Spyware Hearing before the Senate Committee on Commerce, Science and Transportation: Webroot Testimony
Testimony Submitted by C. David Moll, Chief Executive Officer, Webroot Software, Inc.
May 11, 2005 -- Chairman Stevens, Senator Inouye, and Committee Members, thank you for inviting me to speak to you today. My name is David Moll and I am CEO of Webroot Software, headquartered in Boulder, Colorado. Webroot is a privately held company that is backed by some of the industry's leading venture capital firms, including Technology Crossover Ventures, Accel Partners and Mayfield.
Founded in 1997, Webroot has created innovative privacy, protection and performance solutions used by millions of computer users around the world. Our customers include Fortune 500 companies, Internet service providers, government agencies, higher education institutions, small businesses and individuals.
In 2002, our research team, which consisted of just two people, saw a growing pattern of undisclosed downloads that caused numerous problems for computer users. We joined a small band of early activists that began calling these kinds of programs spyware. We introduced a product called Spy Sweeper in February of 2003 to help our customers fight this newly identified problem. When first introduced, Spy Sweeper found around 200 various programs, and easily removed them all.
We have been running at breakneck speed to stay a step ahead of spyware ever since. Today, we are a company of 250 professionals focused on combating this problem. Our research team has grown to over 30 people, a good number of whom develop and maintain the automated tools we use to outpace the developments in spyware. Spy Sweeper, has also changed to adopt new weaponry to combat spyware that is increasingly hard to identify, and at times even harder to remove. This week we will introduce Spy Sweeper 4.0, our latest edition, with more than one-half million lines of software code. This our 14th major release of the product in a little more than two years.
THE EFFECTS OF SPYWARE
Spyware and its ability to access a user's machine without informed consent for financial gain is an epidemic that threatens the viability of the Internet as a commerce, entertainment, communications and educational tool. Spyware programs can be used to facilitate the unauthorized use of computers for things like spam relay, and distributed denial of service attacks. Spyware programs can also lead to identity theft, and the theft of intellectual property, as well as data leaks, and the degradation of computer performance. Spyware is difficult to detect, and even more difficult (if not impossible) for the average user to completely remove manually.
At a high level, there are four primary ways that spyware presents a threat: data security; online privacy; network and computer performance; and Internet commerce broadly.
Data Security - Whereas a primary risk of computer viruses is data corruption, spyware poses very real threats to data security. Some of the most at risk data includes:
* national security including defense and homeland security;
* intellectual property and trade secrets;
* financial records;
* customer data;
* personal health information; and,
* other sensitive data such as passwords and account numbers.
Working with government entities and corporate customers over the past year, we have witnessed breaches involving each of these sensitive kinds of data. There are cases where spyware was used to infiltrate local law enforcement computers, trading and financial systems at financial institutions, payroll systems at Fortune 500 corporations, central databases for school systems, and entire municipal computer operations.
In these kinds of environments, even a very small number of system monitors or keyloggers puts highly-sensitive information at risk.
Privacy - When placed on a machine without the informed consent of the computer owner, spyware is the cyber-age equivalent of someone trespassing into your home. Some of the types of information collected by spyware programs without the knowledge of the computer owner are:
* browsing habits and sites visited;
* search terms used;
* advertisements clicked on;
* bookmarks and favorites;
* downloaded content;
* applications used;
* email and instant message conversations;
* usernames and passwords; and
* personal information, such as social security numbers.
While few argue about the sanctity of personally identifiable information, we often hear the argument that collecting aggregated browser habits to provide more targeted advertising is not a privacy invasion. We disagree. In our view, it is wrong to download programs or data files without the informed consent of the computer owner for marketing purposes. Such marketing behavior begins the slippery slope of reasoning that leads to more egregious privacy violations by malicious spyware. Think about this in the offline environment. Would it be ok for a marketing firm to go into your home without your knowledge to look at the books on your shelves to decide what to market to you? Would it be ok if they did it to everyone and aggregated the data?
Computer and Network Performance - Spyware can seriously impact computer and network performance. At a minimum, it is an undesirable nuisance to have your computing resources used by programs you didn't install, and do not want. There is also a larger economic impact in terms of the number of support center calls caused by spyware. According to Dell Computer, one of every five customer support calls are related to spyware, adversely affecting the profitability of their consumer business.
In corporate environments, where many computers are centrally supported and managed, spyware can drive up the total cost of ownership in the IT system; a leading IT services firm estimates that spyware costs them millions annually in productivity and support costs, and constitutes as much as 70 percent of their internal help desk call volume.
In the worst cases, systems can crash from an overload of spyware programs, resulting in the loss of data and computer assets. This part of the spyware threat is too often overlooked or under estimated, yet productivity costs associated with spyware are far greater than spam.
Internet commerce - At a macro level, spyware also presents a threat to Internet commerce as a whole. The increasing complexity and security concerns that arise from spyware, and the new uses of spyware, such as phishing and pharming attacks, have created a new level of user concern.
