SB 140-BAN INTERNET SPYWARE

CHAIR CON BUNDE announced SB 140 to be up for consideration.

SENATOR THERRIAULT, sponsor of SB 140, gave a short introduction before presenting a slide show.

I've introduced SB 140 to accomplish two main objectives. The first is to send a message to computer invaders that it will be illegal in Alaska to conduct certain practices involving the injection of unwanted and malicious programs into computers. The second objective is to heighten through the legislative process both the awareness of the magnitude of the spyware problem and how to deal with it in the most cost-effective and time-efficient manner.... We have through research made contact with a nationally recognized expert [Ben Edelman] who has worked with us in drafting SB 140.... Virtually every branch of local and state governments have spyware problems. The cost of protecting private citizens from spyware is $21 billion nationally. This is based on the estimated three to six minutes each day people use to clean or otherwise deal with unwanted programs that affect their computers. The challenge is to keep the legislation targeted at unscrupulous and malicious sources without making it so broad that it will damage legitimate uses of computer programs.

SENATOR THERRIAULT said that SB 140 is broadly based on the Utah model with some features of the California version worked in. It may be difficult to prosecute those who ply their invasive practices in Alaska, but the magnitude of the problem moved him to declare such activities illegal so that legal recourse is available to those who wish to pursue the violators.

CURTIS CLOTHIER, Manager, Data Processing, Legislative Affairs, narrated a presentation called "Spyware 101."

1:42:13 PM He explained that spyware is software that collects personal information or makes changes on your computer without your knowledge or consent. Sometimes it's accompanied by an adware program that launches customized advertising.
Spyware is relatively new; the first documented case being in early 2000. But it started to hit radar screens in 2003 when a study indicated that two out of 100 support calls to help desks were related to spyware. Now it is estimated to be two out of five calls.

1:44:18 PM CHAIR BUNDE asked if anti-virus programs would help.

MR. CLOTHIER answered no; virus guards usually check only for viruses. Spyware usually makes its way through the Web browser. Most virus guards are aimed at Email or viruses that are already on a computer in files.

1:45:26 PM He described ways spyware can get on a computer - generally by installation of an application that is free with the end-user license agreement too long. It generally causes a computer to slow down or crash.

1:46:54 PM Spyware doesn't necessarily collect bad information. Some computers have it preloaded and it gives manufacturers information about a computer's health. The customer is generally informed, however. Other software has a free version and a paid version. The free version includes advertising. "It's the knowledge and consent thing, which I think is really critical in loading software."

1:47:41 PM Once spyware is on a computer, it requires a call to a technical support person who can run several different programs, but that is not always successful.

1:48:25 PM MR. CLOTHIER said that despite his division's best efforts, the legislature gets on average four to five machines a week that are infected with spyware - each taking as much as several hours to fix. He said that, "Spyware prevention and removal now takes up more of our time than virus and spam issues." He said there isn't any one good solution to the problem. He is trying to focus on educating his customers. He tells them not to click on advertisements to download software. Programs are being developed, but they cost money. All indicators lead him to believe it will be a problem well into the future.

1:51:47 PM CHAIR BUNDE asked how enforcement would work.

MR. CLOTHIER replied that programs can trace things, but that in the vast majority of cases, people are covering their tracks pretty well. Many times they have moved on from a physical location by the time they are found.

CHAIR BUNDE asked if this law were passed, would legitimate vendors have to stop their activity while the serious criminals would still be operating.

MR. CLOTHIER replied that license agreements are made difficult on purpose and he was sure vendors could do a better job of making it clear what they are intending to do with free software. "Certainly, it's such a mess right now that no one reads and people who aren't really savvy to the technology, just say yes to everything and trap themselves."

CHAIR BUNDE remarked, "We need to protect people from themselves a little bit - sort of like a seat belt law."

