Spyware has reached such epidemic proportions that legislators in the US Congress as well as state legislatures are responding to public outrage by drafting bills to prohibit its distribution, stem abusive practices and protect Internet user privacy. Unfortunately, pending and recently enacted anti-spyware laws are considerably flawed and could actually cause more harm than good. In fact, many experts believe we'd be better off if we'd simply put more effort into enforcing existing laws that prohibit fraud and deceptive business practices. And nearly all knowledgeable parties acknowledge that spyware is a technology problem that requires a technology solution.
New Laws, Plenty Of Flaws
Three pieces of legislation are receiving attention and attracting most of the debate.
- Bill S.2145, the SPY BLOCK Act, seeks "to regulate the unauthorized installation of computer software, to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy, and for other purposes...."
- A similar bill has been introduced in the US House of Representatives. H.R.29, the Securely Protect Yourself Against Cyber Trespass Act, or SPY ACT, seeks to "protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes...."
- California has enacted an anti-spyware law, Bill 1436:843, the Consumer Protection Against Spyware Act, to "protect California consumers from the use of spyware and malware that is deceptively or surreptitiously installed on their computers."
More Criticism Than Support
These legislatures have encountered difficulty drafting appropriate and enforceable language, and the acts under consideration have (to date) received more criticism than support. Most criticism revolves around the following issues.
Legislative definitions of spyware are imprecise. All of these bills attempt to define spyware by enumerating intrusion vectors, executable pests and bad behavior. The SPY BLOCK Act, for example, lists several browser hijacking actions under a clause entitled "Other Practices that Thwart User Control of Computer." Enumerating a pandemic that has tens of thousands of variants can never be more than a partial effort, and the gaps create opportunities for creative interpretation in courts of law. In a letter urging Governor Schwarzenegger to veto the California bill, Pam Dixon, Executive Director of the World Privacy Forum, explains that, "by dealing with only a few types of spyware, [SB 1436] will enable the majority of spyware to continue to be disseminated legally." The California law specifically calls attention to keystroke logging as an unauthorized and deceptive means of collecting personally identifying information. Because it explicitly mentions keystroke entry, is it reasonable to conclude that capturing personal information submitted to a computer by other means, like speech synthesis, is acceptable? Enumerating spyware also ensures inconsistencies across legislation, and the specter of constant amendments.
Case in point: should cookies be exempt? The US House of Representatives exempted cookies from the most recent revision of the SPY ACT. Publishers in general, and the Online Publishers Association in particular, support this exemption. But Stu Sjouwerman, Chief Operating Officer of Sunbelt Software, suggests that judging cookies on the basis of the cookie itself is deceiving. "For the most part, cookies are benign and the cookies themselves are not the problem. The problem comes when personally identifiable data about you is shared among multiple sites via a 3rd party cookie. If site x collects your name and home address and you go to site y and both [sites] use 3rd party z, your address could be delivered to site y by z without your knowledge." Do any of the bills address collective bad behavior?
This legislation is shortsighted. All of these bills consider only the types of spyware that trouble us today. They fail to recognize the rapid pace of technology change and, more importantly, the incentive spyware developers have to employ means other than "download" and "installation" to infect a computer. Limiting the definition of spyware to software that can be installed or downloaded, terms that neither the California bill nor the SPY BLOCK Act define, is ill-advised. Fretting over whether a piece of spyware is classified as a Browser Helper Object (BHO), and whether BHOs are installed or downloaded, is ultimately irrelevant. Spyware developers, like virus writers and spammers, constantly look for new exploitable vectors. Spyware writers in particular will capitalize upon anything that provides "undetected presence." If BHOs are not exploitable in future versions of Internet Explorer, spyware developers will most certainly seek (and find) an alternative.
Proving intent to deceive or mislead is difficult. All of these bills create a heavy burden of proof for litigators. The California law states that a person or entity may not "intentionally misrepresent that software will be uninstalled or disabled by an authorized user's action, with knowledge that the software will not be so uninstalled or disabled." Technologists who are familiar with the complexities and inter-dependencies of a registry-enabled operating system giggle at the notion that one can actually prove malice or deception, given lengthy history and considerable evidence that clean software removal is difficult to achieve. Even the recent changes to language in the SPY BLOCK Act, "Preventing reasonable efforts to uninstall," leave too much room for interpretation: how much time and effort to remove unwanted software is reasonable, and why shouldn't it apply to a PC manufacturer's installation of promotional software?