Written Testimony of Jeffrey Friedberg
Director of Windows Privacy, Microsoft Corporation
Testimony Before the U.S. House Committee on Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection
“Spyware: What You Don’t Know Can Hurt You”
April 29, 2004
Chairman Stearns, Ranking Member Schakowsky, and Members of the Subcommittee: My name is Jeffrey Friedberg, and I am the Director of Windows Privacy at Microsoft Corporation. I want to thank you for the opportunity to share with the Subcommittee our views on this burgeoning threat to computer users around the world. Spyware and other deceptive software share a common theme: they use ambiguity, coercion, deceit, and outright trickery to lure or even force users to execute or install unwanted and often invasive programs. Our customers complain that this software degrades their computing experiences – in some cases rendering their computers unusable – and causes them to feel frustrated and out of control. It also compromises their privacy and can make their computers more susceptible to attack.
Microsoft applauds Congress and the members of this Subcommittee for their attention to this problem. In particular, we would like to acknowledge Representatives Mary Bono and Ed Towns for the time and energy they have invested. Stopping the spread of deceptive software is one of Microsoft’s highest priorities. We are committed to providing consumers with the information and technology that will help protect them against deceptive software. And we are committed to working with you, law enforcement, and others in the industry to identify and penalize the perpetrators of these nefarious programs.
Today, I want to describe the nature and nuances of deceptive software, and explain Microsoft’s comprehensive strategy for tackling this issue. As with any issue that raises consumer protection concerns, there are a number of ways in which the public and private sectors, working together, can address the problem. These include educating consumers, developing new technology to help protect users and to empower them to make more informed choices, identifying industry standards and best practices, and taking enforcement actions against those engaged in fraudulent, deceptive, and unfair practices. To the degree existing law fails to capture bad actors, legislation could complement this strategy, but we believe it should be carefully crafted to target the bad behavior – not the underlying technology. Overbroad legislation could place an undue burden on legitimate software, and seriously undermine the user experience.
What Is Deceptive Software?
Let me explain what, exactly, I mean by deceptive software. Deceptive software generally describes programs that gain unauthorized access to a computer – whether to spy on user activities, hijack user configurations, or deliver intrusive and unwanted pop-up advertisements. The common thread that unifies deceptive software programs – and that distinguishes them from legitimate applications – is their lack of notice and choice, and their absence of respect for users’ ability to control their own computers. With proper disclosure, user authorization and control, these same features can be an asset: user-approved tracking can lead to personalization; user-approved configuration changes (for example, setting a new search page) can yield a better user experience; and user-approved displaying of advertisements can subsidize the cost of a service (such as e-mail), making it cheaper or even free for consumers. In short, the problem is with bad practices, not the underlying features.
There is a spectrum of tricks that cause consumers to load software applications that they may not want. To better understand these tricks, it is useful to first briefly describe a legitimate download experience. I would like to draw your attention to Slide A: “User Initiates Download.” This slide represents a typical web site consumers might visit. On the web site is a link for downloading a program (in this example, a program that will display a “stock ticker”). When users click on the link, the operating system displays a security warning that asks them whether they want to install the program, as shown in Slide B: “Security Warning Displayed.” These security warnings are a normal part of the computing experience.
In some instances, however, web sites manipulate the download experience in an attempt to mislead users. When users are presented with a download request and security warning, they will often consider the web site they are visiting to decide whether to accept the download. If the web site is one they trust, they may simply accept the download without much thought. Using a deceptive technique we call a pop-under exploit, however, some web sites take advantage of this trust, going out of their way to make it more difficult for users to tell which web site is actually offering the download. For example, on Slide C: “Pop-Under Exploit – Step 1,” users who are visiting a legitimate website are presented with a download request that appears to have been generated from that site, which we see on Slide D: “Pop-Under Exploit – Step 2.” In fact, the download request was actually launched from a web page that is hidden beneath the legitimate site, as we see on Slide E: “Pop-Under Exploit – The Trick.” Launching a download request from a pop-under can result in a confusing or even misleading experience. It is likely that the user, who cannot easily view the underlying web page, will assume that the request came from the legitimate site and may choose to download the software for this reason.
Web sites are often compensated for each software download that occurs from their site, and in order to increase this volume, some web sites will resort to deceptive practices. For example, a web site might confuse users so that no matter where they click, they are taken to a page that requires a download. In this scenario, shown on Slide F: “‘Cancel’ Means ‘Yes’,” a user is presented with an image that mimics a security warning or update and appears to provide the user with appropriate choices about downloading certain software. However, even if the user clicks the “Cancel” button or the “[x]” box to close the window, the web site will attempt to download the software onto the user’s machine. This type of trick can also take place through embedded security alerts, as shown on Slide G: “Faux Security Alert,” where all buttons in the alert mean “yes” and initiate a download experience the user did not want.
