The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines.This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/oct5,2005.

Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.

The contents of this newsletter is commentary. It should not be mistaken for unbiased, objective journalism.

Permalink | Top

• FTC Goes After Another Spyware Peddler
• X-Cleaner Spyware Remover
• Senators, FTC Discuss Spyware Problem
• Punish Behavior, Not Technology
• Headlines

Permalink | Top

The Federal Trade Commission is taking legal action against the distributor of a malware-infested file sharing program. The FTC also has asked the US District Court in New Hampshire to order Odysseus Marketing, publisher of the software, to suspend operations.

Odysseus Marketing distributes and promotes a peer-to-peer file sharing program named Kazanon, which they claim provides total anonymity to their users while sharing files. The FTC says that this claim is false, that people using the software are not anonymous. Making such a false claim is itself a violation of federal law.

Kazanon comes bundled with another program known as "Clientman". The FTC states that Clientman is spyware and that, once installed, it downloads and install numerous other spyware programs on behalf of various third parties.

All of this activity takes place without adequate disclosure. What little disclosure there is appears in the middle of a lengthy license agreement located on Odysseus Marketing's web site.

The FTC also alleges that Odysseus Marketing deliberately made it difficult to remove the software installed with Kazanon. In fact, Odysseus offers an uninstall tool that, instead of removing the software, actually installs more spyware.

The FTC charges that the practices of Odysseus Marketing, and its principal Walter Rines, are unfair and deceptive and violate the FTC Act. The agency will seek a permanent halt to the practices of this marketing company.

Permalink | Top

Program: X-Cleaner
Author: X-Block
Platform: Windows 9x, ME, NT 4.0, 2K, XP
License: $29.95 (Regularly $39.95. Discounted for SWI readers until October 13, 2005)
More Information: http://www.spywareinfo.com/downloads/x/
Purchase: http://www.spywareinfo.com/downloads/x/purchase.php

X-Cleaner Spyware Remover is an award winning spyware detector that finds and removes commercial spyware programs. X-Cleaner also features a unique mobile active-x spy scanning utility so you can login through your member's center and use it from public terminals.

A new feature of the program even allows you to bypass hardware keyloggers which use no software that can be detected.

No installation required - simply download and use or you may install if you choose. X-Cleaner provides courteous support via e-mail for registered users. Software is delivered instantly via digital download and you can download new versions as often as you like the first year.

You can even put this on a floppy disk and carry it to work in an envelope or in your shirt pocket. Insert floppy, scan and zap the keylogger or delete your surfing traces.

X-Cleaner was recommended by Kim Komando in her article for MSN, Danger, danger: 5 tips for using a public PC.

Features

1) New expanded detection and removal database.

2) General Interface Improvement- Users can now resize the program window to fit into their screen anyway they like, especially useful for the encyclopedia where they had to scroll right.

3) Bypass *hardware* keyloggers using onscreen keyboard for input- This is under the Expert tab for Deluxe Users only and makes use of the built-in based keyboard in Windows so that users can key in information without using physical keystrokes. This is very useful for sending sensitive material since hardware keyloggers (a growing threat X-Block is working on) evade anti-spyware which normally targets software loggers only. Given X-Cleaner's mobility in terms of file size, this is a useful little addition to have since you can go to an Internet Cafe- sweep for keyloggers (or use the full active-x scanner in the members area) and then use the software based keypad to evade hardware logging.

4) Direct link to online assistance integrated into software- as always X-Cleaner technicians are dedicated to providing prompt and professional e-mail support for even hard to remove cases of the spyware plague.

Permalink | Top

Federal Trade Commission Chairwoman Deborah Majoras testified Wednesday before the Senate Subcommittee on Trade, Tourism and Economic Development to discuss spyware. This is the committee from which any Senate bill addressing spyware will come. Below are the notes I took while watching a live stream, along with my commentary.

The majority of the hearing was spent discussing whether or not the FTC currently has enough authority and resources to deal with the problem of spyware. Majoras stated several times that, under existing laws, the FTC has the authority and the resources to prosecute the purveyors of spyware. Virginia Senator George Allen asked pointedly why spyware seems to be such a problem, if the FTC has what it needs to go after the problem.

Indeed, a very brief visit to the Malware Removal section of SpywareInfo's message board would show how bad the problem really is. Hundreds, literally hundreds, of people volunteer their time to assist people in removing countless numbers of malicious programs. If the FTC has everything it needs to go after the problem, why are my forums swamped with people infected by malware?

The FTC has made it clear repeatedly over the last year and a half that it does not welcome federal legislation aimed at spyware. Majoras seemed to be following that party line in her testimony before the subcommittee. She said several times that the main effort to curb spyware abuses should be technological, not legislative. At one point, she said something to the effect that "technology is what got us here and technology is what should get us out.".

Majoras noted that legislation could make the situation worse. If Congress defines a strict set of practices which are illegal, it could create loopholes that future spyware makers could exploit. That is a real concern. If you need any proof of it, just take a look at your email inbox to see the aftermath of CAN-SPAM. That law actually makes spamming legal, as long as a few simple rules are followed.

