• by Ross Fadner , April 20, 2004

The Network Advertising Initiative (NAI) recently received a note from Time Warner's RoadRunner, its Internet Service Provider (ISP), warning the association that it would be kicked off the network if it did not agree to stop sending out spam.

The NAI was founded on the principle that consumers need to be informed about Internet advertising practices and how it affects them and the Internet. It's an organization respected by both the Federal Trade Commission (FTC) and the U.S. Department of Commerce. The NAI is not the type of organization that is interested in spamming consumers.

Recently, an internal investigation revealed that a spyware program had actually infiltrated the NAI's Web site and sent spam messages out under the NAI's name. After some irksome clean-up work, the problem was resolved, but this is just one example of many horror stories about Web site hijackings, browser setting alterations, and identity theft that pervaded Monday's FTC workshop, "Monitoring Software on Your PC: Spyware, Adware and Other Software."

Web publishers, ISP representatives, search engine providers, advertisers, adware companies, IT security and technology firms, government officials, and representatives from nearly every organization associated with Internet advertising were on hand Monday to hear first-person accounts like the one above in an attempt to mobilize the industry toward technological, self-regulatory, and legislative action against the growing spyware problem.

In the end, about the only thing that was unanimously agreed upon is that spyware is bad, and something needs to be done. As is often the case at such events, it's that next step that no one can agree upon.

Web publishers and Internet policymakers urged legislators for more time to develop self-regulation and best practices. The NAI's executive director, J. Trevor Hughes, said that despite the urgency of the matter, it's "too early; [it's] too premature to write best practices today" until all parties involved are on the same page.

Industry officials also advised caution against hasty legislation. "A legislative response is the worst first response," said Hughes, adding that technology solutions and best practices must come first. The chief reason for caution, he said, is that past legislation has shown a tendency toward "over-inclusiveness" when it comes to Internet privacy issues.

In other words, the government and consumer protection agencies tend to view data tracking as a bad thing. According to Chris Hoofnagle, associate director, Electronic Privacy Information Center (EPIC), "the substantial majority of Americans do not want to be tracked. There are many wary consumers who won't even submit their ZIP codes because of marketing invasiveness."

Cookies are not the same thing as spyware, which is not the same thing as adware. Many healthy Internet businesses depend on tracking consumer behavior--including the entire Internet advertising industry. There are many different types and degrees of information tracking. Hoofnagle adds: "There is a growing body of recommendations made to consumers to regulate their online security. I don't know that that's fair. Why should consumers have to become Ph.D.s in privacy?"

As several Web publishers, IT professionals, and other industry advocates noted throughout the day, the recently passed Utah anti-spyware legislation demonstrates a fundamental lack of understanding of how the Internet advertising industry works.

Andrew McLaughlin, senior policy counsel for Google Inc.--citing the disparity in understanding between lawmakers and the online marketing industry--noted that: "We need to flag bills that are going to make people's lives harder, not easier." McLaughlin pointed out that even the federal Spyblock legislation currently in review by a Senate committee carries a clause that would require notice and consent every time information is extracted from online users. He pointed out that this would result in an unreasonable number of notice and consent forms.

However, EPIC's Hoofnagle asserts that notice and consent may not sufficiently protect consumers from incursions into their privacy: "It's very important that privacy not be watered down to 'notice and consent' ... Ninety-four percent of consumers believe they should have the right to access all the information that's collected about them."

McLaughlin and representatives from Web publishers and ISPs demonstrated through examples of testimonies received from their customers that consumers don't understand that spyware, or malicious software, alters Web pages displayed by their browser. Often, consumers have no idea that the software has been downloaded on their computers, or that they have downloaded an application inadvertently.

The FTC session was dominated by an urgent tone. "By far and away, the greatest challenge we face," said John Schwartz, president and chief operating officer of Symantec Corp., "is the loss of consumer confidence in the Internet. We have seen cases where people have actually gone back to dial-up due to lost confidence."

America Online unveiled its latest attempt to thwart spyware which--not surprisingly--is reserved for its members. The new spyware detector to be deployed alongside its revamped version 9.0 will automatically scan hard drives for spyware when users log on, and then present them with a list of potentially harmful software and an option for removal. The new tool is likely to draw the ire of adware companies like Claria, according to a software marketing industry executive.

Not surprisingly, industry accreditation groups such as TRUSTe urged a common industry self-regulation approach as opposed to the individual efforts offered by players such as AOL. "Groups trying to do the right thing need to be very transparent and open and willing to comply with industry efforts," said Fran Maier, president and executive director, TRUSTe.

Government officials agreed that industry self-regulation and technology efforts are important, but remained unflappable about the urgency of passing legislation on spyware in the near future.

Jennifer Baird, legislative counsel to Mary Bono (R), the California representative who recently introduced an anti-spyware bill, said "What we're hearing is that this is a problem--it should be solved, but we don't know how to do that, hold on. That's not how it works in Congress."

The FTC's Mozelle W. Thompson stated that the agency's short-term intention is to let the industry cultivate a first response: "I would like to see the industry come back with a set of best practices and develop consumer information about what spyware does and what it does not. He added, ominously: "We have an opportunity here, but consumer perception is moving very quickly ..."