The FTC Spyware Workshop: One Year Later

by Eric L. Howes

18 April 2005

One year ago this week (April 19 to be precise), the FTC hosted its Spyware Workshop:

FTC Spyware Workshop (home page)
The FTC's Spyware Workshop (resources)

Ben Edelman and I were talking recently about this, and reflecting on what's changed in the year since that event. What follows is a list of significant developments in the one year since the workshop.

The Bad News

Unfortunately, the most significant developments in the year since the FTC workshop are all bad news for internet users.

1) Spyware/adware installations get more aggressive

The adware firms who submitted comments to the FTC or who gave interviews to reporters last year all claimed that the problem was exaggerated or that they themselves were cleaning up their acts.

In fact, in the one year since the workshop the installation methods used to install spyware and adware have become more aggressive, exploitative, and dangerous. The use of security exploits as well as out-and-out malware, in particular, has become widespread and even brazen. To be sure, the use of security exploits to install adware/spyware wasn't unknown at this time last year; however, those earlier instances were comparatively few and rare, and thus noteworthy and novel. Now they're rampant. See Ben's pieces here for a few hair-raising examples (with videos):

Video: Ebates Installed through Security Holes
Who Profits from Security Holes?

Also of interest:

News: Major Exploit Underway...

Instead of cleaning up its act, the adware industry has essentially spent the last year thumbing its nose at the FTC. And let's not forget that adware vendors even developed a new way to push unwanted software on users: DRM-protected Windows Media files:

Media Files that Spread Spyware
WMP Adware: A Case Study in Deception

As Ryan Naraine of eWeek recently pointed out, three months later Microsoft has yet to close that installation route:

Where's That Windows Media Player Update?

Once spyware and adware are installed on users' PCs, they are very difficult to remove. The latest CoolWebSearch (CWS) malware, VX2.Transponder adware, and Huntbar (Websearch/Wintools) adware variants employ a number of sophisticated techniques to thwart removal. In some cases, the only effective way to clean the infested machine is to wipe the drive, format, and reinstall.

2) Adware/spyware installations get more abusive

For my comments to the FTC last year, I wrote about an installation that dropped 7 or 8 different adware programs on users' PCs:

The Anatomy of a "Drive-by-Download"

At the time, I was aghast. One year later, that looks like chickenfeed. Typical adware installations now drop dozens of programs on users' PCs, completely crippling boxes with hundreds of files and thousands of Registry keys. See Ben's security hole installation report and Windows Media adware report from above for some shocking numbers from two typical adware installations. Also, Webhelper and Paperghost recently wrote up an adware installation that drops so much junk on users' PCs that the whole install process goes on for a half-hour:

and Its Massive Popup Adware Installs From
30 minute malware install? Yes please!

What we're now witnessing is an unprecedented assault on internet users by commercial interests. Combine the adware/spyware problem with the problems of phishing, identity theft, spam, zombie-bot networks, and commercial-for-profit worms, and you have a truly nightmarish situation for internet users.

3) Businesses are buried by spyware/adware

It's not just home consumers complaining any more. Businesses and other large organizations (schools, universities, non-profits, governmental entities) are now reporting that spyware/adware has become their biggest tech-support headache. News stories on this development abound -- a few samples:

Spyware: IT's public enemy No. 1
Companies Scramble to Deal With Spyware 

4) Spyware/adware victims are inundated w/ garbage anti-spyware

We were told last year that the market itself could solve the spyware/adware problem by offering consumers more software tools to protect themselves, and indeed we have seen the entrance of a large number of anti-spyware apps into the marketplace. Unfortunately, the vast majority of those apps are pure unadulterated garbage, as documented on the "Rogue/Suspect Anti-Spyware" page, which started back in June 2004 with about 40 apps and now lists over 180!

Rogue/Suspect Anti-Spyware Applications & Web Sites

Spyware victims face enormous difficulties sifting through the hundreds of anti-spyware apps that are available to find the small handful that are actually reputable, effective, and trustworthy. So prolific have anti-spyware apps become that adware firms are themselves getting into the business, releasing their own anti-spyware apps and even partnering with anti-spyware firms. And, of course, we have anti-spyware apps that are stealth-installed along with the very adware/spyware they purport to detect and remove or that install adware and spyware themselves.

