The Federal Trade Commission ("FTC") loosely defines "spyware" as software that "aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer's consent, or asserts control over a computer without the consumer's knowledge." Examples of spyware include software that collects information about the use of the computer on which the software is installed, some of which may collect personally identifiable information ("PII"). When the computer is connected to the Internet, the software periodically relays the information back to the software manufacturer, a marketing company, or another third party. Another form of spyware--commonly called "adware"--traces a user's Web activity and causes advertisements--called "pop-up" ads--to suddenly appear on the user's monitor in response. Software programs that include spyware functionality may be pre-installed on a new computer, can be sold or provided for free on a disk (or other media), or downloaded from the Internet, often without the knowledge of the Internet user.
The greatest security and privacy challenges posed by spyware relate to technologies that are specifically intended to capture a user's personal information or take control of the computer for the purveyor's purposes without the knowledge or consent of the user. These include keystroke logging programs that capture a user's passwords, Social Security, or account numbers. This information can then be captured and redirected for criminal purposes including fraud, larceny, identity theft, or other cybercrimes. Perhaps even worse is the use of spyware that allows computer hackers to hijack a user's computer and turn it to their own purposes, rendering the computer a "zombie" capable of being directed remotely to send spam or viruses, help hack other computers, or allow others access to engage in copyright piracy.
According to the FTC, a survey of broadband users released by the National CyberSecurity Alliance found that over 90 percent of consumers had some form of spyware on their computers, and most consumers were not aware of it. Spyware presents privacy, security, and functionality concerns for both Internet users and legitimate commercial activity on the Internet. It has created opportunities for types of illegal behavior that are often difficult to detect and even more difficult to prosecute under existing law. In addition, the proliferation of spyware threatens to undermine consumer confidence in the integrity and security of the Internet and stifle the enormous commercial and communications potential of the information superhighway.
"Phishing" is a general term for using what appear to be either the websites of, or e-mails that appear to be sent from, well known legitimate businesses. These fraudulent websites and e-mails are designed to deceive Internet users into revealing personal information that can be used to defraud those same users. In some respects, phishing is only distinguished from traditional identity theft and fraud because it involves employing the Internet as a means to obtain the wanted information. Specifically, the schemes themselves, and the uses of the information by the criminals who obtain it are not unique to the Internet. In addition, almost all are illegal under existing Federal criminal laws dealing with wire fraud.
The scope of this problem was highlighted in a recent Department of Justice report on phishing. According to the report: During 2003 and early 2004, law enforcement authorities, businesses, and Internet users have seen a significant increase in the use of phishing. Criminals create and use such e-mails and websites to deceive Internet users into disclosing their bank and financial account information or other personal data like usernames and passwords. The "phishers" then take that information and use it for criminal purposes, like identity theft and fraud. A growing number of phishing schemes exploit for illegal purposes the names and logos of legitimate financial institutions, businesses, and government agencies in North America, Europe, and the Asia-Pacific region. One industry organization, the Anti-Phishing Working Group (www.antiphishing.org), has reported that in January 2004, there were 176 unique phishing attacks reported to it--an increase of more than 50 percent over the number of reported phishing attacks in December 2003.
One difficulty in solving the problems of both spyware and phishing is that average computer users are not aware of the steps they can take to protect themselves. Most computer users today have access to security features that are either part of their operating system or web browser or that can be obtained through additional software available at little or no cost, features which can stop most spyware from ever being installed on a user's computer.
Unfortunately, many computer users fail to take advantage of these features, such as firewalls, anti-spyware programs, and cookie-blockers, or fail to use them properly. Likewise, most phishing scams require the willing participation of the recipient to either visit a website or reply to an e-mail and give out personal information. As in earlier forms of fraud using the mail or telephones, common sense and a healthy level of suspicion go a long way toward not becoming a victim of phishing. Users can protect themselves against many phishing predators by exercising heightened scrutiny and undertaking verification measures whenever they are asked for passwords, credit card numbers, banking information, or other personal information by someone online. To the extent that spyware, phishing, hacking, and spam now sometimes intersect in attacks on computers, the proper use of a firewall, anti-virus software, and various means of blocking unsolicited e-mail can address these other attendant ills and thwart most attacks.
A second major difficulty in solving both spyware and phishing is that many of those who are the beneficiaries of information gleaned from these practices are difficult to track and locate, and the most egregious abusers are seldom legitimate businesses or individuals who might be responsive to government regulation or civil penalties. Annoying but less harmful forms of spyware, particularly adware, are used by a number of legitimate companies that could be found and could be expected to comply with regulations. However, the worst spyware abuses and the vast majority of phishing would likely be unaffected by government regulation or civil enforcement.
A third difficulty in solving the spyware problem is that many legitimate and beneficial tools for making a user's computing and Internet experience more enjoyable are technologically indistinguishable from spyware that is used to harm users and computers. For example, a "cookie" is a small text file typically downloaded when a person visits a website; it stores personal information and information about the user's preferences to make navigation of the site easier, and typically is only accessible and active when the user is visiting that website. Another example of a benevolent cookie would be the "shopping cart" cookie on many retail websites that allows the user to "carry" their purchases through the virtual store and to the virtual checkout.
However, some cookies that are technologically similar in most respects could be used for less benevolent purposes, such as intentionally targeting the user with ads, or tracking the user's visits to other websites and communicating this information to the originating website upon a return visit. A cookie could also be used for even more malicious purposes to give a criminal access to personal information that would allow them to defraud or otherwise harm the user. Other programs that make use of "spying" capabilities, such as parental monitoring software or technical support system monitoring software, are clearly beneficial in the hands of authorized users but, if installed on a computer by the wrong hands, could be used maliciously. These similarities in technological terms but differences in use exemplify why it is imperative for consumers, Internet Service Providers ("ISPs"), and lawmakers to deal with the problem of spyware and phishing not as particular technologies but as types of behavior that make illegal use of the Internet and various codes, programs, and software.