News
3/16/2005 01:14 PM

Legislation Won't Stall The Spyware Juggernaut

The current crop of federal and state laws is too specific to do any good -- and could do a lot of harm.

Spyware has reached such epidemic proportions that legislators in the US Congress and in state legislatures are responding to public outrage by drafting bills to prohibit its distribution, stem abusive practices and protect Internet users' privacy. Unfortunately, the pending and recently enacted anti-spyware laws are seriously flawed and could do more harm than good. Many experts believe we would be better off simply putting more effort into enforcing the existing laws that already prohibit fraud and deceptive business practices. And nearly every knowledgeable party acknowledges that spyware is a technology problem that ultimately requires a technology solution.

New Laws, Plenty Of Flaws

Three pieces of legislation are receiving attention and attracting most of the debate.

* Bill S.2145, the SPY BLOCK Act, seeks "to regulate the unauthorized installation of computer software, to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy, and for other purposes...."

* A similar bill has been introduced in the US House of Representatives. H.R.29, the Securely Protect Yourself Against Cyber Trespass Act, or SPY ACT, seeks to "protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes...."

* California has enacted an anti-spyware law, SB 1436, the Consumer Protection Against Spyware Act, to "protect California consumers from the use of spyware and malware that is deceptively or surreptitiously installed on their computers."

More Criticism Than Support

These legislatures have had difficulty drafting language that is both appropriate and enforceable, and the acts under consideration have (to date) drawn more criticism than support. Most of the criticism revolves around the following issues.

Legislative definitions of spyware are imprecise. All of these bills attempt to define spyware by enumerating intrusion vectors, executable pests and bad behavior. The SPY BLOCK Act, for example, lists several browser-hijacking actions under a clause entitled "Other Practices that Thwart User Control of Computer." Enumerating the variants of a pandemic that has tens of thousands of them can never be more than a partial effort, and every gap in the list is an opening for creative interpretation in court. In a letter urging Governor Schwarzenegger to veto the California bill, Pam Dixon, Executive Director of the World Privacy Forum, explains that "by dealing with only a few types of spyware, [SB 1436] will enable the majority of spyware to continue to be disseminated legally." The California law specifically calls attention to keystroke logging as an unauthorized and deceptive means of collecting personally identifying information. By explicitly naming keystroke entry, does the law invite the conclusion that capturing personal information submitted to a computer by other means, such as speech recognition, is acceptable? Enumerating spyware also guarantees inconsistencies across jurisdictions, and the specter of constant amendments.

Case in point: should cookies be exempt? The US House of Representatives exempted cookies from the most recent revision of the SPY ACT. Publishers in general, and the Online Publishers Association in particular, support this exemption. But Stu Sjouwerman, Chief Operating Officer of Sunbelt Software, argues that judging a cookie in isolation is misleading. "For the most part, cookies are benign and the cookies themselves are not the problem. The problem comes when personally identifiable data about you is shared among multiple sites via a 3rd party cookie. If site x collects your name and home address and you go to site y and both [sites] use 3rd party z, your address could be delivered to site y by z without your knowledge." Do any of the bills address this kind of collective bad behavior?
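The linkage Sjouwerman describes is a property of how browsers scope cookies, not of any one cookie. The following model, an added example that is not part of the original article, plays out his scenario: the user submits a name and address to site x, merely browses site y, and both sites embed the same third party z. The site and tracker names (x.example, y.example, z-tracker.example), the submitted data and the cookie jar are all constructed and deliberately simplified; the point is to show why a profile forms when the browser hands z the same cookie from both pages, and why it does not when the browser refuses third-party cookies.

```python
"""Cross-site linkage through a third-party cookie, as a small model.

Added example, not code from the original article. Site and tracker names
and the submitted data are constructed; the Browser class is a simplified
cookie jar, not a real browser.
"""
import secrets


class Tracker:
    """Third party z, embedded as a resource on both x and y."""

    def __init__(self, domain):
        self.domain = domain
        # cookie id -> list of (referring site, data that site shared with z)
        self.profiles = {}

    def handle(self, cookie_id, referring_site, shared_data):
        # A request with no cookie gets a fresh id; later requests that present
        # the same id are joined into one profile, whatever site they came from.
        if cookie_id is None:
            cookie_id = secrets.token_hex(8)
        self.profiles.setdefault(cookie_id, []).append((referring_site, dict(shared_data)))
        return cookie_id


class Browser:
    """Cookie jar keyed by the domain that set the cookie, not by the page."""

    def __init__(self, block_third_party=False):
        self.jar = {}
        self.block_third_party = block_third_party

    def visit(self, site, shared_data, tracker):
        # The page on `site` embeds a request to tracker.domain and the site
        # passes along whatever it chooses to share. Because cookies are scoped
        # to the domain that set them, z receives the same cookie from x and y
        # unless the browser refuses cookies for a domain other than the page's.
        third_party = tracker.domain != site
        blocked = third_party and self.block_third_party
        presented = None if blocked else self.jar.get(tracker.domain)
        issued = tracker.handle(presented, site, shared_data)
        if not blocked:
            self.jar[tracker.domain] = issued
        return issued


def simulate(block_third_party):
    """Constructed session: name and address go to x; the user only browses y."""
    z = Tracker("z-tracker.example")
    browser = Browser(block_third_party)
    browser.visit("x.example", {"name": "A. User", "address": "1 Main St"}, z)
    browser.visit("y.example", {}, z)
    return z.profiles


def linked_sites(profiles):
    """Cookie ids that z has seen on more than one first-party site."""
    return {cid: {site for site, _ in recs}
            for cid, recs in profiles.items()
            if len({site for site, _ in recs}) > 1}


def leaked_to(profiles, site):
    """Data z could hand to `site` that the user never submitted to `site`."""
    leaked = {}
    for recs in profiles.values():
        if site in {s for s, _ in recs}:
            for s, data in recs:
                if s != site:
                    leaked.update(data)
    return leaked


if __name__ == "__main__":
    for blocked in (False, True):
        profiles = simulate(blocked)
        print("third-party cookies blocked:", blocked)
        print("  profiles spanning sites:", linked_sites(profiles))
        print("  what z could deliver to y.example:", leaked_to(profiles, "y.example"))
```

With third-party cookies allowed, z ends up with one profile spanning both sites and can deliver the name and address to y; with them blocked, each visit to z starts from a fresh id and nothing links the two. The model ignores other correlation techniques (IP address, browser fingerprinting, identifiers passed in URLs), which is exactly why a rule that looks only at "the cookie" misses the behavior.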

This legislation is shortsighted. All of these bills consider only the types of spyware that trouble us today. They fail to recognize the rapid pace of technology change and, more importantly, the incentive spyware developers have to employ means other than "download" and "installation" to infect a computer. Limiting the definition of spyware to software that can be installed or downloaded, terms that neither the California bill nor the SPY BLOCK Act defines, is ill-advised. Fretting over whether a piece of spyware is classified as a Browser Helper Object (BHO), and whether BHOs are installed or downloaded, is ultimately irrelevant. Spyware developers, like virus writers and spammers, constantly look for new exploitable vectors. Spyware writers in particular will capitalize on anything that provides "undetected presence." If BHOs are not exploitable in future versions of Internet Explorer, spyware developers will most certainly seek (and find) an alternative.
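Whatever the statutes say, a BHO is only "undetected" until someone reads the registry. The following is an added example, not code from the original article: it parses the text that `reg export` writes for the Browser Helper Objects key and the CLSID branch, resolves each registered BHO to the DLL Internet Explorer will load, and flags the entries a reviewer would look at first. The registry paths are the real ones; SAMPLE_REG is a constructed export, and every CLSID, vendor name and file path in it is invented for illustration. On a live system you would export `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects` and `HKCR\CLSID` with `reg export` (the file is UTF-16, so decode it before passing it in), and on 64-bit Windows also check the same branch under `Wow6432Node` for 32-bit Internet Explorer.

```python
"""Audit registered Browser Helper Objects from a `reg export` text dump.

Added example, not code from the original article. SAMPLE_REG is a
constructed export: the CLSIDs, vendor name and paths are invented.
"""
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
# Heuristic: a COM server living under a user profile or temp directory is unusual
# for legitimately installed software and worth a closer look.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\appdata\\")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-3333-4444-5555-666666666666}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Constructed Vendor Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Constructed Vendor\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-3333-4444-5555-666666666666}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\srch.dll"
"ThreadingModel"="Apartment"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(token):
    # reg export escapes backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", token[1:-1])


def _parse_data(raw):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return _unquote(raw)
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) and other types are kept verbatim


def parse_reg_export(text):
    """Return {key path: {value name: data}}; '@' is the key's default value."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            tree.setdefault(current, {})
            continue
        val = _VAL_RE.match(line)
        if val and current is not None:
            name = "@" if val.group(1) == "@" else _unquote(val.group(1))
            tree[current][name] = _parse_data(val.group(2))
    return tree


def audit_bhos(reg_text):
    """List each registered BHO with its CLSID, display name, DLL and review flags."""
    tree = parse_reg_export(reg_text)
    prefix = BHO_KEY + "\\"
    findings = []
    for key, values in tree.items():
        # Direct children of the BHO key are CLSIDs; skip the key itself and any deeper subkeys.
        if not key.startswith(prefix) or "\\" in key[len(prefix):]:
            continue
        clsid = key[len(prefix):]
        name = tree.get(f"{CLSID_KEY}\\{clsid}", {}).get("@")
        dll = tree.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32", {}).get("@")
        flags = []
        if dll is None:
            flags.append("no InprocServer32 for this CLSID in the export")
        elif any(marker in dll.lower() for marker in USER_WRITABLE):
            flags.append("DLL lives in a user-writable location")
        if name is None and dll is not None:
            flags.append("CLSID has no display name")
        findings.append({"clsid": clsid, "name": name, "dll": dll,
                         # NoExplorer=1 asks that the BHO load only in Internet Explorer,
                         # not in Windows Explorer.
                         "ie_only": values.get("NoExplorer") == 1,
                         "flags": flags})
    return findings


if __name__ == "__main__":
    for bho in audit_bhos(SAMPLE_REG):
        print(bho["clsid"], bho["name"], bho["dll"], bho["flags"])
```

Of the three constructed entries, the first resolves cleanly to a DLL under Program Files, the second resolves to a DLL in a temp directory with no display name, and the third has a CLSID with no InprocServer32 at all, which is either a leftover registration or a component whose server is registered somewhere this export did not cover. None of that says whether the code is spyware, which is the article's point: the registry tells you what will load, not whether the user agreed to it.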

Proving intent to deceive or mislead is difficult. All of these bills impose a heavy burden of proof on litigators. The California law states that a person or entity may not "intentionally misrepresent that software will be uninstalled or disabled by an authorized user's action, with knowledge that the software will not be so uninstalled or disabled." Technologists familiar with the complexities and interdependencies of a registry-based operating system scoff at the notion that malice or deception can actually be proven here, given the long history and considerable evidence that clean software removal is hard to achieve even when the vendor is trying. Even the revised language in the SPY BLOCK Act, "preventing reasonable efforts to uninstall," leaves too much room for interpretation: how much time and effort to remove unwanted software is reasonable, and why shouldn't the same standard apply to the promotional software a PC manufacturer preinstalls?
