Stopping Spyware at the Source

By Cindy Skrzycki
Tuesday, March 6, 2007

During the past few months, the Federal Trade Commission has filed deceptive-advertising cases against two distributors of what is called adware or spyware. The insidious form of software subjects consumers and their computers to unwanted advertising and surveillance.

The five-member commission plans to escalate its attack by going after some of the big-name Internet advertisers that hire the online distributors.

"We need to stop the demand side of spyware," said Jon Leibowitz, one of the five commission members and a Democrat. "We will send letters to major corporations and entities that place the majority of these ads. This is a wake-up call to put them on notice. That would be a good way to choke off the money."

The FTC move, which follows action against three large advertisers taken by New York state in January, reflects efforts by authorities to clean up the growing market for Internet marketing.

Companies spent an estimated $16.1 billion advertising on the Web last year, up 32 percent from the year before, according to the Direct Marketing Association, a trade group. And consumers and computer companies spent $2.6 billion trying to block or remove spyware, Consumer Reports magazine said.

Consumers often download the troubling software after getting an Internet offer for a "free" product, such as music, screen savers or even anti-spam programs. The adware is then secretly installed and can track computer use, send barrages of pop-ups or even damage the computer.

Leibowitz said up to 200 advertisers will be warned to police where their ad dollars are going online. He said the commission doesn't plan to disclose which companies will get the letters.

New York Attorney General Andrew Cuomo led the way on "naming names." He announced on Jan. 29 that Cingular Wireless, and agreed to pay a total of $100,000 in fines to settle a spyware case involving a distributor called DirectRevenue.

The three companies said they no longer did business with DirectRevenue. Cingular, the Atlanta-based wireless unit of AT&T, the largest U.S. phone company, and Priceline, an online travel agency based in Connecticut, said they no longer used adware providers.

The FTC announced last month that DirectRevenue and four of its principals settled charges that they used unfair and deceptive methods to get consumers to download software and then obstruct them from removing it. The company agreed to return $1.5 million in "ill-gotten gains," stop future downloads without consumers' express consent, and provide a way to locate and remove the adware from computers.

Leibowitz wrote a dissent in the case, calling the $1.5 million payment "a disappointment because apparently it leaves DirectRevenue's owners lining their pockets with more than $20 million from a business model based on deceit."

The FTC penalized Zango of Bellevue, Wash., $3 million for deceptive advertising in November.

Both DirectRevenue and Zango said they had changed their practices but that the approaches they used during the periods covered by the cases were legal.

The FTC campaign "will disrupt the economic benefit of advertising with spyware," said Alex Eckelberry, president of Sunbelt Software, a security software company in Clearwater, Fla. "You cut off the money supply, and these guys are toast."

Leibowitz said some advertisers don't know they are part of a spyware campaign because they assume, or are given assurances, that consumers will get conspicuous disclosure about the software installation and will have to consent before it is downloaded.

Because adware distributors often use affiliates that are paid by the click, they have an incentive to get their programs running on as many computers as possible.

"Internet advertising is a maze of twisty passages, with lots of middlemen who cover their tracks," said David Methvin, chief technology officer for PC Pitstop, a company that helps people test and tune their computers.

Computer security experts said the spyware problem is diminishing as a result of FTC enforcement actions, the New York inquiry and security fixes developed by Microsoft.

"We have seen a change in how adware companies notify people when they sign up for software, and they limit their distributors," said Ari Schwartz, deputy director of the Center for Democracy and Technology, a nonprofit advocacy group in the District that has done extensive research on the issue.

Reputable companies that care about their brands have backed away from online advertising that elicits hostile reactions from consumers, Methvin said. "What is left is a 'distilled essence of fraud' fueled by small companies that continue to advertise aggressively."

There is no specific federal law aimed at spyware, Schwartz said, though 17 states have adopted statutes. Trade groups such as the New York-based Direct Marketing Association also have issued guidelines for marketers, which insist that consumers be given clear and conspicuous notice, identification of the software and an easy way to uninstall it.

Cindy Skrzycki is a regulatory columnist for Bloomberg News. She can be reached

© 2007 The Washington Post Company