RealTime IT News

Bad Actors Safe Under Spyware Legislation?

WASHINGTON -- Congress' good intentions may also be good business for the $2.8 billion shady world of the spyware industry. Pending anti-spyware legislation may, in fact, end up legitimizing bad actors.

That's the take of Richard Stiennon, vice president of threat research at anti-spyware firm Webroot. Stiennon, who spoke at the Gartner IT Security Summit here today, thinks Congress should do less, rather than more, when it comes to federal anti-spyware bills.

Last month, the U.S. House of Representatives passed two anti-spyware measures. One bill (I-SPY Act) imposes tougher criminal penalties for spyware-related activities.

The other bill (SPY Act) also increases penalties but includes an opt-in, notice and consent regime for legal software -- adware -- that collects personally identifiable information from consumers.

Both bills contain a long list of exemptions, including pre-purchase installations, cookies and software and network security upgrades.

"I'm leaning toward preferring the increase in penalties for bad acting," Stiennon told internetnews.com. "By setting a lot of definitions, you're going to have some of the perpetrators just modifying their behavior to comply with this new law and then start legal activities to get index spyware vendors to stop listing them."

In particular, Stiennon said, adware companies might be able to say, "Hey, we comply with this new law, the Federal Trade Commission doesn't have a problem with what we're doing and you shouldn't identify us this way."

Prominent adware firms such as Claria have in recent months mounted public relations campaigns to distinguish themselves from spyware companies. The purpose of adware is to drive visitors to advertisers' Web sites. Adware writers and distributors redirect browsers and generate pop-up ads.

Adware vendors contend they obtain consent before installing their software. Spyware, on the other hand, distributes pop-up advertising without consent and often in malicious ways.

With or without a new law, Stiennon vowed to continue to list adware vendors in Webroot's quarterly rankings of top threats to network security.

"I certainly agree they are adware companies, that's how we identify them," Stiennon said. "The one thing we won't stop doing is to identify them as adware companies as long as they serve ads and support free software with ads."

He also scoffed at adware firms' claims of notice and consent, saying, "If they truly gave end users full disclosure, they wouldn't have any customers."

Adware consent, he said, should read: "This product is going to pop up a million ads in your face and it's going to significantly reduce the performance of your computer and increase boot times by 30 seconds."

Stiennon also shrugged off the idea of adware lawsuits against Webroot seeking to be de-listed as a threat.

"Sadly, in this country anybody can sue anyone for anything," he said. "I don't think anybody could win one of those cases because you will not find 12 U.S. citizens who feel sorry for adware vendors."

Ultimately, Stiennon said, federal anti-spyware legislation will be as effective as the CAN-SPAM Act, Congress' effort to curb unwanted and unsolicited e-mail.

"Legislation isn't going to make it go away. Maybe it will push it offshore," he said. "The CAN-SPAM Act has done some good, but there's more spam now than when CAN-SPAM passed. It's made it more expensive for legitimate companies to engage in spam, and this will be the exact same with spyware."