Privacy-Security (UIUC)- FTC Spyware Workshop

On April 19, 2004 the Federal Trade Commission (FTC) hosted a workshop to address the problems of "spyware." You can read about that one day workshop and download related documents on the following pages:

This page contains links to a number of other documents and resources related to the FTC's Spyware Workshop, including my own comments to FTC and my several long online musings about the recent efforts against "spyware."

Several other folks have made significant contributions to the recent efforts against the scourge of "spyware." In particluar see Ben Edelman's web page, which contains his eye-opening research about WhenU and Gator. PC Pitstop also has several important studies about WhenU and Gator users. Bill Pytlovany kept a blog from the FTC's Spyware Workshop, with both comments and photos. Mike Healan of SpywareInfo has posted his own extensive comments on the Spyware Workshop. Simson Garfinkel has also offered some potentially useful suggestions for bringing the "spyware" problem under control. For still more links to important research and statements about "spyware," see the Anti-Spyware Advocacy & Research section below.

It's now been one year since the FTC hosted its Spyware Workshop. Ben Edelman and I were talking recently about this, and reflecting on what's changed in the year since that event. What follows is a list of significant developments in the one year since the workshop.

On March 7, 2005 -- almost one year after the worksop was held -- the FTC finally released its staff report on the workshop. This report provides a summary of some of the major points of discussion during the workshop, however, it is woefully short in providing real insight into the problems with spyware and adware because the FTC report finds a way to neatly straddle the fence on almost every significant issue. The staff report is available in PDF format:

The FTC's staff report isn't the only report available on the workshop, however. In the month or so after the workshop I produced mini-reports of my own with extensive comments on each of the six panels at the FTC's Spyware Workshop. This series of mini-reports appeared as several long posts in THIS thread at the DSLR/BBR Security forum:

A number of other workshops and conferences have been held to address the problem of spyware and adware in the wake of the FTC's own Spyware Workshop:

It's worth pointing out that the UC Berkeley and NAI agendas are dominated by speakers and organizations with little apparent direct knowledge of spyware and adware, much less an established track record of working on the problem. These people and organizations were simply Missing In Action while this problem developed over the past five years, and they've taken an interest in the problem only now that the threat of regulation and widespread deployment of anti-spyware software has emerged. When the problem involved only web users getting taken to the cleaners by unsavory elements of the adware advertising industry, the problem wasn't worthy of their attention.

While I'm certainly encouraged that the spyware and adware problem is getting wider attention, I remain skeptical of whether these new players bring anything of substance to the table, as they look to me to be far too concerned with protecting established industry interests and not concerned enough with helping the victims of spyware and adware.

The FTC accepted comments from the public on the topic of "spyware" through May 21. You can view the comments that were submitted here:

For brief summaries and critiques of the more noteworthy and important comments submitted to the FTC, see this thread at the DSLR/BBR Security forum:

I have posted several times at the DSLR/BBR Security forum about the FTC's Spyware Workshop. In the earlier posts before the workshop was conducted, I addressed the announced topics of discussion for the workshop, what could be expected from it, and what anti-spyware activists could hope to accomplish. In a related thread I have also offered some tips for constructing a set of comments to submit to the FTC that would be useful, persuasive, and credible. Since comments from the public began rolling in, I have been briefly summarizing and evaluating the more important and noteworthy submissions to the FTC. In a later thread, I review and critique each of the six panels at the FTC's Spyware Workshop, which I attended. (Note: I'm known as "eburger68" at DSLR/BBR.)

Tired of being hijacked? TELL the FTC! (Feb. 21, 2004)
http://www.dslreports.com/forum/remark,9458905~mode=flat

In this first thread at DSLR/BBR I review the announced topics of discussion for the Spyware Workshop and raise several concerns about the apparent direction of the FTC's agenda.

Telling the FTC About Spyware: A Few Tips... (Mar. 5, 2004)
http://www.dslreports.com/forum/remark,9587358~mode=flat

As it is imperative that the FTC hear from the public about the issue of "spyware," I offer a few tips for crafting effective, credible, compelling comments to submit to the FTC.

Lop.com Goes to the FTC (Mar. 22, 2004)
http://www.dslreports.com/forum/remark,9745185~mode=flat

C2 Media's Jason Lucas submitted a set of comments to the FTC. In this thread I critique some of the more eyebrow-raising claims that the company behind Lop.com makes.

What I Told the FTC about Spyware... (Mar. 29, 2004)
http://www.dslreports.com/forum/remark,9818820~mode=flat

On March 29 I finally submitted comments of my own to the FTC. This thread contains links to all of my comments (also found on this page below) as well as a few thoughts about them.

The Coming Spyware Storm: Polticos wake-up, take sides (Mar. 29, 2004)
http://www.dslreports.com/shownews/41552

An extension of my "comments" thread just above, this news discussion thread at DSLR/BBR contains DSLR/BBR readers reaction to my announcement that I had submitted comments.

