Lawmakers Must Forge Right Spyware Weapon
Two anti-spyware bills were passed in the House this week and two more already are in the Senate. What will it take to create one bill that will do the trick?
And even then, the verdict is out on how much change a new law can bring about in an industry beset with hordes of spyware and adware jamming up computers, and prying into personal and financial information.
''The reality is that we'll see some bill come out of the meat grinder here that will have pieces and parts of all of these bills,'' says Ray Everett-Church, a principal with PrivacyClue LLC, a privacy and anti-spam consultancy based in San Jose, Calif. ''What remains to be seen is if the negative effects that consumers are dealing with are remedied in this bill.''
This past Monday, the House passed two different anti-spyware bills.
The other bill passed Monday, the Securely Protect Yourself Against Cyber Trespass Act (SPY Act), also stiffens penalties on the people and companies behind spyware. Analysts, though, say this bill is stronger than the I-SPY Act, calling for opt-in, notice and consent for legal software aimed at collecting personal information.
This bill also specifically prohibits keystroke logging, homepage hijacking, phishing and ads that can't be closed except by shutting down the computer.
Everett-Church says he doesn't have much faith in the I-Spy bill, calling it a 'giant loophole'. The main problem, he explains, is that the bill would outlaw 'intentionally' cause harm to a computer or 'intentionally' gathering personal information. The person or company behind the spyware or adware could simply claim that causing these problems was not their intention.
''Its primary focus is on the intentional crashing or impairment of a computer and the intentional gathering of personally identifying information for use in fraudulent activity,'' says Everett-Church, who also is a columnist for eSecurityPlanet. ''This is fairly redundant in terms of other anti-hacking and privacy protection laws that already exist... Where this really falls down is that a lot of the problems caused by both spyware and adware are the fact that they can slow people's computers and cause incessant pop-up ads, crashing a computer. Is that the intent of the hardware company? It's just a side benefit of the software. As long as they're not intentionally crashing computers and intentionally gathering information to be used in a fraudulent purpose, the bill is not going to do much to harm those businesses.''
The Spy Act contains a laundry list of the problems that spyware can cause, including slowing up or crashing computers, along with information theft.
This bill contains the specifics that would help form good law, according to Everett-Church. ''This really touches on the kinds of problems that people are facing with spyware,'' he adds. ''If this makes it into the final bill, then that will be a good day for consumers.''
Tiffany Jones, regional manager for North America and Latin America government relations at Symantec Corp., a major anti-virus company based in Cupertino, Calif., says legislators will need to sit down on break the four bills down into one. And that definitely will take some conferencing to work out a consensus.
''We see that as a good thing,'' says Jones, who adds that lawmakers should not get bogged down with specific definitions of spyware and adware. ''It signals to us that members are getting much more interested in cyber security policy. I think they've done a good job so far (of understanding), and we have been trying to educate them. It's important to focus more on the behavior around the activities than on the technology itself. Most of the legislature is [focused on] trying to address bad behavior, instead of trying to regulate the technology.''