[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
COMBATING SPYWARE: H.R. 964, THE SPY ACT
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMERCE, TRADE,
AND CONSUMER PROTECTION
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FIRST SESSION
ON
H.R. 964
__________
MARCH 15, 2007
__________
Serial No. 110-21
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
-------
U.S. GOVERNMENT PRINTING OFFICE
38-810 WASHINGTON DC: 2008
---------------------------------------------------------------------
COMMITTEE ON ENERGY AND COMMERCE
JOHN D. DINGELL, Michigan, Chairman
HENRY A. WAXMAN, California         JOE BARTON, Texas
EDWARD J. MARKEY, Massachusetts       Ranking Member
RICK BOUCHER, Virginia              RALPH M. HALL, Texas
EDOLPHUS TOWNS, New York            J. DENNIS HASTERT, Illinois
FRANK PALLONE, Jr., New Jersey      FRED UPTON, Michigan
BART GORDON, Tennessee              CLIFF STEARNS, Florida
BOBBY L. RUSH, Illinois             NATHAN DEAL, Georgia
ANNA G. ESHOO, California           ED WHITFIELD, Kentucky
BART STUPAK, Michigan               BARBARA CUBIN, Wyoming
ELIOT L. ENGEL, New York            JOHN SHIMKUS, Illinois
ALBERT R. WYNN, Maryland            HEATHER WILSON, New Mexico
GENE GREEN, Texas                   JOHN B. SHADEGG, Arizona
DIANA DeGETTE, Colorado             CHARLES W. ``CHIP'' PICKERING,
  Vice Chairman                       Mississippi
LOIS CAPPS, California              VITO FOSSELLA, New York
MIKE DOYLE, Pennsylvania            STEVE BUYER, Indiana
JANE HARMAN, California             GEORGE RADANOVICH, California
TOM ALLEN, Maine                    JOSEPH R. PITTS, Pennsylvania
JAN SCHAKOWSKY, Illinois            MARY BONO, California
HILDA L. SOLIS, California          GREG WALDEN, Oregon
CHARLES A. GONZALEZ, Texas          LEE TERRY, Nebraska
JAY INSLEE, Washington              MIKE FERGUSON, New Jersey
TAMMY BALDWIN, Wisconsin            MIKE ROGERS, Michigan
MIKE ROSS, Arkansas                 SUE WILKINS MYRICK, North Carolina
DARLENE HOOLEY, Oregon              JOHN SULLIVAN, Oklahoma
ANTHONY D. WEINER, New York         TIM MURPHY, Pennsylvania
JIM MATHESON, Utah                  MICHAEL C. BURGESS, Texas
G.K. BUTTERFIELD, North Carolina    MARSHA BLACKBURN, Tennessee
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana
______
Professional Staff
Dennis B. Fitzgibbons, Chief of Staff
Gregg A. Rothschild, Chief Counsel
Sharon E. Davis, Chief Clerk
Bud Albright, Minority Staff Director
Subcommittee on Commerce, Trade, and Consumer Protection
BOBBY L. RUSH, Illinois, Chairman
JAN SCHAKOWSKY, Illinois            CLIFF STEARNS, Florida,
G.K. BUTTERFIELD, North Carolina      Ranking Member
JOHN BARROW, Georgia                J. DENNIS HASTERT, Illinois
BARON P. HILL, Indiana              ED WHITFIELD, Kentucky
EDWARD J. MARKEY, Massachusetts     CHARLES W. ``CHIP'' PICKERING,
RICK BOUCHER, Virginia                Mississippi
EDOLPHUS TOWNS, New York            VITO FOSSELLA, New York
DIANA DeGETTE, Colorado             GEORGE RADANOVICH, California
CHARLES A. GONZALEZ, Texas          JOSEPH R. PITTS, Pennsylvania
MIKE ROSS, Arkansas                 MARY BONO, California
DARLENE HOOLEY, Oregon              LEE TERRY, Nebraska
ANTHONY D. WEINER, New York         SUE WILKINS MYRICK, North Carolina
JIM MATHESON, Utah                  MICHAEL C. BURGESS, Texas
CHARLIE MELANCON, Louisiana         MARSHA BLACKBURN, Tennessee
JOHN D. DINGELL, Michigan           JOE BARTON, Texas
C O N T E N T S
----------
H.R. 964, to protect users of the Internet from unknowing
  transmission of their personally identifiable information
  through spyware programs, and for other purposes
Barton, Hon. Joe, a Representative in Congress from the State of
  Texas, opening statement
Bono, Hon. Mary, a Representative in Congress from the State of
  California, opening statement
Hooley, Hon. Darlene, a Representative in Congress from the State
  of Oregon, opening statement
Rush, Hon. Bobby L., a Representative in Congress from the State
  of Illinois, opening statement
Schakowsky, Hon. Jan, a Representative in Congress from the State
  of Illinois, opening statement
Stearns, Hon. Cliff, a Representative in Congress from the State
  of Florida, opening statement
Towns, Hon. Edolphus, a Representative in Congress from the State
  of New York, opening statement
Witnesses
Cerasale, Jerry, senior vice president, government affairs,
  Direct Marketing Association, Inc.
    Prepared statement
Maier, Fran, executive director, TRUSTe
    Prepared statement
Morgan, Dave, founder and chairman, Tacoda, Inc.
    Prepared statement
Schwartz, Ari, deputy director, Center for Democracy and
  Technology
    Prepared statement
Varney, Christine A., Hogan & Hartson LLP, on behalf of Zango,
  Inc.
    Prepared statement
COMBATING SPYWARE: H.R. 964, THE SPY ACT
----------
THURSDAY, MARCH 15, 2007
House of Representatives,
Subcommittee on Commerce, Trade
and Consumer Protection,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 11:10 a.m., in
room 2322 of the Rayburn House Office Building, Hon. Bobby L.
Rush (chairman of the subcommittee) presiding.
Members present: Representatives Schakowsky, Barrow, Towns,
Ross, Hooley, Matheson, Stearns, Bono, Terry and Barton [ex
officio].
OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF ILLINOIS
Mr. Rush. The subcommittee will come to order.
Today the Subcommittee on Commerce, Trade and Consumer
Protection tackles the problem of spyware, the insidious
software that consumers unwittingly download onto their
computers only to have their personal private information
extracted for commercial or fraudulent purposes.
Spyware comes in many forms. Sometimes it takes the form of
adware that tracks the Web sites an individual visits in order
to facilitate target marketing and develop pop-up ads tailored
to sites he or she visits. At other times it is far more
offensive, redirecting his or her Web searches to gambling or
pornographic sites. And sometimes at its very worst, spyware
monitors and steals a consumer's sensitive secret information
such as account passwords and credit card numbers. Spyware
surreptitiously makes its way onto one's computer by fooling
the computer into downloading the nefarious software. Spyware
is often secretly bundled with free software from Web sites
that a consumer willingly downloads onto his or her computer.
At other times spyware is installed as an add-on to a browser's
toolbar or it simply pops up as a seemingly innocuous Web site
or window, innocently asking for permission to install. Perhaps
the worst of all, some spyware masquerades as anti-spyware with
promises of cleaning up a person's computer only to install its
own version of spyware.
Whatever its form and however it is installed, at its worst
spyware can lead to the unwanted exposure of offensive Web
content to unsuspecting individuals, particularly children. It
can also lead to outright fraud resulting in significant
financial damages. At its best, spyware is simply nasty stuff
that clogs computers, slows down processing power and is costly
to remove. According to a survey in Consumer Reports as cited
in the Washington Post, consumers paid as much as $7.8 billion
over 2 years to protect or repair their computers with
anti-spyware and anti-virus software.
In the past two Congresses, Mrs. Bono and Mr. Towns
introduced the bipartisan Spy Act and both times the bill
enjoyed overwhelming support. Twice this subcommittee and the
full committee unanimously reported the bill. Twice the full
House passed the bill with near unanimity and twice the Spy Act
met its demise in the Senate. This year Mr. Towns and Mrs. Bono
are once again teaming up to introduce the Spy Act as H.R. 964.
It is my full intent as chairman of this subcommittee to do
everything I can to make it three times that this bill passes
this subcommittee and the full committee and the House of
Representatives and finally makes its way to the President's
desk. Let us all hope that the Senate can get its act together
this time around. Three times should be the charm for the
Senate.
H.R. 964 provides a broad regulatory framework that
empowers consumers with knowledge and allows them to be in
charge of what goes on their personal computers. First, the
bill outright prohibits deceptive practices and acts related to
spyware that wreak havoc on a computer's operating system or is
a harmful invasion of one's privacy. Moreover, the bill creates
a regime where an entity cannot execute any program that
collects personal information without first giving explicit
notice to the consumer and subsequently receiving his or her
consent. The bill further requires that once installed, the
information collection program can be easily removed or
disabled. Lastly, H.R. 964 provides that the FTC will enforce
the Spy Act and that any violation of these provisions will be
treated as an unfair and deceptive act or practice violating a
rule promulgated under section 18 of the FTC Act. Accordingly,
the Commission will be able to impose significant penalties,
and I firmly believe, as do most of today's witnesses, that
this bill strikes an appropriate and workable balance that will
allow honest commerce and innovation to occur.
