
   http://www.cdt.org/join/

If you ever wish to remove yourself from the list, unsubscribe at:
   http://www.cdt.org/action/unsubscribe.shtml

If you just want to change your address, you should unsubscribe
yourself and then sign up again or contact: mclark@cdt.org
--
Michael Clark, Grassroots Webmaster
mclark@cdt.org
PGP Key available on keyservers

Center for Democracy and Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
http://www.cdt.org/
voice: 202-637-9800
fax: 202-637-0968


========== HURIDOCS-Tech listserv ==========
Send mail intended for the list to <huridocs-tech@hrea.org>.
Archives of the list can be found at:
http://www.hrea.org/lists/huridocs-tech/markup/maillist.php
To subscribe to the list, send a message to <majordomo@hrea.org>,
with the following text in the message: subscribe huridocs-tech
To unsubscribe from the list, send a message to <majordomo@hrea.org>,
with the following text in the message: unsubscribe huridocs-tech
If you have problems (un)subscribing, contact <owner-huridocs-tech@hrea.org>.
Prev by Date: APC condemns arbitrary seizure of IndyMedia web servers by US and European law enforcers
Next by Date: Iran: Journalist detained in Internet crackdown
Previous by thread: Policy Post 10.13: Email Privacy Protection Called into Question by Federal Appeals Court Decision
Next by thread: Policy Post 10.20: Coalition Opposes Net Wiretap Design Mandates
[Reply to this message] [Start a new topic] [Date Index] [Thread Index] [Author Index] [Subject Index] [List Home Page] [HREA Home Page]