Combatting malicious spyware and privacy violations on the Internet is a big part of CDT’s mission. So CDT supports strong legal tools to pursue bad actors. But we also want to ensure that those tools don’t provide a broad basis for targeting or threatening people who aren’t doing anything nefarious. A provision in a bill approved by the Senate Judiciary Committee yesterday carries that risk.

The bill, S. 2168, includes a variety of reasonable provisions designed to improve the criminal statute against computer intrusions, including raising criminal penalties against spyware purveyors. But one item is problematic.

Specifically, 18 U.S.C. 1030(a)(5) currently criminalizes accessing or transmitting data to a computer on an unauthorized basis, in a manner that causes damage of at least $5,000. The new bill would eliminate the requirement that prosecutors demonstrate that damages are at least $5,000. Under the new bill:

• Violations without the $5,000 damage showing would be prosecutable — though as misdemeanors rather than felonies;
• Felony status would require either a showing of $5,000 in damages, or a showing that 10 or more computers were affected; and
• The private right of action in 1030(g) would be substantially expanded, becoming available not just when there is $5,000 in damage, but also (like felony status) whenever 10 computers have been affected.

(more…)

Adware vendor DirectRevenue has officially shut down. According to a notice posted on its Web site, the company has “ceased operationsâ€? and is maintaining the site only to provide uninstall instructions to legacy users of its adware products. This is good news from a company that engaged in some of the most egregious behaviors in the spyware space — sending “torpedoesâ€? to remove anti-spyware software and showing a pop-up ad every minute, for example.

This will not be the last that we hear from DirectRevenue, however. Although the company settled with the Federal Trade Commission for $1.5 million earlier this year, the New York Attorney General’s lawsuit against DirectRevenue and its owners is still pending. As CDT noted when the FTC announced its settlement, $1.5 million is chump change for a company whose owners earned $20 million by deceiving consumers. Thankfully, the state attorneys general have the authority to pursue these kinds of deceptive operations, and the folks in New York have been vigilant about enforcing against the Internet’s nastiest spyware schemes. DirectRevenue may be finished online, but certainly not in court.

Earlier today I had the opportunity to participate in the 3rd Joint London Action Plan-Contact Network of Spam Authorities Workshop, which also featured joint sessions with the Messaging Anti-Abuse Working Group. Every LAP-CNSA conference includes a panel on organizational updates, and I was pleased to provide an update on the activities of the Anti-Spyware Coalition. The ASC has been hard at work this year, finalizing its Best Practices and Conflict Resolution documents and organizing a successful public workshop of its own in June.

Bigger news from the event came yesterday when Federal Trade Commission Chairman Deborah Platt Majoras announced that a district court judge has put a halt to an international spamming operation that deceptively promoted drugs for weight loss and aging reversal. This is the first case in which the FTC has made use of the U.S. SAFE WEB Act, a law passed late last year to make cross-border enforcement easier for the agency. Allowing cooperation with other nations is an absolute necessity in an age where cross-border networks make multi-national scams a routine occurrence.

In testimony before Congress earlier this year, CDT expressed the hope that the FTC would make increasing use of its new SAFE WEB Act powers. Because the Commission is not required to report to Congress about its usage of the new law for three years, monitoring how the Act is affecting cross-border enforcement is difficult unless the FTC volunteers this information. In this case, the Commission chose to do just that, much to CDT’s delight.

We are pleased to see that the FTC is both making use of its new cross-border powers and disclosing the fact that it has done so. We hope this trend will continue.

In an important ruling for consumers, a federal court in Seattle this week found that an anti-spyware provider was immune against the legal claims brought by a company that distributes potentially unwanted adware. The court ruled that the Communications Decency Act protected Kapersky Lab Inc. against claims that its spyware-filtering tool interfered with the functioning of Zango Inc.’s “adware” program. The case was one of two rulings against Zango in suits the company had filed against anti-spyware vendors. The other was Zango v. PCTools.

User empowerment is key in the fight against spyware. In both these cases, Zango was attempting to keep its adware program functioning even when users installed anti-spyware software to counteract such behavior.

Anti-spyware vendors have the difficult task of deciding what software is dangerous or objectionable to their users. However, providers of such tools have previously been threatened with legal action for targeting certain software for blocking or removal. Some software is unwanted by some users and not others. And many potentially unwanted programs exhibit both desirable and undesirable behavior. It is up to anti-spyware vendors to decide what poses a risk to their users, and provide their users with appropriate choices to deal with that risk.

