FTC Wants More Power To Fine Spyware Companies

from the a-little-punishment-could-be-useful dept

While the FTC has gone after some spyware/malware providers, they're somewhat limited by current laws over how much they can fine those companies. That's why we've seen stories of such firms getting fines that are a tiny fraction of the actual money they made. Now, the FTC is pushing Congress to change the laws to give the FTC the ability to actually punish these firms with large fines, rather than just being able to go after profits. The article linked here frames it as a debate over whether or not Congress should pass anti-spyware laws, but why can't the FTC use current laws concerning deceptive marketing techniques to punish these firms? Does it really need a special separate law that tries to define spyware?

Filed Under: fines, ftc, spyware

Ding Dong, DirectRevenue Is Dead

from the apparently-it's-tough-to-make-money-being-legit dept

DirectRevenue was considered one of the worst adware/spyware firms out there for many years. The company was famous for changing names every time people started to figure out how sleazy the company's marketing techniques were, and then repeatedly claiming it had cleaned up its practice of sneaky installs when the reality was that it kept doing the same thing. Eventually, the company was sued and paid a $1.5 million fine -- significantly less than the $28 million in profits the firm's founders apparently had made (and the $80 million the company had brought in over the years). Either way, now that the lawsuits appear to be done, and the fact that it's pretty difficult to make any money in that business without surreptitious installs, the company is shutting down. I'm sure the founders who walked away with all that money aren't too upset by it, however.

Filed Under: adware, spyware
Companies: directrevenue

Court Rules That Anti-Spyware Companies Can Call Spyware Spyware

from the what's-in-a-name dept

All too often, we've seen cases where security software firms were sued for calling some piece of software "spyware" or "adware." In fact, Microsoft even wanted to make sure that new anti-spyware legislation would make it clear that there's nothing wrong with calling spyware "spyware." However, in the latest ruling on one of these cases (in which Zango sued Kaspersky), the ruling makes it clear we already have such a law on the books. The judge dismissed the lawsuit, noting that security firms have every right to label software as they see fit, citing part of section 230 of the Communications Decency Act.

We often point to section 230, because it protects service providers from liability for the actions of the service providers' users. However, this is referring to a different part of section 230, which says that no service provider is liable for a good faith attempt to restrict access to something it deems objectionable. The court felt that the security company was a service provider, and that since it believed Zango was objectionable, then it has every right to try to restrict it. The court makes a second very important point. Zango complains that its software is not objectionable, and therefore the security providers cannot block it as objectionable. However, the court points out that the statute clearly says that it's for what the service provider finds objectionable. In other words, the content in question need not be "objectionable" at all -- it only matters what the service provider feels about it. This is a pretty strong endorsement for the idea that security companies absolutely can call software whatever they feel is appropriate.

Filed Under: adware, cda, section 230, spyware
Companies: kaspersky, zango

How Does The FBI's Spyware Get Around Security Software?

from the cloak-and-dagger-or-point-and-click dept

A teenager in Washington state got sentenced to 90 days in juvenile detention this week, after he plead guilty to making some bomb threats via e-mail to a high school. It turns out that the FBI nabbed him with a piece of spyware called the Computer and Internet Protocol Address Verifier, or CIPAV. The FBI used the spyware after it had obtained server logs from Google and MySpace, which gave them an IP address that led to an infected computer in Italy. This isn't too surprising, really, but what makes it a little more intriguing is that it's not clear how the FBI slipped the program onto the kid's computer, nor how it evaded detection by anti-virus software. The most likely possibility is that they took advantage of some unpatched vulnerability on the kid's PC, with a browser or plug-in hole exploited by a MySpace web message. The question of evading security software looms larger, though, with CNet's Declan McCullagh wondering if the government persuaded security software vendors to whitelist CIPAV. He said that some vendors said they'd comply with court orders to ignore government or police spyware, and that McAfee and Microsoft wouldn't say if that's what had, in fact, happened here. Meanwhile, Kevin Poulsen over at Wired says that a more likely (and less controversial) explanation is that without ever seeing CIPAV, security software vendors can't make a signature for it, so their systems can detect it.

Filed Under: government, law enforcement, spyware
Companies: fbi, mcafee, microsoft