Spyware versus spyware on the Hill
- By William Jackson
- Sep 09, 2004
Free software downloaded from the Internet frequently carries spyware, which most users regard as at least a nuisance if not an invasion of privacy.
A House committee's recent approval of anti-spyware legislation has put the fear of government regulation into software vendors' hearts.
'We believe it will generate a blizzard of legally mandated pop-up notices that only a lawyer would love,' said Harris N. Miller, president of the Information Technology Association of America, in a letter to the House Energy and Commerce Committee.
He predicted HR 2929, if enacted, would set up an unnecessary regulatory regime for online software distribution.
HR 2929, introduced by Rep. Mary Bono (R-Calif.) nearly a year ago, directs the Federal Trade Commission to mandate express user consent before spyware can be transmitted over the Internet and installed.
Software vendors agree that spyware is bad, but they define the term narrowly. Stealing a credit card number is a crime, they say. Delivering a pop-up ad is just business.What is it?
A spyware program gathers information about the host computer's activity and sends it to a third party, often without the user's knowledge. It also might harvest personal information and deliver pop-up ads to the screen. Free software downloaded from the Internet frequently carries spyware, which most users regard as at least a nuisance if not an invasion of privacy.
Keystroke loggers that can steal personal information are obviously spyware. Other forms are less easy to define.
'Many good uses of similar technologies could be considered spyware by some definitions,' Miller said, for example, software that automatically updates, renews or monitors programs on a user's computer.
The Competitive Enterprise Institute of Washington also weighed in, saying the bill lacks 'the laser precision necessary to prohibit only the bad forms of spyware.'
There is a difference between software that legitimately tracks user activity and 'spyware that tracks activity for purposes of stealing private information,' said Braden Cox, the institute's technology counsel.
But that distinction is lost on many.
'It's a problem,' said Roger Thompson, vice president of product development for PestPatrol Inc. of Carlisle, Pa., which produces anti-spyware products. Regardless of why data is gathered, it usually happens without the user's knowledge.
'You don't realize how many of these things you are getting when you install software,' Thompson said. 'That's an area where legislation could help.'
Bono's bill requires consent to install spyware and a clear notification when such consent is part of a license for other software. It also prohibits gathering personally identifiable information without the user's knowledge.
Her bill defines spyware as any program that can gather and transmit information about the host computer without user initiation. It calls for FTC to distinguish spyware from legitimate software that communicates for purposes such as supporting network connections.
A Senate bill introduced by Conrad R. Burns (R-Mont.) is more detailed. The Software Principles Yielding Better Levels of Consumer Knowledge Act, also known as the Spy Block Act (S 2145), would outlaw all surreptitious installation of software except cookies and require uninstall procedures for approved software. It also would make it illegal to mislead a user about what the software is doing and who benefits.
The Senate bill would require the user to separately approve each software feature, including type of information gathered, ads delivered, setting changes and messages sent out by the host.
The primary enforcer of the Senate bill would be the FTC, although other regulatory agencies could also enforce it and states could file civil actions. The Spy Block Act is awaiting action by the Senate Commerce, Science and Transportation Subcommittee on Communications.
Thompson, who makes a living from anti-spyware products, said no law would completely eliminate the problem.
'I don't think legislation is enough,' he said. 'I'd be happy if it were, because then
I could go off and write gameware. But I think legislation is headed in the right direction. It is probably needed.'
William Jackson is a Maryland-based freelance writer.