Last year, not only did this bill receive an overwhelming
support from our members but also from many technology
companies and associations including Yahoo, eBay, AOL Time
Warner, Dell, Microsoft, EarthLink and the U.S. Telecom
Association. We will carefully consider the testimony of our
witnesses and the comment letters that we have received from
the FTC, consumer groups and industry experts.
Again, I want to commend Mr. Towns and Mrs. Bono for the
terrific work that they have done on the Spy Act and for
exhibiting yet another example of quality bipartisan
cooperation that is really rather unique to this subcommittee,
and I welcome our guests, who have graciously agreed to appear
before us today and I hope that today marks the first step
towards making this important bill into law.
Thank you.
At this time I will submit a copy of H.R. 964 for inclusion
in the record.
[H.R. 964 follows:]
Mr. Rush. I recognize the ranking member of the
subcommittee, the gentleman from Florida, Mr. Stearns.
OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
Mr. Stearns. Thank you, Mr. Chairman.
As you have mentioned, we hope that the third time is the
charm here. It has been nearly 3 years since the committee
first held hearings on the subject of spyware. Although the
Internet may seem like it has been around for a long time to
many of us, the reality is that it has only been commercially
available for a little more than a decade. As rapidly as usage
has spread, so too has industry and user practices evolved. We
have learned about some of these practices. Obviously spyware
is one of those.
Where circumstances warranted, we tried to respond with
legislation in this committee, which we did. Some of our
efforts of my colleagues resulted in public laws such as Can
Spam. Although we like to respond as quickly as possible, we
usually try to be as careful as possible to avoid unintended
consequences. I don't think we did. I would say, Mr. Chairman,
we are on this side ready to move to markup. We think we could
move to markup after this hearing because we have had so much
support for this bill in the past and we would like to see a
markup out of this subcommittee as soon as possible.
Mrs. Bono has showed leadership and Mr. Towns has in the
108th Congress. We have discovered all the bad things about
spyware and what it creates. We also learned that most
pernicious forms of spyware have more malicious intentions than
we realized. Criminals often in other countries have developed
programs that can potentially be used to steal a person's
identity. A keystroke logger is one example of a program that
can capture a consumer's data, which can then be used to commit
fraud. Other types of spyware software have been used to hijack
a user's computer or to redirect a user's computer to bogus Web
sites.
After investigating the damage of potential harm caused by
spyware to consumer computers, we passed the bill out of the
subcommittee in the 108th. The House likewise passed it, as you
have mentioned. Unfortunately, the Senate did not take up the
bill and we tried again in the 109th. The committee again
unanimously passed the legislation. H.R. 964 is the same bill
we unanimously passed in the committee and nearly unanimously
in the House last Congress.
There has been, I think, much progress in the industry, I
would compliment them, with the adoption of best practices and
recognition of the need for consumer consent. We also have seen
an increase in the number of enforcement actions. This is all
good. That being said, the threat of spyware and the havoc it
can inflict on a consumer's computer--or worse, on the
identity--remains a real threat. Consumers and businesses are
now spending billions of dollars to protect themselves and
their computers. To that end, I believe there is still a need
for this legislation and so I support H.R. 964. A company that
is a bad actor is generally the exception rather than the rule.
While criminals may never disappear, legitimate companies are
not in business to offend their customers.
I would like to welcome the distinguished panel here. I
look forward to their views on H.R. 964.
Mr. Chairman, in closing I would like to thank Mr. Barton
for his leadership on this issue during the last two
Congresses. I also obviously commend my colleagues, Mrs. Bono
and Mr. Towns, and finally I would like to recognize my
colleague, the chairman, Mr. Dingell, and Ms. Schakowsky, who
was the ranking member when I was the chairman, for her hard
efforts in this area too.
With that, Mr. Chairman, I look forward to the hearing.
Mr. Rush. Thank you.
The committee recognizes the fine gentlewoman from
Illinois, Ms. Schakowsky.
OPENING STATEMENT OF HON. JAN SCHAKOWSKY, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF ILLINOIS
Ms. Schakowsky. Thank you, Chairman Rush, for holding
today's hearing on H.R. 964, the Spy Act.
The proliferation of spyware, covertly installed software
that can snatch personal information, has made it necessary
that we pass this legislation. And while I am proud to be an
original cosponsor of the Spy Act, I hope this is the last time
that I say that.
Our committee wanted to be proactive on this issue; we
were. I was very proud to work with Mr. Towns and Mrs. Bono and
Mr. Stearns and the chairman at the time, Mr. Barton, and Mr.
Dingell. We did our work. We got it out of the subcommittee,
the committee and the House. And when we first started working
on this issue 4 years ago, spyware was not a household word; it
is now. People used to be baffled when they found that their
Web page settings changed or when their computers became
sluggish. They would think that the problem was their computer
or the Internet service provider but now the suspect is
spyware.
Spyware is a nationwide problem that affects millions of
computers from large financial institution servers to home
computers. America Online has put occurrences of spyware as
high as 80 percent among households with broadband. As
broadband becomes more popular in American households, we can
only assume spyware will continue to affect our home computers
until we give the Federal Trade Commission all the authority it
needs to shut down spyware purveyors.
Again, spyware is much more than little annoyances such as
slow computers and unwanted popup ads. Those are just symptoms
of the real trouble spyware can cause. The spyware is so
resourceful that it can snatch personal information from
computer hard drives, track every Web site visited and log
every keystroke entered. Spyware is a serious threat to
consumer privacy and a powerful tool for identity theft, the
fastest-growing financial crime. With all the current threats
to our country, our homes and our wallets, our computers should
not have another worry.
Although we don't want to stop legitimate uses of the
software, underlying spyware such as allowing easy access to
online newspapers, we do want consumers to have control of
their computers and personal information. We have passed this
bill with overwhelming bipartisan support in the past two
Congresses and I hope this is the Congress that will get the
bill signed into law.
So I thank you, Mr. Chairman.
Mr. Rush. Thank you.
Now the committee will recognize the ranking member of the
full committee, Mr. Barton of Texas, for 5 minutes.
OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Barton. Thank you, Mr. Chairman. I appreciate the
courtesy. I was just downstairs in the Energy and Air Quality
Subcommittee in one of our hearings on climate change and
rushed up here, so I appreciate the courtesy of being allowed
to speak as soon as I get here.
Thank you for holding the hearing on the Spy Act and making
it a priority. As everyone knows, this is round 3. The
committee sent the Spy Act to the floor by unanimous vote in
the last Congress and a nearly unanimous vote in the Congress
prior to that. The House likewise passed the legislation by a
nearly unanimous vote in the last two Congresses. We are here
today because the Senate has twice failed in the last
Congresses to act on this bill for reasons that are absolutely
a mystery to me.
This legislation ought to be an automatic-passage bill. It
is a key component to solving the problem of Internet spying,
and protecting our constituents from invasions of their
privacy. The bill not only receives broad bipartisan support in
this institution but many of the big technology players also
support the Spy Act: Yahoo, eBay, AOL Time Warner, Dell,
Microsoft, EarthLink, the U.S. Telecom Association, just to
name a few. We have differences of opinion on the issue of
network neutrality, for example, among some of these folks. On
this issue, there is 100 percent unanimity.
The reason for the support is evident. Internet spying is
more than just an annoyance and more than an invasion of
consumers' privacy. It also poses the very real danger of
identity theft. Furthermore, spyware often proves dangerous to
the consumer's physical property, their personal computers. The
scariest part of spyware is that you can have an unwanted,
unnoticed program on your computer that captures and reports
your keystrokes. What is at stake is a treasure chest of your
life's financial secrets, your Social Security number, your
bank account number, your credit card number and all kinds of
personal passwords. Many consumers don't even know that this is
possible, much less that these applications are alive on their
computers right now, and as easy as it was to acquire a batch
of spyware, sometimes it is almost impossible to get rid of it
because of deceptive or nonexistent instructions for
uninstalling these applications. You can pick up a batch of
spyware by a click of a mouse but you may need the help of a
computer expert and all day to get rid of it.
Industry groups have taken strong steps, luckily, towards
combating the dangers of spyware. However, it will take a mix
of technology, consumer awareness, industry best practices,
consumer education, strong enforcement of existing law and I
think new law to effectively fight spyware.
The bill before us does that. It places strong enforcement
tools in the FTC's toolbox. It provides stiff penalties to hold
various actors accountable for their action. It still balances
the interests that are legitimate business interests of the
bill.