1:53:50 PM BENJAMIN EDELMAN, Ph.D. student at Harvard University, said he is an independent researcher testing spyware in his lab. It has become quite a serious problem. Some do bona fide spying by tracking purchases and credit cards, but others track your Websites to find out which ones you like to visit and have pop ups - generally with offers from competitors of the sites asked for. There is nothing legitimate with putting yourself out there as Hertz when you are Budget. Hard enforcement is needed, because stealing credit cards is already against the law. There is no clear benefit to passing another law that would continue to be broken. Pop ups need to be addressed, because some people think it is a grey area - as in the Hertz/Budget scenario. It creates troubling economic incentives where everyone and his brother wants to sneak on to your computer with a pop up ad.

SB 140 focuses on pop up ads. It says it's not a legitimate business practice to show a user an ad for one company when the user asked for that company's competitor or for some other site by domain name.
So, if I picked up my cell phone and I called 1-800-American, trying to reach American Airlines, that wouldn't be legitimate for Sprint to connect me to United instead - even if United offered a nice advertising fee to my cell phone company. That's not fair competition.... Courts have gone both ways, but this bill makes it very clear that it can't be done in Alaska.

1:59:41 PM California passed a bill last year that names about a dozen specific tactics that are absolutely abominable - like using one person's computer as part of an attack against another computer. They named a lot of behaviors that are problematic, but he thought it was ultimately ineffective because the outrageous tactics are not the ones that are used by the biggest companies trying to sneak on to users' computers.

2:02:10 PM Utah's governor signed a bill into law on which SB 140 is modeled. He emphasized that constitutional issues need to be looked at. Critics of bills like this might suggest granting extra protection to trademark holders and that would, in turn, be bad for consumers. This would suggest that Hertz has a right to have their site displayed on screen and Budget can't interfere with that. That is giving a windfall to Hertz. He thought it was important to think through who exactly is being harmed and who is being benefited.

It seems to me that users are receiving the brunt of the benefit.... When a user types in Hertz.com, it's quite clear the user wants Hertz. The user does not want 10 different pop up ads for 10 different competitors....

He was surprised at the number of software companies that objected to the state of Utah passing any bill having to do with software. They thought they should be exempt from any government regulation, especially from any state regulation. "That seems entirely wrong to me. People who make products have to comply with laws in all 50 states...."

MR. EDELMAN said that enforcement is difficult especially if the companies are offshore, but the people who are doing the biggest harm are big companies. Gator, a big spyware firm, is talking about going public. Other spyware companies are big firms with lobbyists and lawyers.

These are folks we can get to and to the extent that they have big companies advertising with them, Budget Car Rental or Expedia or you name it, we can get to their advertisers, too. It is not impossible to find these folks....

2:06:36 PM SB 140 has two different ways to identify spyware - one is to ask the user if he is an Alaskan resident and the other is for the computer's IP address to indicate it's an Alaska address.

2:08:26 PM CHAIR BUNDE asked Senator Therriault if he knew of any opposition to this bill from companies in Alaska.

SENATOR THERRIAULT replied that he had not heard of any opposition. He thought the committee might ask for the difference between a cookie and spyware.

CHAIR BUNDE asked if a cookie is a form of spyware.

MR. EDELMAN replied that it isn't a form of spyware. It is a data file that a Website can place on a person's computer so that it can store information, like a password. They do not slow down a computer, make it crash or send your information anywhere else. They don't cause problems. There is no need to talk about cookies in a spyware bill.

SENATOR DAVIS asked what Mr. Edelman thought about this particular bill.

MR. EDELMAN said he thinks it is a strong bill; it makes specific people and entities accountable. It has a clear plan for enforcement - by private parties under existing statutes pertaining to unfair competition and consumer protection. Some legislation in other states places the burden on the state to hire investigators and lawyers to figure out who the spyware purveyors are. The harm is actual and targets a lot of people; it is a grey problem and courts haven't handled it consistently.

CHAIR BUNDE thanked him for his testimony and said SB 140 would be addressed again on Thursday.