WASHINGTON -- Anti-spyware legislation took a major step forward Wednesday when the U.S. Senate Commerce Committee approved a bill to outlaw spyware that is loaded on a computer without the user's consent.
The SPYBLOCK (Software Principles Yielding Better Levels of Consumer Knowledge) Act sponsored by Sen. Conrad Burns (R-Mont.) requires that consumers be given clear and conspicuous notice prior to downloading software. The bill said the notice must be displayed on the computer screen until the user either grants or denies consent to installation.
The notice itself must describe the name and general nature of the computer software to be installed and must also include a separate disclosure with respect to the type of information that may be collected through the downloaded software.
The bill would also require that third parties disclose their identity to the consumer along with their street address and a valid return e-mail address as well as specifically revealing their intent to collect and use the consumer's information.
"All around the country unwitting computer users find their computers jammed up with all kinds of software they didn't ask for and didn't even know was there," said Sen. Ron Wyden (D-Ore.), a co-sponsor of the bill.
Wyden said the legislation "establishes the principle that the computer belongs to its owner and is not a free access site to purveyors of this garbage." Sen. George Allen (R-Virg.) added an amendment calling for up to five years in prison if the unauthorized access to a computer is used to further another federal crime such as secretly accessing personal data. Deliberately injuring or defrauding a person or damaging a computer through the unauthorized installation of spyware would carry prison terms of up to two years.
Although Burns and Wyden introduced their bill more than a year ago, as did original House sponsor Mary Bono (R-Calif.), the anti-spyware movement in Congress gained considerable traction only after the Federal Trade Commission (FTC) in April said industry solutions would be preferable to either state or federal legislation.
"I think it is very difficult at this time to draw a line around what is spyware and what is not," Howard Beales, the FTC's director of consumer protection, told the House Subcommittee on Commerce, Trade and Consumer Protection at the time.
House Commerce Committee Chairman Joe Barton (R-Texas) dismissed the FTC's position, calling spyware a "cancer on the Internet" and vowing action this year.
Since April, both the House and Senate versions of the anti-spyware legislation have been redrafted to address FTC and industry concerns that the bills were overly broad and would bring on a series of unintended consequences.
Exceptions to the proposed law now include software pre-installed on computers that include proper disclosure notices; software "reasonably needed" to provide capability for general-purpose online browsing, e-mail and instant messaging; and software updates approved by the user for virus protection.
Consumers often confuse spyware with adware, which is usually a legal and legitimate application. Spyware, without the user's permission, piggybacks on downloaded files, reports Internet traffic patterns back to third parties such as advertisers, and generates unwanted pop-up ads.
Even when consumers delete the downloaded file, spyware often remains and continues to monitor the user's browsing habits. According to a report released last year by the Center for Democracy and Technology, spyware creates privacy problems, opens security holes and can hurt the performance and stability of consumer computer systems.
Two committees in the House of Representatives have already passed similar legislation, and a full floor vote is expected as early as next week. The Senate anticipates a full vote before the end of the month.
If both chambers approve the legislation, anti-spyware measures will join the Can Spam Act as centerpiece consumer technology bills passed by the 108th Congress. President Bush signed the anti-spam bill into law last December.