I could go on and on but let me simply say that this has
been a bipartisan effort on our committee. Congresswoman Bono,
Congressman Towns, Congressman Stearns, Congresswoman Jan
Schakowsky as well as Chairman Dingell and myself have worked
diligently to bring this legislation to the floor. And now with
your efforts, Mr. Chairman, I am sure that we will finally get
it across the finish line and get it through the Senate too. It
just takes somebody from Chicago to get it done.
With that, Mr. Chairman, I yield back the balance of my
time.
Mr. Rush. What else do you want?
The gentle lady from Oregon, Ms. Hooley, is recognized for
5 minutes.
OPENING STATEMENT OF HON. DARLENE HOOLEY, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OREGON
Ms. Hooley. Thank you, Mr. Chairman, and I am thankful to
all of the witnesses for being here today and your testimony on
this issue.
Although I am new to the Energy and Commerce Committee and
this subcommittee, I have been involved for the last 8 years
with fraud prevention efforts. I am pleased to join this
subcommittee and have the opportunity to address these
important issues as they relate to commerce. I commend my
colleagues for taking up this issue of spyware, not only this
Congress but for the last two Congresses, and I, like the chair
and ranking member, hope this legislation can finally get all
the way through and become law.
Software that is installed without your consent to monitor
or control your computer, known as spyware, threatens the
security of our personal information and private transactions.
It threatens commerce on the Internet and consumers' confidence
of Web purchases and pollutes computers to the point they no
longer function. Despite the efforts of FTC, which has
completed 11 spyware enforcement cases, and the passage of the
Safe Web Act, more needs to be done and I think this
legislation is the answer. I do, however, have some concerns
with regard to the lack of an exemption for fraud detection
software. As I understand it, fraud detection software that is
used to make consumers safer and helps protect them from
fraudulent activity might be curtailed by this legislation. I
hope we can look at this issue before markup.
Again, I applaud this subcommittee for their diligent work
on spyware and look forward to working with all of you and
passing this piece of legislation.
Thank you, and I yield back.
Mr. Rush. Thank you.
The gentleman from Nebraska, Mr. Terry, is recognized for 5
minutes.
Mr. Terry. I pass.
Mr. Rush. The gentleman from Utah is recognized for 5
minutes.
Mr. Matheson. I will waive.
Mr. Rush. The gentleman from New York, the coauthor of the
bill, Mr. Towns, is recognized for 5 minutes.
OPENING STATEMENT OF HON. EDOLPHUS TOWNS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NEW YORK
Mr. Towns. Thank you very much, Mr. Chairman. I want you to
know that I feel very confident and comfortable that this is
going to make it all the way with you in the chair and of
course seeing Mr. Morgan down from New York and I know that we
are going to finish this thing off this time, no doubt about
it.
I also want to thank you for holding this important hearing
today on H.R. 964, the Spy Act, and for your strong commitment
to protecting consumers' privacy on the Internet. As the
primary Democratic sponsor, I have been proud to work with
Congresswoman Mary Bono. Her tireless efforts on this issue
have been unmatched, and I want to thank her for her dedication
and commitment to this issue.
We passed this bill out of committee a few times already so
perhaps the third time will be a charm. That is why it is
important to hold this hearing. We want to make sure to get it
right.
Spyware continues to be a nuisance to many of our
constituents, even as new and innovative Internet business
models have sprung up. There is still some debate about the
approach Congress should take to protect consumers from these
harmful programs. One computer manufacturer has said that
problems related to spyware cause most of their customer
complaints. Another company said that spyware accounts for
about 50 percent of all tech support calls. Although hard to
quantify, this is adding hundreds of millions of dollars in
costs for companies.
More importantly, spyware programs can invade consumer
privacy by recording and transmitting personal information,
monitoring the Web sites you visit or even stealing documents
from our computers. Other programs hijack your computer,
forcing you to click through multiple screens until you
download a program. Finally, all of these programs impair the
functionality of a consumer's computer, often slowing its
operation to a grinding halt.
Although the problem seems clear, the solution is far from
it. Technology changes at a tremendous rate, often making
legislation outdated. Additionally, some computer programs
which serve legitimate functions such as scanning your system
for problems or security breaches or customizing our browser or
advertising experience could be classified as spyware if we do
not legislate carefully. It seems to me that a key issue is
notice. Consumers must get meaningful and accurate notice
before they make a decision to download programs that could
harm their computers. The FTC should be prosecuting companies
that do not provide notice or that provide deceptive notice.
Certainly the egregious violators can be prosecuted under
existing statutes and the FTC has taken steps in this regard,
possibly in reaction to our continued interest in this
legislation.
Finally, let me conclude by saluting my colleagues, first
Congresswoman Bono for her legislation and leadership on this
issue, and of course, let me thank Ranking Member Barton of the
full committee and of course former Chairman Stearns and of
course former Ranking Member Schakowsky and also Mr. Dingell,
who is the chairman of the full committee. I want to thank all
of you for your work and I know that at the end of the day we
are going to get this done, so thank you very much, Mr.
Chairman.
Mr. Rush. Thank you. Before we hear the best that we have
for today, I want to just bring to the attention of Ms. Hooley,
on page 19, line 3, there are provisions here for the detection
or prevention of fraudulent activities.
Ms. Hooley. OK. What line is it, Mr. Chairman?
Mr. Rush. Page 19, line 3.
Ms. Hooley. Line 3?
Mr. Rush. Right.
Now I have to personally apologize to the next speaker, a
fine member of this subcommittee. Mrs. Bono, I want you to know
that we are indeed saving the best for the last, so you are
recognized now for 5 minutes.
OPENING STATEMENT OF HON. MARY BONO, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Mrs. Bono. Thank you, Mr. Chairman, and I just want to
mention to my colleague, Mr. Towns, whom I have known for many
years, that you reminded me of one of my favorite stories that
I ran into Bono in an elevator when I was with my late husband,
Sonny Bono, and the two of them had an argument over how to
pronounce the name, but Sonny won with ``Bono''. That is one of
my favorite stories and we love to laugh about that.
I want to begin by thanking Chairman Rush and Ranking
Member Stearns, again, my colleague, Ed Towns, Ms. Schakowsky
and the long list of staff who have worked so hard, especially
David Cavicke. They have worked so hard for many years in
crafting the Spy Act. I would also like to thank full committee
Chairman Dingell and Ranking Member Barton for their leadership
and support throughout the past three Congresses. Without their
commitment to addressing the problem of spyware, this bill
would not be the bipartisan lovefest piece of legislation it is
today. In the 108th Congress, I introduced H.R. 2929, the
Safeguard Against Privacy Invasions Act. That bill passed the
House by a vote of 399 to 1. In the 109th Congress, I
reintroduced my spyware bill as H.R. 29, the Securely Protect
Yourself Against Spyware Act, or Spy Act, and you don't know
how that delights staff to come up with such clever acronyms.
But just as it did in the 108th Congress, my bill passed the
House by a large margin of 393 to 4.
I remain a strong proponent of spyware legislation because
of my belief that our constituents deserve adequate protections
when they are online. This means that the computer user should
be able to maintain control over his or her computer and the
information they store on it. The Spy Act prohibits perverse
behavior such as keystroke logging and drive-by downloads.
Moreover, it establishes a simple notice regime so that
computer users can make informed decisions regarding the
programs they wish to put on their computers. Simply stated,
this bill works to restore privacy on the personal computer,
which has become the control center for our business
transactions as well as our personal interactions.
There was a time when the Internet was an occasional tool.
However, today the Internet is used by most on a daily basis
for practically everything. For this reason, it is crucial that
computer users can securely carry out their lives on the
Internet without fear that an unknown party may gain access to
sensitive information. It is my firm belief that the Spy Act
does this while at the same time preventing negative impacts to
legitimate industry and the overall integrity of the Internet.
I look forward to listening to the testimony from our panel
today and I am sure that we all agree that spyware is a problem
that could undermine the Internet's integrity and needs to be
addressed.
I would once again like to thank the committee for its
support. I would like to urge my colleagues to support H.R.
964, the Towns-Bono Spy Act.
Again, thank you very much, Mr. Chairman. I yield back my
time.
Mr. Rush. Now we will hear from our fine array of
witnesses. We certainly want to thank you for taking your time
out from your busy schedule to testify before this subcommittee
on this very important matter. I will introduce you
individually and we will ask that you restrict your comments,
please, to 5 minutes, and then be available for questioning.
Our first witness today is Mr. Ari Schwartz. He is the
deputy director of the Center for Democracy and Technology,
CDT. CDT is a nonprofit public-interest organization devoted to
promoting privacy, civil liberties and democratic values online
through legislative, regulatory, self-regulatory and public
education efforts. In this capacity, they have been a vocal
supporter of comprehensive privacy legislation and further
support the goals of H.R. 964, the Spy Act.
Mr. Schwartz, you are recognized for 5 minutes.
