
Blogging the ASC: New Market Trends in Responding to Spyware

Posted on June 28, 2007 - 18:02 by egeorge

We have one more panel's worth of notes from our blogging of yesterday's Anti-Spyware Coalition conference. Here, StopBadware researcher Oliver Day shares his notes on the Trends panel, which closed out the day at the conference:

Google:

* The interstitial page. Creates a way to warn users of the search engine when a website is possibly infected.
* The Ghost in the Browser paper by Niels Provos et al. Technical paper on the methodologies used by Google to determine "badness".
* Safe browsing API overview. Opening up more information to the end users
* Online security blog. Tech oriented blog that is a day to day journal of the group.

Truste:

* Program whitelists
* Affiliate networks offloading responsibility

StopBadware:

* Educating consumers
* Guideline creation and security tips for site owners
* Community building via discussion groups, etc.

Site Advisor:

* Built for consumers by MIT engineers
* Bots testing for annoying behaviors

Questions:

How do all these pieces fit together in the security ecosystem?
Orgs like Truste try to fill particular niches, such as deep product reviews. Google is trying to make searching safer. StopBadware is in a unique position as a non-profit to act as a watchdog against corporations (see the AOL report).

Are we acting as arbiters of the Internet? What happens when we get something wrong? Versions change often (think updates) so how valid are product certifications?

Google claims near-zero false positives based on vetting through partners. No one should browse feeling secure in the belief that they are protected from *all* things. How does one "look both ways" when browsing web pages?

False positives can be dealt with on a programmatic level: decays on bans, whitelists, etc.
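As an added illustration of the "decays on bans, whitelists" idea (this is example code written for this post, not Google's, Truste's or StopBadware's actual system), the sketch below keeps a reputation score per host that is the sum of past "bad" reports, each losing half its weight every week unless the host is reported again; a whitelist entry overrides any block. A one-off false positive therefore ages out on its own, while a site that keeps getting flagged stays blocked. The half-life, threshold and report weights are assumptions chosen for the example.

```python
"""Constructed example: a blocklist whose entries decay unless re-confirmed,
plus a whitelist that overrides any block. Hypothetical design for
illustration only; not any real search engine's or certifier's system."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

HALF_LIFE = timedelta(days=7)   # assumed: a report loses half its weight each week
BLOCK_THRESHOLD = 1.0           # assumed: total decayed weight needed to block


@dataclass
class Report:
    when: datetime
    weight: float   # assumed scale: 1.0 for an automated hit, 2.0 for analyst-confirmed


@dataclass
class ReputationStore:
    reports: dict[str, list[Report]] = field(default_factory=dict)
    whitelist: set[str] = field(default_factory=set)

    def report_bad(self, host: str, when: datetime, weight: float = 1.0) -> None:
        """Record one 'this host served badware' observation."""
        self.reports.setdefault(host, []).append(Report(when, weight))

    def add_to_whitelist(self, host: str) -> None:
        """Manual override, e.g. after a false-positive review."""
        self.whitelist.add(host)

    def score(self, host: str, now: datetime) -> float:
        """Sum of report weights, each decayed exponentially by its age."""
        total = 0.0
        for r in self.reports.get(host, []):
            age = now - r.when
            if age < timedelta(0):
                continue  # clock skew / future-dated report: ignore it
            total += r.weight * 0.5 ** (age / HALF_LIFE)
        return total

    def is_blocked(self, host: str, now: datetime) -> bool:
        """Whitelist wins; otherwise block while decayed weight is above threshold."""
        if host in self.whitelist:
            return False
        return self.score(host, now) >= BLOCK_THRESHOLD


def demo() -> dict[str, bool]:
    """Walk through the three cases the post alludes to, on constructed data."""
    store = ReputationStore()
    t0 = datetime(2007, 6, 27)          # constructed timestamp
    week_later = t0 + timedelta(days=7)

    # Case 1: a single hit blocks today but decays below threshold after a week.
    store.report_bad("example-flagged-once.test", t0)
    # Case 2: a host that is re-reported a week later stays blocked.
    store.report_bad("example-repeat.test", t0)
    store.report_bad("example-repeat.test", week_later)
    # Case 3: a reviewed false positive is whitelisted and never blocked.
    store.report_bad("example-false-positive.test", t0, weight=2.0)
    store.add_to_whitelist("example-false-positive.test")

    return {
        "once_now": store.is_blocked("example-flagged-once.test", t0),
        "once_later": store.is_blocked("example-flagged-once.test", week_later),
        "repeat_later": store.is_blocked("example-repeat.test", week_later),
        "whitelisted": store.is_blocked("example-false-positive.test", t0),
    }


if __name__ == "__main__":
    for case, blocked in demo().items():
        print(f"{case}: {'blocked' if blocked else 'allowed'}")
```

The design choice worth noting is that a ban is never a permanent fact: it is evidence with a timestamp, and the operator's policy (half-life and threshold) decides how long that evidence matters. That is what keeps a certification or block from silently outliving the version of the site it was based on.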

Will/do consumers want their computers to be like appliances?

Porn is a vehicle for a badware codec.

How do we compensate for human stupidity?

How do we evade the bad guys when they know where we are (IP address)?

Community helps develop reputation systems.

What is the opinion of these groups for certifications by other groups? Things marked bad by different orgs are likely to be bad. Things marked good should still be viewed with skepticism.

Blogging the ASC: Public Policy & Legislation

Posted on June 27, 2007 - 20:17 by egeorge

Continuing with the live-blogging of the Anti-Spyware Coalition conference, here are StopBadware intern Mike Connolly’s notes on the Public Policy discussion panel:

John Palfrey, Executive Director of the Berkman Center, is the moderator of this segment. He is joined by Ari Schwartz, Deputy Director of the Center for Democracy and Technology, and a representative from the Federal Trade Commission’s Bureau of Consumer Protection (a late substitute for another FTC speaker).

Mr. Palfrey started by asking Mr. Schwartz for a general overview of the legislative landscape with respect to Badware…

Schwartz noted that there are at least two key statutory tools in effect. First, there are the basic fraud statutes that cover unfair and deceptive trade practices, both in the online world and in terrestrial space. These statutes exist on both the Federal and State levels. Second, there is the Computer Fraud and Abuse Act (18 U.S.C. § 1030)—this is a criminal statute that was originally passed by Congress in 1986 to thwart "hacking." The act was most recently amended to include stiffer penalties under the USA PATRIOT Act of 2001, and the Department of Justice used it to indict the creator of the Loverspy software in 2005. And last year, this statute was used in the conviction of a California man who was distributing badware via botnets. He was sentenced to five years in prison.

Next, Schwartz discussed pending legislation, including the SPY Act and the I-SPY Act. The SPY Act easily passed the House earlier this year. It is a short bill that would toughen criminal penalties for bad(ware) actors, but it also contains a controversial imposition of mandatory language for notice provisions. The software industry is generally concerned that this will result in too many flashing pop-ups, creating a user experience that actually mimics adware behavior. Furthermore, the SPY Act would preempt existing Spyware laws on the State level, and it also contains a number of "broad exceptions."

While the Center for Democracy and Technology generally supports enhanced penalties for creators of spyware, Schwartz’s preference is for the I-SPY Act, another piece of legislation recently passed by the House which also calls for tougher penalties.

Also on the radar is the Counter Spy Act of 2007. This was introduced by Senator Mark Pryor and has received attention in the past few weeks. Schwartz speculated that this bill has something of a shot at movement through the Congress since Pryor is from the majority party and sits on a related committee.

Next, attorney and internet expert John Levine asked about the politics surrounding the pending legislation...

According to Schwartz, advertisers generally do not care for "Good Samaritan" provisions aimed at protecting anti-spyware companies and organizations. Nevertheless, Schwartz notes that even with Good Samaritan protection, Spyware producers may continue to take action on other grounds. Therefore, Schwartz would prefer to see a statement from Congress that declares anti-spyware tools to be "good" and in the public’s interest.

Bottom line: the CDT would be happy with a proposal that enhances spyware penalties and does not preempt other State law. Schwartz points to the Zango case as an example of the lack of civil penalties, and he cites the action taken in the Sony rootkit case as an example of useful State law in this area.

Another member of the audience also noted that the advertising community is generally concerned that Congress is trying to regulate behavioral targeting. Schwartz says the SPY Act is not designed to do this—but that members of Congress are in fact interested in regulating behavioral targeting via other privacy legislation.

Mr. Palfrey then asked the FTC representative about the usefulness and/or inadequacies of the existing body of law. She has been litigating spyware cases with the FTC since 2004. She explained that when she started, there was no federal law explicitly designed to apply to spyware. Therefore, she and her colleagues looked to the broad language under section 5 of the FTC Act outlawing "unfair and deceptive trade practices." In the past few years, the FTC has used this act to target some of the more nefarious spyware actors, including Seismic Entertainment.

So, is there a good argument that we do not need any new law? Could we just get by on section 5? The FTC’s general position is that new law isn’t needed, and that there is a danger in enumerating certain prohibitions, since that might suggest a defense to Spyware developers: the latest exploits will always be one step ahead of the law...

Furthermore, the FTC has pushed for greater civil penalties since it can be considerably more difficult to prove consumer injury in spyware cases than in other, more traditional cases where damages are more readily quantified. Mr. Palfrey suggested that the ASC community could play a role in helping to develop a better understanding of Spyware’s cost in this regard…

In general, the FTC is working to enforce principles of express consent, clear and conspicuous disclaimers, and readily available uninstallers. In the coming years, the FTC will continue to focus on establishing principles and targeting crime. They will also be on the lookout for legitimate companies with practices that "cross the line." However, it was also noted that resources are particularly thin, as the FTC has only pursued a handful of cases over the past few years.
