Network News

X My Profile
View More Activity

Spy vs. I-Spy: A Tale of Dueling Anti-Spyware Bills

The House of Representatives last week passed a bill called the "I-SPY Act" -- a.k.a. the "Internet Spyware Prevention Act of 2007." I believe it's important to highlight the benefits and limitations of this measure.

For starters, I-SPY is an enforcement bill, but it will likely do little to prevent any kind of online spying. Critics of a legislative approach to fighting spyware like to point to the massive upward spike in junk e-mail that quickly followed Congress's enactment of the CAN-SPAM Act bill. But despite its memorable acronym, CAN-SPAM was never about stopping spam; it was about making life more miserable for those who get caught.

I-SPY is no different. At its core, it tweaks the nation's computer crime laws to include more jail time and fines for a broader range of offenses. It also would give $10 million more a year to the Justice Department to prosecute spyware cases. These are laudable goals, but to say that this measure will prevent the spread of spyware -- however we choose to define it -- in my opinion is setting up false expectations.

One can certainly make the argument that stiffer penalties act as a deterrent for those who would commit cyber crimes, but that's a bit like hoping that longer jail times will turn people away from dealing drugs. To my mind, as long as the financial incentives are there, there will continue to be no shortage of people (particularly individuals living overseas) willing to do the crimes.

There is, however, another effort in the House to win passage of an anti-spyware bill that seeks to govern the business practices of companies that produce what most consumers consider to be spyware -- essentially ad-serving software that often collects and transmits data about a "user's" online activities.

The "SPY Act," which has secured preliminary approval from the House Committee on Energy and Commerce, also includes some enforcement provisions. But it mainly focuses on proscribing the kinds of actions typical of spyware programs that should be expressly illegal, such as misleading enticements to install spyware/adware programs, and what kind of notice said programs should have to provide before collecting personally identifying information from the "user."

Consumer advocates, including The Center for Democracy & Technology, are worried that passage of the bill could actually decrease the number of spyware lawsuits and prosecutions. That's because the bill would essentially override state anti-spyware laws. So far, at least 10 states have passed anti-spyware measures, with many more considering them.

It appears that the online advertising industry also opposes the Spy Act, albeit for decidedly different reasons. Mike Zaneis, vice president of public policy for the Internet Advertising Bureau, said the bill's attempt to carve out exceptions for certain technologies -- such as "cookies" used to track Web users -- is a "well-meaning, but wrong-headed approach." The group is concerned that some types of tracking technologies not specifically mentioned in the bill -- such as the use of Javascript and Web beacons -- could be relegated to a murky legal status under such a law.

It may be that the Spy Act is a response to yesterday's computer security problems. As anti-spyware vendor Sunbelt Software's CEO Alex Eckelberry has noted, today's "spyware" -- software that quite literally steals the user's financial and personal data -- installs itself in far more aggressive and overt ways that make the adware of yesteryear seem downright benign.

I have always maintained that if drive-by downloads and unexplained pop-up ad-serving software are a problem on your Windows computer, then you have far more dangerous threats to be concerned about on your PC. Unfortunately, no amount of federal legislation is going to solve this problem.

Broken record alert: If you are running Windows XP under the default user account -- the all-powerful administrator account -- it will only be a matter of time before some Web site or malicious e-mail hands control of your PC over to criminal groups. Set up your machine to operate under a "limited user" account for everyday use, and you will almost certainly find that the anti-spyware program you used to rely upon to banish uninvited software will find little to remove.

By Brian Krebs  |  May 29, 2007; 8:43 AM ET
Categories:  Fraud , From the Bunker , Safety Tips , U.S. Government  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Apple, Microsoft Issue Security Updates
Next: A New Vector For Hackers -- Firefox Add-Ons

No comments have been posted to this entry.

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company