Following the money trail behind the flood of spyware and adware on the Internet poses some sticky questions around liability, said a panel of spyware experts at a workshop in New York City Friday.Legal experts, government officials and technology professionals gathered at New York University School of Law to discuss the causes of and solutions to unwanted software programs that track Internet users\u2019 behavior."Revenue sources is the area where I am most excited about and focused on right now. How do these programs make money? Who buys these ads?" said Ben Edelman, a Harvard University Ph.D. student and well-known antispyware advocate. To help illustrate, Edelman showed attendees a Netflix pop-up advertisement at Blockbuster.com. Through HTTP (hypertext transfer protocol) redirects, Edelman traced the unwanted ad from adware company DirectRevenue back to Netflix.Netflix initially paid an advertising affiliate, LinkShare, which then paid another ad company, AzoogleAds.com, which then paid yet another affiliate, MyGeek.com, which paid DirectRevenue, Edelman\u2019s research found."Do we tell NetFlix they can\u2019t advertise with LinkShare, or LinkShare they can\u2019t advertise with Azoogle, or Azoogle they can\u2019t advertise with MyGeek, who advertises with DirectRevenue?" Edelman asked. "I\u2019m not sure where you draw the line, but as a matter of public policy, we\u2019ve got a problem." One panelist suggested that companies advertising online should develop more thorough policies to control where their ads go on the Internet."Advertising and marketing companies are focused on the number of clickthroughs and conversions they get from online ads as a metric of success for their campaigns, but if you\u2019re angering thousands of people in the process, is it worth it?" said Ari Schwartz, deputy director of the Center for Democracy and Technology (CDT), a Washington, D.C.-based nonprofit group, at the workshop. Toward that end, the CDT Monday released a report naming about a dozen companies it says have paid for advertisements that surfaced on the Internet as adware from 180solutions. Eleven of the 18 companies CDT contacted whose ads were displayed by 180solutions never responded, CDT said. Of the seven that responded, two have since developed policies to address the problem. The other five that responded already had policies in place.The CDT earlier this year filed complaints with the U.S. Federal Trade Commission (FTC) charging 180solutions with "duping" users into downloading advertising software.The center\u2019s findings are available\u00a0on its website. CDT plans to share its findings with the\u00a0FTC and state attorneys general working on spyware suits.Netflix, which was named in the CDT report, had taken steps to address problems before the report was released. The company monitors the Web for use of its ads in adware or spyware, has policies in place that forbid affiliates from using its ads in adware or spyware, and has altered and ended affiliate arrangements when problems persist, said Steve Swasey, director of corporate communications with Netflix."Online advertising is a whole new world, and there are some opportunists out there who take advantage of loosely based arrangements. It\u2019s a problem for the whole industry," Swasey said. "We have very open ears and very open minds. If someone comes up with a solution we\u2019re not doing, we will certainly consider it."-Shelley Solheim, IDG News ServiceFor related CSO content, read Scumware Out There.Keep checking in at our CSO Security Feed page for updated news coverage.