In Support of Utah’s HB450

When a user searches for Hertz, may a search engine show ads for Avis instead?* A natural libertarian instinct might reply yes, sure, do whatever you want. I want to push back on that, offering reasons why such ads are improper.

Modern search engines are notable for their striking ability to give users exactly what they ask for. Search for Hertz, and most of the links will indeed take you to Hertz or bona fide Hertz-related sites (like booking agents or consumer reviews). In this context, what is a user to think when a search engine serves up an ad for something altogether different from a user’s request? Because search engines are generally so good at providing just what users requested, there’s likely user confusion any time a search engine instead replies with links to competitors. After all, if a user asked for Hertz, it’s perfectly reasonable for the user to expect that resulting links will be responsive to the user’s request.

Now, search engines often say their ad labels cure any possible user confusion. I disagree. For one, the labels are easily overlooked — all the way off to the side, all the way in the corner. Moreover, while the words “sponsored links” may be clear to an attorney or an advertising professional, I’ve found that the wording is deeply ambiguous to ordinary users. Sponsored by whom? The search engine? The company the user just asked for? A different label, like “advertisements” or “paid advertisements,” would be more effective in curing confusion. But that’s not on the table.

Meanwhile, litigation does not lend itself to resolving these questions. Consider typical litigation about these ads: Blow up an exemplar onto a big posterboard, analyze it from every angle, and discuss it for days on end. The very process of litigating the case makes it amply clear what’s going on. So it’s hard for a court to get into the mindset of an ordinary user who’s confused, who didn’t know what “sponsored links” meant, and who didn’t really see that label in any case. In this context, it comes as no great surprise that US courts reach mixed results on the question of whether a search engine may show ads for one company when a user requests a direct competitor. European courts, for whatever it’s worth, tend to say search engines must not do so.

Search engines also often claim users benefit from ads for competitors. I guess it’s possible that some users might search for Hertz, not knowing that Avis even exists. But how many users does this really describe? If a consumer actually wants offers from multiple providers, those are easy to get; just search for "car rental" or "rental car deals" to get plenty of choices. In contrast, as described above, when a user searches for a specific provider, competitors’ ads are more likely to be confusing, and less likely to be useful.

Despite lofty claims about consumer benefits, I’ve always thought search engines let advertisers bid on each others’ trademarks for one simple reason: Money. If the only advertiser allowed to bid on ads for "Hertz" is Hertz, a search engine won’t be able to sell many ads. (They’ll sell at most one, to Hertz. But even that one will garner a low price, reflecting that Hertz did not have to outbid anyone else. Furthermore, why should Hertz buy an ad for its own trademark, when it already gets top position through organic listings?) In contrast, if a search engine can get ten different car rental advertisers competing for slots, revenues will increase dramatically. (See my revenue analyses through simulations and counterfactuals.) Now, I don’t mean to say increasing revenue isn’t a laudable goal for search engines. But the financial implications frame my assessment of search engines’ arguments. They say "consumers" and "competition"; I hear "revenues" and "profits."

The HB450 Approach

Against that backdrop, Utah offers HB450, which seeks to provide an alternative. In those narrow circumstances when Utah has proper cause to regulate — among the key conditions, an advertiser using a search service that knows users are in Utah — Utah would require that advertisers not trigger ads based on competitors’ trademarks. The results? Less confusion for consumers who just want to get what they asked for. Plus, companies can reap where they’ve sowed. If a company invests in offline advertising (like ads on TV or in newspapers) to get users to search for its brand, those searches will show the company’s ads, not offers from competitors. It’s a perfectly natural, sensible approach.

Indeed, HB450 is a narrow approach. HB450 imposes no possible liability on search engines, no matter what. Rather, HB450 applies only to advertisers. Furthermore, an advertiser’s duty under HB450 is only to take down the offending ads, and even that only after notice. In addition, HB450 grants a successful plaintiff no monetary damages; HB450 allows only an injunction requiring that a defendant take down the offending ads, and attorneys’ fees to cover the cost of the action, but no further payments. In short, HB450 uses a minimalist approach, grounded in private-sector self-regulation and companies notifying each other of ads they believe cross the line. Far from the intrusive morass Eric Goldman seems to envision, this is sensible and appropriate, protecting consumers from confusing or deceptive ads, and protecting advertisers from competitors trading on their good names.

Nor is HB450 any kind of comprehensive Internet regulation, as an AT&T spokesman claimed in statements to ClickZ. Trademark law and consumer protection are both traditional subjects of state regulation, and there’s no reason why states’ advertising regulations shouldn’t apply online too — particularly as geolocation systems become increasingly widespread and as it therefore becomes feasible, indeed easy and the norm, to present ads differently in one state versus in others.

In due course, I’d like to see federal regulation expand HB450 to national scope. After all, HB450’s protections ought not be limited to consumers and advertisers in Utah, and it would be perfectly natural to offer HB450 nationwide. But it’s perfectly normal for new regulatory approaches to begin in individual states — letting experience in a few states guide the decision to expand more broadly. That’s an appropriate approach here, and my hope is that that’s what will happen.


* – My Hertz/Avis example is purely hypothetical. While many advertisers run ads targeting competitors’ trademarks, I do not mean to suggest that Avis does so.

The News, at My Site and Elsewhere

I’ve recently written about increasingly controversial online schemes — from installations through security holes, to spyware companies deleting each other, to programs that set affiliate cookies to claim commissions they haven’t fairly earned.

These aren’t nice practices, so I suppose it comes as no surprise that someone — perhaps some group or company that doesn’t like what I’m writing — has sought to knock my site offline. For much of Monday and Tuesday, as well as several hours last week, all of my site was unreachable. My prior web host, Globat, tells me I was the target of the biggest DDoS attack they’ve ever suffered — some 600MB+/second.

DDoS attacks continue, but I’m fortunate to be back online — entirely thanks to incredible assistance from Paul Vixie of the Internet Systems Consortium. You may know Paul as the author of BIND or as co-founder of MAPS. (Or just see his Wikipedia entry.) But he’s also just an all-around nice guy and, apparently, a glutton for punishment. Huge DDoS attack? Paul is an expert at tracking online attackers, and he’s not scared. A special thanks to his Operations, Analysis, and Research Center (OARC) for hosting me. In any case, I apologize for my site’s inaccessibility yesterday. I think and hope I’ve now taken steps sufficient to keep the site operational.

Meanwhile, there’s lots of spyware news to share. I now know of fourteen different states contemplating anti-spyware legislation — a near-overwhelming list that is particularly worrisome since so many bills are silent on the bad practices used by the companies harming the most computer users. (Indeed, seven of the bills are near-perfect copies of the California bill I and others have criticized as exceptionally ineffective.) At the same time, federal anti-spyware legislation continues moving forward — but in a weak form that I fear does more harm than good.

Then there’s COAST’s dissolution — to my eye, the predictable result of attempting to certify providers of unwanted software when their practices remain deceptive. It’s reassuring to see Webroot standing up for consumers’ control of their PCs, though surprising to see Computer Associates defend COAST’s certification procedure as "valuable." Now that Webroot and CA have withdrawn from COAST, COAST seems bound to disappear — probably better for users than a COAST that continues certifying programs that sneak onto users’ PCs.

The final surprise of last week’s news: Technology Crossover Ventures joined in a $108 million round of VC funding for Webroot. Wanting to own a piece of Webroot is perfectly understandable. But TCV is also an investor in Claria, a provider of advertising software that Webroot removes. (See also other investors supporting spyware.) How can TCV fund both Claria (making unwanted software) and Webroot (helping users remove such software)? TCV seems aware of the issue: They’ve recently removed Claria from their Companies page. But other sources — Yahoo! Finance, Private Equity Week, and even the Google cache — all confirm that the investment occurred.

What Hope for Federal Anti-Spyware Legislation? (updated January 31, 2005)

Will the new year bring effective, tough federal anti-spyware legislation? Congress’s attempt to block spam, the CAN-Spam Act, was by most reports unsuccessful. But I think Congress could do better with spyware. Spammers tend to be small, fly-by-night operations — hard for lawyers and courts to find and stop. In contrast, many spyware companies have fancy headquarters and major investors. (See my recently-released list.)

So tough anti-spyware legislation could find and stop the biggest spyware offenders. Unfortunately, from what I’ve seen so far, any new anti-spyware law will be surprisingly lax. The major effort so far is Rep. Mary Bono’s recently-reintroduced SPY Act (H.R.29). Her intentions are surely good, and Reuters has called her bill "tough." But as I read the bill, it’s riddled with loopholes and almost certain to be ineffective. (Ed Felten offered this unhopeful assessment in his predictions for technology policy in 2005, and Ed Foster has been saying so since June.)

The Sec.2. "Deceptive Acts" Prohibition — and Its Loopholes

Bono’s bill begins with eighteen specific practices to be prohibited. From taking control of a computer and using it to send “unsolicited information” (e.g. junk email) (Sec.2.(a)(1)(A)), to using a keystroke logger ((a)(3)), to changing home pages ((a)(2)(A)) and bookmarks ((a)(2)(C)), the bill prohibits a veritable laundry list of controversial activities.

But Sec.2.(a) covers only actions that are "deceptive." Indeed, many of the section’s prohibitions wouldn’t make sense without an exception for legitimate programs. Certainly users should be able to set new home pages if they choose, and when users install new programs, those programs should be able to add entries to browsers’ Favorites menus. Yet these same actions are unwanted when performed by spyware programs. Unfortunately, the bill offers no definition or clarification as to how to tell the difference — as to what constitutes a deceptive action. Is an action "deceptive" when it is disclosed only in fine print in a 25-page license? When the action is disclosed in a license users are never actually shown, only offered via an optional link? When the action is prominently disclosed, but in an installation performed by a site targeting children? Surprisingly, the bill is entirely silent on these important questions of what exactly Sec.2. does or does not prohibit. Instead the bill merely leaves these matters to FTC "guidance."

Pending such FTC rules, the Sec.2. requirements will be largely ineffective: Spyware companies will claim that users consented to their schemes when users pressed "yes" in installation dialog boxes — no matter how lengthy, confusing, misleading, or poorly-presented the on-screen disclosures. At best, the bill asks the FTC to address the problems Sec.2. identifies — hardly the "tough" regulation Reuters reported. The FTC’s prior "consent" comments suggest that the FTC would consider a "yes" press as an absolute bar against a Sec.2. complaint. Since so many spyware programs install by tricking users into granting at least some form of supposed consent, this FTC interpretation would eviscerate Sec.2.

Sec.2. is also puzzling because many, if not most, of the specified practices are already prohibited by existing law. For example, Sec.2.(a)(5) prohibits "Inducing the owner or authorized user to install or execute computer software by misrepresenting the identity or authority of the person or entity providing the computer software to the owner or user" — which sounds like common law fraud, and is therefore already illegal. Similarly, Sec.2.(a)(8)’s prohibition on removing security software echoes the existing Computer Fraud and Abuse Act, which prohibits "exceed[ing] authorized access" to a computer.

Perhaps Sec.2. is valuable for providing a consolidated listing of prohibited practices pertaining to unwanted software, higher penalties for such practices, and renewed calls for enforcement. But the underlying unauthorized interference with users’ computers is already illegal. What Sec.2. could do — but doesn’t — is tighten notions of consent so that spyware companies can’t claim authorization, then escape liability, where users didn’t intend to grant authorization.

The Sec.3. Notice Requirements, and How Spyware Companies Can Abuse Them

The bill’s Sec.3.(c) gives some regulation of notice and consent as to programs that collect personal information, or that track online activities and show advertising. But the bill is exceptionally permissive, seeming to permit many of the tricks spyware companies have long used to persuade users to accept their software.

Sec.3. sets out four basic requirements for notice and consent:

  1. Notice must be "clearly distinguish[ed]" from other on-screen text. ((c)(1)(A))
  2. Notice must include text "substantially similar" to "This program will collect and transmit information about you" or "This program will collect information about Web pages you access and will use that information to display advertising on your computer." ((c)(1)(B))
  3. Notice must remain on screen until the user grants or denies consent. ((c)(1)(C),(E))
  4. Notice must provide an option giving "clear" additional information about the type of information to be collected and the purpose of such collection. ((c)(1)(D))

Taken in the abstract, these sound like reasonable requirements. But many providers of unwanted software already largely satisfy these requirements, while nonetheless installing their software in ways that confuse users and in ways that don’t give users a full sense of what the programs will actually do.

Consider, for example, the Grokster installation procedure. By my count, Grokster shows a 120-page Claria license followed by a 278-page license for half a dozen other programs. These licenses differ somewhat from the specific text in the bill’s section (c)(1)(B), but the bill’s "substantially similar" provision means the existing text may be sufficient. And although Grokster ultimately installs at least fifteen different unwanted programs, it need only show a Sec.3. disclosure once: The fact that Claria’s disclosure (perhaps) satisfies Sec.3.’s requirements seems to clear the way, under the plain language of Sec.3., for Grokster to install whatever other programs it wants, without so much as telling users the names of the programs to be installed.

A Claria drive-by download prompt — allowing the user to press ‘Yes’ and have software installed, without first seeing Claria’s license agreement.

Even "drive-by downloads" might be taken to be permitted under the bill. Recall the ActiveX "security warnings" shown by Windows versions prior to XP Service Pack 2 — pop-ups like that shown at right, appearing when users browse unrelated web sites, but installing software on users’ computers with a single press of a "yes" button. (These practices are all the more confusing because some legitimate programs, like Macromedia Flash, use the same dialog box to install their latest versions.) Turning to the specific requirements of the bill as applied to these installation attempts:

  • The use of a hyperlink, with resulting blue highlighting and underlining, could be claimed to satisfy the "clearly distinguish" requirement of (c)(1)(A).
  • Claria’s existing disclosure could be claimed to be "substantially similar" to the required (c)(1)(B) statement. Claria’s existing "display … GAIN-branded ads" disclosure could be claimed to be similar to the bill’s "display advertising on your computer" model text. Claria’s "based on websites you view" might be claimed to be similar to the bill’s "collect information about Web pages you access."
  • The installation dialog box remains on screen until the user makes a choice, seemingly satisfying the requirements in (c)(1)(E).
  • Claria’s hyperlink provides more information, seemingly responsive to the requirement in (c)(1)(D), though Claria’s lengthy text might or might not satisfy the bill’s "clear description" requirement.

Of course, some practices are so egregious that even the proposed bill would prohibit them. For example, when 180solutions software is installed through security holes, users get no notice whatsoever and have no opportunity at all to deny consent — violating the Sec.3. requirements. But Claria’s drive-by downloads are also arguably unacceptable. Why should Congress endorse software installed via popups which appear as users browse totally unrelated content; which install software with just a single click of "yes"; and which look so similar to popups installing software that users actually need (like Macromedia Flash)?

I see at least three specific problems with Sec.3.:

  • Allowing disclosures to be written in "substantially similar" language — inviting spyware providers to describe their products in marketing euphemisms, deterring users from making an impartial choice based on unbiased facts and plain language.
  • Allowing installation of many unwanted programs after only a single disclosure — without telling users about the names or even the quantity of programs to be installed.
  • Giving software providers carte blanche to repurpose users’ computers for software providers’ benefit, after requiring only a one-sentence pro forma disclosure.

Weak enforcement

Suppose some bad actor violated the bill’s requirements. How will they be held accountable? Sec.4. speaks to enforcement — unfortunately giving enforcement authority only to the FTC.

Experience shows the FTC to be slow to pursue spyware perpetrators: The FTC has filed only a single anti-spyware case to date, and has failed to act on (among scores of other problematic activities) the installation of dozens of programs through security holes, even when documented in research posted months ago (by me and others). If the FTC won’t rigorously enforce Bono’s bill, then the bill will be a dead letter — on the books, but unsuccessful in constraining spyware companies’ behavior.

A better approach would encourage enforcement by parties with a strong incentive to act. State attorneys general face public election which inspires aggressive pro-consumer litigation. Private parties also have clear incentives to sue, since they could seek to recover damages from spyware companies operating in violation of the bill’s requirements. I’d like to see the enforcement clause broadened to grant enforcement powers to those with real incentives to identify and pursue wrongdoers.

Alternative legislation

What would tough anti-spyware legislation look like? One easy addition is to specifically prohibit drive-bys. Congress should not allow the installation, as users merely browse unrelated web pages, of software that tracks online activities and shows ads. Users should only be offered such software at a time and in a manner in which they can meaningfully evaluate the agreement. They should have to seek out such software to be installed on their computer; it should not be foisted upon them. Neither should users suffer repeat installation attempts — like reappearing "You must press ‘Yes’ to continue" popups that harass users until they agree. Saying ‘no’ once should be enough, but nowhere does the bill prevent spyware providers from asking over and over.

Tough anti-spyware legislation would also establish special barriers against practices known to be particularly detrimental to users’ PCs. Installing a dozen or more spyware programs cripples even a fast computer, and tough anti-spyware legislation would, at the least, require special disclosures when a requested program intends to install multiple other programs. I’d expect at least a listing of all the specific programs to be installed, with a one-sentence description of the effects and purported benefits of each.

Congress should also speak to the uses of affiliates to perform software installations. Companies like 180solutions have embraced affiliate installations — offering web-based signup procedures (not to mention spam email campaigns) to find "partners" to install 180 software in exchange for commissions of $0.07 per installation. Later, when 180 software is installed without notice or consent, 180 claims "deceptive distribution" — as if 180 were surprised that their unaccountable affiliates didn’t follow the rules. A tough anti-spyware law should decisively close this potential loophole. Where software developers are lax in their supervision of affiliates, and especially where affiliates’ bad practices continue for months on end, the software developers should be held accountable — legally and financially — for the prohibited actions of their affiliate business partners.

As discussed above, the bill lacks meaningful enforcement provisions. Real compliance almost certainly requires permitting enforcement by state attorneys general and private parties. A truly tough anti-spyware bill should also hold advertisers accountable for their decisions to contract with, support, and fund spyware companies. If an advertiser hires a spyware company to show its ads through software wrongly installed on users’ PCs, perhaps that advertiser should pay a share of the costs of repairing users’ computers.

Rather than helping the spyware problem, Bono’s weak bill could even make things worse. If passed, the bill will fill the space — making further federal anti-spyware legislation unlikely, at least in the short run. Also, the bill specifically supersedes state laws which might be tougher — so if Bono’s bill passes, no state can set higher requirements. (In a recent hearing, Congressman Gillmor raised this same concern.) Finally, passing a bill that rubber-stamps spyware firms’ controversial practices serves only to make those companies stronger. Claria publicly supported California’s toothless anti-spyware bill. Since Bono’s bill will do equally little to curb Claria’s practices, Claria will surely support this legislation too.

But all is not lost. With half a dozen line edits, Bono’s bill could be significantly better. And the bill is only a few hours of editing away from prohibiting spyware companies’ major deceptive practices without affecting legitimate practices used by mainstream companies. Here’s hoping for a bill that truly deserves the "tough" moniker.

Grokster and Claria Take Licenses to New Lows, and Congress Lets Them Do It

I’ve recently been looking at the unwanted software installed by Grokster (a peer-to-peer filesharing program). Eric Howes has documented Grokster’s exceptionally large bundle, which includes Claria, 411 Ferret/ActiveSearch, AdRoar, Altnet/BDE, BroadcastPC, Cydoor, Flashtrack, MyWay/Mybar, SearchLocate/SideBar, Topsearch, TVMedia, VX2/ABetterInternet, Browser Hijack, two different TopMoxie programs (branded by WebRebates), and several other programs not yet identified.

These programs, in combination, place a major burden on users’ computers: Loading and running so many extra tasks leaves less memory, less bandwidth, and less CPU time for whatever users actually want to do. My lab PCs are fast and well-maintained, but installing Grokster and its bundle makes them sluggish and hard to use. Worse, it’s hard to undo the damage Grokster and its partners cause: Eric also tracks, in unprecedented detail, how even the newest spyware removal applications can’t get rid of all the programs Grokster installs. It’s a mess, Eric’s site explains, and he’s surely right.

But as it turns out, the situation is even worse than Eric realized. As Eric explains, Grokster installs lots of junk if a user presses Accept. However, Grokster also installs software even if the user presses Cancel! That’s right: If a user has second thoughts after seeing the long license agreements, and if the user decides to press Cancel, Grokster’s installer nonetheless installs SearchLocate/SideBar and TVMedia. See the screen-shots below, taken from my video (WMV, 1MB) of the install process. (For best viewing, watch video in full-screen mode.)

C:\Program Files folder before Grokster installation begins. Sorted by date/time, ascending order; latest entries shown.

The Grokster installer. I press the Cancel button.

C:\Program Files folder after Grokster installation terminates. Sorted by date/time, ascending order; latest entries shown.

Notice the new entries at the bottom of the list: SearchLocate and TV Media. These directories and their contents were created after I pressed the Cancel button in the Grokster installer.
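The before-and-after comparison of C:\Program Files shown in the screenshots can be automated. The following Python script is an added example, not code from the original article: it snapshots a directory tree, snapshots it again after the installer exits, and lists the entries that appeared in between, sorted by timestamp ascending like the listings above. The stand-in Program Files tree and the two dropped folders are constructed in a temporary directory to mirror the cancelled-installer scenario described.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One file or directory in a snapshot, keyed by path relative to the root."""
    rel_path: str
    is_dir: bool
    size: int
    mtime: float


def snapshot(root):
    """Record every file and directory below root: relative path, type, size, mtime.

    Symlinks are recorded but not followed, so a planted link cannot pull an
    unrelated tree into the comparison.
    """
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            is_dir = os.path.isdir(full) and not os.path.islink(full)
            entries[rel] = Entry(rel, is_dir, st.st_size, st.st_mtime)
    return entries


def diff_snapshots(before, after):
    """Compare two snapshots.

    Returns (added, removed, modified). Added entries are sorted by modification
    time, ascending, like the directory listings in the screenshots; modified
    covers files whose size or mtime changed between the two snapshots.
    """
    added = sorted((after[p] for p in after.keys() - before.keys()),
                   key=lambda e: (e.mtime, e.rel_path))
    removed = sorted(before.keys() - after.keys())
    modified = sorted(
        p for p in before.keys() & after.keys()
        if not after[p].is_dir
        and (before[p].size != after[p].size or before[p].mtime != after[p].mtime)
    )
    return [e.rel_path for e in added], removed, modified


def top_level_new_entries(added_paths):
    """Collapse added paths to their first component: the new folders a user would
    see at the top of the Program Files listing, in first-seen order."""
    seen = []
    for p in added_paths:
        top = p.split(os.sep)[0]
        if top not in seen:
            seen.append(top)
    return seen


def demo():
    """Constructed scenario (not a real installation): a stand-in Program Files
    tree with two pre-existing applications; the 'installer' is cancelled but
    still drops the two folders the article observed.
    Returns (new_top_level_folders, removed, modified)."""
    root = tempfile.mkdtemp(prefix="program_files_")
    try:
        for app in ("Internet Explorer", "Windows Media Player"):
            os.makedirs(os.path.join(root, app))
            with open(os.path.join(root, app, "readme.txt"), "w") as fh:
                fh.write("pre-existing\n")
        before = snapshot(root)

        # What the cancelled Grokster run did on the author's PC: new folders anyway.
        for app in ("SearchLocate", "TV Media"):
            os.makedirs(os.path.join(root, app))
            with open(os.path.join(root, app, "bundle.dll"), "wb") as fh:
                fh.write(b"\0" * 64)  # constructed placeholder content
        after = snapshot(root)

        added, removed, modified = diff_snapshots(before, after)
        return top_level_new_entries(added), removed, modified
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    new_folders, removed, modified = demo()
    print("New top-level entries after Cancel:", new_folders)
    print("Removed:", removed, "Modified:", modified)
```

On a real machine, take the first snapshot of the actual Program Files directory before launching the installer and the second after pressing Cancel; any entry in the added list was created by the installer despite the refusal.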

Equally outrageous are the extraordinarily lengthy license agreements Grokster and its partners ask users to accept. First comes a Claria license agreement that takes, by my count, 120 distinct screens (119 presses of the page-down key) to view in full. As shown in the Grokster installer, Claria’s license has grown to an incredible 6,645 words. So Claria’s current license is 43% longer than the US Constitution — before we count the nine separate web pages Claria’s license references, some of them quite lengthy, but which Claria nonetheless claims are "incorporated by reference." Furthermore, Claria’s license is growing rapidly: When I prepared screen-shots of Claria’s license, as shown by Kazaa in June 2004, the license was 5,541 words long. If Claria’s license continues to grow by 20% every four months, it will be 11,500 words long in October 2005, and 34,300 words long in October 2007. Maybe Claria’s lawyers get paid by the word.

And it gets worse: Grokster installs other programs, with their own licenses, and Grokster shows these many licenses en masse in a subsequent screen. These licenses appear in a text box that, for whatever reason, doesn’t let me copy its text to the clipboard. So I can’t know the precise word count of the licenses in this second box. But I do know it took 278 page-downs to view the entire license.

That makes a total of 398 page-downs for any user who wants to know what lies in store upon installing Grokster. 398!

This past week, the US House of Representatives passed two bills that purport to address the spyware problem. Would they do anything about Grokster’s outrageous activities?

Goodlatte’s H.R.4661 prohibits unauthorized software installation — but only under specific, narrow circumstances. I can’t immediately say that SearchLocate/SideBar and TVMedia are used in furtherance of a Federal criminal offense, so Sec.2.(a) is inapplicable. And I can’t say that the programs intentionally obtain or transmit personal information with the intent to defraud, injure, or cause damage. Surely the programs’ authors would deny any such intent. So Sec.2.(b) is inapt too. Looks like Goodlatte’s bill wouldn’t help.

Bono’s H.R.2929 does prohibit the unauthorized software installation. Sec.2.(a)(4)(A) specifically bans installing software when a user declines installation. Score one for the good guys.

But suppose Grokster ended the truly outrageous installation of software even when users press Cancel, instead installing its bundle only when users press Accept. (Grokster will more than likely make this change after reading my article.) Then Grokster would be, I fear, substantially compliant with H.R.2929.

For 2929’s purposes, it doesn’t matter that Grokster installs so much software that it essentially ruins even an above-average PC. The bill’s Sec.3. approves of the installation of fifteen programs, or a hundred and fifteen, so long as the user is first shown a single notice that warns "This program will collect information about Web pages you access and will use that information to display advertising on your computer. Do you accept?" Or, thanks to a recent revision to the bill, the installer can show some other text, so long as it is "substantially similar," even if it is more complicated, more confusing, or harder to understand.

I worry that Grokster can and will include the brief disclosure 2929 specifies, or an alternative text that makes the installation sound even more unobjectionable. Then all too many users will be tricked into accepting Grokster’s massive software bundle, and they will find their PCs grind to a halt under the load Grokster and its partners impose. Users will be running Bono-certified software, 100% compliant with relevant law (should Bono’s bill in fact become law). But their computers will be nearly useless nonetheless.

If I were revising Bono’s bill, I’d seek to tighten its requirements. I certainly wouldn’t permit watered-down "substantially similar" disclosures. I’d also prohibit the installation of a bundle of software, where the user requested only a single program, if that bundle has significant adverse effects on the speed and reliability of a typical computer, and if that bundle has no substantial relationship to the software the user initially requested. For bundled programs that show advertising, I’d require that the installation provide a sample of each kind of advertisement to be shown, and I’d require that the installation disclose the typical frequency of ad displays. In short, there are lots of creative ways to tighten the language, so that programs can’t satisfy the bill’s requirements while continuing to trick users into unwanted installations.

Instead, 2929 takes a narrower approach — admittedly stopping a class of outrageous behaviors, but letting all too many continue. Given the bill’s preemption of tougher state laws, this is legislation that, far from stopping spyware, in many respects makes the spyware problem worse.

Can we count on the Senate to close the loopholes in the bills as passed? News coverage suggests that these bills are a done deal already. And Congress has enacted weak legislation before (e.g. CAN-SPAM). So I’m not holding my breath.

California’s Toothless Spyware Law

Yesterday Governor Schwarzenegger signed into law SB 1436 ("Computer Spyware"), a California bill that speaks to certain programs installed on users’ computers. The bill admittedly speaks to programs that trick users, harm users, and take advantage of users. So why don’t I support it?

SB1436 prohibits a number of activities. It bans, for example, transmitting computer viruses from a user’s computer (22947.3(a)(1)), using a computer as part of a denial of service attack ((a)(3)), and presenting an option to decline installation of software when selecting that option will in fact cause software to be installed nonetheless ((c)(1)). These are surely bad actions. But they’re all prohibited under existing law — fraud, unfair trade practice, the Computer Fraud and Abuse Act, etc. When investigators, lawyers, and researchers have tracked down bad actors using these methods in the past, they’ve proceeded with suit, with considerable success. (See, e.g., the Melissa virus writer’s jail sentence.) So we don’t need SB1436 to address these outrageous activities.

A Claria drive-by download prompt — allowing the user to press ‘Yes’ and have software installed, without first seeing Claria’s license agreement.

In contrast, SB1436 fails to speak to the truly controversial activities — many of them arguably "borderline" — that have actually been used by major players in the spyware space, whose installed user counts now reach into the tens of millions. Consider Claria’s 5,500 word license agreement. As presented in Kazaa’s installer (screenshots), Claria’s license is 20% longer than the US Constitution, and it requires 56 on-screen pages to view in full. Or, consider Claria’s drive-by installer (screenshot), where a user can press "Yes" without ever even seeing Claria’s license. More recently, Claria’s drive-bys have begun to show users the Claria license — but only after the user presses Yes, and only after the software is installed! What should we make of such installation practices? Has a user really "accepted" Claria’s software when the user receives unhelpful, confusing, and/or untimely disclosures? Even if the user is a minor? Even if the user mistakenly thought Claria’s software was necessary to view the web page that triggered the drive-by? Some courts may think that pressing "Yes" indicates assent — no matter the circumstances, no matter how one-sided the terms presented, and for that matter even if the terms weren’t actually presented (but were merely linked to). But I don’t think that’s a necessary conclusion, given the length and presentation of the supposed agreement.

SB1436 had an opportunity to address these deceptive installation tactics by clarifying standards for notice and consent. Indeed, the first draft of SB1436 (dated February 19, 2004) addressed Claria’s tactics directly: "’Spyware’ means an executable program that automatically … transmits to the provider … data regarding computer usage, including … which Internet sites are or have been visited by a user" — exactly what Claria does. The February draft went on to set out various requirements and disclosure duties, even including a minimum font size for disclosure. That’s not to say the February bill was perfect — certainly there was more fine-tuning to be done. But it sought to establish disclosure duties for all companies transmitting information about users’ online browsing — not just a few outrageous outliers who send viruses.

Unfortunately, SB1436’s initial comprehensive approach somehow got lost between the February draft and the August revisions. A recent RedHerring article claims the bill was "gutted" by "the well-heeled and influential online advertising lobby." Claria’s chief privacy officer recently stated that he had "met with the staffs of members who have proposed legislation" — though not mentioning any special efforts to modify the bill. Whatever Claria’s role, even a quick reading shows that the revised bill won’t affect Claria’s current practices.

Meanwhile, Claria gets to go on record not only supporting the law, but perhaps even complying with it from its first day in effect. Claria can now claim the implicit endorsement of California law: After all, if California passed a spyware law, and Claria complies, then (the logic goes) Claria must be a legitimate business that consumers and advertisers should happily do business with. But the truth is not so simple: Claria’s deceptive installation methods continue, tricking tens of millions of users into receiving Claria software without truly understanding what they’re getting into.

A better spyware bill would address the subtleties of Claria’s methods — would address lengthy, confusing licenses, and licenses shown only after supposed consent. Interestingly, some of the pending federal legislation speaks to disclosure requirements for programs like Claria. The federal bills are far from perfect. But they at least seek to address the harms, like Claria, that actually plague millions of users day in and day out. More on the proposed federal legislation next month.

Utah Spyware Control Act On Hold updated July 7, 2004

Today brought closing arguments in, Inc., v. The State of Utah.

After closing arguments, Judge Fratto granted WhenU’s Motion for Preliminary Injunction, enjoining current enforcement of the Spyware Control Act. Ruling from the bench, Judge Fratto stated that he was not persuaded that WhenU had satisfied the requirement of showing a substantial likelihood of prevailing on the merits of its constitutional challenge as to the spyware provisions of the Act, but that WhenU had made such a showing regarding the context-triggered pop-up ads provision. Nonetheless, Judge Fratto enjoined enforcement of the Act in its entirety. See transcript of ruling.

For my perspective on the factual portion of the hearing, June 10-11, see Report from WhenU v Utah.

Report from WhenU v Utah updated June 13, 2004

In April I mentioned WhenU’s suit against the state of Utah, challenging Utah’s recent Spyware Control Act. Oral argument took place yesterday and today as to WhenU’s motion for preliminary injunction.

Consistent with case filings, WhenU claimed that the company cannot reliably determine which users are in Utah and which are elsewhere. However, documents presented in the hearing showed that WhenU offers its advertisers the service of showing their ads only in particular locations, including in particular states.

Counsel for the state of Utah also asked WhenU’s CEO about WhenU’s display of advertising for online gambling and for online liquor sales. My testing demonstrated that WhenU shows such ads in Utah, but longstanding Utah law is thought to prohibit these ads. So WhenU will have to develop — arguably, already should have developed! — systems to avoid showing these ads in Utah. WhenU has criticized the Spyware Control Act, claiming that compliance would be difficult and costly. But WhenU must satisfy Utah’s gambling and liquor laws independent of the Spyware Control Act. So much for the purportedly high burden of Utah’s spyware regulation.

In my own oral testimony, I explained the methods of installation and operation of spyware. In one notable section, I showed videos of WhenU software installed via drive-by downloads with defective license agreements, such that even when a user requested to view WhenU’s license agreement, the license was not available.

Details in, Inc., v. The State of Utah – Case Documents. The hearing will conclude on June 22, 2004, and the Court’s decision is expected thereafter.

Spyware, Adware, and Malware: Research, Testing, Legislation, and Suits

A number of firms currently design and offer so-called “spyware” software — programs that monitor user activities, and transmit user information to remote servers and/or show targeted advertisements. As distinguished from the design model anticipated by’s definition of adware (“any software application in which advertising banners are displayed while the program is running”), these spyware programs run continuously and show advertisements specifically responding to the web sites that users visit. Companies making programs in this latter category include Gator (recently renamed Claria), WhenU, and 180Solutions. Other spyware programs include keystroke recorders, screen capture programs, and numerous additional software systems that surreptitiously monitor and/or transmit users’ activities. As programs and practices shift and terms evolve, some practices are more naturally termed “adware” or “malware” — especially if their tracking is secondary to an advertising purpose.

These programs have prompted a number of legal challenges, as described in the pending suits section, below. They have also attracted attention from legislators, who have proposed laws to rein in the problem.

I have followed these developments generally, I have written about the programs and their effects, and I have been retained as an expert in certain of these suits. This page indexes my research and my work in selected cases.
