Spyware has rapidly advanced from a minor nuisance to a serious problem, meriting the attention of the courts and Congress. In our coverage this week, we report that software vendors, including giants such as Symantec, Yahoo and Google, are fighting among themselves and with small sites such as Hotbar.com and WebSearch.com over what constitutes spyware, adware and their ilk. Meanwhile, consumers are being victimized by spyware, and corporations are being sapped of resources. Both IT managers and consumers are struggling to find answers. Something must be done.
There are worries that any effort to define spyware and enforce laws against it will be futile. Without anti-spyware legislation, however, we would be left with the same old tired solutions: adding more layers of filters, anti-virus and anti-spyware software products to prevent client machines from becoming compromised.
Trying to define spyware would be difficult, but that is not really the issue. There will always be variants of spyware and adware that will let those who are out to steal personal information stay one step ahead of the law. The real issue is the right of computer users, whether individual or corporate, to control what goes on the computers they own.
If lawmakers were to adopt a strict “consent” rule, then the laws could be workable. Exempt would be programs that download updates on behalf of the user, such as Windows Update, Symantecs auto-update feature or any other action that the user approves. But anything that is added or installed without consent or put on a computer on behalf of someone other than the user or owner of the machine would be prohibited.
Legislation introduced by Rep. Mary Bono, R-Calif., and recently passed by the U.S. House of Representatives—the so-called SPY ACT—focuses on this behavioral solution. The bill is similar to another, the so-called SPYBLOCK Act, which is under consideration by the Senate.
A consent standard, such as is included in these bills, would allow for software that mines personal information in order that it be sold to marketing companies—if there is an upfront notification and agreement by the user. Such notifications would have to be obvious and clear to the user before installation.
Further, we believe software programs should not install only on the condition that the user agrees to the terms of the privacy statement. A program should still be able to be installed and should function without the data mining “feature” being installed—unless, that is, thats its only function, in which case the user can reject the program outright.
Screen space and personal information are the gold of the information age, but we have gone too long without a set of rules that spell out users rights. The House and Senate must finish the work they have begun and pass a clear and workable spyware consent law.
What do you think? Tell us at [email protected].