STATEMENT OF ARI SCHWARTZ, DEPUTY DIRECTOR, CENTER FOR
DEMOCRACY & TECHNOLOGY
Mr. Schwartz. Chairman Rush, Ranking Member Stearns,
members of the committee, thank you for holding this public
hearing today on the Spy Act and for inviting me to
participate.
This committee has consistently followed the spyware issue
over the past 4 years and CDT is pleased to see this
much-needed attention continue.
I come back to the committee today to offer good news and
bad news on the spyware issue. First the bad news. As predicted
by members of this committee in the past, spyware has
unquestionably become one of the most serious threats to the
Internet's future. Consumer Reports magazine estimates that
consumers lost $2.6 billion to spyware alone last year, and one
in eight consumers have spyware on their computer and according
to the magazine, about 1 million consumers had to throw away
their computer because they were so riddled with spyware.
On the other side, in terms of good news, there are new
indications that the combination of law enforcement,
anti-spyware technology, industry self-regulation, consumer
education, legislative efforts and increased responsibility on
the part of advertisers are beginning to impact the marketplace
that had allowed spyware to flourish.
On the law enforcement front, spyware actions at both the
Federal and State level have increased dramatically over the
past 2 years. The FTC has now successfully prosecuted 11 cases,
which we detailed in our written testimony. Based on the
experiences of these cases, it is now clear that the Commission
desperately needs increased civil penalty authority in order to
be comprehensively effective. The Spy Act, H.R. 964, provides
such authority.
Spyware enforcement has also been developing at the State
level with 10 cases across four States so far. Although H.R.
964 safeguards State-level enforcement under consumer
protection statutes, it does not explicitly preserve the
ability for State attorneys general to bring civil actions
under statutory provisions specific to spyware. With so much
enforcement work now occurring at the State level, we feel it
is important to safeguard the role of the State attorney
general by empowering them to help enforce Federal law.
On a final note, I would like to stress that the Center for
Democracy & Technology still strongly believes that the real
long-term solution to spyware and other privacy issues in front
of this committee will require baseline consumer privacy
legislation based on fair information practices. General
privacy legislation would provide businesses with guidance as
they deploy new technologies and business models that involve
the collection of information and it would give consumers some
measure of confidence that their privacy is being protected as
companies roll out these new ventures. If we do not begin to
address privacy issues more comprehensively, this committee
will need to continue to address new emerging privacy threats
every few months with new legislation in order to protect
consumers in the networked economy.
We have seen a number of issues already begin to increase
with the most recent including spam, do-not-call lists, search
information, data breaches, use of Social Security numbers,
pretexting and spyware. While we appreciate the committee's
hard work on all these important issues, we believe that the
members of this committee should join with the 13 companies and
multiple consumer groups that have actively supported
comprehensive consumer privacy legislation in an attempt to
address these issues at the source rather than continue a
piecemeal approach each time a new privacy threat arises.
Thank you for your attention. I look forward to your
questions.
[The prepared statement of Mr. Schwartz follows:]
Mr. Rush. Thank you.
Our next witness, and Mr. Cerasale, if I mispronounce your
name, please correct me, is Mr. Jerry Cerasale, a senior vice
president of government affairs for the Direct Marketing
Association Incorporated, DMA. DMA represents 3,600 member
companies that are engaged in direct database and interactive
marketing and electronic commerce. Last year the association
developed and adopted standards for software downloads as part
of its guidelines for ethical business practice. DMA opposes
this bill and a broad regulatory approach in general because it
believes that self-regulation coupled with existing FTC
authority is working to crack down on harmful spyware.
Mr. Cerasale, you are recognized for 5 minutes.
STATEMENT OF JERRY CERASALE, SENIOR VICE PRESIDENT, GOVERNMENT
AFFAIRS, DIRECT MARKETING ASSOCIATION, INC.
Mr. Cerasale. Thank you very much, Mr. Chairman. With a
last name like mine, I respond to anything that comes close. So
that is fine. Cerasale is how it is pronounced but Cerasale is
all right as well. I am not ashamed of my heritage.
I do thank you for inviting us here and I would ask that my
written testimony be placed in the record, and I thank you for
recognizing DMA, the leading trade association. We have been
around since 1917 and our members are part of the economy, very
much part of this new e-commerce as they are providers of
Internet service. They sell goods on the Internet and so forth.
This is very important for us.
We agree fully with the subcommittee and the committee that
we want to try and rid the Internet of spyware. That is really
a goal that I think we should all be working toward, and I want
to commend this committee especially because you were the
instigator. You were the catalyst for moving forward in trying
to get industry looking at spyware. You were the catalyst to
DMA in producing our guidelines for spyware, for downloading of
software on the computers. You were the catalyst for browsers
taking any spyware software and putting it in their browser.
You are the catalyst for computer manufacturers adding that
onto computers. You are the catalyst for software providers
creating anti-spyware software. And I believe you are the
catalyst for the FTC and the States for moving and trying to go
against those bad actors putting on spyware deceptively onto
consumers' computers and stealing information, stealing their
computer, slowing it down and forcing those many people who had
to throw away their computers.
We have made progress since you started this investigation.
It is not over, and I don't think it will ever be over. As
technology changes, bad actors adapt. They get new technology
and we are going to have to be ever vigilant as we go forward
here. We don't think at the DMA that there is really a magic
bullet that is an all-purpose answer to everything here, which
is why we look at going forward with our guidelines because we
can change them fairly rapidly and try and adjust to what is
happening in the marketplace and try and keep this Internet
open for e-commerce.
We are really pleased that e-commerce has grown. One of the
great things is as we look at the growth, we have statistics to
show it is growing at 24 percent right now. It had been larger
but it is continually growing, and one of the great things was
that Cyber Monday was larger than Black Friday this holiday
season and the gap is going to get larger and larger as
e-commerce becomes more and more part of our American experience
for the benefit of consumers and the benefit of businesses.
As we look at H.R. 964, we support granting the attorneys
general the opportunity to and the authority to enforce the
law. We think that is a major part of balancing for preemption.
We also support the efforts and what is in section 2 of the
law. We think going after the bad actors is really what is
important and strikes the right balance.
We have some concerns with section 3 of the bill. We think
that the broad definition of software, and we had a very
difficult time trying to define software in our guidelines so
it is not something that is new. A broad definition of software
will take into account and cover things that are part of the
seamless use of the Internet that Americans are used to, that
provides advertising-supported contents, there is so much free
content on the Internet and so we think that section 3 probably
goes further than we would want. We believe you need
conspicuous notice, you need choice for the consumer, you need
an ability to uninstall or at least totally disengage, disable
any software that is put on your computer. We think there
should be a link to the privacy policy of the person putting on
the software and the name of the company should be known. We
think that strikes the balance for consumer choice plus
advertising marketing-supported Internet content which is
available free to most Americans.
The DMA has a concern with the Good Samaritan provision. We
are worried that the Good Samaritan provision in the bill could
become a means, an anti-competitive means and so we want to
make sure that we look at that and strike that balance and make
sure that is there. We also think that the monitoring provision
in 5(b) is a little bit too narrow. That provision for the
anti-fraud thing looks at certain companies. There are other
companies that do anti-fraud that aren't covered in that
exemption and we think that they are there.
We want to thank you very much for having me here today.
[The prepared statement of Mr. Cerasale follows:]
Mr. Rush. Our next witness is Mr. Dave Morgan. Mr. Morgan
is the founder and the chairman of TACODA, Incorporated. Mr.
Morgan will testify on behalf of his company and on behalf of
the Interactive Advertising Bureau, which represents more than
300 leading companies that are responsible for selling more
than 86 percent of online advertising. TACODA, which develops
innovative technologies for target marketing, says on page 4 of
its written statement that it supports H.R. 964, the next three
pages detailing its complaints against everything but section
2.
Now we will recognize Mr. Morgan for 5 minutes.
STATEMENT OF DAVE MORGAN, FOUNDER AND CHAIRMAN, TACODA, INC.
Mr. Morgan. Thank you. Chairman Rush, Ranking Member
Stearns and members of the subcommittee, thank you very much
for inviting me to testify on H.R. 964.
I am Dave Morgan, and as you can tell, I am wearing two
hats here today. One is the founder and chairman of TACODA,
Inc., a New York-based online advertising company, and also as
the chairman of the Public Policy Council of the Interactive
Advertising Bureau, which is the trade body of basically the
largest majority of the online advertising today.
Consideration of this legislation in past Congresses has
been an extraordinarily open and bipartisan effort and we
welcome the opportunity to participate with the committee and
the staff in developing appropriate language that balances
consumer protection with fostering continued growth on the
Internet. It is clear to me and the IAB that this subcommittee
intends to address the legislation to combat purveyors of
malicious software while at the same time not adversely
affecting legitimate online practices such as those employed at
TACODA.