Majoras testified that two problems in particular are hampering the FTC's ability to prosecute spyware makers. The biggest problem is tracking down the people responsible for creating the spyware. Another problem is the fact that, when they do track down the people responsible, often they are located in other countries, where US law does not apply. Majoras said that "a great majority of spyware is coming into the United States from outside the country".

When pressed about what Congress could do to help the FTC, Majoras replied that the FTC could use more authority to seek civil penalties against the purveyors of spyware. All of the senators agreed to this idea. Senator Allen even suggested using asset forfeiture laws against the makers of spyware, to seize any assets and profits made from the illegal use of spyware technology.

During questioning, Senator Bill Nelson repeated one question over and over: should consumers have an absolute right to uninstall any piece of software from their computers? Senator Nelson, apparently unsatisfied with her answers, kept repeating it. Chairwoman Majoras managed to dodge answering the question directly, while leaving the impression that it should not be a right.

How that can even be in doubt is beyond me. The answer to that question is an unequivocal "Yes!". A computer is private property. The owner has the absolute final word on what is or is not installed on it. That would seem to be common sense. Then again, we are talking about politics, where common sense is rare.

Another senator asked if software should be forced to disclose the fact that it will collect information or display advertisements. Surprisingly, Majoras answered the senator's question with a "no". She pointed out that the more notices a person sees, the less likely they actually are to read them.

That is a good point. If disclosure were the only thing required of software, then I would agree with Chairwoman Majoras. However, I don't believe anyone is suggesting that disclosing the activities of the software will make what it does proper or that it be the only legal requirement.

Failing to disclose that a program is going to collect information and pop up ads is just one of several bad practices that must be corrected. The fact that it is not the entire problem does not mean it should be ignored. It should be required, although it should not be the only requirement.

On an ominous note, it seems that putting together Senate legislation seems to be hindered by the lack of a standard definition of the term "spyware". I honestly had thought this problem had been avoided by concentrating on bad software behavior. There always has been the risk that law makers would attempt to stuff the entire range of behavior practiced by malicious software to fit into some convoluted definition of spyware, then declare that spyware is illegal. It would be better to decide on which practices should be outlawed, regardless of what definition is applied to those practices.

The hearing took another ominous direction when the questioning turned to the matter of state laws. The Subcommittee Chairman, Senator Gordon Smith, pointed out that 18 individual states had enacted legislation aimed at spyware. Senator Smith then asked Majoras if a single, national standard would be better than "a confusing patchwork of state laws". It is not a good sign when a US Senator refers to state laws negatively. It is even worse when that senator is the subcommittee chairman. Majoras waffled on the question for a bit, but seemed to come down on the side that a single, national standard would be better.

Almost every piece of legislation proposed in Congress concerning spyware specifically overrides any existing state laws. Every state antispyware law that I have seen is tougher than anything circulating through the US Congress. Again, I refer you to your inbox to see what happened when a federal antispam law overrode tougher state antispam laws.

Senator Smith says that he wants to be able to have an antispyware bill on the President's desk before Christmas. Judging by what I saw and heard at this hearing, that legislation may not be what we need. Here are my specific concerns.

No Definitions

We do not need a "legal" definition of spyware. How that word is defined is irrelevant. The reason Congress is acting is because people are complaining. What they are complaining about is not just spyware. The complaints are about a series of bad practices carried out by malicious software. It is those bad practices which need to be controlled. What we do not need Congress to do is to define spyware, then say that spyware is illegal. That would leave too many loopholes and would not solve the problem.

Adware Should Not Be Exempted

There seemed to be far too much concern about unintentionally restricting the activities of "legitimate" software, namely adware. The senators seemed confused as how to restrict spyware without also restricting adware. The adware makers have produced a massive PR campaign, successfully, to make people believe that "spyware" is bad but "adware" is good. Certainly they appear to have convinced the Congress of this.

I wish someone had been able produce a different PR campaign, one pointing out the fact that the majority of the software people complain about happens to be adware. True, adware is not as bad as the keylogger stealing your passwords. However, nearly all of the software causing the problem turns out to be adware. Again, the whole issue of "adware vs spyware" can be avoided by restricting behavior instead of writing legal definitions. Whether a program is adware or not does not matter, as long as it follows the rules of good conduct.

State Laws Should Not Be Nullified

As I have said already, all of the state antispyware laws that I have read are better than anything being proposed now in Congress. Additionally, every one of those federal proposals specifically override existing state laws. Once again, look to your inbox to see why this should not be done.

In addition to the fact that the state laws are better, there is another reason why they should not be overridden. The fifty individual states are sovereign governments. The federal government should not manhandle its way into the crowd and tell the states that they can no longer look after their own citizens. As a strong believer in the principle of federalism (an ironic name, if one ever existed), it simply rubs me the wrong way to see the federal government usurp authority from the states that way.

