A new California law aimed at curbing spyware, software applications that surreptitiously collect the keystrokes, passwords, and credit-card numbers of Internet users, will go into effect Jan. 1.
The law, dubbed the Consumer Protection Against Spyware Act, was signed last week by Calif. Gov. Arnold Schwarzenegger. It outlaws software that secretly steals personal information, such as user names and passwords, sends viruses, or takes control of infected systems as part of a distributed denial-of-service attack. The law also requires software companies and Web sites to inform users if their software or sites will install spyware and disclose what the spyware will do and what information it will collect. California consumers who believe they've been the victim of illegal activity under the law can seek attorney's fees and damages of $1,000 for each violation.
Spyware is a growing concern among consumers and businesses. Spyware has been loosely defined as everything from hacker tools such as Trojan horses and keystroke loggers to programs that track what Web sites consumers visit and what search terms they use. That information is used by online marketers for such purposes as generating pop-up advertisements.
On Monday, Internet service provider EarthLink Inc. and anti-spyware and system-utility software maker Webroot Software Inc. published their SpyAudit Report, which showed a decrease in the spyware-infected systems they monitor. The companies scanned more than 1.1 million PCs for the period of July through September and found a decrease in the instances of adware and adware cookies, as well as a decrease in the number of system monitors and Trojan horse applications on Internet surfers' systems.
Still, for the third quarter, the two companies found an average of 25 spyware-related applications running on each system, compared with an average of 26.5 for the period of January through March of 2004.
Security experts say the decline could be due, in part, to increased awareness of spyware and adware infections and the increasing number of software tools available to fight the threat. Throughout the year more antivirus vendors, including Symantec Corp. and McAfee Inc., have been adding some level of spyware and adware detection and removal tools to their software.
Bruce Hughes, director of malicious code research for ICSA Labs, which tests and certifies IT security products and is a division of TruSecure Corp., doesn't believe instances of spyware infections are on the decline. "I believe the bad guys are still winning and coming up with new ways to get their software on users' PCs," he says.
Hughes blames the lack of quality, automated, anti-spyware tools for much of the trouble people have ridding their systems of these applications. "Many of the solutions today only clean the main components [of spyware], leaving many things behind."
Legal experts often cite the difficulty in crafting anti-spyware laws, saying such laws, if not drafted properly, could affect legitimate applications such as antivirus software or other software applications that scan a user's system without the user's consent.
"This law provides a relatively reasonable and measured response to a growing program because it focuses on deceptive and fraudulent intent," says Mark Rasch, the former head of the U.S. Department of Justice's computer crimes unit and currently a senior VP and head of cyberlaw at the managed security services firm Solutionary Inc., who had been critical of earlier legislative attempts to make spyware illegal.
Legal problems could still arise from the law, Rasch says. For instance, he's surprised there's no legal exception for law enforcement to install surveillance applications. Rasch says it's legal for investigators, with a court's permission, to trick a user into downloading a keystroke logger for an investigation. "It could be argued that court authorization would overrule this statute, but I'm not so sure," Rasch says.
Others aren't as convinced the law will have much impact on illegal activity. Marne Gordan, director of regulatory affairs for TruSecure, doesn't believe anti-spyware laws will have much impact on spyware activity. "We currently have laws against phishing, spamming, and hacking, but realistically, this kind of activity happens all the time," Gordan says.
However, the number of companies that use spyware to legitimately collect marketing and demographic data could drop because they're more easily tracked. "Typically, less-than-reputable companies use this software to drive pop-up ad campaigns or generate spam ads, based on user profiles developed from analysis of the keystrokes and surfing patterns collected by the spyware. Consumers find it intrusive and generally hate it, and this legislation may have some impact on those organizations that use it to target consumers for advertising, at least in the beginning," Gordan says.
Despite doubts about the effectiveness of anti-spyware laws, more are on the way. The Spy Block Act, now pending in the U.S. Senate, would require a consumer's consent before spyware is installed, make it mandatory that spyware applications be easy to uninstall, and require that consumers be given details about what the spyware software would do and collect.
Various states as well as the U.S. House of Representatives have similar anti-spyware legislation under consideration.