With the nation’s first anti-spam bill already to its credit, the 108th
Congress is now taking aim at spyware, the surreptitious programs that often
piggyback into a user’s computer on an otherwise authorized download. Once
there, the software can collect personal data and report Internet traffic
patterns to advertisers.
For Congress, the answer to spyware is beguilingly simple: clear and
conspicuous notice by companies attempting to download software to a
computer. The Federal Trade Commission (FTC), the technology industry and
even some consumer groups, though, say that solution will create more
problems than it solves.
Ken Silva, vice president for networks and security at VeriSign, told a
group of congressional staffers studying the issue this week, “If we cast too
big a net, we’ll actually do harm to products and services that are
well-meaning and well-intended and have a good, legitimate purpose for
security as well as for fraud protection.”
Silva said, “Something needs to be done immediately” about programs that
swipe credit card numbers and other personal information (a longstanding
problem that predates spyware), but legislation being considered by Congress
would cover “less obvious things like automatic downloads for patches to
operating systems or automatic updates for anti-virus software.”
Rep. Mary Bono (R-Calif.) has introduced H.R. 2929, the Safeguard Against
Privacy Invasion Act. This bill aims to protect individuals from unknowingly
downloading spyware and requires that consumers be given notice prior to
downloading any software.
The bill would also require that third parties disclose their identity,
street address and a valid return e-mail address to the consumer, as well as
specifically revealing their intent to collect and use the consumer’s
information. A similar bill in the Senate, supported by Conrad Burns
(R-Mont.), Ron Wyden (D-Ore.) and Barbara Boxer (D-Calif.), is currently
under consideration by the Commerce Committee.
Rep. Jay Inslee (D-Wash.) is supporting yet another spyware bill that
“focuses on bad behavior rather than trying to define a certain type of
software.”
Said Inslee when he introduced the bill, “Most computer users will tell you
that spyware pops up and multiplies like cicadas, but spyware is not a
natural event; it is purposefully inflicted. My legislation will target
people who set spyware upon us with bad intent.”
The FTC agrees with Inslee that spyware involves bad behavior, not bad
technology. Spyware, the FTC says, is too vaguely defined and often confused
with adware, but generally refers to any software that covertly gathers user
information through the user’s Internet connection without his or her
knowledge, sometimes for advertising purposes. Most forms of adware,
however, are installed with the user’s knowledge.
Howard Beales, the FTC’s director of consumer protection, recently told
Congress the agency already has spyware investigations underway, and FTC
Commissioner Mozelle Thompson has repeatedly objected to targeted
legislation.
Last month, Thompson asked Internet provider industry leaders such as
Microsoft, America Online and Earthlink to produce a set of best practices
for the use of adware, including disclosure statements to consumers
regarding what they are about to download.
“At the outset, I think I’d like to have a further conversation about what
kind of practices fall outside what the industry thinks is fair practice,”
Thompson told reporters. “It seems to me there are some kind of practices
that we may consider unfair or deceptive. We have existing laws to go after
some of them. We have some powerful ones right now. We need to have a
discussion, an ongoing dialogue, with industry, so they can also act partly
as our eyes and ears.”