Anti-Spyware Coalition Workshop Recap

By Eric Goldman

I attended the Anti-Spyware Coalition Public Workshop last week in Washington DC. This was a well-attended event (my guess is that 300+ people attended), with a good mix of anti-spyware vendors, anti-spyware activists, adware vendors, policy wonks/politicos and reporters. This post recaps some of my notes from the event.

A few consensus themes emerged from the talks:

1) No one really knows if the adware/spyware problem is getting better, worse or staying the same. There is conflicting statistical evidence addressing this problem, but no one is treating that evidence as dispositive. At the conference, there was some anecdotal evidence that the legitimate players are cleaning up their act while the cheats are using more egregious tactics, but there was contrary evidence on all sides. This metrics issue strikes me as critical; if things are improving already, there may be less justification for new spyware-specific regulations.

2) Consumers don’t want to futz with different technologies for anti-spam, anti-virus, anti-spyware, anti-pop-up, etc. They just want their computers to work. Therefore, standalone anti-spyware products should be a short-term market opportunity. Over time, vendors necessarily will have to provide integrated services that give consumers what they want (a working computer).

3) A number of commentators expressed the view that, after a couple of decades of effort, we’ve solved the virus problem and are well underway with solving the spam problem. However, we are in an early stage fighting spyware, so it will take some time before anti-spyware technology turns the corner. Another way of viewing this is that regulators should be patient because industry hasn’t had enough time to fix the problem.

4) The representatives of state AG offices seemed to agree that spyware-specific laws are nice but unnecessary. They feel that they have enough power under the catchall restriction on deceptive and unfair trade practices. The federal enforcers took a similar line that spyware-specific laws aren’t needed.

Some comments about a few specific talks:

Justin Brookman, from Spitzer’s office, led the Intermix enforcement action. He described some of the background on that action. Justin had arrived at Spitzer’s office 18 months earlier with a securities law background. Spitzer then told him to do something about spyware. They decided to focus on “mainstream” adware instead of malicious spyware because: (1) adware gets the most complaints from consumers, (2) they wanted to make the most impact, and (3) adware companies operate in a zone of “plausible deniability.” He said the NYAG’s office isn’t anti-adware, but they think that consumers don’t understand the value proposition. Justin thinks that the adware crowd is cleaning up their act since the Intermix action, so the NYAG’s next action probably will be against malicious spyware.

FTC Commissioner Leibowitz spoke at lunch. He recited some basic FTC attitudes about adware/spyware, but then moved on to his hot button. He thinks advertising dollars fuel adware, so he wants the FTC to reduce demand for adware advertising. He then reiterated his proposal for “shaming” adware advertisers by publicly announcing whose ads run on adware (naming names).

Although some news reports treated Leibowitz’s idea as a new proposal, Leibowitz has been championing this idea for at least a couple months–I blogged on it back in December. I did not have kind words for this idea in that post. To recap: If advertising via adware is illegal, bust the advertisers. If it’s not illegal but the FTC thinks it should be, then lobby Congress to make it illegal. But if it’s not illegal and Congress won’t make it illegal, then on what grounds can the FTC delineate what it considers “shame-worthy”? Government manipulation of consumer perceptions (in this case, by communicating, under government authority, that advertisers have done something that the FTC thinks is legal but morally wrong) is called PROPAGANDA, and it’s a terrible abuse of power. I recognize that Leibowitz’s idea is appealingly simple, and it plays well with crowds, but I really hope that he rethinks his advocacy of it.

Following Leibowitz was Walt Mossberg of the WSJ. I don’t normally read his column, so I wasn’t well-prepared for his shtick. As a result, I was shocked at how error-riddled, uninformed and internally inconsistent his talk was.

Mossberg’s basic point is that he owns his hard drive and no one should put stuff on it without robust notice and his consent. This point is fine so far as it goes, but converting this theoretical view into practical suggestions got Mossberg into a jam. For example, he argued that no one should place tracking cookies on his hard drive without permission, but then he struggled to explain why he didn’t mind the nonconsensual placement of other cookies.

He also argued that he doesn’t want his anti-virus vendor to notify him every time there are new updates; instead, they should just install them without bothering him. I agree with him, but I and many other audience members immediately noticed an obvious inconsistency with his basic “my hard drive is my property” attitude. When asked about this in the Q&A, he mumbled something about users giving advance consent when installing the anti-virus software, but I’m not sure many of us were satisfied with his answer.

So, Mossberg appears to subscribe to the more-info-is-better view (I had thought behavioral economists had destroyed this thinking by now, but maybe some people haven’t heard). In Mossberg’s world, consumers get lots of notices about their computers (like, every time someone tries to place a tracking cookie) so they can make choices. This sounds like a very noisy world to me. Recognizing that this world may be too noisy, Mossberg doesn’t want notifications that he doesn’t need (like from his anti-virus vendor). I’m not exactly clear how Mossberg plans to distinguish good from bad notices on an ex ante basis.

(I could point out more examples of Mossberg’s inconsistencies and ill-informed opinions, but I think I’ve given his talk more airtime than it deserves.)

After lunch, I participated in the “industry self-regulation” panel. Our moderator Tori Case asked us: what’s the biggest problem facing the industry?

Fran Maier of TRUSTe said the biggest problem is loss of consumer trust. Bill Day of WhenU said the biggest problem was rogue installations. I said that the biggest problem was the “crisis of contracts”–the disclosures and consent that vendors need to form a legally binding contract may not be enough to believe that consumers are making good private ordering decisions. Eric Howes of Sunbelt Software said the biggest problem is that the responsible players aren’t accepting their responsibility. Jules P of AOL said it was hard to set appropriate defaults for consumers.

The next panel discussed legislative developments, particularly in Congress. It appears that the Senate has a low likelihood of passing anti-spyware legislation this session; there are a limited number of legislative days left, and the bill would have to pass unanimously to get through.

The Senate logjam appears to be attributable to 2 main factors. First, the two competing bills (Burns v. Allen) take very different approaches to the problem, and those approaches haven’t been reconciled. Second, there appears to be some contentiousness over an immunity for anti-spyware technology that removes identified spyware. Personally, I would strongly favor an immunity for categorizing software as “spyware” or “adware” or whatever–the vendors’ demand letters over these classifications strike me as silly but problematic. But according to an industry lobbyist, there have been only 4 lawsuits over these classifications, so from one perspective, this hasn’t emerged as a big problem yet.

However, giving technology vendors the absolute liability-free right to blast software off someone’s desktop may be too much, even for a defense-side guy like me. Remember in 2001 when the RIAA wanted the right to hack downloaders’ computers and not be liable for any damages? Bad, bad idea.

In the final panel, US Attorney Mitch Dembin (who prosecuted some users of Loverspy) said that he felt the laws were pretty good (“we don’t need new statutes–we have enough!”). Nevertheless, he proposed a couple of minor tweaks to the CFAA. He’d like to see 18 U.S.C. § 1030(a)(2) a felony instead of a misdemeanor, and he would like 1030(a)(5) to apply if someone damages 50 computers. I’m not sure either change is all that necessary, but these suggestions might warrant further consideration.

At a lot of these conferences, industry participants just get up and repeat the corporate line they’ve outlined many times before. Personally, I find those talks really boring. While there were a few rehash-y talks, for the most part I thought most of the speakers had something new and valuable to add to the dialogue. Thanks to Ari Schwartz and CDT for organizing an interesting conference.