Saturday, September 18, 2021

Lawmakers Must Forge Right Spyware Weapon

With two anti-spyware bills passed in the U.S. House this week and two more already cooling their heels in the Senate, industry observers say they need to be combined into one strong piece of legislation if it’s to do users any good.

And even then, the verdict is out on how much change a new law can bring about in an industry beset with hordes of spyware and adware jamming up computers, and prying into personal and financial information.

“The reality is that we’ll see some bill come out of the meat grinder here that will have pieces and parts of all of these bills,” says Ray Everett-Church, a principal with PrivacyClue LLC, a privacy and anti-spam consultancy based in San Jose, Calif. “What remains to be seen is if the negative effects that consumers are dealing with are remedied in this bill.”

This past Monday, the House passed two different anti-spyware bills. Under the Internet Spyware (I-SPY) Prevention Act of 2005, stronger criminal penalties would be imposed. Prison terms could be handed out for intentionally gaining access to a computer and planting unwanted software without the user’s authorization.

The other bill passed Monday, the Securely Protect Yourself Against Cyber Trespass Act (SPY Act), also stiffens penalties on the people and companies behind spyware. Analysts, though, say this bill is stronger than the I-SPY Act, calling for opt-in, notice and consent for legal software aimed at collecting personal information.

This bill also specifically prohibits keystroke logging, homepage hijacking, phishing and ads that can’t be closed except by shutting down the computer.

Everett-Church says he doesn’t have much faith in the I-SPY bill, calling it a ‘giant loophole’. The main problem, he explains, is that the bill would outlaw ‘intentionally’ causing harm to a computer or ‘intentionally’ gathering personal information. The person or company behind the spyware or adware could simply claim that causing these problems was not their intention.

“Its primary focus is on the intentional crashing or impairment of a computer and the intentional gathering of personally identifying information for use in fraudulent activity,” says Everett-Church, who also is a columnist for eSecurityPlanet. “This is fairly redundant in terms of other anti-hacking and privacy protection laws that already exist… Where this really falls down is that a lot of the problems caused by both spyware and adware are the fact that they can slow people’s computers and cause incessant pop-up ads, crashing a computer. Is that the intent of the hardware company? It’s just a side benefit of the software. As long as they’re not intentionally crashing computers and intentionally gathering information to be used in a fraudulent purpose, the bill is not going to do much to harm those businesses.”

The SPY Act contains a laundry list of the problems that spyware can cause, including slowing up or crashing computers, along with information theft.

This bill contains the specifics that would help form good law, according to Everett-Church. “This really touches on the kinds of problems that people are facing with spyware,” he adds. “If this makes it into the final bill, then that will be a good day for consumers.”

Tiffany Jones, regional manager for North America and Latin America government relations at Symantec Corp., a major anti-virus company based in Cupertino, Calif., says legislators will need to sit down and break the four bills down into one. And that definitely will take some conferencing to work out a consensus.

“We see that as a good thing,” says Jones, who adds that lawmakers should not get bogged down with specific definitions of spyware and adware. “It signals to us that members are getting much more interested in cyber security policy. I think they’ve done a good job so far (of understanding), and we have been trying to educate them. It’s important to focus more on the behavior around the activities than on the technology itself. Most of the legislature is [focused on] trying to address bad behavior, instead of trying to regulate the technology.”

However, Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus company based in Reston, Va., says there’s a good chance that lawmakers will get entangled in definitions and lose their way to writing strong, beneficial law.

“It’s likely that it will have minimal success as these things are difficult to define,” says Dunham. “What is spyware? What is adware? Those questions will be difficult to answer and hold up in court.

“Say a bunch of silent installations are taking place — all very malicious and clearly hostile,” Dunham adds. “But the software they’re installing is not necessarily illegal. How do you prove that the end user did not agree to have this software installed? Good luck trying to prosecute that.”

Dunham also notes that a good percentage of spyware and adware is coming from overseas, where U.S. law has no sway over the people behind it.

Some industry watchers, however, say the biggest challenge to writing a strong anti-spyware law may come from industry itself.

“I’m very concerned that Congress will succumb to the word games that adware companies are playing,” says Everett-Church. “They are trying to define what they do as being different than the bad spyware people. Yet, compare adware and spyware and you’ll find very few differences in terms of how it gets on people’s machines, how hard it is to get off those machines, and how people are deceived. [The adware industry] is trying to buy some legitimacy through political access.

“If they’re successful in watering down a spyware bill, then the fear is that it will be just as ineffective as the CAN-Spam Act has been, and that has been a dismal failure.”