5) The FTC goes MIA

Last year the FTC told us (PDF) and Congress that it didn't need any new laws to combat spyware because it had all the enforcement power it needed under existing statutes. One year later the FTC has prosecuted precisely two cases related to spyware:

Note that both of those cases are against shady anti-spyware vendors, not adware/spyware vendors proper, despite the prolific, widespread abuses we've seen (CoolWebSearch [CWS] malware, VX2.Transponder adware, security exploits, deceptive installation practices, Windows Media adware, et al). One of the most aggressive, obnoxious adware firms is sitting up in New York City, completely unmolested and even threatening its critics. Still worse, one of the biggest CoolWebSearch (CWS) malware distribution hubs in the world is sitting out at a hosting firm located in CA, also completely unhindered by the authorities.

I'm certainly happy that the FTC moved on the two cases that it did, but the FTC's actions to date have been woefully inadequate.

6) "Industry best practices" go MIA

The computer and advertising industries themselves, esp. adware firms, made all kinds of noises about developing strict "industry best practices" and setting other high standards for installation and privacy practices. But what has happened in the year since they talked about those endeavors? Almost nothing.

Installation and privacy practices used by most adware firms have either remained as obnoxious and exploitative as they always were, or they have even gotten worse, with poor notice and disclosure during installation of adware being the norm and illegal "force-installs" or "stealth-installs" of adware and spyware becoming rampant (as noted earlier). We've also seen increasingly obnoxious and exploitative license language designed to tie users' hands:

Anatomy of a Drive-by-Install (Even on Firefox)
Spyware Installation Methods
Claria's Misleading Installation Methods
180's Misleading Installation Methods
3D Desktop's Misleading Installation Methods
180 Talks a Big Talk, but Doesn't Deliver
180 Installation Methods & License Agreements
Claria's Practices Don't Meet Its Lawyers' Claims
Gator's EULA Gone Bad
Grokster and Claria Take Licenses to New Lows...
EULA Privacy Statements

Instead of fixing these problems, the adware industry has resorted to "more of the same": endless excuse-making, claiming the problem is exaggerated, blaming users for not being more savvy, blaming their own distributors whom they claim not to be able to control, attempting to game definitions of "spyware," and launching massive PR campaigns to clean up their image without actually cleaning up their poor practices.

Not only has there been very little movement to establish real standards with teeth and credibility, but the one instance in which standards of some sort were developed and applied was so utterly compromised that it was justly ridiculed and denounced by the anti-spyware community. The Consortium of Anti-Spyware Technology vendors (COAST) collapsed over the course of Jan.-Apr. 2005 after granting admission to 180solutions, an adware company which we now know hasn't even come close to cleaning up its act:

Oh, What a Tangled Web We Weave...
Scratch a Lie, Find a Thief...

At the time of its collapse, this anti-spyware industry consortium had more adware firms as members than it did anti-spyware firms -- see the following for the sad story of the COAST endgame:

Anti-spyware group Coast hits an iceberg

The COAST/180solutions incident offered a beautiful illustration of what can go wrong when "industry best practices" become little more than PR cover for adware firms looking to burnish their image. And we also have the sad specter of adware firms and anti-spyware firms partnering with each other (WhenU/Aluria):

WhenU Enters the Anti-Spyware Market

WhenU is certainly not the only adware firm looking to gain cover through partnerships with anti-spyware firms:

Buying Legitimacy
Adware Vendors Running for Cover...

7) Adware firms go on a legal rampage

Although a number of adware firms are loudly proclaiming their self-reform, most of these reform efforts are little more than fancy PR campaigns designed to give themselves an image makeover without substantially changing their actual business practices. What they have started to do, though, is threaten anti-spyware firms and other critics in the anti-spyware community with lawsuits -- see Ben's page for a handy summary of the explosion of threats against the anti-spyware community:

Threats Against Spyware Detectors, Removers, and Critics

The latest crop of C&Ds comes from IBIS, the folks who brought us such wonderful software as Websearch and Wintools. 

Silencing the Critics: IBIS

And, of course, Lavasoft and Pest Patrol took a public beating back in Feb. 2005 for removing WhenU from their detections without properly informing their customers:

ASW Vendors in La-La Land

Other recent threats came from 180solutions, Claria, DirectRevenue, Hotbar, and iSearch/iDownload.