The danger of the sort of lawsuit brought by Zango in these cases is that intimidation could discourage anti-spyware vendors from using their own best judgment about what software to target, in turn limiting the quality of tools available to the consumer. The Kapersky decision, in particular, offers important reassurance for anti-spyware companies, and will make it harder for companies like Zango to be successful in legal intimidation tactics.

Given the robust competition in the anti-spyware market, users have a great deal of choice regarding the level of targeting and protection that best suits them.

Anti-spyware providers, meanwhile, can look for guidance in the Anti-Spyware Coalition (ASC) standards. These guidelines were developed by anti-spyware software companies, academics, and consumer groups in order to create industry standards in the assessment of spyware. These guidelines ensure that vendors follow industry standard guidelines, providing grounds on which to defend their identification of spyware and the actions they take to protect consumers.

In the recently released State of the Net report for 2007, Consumer Reports noted that spyware infections have dropped. However, the chances of any given computer getting an infection are still quite high — one in three — with about a quarter of the infected computers suffering serious damage from spyware.

The report highlights the practice of online advertising services and Web sites deceptively installing programs on computers, which then pop up advertisements. A Google study estimated that ten percent of the websites it indexes attempt to download potentially unwanted software onto visiting computers. Many large websites have agreed to discontinue use of these advertising services, after several states and the FTC brought action against various sites.

This report serves as a reminder that — while our tools for fighting spyware are advancing — so too is the threat. Anti-virus and anti-spyware analysts say that threats are continuing to emerge, and consumers are at great risk. New tools are available to malware creators, making the creation and distribution of malware easier.

While progress is being made in the fight against malware, technical and legal avenues must continue to be pursued.

I just returned from Vegas and an interesting couple of days at Black Hat and Defcon. The Anti-Spyware Coalition put on the same panel at both conferences. Eileen Harrington, Deputy Director at the FTC, gave a great overview of the Commission’s work on spyware and suggested that they are spending a lot of time helping highlight the criminal aspects of spyware to others in the government — since the FTC is a civil law enforcement agency, they pass criminal matters to the DOJ.

Ben Edelman, now an Associate Professor at Harvard Business School, gave an overview of some of his latest research including his report on several exploits that install Zango software that seem to be pretty clearly in violation of Zango’s settlement agreement with the FTC. Mario Vaksun, Director of Knowledgebase Services at Bit9, showed some interesting research about how malware installers have been issued signatures by the two biggest certificate authorities raising questions about the long term ability of this form of authentication to protect users. It seems that the “Sexy Sexy” dialer was given over 1,700 certificates.

Some of the other top notch policy presentations that I saw were given by Jennifer Granick, now at Stanford Law but soon moving to EFF, who gave an excellent case studies in Disclosure and Intellectual Property Law and by Robert W. Clark, of the Department of the Navy Secretariat, who gave one of the more informational and entertaining “Year in Review on Computer and Internet Security Law” presentations that I’ve ever seen.

And yes, the Defcon badge is as cool as advertised.

Yesterday was an excellent example of what makes the Anti-Spyware Coalition’s Public Workshops so exciting for members of the Anti-Spyware industry and the other organizations impacted by spyware. The ASC hosted its third Public Workshop at Harvard University Law School, in conjunction with the Berkman Center for Internet and Society and StopBadware.org.

Steve Gibson offered a morning keynote to start the day off. He talked about how he came into the anti-spyware business, and what he saw as the inherent problems in modern network security. Steve also sat on the first panel of the day, which continued to explore the current state of spyware and malware and the fight against it.

Chris Boyd (aka paperghost) of vitalsecurity.org and FaceTime Communications, joined fellow spyware fighters from Earthlink and CAUCE to discuss the various international threats that they have been picking up recently in the second panel of the morning.

Over lunch, Cindy Southworth of the National Network to End Domestic Violence put a very real face on what can sometimes become a very academic discussion by conducting an informal chat with a survivor of domestic abuse whose abuser used various forms of spyware to track her.

In the afternoon, two more panels offered insights into the less technical side of the issue. John Palfrey of the Berkman Center, Ari Schwartz from CDT and Tracy Shapiro from the Federal Trade Commission had an in depth discussion of the current laws, both national and state, and the current bills that are moving through the US Congress.

Finally, representatives from some of the larger anti-spyware filtering, white-listing and black-listing efforts took to the stage to discuss non-software approaches to combating spyware. TrustE, StopBadware, SiteAdvisor and Google each talked about the work they’re doing to combat spyware by informing the user about the content they’re downloading, before they download it. An interesting discussion of user education ensued.

StopBadware and paperghost blogged the event, and Harvard video recorded the day. Keep an eye on the ASC website to see the video in the near future.