Bills Aim To Block Spyware

California and federal legislation would ban automatic installation of unauthorized programs, but many consumers unknowingly agree to downloads
The Can-Spam Act took effect in January, yet spam still fills E-mail in-boxes every day. Spam accounted for 83% of the millions of E-mail messages scanned in the United States by security services provider MessageLabs last month. By that measure, the law isn't working.

That hasn't stopped politicians and legislators from taking legal aim at another growing threat: spyware (see "Tiny, Evil Things," April 26). Anti-spyware bills working their way through the California Legislature would ban the automatic installation of unauthorized programs on a user's computer and would require that consumers be informed before information-sharing spyware is installed on their systems.

A federal bill known as the Spyblock Act also would require consumers to consent before software could be installed from the Internet on their computers and also would prohibit information collection, advertising, distributed computing, and modifications to a PC without advance consent.

While some legal experts say new laws could curb the proliferation of spyware, few expect them to sweep these pests into extinction. Technology lawyer Michael R. Overly, a partner in the Los Angeles office of Foley & Lardner, has been critical of other technology-related laws, including anti-spam laws. But he says proposed state and federal anti-spyware laws could be effective by forcing companies that install spyware to make the applications easy to remove, as well as demanding clear advance notice that spyware will be installed if users visit a Web site or download an application. "It gives users the ability to better protect themselves," he says.

However, these laws, if approved, won't make spyware go away. One problem is that many consumers unknowingly give their consent to the installation of spyware by clicking on user license agreements, called clickwrap agreements, that have consent clauses buried deep within.

Lawmakers can deal with that issue in a number of ways. They can require that a special screen pop up and explain that spyware tracking software is being installed and ask for approval, or they can require that language on spyware be placed at the beginning of the user license agreement rather than at the end. Or they might follow the approach used by some financial contracts and require that words explaining spyware be shown in boldface type in capital letters.

Spyware and Adware Chart"The real problem with spyware is that much of it is installed with consent, but without effective consent," says Mark Rasch, the former head of the U.S. Justice Department's computer crimes unit and currently a senior VP and head of cyberlaw at the managed security services firm Solutionary Inc.

Overly says a business client recently discovered its systems were infected with spyware and wanted to take legal action against the maker of the application that installed the spyware. However, it turned out his client's employees had agreed to the installation of the spyware and so a lawsuit had little chance of success.

There are existing laws to protect against the more malicious forms of spyware, such as those used by hackers to install backdoors and keyboard loggers. The Computer Fraud and Abuse Act provides civil and criminal penalties for the illegal installation of spyware, says Nick Akerman, a partner at law firm Dorsey & Whitney.

Still, it will take both laws and technology to contend with spyware, legal experts argue. "You need technology to fight the problem. There will always be companies and individuals that don't follow the rules," Overly says. The best place to begin, he says, is for people to "start reading these clickwrap agreements."

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing