FTC commish: More spyware-fighting tools needed
Stronger laws, more authority to impose penalties sought
IDG News Service - Organizations and law enforcement agencies fighting spyware are making progress, but new tools in an antispyware bill stalled in Congress could improve the efforts, a member of the Federal Trade Commission said Monday.
One of the spyware bills passed by the House of Representatives earlier this year, the Spy Act, would give the FTC authority to impose civil fines on companies that distribute spyware to consumers' computers. The bill, along with the Internet Spyware Prevention (or I-SPY) Act have stalled in the Senate since passing the House in May and June.
The FTC has the authority to collect profits from spyware operations and collect money for consumer redress, but it lacks the authority to impose other fines, as it does when going after spammers, said Commissioner Jon Leibowitz, speaking at a spyware forum in Washington, D.C.
Assigning a dollar figure to consumer harm is tricky in many spyware cases, especially when the spyware delivers pop-up advertisements to computers, Leibowitz said. It's sometimes difficult to get courts to assign large consumer damages to pop-up cases, he said.
In some cases, spyware damages are assessed by judges "who don't even use computers," said Dave Koehler, with the FTC's Bureau of Consumer Protection.
The Spy Act would allow the FTC to fine spyware vendors up to $3 million for hijacking computers, delivering unwanted adware and other violations and $1 million for collecting personal data without permission, in addition to going after the vendor's profits and seeking consumer redress.
Additional authority to impose civil fines would give the FTC "an enormous deterrent," Leibowitz said.
"Right now, companies know that the worst they can do is lose their profits," he added. "They're not going to get fined on top of that."
The FTC has brought several spyware actions against companies. In February, the agency settled a case against adware distributor DirectRevenue LLC. In that case, DirectRevenue settled for $1.5 million, based on its profits, but the founders of the company had received more than $20 million in venture-capital funding, Leibowitz said.
While participants in the spyware forum said there continue to be many challenges, including a growing trend of foreign spyware vendors, the cost of spyware to U.S. consumers seems to be falling. Consumer Reports estimated that spyware cost U.S. consumers $2.6 billion in 2006, but only $1.7 billion in 2007, noted Ari Schwartz, deputy director of the Center for Democracy and Technology, a supporter of StopBadware.org, a consumer-protection effort aimed at spyware and other malicious code.
The drop in the cost of spyware can be attributed to a number of factors, Schwartz said. Antispyware technology is getting better, the FTC has taken action against spyware vendors and StopBadware.org has distributed a list of malicious Web sites, he said. In addition, some states have taken action against spyware, and cybersecurity groups' public education programs seem to be working, he said.
But Ron Teixeira, executive director of the National Cyber Security Alliance (NCSA), noted that consumers may know more about spyware, but they don't always act on their knowledge. A survey (PDF format) released by the NCSA and McAfee earlier this month found 78 percent of respondents' computers didn't have all three of what the NCSA calls the "core protection" software -- antivirus, antispyware and firewall.
"We're not seeing a huge increase in the actual behavior change," he said.
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- The Keys to Securing Data in a Collaborative Workplace Losing data is costly. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off...
- Live Webcast How to serve up a Grand Slam with a scalable IT Infrastructure for cloud, big data and advanced analytics Register today to attend this webcast, and see examples of how The U.S. Tennis Association, Wimbledon and U.S. Golf Association are using the...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.