The commissioners from the Federal Trade Commission (FTC) all trekked over to Congress yesterday for an appearance before the Senate Commerce Committee. During the hearing, the commissioners explained what their agency has been up to over the last year and asked for a bigger budget to continue fighting the good fight in the future. And the agency does good work: it continues to pursue spammers, spyware purveyors, and pretexters. Unfortunately, it doesn't pursue many of them.
Testimony from FTC Chairwoman Deborah Platt Majoras revealed that in the last two years, the Commission has taken action against 11 spyware operators. Think about that number for a moment, and then think about the sheer amount of spyware in the wild. Despite the plague of software that continues to annoy grandparents, uncles, parents, and the occasional geek, the FTC has gone after an average of 5.5 spyware operators a year. Fortunately, it has had some notable successes, most recently a $1.5 millionfine against Direct Revenue that will hopefully strike a bit of fear into other US-based adware companies.
But there's no denying that progress has been slow. In questions after the testimony, Arkansas Democrat Mark Pryor told the commissioners that spyware was "a real source of frustration for my family, my constituents, my office." He also questioned whether the FTC's remedies were sufficient, given that the fines paid by companies often seem to be only a small portion of their total revenues. The FTC response illustrated how complicated it can be to pursue these companies. "It's hard to determine what the injury is to each consumer," said Commissioner Jon Leibowitz, who also pointed out how difficult it was to decide how much revenue a company earned from impermissible conduct, and how much from legal conduct.
Majoras also made a pitch for "civil penalty authority," which the FTC currently lacks. The Commission can currently squeeze cash out of businesses by forcing them to pay restitution, but this is often impractical because "consumers suffer injury that is either noneconomic in nature or difficult to quantify," she told senators. The FTC's other remedy is "disgorgement," which requires firms to write a check directly to the US Treasury. Disgorgement is different from a fine, though, because it can only be assessed where firms have profited from unlawful actions. If a firm violated every data protection statute on the books but made no money from doing so, it could not be forced to disgorge revenue, even if thousands of consumers suffered identity theft as a result of its actions.
Civil penalty authority would give the agency much more latitude to lay down the smack on offenders. Bills that would give the FTC this authority and Marty been introduced into Congress but have yet to be passed.
Commissioner William Kovacic also told Congress that the FTC was now partnering with other US agencies and foreign governments in order to put spyware and malware authors in jail, rather than attempt to fine them. "Until we have success as a law enforcement community in placing them in prison," he said. "I don't think we'll ultimately have the deterrent influence we need."
When it comes to spam, progress is similarly slow. The FTC has brought only 89 legal actions against spammers in the last decade, and only eight were filed in 2006. Meanwhile, spam is projected to surge past human-generated messages this year. In the FTC's defense, these cases are difficult to prove and prosecute, and spam often originates beyond US borders (and other agencies, like the Department of Justice, handle the criminal cases). Even given all the caveats, though, eight cases does not inspire confidence that the FTC will be the agency that can slow the rising tide of junk e-mail.