8) Adware firms get VC funding

As Ben has documented, adware/spyware firms are getting more and more funding from VCs:

Investors Supporting Spyware

That's just plain depressing. Note that some of those VCs are shamelessly playing both sides of the street -- funding spyware/adware firms and then turning around to fund anti-spyware firms. And let's not even get started on the large, well-known U.S. companies that are actually advertising through adware networks, thus pumping even more money into these companies. Ben's site, again, is the place to go for information on advertisers.

9) Adware firms exploit pay-per-install affiliate networks

This is perhaps the most important development of the past year. It's become increasingly clear that what's fueling the adware/spyware problem and what's enabling rampant stealth-installs of this unwanted software is the use of "pay-per-install" affiliate/distribution networks by adware firms. I discuss the problem here:

"Our sleazy affiliates did it..."

Wayne Porter offers a number of useful points here:

SpazBox- Just Because You Don't see it Doesn't Mean It Isn't There

And Ari Schwartz of the CDT put a spotlight on the problem in his Jan. 26 testimony before a House sub-committee:

Testimony of Ari Schwartz of the Center for Democracy & Technology (PDF)

When you look at the way these "pay-per-install" affiliate networks work and then reflect on the fact that VCs and large advertisers are fueling those networks with massive infusions of money into adware firms, it's difficult to escape the conclusion that the market is broken -- or that, at the very least, the market isn't working to protect consumers, web surfers, and citizens.

The Good News

It's not all bad news, though. There have been some positive developments in the one year since the FTC workshop.

1) Microsoft rolls out Windows XP SP2

This major Microsoft update to Windows XP adds a number of improvements to IE and Windows to decrease the likelihood that users will get taken by adware/spyware:

Microsoft Windows XP Service Pack 2

2) Microsoft offers its own AntiSpyware app

Microsoft itself entered the anti-spyware business after buying GIANT. This move is in addition to making several anti-virus acquisitions and offering a free malware removal tool to users:

Microsoft: Spyware

3) Anti-virus vendors get a clue

After sitting on their hands for the past five years (I date the rise of adware back to the spring of 2000), the major AV firms are finally being compelled to enter the anti-spyware market. They've still got a ways to go, but at least they're doing something. This action comes amidst a booming market for anti-spyware solutions.

Symantec is the real laggard here. McAfee was first out of the gates in Jan. 2004 with its own AntiSpyware app. Computer Associates purchased Pest Patrol in mid-2004. Panda, Kaspersky, and TrendMicro incorporated anti-spyware functionality into their core products later in 2004.  Symantec announced plans to do so in Jan. 2005. 

4) ISPs get a clue

Earthlink, AOL, and other large ISPs have now started offering their customers free anti-spyware software. Some of the software they're offering isn't all that good, but at least they're taking steps to protect their customers.

Earthlink Spyware Blocker
AOL Goes After Spyware

5) Lawmakers get a clue

Legislators at both the state and federal level have clued into the spyware/adware problem. Most of the laws they've come up with are extremely problematic, but it is significant that lawmakers are at least listening and that almost none of them wants to be seen defending adware/spyware.

Spyware Legislation

6) Plaintiffs' attorneys get a clue

We have seen lawsuits against adware/spyware firms before (which Ben summarizes on his site), but most of those have been filed by companies upset at contextual advertisers like WhenU and Claria who offer competing advertising and offers when users visit company web sites. Just the other week, though, we saw the filing of a class action lawsuit on behalf of Illinois consumers against DirectRevenue. That's big news:

Spyware Lawsuit Alleges Computer Hijacking

7) NY AG gets a clue

New York Attorney General Eliot Spitzer recently notified Intermix Media (the folks who brought you KeenValue, PerfectNav, SirSearch, and other hijackers) that it was the target of an investigation into "unlawful and deceptive acts and practices associated with distribution of toolbar, redirect and contextual ad serving applications":

Adware Vendors Beware: NY AG Watching

If the FTC won't take strong action against major adware vendors, perhaps the NY AG will.

8) Other news

Tolerance for adware companies is dropping in many quarters. CNET announced that it was giving adware the boot from, for example:

CNET: Adware, Spyware, and Practices That Thwart User Control

Google has been cracking down on sleazy, deceptive advertising for dodgy anti-spyware apps. Its AdWords/AdSense advertising is significantly improved over where it was last year. Note that it started taking these steps after announcing its "Software Principles":

Google: Software Principles

So, there is some good news, but all in all we are in a worse spot than we were one year ago.

All the best,

Eric L. Howes


Copyright 2005 Eric L. Howes