The FTC Spyware Workshop: One Year Later
One year ago this week (April 19 to be precise), the FTC hosted its Spyware Workshop:
Ben Edelman and I were talking recently about this, and reflecting on what's changed in the year since that event. What follows is a list of significant developments in the one year since the workshop. Back to "The FTC's Spyware Workshop" page.
The Bad News [return
to top] 1) Spyware/adware installations get more aggressive The adware firms who submitted comments to the FTC or who gave interviews to reporters last year all claimed that the problem was exaggerated or that they themselves were cleaning up their acts. In fact, in the one year since the workshop the installation methods used to install spyware and adware have become more aggressive, exploitative, and dangerous. The use of security exploits as well as out-and-out malware, in particular, has become widespread and even brazen. To be sure, the use of security exploits to install adware/spyware wasn't unknown at this time last year, however, those earlier instances were comparatively few and rare, and thus noteworthy and novel. Now they're rampant. See Ben's pieces here for a few hair-raising examples (with videos): Also of interest: Instead of cleaning up its act, the adware industry has essentially spent the last year thumbing its nose at the FTC. And let's not forget that adware vendors even developed a new way to push unwanted software on users: DRM-protected Windows Media files: As Ryan Naraine of eWeek recently pointed out, three months later Microsoft has yet to close that installation route: Once spyware and adware is installed on users' PCs, it is very difficult to remove. The latest CoolWebSearch (CWS) malware, VX2.Transponder adware, and Huntbar (Websearch/Wintools) adware variants employ a number of sophisticated techniques to thwart removal. In some cases, the only effective way to clean the infested machine is to wipe the drive, format, and reinstall. 2) Adware/spyware installations get more abusive For my comments to the FTC last year, I wrote about an installation that dropped 7 or 8 different adware programs on users' PCs: At the time, I was aghast. One year later, that looks like chickenfeed. Typical adware/installations now drop dozens of programs on users' PCs, completely crippling boxes with hundreds of files and thousands of Registry keys. See Ben's security hole installation report and Windows Media adware report from above for some shocking numbers from two typical adware installations. Also, Webhelper and Paperghost recently wrote up an adware installation that drops so much junk on users' PCs that the whole install process goes on for a half-hour:
What we're now witnessing is an unprecedented assault on internet users by commercial interests. Combine the adware/spyware problem with the problems of phishing, identity theft, spam, zombie-bot networks, and commercial-for-profit worms, and you have a truly nightmarish situation for internet users.
3) Businesses are buried by spyware/adware
4) Spyware/adware victims are inundated w/ garbage anti-spyware Spyware victims face enormous difficulties sifting through the hundreds of anti-spyware that are available to find the small handful that are actually reputable, effective, and trustworthy. So prolific have anti-spyware apps become that adware firms are themselves getting into the business, releasing their own anti-spyware apps and even partnering with anti-spyware firms. And, of course, we have anti-spyware apps that are stealth-installed along with the very adware/spyware they purport to detect and remove or that install adware and spyware themselves.
5) The FTC goes MIA
Note that both of those cases are against shady anti-spyware vendors, not adware/spyware vendors proper, despite the prolific, widespread abuses we've seen (CoolWebSearch [CWS] malware, VX2.Transponder adware, security exploits, deceptive installation practices, Windows Media adware, et al). One of the most aggressive, obnoxious adware firms is sitting up in New York City, completely unmolested and even threatening its critics. Still worse, one of the biggest CoolWebSearch (CWS) malware distribution hubs in the world is sitting out at a hosting firm located in CA, also completely unhindered by the authorities. I'm certainly happy that the FTC moved on the two cases that it did, but the FTC's actions to date have been woefully inadequate. 6) "Industry best practices" go MIA The computer and advertising industries themselves, esp. adware firms, made all kinds of noises about developing strict "industry best practices" and setting other high standards for installation and privacy practices. But what has happened in the year since they talked about those endeavors? Almost nothing. Installation and privacy practices used by most adware firms have either remained as obnoxious and exploitative as they always were, or they have even gotten worse, with poor notice and disclosure during installation of adware being the norm and illegal "force-installs" or "stealth-installs" of adware and spyware becoming rampant (as noted earlier). We've also seen increasingly obnoxious and exploitative license language designed to tie users' hands:
Instead of fixing these problems, the adware industry has resorted to "more of the same": endless excuse-making, claiming the problem is exaggerated, blaming users for not being more savvy, blaming their own distributors whom they claim not to be able to control, attempting to game definitions of "spyware," and launching massive PR campaigns to clean up their image without actually cleaning up their poor practices. Not only has there been very little movement to establish real standards with teeth and credibility, but the one instance in which standards of some sort were developed and applied was so utterly compromised that it was justly ridiculed and denounced by the anti-spyware community. The Consortium of Anti-Spyware Technology vendors (COAST) collapsed over the course of Jan.-Apr. 2005 after granting admission to 180solutions, an adware company which we now know hasn't even come close to cleaning up its act: At the time of its collapse, this anti-spyware industry consortium had more adware firms as members than it did anti-spyware firms -- see the following for the sad story of the COAST endgame: The COAST/180solutions incident offered a beautiful illustration of what can go wrong when "industry best practices" become little more than PR cover for adware firms looking to burnish their image. And we also have the sad specter of adware firms and anti-spyware firms partnering with each other (WhenU/Aluria): WhenU is certainly not the only adware firm looking to gain cover through partnerships with anti-spyware firms:
7) Adware firms go on a legal rampage The latest crop of C&Ds comes from IBIS, the folks who brought us such wonderful software as Websearch and Wintools. And, of course, Lavasoft and Pest Patrol took a public beating back in Feb. 2005 for removing WhenU from their detections without properly informing their customers: Other recent threats came from 180solutions, Claria, DirectRevenue, Hotbar, and iSearch/iDownload.