The consumer experience with respect to spyware and online
advertising has improved in the last few years and I would say
I think the primary driver of that has been this committee's
focus on the issue and the clear intent that the bad practices
and this kind of action will not be tolerated. Second, we have
certainly seen significant prosecutions and actions from the
Federal Trade Commission and we have also seen a lot of
industry self-regulatory effort, and as a member of the
industry, I can tell you much of that has also been driven from
a reaction from your attention to this issue, and also the
self-regulation in areas of downloadable software. Given these
developments and particularly with respect to the broader
online advertising industry, we do think that there are issues
around section 3 where there could be some unintended
consequences.
A little bit about TACODA. It was created in 2001 as a
company to target online advertising. We deliver billions of
advertisements online every day in the pages of major Web sites
like the New York Times or Chicago Tribune or Orbitz, not
pop-up advertising, and the protection of consumer privacy and the
principles of relevancy, transparency and freedom of choice
have been hallmarks of TACODA's business practices from the
beginning. We are a board member of the Network Advertising
Initiative, the NAI, the Direct Marketing Association and its
interactive marketing advisory board.
Interactive and online advertising is the primary means of
funding a cost-free rich Internet as well as free access to
unparalleled products and services. Online advertising is
paying the bills for what people are spending more than 20
percent of all of their media consumption today. TACODA and the
IAB have worked closely with Web sites to develop guidelines to
address topics including e-mail, popup ads, lead generation.
Most people are probably surprised by the impact of online
advertising and the fact that it is supporting this content but
that is the reality because the vast majority of the content
online is free today because advertising has paid for it.
We support H.R. 964's efforts to combat spyware. We
strongly agree that spyware is bad for consumers, business and
the online advertising industry. The bill does not impinge on
certain legitimate practices like those of TACODA which make it
very easy at TACODA to be supportive of this legislation. But
there is always a risk of legislation that governs technology
and technology practices and that is where there are the areas
of concern across the broader industry, that there may be some
unintended consequences of defining technology, and given the
dramatic advances in combating spyware and the guidance now
available from enforcement and self-regulatory initiatives that
did not exist at the outset of the last Congress, we believe
that certain provisions of the bill are worth re-examining: the
broad definitions of computer software and personally
identifiable information as well as requirements in connection
with the collection of both personal information and
non-personal information. In addition, there are new technologies
that really weren't even utilized as recently as 2 years ago in
areas of some certain uses of cookies and Java and JavaScript.
Additionally, the IAB hopes to ensure that the anti-spyware
providers can continue to remove bad software. We recognize the
goal of the Good Samaritan provision. However, we would have
concerns that with changes that have broadened this language to
create a more extensive immunity provision, that would afford
companies broad discretion to remove legitimate software which
is often misidentified as spyware.
Thank you for considering the views of TACODA and the IAB
on these issues. The success of the Internet has helped fuel
this country's economy. We look forward to working together
with you. Thank you, Chairman Rush. Thank you, Ranking Member
Stearns. Thank you, members of the subcommittee. I look forward
to your questions.
[The prepared statement of Mr. Morgan follows:]
Mr. Rush. Thank you, Mr. Morgan.
Our next witness is Ms. Fran Maier. Ms. Maier is the
executive director of TRUSTe. TRUSTe is an independent,
nonprofit organization that helps consumers and businesses
identify trustworthy online organizations through its Web
privacy seal. The organization is very supportive of H.R. 964,
which establishes many of the same requirements included in
TRUSTe's Trusted Download Program.
Ms. Maier, you are recognized for 5 minutes.
STATEMENT OF FRAN MAIER, EXECUTIVE DIRECTOR, TRUSTe
Ms. Maier. Chairman Rush and Ranking Member Stearns and
members of the subcommittee, I am Fran Maier, executive
director and president of TRUSTe. We are, as you said, an
independent, nonprofit organization and our mission is to
advance privacy and trust for a networked world. We do this by
serving as a trust authority, bringing together stakeholders
and developing programs and best practices. Through our
programs, we aim to recognize and reward, elevate better
industry players, responsible industry players.
I want to thank you for the opportunity to speak to the
committee about industry self-regulation and our insights on
H.R. 964.
First, I would like to talk a little bit about the Trusted
Download Program. We have been working on this almost as long
as you have been working on this bill for over a couple of
years because spyware and unwanted software has really eroded
consumer trust in the Internet. We developed the Trusted
Download Program with a broad range of stakeholders including
our founding partners, AOL, CNET Networks, Computer
Associations, Microsoft, Verizon, Yahoo, and the Center for
Democracy and Technology. Our program certifies that
applications meet requirements for consent, uninstall and
affiliate control as well as a number of other rigorous
requirements. It is designed to bring accountability and
transparency to the downloadable consumer market by creating
market incentives for responsible best practices. Our program
requirements are rigorous and have been shared with the
committee. I would like to add that our certification program
includes complete evaluation and monitoring and we use an
outside testing lab to make sure that the benefits of
certification only go to responsible players.
Interestingly, I think our program requirements are tiered
to take into account the many variations in software
applications and distribution, so the greater the potential
harm to a consumer, the stricter the standards for
certification. For example, providers of advertising and
tracking software in our program must take full responsibility
for how their software is promoted and distributed. This
includes the methods used by affiliates, distributors and
bundling partners. The first group of nine certified
applications were announced on our Whitelist on our Web site
last month. We are happy to report that we think that the
Trusted Download Program has already had a big impact for the
consumer's benefit. One hundred percent of the companies'
applications that were certified last month made changes,
significant changes to their disclosure or to some of their
activities. We have seen that publishers are reducing the size
of their affiliate networks in response to the program and the
press that they have received. CNET's download.com, which is a
portal where consumers download software, is indicating when
one of our certified applications is certified so that
consumers can make that choice when they decide to download
some software, and AOL and Yahoo among others are using the
program to make some decisions about who they will partner with
and advertise with. We believe to improve consumers'
experience, we need both the stick of effective regulation
against the bad actors as well as the carrot of market
incentives to motivate more responsible players.
Now, to H.R. 964, the Spyware Act. TRUSTe applauds the
committee's work on the proposed legislation and you should
know that your work has informed the development of the
program. Baseline protections for consumers from spyware
together with private sector self-regulatory initiatives such
as we have will provide tangible relief to consumers. Section
2, which outlines egregious software behavior, and section 3,
requirements for notice, consent and uninstall, are very
similar to the Trusted Download Program. However, we believe
H.R. 964's effectiveness would be strengthened and its impact
magnified by inclusion of a safe harbor for self-regulatory
compliance programs modeled on the safe harbor provision of the
Children's Online Privacy Protection Act. As part of the Safe
Harbor, we would want participation in a self-regulatory
program as a factor for the court to consider when determining
penalties under section 4. A strong safe harbor would further
incent companies to implement best practices. We believe that
self-regulatory can complement legislation by going beyond
legal requirements, respond quickly to consumer concerns and
evolve at the fast pace of industry.
I would like to conclude by saying that now that the
Trusted Download Program has been launched, there are no more
excuses. Advertisers can't say they can't control how their
advertising is presented to consumers. Publishers should know
whether their software is lacking adequate consumer controls
and consent and companies should be able to maintain now that
they can see the good software from the bad.
Thank you for this opportunity. We respectfully request
that you include a safe harbor to encourage adherence to best
practices.
[The prepared statement of Ms. Maier follows:]
Mr. Rush. Thank you, Ms. Maier.
Our next and final witness for this morning's hearing is
Ms. Christine A. Varney from the law firm of Hogan and Hartson
LLP. She is speaking on behalf of Zango Incorporated. Zango is
an online media company that provides consumers with proper
online media and programming in exchange for their consent to
download adware onto their computers. Previously, as 180
Solutions, the company settled FTC charges that it used unfair
and deceptive practices to install unwanted adware that was
deliberately difficult to remove. The settlement disgorged
Zango of $3 million in ill-gotten gains and presently bars the
company from installing any adware software onto a consumer's
computer without his or her explicit consent and an easy means
of removing it. Zango was lost in the dark and now they see the
light. They support H.R. 964 except for section 5(c), the Good
Samaritan section, which it believes to be anti-competitive and
subject to abuse.
Ms. Varney, you are recognized for 5 minutes for your
opening statement.
STATEMENT OF CHRISTINE A. VARNEY, HOGAN & HARTSON LLP, ON
BEHALF OF ZANGO, INC.
Ms. Varney. Thank you, Mr. Chairman. I was getting a little
worried there until you got to the ``see the light'' part.
Chairman Rush, Ranking Member Stearns and members of the
subcommittee, as the chairman said, I am Christine Varney. I am
head of the Internet practice at Hogan and Hartson, and in the
spirit of full disclosure, I am a founder and past chair and
current board member of TRUSTe. I am also a former Federal
Trade commissioner.
