more already cooling their heels in the Senate, industry observers say
they need to be combined into one strong piece of legislation if it’s to
do users any good.
And even then, the verdict is out on how much change a new law can bring
about in an industry beset with hordes of spyware and adware jamming up
computers, and prying into personal and financial information.
“The reality is that we’ll see some bill come out of the meat grinder
here that will have pieces and parts of all of these bills,” says Ray
Everett-Church, a principal with PrivacyClue LLC, a privacy and anti-spam
consultancy based in San Jose, Calif. “What remains to be seen is if the
negative effects that consumers are dealing with are remedied in this
bill.”
This past Monday, the House passed two different anti-spyware bills.
Under the Internet Spyware (I-SPY) Prevention Act of 2005, stronger
criminal penalties would be imposed. Prison terms could be handed out for
intentionally gaining access to a computer and planting unwanted software
without the user’s authorization.
The other bill passed Monday, the Securely Protect Yourself Against Cyber
Trespass Act (SPY Act), also stiffens penalties on the people and
companies behind spyware. Analysts, though, say this bill is stronger
than the I-SPY Act, calling for opt-in, notice and consent for legal
software aimed at collecting personal information.
This bill also specifically prohibits keystroke logging, homepage
hijacking, phishing and ads that can’t be closed except by shutting down
the computer.
Everett-Church says he doesn’t have much faith in the I-SPY bill, calling
it a ‘giant loophole’. The main problem, he explains, is that the bill
would outlaw ‘intentionally’ causing harm to a computer or ‘intentionally’
gathering personal information. The person or company behind the spyware
or adware could simply claim that causing these problems was not their
intention.
“Its primary focus is on the intentional crashing or impairment of a
computer and the intentional gathering of personally identifying
information for use in fraudulent activity,” says Everett-Church, who
also is a columnist for eSecurityPlanet. “This is fairly
redundant in terms of other anti-hacking and privacy protection laws that
already exist… Where this really falls down is that a lot of the
problems caused by both spyware and adware are the fact that they can
slow people’s computers and cause incessant pop-up ads, crashing a
computer. Is that the intent of the hardware company? It’s just a side
benefit of the software. As long as they’re not intentionally crashing
computers and intentionally gathering information to be used in a
fraudulent purpose, the bill is not going to do much to harm those
businesses.”
The SPY Act contains a laundry list of the problems that spyware can
cause, including slowing up or crashing computers, along with information
theft.
This bill contains the specifics that would help form good law, according
to Everett-Church. “This really touches on the kinds of problems that
people are facing with spyware,” he adds. “If this makes it into the
final bill, then that will be a good day for consumers.”
Tiffany Jones, regional manager for North America and Latin America
government relations at Symantec Corp., a major anti-virus company based
in Cupertino, Calif., says legislators will need to sit down and break the
four bills down into one. And that definitely will take some conferencing
to work out a consensus.
“We see that as a good thing,” says Jones, who adds that lawmakers
should not get bogged down with specific definitions of spyware and
adware. “It signals to us that members are getting much more interested
in cyber security policy. I think they’ve done a good job so far (of
understanding), and we have been trying to educate them. It’s important
to focus more on the behavior around the activities than on the
technology itself. Most of the legislature is [focused on] trying to
address bad behavior, instead of trying to regulate the technology.”
However, Ken Dunham, director of malicious code at iDefense, Inc., a
security and anti-virus company based in Reston, Va., says there’s a good
chance that lawmakers will get entangled in definitions and lose their
way to writing strong, beneficial law.
“It’s likely that it will have minimal success as these things are
difficult to define,” says Dunham. “What is spyware? What is adware?
Those questions will be difficult to answer and hold up in court.
“Say a bunch of silent installations are taking place — all very
malicious and clearly hostile,” Dunham adds. “But the software they’re
installing is not necessarily illegal. How do you prove that the end user
did not agree to have this software installed? Good luck trying to
prosecute that.”
Dunham also notes that a good percentage of spyware and adware are coming
from overseas, where U.S. law has no sway over the people behind it.
Some industry watchers, however, say the biggest challenge to writing a
strong anti-spyware law may come from industry itself.
“I’m very concerned that Congress will succumb to the word games that
adware companies are playing,” says Everett-Church. “They are trying to
define what they do as being different than the bad spyware people. Yet,
compare adware and spyware and you’ll find very few differences in terms
of how it gets on people’s machines, how hard it is to get off those
machines, and how people are deceived. [The adware industry] is trying to
buy some legitimacy through political access.
“If they’re successful in watering down a spyware bill, then the fear is
that it will be just as ineffective as the CAN-Spam Act has been, and
that has been a dismal failure.”