The collective mind of Congress is rapidly turning to the fall elections, but some issues are pressing enough to warrant continued attention, among them spyware.
The growing problem of sneaky information collection programs has enterprises increasingly worried and lawmakers in the House of Representatives determined to pass an anti-spyware bill this summer.
For industry sectors subject to federal data collection laws such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, spyware can be an unwitting avenue to noncompliance.
“I think corporations are really hitting the danger zone,” said Ed English, CEO of InterMute Inc., in Braintree, Mass. “Spam is annoying, but spyware really has a more insidious nature to it. I think you're going to see a trend of more companies locking down PCs tight.”
InterMute is developing an enterprise version of its SpySubtract technology, which will be launched late in the summer, English said. The product will scan a company's network, identify the PCs that have spyware and erase it, he said.
Legislative response
While experts agree that technology will be the primary means of combating spyware, there is a growing consensus that legislation can help.
After undergoing several evolutions, a bill introduced last year by Rep. Mary Bono, R-Calif., would require information collection programs to display a conspicuous notice and obtain the user's consent before installation. Violators could be fined up to $3 million for collecting personal data, diverting browsers or sending some pop-up ads to users without consent.
The measure would also require the ability to disable or remove the program.
Lawmakers are trying to crack down on malicious spyware and simultaneously avoid inadvertently threatening programs that users want, such as automatic anti-virus updates, which is what the IT industry feared Bono's original bill would do. Bono, who has led the anti-spyware effort in Congress, praised the revised provisions as representing a cooperative effort to protect users.
“We are one step closer to restoring safety, confidence and control to consumers when using their own computers,” Bono said.
The industry is continuing to lobby to ensure that any new law does not ensnare programs installed by legitimate businesses that have relationships with users, such as anti-virus protection programs.
Legislating behavior
“The big issue is: Are we regulating technology here, or are we regulating bad behavior?” said Dan Burton, senior vice president of government affairs at Entrust Inc., in Plano, Texas. “The concern of the software industry is that there are lots of [spywarelike] activities that are perfectly legitimate. We have to get to the dark and bloody crossroads where technology and policy meet.”
Developing a definition of illicit spyware technology proved too difficult, so the industry urged lawmakers to focus on illicit behavior instead. The IT industry is also aiming for legislation that will pre-empt state laws, said Steve DelBianco, executive director of the Washington-based NetChoice Coalition, whose members include VeriSign Inc. and Oracle Corp.
“So many of us in industry are livid over what happened in Utah,” DelBianco said, referring to the passage of a Utah anti-spyware law that critics say could have myriad unintended consequences.
Privacy advocates have expressed concern that the notice and consent provisions may not be sufficiently strong, allowing them to be buried in long end-user license agreements and overwhelming users.
“There will be times when consumers get 15 or 16 of these [notices seeking consent] in a row. People are just going to get used to clicking yes,” said Ari Schwarz, associate director of the Center for Democracy and Technology, in Washington. “That doesn't do us much good in the privacy context.”
Supporters and detractors both agree that legislation alone will not eliminate the threat of malicious spyware. Users are already swamped with notices and agreements, and conventional wisdom has it that few read them thoroughly.
“The reality is that most people don't read [end-user agreements] at all,” said Roger Thompson, vice president of product development at PestPatrol Inc., in Carlisle, Pa. “The most encouraging thing is that people are becoming aware that there is a problem.”
Lawmakers are particularly worried about fraudulent and deceptive spyware programs, such as home-page hijacking and keystroke-logging programs, which are already illegal under existing laws.
However, pending legislation lists these programs as crimes, making it easier for the Federal Trade Commission and others to combat them in court.