A Guide to Spyware Comments Filed w/ the FTC (Apr. 3 - 26, 2004)
http://www.dslreports.com/forum/remark,9864340~mode=flat

As comments from the public are posted at the FTC's site, I have updated this thread, calling attention to the more interesting and notewrothy submissions and briefly evaluating their content.

What's the *motivation* for hijack-ware? (Apr. 7, 2004)
http://www.dslreports.com/forum/remark,9898401~mode=flat

Many folks wonder why anyone would have anything to do with "spyware" vendors, given how universally reviled they are. In this thread I briefly explain why "spyware" or advertising software companies are becoming a growing threat because of the business and investments they are receiving from mainstream investors and advertisers.

FTC Spyware Workshop Panelists - Worries... (Apr. 16, 2004)
http://www.dslreports.com/forum/remark,9986136~mode=flat

The FTC posted its agenda shortly before the workshop. That agenda contained a breakdown of the panels and panelists selected for the workshop. In this thread I raise several concerns with the makeup of those panels and exolain why consumers might not be adequately represented in several of the key discussions at the workshop.

FTC Spyware Workshop: 1st Impressions (Apr. 19 - May 1, 2004)
http://www.dslreports.com/forum/remark,10018653~mode=flat

On Monday April 19 I attended the FTC's Spyware Workshop in Washington D.C. This thread contains my initial impressions of the workshop (written while I was still in D.C.). Later posts in the thread offer pointed summaries and commentary on each of the six panels at the workshop. Note: be sure to check out the later pages in this thread, as most of my commentary on specific workshop panels appears on pages 2 and 3. Here's short index of my comments in this thread:

Overview of the Workshop
Panel 1: Defining, Understanding, and Disseminating Spyware
Panel 2: Security Risks and PC Functionality
Panel 3: Privacy Risks
Panel 4: Industry Responses to Spyware
Panel 5: Technological Responses to Spyware
Panel 6: Government Responses to Spyware
Corrections to comments

FTC Won't Act on Spyware (Apr. 20, 2004)
http://www.dslreports.com/shownews/42568

In this "news" thread done in response to my "1st Impressions" thread just above, readers at DSLR/BBR react to my report from the FTC's Spyware Workshop.

FTC Goes to Bat for Spyware Industry (Apr. 29, 2004)
http://www.dslreports.com/forum/remark,10106664~mode=flat

The FTC has rejected calls for strong regulations or legislation to protect consumers from unscrupulous "spyware" vendors, recommending instead "industry self-regulation." In this thread I call attention to the FTC's comments on April 29 before a House subcommittee considering the issue of "spyware" -- a forum in which the FTC's representatives got a frosty reception from committee members.

Yahoo Gives Adware a Pass (Jun. 2, 2004)
http://www.dslreports.com/forum/remark,10399574~mode=flat

On May 26 Yahoo announced that it would be incorporating anti-spyware scanning into the new version of its Yahoo Toolbar, still in beta. On June 1, however, it became known that Yahoo had configured the toolbar by default not to scan for "adware," a category which includes among others Claria's Gator/GAIN software. It turns out that Yahoo supplies almost one-third of Claria's revenue, making it apparent that Yahoo was protecting its commercial interests rather than the privacy and security of Yahoo Toolbar users. This thread discusses that unfortunate decision by Yahoo and the dangers of relying on commercial entities more generally for spyware protection when they have a vested interest in putting advertising before internet users.

On March 29 I finally submitted my own comments to the FTC on the problem of spyware. You can download these comments in PDF format as a single document. That PDF document contains three texts: my comments themselves as well as two supporting documents:

Since one of those texts is rather large, I've split them up for those who might want to view them one-by-one. They are available in either PDF format or HTML format (web pages):

Note: to view the PDF versions of these documents, you'll need a PDF viewer like the free Adobe Acrobat Reader.

The FTC's Spyware Workshop comes at a time of heightened scrutiny from state and federal legislators, who are hearing ever louder complaints from their constituents about the problems of "spyware." What follows is a short compendium of web pages, recent reports, news articles, and opinion pieces concerning the efforts of state and federal legislators to address the issue of "spyware" through regulation and oversight:

I am currently Director of Malware Research at Sunbelt Software. Prior to joining Sunbelt I was a graduate student in the Graduate School of Library and Information Science (GSLIS) at the University of Illinois at Urbana-Champaign. For twelve years I taught business and technical writing at the University of Illinois. During 2004-2005 I taught a course in GSLIS titled "Literacy in the Information Age." For three years I also taught composition courses at Parkland Community College in Champaign.

Over the past five years I have maintained a personal web site -- first at at the University of Illinois; now at Spyware Warrior.com -- to supply internet users with resources to protect their privacy and security on the internet. Among those resources are several utilities and "block lists" that allow users of Microsoft's Internet Explorer web browser to protect themselves against the flood of unwanted software and content pushed on them by aggressive advertising and marketing entities.

If you have questions or comments about any of the information presented above, please don't hesitate to ask.