House Passes Anti-Spyware Legislation

For the third time in three congressional sessions, the U.S. House approved legislation today aimed at curbing spyware and other malware, including phishing and pharming scams.

The Internet Spyware (I-SPY) Prevention Act of 2007 would impose prison terms of up to five years for placing unauthorized code on a computer that mines personal information about a user or impairs a computer’s normal security software.

The legislation would also give the Department of Justice $10 million annually to fund spyware investigations and prosecutions.

“By imposing criminal penalties on these bad actors, this legislation will help deter the use of spyware, and will thus help protect consumers from these aggressive attacks,” bill co-sponsor Rep. Bob Goodlatte (R-Va.) said in a statement. “I am encouraged by the House passage of the [bill] and I call on the Senate to act on this important legislation.”

Although the House has passed the bill three times, the Senate has yet to approve the legislation. A House Energy and Commerce subcommittee has also approved the Securely Protect Yourself Against Cyber Trespass Act (SPY Act).

The SPY Act specifically requires an opt-in, notice and consent regime for legal software — often known as adware or spyware — that collects personally identifiable information from consumers.

The SPY Act would also prohibit surreptitious keystroke logging, browser hijacking and the unauthorized removal or disabling of security software installed on a computer. Violators would face civil penalties of up to $3 million per violation.

The House has twice approved the legislation but, like the I SPY Act, the Senate has failed to show interest.

In both cases, opposition from the advertising industry blocked Senate passage of the bills. Advertisers claim both bills fail to distinguish between legally installed software and malware.

But Goodlatte said Tuesday, the I SPY Act, “Leaves the door open for innovative technology developments to continue to combat spyware programs.”

When the I SPY Act passed the House Judiciary Committee earlier this month, Rep. Zoe Lofgren (D-Calif.), a co-sponsor of the bill with Goodlatte, said one of the greatest challenges to drafting anti-spyware legislation is that many legal programs are almost indistinguishable from spyware.

“An Internet ‘cookie’  can be used to store detailed information about a user’s preferences when visiting a much-frequented Web site,” Lofgren said. “But the same technology can be used by identity thieves to track and store personal and financial information. The appropriate legislative target is not the cookie itself, but the criminals who use it for illegal purposes.”

Lofgren called the SPY Act overly broad and that the notice-and-consent regime mandated by the SPY Act is flawed because violators are likely to ignore the law.

In continuing to push for the I SPY legislation, Goodlatte pointed to a recent study by the National CyberSecurity Alliance showing that more than 90 percent of consumers have some sort of installed spyware on their computers. In most cases, the study states, consumers were unaware of the spyware on their machines.