Spylawg

2005-08-01T12:29:00.000-04:00

Please check my new blog that deals with broader issues related to online advertising and privacy. Thanks!

2005-07-15T11:33:00.000-04:00

Almost a year has gone by and so much has happened, yet so little has changed. The proposed anti-spyware bills have rapidly emerged at the Federal and the State level, but there have been no real solutions and a lot of failed attempts.

Microsoft finally stepped into the Anti-spyware software space and then angered everyone by going soft on Claria, Intermix settled a spyware suit with New York State for $7.5M and then got acquired for $580M, WhenU cleaned up their act and won a landmark Internet trademark case, the Supreme Court ruled on Grokster and Claria ended its profitable relationship with Kazaa, the Anti-Spyware Consortium fell apart and the Anti-Spyware Coalition was born, web users have started changing their habits to avoid spyware, but as of now, this is the only real solution we have for the spyware problem!

2004-08-23T22:10:00.000-04:00

WAKE UP!

It’s almost been two months since my last post and I had considered discontinuing this blog for various reasons that are not worth mentioning here. However, news about the dangers of spyware, adware, malware or whatever you may call it seems to be everywhere, and it’s left my head spinning.

I completely support empowering the masses and making Internet users more aware about the plethora of online threats that are out there, but a lot of what's being reported in the press is vague and inconsistent and that’s not helping anyone. I agree that spyware is not easy to define, but I do believe that there is need to draw a clear distinction between applications that are dangerous and those that are legitimate, do no harm to consumers and are crucial for e-commerce. To add to the escalating mess, anti-spyware vendors tend to label a whole host of things as either spyware or adware that should be feared by everyone and lawmakers seem to be in a hurry to arrive at a quick-fix solution that could do more harm than good. So who's to blame for this rising tide of misinformation and more importantly, who has the solution? I believe the answer lies in the online marketing industry and I also believe that they are not doing enough.

A combination of anti-spyware tools, legislation and good business practices seems like the only plausible solution in sight, but the industry has to first take a lead on self-regulation and consumer education. So far, the industry has adopted a responsive approach to protect their vested interests, but I think its time they got more proactive. I'm not talking about isolated efforts by a few companies, because if one truly wants to educate consumers and embrace self-regulation, the industry has to adopt a united stance and inform the world about what (in their opinion) amounts to responsible business practices. Although this might seem like a Herculean task, I'm afraid that if we don't hear from the industry soon, internet users will get used to being suspicious about anything that interacts with their computers and will turn to firewalls and anti-spyware tools that not only block the bad guys, but also impact legitimate applications.

There is still ample opportunity for legitimate companies that are likely to be impacted by anti-spyware tools and poorly drafted laws to step up and be honest and clear about what they do and why no internet user should be concerned about their business practices. Crafting exceptions in proposed spyware laws to meet one's own business goals will do nothing to combat long-term consumer concerns about the safety of their computers and personal information.

If things continue the way they are, we’re not going to achieve anything because the bad guys are getting smarter and Internet users are just getting screwed!

2004-06-23T02:44:00.000-04:00

Utah judge freezes anti-spyware law - News - ZDNet

I do think that temporarily enjoining the Utah law and permitting the WhenU case to proceed to trial is a small step in the right direction. Not because I believe that the Utah’s Spyware Control Act has no scope of doing any good, and not because it has anything to do with WhenU but because state level spyware regulation on the whole might not be the best approach.

Each state law might establish their own notice and consent requirements in an effort to regulate spyware. Such an approach in the US would mean that online businesses would have to navigate through a minefield of complicated legislations to determine how one can fine tune privacy policies and online business practices to ensure compliance. Online businesses would therefore be compelled to comply with the most stringent regulations and adopt extensive measures that are not user-friendly and would require users to sift through various policy statements and disclosures while on the Internet. This could ultimately result in reducing the efficiency of the Internet and would have a negative impact on consumers, instead of protecting them.

Further, the internet is a global medium of communication without geographic borders and state-level attempts to regulate activity on the internet will have overbroad enforcement implications. Another good reason for resolving this issue at the Federal level is because the Constitution gives the authority to regulate Internet commerce to Congress. Utah's attempt to regulate the entire Internet seems to exceed its authority under the Constitution. Similar state attempts to regulate the entire Internet have been found unconstitutional in the past (e.g. American Library Association v. Pataki).

However, as I write this, the Federal Spy Act (H.R. 2929) seems to be moving a little too rapidly for comfort. A self-regulatory solution seems out of the question at the moment, but if Federal legislation is the answer, then we definitely need to spend more time to create a legislative proposal that would truly be effective. The issue of spyware raises some fundamental questions that impact the way the US approaches internet privacy regulation. Can a uniform Notice and Consent provision really be the answer to all spyware issues? Would an opt-in or an opt-out regime be more adequate considering the potentially hazardous/annoying as well as beneficial uses of some technology? I think that no legislation can truly combat the spyware threat, unless lawmakers, consumer groups and the industry first think long and hard on how to achieve this delicate balance between what is fundamentally good or bad.

