Cybereye | 2007: Year of the antispyware law?
- By William Jackson
- May 07, 2007
Spring is once again here, and with it hope springs eternal. A pair of anti-spyware bills have been introduced in the House, and there is a chance this year that at least one of them might actually make it into law.
The House Judiciary Committee last week approved H.R. 1525, the Internet Spyware (I-SPY) Act, a short bill that would outlaw spyware and add prison time for any hacking done in the course of a federal crime.
'This bill is similar to one introduced in the last two Congresses,' said Kevin Richards, federal government relations manager for Symantec Corp. It passed both times but died in the Senate. The problem does not appear to be resistance to the bill, but lack of time as legislation gets backed up at the end of the session. 'The clock ran out on them,' Richards said. By addressing the bill early in the session, it might just make it through this time.
It is a good bill, said Art Wong, Symantec's senior vice president for security response and managed security services. It defines the illegal behavior being proscribed rather than the technology being used. 'It's the behavior that we want to legislate against, not the technology.'
There is another bill, H.R. 964, the Spy Act, before the House Energy and Commerce Committee that is more comprehensive. While I-SPY criminalizes the software being used to surreptitiously gather data and otherwise exploit a computer, the Spy Act lays out and outlaws a broad range of fraudulent activities involving computers. It makes it a crime to use unfair or deceptive acts to deliver unwanted programs or to exploit a computer. It outlaws the use of botnets, bans adware and makes it illegal to tinker with the settings or configuration of a computer. It prohibits phishing and pharming and requires consent of the computer owner before any software gathering personal information can be loaded.
Several concessions to the IT industry have been included in the Spy Act. Consent to allow data gathering only has to be given once. This prevents the harassment of computer users by pop-up permission boxes every time data is gathered and sent by a legitimate program. It also specifically allows tracking of a user through a particular Web site for delivery of ads while within that site. And carriers and service providers are exempted from liability for hosting or transmitting prohibited sites or programs.
Perhaps most significantly, the bill includes a clear definition of spyware and a Good Samaritan provision to protect antispyware vendors. The vendors cannot be held liable for attacking software they have identified as spyware. This is an important point, because purveyors of spyware have in the past attacked antispyware vendors in court for targeting their software. If spyware is in the eye of the beholder, who is to say who is the good guy and who is the bad? This bill would help make that distinction.
The bill also would require the Federal Trade Commission to report on and make recommendations for dealing with cookies and with spyware installed before the law would take effect.
Overall, the Spy Act is a more complete bill, with one exception. It does not include any appropriations for enforcement. FTC is given the authority but not the budget to enforce the laws. I-SPY authorizes the appropriation of $10 million each year from fiscal 2008 through 2011 to the attorney general for enforcement.
There appears to be no conflict between the two bills and there is no reason why both should not be passed. Neither one would by itself stop the problem of spyware or eliminate the need for constant vigilance and improved IT security. But they help define the problems and would provide tools for fighting them.
Passage of either one would be an improvement over the present situation, and passage of both would be even better. Let's hope that the House and Senate can get around to them before the inevitable distractions of the budget and a new election cycle get in the way.
William Jackson is a Maryland-based freelance writer.