ELECTRONIC PRIVACY PROTECTION ACT -- HON. RUSH D. HOLT (Extensions of Remarks - October 26, 2000)

[Page: E1949]
---

HON. RUSH D. HOLT OF NEW JERSEY IN THE HOUSE OF REPRESENTATIVES Thursday, October 26, 2000

Mr. HOLT. Mr. Speaker, as a member of the House Internet and Privacy Caucuses I rise to
```
[Page: E1950]
```
call my colleagues attention to a bill I introduced today to protect consumers from software more commonly known as ``spyware.''

Mr. Speaker, I would like to submit a July 14th article in the Washington Post that outlined this problem. In this article entitled ``Your PC Is Watching,'' the Post writer points out that companies like Mattel who make interactive computer toys like the Reader Rabbit and Arthur's Reading Games are using spyware to track the habits and usage of children. She also points out that companies like Intuit Inc. who make the popular home accounting program Quicken employ spyware.

Spyware is a computer program, usually embedded in another program, that can take information from a person's computer without their knowledge or consent. That's right. Information can be removed from a computer without the consent of the user. What this software does is take information stored on a person's computer and transmits it to the operator of the spyware while a person is online.

This information is typically sent to the manufacturer of the software, a marketing company or an advertising agency to aid in the development of new products or advertising campaigns. Spyware often collects the cookies that a person accumulates while browsing the net.

Let me make this clear, Mr. Speaker. This legislation does not affect the issuance of cookies by Internet companies. Cookies, do not by themselves act as spyware. A cookie is an identifier for a particular Web site that allows among other things a host to recognize a user. Protections for people who want to guard against cookies are built into the major Web browsing programs.

What my legislation does is protect the American people from intrusion. None of us let strangers into the house without first checking who is at the door. Surely, we do not want intruders coming into our computers without first giving our consent and, for example, misusing cookies. With the increasing use of home computers for personal business like taxes and financial planning people are storing more and more sensitive personal data on their PCs.

What this legislation does is require the Federal Trade Commission to issue regulations within 120 days of the bill's passage to do a few common-sense things. The regulations will require that any piece of software that contains spyware be clearly marked with a label. Also, it would make it unlawful to knowingly install spyware on a computer or use spyware without obtaining consent from the primary user of the computer.

Mr. Speaker, there is one other important thing that this legislation will do. It will double the penalty for any person or company to use or install spyware on a computer that is known to be under the control of a minor.

Mr. Speaker the practice of strangers tracking the activities of our children is deplorable. I understand that most companies argue that they do not use these programs for sinister reasons. I also understand the argument that this software allows them to tailor products and services to the needs of the consumer.

Mr. Speaker I also understand that it is not a far stretch from this to the unintended uses of this software to cyber-stalk children, steal financial or medical information or even steal a person's identity.

It is time we stopped talking and studying the problem of privacy protection and start acting to protect our constituents. I urge my colleagues to join me in this effort.