As the chairman said, I am appearing here today on behalf
of my client Zango and Zango appreciates the opportunity to
share its support for 964 and join the chorus of support that
you are hearing for the bill. Just a moment about Zango and
then we will talk just for a few moments about the specific
provisions of the bill.
Zango provides consumers with access to a large and
expanding catalog of more than 100,000 pieces of Web content
including online video, games, music tools and utilities. Much
like television, this content is funded by advertising and
available to consumers without charge. Twenty million consumers
have chosen to enjoy this content and tens of thousands of
consumers elect to download Zango software every day. At the
same time, this business model offers smaller content providers
and Web publishers the opportunity to monetize their creations
and their online traffic by delivering to advertisers a
receptive consumer when that consumer is most likely to be
making an online purchasing decision. The company has more than
3,000 advertising partners. Zango's desktop advertising model
differs from other marketing applications in several respects.
First and foremost, Zango's pre-download notice and consent
process will meet the requirements of H.R. 964 as does its
uninstall and labeling features. Second, Zango does not track
or collect any user's personally identifiable information. In
short, Zango is not spying on anyone. Third, instead of merely
providing links in response to a search query or distracting
the user with multiple click-throughs, Zango delivers an
advertiser's specific Web page in response to the consumer's
search for a related product or service. This gives the
consumer the benefit of comparative offers on the Web at the
time the consumer is looking to acquire something.
Although, as I have emphasized, Zango is not spyware, the
company long ago recognized that its success and ultimately the
success of its business model was dependent upon Internet users
understanding and trusting its value proposition and upon a
level regulatory playing field for all online advertisers.
Thus, Zango has supported congressional action in this area
since the 108th Congress when it endorsed the bill reported by
this committee. As with that bill, H.R. 964's greatest strength
is its recognition that conduct and intentions underlying
different forms of downloadable software require different
approaches.
Zango supports section 2 and 3 of the bill which
appropriately and carefully distinguish between software
functions that are per se unacceptable versus those for which
consumer choice and consumer benefits are preserved with
appropriate consumer protection. Zango also commends the
authors of the bill for continuing to include the preemption
provisions of section 6 and the tracking cookie study in
section 8.
We are concerned, however, about subsection 5(c), which has
been described as a liability exception for the so-called Good
Samaritans. This provision unnecessarily restricts the FTC's
ability to pursue enforcement action against those parties the
FTC believes warrant it. Equally important, the presence of
such an immunity provision in the bill opens the door wide to
judicial application and expansion of the concept in private
litigation between commercial parties. Some companies selling
scanning applications to consumers compete by issuing
inflammatory warnings designed to frighten consumers about
software lurking on their computers. It will not be long before
purported congressional policy protecting Good Samaritans is
cited as a legal basis for defending against or dismissing a
civil claim brought by a software provider against one of these
applications or even a claim brought by one of these
applications against another. There is no compelling reason in
this instance to alter the standard that commercial disputes
between commercial parties should be settled commercially or
short of that, in the courts in private litigation. The conduct
of commercial parties should not be exempted from the FTC
enforcement authority merely due to the alleged nature of the
particular product or service being sold. Zango respectfully
urges the committee to delete subsection 5(c).
All participants in the online advertising industry should
embrace and implement the standards set forth in section 3 of
H.R. 964, as Zango has, but unfortunately, not all will. Too
many in fact will not until they are compelled to do so. As the
desktop advertising industry evolves, Zango will continue to
strengthen its business practices and enhance its technology to
make the online economy increasingly valuable by enabling
consumers, advertisers, publishers and content providers to
seamlessly work together. With the one modification suggested,
H.R. 964 is fully supported by Zango and we urge its enactment.
I have submitted longer written remarks for the record, and
I look forward to your questions.
[The prepared statement of Ms. Varney follows:]
Mr. Rush. Thank you very much.
The chair recognizes himself for 5 minutes of questioning.
I am going to ask a series of questions of this entire panel
and I ask you in the interest of time, I only have 5 minutes,
that you do not filibuster, just answer the question with a yes
or no answer. I will give you ample opportunity if I have time
remaining to expand on your answers after we have gone through
this entire series.
So I want to start with Mr. Schwartz. Mr. Schwartz, do you
support H.R. 964?
Mr. Cerasale. Not as written.
Mr. Rush. Mr. Morgan?
Mr. Morgan. On behalf of TACODA, we support the bill.
Mr. Rush. Ms. Maier?
Ms. Maier. Yes.
Mr. Rush. Ms. Varney?
Ms. Varney. Yes.
Mr. Rush. Next question. Do you believe that consumers
should be protected from the dangers of significant economic
losses inherent in spyware programs, and if your answer is yes,
do you support section 2 of the bill?
Mr. Schwartz?
Mr. Schwartz. Yes, and yes.
Mr. Rush. Mr. Cerasale?
Mr. Cerasale. Yes to both.
Mr. Rush. Mr. Morgan?
Mr. Morgan. Yes to both.
Ms. Maier. Absolutely.
Ms. Varney. Yes to both.
Mr. Rush. Do you believe that consumers should receive
clear and conspicuous notice of advertising and tracking
software, especially programs that collect personal information
on consumers, Mr. Schwartz?
Mr. Schwartz. Yes.
Mr. Cerasale. Yes, Mr. Chairman.
Mr. Morgan. Yes, Mr. Chairman.
Ms. Maier. Yes.
Ms. Varney. Yes.
Mr. Rush. I am tempted to start from this end but I am
winning starting from that end so I think I am going to keep on
going. I am not going to change.
Do you believe that consumers should be provided the right
to consent to such intrusive applications on their computers?
Mr. Schwartz. Yes.
Mr. Cerasale. No, we believe in consumer choice, not
necessarily one size fits all.
Mr. Morgan. On behalf of the IAB, we believe that one size
does not fit all.
Mr. Rush. So what is your answer?
Mr. Morgan. My answer would be no, not broadly.
Ms. Maier. Yes.
Ms. Varney. Yes.
Mr. Rush. I am going to start at this end now.
Ms. Varney, do you believe that such programs should
provide consumers with a simple installation procedure?
Ms. Varney. And simple uninstallation, yes.
Ms. Maier. Agree with that, yes.
Mr. Morgan. Yes.
Mr. Cerasale. Yes, it should be if they can't fully
uninstall, it should be at least totally disabled.
Mr. Schwartz. Yes.
Mr. Rush. Ms. Varney, do you support section 3 of the bill?
Ms. Varney. Yes.
Ms. Maier. Yes.
Mr. Morgan. And as I said before, yes, TACODA is supportive
of the entire bill. On behalf of the online advertising
industry, we would like a few parts of section 3 re-examined.
Mr. Rush. Mr. Cerasale?
Mr. Cerasale. Section 3, not totally as written.
Mr. Schwartz. We support the goals of section 3. We have
some comments in our written testimony regarding some of the
details.
Mr. Rush. Ms. Varney, do you believe that the Congress
should provide a single, coherent, pro-competitive regime for
consumer protection in this area rather than a patchwork quilt
of different State laws?
Ms. Varney. Yes, I do, Chairman.
Ms. Maier. Yes, I do.
Mr. Morgan. Yes, I do.
Mr. Cerasale. Yes, we support preemption.
Mr. Schwartz. In general, yes.
Mr. Rush. Mr. Schwartz, I have a few moments.
Mr. Schwartz. I would say that we would like the States to
be able to act under the Federal bill though. I understand that
that raises some jurisdictional questions but we hope that that
can be addressed on the floor that attorneys general will be
able to act under this bill as a Federal bill.
Mr. Rush. We have had some earlier commentary on the Good
Samaritan provision. Is there anybody else that would like to
add some other commentary on the Good Samaritan provision?
Mr. Schwartz. I will make a statement about the Good
Samaritan provision. I think that the goals of the Good
Samaritan provision are good ones. The goals seem to be to
promote anti-spyware software. Really, the first line of
defense for a consumer today is anti-spyware software and we
have seen that it has had a major effect, positive effect on
the issue. I have worked with the anti-spyware coalition, with
anti-spyware groups and with privacy groups and public interest
groups, working together to build best practices and standards
for how anti-spyware companies work. We think that we have come
up with a good set of best practices, putting out more actually
just today that have gone through an extensive public comment
period.
I question the concern over the provision, more because I
don't think it is going to be effective in doing what the goals
intend it to do. The goal is, as I said, to promote
anti-spyware software but it really only protects anti-spyware
software from the provisions, from the penalties in the bill
and not from things that an anti-spyware company is most likely
to be sued over, defamation, for example, or raising concerns
about software. There are no penalties in this bill that go
after anti-spyware software in that way so I question how
effective it is going to be, but the concerns that have been
raised here I don't see as really getting at the main problem
with the provision.
Mr. Rush. My time has expired.
Now I will recognize the ranking member, Mr. Stearns.
Mr. Stearns. Thank you, Mr. Chairman.
