Lawmakers Must Forge Right Spyware Weapon

With two anti-spyware bills passed in the U.S. House this week and two more already cooling their heels in the Senate, industry observers say they need to be combined into one strong piece of legislation if it's to do users any good.

And even then, the verdict is out on how much change a new law can bring about in an industry beset with hordes of spyware and adware jamming up computers, and prying into personal and financial information.

''The reality is that we'll see some bill come out of the meat grinder here that will have pieces and parts of all of these bills,'' says Ray Everett-Church, a principal with PrivacyClue LLC, a privacy and anti-spam consultancy based in San Jose, Calif. ''What remains to be seen is if the negative effects that consumers are dealing with are remedied in this bill.''

This past Monday, the House passed two different anti-spyware bills.

Under the Internet Spyware (I-SPY) Prevention Act of 2005, stronger criminal penalties would be imposed. Prison terms could be handed out for intentionally gaining access to a computer and planting unwanted software without the user's authorization.

The other bill passed Monday, the Securely Protect Yourself Against Cyber Trespass Act (SPY Act), also stiffens penalties on the people and companies behind spyware. Analysts, though, say this bill is stronger than the I-SPY Act, calling for opt-in, notice and consent for legal software aimed at collecting personal information.

This bill also specifically prohibits keystroke logging, homepage hijacking, phishing and ads that can't be closed except by shutting down the computer.

Everett-Church says he doesn't have much faith in the I-SPY bill, calling it a 'giant loophole'. The main problem, he explains, is that the bill would outlaw 'intentionally' causing harm to a computer or 'intentionally' gathering personal information. The person or company behind the spyware or adware could simply claim that causing these problems was not their intention.

''Its primary focus is on the intentional crashing or impairment of a computer and the intentional gathering of personally identifying information for use in fraudulent activity,'' says Everett-Church, who also is a columnist for eSecurityPlanet. ''This is fairly redundant in terms of other anti-hacking and privacy protection laws that already exist... Where this really falls down is that a lot of the problems caused by both spyware and adware are the fact that they can slow people's computers and cause incessant pop-up ads, crashing a computer. Is that the intent of the hardware company? It's just a side benefit of the software. As long as they're not intentionally crashing computers and intentionally gathering information to be used in a fraudulent purpose, the bill is not going to do much to harm those businesses.''

The SPY Act contains a laundry list of the problems that spyware can cause, including slowing down or crashing computers, along with information theft.

This bill contains the specifics that would help form good law, according to Everett-Church. ''This really touches on the kinds of problems that people are facing with spyware,'' he adds. ''If this makes it into the final bill, then that will be a good day for consumers.''

Tiffany Jones, regional manager for North America and Latin America government relations at Symantec Corp., a major anti-virus company based in Cupertino, Calif., says legislators will need to sit down and break the four bills down into one. And that definitely will take some conferencing to work out a consensus.

''We see that as a good thing,'' says Jones, who adds that lawmakers should not get bogged down with specific definitions of spyware and adware. ''It signals to us that members are getting much more interested in cyber security policy. I think they've done a good job so far (of understanding), and we have been trying to educate them. It's important to focus more on the behavior around the activities than on the technology itself. Most of the legislature is [focused on] trying to address bad behavior, instead of trying to regulate the technology.''

However, Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus company based in Reston, Va., says there's a good chance that lawmakers will get entangled in definitions and lose their way to writing strong, beneficial law.

''It's likely that it will have minimal success as these things are difficult to define,'' says Dunham. ''What is spyware? What is adware? Those questions will be difficult to answer and hold up in court.

''Say a bunch of silent installations are taking place -- all very malicious and clearly hostile,'' Dunham adds. ''But the software they're installing is not necessarily illegal. How do you prove that the end user did not agree to have this software installed? Good luck trying to prosecute that.''

Dunham also notes that a good percentage of spyware and adware comes from overseas, where U.S. law has no sway over the people behind it.

Some industry watchers, however, say the biggest challenge to writing a strong anti-spyware law may come from industry itself.

''I'm very concerned that Congress will succumb to the word games that adware companies are playing,'' says Everett-Church. ''They are trying to define what they do as being different than the bad spyware people. Yet, compare adware and spyware and you'll find very few differences in terms of how it gets on people's machines, how hard it is to get off those machines, and how people are deceived. [The adware industry] is trying to buy some legitimacy through political access.

''If they're successful in watering down a spyware bill, then the fear is that it will be just as ineffective as the CAN-SPAM Act has been, and that has been a dismal failure.''