[From the Washington Post, Fri., July 14, 2000] (BY ARIANA EUNJUNG CHA)
Keith Little, a computer technician who makes house calls on the apple farms of central Washington state, says more and more of his clients are asking him to take steps to protect their online privacy. So he scans their computers for any mischievous programs and installs security software.
What surprises people is how often Little finds programs designed to funnel bits of their personal information from their computers and into giant corporate databases. He says more than half of the 20 or so computers he inspects each week are running stealthy programs he calls ``spyware.''
The electronic eavesdroppers usually come attached to the software people install on their personal computers. Whenever a user connects to the Internet, these programs take advantage of the opening to pass on information that has been stored on the PC's hard drive. The data--it could be details of Web surfing habits or identifying personal information--are then typically sent to the manufacturer of the software or a marketer to be used in developing new products or advertising campaigns.
At a time when concerns about online privacy have spread from Interent bulletin boards to Capitol Hill, this tracking software has become a flash point for the debates about how to balance consumer rights with the business models of the digital age.
Little has found the programs in children's software such as Mattel Interactive's Reader Rabbit and Arthur's Reading Games, Intuit Inc.'s financial planner Quicken, and dozens of other packages. The electronic hitchhiker also is part of a program associated with the Netscape browser that millions of people use to travel the Internet.
One Web site has identified more than 4000 of these data-gathering and tracking programs. Most are free ``shareware'' that people download off the Web, but an increasing number are mainstream programs, even those people pay for.
``When people find out, they are livid,'' said Little, 42. ``They say, `Get it out of there'. Then they become very afraid to use their computers, afraid of what personal stuff it's sending out. The problem is that they were not informed.''
The companies that use the programs say they were created not for nefarious reasons but to help tailor information consumers want. The programs work by collecting data from a hard drive or from the electronic ``cookies'' many users pick up when they visit Web sites. A marketing company might then use the information about what Web sites you frequent to decide whether you would be interested in an ad for a sporting-goods retailer or one for opera tickets. A software manufacturer often wants to know who has purchased its products so it can alert users to problems or update them about new goodies.
Most companies say they do not seek out information that would identify a person by name. Further, they say the information is not disseminated publicly, but only used for internal corporate purposes.
Privacy advocates, though, equate the programs to taps on phone lines. Rep. Edward J. Markey (D-Mass.) recently introduced a bill that would require companies to give ``conspicuous notice'' of any information they are collecting and to allow users to decline to participate. A New Jersey photographer last week filed a lawsuit against Netscape Communications, an America Online Inc. subsidiary, accusing the company of using its SmartDownload program to ``eavesdrop.''
Concern has grown in the past few months as more Americans, unsettled by high-profile accounts of spreading computer viruses and other hacker attacks, have installed security software--or ``firewalls''--in their personnel computers. The security programs typically alert users with warning messages whenever an unauthorized program is attempting to send information out into the Internet. Many users quickly discover how vulnerable they are.
Last winter, a Seattle company called RealNetworks Inc. came under fire after customers discovered its music player was collecting information about users' listening habits in order to personalize its services. The company has since stopped the practice and apologized. Intuit, meanwhile, has acknowledged using the tracking programs to target ads. And a few weeks ago, after parent complaints, Mattel Inc. officials apologized for adding a data-gathering program to more than 100 titles of its Learning Co. unit's educational programs for children.
Simson Garfinkel remembers that he was 40,000 feet in the air on a plane from London to Boston in May when he noticed that his laptop kept trying to connect to the Internet. The culprit: an educational program he had installed for his 3-year-old daughter. It was trying to send out the producer's code number and other such information to the company so it could better respond to consumer needs, according to Mattel spokeswoman Susan Salminen.
``I wouldn't call it spyware exactly. It was more like marketing ware. But even that conveys a lot of personal information to the folks at Mattel and it was upsetting,'' said Garfinkel, a computer network architect from Cambridge, Mass.
Mattel's Salminen said the program's intentions are benevolent but the company already had decided to eliminate it late last year from all new software because of ``public concern around the privacy issue.''
Earlier this month, a Netscape user named Christoper Specht filed a class-action suit in U.S. District Court in Manhattan seeking damages of a minimum of $10,000 per person for violating consumers' privacy by tracking which files they download from the Internet.
A spokeswoman for Dulles-based AOL said the company is aware of SmartDownload's ability to gather customer data but it had ``never used it to access or retain information about users or files.''
``The lawsuit is without merit,'' said Ann Brackbill, a senior vice president. As every corner of the Internet becomes increasingly commercialized, many online companies are experimenting with new models for making money in the uncharted new economy.
One way is to give away products or sell them for below cost and make money through advertising. The tracking programs allow these companies to tout their ability to target specific audiences to potential advertisers. At the same time, many software companies are trying to develop a continuing relationship with their customers, becoming in effect service-oriented companies. The tracking programs allow them to keep in touch.
For the most part, companies that track consumers say the information they collect is minimal, and it's gathered anonymously so that the data cannot be linked to real names. But security professionals like Travis Haymore of Lanham's Digital Systems International Group. point out that some of the data streams leaving personal computers are so heavily cloaked, or encrypted, that it's practically impossible for anyone to verity or refute such claims. And the programs are more invasive than the electronic cookies
```
[Page: E1951]
```
that businesses use to track people on the Web because they potentially can scan documents and images on people's hard drives as well as track online habits.
``Your tax records, what medical sites you've been looking at, your online banking--if someone has
Irate computer users also have filled online bulletin boards with complaints about tracking programs that are impossible to remove (even when the original host program is deleted), that crash their computers or clog up their telephone or cable lines, slowing down their Internet connections.
Two technology marketing companies, Silicon Valley's Radiate.com and Sterling's Conducent Technologies Inc., which have developed ``ad hots,'' software for the most popular ads targeting customers, have been at the heart of the online privacy debate. These ventures partner with software companies and share a cut of the advertising revenue.
Conducent's director of Marketing, Robert Regular, says participation in its ad-driven programs is ``voluntary'' and offers consumers many advantages, including discounted or free software. People who purchase CD-ROMs made by eGames, for instance, can can get six free programs if they choose to look at ads and give up some personal information. ``We will show ads and will make use of the user's Internet connection and if they agree to that, great. If not, they don't have to use the software,'' he said.
Regular says the company always has required it partners to disclose in their privacy policies that the programs were ``ad-supported'' but only this month started making them flash separate screens during in the installation process alerting users of the tracking.
Like other people in the industry, Regular disputes the ``spyware'' characterization.
``We don't spy on anyone.'' We don't know any personally identifiable information. We know they are an anonymous user. We don't look at anything that they do,'' he said. ``Because we run in the background, people think we're doing something deceptive and don't understand that its in order to refresh ads.''
As stories of tracking software and other privacy concerns have circulated throughout the online world in recent months, companies and independent programmers have scrambled to develop protection tools with names such as ZoneAlarm and OptOut. More than 1.1 million people already have downloaded OptOut, freeware that was devloped by Steve Gibson, asecurity consultant in California and a privacy advocate. And personal firewall software has been rushing off store shelves since last fall, with 40,000 to 50,000 copies being sold each month, according to research firm PC Data Inc.
But even unsophisticated programmers can easily get around the best available electronic firewalls, security experts say.
Symantec's Steve Cullen, the senior vice president for consumer business, said people using Norton Internet Security 2000, the most popular firewall program, for instance, can specify that their names, credit-card numbers and other sensitive information be blocked from leaving the computer. But if that information is electronically masked by one of many easy techniques, it can still get through.
``If it's really spyware, certainly encoding or encrypting is something that these guys could do and that makes it much trickier to catch it,'' he said.
Still Cullen says that scenario is rare. He said about 80 percent of the time companies don't bother hiding the data and leave it as plain text, a format that is simple to filter.
Christopher Kelley, an analyst with Forrester Research, believes that the ``sneakiness'' with which some corporations are acting has exacerbated privacy concerns and damaged the industry's credibility--something that they may come to regret as an increasing number of angry citizens create technological tools that could topple the companies' entire business plans. Added Montreal computer consultant Gilles Lalonde: ``Right now it's now a free-for-all. Anything goes. This is the kind of environment that permits these kinds of intrusive behaviors, allows them to flourish. If we don't start to define some ethical rules, before long people will lose their trust in all online companies and this great technological revolution just stops.''

END