FTC Sues Alleged Spyware DistributorFTC Sues Alleged Spyware Distributor

The Federal Trade Commission is taking its first legal action against an alleged spyware distributor. In a court filing last week, the commission asked the U.S. District Court of New Hampshire for an injunction and equitable relief against Sanford Wallace and his companies Seismic Entertainment Productions and SmartBot.Net, the FTC said in a press conference Tuesday in Washington.

Recalling charges against an Arizona firefighter arrested in 2002 for starting a fire in order to get paid for putting it out, the FTC alleges that Wallace distributed spyware that created pop-up ads on victims' computers in order to sell his company's anti-spyware software.

"The defendants were selling software to fix the problems they just caused," says Lydia Parnes, acting director of the FTC's Bureau of Consumer Protection. "No one should be pestered or spied on by people who illegally hijack their computers. To those who are purveyors of spyware: This may be our first case, but it won't be our last."

This isn't Wallace's first case, however. In 1998, EarthLink Inc. won a $2 million judgment in Los Angeles Superior Court against Wallace, the so-called "spam king," and his company at the time, Cyber Promotions Inc. Wallace was required to write a formal letter of apology to EarthLink members for any inconvenience he caused as a result of his spamming.

In a press release heralding the victory at the time, Garry Betty, president and CEO of EarthLink, said, "I can't tell you how happy I am to be rid of one of the Internet's most notorious spammers. The most important benefit of this judgment is the message we've sent to spammers that illegally tap our resources and clog up the Internet with this trash--we won't stand for it. On top of that, now they'll pay a very real penalty."

The penalty sought by the FTC could likewise be harsh, despite the fact that the FTC Act, under which the suit is brought, does not empower the agency to obtain punitive civil damages. Beyond an injunction to halt the distribution of spyware, the commission is seeking monetary relief in the form of restitution, court costs, and "ill-gotten gains."

"The law provides up to $10,000 per violation," says attorney Michael S. Elkin, an Internet privacy expert and national chair of commercial litigation and entertainment & media practices at Thelen Reid & Priest. "So, if you count up the number of violations that have occurred, you're talking about a fairly significant sum of money."

Should the FTC prevail, the action may create a precedent and discourage other potential spyware distributors, Elkin says. He acknowledges, though, that the law has limits, noting that legislation won't make spyware go away. "We know from peer-to-peer file sharing that despite the prosecutions from the recording industry and the Motion Picture Association that all the actions to try to clamp down haven't eradicated illegal file sharing," he says.

Future enforcement actions may be filed under stronger pending legislation, Elkin says. California's Consumer Protection Against Spyware Act is set to go into effect on Jan. 1. Congress is considering similar anti-spyware legislation.

While the FTC has not taken a position on this legislation, Parnes says, it does recognize that spyware is a growing problem. She also notes that Congress is considering cross-border fraud legislation, which would be particularly helpful in going after lawbreakers located overseas.

While the FTC lacks data to determine the extent of the spyware problem, the agency in April held a workshop on spyware at which Dell reported that from 10% to 12% of its tech-support calls can be blamed on spyware, and Microsoft reported that 50% of Windows crashes are caused by spyware.

According to the FTC's complaint, the defendants exploited vulnerabilities in certain versions of the Microsoft Internet Explorer Web browser to change users' home pages, modify the browser's search engine, download advertising and other software programs, and deliver "an incessant stream of pop-up advertisements."

During the question-and-answer session after the announcement, one journalist asked whether the commission recommended that consumers use a browser other than Internet Explorer that might be less vulnerable to attack. Parnes said the commission doesn't make such recommendations.