Mr. Schwartz, you mentioned in your opening statement that
sometimes it is so difficult to get rid of the spyware that you
have to throw away your computer and there is not really a
program out there that can just sweep through and get rid of
the spyware?
Mr. Schwartz. We have seen a real increase in the ability
of these programs to embed themselves in computers.
Mr. Stearns. So it is almost impossible to get rid of them?
Mr. Schwartz. In many cases, if they have something that is
called a rootkit, it can be embedded into the operating
system, so when you are looking for the program, you ask the
operating system, the operating system basically tells you this
program isn't there because the question goes to the operating
system and the rootkit basically tells the operating system--
and this is a very simplistic version of what happens but----
Mr. Stearns. With that in mind, I ask the staff, there are
only four States in the United States that have actually passed
spyware: New York, Texas, California and Washington. Utah tried
to do it and the courts threw it out. What was the reason why
the courts threw it out? Does anyone in the panel know?
Mr. Schwartz. It was a different kind of a spyware bill. It
really tried to focus on copyright provisions, intellectual
property of ads showing up over the other ads, the place where
the consumer was trying to go instead of at the deceptive
practices that this bill and that most of the other bills have
gone after.
Mr. Stearns. Ms. Maier, some critics have suggested that
the online environment has changed with new software, new
programming so that this legislation really perhaps is not
needed, and maybe, Mr. Schwartz, you can help me too. Do you
think that it is possible that it would be accurate that--there
are some software companies that are not in favor of this bill.
Some of them are concerned because we have a study on cookies
and others are concerned, say well, just let the software
handle it. What is your opinion in terms of software being able
to prevent software from coming in and that would take care of the
problem, we don't need legislation?
Ms. Maier. Sir, there is always the good players and the
bad players and I think the good players can look to
self-regulatory efforts, to look to best practices and----
Mr. Stearns. So there is no software out there that would
prevent the bad players from getting into the computer?
Ms. Maier. I don't think there is a perfect solution. I
think it really is a partnership between legislation,
technology, self-regulatory and other efforts, and so I see
legislation as necessary.
Mr. Stearns. Does the rest of the panel agree with that,
that there is no software out there that at least would cover
90 percent of the spyware?
Mr. Schwartz. That is correct.
Mr. Cerasale. That is correct. As a matter of fact, if
there were one tomorrow, it might not be effective as
technology is constantly changing.
Mr. Stearns. So as much as technology is moving forward for
software, bad guys can find another way?
Mr. Cerasale. Absolutely. They may be more technologically
advanced the more people are trying to stop them.
Mr. Morgan. Yes, I would agree with that. I mean, it is
absolutely impossible for technology to be a silver bullet
here.
Mr. Stearns. Ms. Varney?
Ms. Varney. I agree with that.
Mr. Stearns. OK. The next question is, it appears that
section 3 of this bill is the area that a lot of people are
concerned about. I guess for the panel, are cookies used for
the purpose of serving advertisements? Should cookies be
treated differently than spyware that does not use personally
identifiable information to serve advertisements?
Mr. Schwartz, would you start?
Mr. Schwartz. Cookies are a somewhat complex issue but I do
think that they should be treated differently than software.
Mr. Cerasale. Cookies are so much embedded in how the
Internet works. It clearly is a different animal. Cookies and
similar-type technologies are different from a software
download.
Mr. Stearns. OK. Mr. Morgan?
Mr. Morgan. Yes, cookies and what I would call relatively
passive technologies are very different than the kind of
invasive software that has been used with the computer
programs. I think the issues that people have around section 3
are, it is really hard to figure out the wording of how you can
get between that passive and active from a practical
standpoint.
Mr. Stearns. Mr. Morgan, when this got out of our
committee, they put in this study on cookies, and I cautioned
them, I said that was going to create a lot of concern and
angst in the industry because once you have a study on cookies,
the study might come out, you never know where it is going to
go and everybody has these cookies. Do you think cookies by
themselves are innocuous and----
Mr. Morgan. I think they are largely innocuous but I
actually think that the study is a fine idea. I think that this
is one of those examples, as they say, that sunshine is the
best antiseptic. If there are problems, I don't think anything
is hurt by having attention brought.
Mr. Stearns. Ms. Maier, and you might also point out,
answer the first question, but the second intuitively is this
study on cookies, is that necessary?
Ms. Maier. First of all, I think that cookies are outside
the scope of what we call software or downloadable applications
in our program. A study on cookies I think is a great idea. I
think there are a lot of things going on. Our Web cell program
requires consumers to know about other cookies and other
tracking software so if there is a study on cookies, I hope it
would be including other----
Mr. Stearns. Is it possible cookies could replicate the
software once they are in the computer?
Ms. Maier. What is technically possible continues to
amaze me but I don't think that is----
Mr. Stearns. Do cookies track and do the same thing that
spyware does in another way that could be considered harmful?
Ms. Maier. Not generally.
Mr. Stearns. Mr. Schwartz, do you want to answer that?
Mr. Schwartz. Cookies basically give an ID number from a
particular Web site and they can be used--the uses of them have
changed over time and--but there are more harmful pieces of ID
tracking that have come up over time so it is kind of--there
has been a change in that. I do think that a study would be
helpful at getting at how they are being used.
Mr. Stearns. Ms. Varney, let me just close. My time is
running out. If you don't mind just answering the question.
Ms. Varney. Sure. I think the study is a terrific idea. I
think the tension around section 3 is on two levels. Cookies,
JavaScript, HTML, all devices used in the seamless delivery of
content that consumers want today on the Internet can be
abused, and the question is, where does this bill land on those
type of seamless technologies.
I think there is another tension maybe unspoken in public.
Yahoo, Google, AOL all have toolbars and those toolbars
absolutely collect information and deliver advertising.
Currently, those companies give you great notice and get great
consent inside their master agreement. They don't pull it out
separately. I think there is a question about whether or not
they should and whether or not that bill requires them to.
Mr. Stearns. Thank you, Mr. Chairman.
Mr. Rush. Ms. Schakowsky is recognized for 5 minutes.
Ms. Schakowsky. Mr. Schwartz, you frequently talk about
baseline privacy legislation and I wondered if you could
describe for us what you would envision for such a bill and
also because you mentioned--I can't remember if you said it but
in your written testimony there are some downsides to not
having a more comprehensive piece of legislation in dealing,
for example, with spyware alone. So I wonder if----
Mr. Schwartz. Let me start with the problems and then move
to what we would like to see. Some of the problems that we see,
you have different--we start coming up with these different
privacy bills in all of these areas, I mentioned seven in my
testimony, but for those of you who have been on this
subcommittee know, there are dozens, literally dozens of
privacy issues that have come before this subcommittee over the
past 10 years or so, as we start coming up with different
standards for different types of information, it becomes harder
for consumers to know what the particular standard is for that
type of information. If we don't have a safety net there, and
there are some areas that still fall outside of that so a new
technology arises and you have to create a new standard for
that new technology. You have to compare it to all these other
differing standards, go through this whole process again. We
think that it makes more sense to come up with really a
baseline safety net kind of standard where we know that if
something falls out of it, at least it is covered by this new
standard of where personal information is being directly
collected, and we would like to see something that covers the
fair information practices. I think that the Federal Trade
Commission, actually started by the work of Commissioner Varney
at the end of the table over there, has at one point back in
the 1990's endorsed privacy legislation. We thought that that
was an excellent starting point: notice, choice and consent,
depending on the situation, access and security and enforcement
as a great starting point to look at to getting at these
issues. We feel there have been a number of bills over the
years that have started us down that path. We now have 13
companies that testified in front of the, I think it was the
full committee, last year in support of looking at general
privacy legislation. We think consumer groups are behind it.
There is momentum now we think to get at this issue so that we
don't have these kind of different standards across different
kinds of industry, across different kinds of technology.
Ms. Schakowsky. I would really like to hear from other
panelists on their view of having a comprehensive baseline
bill.
Mr. Cerasale?
Mr. Cerasale. Yes. Well, DMA does not have a set position
on an overall comprehensive privacy bill. We want to be open
and talk and discuss it. There are an awful lot of privacy laws
in the United States and how they do come together and so forth
and what information is covered and not covered. An overall
privacy bill could in fact really create the different
standards that financial information is treated one way whereas
marketing information another that may be more restrictive
and so it is a very complicated issue and we have an awful lot
of guidelines. It is not just DMA but OPA and others have
guidelines that companies like Yahoo, AOL and Google follow
with notice and choice and I think that right at the moment you
have in the United States a series of laws and guidelines as
industry works together that seems to work. One of the problems
with an overall bill is that technology is changing so quickly,
it makes it very difficult as we see, for example, the
computer----
Ms. Schakowsky. I am going to have to stop you because I
want others to speak. But it is also a problem with technology
changing with very specific bills that deal with a specific
problem.
Yes?
Mr. Morgan. Both TACODA and IAB, we don't have a formal
position but we are certainly open to dialog on that kind of
legislation.
