RealTime IT News

Spyware Solutions Not So Simple

With the nation's first anti-spam bill already to its credit, the 108th Congress is now taking aim at spyware, the surreptitious programs that often piggyback into a user's computer on an otherwise authorized download. Once there, the software can collect personal data and report Internet traffic patterns to advertisers.

For Congress, the answer to spyware is beguilingly simple: clear and conspicuous notice by companies attempting to download software to a computer. The Federal Trade Commission (FTC), the technology industry and even some consumer groups, though, say that solution will create more problems than it solves.

Ken Silva, vice president for networks and security at VeriSign, told a group of congressional staffers studying the issue this week, "If we cast too big a net, we'll actually do harm to products and services that are well-meaning and well-intended and have a good, legitimate purpose for security as well as for fraud protection."

Silva said, "Something needs to be done immediately" about programs that swipe credit card numbers and other personal information (a longstanding problem that predates spyware), but legislation being considered by Congress would cover "less obvious things like automatic downloads for patches to operating systems or automatic updates for anti-virus software."

Rep. Mary Bono (R-Calif.) has introduced H.R. 2929, the Safeguard Against Privacy Invasion Act. This bill aims to protect individuals from unknowingly downloading spyware and requires that consumers be given notice prior to downloading any software.

The bill would also require that third parties disclose their identity, street address and a valid return e-mail address to the consumer, as well as specifically revealing their intent to collect and use the consumer's information. A similar bill in the Senate, supported by Conrad Burns (R-Mont.), Ron Wyden (D-Ore.) and Barbara Boxer (D-Calif.), is currently under consideration by the Commerce Committee.

Rep. Jay Inslee (D-Wash.) is supporting yet another spyware bill that "focuses on bad behavior rather than trying to define a certain type of software."

Said Inslee when he introduced the bill, "Most computer users will tell you that spyware pops up and multiplies like cicadas, but spyware is not a natural event; it is purposefully inflicted. My legislation will target people who set spyware upon us with bad intent."

The FTC agrees with Inslee that spyware involves bad behavior, not bad technology. Spyware, the FTC says, is too vaguely defined and often confused with adware, but generally refers to any software that covertly gathers user information through the user's Internet connection without his or her knowledge, sometimes for advertising purposes. Most forms of adware, however, are installed with the user's knowledge.

Howard Beales, the FTC's director of consumer protection, recently told Congress the agency already has spyware investigations underway, and FTC Commissioner Mozelle Thompson has repeatedly objected to targeted legislation.

Last month, Thompson asked Internet provider industry leaders such as Microsoft, America Online and Earthlink to produce a set of best practices for the use of adware, including disclosure statements to consumers regarding what they are about to download.

"At the outset, I think I'd like to have a further conversation about what kind of practices fall outside what the industry thinks is fair practice," Thompson told reporters. "It seems to me there are some kind of practices that we may consider unfair or deceptive. We have existing laws to go after some of them. We have some powerful ones right now. We need to have a discussion, an ongoing dialogue, with industry, so they can also act partly as our eyes and ears."