Perhaps the most nefarious way that software is installed requires no action on the part of the user. In this scenario, bad actors exploit a security hole and covertly install software without any notice to or consent from the user. This practice is illegal under existing law, but bad actors still attempt to deceive users in this fashion. To educate consumers on the steps they can take to minimize this risk, we created a web site, www.microsoft.com/protect, that recommends (1) keeping systems up to date using the free Windows Update service, (2) running up-to-date anti-virus software, and (3) using a firewall like the one included with Windows XP.
There is one other way that software can get installed without any action on the part of the user. If a user sets their browser security setting to “low,” as illustrated on Slide H: “Don’t Leave Your Front Door Open,” all sites are assumed to be “trusted,” and no security warning will be displayed. This can result in what are called “drive-by downloads,” in which the download silently and automatically occurs by just visiting a web site. Microsoft encourages users to leave their security settings on the default setting of “medium” or higher, and in cases where the browser security level must be set on “low,” we encourage users to reset security back to a higher level as soon as possible.
These slides illustrate just a few of the ways in which users can be tricked into downloading unwanted and sometimes destructive software. Other tricks include limiting users’ ability to make a fair choice by repeatedly asking them to make a decision until they say “yes”; covertly installing software by piggybacking on other software being installed; pretending to uninstall; and re-installing without authorization.
Deceptive Software is a Growing Problem for Our Customers
Our customers are becoming increasingly frustrated by unwanted and deceptive software. We receive thousands of calls from customers each month directly related to unwanted or deceptive software, and we have evidence that suggests such software is at least partially responsible for approximately one-half of all application crashes that our customers report to us. In addition, our industry partners who make computers – sometimes referred to as “Original Equipment Manufacturers” or OEMs – have indicated that unwanted and deceptive software is one of the top support issues they face, and that it costs many of the larger OEMs millions of dollars per year.
Other estimates support the growing threat of the problem. According to the security software firm PC Pitstop, nearly a quarter of personal computers are afflicted with some type of unwanted or deceptive software application. More aggressive estimates place the total at between 80 and 90 percent of all PCs. Indeed, a 2003 study by the National Cyber Alliance found that 91 percent of broadband customers have some form of unwanted or deceptive software on their home computers.
What may be most alarming is the growth of these programs over the past year. PestPatrol, which sells spyware detection and removal software, estimates that there are now more than 78,000 separate spyware programs in use. In the past year, PestPatrol identified more than 500 new Trojan horses (which are programs that provide unlimited access to PCs), 500 new key loggers (which monitor and record a user’s keystrokes), and nearly 1,300 new forms of programs that display advertisements. The past year has also seen spyware manufacturers gain strides in their ongoing technological battle against anti-spyware removal and detection systems. Over the past six months, the number of “burrowers” – programs that dig so deeply into an operating system that they cannot be found or removed without major and potentially damaging surgery – has increased from six to more than 40.
The explosion in the volume of unwanted and deceptive software has had an enormous impact on Microsoft, as has the accompanying increase in the complexity with which those programs operate and the damage that they do. Many of our customers blame the problems caused by these programs on Microsoft software, believing that their systems are operating slowly, improperly, or not at all because of flaws in our products or other legitimate software. This costs us not only millions of dollars per year in otherwise unnecessary support calls, but also immeasurable damage to our reputation and, most importantly, to our efforts to optimize our customers’ computer experiences.
Adopting a Comprehensive Strategy To Combat Unwanted and Deceptive Software
As I have shown, there is a continuum of behaviors that lead or trick users into downloading unwanted software programs. In the same vein, there is a continuum of solutions that we believe must be part of the strategy to end these behaviors and curb the spread of deceptive software. This strategy has four prongs: widespread customer education; innovative technology solutions; improved industry self-regulation; and aggressive enforcement under existing state and federal laws. As I mentioned previously, new, carefully crafted and narrowly focused legislation can also play a role to the extent that existing laws do not fully address certain deceptive or misleading practices.
Addressing the Problem Starts with Consumer Education
The first step in the battle against unwanted and deceptive software is better consumer education. Once confined to the back pages of industry journals, the problem is beginning to move to the mainstream of consumer protection issues, as last week’s workshop at the Federal Trade Commission and today’s hearing demonstrate. These public forums are essential in heightening consumer awareness of the problems caused by deceptive software.
To complement those efforts, Microsoft recently launched a website – www.microsoft.com/spyware – with information that is specifically designed to help consumers understand, identify, prevent, and remove unwanted and deceptive software. This website explains what spyware is and why it can be dangerous; tells users how they can protect their machines from being compromised by these unauthorized programs; helps consumers ascertain whether their computers already contain unwanted or deceptive software by describing its symptoms, such as sluggish performance, an increase in random pop-up advertisements, and a hijacked home page; and points users to third-party tools that can detect and remove these programs.