Ms. Schakowsky. Ms. Maier.
Ms. Maier. We have been working with a number of companies
in trying to encourage better privacy protections for consumers
and in general we think baseline privacy legislation could be
good. That said, I think we still need spyware legislation
because a lot of this doesn't even have to do with personal
information but computers installing things and tracking and
that could be outside the scope of privacy legislation.
Ms. Varney. Congresswoman, I am here on behalf of Zango and
they really have not examined whether or not it would be for or
against any baseline privacy legislation. They strongly support
this bill and they don't collect personally identifiable
information. So I think there is a need--even if there is a
baseline privacy bill that we get out of the Congress and
signed by this President, there probably still is a need for
this type of legislation.
Ms. Schakowsky. I am not suggesting that we don't do this
legislation. Thank you.
Mr. Rush. Mrs. Bono is recognized for 5 minutes.
Mrs. Bono. Thank you, Mr. Chairman.
First, I just want to comment on the discussion about
cookies. I think the study or the report on cookies in the bill
is a good thing and I didn't really have a problem with cookies
in the beginning because anybody with a slightly elevated
degree of sophistication on the Internet knows how to go ahead
and delete your cookies. It is not that hard to do. So I think
the report obviously is a good thing. That is why we didn't
really give it more weight than that because there is a removal
tool.
And I just want to comment, the question that Ranking
Member Stearns asked was about software and how effective it is
at removing spyware/adware and I just want to applaud Microsoft
because I think Windows Vista--I am a user of Vista on one of
my computers--and I think they have come a long way and with
Windows Defender I think they have certainly tried to tackle
the issue. As soon as Windows Vista works with iTunes, it might
be a perfect world, but until then, I do want to applaud them
for their efforts to address the issue.
But I would like to ask a question of Mr. Morgan, and that
is, can you tell us about the current state of the online
advertising industry and how popup ads are currently being
used? There has been obviously a lot of restraint, best
practice put into place but they are still out there. Can you
go over what they are doing now?
Mr. Morgan. Certainly, Congresswoman. Well, first I would
like to say I have been in the online advertising industry for
about 15 years and we have probably had some forms of spyware
for the better part of the last 10, and I applaud you,
Congresswoman Bono, because until you made it an issue and
brought it to the forefront, it wasn't being talked about, and
I won't say it wasn't being talked about in Congress. It wasn't
being talked about inside the online advertising industry. I am
one of the first to say self-regulation and self-regulatory
practices help solve problems but we weren't solving it, and
that is one of the reasons you probably hear sometimes a little
balance of my position in TACODA in talking about other things.
But I will say that since you got involved and you and
Congressman Towns introduced the bill, there has been a lot of
attention in the industry and I have not seen any issue that
has had more attention in the industry over the last several
years, and what we have seen is, we have seen a significant, I
would say a dramatic reduction in the use of popup advertising.
We have certainly seen companies like Microsoft make
extraordinary leaps forward in software and technology. We have
seen a lot of practices go forward and I think that has been a
great thing.
Mrs. Bono. Can you describe then how interactive
advertising helps provide consumers with free online content?
Mr. Morgan. I think that--and this is a tiny anecdote but
one of the things I have found in talking to people about this
is that a lot of people think the Internet works like cable
television and that you pay a bill to an Internet service
provider and you get access to a bunch of channels and content,
and what most people haven't realized is the money that is paid
by a consumer never actually makes it to the people that make
the content. Not a penny of that goes to the New York Times or
to Orbitz or to iVillage. They are 100 percent supporting what
they give for free to consumers with advertising and one of the
reasons it has been such a robust industry that we have really
supported the actions against spyware because it had the
capability and still has some capability that really had the
capability to really harm or destroy what was really emerging
in strong industry.
Mrs. Bono. I think on your point there, I just picked up--
the committee did a great job providing a ton of information up
here including a Business Week article from July 17. I hadn't
even seen this before, but for those of you who have seen it,
the opening quote says consumers have strong opinions about
direct revenue software, and this is a quote: ``If I ever''--I
don't even know if I should say this for the record but it
says, ``If I ever meet anyone from your company, I will kill
you,'' a person who identified himself as X said in an e-mail
to Direct Revenue last summer, ``I will * * * * kill you and
your families.'' That is what it says. Such sentiments aren't
unusual. ``You people are evil personified,'' and this
gentleman goes on to say, ``I would like the 4 hours of my life
back I have wasted trying to get your stupid uninvited software
off of my now-crippled system,'' and I think that last sentence
really identifies people's frustration with adware and spyware
and it is not a matter of direct advertising and good
practices. It is a matter of really interfering with people's
lives and the fact is I believe we own our own computers, not
an outside source, and that is where this whole thing came
from.
I see Mr. Chairman, that I am just about out of time and I
just want to thank all of you on the panel who have worked with
us in the past on this bill and I know Ed Towns and I will
continue to work with you and hear your concerns as we go
through the process. So thank you very much.
Mr. Rush. Does the gentlelady request unanimous consent
that this be included into the record, the article?
Mrs. Bono. Yes, Mr. Chairman, thank you, and also to notice
that I was quoting because I don't know if I violated rules by
quoting the F-word but I did not say that word so I don't want
to get in trouble.
Mr. Rush. No, since you complimented the committee, we will
accept that. Thank you.
Mr. Rush. Ms. Hooley, you are recognized for 5 minutes.
Ms. Hooley. Thank you, Mr. Chairman, and I thank all of my
colleagues who have worked so hard on this bill and Mrs. Bono,
for all of your hard work.
I am a cosponsor of the bill. I strongly support this bill
and I want to make sure there are not any unintended
consequences and I am concerned that there may be unintended
consequences if there is detection software, then that they
can't be used to keep consumers safe from fraudulent
activity. I know, Mr. Chairman, you pointed out the exemption
clause but I don't know if that clause actually does what it
needs to do to make sure that there is an exemption here for
the software that helps keep fraudulent activity out of your
life, software that determines the legitimacy of a transaction
or to verify information supplied by that consumer, and I guess
I would like to hear from you if you think again that we don't
have some unintended consequence in this piece of legislation.
Ms. Varney. May I comment on that?
Ms. Hooley. Yes, please.
Ms. Varney. Zango has commented on that provision,
Congresswoman, and the way that we read the language, and if I
may, I will just quote it. It says that ``No provider of
computer software may be held liable under this Act on account
of any action voluntarily taken or service provided in good
faith to disable a program used to violate section 2 or 3.''
There is a couple of concerns we have. Remember, this Act is
enforceable by the FTC.
Ms. Hooley. Right.
Ms. Varney. It doesn't create a private right of action. So
what this in effect is saying to the FTC is that anybody can
hide behind the defense of hey, we are just a scanning app
trying to take bad stuff off people's computers. We think that
is an unwise standard to put in this Act. The FTC is very
judicious about its enforcement and I cannot foresee a
circumstance under which they would go after a legitimate
provider of a scanning application. However, the providers of
scanning applications ought to be under the same requirements
when it comes to notice and consent and uninstall. So we think
that the better course here, since this is an act empowering
the FTC to prosecute bad actors, is to leave that exemption
out, let the FTC prosecute those who do have the requisite bad
intention or who fail to provide the adequate notice, consent
and uninstall.
Ms. Hooley. Yes, Mr. Cerasale?
Mr. Cerasale. I want to look at the exemption provision in
section 5(b) where the monitoring or interaction of your
anti-fraud software you are exempted from the Act totally so in the
notice and all of that but it is limited to telecommunications
carrier, cable operator, computer hardware or software provider
or provider of information, service or interactive computer
service to the extent that it is more for anti-fraud. Those are
not the only people--they are not really software providers.
They are not the only people running the anti-fraud programs,
creating the software and sending it in. So we need to expand
to financial institutions to use this, credit card companies,
so forth, retailers even use because they collect credit cards
or direct marketers so we need to look at expanding 5(b), not
that the exemption is bad but to expand it to help us in the
prevention of financial fraud.
Ms. Hooley. OK. I am assuming that you would have a list of
what else needs to be added to those exemptions?
Mr. Cerasale. Yes. I will provide that list and try and
work out--we probably need to talk with committee staff to make
sure that we are as inclusive or not too inclusive in the
exemption.
Ms. Hooley. Did they fix this in the Senate, by the way?
Did they do something different in the Senate, anybody know?
Mr. Cerasale. They did make a change in the Senate so we
can use--we will provide the Senate language.
Ms. Hooley. OK. Thank you.
Mr. Rush. Thank you so very much. I certainly want to
extend our thanks to the witnesses who have come and helped us
and informed us so much and participated in this hearing.
Again, thank you for taking the time out from your busy day.
With that said, we will call the committee adjourned. The
committee is now adjourned.
[Whereupon, at 12:30 p.m., the subcommittee was adjourned.]