FTC: More spyware-fighting tools needed

Organizations and law enforcement agencies fighting spyware are making progress, but new tools in an antispyware bill stalled in the U.S. Congress could improve the efforts, a member of the U.S. Federal Trade Commission said Monday.

One of the spyware bills passed by the House of Representatives earlier this year, the Spy Act, would give the FTC authority to impose civil fines on companies that distribute spyware to consumers' computers. The bill, along with the Internet Spyware Prevention (or I-SPY) Act, have stalled in the Senate since passing the House in May and June.

The FTC has the authority to collect profits from spyware operations and collect money for consumer redress, but it lacks the authority to impose other fines, as it does when going after spammers, said Commissioner Jon Leibowitz, speaking at a spyware forum in Washington, D.C.

Assigning a dollar figure to consumer harm is tricky in many spyware cases, especially when the spyware delivers pop-up advertisements to computers, Leibowitz said. It's sometimes difficult to get courts to assign large consumer damages to pop-up cases, he said.

In some cases, spyware damages are assessed by judges "who don't even use computers," said Dave Koehler, with the FTC's Bureau of Consumer Protection.

The Spy Act would allow the FTC to fine spyware vendors up to $3 million for hijacking computers, delivering unwanted adware, and other violations, and $1 million for collecting personal data without permission, in addition to going after the vendor's profits and seeking consumer redress.

Additional authority to impose civil fines would give the FTC "an enormous deterrent," Leibowitz said.

"Right now, companies know that the worst they can do is lose their profits," he added. "They're not going to get fined on top of that."

The FTC has brought several spyware actions against companies. In February, the agency settled a case against adware distributor DirectRevenue. In that case, DirectRevenue settled for $1.5 million, based on its profits, but the founders of the company had received more than $20 million in venture-capital funding, Leibowitz said.

While participants in the spyware forum said there continue to be many challenges, including a growing trend of foreign spyware vendors, the cost of spyware to U.S. consumers seems to be falling. Consumer Reports estimated that spyware cost U.S. consumers $2.6 billion in 2006, but only $1.7 billion in 2007, noted Ari Schwartz, deputy director of the Center for Democracy and Technology, a supporter of StopBadware.org, a consumer-protection effort aimed at spyware and other malicious code.

The drop in the cost of spyware can be attributed to a number of factors, Schwartz said. Antispyware technology is getting better, the FTC has taken action against spyware vendors, and StopBadware.org has distributed a list of malicious Web sites, he said. In addition, some states have taken action against spyware, and cybersecurity groups' public education programs seem to be working, he said.

But Ron Teixeira, executive director of the National Cyber Security Alliance (NCSA), noted that consumers may know more about spyware, but they aren't always acting on their knowledge. A survey released by the NCSA and McAfee earlier this month found 78 percent of respondents' computers didn't have all three of what the NCSA calls the "core protection" software: anti-virus, antispyware, and firewall.

"We're not seeing a huge increase in the actual behavior change," he said.