8) Adware firms get VC funding That's just plain depressing. Note that some of those VCs are shamelessly playing both sides of the street -- funding spyware/adware firms and then turning around to fund anti-spyware firms. And let's not even get started on the large, well-known U.S. companies that are actually advertising through adware networks, thus pumping even more money into these companies. Ben's site, again, is the place to go for information on advertisers. 9) Adware firms exploit pay-per-install affiliate networks This is perhaps the most important development of the past year. It's become increasingly clear that what's fueling the adware/spyware problem and what's enabling rampant stealth-installs of this unwanted software is the use of "pay-per-install" affiliate/distribution networks by adware firms. I discuss the problem here: Wayne Porter offers a number of useful points here: And Ari Schwartz of the CDT put a spotlight on the problem in his Jan. 26 testimony before a House sub-committee: When you look at the way these "pay-per-install" affiliate networks work and then reflect on the fact that VCs and large advertisers are fueling those networks with massive infusions of money into adware firms, it's difficult to escape the conclusion that the market is broken -- or that, at the very least, the market isn't working to protect consumers, web surfers, and citizens.
The Good News [return
to top] 1) Microsoft rolls out Windows XP SP2 This major Microsoft update to Windows XP adds a number of improvements to IE and Windows to decrease the likelihood that users will get taken by adware/spyware:
2) Microsoft offers its own AntiSpyware app
3) Anti-virus vendors get a clue Symantec is the real laggard here. McAfee was first out of the gates in Jan. 2004 with its own AntiSpyware app. Computer Associates purchased Pest Patrol in mid-2004. Panda, Kaspersky, and TrendMicro incorporated anti-spyware functionality into their core products later in 2004. Symantec announced plans to do so in Jan. 2005.
4) ISPs get a clue 5) Lawmakers get a clue Legislators at both the state and federal level have clued into the spyware/adware problem. Most of the laws they've come up with are extremely problematic, but it is significant that lawmakers at least listening and that almost none of them wants to be seen defending adware/spyware. 6) Plaintiffs' attorneys get a clue We have seen law suits against adware/spyware firms before (which Ben summarizes on his site), but most of those have been filed by companies upset at contextual advertisers like WhenU and Claria who offer competing advertising and offers when users visit company web sites. Just the other week, though, we saw the filing of a class action lawsuit on behalf of Illinois consumers against DirectRevenue. That's big news: 7) NY AG gets a clue New York Attorney General Eliot Spitzer recently notified Intermix Media (the folks who brought you KeenValue, PerfectNav, SirSearch, and other hijackers) that it was the target of an investigation into "unlawful and deceptive acts and practices associated with distribution of toolbar, redirect and contextual ad serving applications": If the FTC won't take strong action against major adware vendors, perhaps the NY AG will. 8) Other news Tolerance for adware companies is dropping in many quarters. CNET announced that it was giving adware the boot from Download.com, for example: Google has been cracking down on sleazy, deceptive advertising for dodgy anti-spyware apps. Its AdWords/AdSense advertising is significantly improved over where it was last year. Note that it started taking these steps after announcing its "Software Principles": So, there is some good news, but all in all we are in a worse spot than we were one year ago. All the best, More Information on Spyware & Adware [return to top]
Back to "The FTC's Spyware Workshop" page. © Copyright 2005 Eric L. Howes |