Microsoft is committed to working with Congress and the FTC to continue educating consumers about the ways they can prevent unwanted and deceptive software from attacking their PCs. While the Internet is an incredible resource that has enabled – and will continue to enable – countless and sweeping improvements in communications, commerce, and government, that same power requires that computer users take the same care for their safety and security online as they would offline. As an industry leader, we acknowledge and strive to fulfill our responsibility to educate consumers about these and other related issues. Consumers who take steps to remove or prevent the installation of this software will not only preserve their own privacy, security, and optimum computer experiences, but they will make an important contribution to the larger effort of generally eliminating the problem. The entities that produce these programs will have much less incentive to create and download their products if consumers take steps to block their use – or at least do not respond to the seller on whose behalf the deceptive software purveyor is operating.
Industry Is Working on New Technology To Combat Deceptive Software
The development of anti-spyware technology should complement the impact of consumer education and awareness. For example, third parties have released anti-spyware programs that enable users to remove or disable many examples of unwanted and deceptive software from their PCs without damaging their existing hardware or legitimate software. These tools are continually being improved to address new variants and scenarios.
Microsoft is working on enhancements that will also help address the problem. For example, we will soon be introducing Windows XP Service Pack 2 – a free update for all licensed Windows XP users – that includes features designed to block some of the entry points and distribution methods of deceptive software by better informing users in advance about the type of software they will be installing. These enhancements include:
A new pop-up blocker, turned on by default, that will reduce a user’s exposure to unsolicited downloads (See Slide I: “New Popup Blocker”);
A new download blocker that will suppress unsolicited downloads until the user expresses interest (See Slide J: “New Download Blocker”);
Redesigned security warnings that make it easier for users to understand what software is to be downloaded, make it more obvious when bad practices are used (e.g., multi-line program names), and allow users to choose to never install certain types of software (See Slide K: “Improved Install Prompts”);
A new policy that restricts a user’s ability to directly select “low” security settings (See Slide L: “Harder to Leave Your Front Door Open”); and,
Tools to help expert users and support professionals understand and disable unwanted functionalities that have been added to the browser. (See Slide M: “New Add-On Manager.”)
Beyond Windows XP Service Pack 2, Microsoft is investing in future technologies that advance our goal of giving users the ability to understand what software they are running and installing, and whether they can trust it. We continue to explore ways that we can better inform consumers in advance about programs that they plan to install, and to provide them with more control over the installation itself. We also are striving to enhance and simplify the ways in which our customers can see what software is running on their computers, and to evaluate what to do with that software based on their preferences. And we are working to advance technologies that can be used by our entire spectrum of customers – from the most sophisticated enterprise to the most novice consumer – because we want them all to have an equally fulfilling computer experience.
Industry Best Practices Are an Important Part of the Solution
The third important part of our strategy is to develop a set of industry-wide best practices. Developing best practices is critical because they will create an incentive for legitimate software publishers to distinguish themselves from less scrupulous publishers and minimize the risk of being classified with the bad actors that engage in deceptive practices. Best practices will also serve as a foundation for programs that certify and label good actors and thereby enable users to make more informed decisions about the type of software they execute and install on their computers.
The first step in this process is developing an understanding of the devious, deceptive, or unfair practices that adversely affect consumers. The Center for Democracy and Technology (CDT) has made great strides in this area through its Consumer Software Working Group, of which we are a member. This group includes public interest organizations, software companies, Internet service providers, and hardware manufacturers, all of whom have worked hard to identify a set of deceptive practices that raise serious concerns. These practices – many (if not all) of which are illegal under existing law – should help focus regulatory and law enforcement efforts on the truly bad actors.
In addition to recognizing bad practices, we think it is equally important to begin to develop best practices in certain scenarios. These scenarios include the collection and transmission of personal information, the display of advertisements, and changes to configuration settings that affect the Internet browser home page or browser search page. The touchstone of these best practices should be appropriate notice and consent. Users should understand what the software will do in these scenarios before it is executed, and they should then have a choice about whether to execute it. In addition, programs with these features that are installed on a user’s computer should also be easily uninstalled or disabled – or if that is not possible, the user should be clearly informed of that fact upfront.
Microsoft is actively extending its best practices to explicitly include the scenarios highlighted above. We are committed to working with other companies in the industry to ensure that users have high-quality experiences with legitimate software. And we would be happy to share our best practices to the extent they would be helpful in moving the industry forward to this common goal. In the end, self-regulatory measures more than federal requirements will help industry leaders define and implement best practices that account for the complexities of different software applications and can evolve to meet the ever-changing nature of technology.
