• by Wendy Davis  @wendyndavis, October 12, 2004

With Congress considering new legislation to increase penalties against spyware companies that install programs on people's computers without their knowledge, the Federal Trade Commission last week filed a complaint against Sanford Wallace, the New Hampshire businessman formerly known as "Spamford," the king of spam.

The FTC is seeking monetary damages and an injunction against Wallace and two companies allegedly owned by him, Seismic Entertainment Productions, Inc., and Smartbot.Net, Inc. A hearing has been scheduled for Friday morning in the federal district court in New Hampshire.

Starting late last year, Wallace and his companies allegedly exploited a security flaw in Microsoft's Explorer browser to take over consumers' computers and install spyware that changed users' home pages and served them pop-up ads. After installing the spyware, the companies allegedly marketed anti-spyware programs to consumers, and received a cut of sales.

The FTC charged that the alleged conduct amounted to unfair or deceptive practices. "Defendants were selling software to fix the problems they had just caused," said Lydia Parnes, acting director of the FTC's consumer protection bureau.

For his part, Wallace posted a statement on his Web site saying that he didn't "intentionally cause damage to anything or anyone." He also stated that he intended to cooperate with a government investigation, and would immediately cease any activities that were found to be illegal.

His lawyer, Ralph Jacobs of Philadelphia, said Wallace's alleged practices were common, and might have a valid place in the advertising world. "Practices listed in the FTC's papers such as changing default home pages ... and automatically uploading software, are practices in widespread use on the Internet by many companies. SmartBot's interest is in lawful ways of using these techniques for marketing," he said.

Consumer complaints about browser hijackings date to at least last November, but it took many months to sort out who was responsible, according to the Center for Democracy and Technology in Washington, D.C. In February, that group filed a related complaint with the FTC against Seismic Entertainment Productions and another company, MailWiper Inc., based on similar allegations. MailWiper is allegedly part of an affiliate network and earns commissions based on sales.

Ari Schwartz, a senior policy analyst at the Center, said that a total of 12 affiliated parties, including Wallace and his companies, seemed to be involved in the scheme through a series of affiliate relationships.

At least one individual has also brought a connected case. This March, John Gosbee, an attorney in Mandan, North Dakota, filed a lawsuit against MailWiper and other defendants under that state's computer fraud law, and is seeking class-action status to represent all North Dakota consumers who downloaded the programs. The defendants there, including MailWiper, filed papers with the court denying the charges. MailWiper's lawyer could not be reached for comment.

Gosbee said his damages include both his time--his computer ran slower after he downloaded the programs--and what he sees as a privacy invasion. "If I came into your house and started opening and closing all your bureaus, you'd be furious and I'd be doing time in Rikers," he said.

Pending anti-spyware legislation would boost penalties for installing programs on consumers' computers without their knowledge. One bill increases the fine to $11,000 per computer, while another provides for prison time. The new bills might also make it easier to prosecute spyware companies when the only wrongdoing was not notifying consumers that new software was being installed, Schwartz said.

But Schwartz and others believe that the charges against Wallace can be prosecuted even without new laws, because the alleged conduct was so egregious. "This case is a classic FTC case," he said. "It's an extortion case."