Spyware and the Federal Trade Commission

The results of the Federal Trade Commission’s spyware conference have been released. The workshop took place in Washington DC on April 19, 2004, and I wrote two position papers that were submitted as public comments 68 and 352.

There is a press release on the report: www.ftc.gov/opa/2005/03/spywarerpt.htm
The report itself is here: (68 page PDF): www.ftc.gov/os/2005/03/050307spywarerpt.pdf

Overall, everyone involved in the industry will find the “Government Responses to Spyware” section of the report interesting, on pages 19-24. The earlier sections, describing spyware, its detection, and industry responses, is thorough and very readable, and after that are supporting documents, footnotes, example screen captures, and the event handouts.

Although the FTC did not call for new legislation, the report does state that existing legislation gives them enough tools to prosecute the creators of spyware and adware right now. That’s an interesting change from what I heard last year from FTC staffers at the workshop. Then, spyware was the question, and adware wasn’t on their radar. Now, the report makes it clear that the line between spyware and adware isn’t clear, and that these two wares can’t be treated separately.

It has been a year since the workshop. Some things have changed. Then, the Microsoft representative talked about Service Pack 2 for Windows XP, and how that would help prevent spyware installations. Now, we know that it discourages downloading of our own products. Then, we heard from companies like Lavasoft that a formal definition of spyware was needed so that the anti-spyware companies could delete problem products without threat of lawsuit. Now, there have been reports at C|Net’s www.news.com that the larger adware publishers have become extremely active against companies that identify their products as spyware.

Then, it appeared that a consortium of adware publishers (Consortium of Anti-Spyware Technology vendors, or Coast) might help to control the problem. Now, Coast is shrunken and likely to be dead soon, and Lavasoft and PestPatrol, which has now been purchased by Computer Associates, use their own in-house point systems for identifying spyware, and aren’t waiting for government definitions.