Another Bad Technology Bill
Earlier this year I came up with a list of the worst technology bills of all time, but it looks like I already need to update it, as a whopper of a bad technology bill is right on the horizon.
In that list, I included the CAN-SPAM Act, which has really lived up to its name, if not its proposed intent. While the CAN-SPAM Act did very little to control the spread of spam (which has actually increased since the bill was passed in 2003), it did serve to legalize many forms of corporate spam ... oops, I mean e-mail marketing.
Now a new bill is quickly tracking its way through Congress and looks to have broad bipartisan support. If passed, the Securely Protect Yourself Against Cyber Trespass Act, aka Spy Act, could do for corporate spyware what CAN-SPAM did for commercial spam.
Come to think of it, this could end up being much worse than CAN-SPAM. You can't deny that spam is annoying and wastes lots of time in dealing with it, but it doesn't cause actual harm. Spyware, on the other hand, can be a big problem, both in its impacts on user privacy and identity protection and in its potential to become a gateway for more serious forms of malware.
What makes this bill even worse is that it is pretty much unnecessary. In testimonies before Congress, both the Federal Trade Commission and the Department of Justice have said that they already have all of the authority they need to go after the worst spyware purveyors.
So what is the point of the Spy Act? First, it lets members of Congress look like they are doing something about a perceived problem. But, most importantly, the bill appears to be designed to provide a safe haven for software and content vendors to use restrictive rights management controls and spyware to control how customers use their products.
The bill includes several wide-reaching exemptions that could make it perfectly legal for a software vendor to include spyware on your systems for the purposes of security, tech support or the prevention of fraudulent activities. That last item is scariest to me, as a broad interpretation would let ISPs or software vendors monitor and record pretty much any information on user systems.
Also, the Spy Act supersedes tougher state laws and completely prevents individual legal actions against spyware vendors, limiting all legal action to the FTC and state attorneys general. As several analysts and writers have already pointed out, if the Spy Act had been law when the notorious Sony rootkit was discovered, Sony would have been largely protected under this law and the state of California would not have been able to take the same legal actions that it did against Sony.
While the potential negative impacts of this bill are scary from a PC-user perspective, they can be equally scary from a corporate IT perspective. As part of an IT organization, you've probably made a big investment against the spread of spyware in your company.
If it becomes legal for vendors to install wide-reaching spyware on your company systems, it could have a big impact on both your corporate privacy and on your ability to secure systems, since a software vendor's spyware will almost certainly be easy for black-hat hackers to subvert for their own uses (as was the case with the Sony rootkit).
Sure, some of these potential negative possibilities of the Spy Act fit in the worst-case-scenario category. But if our experience with technology bills has taught us one thing, it's that there will always be people and companies willing to push a law to its limits to serve their own ends.
Want further proof that the Spy Act will do more to protect spyware and adware than it will to stop it? As the Electronic Frontier Foundation's Fred von Lohmann pointed out in his Deep Links blog, Zango, which is regularly identified by security company Webroot Software as one of the biggest spreaders of adware, came out in recent testimony before Congress in full support of the Spy Act in its current form.
That's pretty much all I need to know. If a company such as Zango thinks this bill is A-OK, then we might as well start referring to it as the Please Spy Act.