FTC commish: More spyware-fighting tools needed
Stronger laws, more authority to impose penalties sought
IDG News Service - Organizations and law enforcement agencies fighting spyware are making progress, but new tools in an antispyware bill stalled in Congress could improve the efforts, a member of the Federal Trade Commission said Monday.
One of the spyware bills passed by the House of Representatives earlier this year, the Spy Act, would give the FTC authority to impose civil fines on companies that distribute spyware to consumers' computers. The bill, along with the Internet Spyware Prevention (or I-SPY) Act have stalled in the Senate since passing the House in May and June.
The FTC has the authority to collect profits from spyware operations and collect money for consumer redress, but it lacks the authority to impose other fines, as it does when going after spammers, said Commissioner Jon Leibowitz, speaking at a spyware forum in Washington, D.C.
Assigning a dollar figure to consumer harm is tricky in many spyware cases, especially when the spyware delivers pop-up advertisements to computers, Leibowitz said. It's sometimes difficult to get courts to assign large consumer damages to pop-up cases, he said.
In some cases, spyware damages are assessed by judges "who don't even use computers," said Dave Koehler, with the FTC's Bureau of Consumer Protection.
The Spy Act would allow the FTC to fine spyware vendors up to $3 million for hijacking computers, delivering unwanted adware and other violations and $1 million for collecting personal data without permission, in addition to going after the vendor's profits and seeking consumer redress.
Additional authority to impose civil fines would give the FTC "an enormous deterrent," Leibowitz said.
"Right now, companies know that the worst they can do is lose their profits," he added. "They're not going to get fined on top of that."
The FTC has brought several spyware actions against companies. In February, the agency settled a case against adware distributor DirectRevenue LLC. In that case, DirectRevenue settled for $1.5 million, based on its profits, but the founders of the company had received more than $20 million in venture-capital funding, Leibowitz said.
While participants in the spyware forum said there continue to be many challenges, including a growing trend of foreign spyware vendors, the cost of spyware to U.S. consumers seems to be falling. Consumer Reports estimated that spyware cost U.S. consumers $2.6 billion in 2006, but only $1.7 billion in 2007, noted Ari Schwartz, deputy director of the Center for Democracy and Technology, a supporter of StopBadware.org, a consumer-protection effort aimed at spyware and other malicious code.
The drop in the cost of spyware can be attributed to a number of factors, Schwartz said. Antispyware technology is getting better, the FTC has taken action against spyware vendors and StopBadware.org has distributed a list of malicious Web sites, he said. In addition, some states have taken action against spyware, and cybersecurity groups' public education programs seem to be working, he said.
But Ron Teixeira, executive director of the National Cyber Security Alliance (NCSA), noted that consumers may know more about spyware, but they don't always act on their knowledge. A survey (PDF format) released by the NCSA and McAfee earlier this month found 78 percent of respondents' computers didn't have all three of what the NCSA calls the "core protection" software -- antivirus, antispyware and firewall.
"We're not seeing a huge increase in the actual behavior change," he said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva.