Issues over the weighting of state and federal anti-spyware measures shouldn't stand in the way of the proposed bills, whose benefits outweigh their loopholes and could help lead to more cases against cyber-criminals, the CDT leader contends.

He cited the relatively light punishment handed out in cases brought against proven spyware brokers such as DirectRevenue and Zango as proof that existing laws are insufficient.

"Raising penalties is useful, DirectRevenue should have been fined more than $5 million, Zango should have been fined more than $3 million, and they would have been if we had more direct penalties," Schwartz said. "Most people are supportive of these bills, CDT would be happy with raising penalties without pre-empting the states, but most companies looking at these bills are pushing for pre-emption."

On the flip side, the FTC feels that existing laws provide it with sufficient power to go after spyware providers, even though the agency has only filed a dozen such suits in recent years.

Tracy Shapiro, an attorney for the FTC's Advertising Practices Division, said the federal watchdog would like to see legislation that increases civil penalties against cyber-criminals, but it feels that the new bills could eventually get in its way in bringing accused spyware companies to trial. The Computer Fraud and Abuse Act remains broad enough to provide for continued prosecution of the most significant offenders, including spyware providers, she said.

"In general there doesn't need to be a law specifically outlining spyware. There's a danger in saying 'no keystroke logging' because that's too specific and someone might look at the law and say another practice is OK," said Shapiro. "Sometimes it's hard to craft legislation to address specific types of technologies; it seems like a good argument against new laws if we can get judgments already."

In addition to the potential to create loopholes by limiting their scope to existing threats, the specific nature of the bills could make them hard to apply to similar threats carried out in the future on mobile devices, as opposed to today's PC-based spyware schemes, she said.

On the flip side, Schwartz said the CDT has been surprised and disappointed that the FTC hasn't brought any lawsuits based on the SafeWeb Act, passed by Congress in 2006 and aimed at helping the agency fight spam, spyware, and online fraud.

The expert said it was particularly puzzling that the FTC hasn't taken advantage of elements of the SafeWab law aimed at aiding in the pursuit of cyber-criminals operating in other countries -- widely recognized as one of the biggest challenges in fighting malware and online fraud.

"We've seen very little action under the SafeWeb Act; there have been some joint spyware cases with Canada where U.S.-based adware companies were working within Canada, which seemed like the perfect opportunities to use it," said Schwartz. "We thought [SafeWeb] was worth passing, and we want to see some action on it soon."

Shapiro admitted that she didn't know of any cases brought by the FTC that have sought to apply the SafeWeb laws. In the area of international cyber-law enforcement, she said it remains a challenge to share information with some foreign governments.

Other Anti-Spyware Coalition contributors remarked that they share the FTC's concerns over passing laws that may eventually serve to handcuff enforcers with outdated terms and conditions.

"We're pretty much against the laws," said Alex Eckelberry, president of anti-spyware applications vendor Sunbelt Software. "We think they will do more harm than good."