I only hope that an over-zealous effort at the Federal level to find a quick solution does not result in a law that is riddled with drawbacks, which will give people like me even more reason to whine (but who’s listening anyway?).

2004-06-19T19:03:00.000-04:00

An amended version of California's Bill No. SB 1436 was introduced on June 14, 2004 and a hearing before the Assembly Business and Professions Committee is scheduled for June 22, 2004.

Back on the east coast, New York's Bill No. S 07141 was amended on third reading on June 14, 2004. It was subsequently passed by the Senate, delivered to the Assembly and referred to the Codes Committee on June 17, 2004.

2004-06-18T18:33:00.000-04:00

House Subcommittee Approves Anti-Spyware Bill

A revised House Bill 2929 returns. Keep an eye out for this one, because it might just be the Federal legislation that might go all the way. Kudos to whoever came up with such an original name. The Securely Protect Yourself Against Cyber Trespass Act! So this is the "Spy Act Act?"

More intelligent commentary to follow in the coming weeks...Watch this space.

2004-05-20T09:42:00.000-04:00

California Anti-Spyware Bills Progress

SB 1436, introduced by Sen. Kevin Murray was sent to the Assembly by a 36-2 vote and AB 2787, introduced by Assemblyman Tim Leslie is scheduled to be heard by the full Assembly next week.

Google Releases Spyware Prevention Guidelines

I personally think this is a great move by Google and although they have their own interests in mind, I'm glad they've made an attempt and its been done in a simplistic manner (the way we've grown to expect things from them).

2004-05-07T18:21:00.000-04:00

Will spyware/adware turn out to be a bigger threat than spam? So how do we combat it?

In keeping with the tradtional US approach, the first step should be to increase consumer awareness, promote technical solutions and establish industry best practices. State level spyware legislations could create several potential problems; including inconsistent state level notice and consent requirements, overbroad enforcement implications and might ultimately do more harm than good for e-commerce and consumers interests. However, as the issue of spyware/adware gathers more media attention, it will increase the urgency of lawmakers to propose quick solutions.

The spam craze spun lawmakers into frenzied action all over the world. In the US, the CAN-SPAM Act of 2003 preempted more than 30 state laws in an effort to bring about uniformity to the legal efforts to combat spam. However, spam reportedly accounted for 82% of all U.S. email last month. Further, the EU does not seem to be having much luck with its new spam directive either. Although the jury is still out on the effectiveness of the Can-Spam Act, Congress might end up going down the same path on the issue of spyware if self-regulation fails.

2004-05-04T17:39:00.000-04:00

New Federal Spyware Bill Introduced

Rep. Jay Inslee introduced a Spyware bill which requires advertising software to include a Notice that us not materially false or misleading and include directions on how internet users can uninstall or disable such software. Further, obtaining the consent of the users is cotoguous on the notice provided and users must reasonably understand the functions to which such consent is granted. The bill grants the FTC authority to enforce the law and impose fines and penalties. In other news, Rep. Mary Bono plans to re-introduced a revised version of Bill Number HR2929 in the near future.

Lawmakers seem determined to find a regulatory solution to spyware, although the FTC as well as the technology industry are of the opinion that a legislation would do more damage than good.

2004-04-26T19:00:00.000-04:00

NY Senator Suggests Criminalizing Spyware

Senator Michael Balboni has introduced a Bill in the NY state Senate to regulate spyware!

The other NY bills, A 8035 and S 5239, which were introduced in April, 2003 were referred to the Consumer Protection committee On January 7, 2004.

2004-04-23T13:45:00.000-04:00

This is a good article, which articulates the point I made in my last post. Utah's spyware law and the other proposed state and federal legislations go well beyond the goal of restricting the use of secret software spying mechanisms unknowingly downloaded onto a user’s computer and impacts legitimate business practices.

I think the EU is a step ahead of the US at addressing this problem while attempting to regulate spyware. The EU Directive on privacy and electronic communications (Electronic Privacy Directive), which was adopted on July 12, 2002 includes provisions relating to Spam and SMS marketing and also specifically targets technical methods of data collection and processing that is performed by software and hardware on the Internet without the knowledge of internet users (this is basically what is broadly referred to as 'spyware')

The Electronic Privacy Directive requires Member States to ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of users is only allowed if:

- users are informed of any invisible tracking devices or software that is placed on their computers
- users are informed of the purposes of such software and devices and the purposes should be
legitimate (i.e. in conformity with established privacy principles)
- users are offered an opportunity to opt-out from the use of such devices or software.

