Lawmakers Must Forge Right Spyware Weapon

With two anti-spyware bills passed in the U.S. House this week and two more already cooling their heels in the Senate, industry observers say they need to be combined into one strong piece of legislation if it's to do users any good.

And even then, the verdict is out on how much change a new law can bring about in an industry beset with hordes of spyware and adware jamming up computers, and prying into personal and financial information.

''The reality is that we'll see some bill come out of the meat grinder here that will have pieces and parts of all of these bills,'' says Ray Everett-Church, a principal with PrivacyClue LLC, a privacy and anti-spam consultancy based in San Jose, Calif. ''What remains to be seen is if the negative effects that consumers are dealing with are remedied in this bill.''

This past Monday, the House passed two different anti-spyware bills.

Under the Internet Spyware (I-SPY) Prevention Act of 2005, stronger criminal penalties would be imposed. Prison terms could be handed out for intentionally gaining access to a computer and planting unwanted software without the user's authorization.

The other bill passed Monday, the Securely Protect Yourself Against Cyber Trespass Act (SPY Act), also stiffens penalties on the people and companies behind spyware. Analysts, though, say this bill is stronger than the I-SPY Act, calling for opt-in, notice and consent for legal software aimed at collecting personal information.

This bill also specifically prohibits keystroke logging, homepage hijacking, phishing and ads that can't be closed except by shutting down the computer.

Everett-Church says he doesn't have much faith in the I-SPY bill, calling it a 'giant loophole'. The main problem, he explains, is that the bill would outlaw 'intentionally' causing harm to a computer or 'intentionally' gathering personal information. The person or company behind the spyware or adware could simply claim that causing these problems was not their intention.

''Its primary focus is on the intentional crashing or impairment of a computer and the intentional gathering of personally identifying information for use in fraudulent activity,'' says Everett-Church, who also is a columnist for eSecurityPlanet. ''This is fairly redundant in terms of other anti-hacking and privacy protection laws that already exist... Where this really falls down is that a lot of the problems caused by both spyware and adware are the fact that they can slow people's computers and cause incessant pop-up ads, crashing a computer. Is that the intent of the hardware company? It's just a side benefit of the software. As long as they're not intentionally crashing computers and intentionally gathering information to be used in a fraudulent purpose, the bill is not going to do much to harm those businesses.''

The SPY Act contains a laundry list of the problems that spyware can cause, including slowing up or crashing computers, along with information theft.

This bill contains the specifics that would help form good law, according to Everett-Church. ''This really touches on the kinds of problems that people are facing with spyware,'' he adds. ''If this makes it into the final bill, then that will be a good day for consumers.''

Tiffany Jones, regional manager for North America and Latin America government relations at Symantec Corp., a major anti-virus company based in Cupertino, Calif., says legislators will need to sit down and break the four bills down into one. And that definitely will take some conferencing to work out a consensus.

''We see that as a good thing,'' says Jones, who adds that lawmakers should not get bogged down with specific definitions of spyware and adware. ''It signals to us that members are getting much more interested in cyber security policy. I think they've done a good job so far (of understanding), and we have been trying to educate them. It's important to focus more on the behavior around the activities than on the technology itself. Most of the legislature is [focused on] trying to address bad behavior, instead of trying to regulate the technology.''

However, Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus company based in Reston, Va., says there's a good chance that lawmakers will get entangled in definitions and lose their way to writing strong, beneficial law.

''It's likely that it will have minimal success as these things are difficult to define,'' says Dunham. ''What is spyware? What is adware? Those questions will be difficult to answer and hold up in court.

''Say a bunch of silent installations are taking place -- all very malicious and clearly hostile,'' Dunham adds. ''But the software they're installing is not necessarily illegal. How do you prove that the end user did not agree to have this software installed? Good luck trying to prosecute that.''

Dunham also notes that a good percentage of spyware and adware are coming from overseas, where U.S. law has no sway over the people behind it.

Some industry watchers, however, say the biggest challenge to writing a strong anti-spyware law may come from industry itself.

''I'm very concerned that Congress will succumb to the word games that adware companies are playing,'' says Everett-Church. ''They are trying to define what they do as being different than the bad spyware people. Yet, compare adware and spyware and you'll find very few differences in terms of how it gets on people's machines, how hard it is to get off those machines, and how people are deceived. [The adware industry] is trying to buy some legitimacy through political access.

''If they're successful in watering down a spyware bill, then the fear is that it will be just as ineffective as the CAN-Spam Act has been, and that has been a dismal failure.''