Spyware Redux

It’s not often that I get much of a response to a column, but my recent piece about spyware prompted several letters — and not just the “let-me-tell-you-about-my-experience” kind.

Meet Ben Edelman. Ben is every mother’s dream, provided the mother in question wanted a doctor or a lawyer in the family. He’s currently both a Ph.D. candidate in economics and a law student at Harvard. In his spare time — this is surely a euphemism for sleep deprivation — Ben researches things like spyware and runs a Web site where he publishes his findings.

According to the site, “Ben has served as a consultant and testifying expert for a variety of clients, including the ACLU, the National Association of Broadcasters, the National Football League, the New York Times, the Washington Post and Wells Fargo.” This one graduate student makes the average professional analyst group look positively slothful by comparison.

House Bill 29

Edelman got in touch with me shortly after I wrote a column supporting a bill (HR29) currently making its way through Congress under the sponsorship of Mary Bono (R-Calif.). My goal in writing the column was not purely altruistic. I believe that the Internet will not reach its full potential as a commerce engine as long as there are cyber pirates out there eager to swipe your identity and cripple your computer.

My purpose was to draw attention to the bill because I believe it is important and that the CRM community has a special responsibility to support it in the name of customers and future revenues.

I thought it was a pretty good bill. Little did I know — layman that I am — that HR29 is far from perfect. According to Edelman, it is riddled with loopholes that would make it ineffectual. I suggest you take a look at Edelman’s site for a full discussion, but I will lay out a few of the larger points here.

Enforcement and Notification

One problem with the bill is weak enforcement. The legislation puts this hot potato in the lap of the Federal Trade Commission (FTC), which has a dismal record of enforcement. According to Edelman, “The FTC has filed only a single anti-spyware case to date, and has failed to act on (among scores of other problematic activities) the installation of dozens of programs through security holes, even when documented in research posted months ago (by me and others).” (You can follow his hyperlinks for more details.)

Edelman makes the modest proposal that, rather than giving sole enforcement authority to the FTC, the bill should also grant jurisdiction to state attorneys general — who face voters regularly and who frequently prosecute consumer fraud.

The second area that needs shoring up is notification. People should be notified or asked if they want to download programs that have embedded spyware. There are numerous ways, however, to get around such a fair notice provision, such as offering a 200-page license agreement that no one will read. Another way to get user acceptance is to insist the download is necessary to run the content being offered.

“Spyware companies will claim that users consented to their schemes when users pressed ‘yes’ in installation dialog boxes — no matter how lengthy, confusing, misleading, or poorly-presented the on-screen disclosures,” Edelman explains.

Though neither the legislation nor Edelman consider it, outlawing these and other bad behaviors will not solve the whole problem. There is a lot of spyware already installed, and much of it is impervious to removal attempts by even very good anti-spyware programs. The recalcitrant software must be removed manually, sometimes even requiring wiping a hard disk completely clean and reinstalling the operating system, which can result in lost data and productivity.

Wouldn’t it be nice if the legislation also mandated that spyware propagators issue de-installation routines and make them available free on their Web sites? It’s their mess. They should clean it up.

VC Connection

Perhaps the most surprising and disappointing discovery I made in visiting Edelman’s Web site is his rogues gallery of spyware makers and their venture capital sponsors. Investigating just four large spyware companies revealed $139 million in investments from the venture capital community. There’s very little ambiguity in the findings: They come directly from SEC filings, which the meticulous Edelman offers as hyperlinks should you wish to peruse them.

According to Edelman, for example, more than $58 million has gone into a spyware maker named Gator (which has changed its name to Claria) from VC’s, including U.S. Venture Partners — whose other investments have included Ask Jeeves, Cisco, Iomega and Sun — and Greylock, which also invested in DoubleClick, Evite, Filenes Basement, LinkedIn, RedHat, Staples and Upromise.

Guys? Hello?

It’s just a hunch, but the VC angle might be the smoking gun. It would be hard to get many CRM vendors behind improving the legislation it meant biting the hands that feed them. And Congress? It looks as if this one’s up to the people. If we care enough to try, we can petition our legislators to write a better bill. Or we can continue to buy firewalls and live with the mess.

So there it is. Ben Edelman, we thank you, and good luck with your studies!

Now get some sleep.

Denis Pombriant is founder and managing principal of Beagle Research Group. An influential thought leader in the CRM industry for more than five years, Pombriant researches emerging trends in CRM and publishes research reports that can be found on the company’s Web site and on other influential Web sites in the CRM market. In 2003 CRM Magazine named Pombriant one of the most influential executives in the CRM industry. He is also quoted extensively in Paul Greenberg’s CRM at the Speed of Light, third edition. His latest report is titled “KeyFindings: CRM Market Events, Observations, and Analysis 2004.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

CRM Buyer Channels