Enforcement Is a Critical Part of the Fight Against Deceptive Software
A fourth key weapon to stop the spread of deceptive software is the aggressive enforcement of existing laws. Such enforcement could put some of the most insidious violators out of business, which would have a significant impact on the amount and type of deceptive software that is produced and distributed in the United States. Moreover, a few targeted enforcement actions would serve as a powerful deterrent to other manufacturers of deceptive software.
Enforcement actions are possible using existing law. For example, under the Federal Trade Commission Act, the FTC is empowered to challenge unfair and deceptive trade practices, which – by definition – are at the heart of virtually all deceptive software programs. Many states have similar laws that authorize their own enforcement agencies to prosecute entities that engage in these same types of practices. And the Computer Fraud and Abuse Act provides other law enforcement agencies with the means to address spyware threats that involve hacking into users’ computers. Given the growing sophistication, diversity, and proliferation of spyware, the private and public sectors should combine their resources to hold those who publish illegitimate deceptive software accountable for their actions and the damage they perpetrate.
Congress Should Proceed Cautiously
Microsoft is hopeful that the combination of user education, improved technology, industry best practices, and enforcement of existing laws can effectively combat the growing problem of deceptive software. Although we have seen an increase in the amount and complexity of deceptive software in recent months, it is encouraging to see the stepped-up response of both the public and private sectors. We are open to considering whether federal legislation can provide an additional layer of protection and another weapon in the fight against deceptive software. However, Microsoft offers two important caveats when considering federal legislation.
First, as noted above, many deceptive software programs are already either prohibited under existing law – such as the Computer Fraud and Abuse Act – or are subject to the FTC’s jurisdiction over unfair and deceptive trade practices. Any additional federal legislation deemed necessary to outlaw deceptive software must be carefully crafted to supplement the existing legal framework only where gaps are identified.
Second, any legislation should target deceptive behavior, rather than specific features or functionalities, to avoid imposing unworkable requirements on legitimate programs and negatively impacting computer users. Examples of some unintended consequences of well-intentioned legislation include the following:
Disruptive User Experience. Many legitimate software programs rely on information-gathering activity to perform properly, including error reporting applications, troubleshooting and maintenance programs, security protocols, and Internet browsers. Imposing notice and consent requirements every time these legitimate programs collect and transmit a piece of information would disrupt the computing experience, because users would be flooded with constant, non-bypassable warnings – making it impossible to perform routine Internet functions (such as connecting to a web page) without intolerable delay and distraction.
Compromised Consent Experience. “One size fits all” notice and consent requirements may not give users sufficient context to make informed decisions. For example, requiring notice and consent at the time of installation ignores the importance of a technique we refer to as “just in time” consent, which delays the notice and consent experience until the time most relevant to the user – just before the feature is executed. If a program crashes, for instance, Windows Error Reporting functionality will ask the user whether he or she would like to send crash information to Microsoft. At this time, the user is able to examine the type of information that will be sent to Microsoft and to assess the actual privacy impact, if any, of transmitting such information in light of the potential benefit of receiving a possible fix for the problem. In this case, the user understands the costs and benefits of the proposition being made and is able to make an informed choice. Presenting the notice and choice experience at the time of installation, on the other hand, would lack this critical context.
Unrealistic Uninstall Requirements. Requiring standardized uninstall practices for all software would be unworkable in many circumstances. For example, there are cases where a full and complete uninstall is neither technically possible nor desirable, such as with a software component that is in use and shared by other programs. In addition, there are other cases where an uninstall may be technically possible, but the cost to provide such functionality would be prohibitive, such as with complex software systems that may require the entire software system to be removed. Finally, there are situations where requiring uninstall could actually compromise the security of the system, such as backing out security upgrades or removing critical services.
There are many other areas in which legislation could fall into similar traps, imposing ineffective or impracticable requirements, or even threatening PC security and usability. We therefore encourage Congress to focus its attention on the devious practices of deceptive software, including those identified by CDT and its Consumer Software Working Group; to legislate only to the extent such practices are not already illegal under existing law; and to engage industry experts in understanding the complexities of software, thereby ensuring appropriate due diligence to avoid unintended consequences.
Unwanted and deceptive software is a growing problem, and we believe that a multi-faceted approach is needed: improved consumer education; new technology solutions; a comprehensive set of industry best practices; and aggressive enforcement of existing laws against violators. This approach will enable consumers to make more informed decisions about installing software; help distinguish good actors from bad ones; and make being bad an expensive proposition. We commend the Subcommittee for holding this hearing today and thank you for extending us an invitation to share our experience and recommendations with you. Microsoft is committed to working with you to thwart the efforts of those who produce and distribute these deceptive programs, and to restoring choice and control back where it belongs – in the hands of consumers.