Conclusion

Congress wants to send the President an antispyware bill before the end of this year. There are so many proposed bills out there now, in both houses of Congress, that I have no idea what a final bill will look like. I have the sinking feeling that I won't like it when it finally is written. I've had this feeling before. It was when I was reading the CAN-SPAM Act, and we all know how that turned out.

Permalink | Top

The following appeared in this newsletter in April 2004. Considering the content of the previous article, I wanted to run this again.

---

The Business Software Alliance also has filed a comment at the FTC about spyware, a rather large one. I find myself in agreement with their take on the issue. Basically, the BSA prefers that the behavior of spyware, not software itself be regulated.

Rather than trying to create a legal definition of "spyware" and "adware" and then regulating any software that falls within either category, the FTC should instead regulate the behavior that makes spyware so obnoxious. Legal definitions can have loopholes and many spyware companies have clever lawyers. So let's just ignore the term entirely and be concerned only with the behavior.

Coolwebsearch can argue all they want that their software is not spyware or adware or a browser hijacker. What they cannot argue about is that their software makes irrevocable changes to Internet Explorer and Windows. What Coolwebsearch cannot argue about is that their software actively resists removal. Instead of trying to define "spyware" and making Coolwebsearch's software fit into it somehow, instead let's spend our time outlawing its behavior.

I propose to make the following activity illegal:

Making alterations to any web browser which cannot be reversed by the built-in tools.

If Coolwebsearch wants to change the home page to coolwebsearch.com, that is fine. If their software resists the owner's efforts to change the home page back to the owner's preference, that should be illegal.

Resisting the removal of unwanted software.

Once installed, software must not resist being removed in any manner. A PC is private property belonging to the consumer who purchased it. Just as I can remove some politician's "vote for me ... FOR THE CHILDREN!!!!" sign from my front lawn, I should be able to remove any software from my computer. Both are my private property.

If the software is going to provide its own uninstaller, that uninstaller should be provided along with the software. No one should be forced to go to a web page and either download a separate uninstaller or trust an ActiveX control to remove the software. Very often, spyware will destroy a PC's internet connection, so the owner might not be able to go online at all.

Installing without clear and explicit consent.

Software should not be allowed to install unless the owner has given clear and unmistakable consent to its installation. This does not include an ActiveX security warning that pops up in Internet Explorer. This does not include clicking "I agree" to a 10,000 word EULA. Before CoolWebSearch can copy a single file to a person's hard drive, a box should pop up asking "Do you wish to install this software from coolwebsearch.com?". This dialog box should appear regardless of browser security settings.

This would include software bundles, where more than one distinct piece of software is being installed. If KaZaA is going to install Cydoor adware, it cannot do so without first informing the user that it is a separate piece of software and asking permission to do so. If Sharman Networks wants the KaZaA installer to exit if you choose not to install its sponsor(s), that is their choice.

This also includes auto update functions, no matter what program it belongs to. No software should be allowed to install software on someone's property without first gaining the consent of the owner. If someone wants to go into the options menu and specifically allow a program to do that, that is perfectly fine. If a piece of software does this without first gaining explicit consent to do so, that should be illegal without exception.

Transmitting information without clear consent.

Software should not be allowed to transmit any data to its vendor or any third party without the owner's explicit consent. If Gator/Claria's software is going to transmit the address of a web site I visit, regardless of the reason it is transmitting it, this fact needs to disclosed to me before it is installed. If Wild Tangent's updater is going to transmit the specifications of my hardware, regardless of the reason it is doing so, this fact should be disclosed before it is installed. I should be required to check a box stating that I understand that this information is going to be transmitted before the program finishes installing, separate from the EULA or security warning or whatever.

Generating advertisements of any sort without disclosure.

If Gator/Claria's software is going to launch a pop-up ad every time I search for a hotel room or eye glasses, so be it. However, their installer must inform me before the program is installed that it will be displaying advertisements and in what form those advertisement will be displayed.

I believe this covers just about every nasty habit common to all software referred to as "spyware", "adware", "malware", "grayware" or any other such label. These are common sense requirements that can be and should be applied to all software, regardless of whatever label someone cares to give it. It protects consumers and avoids the inevitable problem of a company finding a loophole in a legal definition of "spyware".

It also does something that very few software companies do these days; it would force them to show respect to the user and to acknowledge their property rights. Any company that would refuse to follow these guidelines is declaring its contempt for the user and displaying a shameful lack of ethics.

Permalink | Top

SpywareInfo has a new(ish) feature, listing news headlines relevant to spyware, privacy and safely using the computer. There is a saying that "all politics are local". It seems that this also applies to the internet. It is a close community in that problems can spread from anywhere. If you see a local story that you think deserves attention, please let us know. Use this mail form, tell us some details and we will follow the story.

This Spywareinfo News Section is updated every day - and several times during the day. It is a section of Spywareinfo that we hope will keep you informed on a daily basis - and keep your internet time a bit safer. Go have a look.