The Electronic Privacy Directive covers spyware, web bugs, hidden identifiers and other similar devices that can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. It is important to note that although the new provisions under the Electronic Privacy Directive target all technical methods of collection of data from the terminal equipment of users of electronic communications networks, the Directive recognizes that some non-obvious data collection technologies such as "cookies", can be used as a legitimate and useful tool, for example, in analyzing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. However, even where devices such as cookies, are intended for a legitimate purpose, they have to meet the two basic requirements (notice and an opportunity to opt-out). This may be a good approach to avoid restricting technologies that can have legitimate purposes and could be beneficial for users and the e-commerce industry as a whole.

If the US decides to tackle the problem of spyware through legislations, it should first recognize that such technologies raise concerns that are not limited to the protection of privacy rights and enter into the realm of trespass and the ability of an Internet user to control use of his/her terminal equipment. I generally agree with the EU approach, which builds on privacy law principles of notice and consent and ensures that non-obvious data collection technologies are only used for legitimate business purposes. However, the EU Directive is not without its drawbacks. Further, the implementation of the Electronic Privacy Directive into national legislations of the member states has been slow, and therefore the true impact of the Directive cannot be assessed as of now.

2004-04-22T21:01:00.000-04:00

Utah's Spyware law may see some changes

Hot on the heels of the delay in the enactment of Utah's new Spyware law, comes more news that the said law (in its present form) might not be the best solution to the problem of spyware.

This article makes important observations on the need for more public awareness and the drawback of having a law that has a negative effect on technology that is legitimate and has a beneficial use to consumers. On the issue of arriving at what would constitute reasonable standards of disclosure, this article rightly points out what companies should and should not try and get away with. I liked the comparison between WhenU's disclosure and that of the Google Toolbar.

I might be repeating myself, but I think there is a need to recognize that it is the use of the technology at issue here and not the technology itself. There is a need to outline what constitutes acceptable/unacceptable behavior and whether technological measures, greater awareness or a regulatory solution or a combination of these elements can make the Internet a safer place for consumers (without having to restrict technology and legitimate business practices that are fundamental to the future of the internet).

2004-04-22T10:36:00.000-04:00

WhenU Suit Delays Utah Anti-Spyware Law

The preliminary injunction hearing is scheduled for May 21 in the third Judicial District Court of Utah. WhenU's ability to do business in Utah is at stake if the preliminary injunction is not granted.

2004-04-20T23:19:00.000-04:00

Now that we know that the FTC has grasped the complexities involved with dealing with the problem of spyware and that they don’t support a quick fix regulatory solution, what does an internet user do? Fight spyware yourself!

You might have also heard that Earthlink currently offers a free service known as Spy Audit that analyzes the contents of a hard drive and provides a report of spyware programs it finds. According to Earthlink, "This free service examines your computer and lists spyware results in minutes. It will not change or harm your system in any way". Further, Earthink has started to keep tabs on spyware. As reported earlier, Earthlink found an average of nearly 28 spyware items on each PC it scanned during the first quarter (1.06 million scans were carried out through its Spy Audit service for this purpose). Now did independantly run these scans, or are these the scans run by user's who have availed of the service? If the latter is true, then Earthlink definitely does not provide enough information about what the software does. Moreover, their Privacy policy doesn't seem to have any information about data gathered by the software and how it is used. And lastly, the software starts scanning automatically once you click on the downloaded file, without providing any further information to the user. Hello Earthlink?

2004-04-20T10:33:00.000-04:00

Former Collier Shannon Scott Partner to Spearhead Claria's Consumer Privacy Protection and Government Affairs Efforts

Just when I was wondering how Claria was going to fight the odds with their unproven and controversial business model that has been labelled by many as 'adware/spyware', they've gone ahead and recruited a really respected privacy lawyer. Great move! 'Behavioral marketing' (as they prefer to call it) is not going down without a fight.

2004-04-19T19:36:00.000-04:00

FTC Takes On Spyware

While I applaud the FTC's current efforts to put a swift end the new menace to Internet society, I cannot imagine a simple solution to the problem.

The FTC should rightfully be taking the lead in this endeavor, and should protect consumers from unfair and deceptive practices that can secretly gather data and ruin your computer and Internet connection. However, the FTC is definitely short of resources at this point to take on such a Herculean task, but hopefully it will see better days ahead.

As I mentioned earlier…the FTC workshop is a start in the right direction and I don’t want to say more on the possible outcome until there is some sort of consensus or concrete action plan. I must say, the early signs are encouraging and pretty much outline the current mess and the significant role the industry and technology can play, before one can think of implementing a viable regulatory solution.