Based on our recent research, there are more than 250,000 Web pages that leverage a weakness we call an "exploit" which allows them to contaminate a user's computer with some form of spyware even when there is no interaction from the user - a practice known as a drive-by download. Quite often these sites hosting drive-by downloads operate using URLs that are commonly misspelled or mistyped alternatives to the URLs of popular sites. For example, just last week, Internet users planning to visit Google's site who inadvertently mistyped and entered www.googkle.com became the unwitting victims of drive-by downloads.
In the consumer world, spyware represents the same potential for fraud that internal spyware infections represent to corporations. For example a leading financial institution working with Webroot determined than 100 percent of the e-commerce fraud experienced by the bank in the past quarter was tied to spyware on end user machines. Spyware, keystroke loggers in particular, that can be installed from drive-by sites or via emails, have become new methods to those harvesting identities and defrauding consumers via the Internet.
As more people become aware of these numbers and understand the threat of spyware, we are concerned about an overall negative effect on consumer trust in the online economy.
THE GROWTH OF SPYWARE
Spyware has become pervasive. Webroot's survey of more than one million PCs in the last quarter reveals that 88 percent of home computers (64 percent if we exclude tracking cookies) and 87 percent of business computers (55 percent if we exclude tracking cookies) are infected with some form of spyware. The good news is that awareness is increasing, and more people are installing programs, like Webroot's Spy Sweeper, to prevent and contain spyware from impacting their system. The bad news is that the spyware purveyors are financially motivated, creative and resourceful. Therefore, we face a constant escalation in the amount of spyware we have to fight.
To give you an idea about the growth rate of spyware, Webroot identifies between 50 and 100 new pieces of spyware every week, and between 200 to 500 pieces of spyware that have "morphed" to avoid detection and removal. With the help of a spyware research system we call Phileas, which I will explain further later, Spy Sweeper currently detects about 88,000 spyware traces - individual files which make up a piece of spyware.
Understanding the growth of spyware requires more than just data about infection rates. It also requires that we understand the impetus behind propagating these programs. Spyware is not like a virus designed by a "script kiddie" who just wants to show off. Spyware is part of a calculated business plan, or a tool used by criminals. In both instances there are clear economic motives behind the proliferation of spyware.
In order to effectively fight this problem, it is essential that we have a clear picture of economic drivers, infection rates and trends. Recognizing this need, Webroot began work earlier this year to create a report that would encapsulate all of the key aspects of the issue. The result is the Webroot State of Spyware report which we issued this past week. This is a broad and detailed accounting of spyware today. We continue to compile this data, and we will issue updates to our report quarterly.
To ensure that you have all the information we assembled, I'd like to ask that a copy of the report be included in the hearing record as an appendix to my testimony.
FIGHTING SPYWARE
Until recently, the primary methods for fighting spyware were reactive. Anti-spyware companies concentrated on fixing an already infected machine. That alone presents a significant challenge, because in order for us to do our job correctly, we need to not only detect and quarantine the spyware programs, but we also need to ensure that we do not interfere with any legitimate files in the process.
Once we mastered the techniques to accomplish these two things, we worked to figure out a method that would not only cure spyware infections but also prevent them. Last year, we launched the Webroot Phileas Malware Crawler that I referenced earlier. Phileas is the anti-spyware industry's first automated spyware research system. Phileas deploys hundreds of automated programs -- called bots -- to crawl the Web searching for spyware. In less than an hour, a single Phileas bot completes the equivalent of 10 days of manual research by a trained person. With the speed and scale of the Phileas system, we travel the Internet every day to find spyware before it attacks our customers. We complement systems like Phileas with "shields" built into the Spy Sweeper software which protect users' systems from the common behaviors of spyware, stopping the threat before it can take hold of a system.
Ultimately, we believe that it is best to fight technology with technology, and we remain committed to continuing to provide the very best commercially available technology solutions to fighting spyware. However, we also believe that there is a vital role for legislators, regulatory agencies and law enforcement to play in this fight.
As I stated earlier, there are economic motivations behind the growth of spyware. Some of the companies involved in the proliferation are considered legitimate U.S. based companies. The complaint filed by the FTC against Seismic, and the NY Attorney General's case against Intermix, demonstrate that there are cases that can be pursued under current law in U.S. Courts. We encourage enforcement agencies and Attorneys General to deploy additional resources to join the fight against spyware. Companies need to understand that there will be costs associated with operating in ways that deceive and defraud consumers.
In addition to existing law, we at Webroot also anticipate benefits from legislation such as Senator Burns' bill, S. 687. The bill provides additional clarity and focus to the problems we are seeing, and I hope it will induce additional attention from enforcement agencies.
CONCLUSION
Again I thank you for inviting me here today. Spyware is something we have spent innumerable hours on over the last two years, and I appreciate the opportunity to come and share with you some of what we have learned. I welcome any questions you have for me.
I would also like to offer our assistance to all the Members of the Committee. If, after today's hearing, any of you have additional questions we can answer or need information we can provide, please do not hesitate to contact us. Based on our attention to this problem, and our unique research capability, we are in a unique position to offer assistance, and welcome the opportunity to help in the formation of policy.
[ Comment, Edit or Article Submission ]
