That's the take of Richard Stiennon, vice president of threat research at anti-spyware firm Webroot. Stiennon, who spoke at the Gartner IT Security Summit here today, thinks Congress should do less, rather than more, when it comes to federal anti-spyware bills.
Last month, the U.S. House of Representatives passed two anti-spyware measures. One bill (I-SPY Act) imposes tougher criminal penalties for spyware-related activities.
The other bill (SPY Act) also increases penalties but includes an opt-in, notice and consent regime for legal software -- adware -- that collects personally identifiable information from consumers.
''I'm leaning toward preferring the increase in penalties for bad acting,'' Stiennon told internetnews.com. ''By setting a lot of definitions, you're going to have some of the perpetrators just modifying their behavior to comply with this new law and then start legal activities to get index spyware vendors to stop listing them.''
In particular, Stiennon said, adware companies might be able to say, ''Hey, we comply with this new law, the Federal Trade Commission doesn't have a problem with what we're doing and you shouldn't identify us this way.''
Prominent adware firms such as Claria have in recent months mounted public relations campaigns to distinguish themselves from spyware companies. The purpose of adware is to drive visitors to advertisers' Web sites. Adware writers and distributors redirect browsers and generate pop-up adds.
Adware vendors contend they obtain consent before installing their software. Spyware, on the other hand, distributes pop-up advertising without consent and often in malicious ways.
With or without a new law, Stiennon vowed to continue to list adware vendors in Webroot's quarterly rankings of top threats to network security.