Experts: Spyware legislation needs more work

Senate bill aimed at limiting spyware seemingly allows broadband providers and computer software and hardware vendors to scan users' computers without authorization

A bill before the U.S. Senate targeted at spyware needs some fine-tuning, with part of it seemingly allowing broadband providers and computer software and hardware vendors to scan users' computers without authorization, a couple of spyware experts said.

The Counter Spy Act, introduced last June, would allow broadband providers, computer hardware and software vendors, financial institutions, and other businesses to detect and prevent the unauthorized use of software for fraudulent or other illegal activities, said Arthur Butler, a lawyer for advocacy group Americans for Fair Electronic Commerce Transactions. The bill says it would not prevent such scans.

"We think this language is overly broad and could protect activities which could be harmful to computer users," Butler told the Senate Commerce, Science and Transportation Committee. "It would, in effect, allow a software vendor to truly monitor everything that's on a user's computer, essentially setting [vendors] up as an ad hoc police force."

Another portion of the same section of the bill, aimed at limiting antispyware software vendors and other tech companies from legal liability, would protect antispyware vendors and ISPs from legal liability when they protect users from "objectionable content." But without some accountability for antispyware vendors and ISPs, Web sites could have little recourse to refute being labeled as objectionable content, said Jerry Cerasale, senior vice president of government affairs for the Direct Marketing Association (DMA).

Some legitimate DMA members have been targeted by antispyware vendors, and in some cases, the two sides have been able to work out a compromise, he said. But in other cases, the software vendors haven't responded to concerns, and the bill could make it harder to work out issues, Cerasale said.

"'Objectionable software' is a subjective term, and we can disagree on it," Cerasale said.

However, witnesses at the hearing praised the general direction of the bill. The legislation, sponsored by Sen. Mark Pryor, an Arkansas Democrat, could allow the U.S. Federal Trade Commission to seek additional civil penalties against spyware distributors, and it defines several activities as illegal, including creating zombie computers, hijacking Internet access, launching DoS attacks, and delivering endless loops of pop-up ads.

The U.S. House of Representatives passed two antispyware bills in 2007, but the Senate has failed to act on spyware legislation during this session.

“Spyware and harmful adware are a critical threat to our online security and privacy," said Vincent Weafer, vice president of security response at Symantec. "It is wrong, and it must be stopped."

But Weafer and other witnesses also urged senators to stay away from getting too specific about what constitutes spyware. The bill doesn't specifically target programs that collect computer users' Web surfing histories, but some people may consider that a form of spyware, said Benjamin Edelman, a professor at Harvard Business School who studies spyware.

"Practices change quickly, and at our peril do we make a list of practices that ought to be prohibited because, the next day, there will be more practices that we didn't think of," Edelman said.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies