Sidebar: Legislating Away Spyware

News Story by Robert L. Mitchell

MAY 03, 2004 (COMPUTERWORLD) - The dubious practices used by some distributors of spyware to get users to install their programs have created an uproar among consumers. "The deceptive and unfair practices are clearly illegal," says Ari Schwartz, associate director at the Center for Democracy and Technology in Washington, who recently completed a report on the subject. He cites misleading dialog boxes that trick users into authorizing downloads of spyware programs and enterprise license agreements for freeware that bury information on accompanying spyware far down in the text.

Rising consumer anger over the matter has reached Washington, where, predictably, lawmakers are responding by introducing new legislation. The latest response came on March 15, when Sens. Barbara Boxer (D-Calif.), Ron Wyden (D-Ore.) and Conrad Burns (R-Mont.) introduced the SPYBLOCK (Software Principles Yielding Better Levels of Consumer Knowledge) Act. According to a press release from Boxer, this act would "prohibit spyware, adware, and other invasive software from being secretly installed on Americans' computers," and would leave enforcement to the Federal Trade Commission and states' attorneys general.

The Safeguard Against Privacy Invasions Act, introduced by Rep. Mary Bono (D-Calif.) last summer, is intended "to protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes." It also grants the FTC authority to regulate spyware programs.

In late April, congressional hearings on the spyware issue further raised the issue’s visibility with the public.

Meanwhile, states are busy creating their own legislation. Utah's recently enacted Spyware Control Act, H.B. 323, attempts to ban installation of spyware under some circumstances and requires all spyware to include a removal option.

But will attempts to legislate away the spyware problem be any more effective than previous attempts to regulate e-mail spam? Security professionals remain doubtful. "More legislation is not the answer. We have already seen how the CAN-SPAM Act in reality legalized spam instead of even denting the flow of spam," says Thor Larholm, senior security researcher at PivX Solutions LLC in Newport Beach, Calif. "I would much rather prefer that the government enforce the laws that already prohibit hacking."

For a list of recent legislation on spyware, or to see the Center for Democracy and Technology's report, "Ghosts in Our Machines: Background and Policy Proposals on the 'Spyware' Problem," visit the CDT's Web site at www.cdt.org/privacy/spyware/. For information on U.S. House and Senate bills, visit the Thomas Web site.