New York Sues Over Alleged Spyware
Speaking a language spyware purveyors understand: fines and jail time
Can we finally say goodbye to VX2, Aurora, and OfferOptimizer?
These and many other pieces of adware and spyware, created by a company called Direct Revenue, have secretly installed themselves on PCs as part of software “bundles” included with “free” applications, games, or browser “enhancements”; or installed via drive-by downloads that exploit known browser vulnerabilities. After installation, they track users’ surfing habits, targeting users with multiple, unending pop-up advertisements.
Now, the New York Attorney General’s office is seeking a court order to prevent Direct Revenue from disseminating spyware or using existing spyware installations to deliver advertising. Fittingly, it also wants the court to compel Direct Revenue to disclose its own revenues, then pay penalties for its fraudulent practices.
Spyware makers, beware? According to New York Attorney General Eliot Spitzer, “Surreptitiously installed spyware and adware harm consumers and businesses, and my office will continue to prosecute these practices aggressively.” His office has already been making an anti-spyware and anti-adware name for itself, with the notable prosecution last year of adware purveyor Intermix Media, among others.
The current suit names four people, including Direct Revenue’s founders and chief officers, and alleges they knew about the organization’s fraudulent practices since its founding. They have also all owned a majority of stock since the company was founded.
Numerous Direct Revenue e-mails attached to the suit back up the AG’s charges. For example, lawsuit defendant and former Direct Revenue CEO Josh Abram said in April 2005 when e-mailing a distributor, “We have a very stealthy version of our adware product which we’re happy to give u… Don’t worry. If we do a deal—a build together—these will not be caught.”
Contrast the revenues companies such as Direct Revenue garner from serving advertising via spyware, versus the money companies must spend to defend against spyware, which can lift sensitive corporate information and browsing habits, not to mention bog down employees’ PCs and send them to the help desk. In particular, Forrester Research reports that at least for small and medium-size businesses (SMBs), along with viruses, worms, and spam, spyware is a top security concern. Already, an estimated 57 percent of SMBs have purchased anti-spyware software.
Avoiding Spyware Uninstallers
One problem with spyware: it’s just so insidious. Indeed, take another e-mail reproduced as part of the suit was from Direct Revenue’s chief technology officer, who observed how those infected with the company’s spyware “don’t know how they got our software.”
Once a PC is infected with spyware, removing it typically takes dedicated software. Audaciously, Direct Revenue provided customers with a site claiming to remove its spyware, but when users followed instructions to deactivate their firewall and download the “uninstallers,” they merely downloaded additional spyware.
Penalty for Past Practices
In a Direct Revenue press release posted on the company’s site, an unnamed spokesman rebuffs the charge. "This lawsuit is a baseless attempt by the Office of the Attorney General to rewrite the rules of the adware business. It focuses exclusively on the company's past practices—practices we and other industry leaders changed long ago—and says not a word about what we're doing today.
"We are proud of our products and the value they bring to both advertisers and consumers—the former by delivering positive, measurable results for their ad dollars, and the latter by offering free content and applications in exchange for viewing a few targeted advertisements per day.”
Furthermore, the company says its current practices include explicit and affirmative customer consent (in plain English) prior to installation, easy removal of the company’s software (by supplying a link to an opt-out page from every ad and by being listed in Add/Remove Programs), no use of personally identifiable information, and no use of third-party affiliates to distribute its software. The press release fails to address any past practices, however.
Getting Tough with Spyware Purveyors
Despite the public excoriation of spyware purveyors, there may be only one way to stem spyware: fines and jail time. As Ari Schwartz, the deputy director of the Center for Democracy and Technology in Washington, notes, “aggressive law enforcement is an essential component in the ongoing fight to stem the tide of unwanted spyware.”
Finally, prosecutors are catching up with such companies. While Congress has considered passing anti-spyware legislation, many computer security advocates argue current laws are sufficient for stopping spyware. In other words, don’t bother with a show of “get tough” legislation—just get tough.
Witness the New York suit, which the AG’s office says was filed “under New York’s General Business Law, which prohibits false advertising and deceptive business practices; its Penal Law, which prohibits computer tampering; and its common law prohibitions against trespass.” As the use of such laws illustrates, distributing spyware is a fraudulent activity, and that’s cause enough to pursue legal remedies.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.