RealTime IT News

I-SPY a Green Light in The House

The annual U.S. House clash between competing anti-spyware bills moved into its third congressional session today with the House Judiciary Committee approving the Internet Spyware (I-SPY) Prevention Act of 2007.

The bill would impose prison terms of up to five years for placing unauthorized code on a computer that would reveal personal information about a user or impairs a computer's normal security software. The legislation would also give the Department of Justice $10 million annually to fund spyware investigations and prosecutions.

"This is a very good bill. It cracks down on bad offenders who misuse software while allowing continued innovation on the Internet," bill co-sponsor Bob Goodlatte (R-Va.) said.

The I-SPY Act (H.R. 1525) was introduced in both the 108th and 109th Congresses, where it passed in the House, but the Senate failed to act on the legislation. The vote also comes less than a month after a House Energy and Commerce subcommittee approved the Securely Protect Yourself Against Cyber Trespass Act (SPY Act).

As with the I-SPY Act, the House has twice approved the SPY Act (H.R. 964) only to see it fail in the Senate. In both cases, opposition from the advertising industry halted the legislation in the Senate.

The primary difference between the two bills is the I-SPY Act attacks spyware in a generic fashion while the SPY Act specifically requires an opt-in, notice and consent regime for legal software -- often known as adware or spyware -- that collects personally identifiable information from consumers.

The SPY Act would also prohibit surreptitious keystroke logging, browser hijacking and the unauthorized removal or disabling of security software installed on a computer. Violators would face civil penalties of up to $3 million per violation.

"The central feature of the [I-SPY Act] is that it targets bad actors and bad behavior without unduly restricting innovation in the online universe," bill co-sponsor Rep. Zoe Lofgren (D-Calif.) said at a Tuesday subcommittee markup of the legislation.

Lofgren said one of the greatest challenges to drafting anti-spyware legislation is that many legal programs are almost indistinguishable from spyware.

"An Internet 'cookie' can be used to store detailed information about a user's preferences when visiting a much-frequented Web site," Lofgren said. "But the same technology can be used by identity thieves to track and store personal and financial information. The appropriate legislative target is not the cookie itself, but the criminals who use it for illegal purposes."

Lofgren said the notice-and-consent regime mandated by the SPY Act is flawed because violators are likely to ignore the law.

"As we learned with the CAN-SPAM Act, legislatively mandating a certain approach is a far cry from ensuring that others comply with it," Lofgren said. "Thus, legitimate uses of technology will be burdened by notice-and-consent requirements while bad actors will most likely ignore them."

Lofgren added it would be "unwise and unfortunate" for Congress to interfere with the evolution of the Internet through the "overbroad" regulations called for in the SPY Act.

Goodlatte (R-Va.) said the I-SPY Act targets bad behavior, not technology as the SPY Act does.

"By going after the criminal behavior associated with the use of spyware, the I-SPY Prevention Act recognizes that not all software is spyware and that the crime does not lie in the technology itself, but rather in actually using the technology for nefarious purposes," Goodlatte said. "People commit crimes, not software."