Policy experts split on spyware laws

CDT and FTC disagree whether a trio of anti-spyware bills before Congress will result in more prosecutions

CAMBRIDGE, Mass. -- Two of the agencies most actively involved in bringing cyber-criminals to justice in the United States have expressed opposing opinions over pending anti-spyware legislation.

Even as a trio of spyware bills is moving forward on Capitol Hill, officials from the Center for Democracy and Technology (CDT) and the Federal Trade Commission (FTC) said their two organizations have differing views on the need for passage of the proposed laws.

At a forum sponsored by the Anti-Spyware Coalition and held here at Harvard Law School on June 27, officials from the FTC and CDT -- a Washington-based nonprofit that has become a prominent Internet policy watchdog -- detailed areas where their organizations diverge regarding Congressional anti-spyware bills.

The Anti-Spyware Coalition -- a security consortium backed by industry players including AOL, Dell, Google, McAfee, Microsoft, and Yahoo -- hosted the panel that brought legal experts from the two organizations together to air their differences. The discussion was hosted by John Palfrey, executive director of the Berkman Center for Internet and Society at Harvard Law, a well-known expert in the field of Internet security and privacy issues

The three pieces of legislation being debated were the Internet Spyware Prevention Act of 2007 (I-SPY Act) and Securely Protect Yourself Against Cyber Trespass Act (SPY ACT) -- both of which passed vote in the U.S. House of Representatives in May and remain up for debate in the Senate -- and the Counter Spy Act of 2007, introduced before the Senate in mid-June.

While both the FTC and CDT are actively involved in attempts to bring suspected purveyors of spyware to court and stop them from distributing illegal code to end-users, the agencies appear to be divided over whether the new laws will result in more prosecutions.

The CDT supports passage of all three proposed bills, claiming that any additional laws that increase civil and criminal penalties against spyware brokers and better define illegal practices will prove helpful in bringing new cases -- despite the group's recognition of flaws in all three bills.

For its part, the FTC contends that the new laws may only serve to muddle its ability to go after cyber-criminals when it finds them.

In outlining each of the bills for the assembled audience, CDT Deputy Director Ari Schwartz highlighted the group's hopes for each of the measures.

The I-SPY Act is the least controversial of the three bills in that it merely seeks to extend penalties established in the Computer Fraud and Abuse Act -- originally passed in 1986 -- and make the legal punishments for criminal hacking more severe.

The CDT is fully behind the bill and it passed through House hearings with almost no opposition, proving its overall appeal, Schwartz said.

The SPY ACT -- originally written by California Republican Rep. Mary Bono and passed by the House in previous sessions -- has proven more divisive; some businesses are expressing serious concerns about the proposal's limitations on consumer information gathering and the fact that the bill would supersede existing state anti-spyware laws.

Even though the CDT is against the idea of undercutting existing state laws, the group still supports the measure as it raises penalties on some criminal cyber-crimes and directly addresses troublesome spyware affiliate distribution issues, said Schwartz.

The Counter Spy Act was only recently re-introduced by Arkansas Democratic Sen. Mark Pryor. Previous backers of the bill were voted out of Congress last year, making chances slim that the legislation will move forward quickly. However, the CDT favors the bill's effort to more clearly define the parameters of illegal adware programs, said Schwartz.

Issues over the weighting of state and federal anti-spyware measures shouldn't stand in the way of the proposed bills, whose benefits outweigh their loopholes and could help lead to more cases against cyber-criminals, the CDT leader contends.

He cited the relatively light punishment handed out in cases brought against proven spyware brokers such as DirectRevenue and Zango as proof that existing laws are insufficient.

"Raising penalties is useful, DirectRevenue should have been fined more than $5 million, Zango should have been fined more than $3 million, and they would have been if we had more direct penalties," Schwartz said. "Most people are supportive of these bills, CDT would be happy with raising penalties without pre-empting the states, but most companies looking at these bills are pushing for pre-emption."

On the flip side, the FTC feels that existing laws provide it with sufficient power to go after spyware providers, even though the agency has only filed a dozen such suits in recent years.

Tracy Shapiro, an attorney for the FTC's Advertising Practices Division, said the federal watchdog would like to see legislation that increases civil penalties against cyber-criminals, but it feels that the new bills could eventually get in its way in bringing accused spyware companies to trial. The Computer Fraud and Abuse Act remains broad enough to provide for continued prosecution of the most significant offenders, including spyware providers, she said.

"In general there doesn't need to be a law specifically outlining spyware. There's a danger in saying 'no keystroke logging' because that's too specific and someone might look at the law and say another practice is OK," said Shapiro. "Sometimes it's hard to craft legislation to address specific types of technologies; it seems like a good argument against new laws if we can get judgments already."

In addition to the potential to create loopholes by limiting their scope to existing threats, the specific nature of the bills could make them hard to apply to similar threats carried out in the future on mobile devices, as opposed to today's PC-based spyware schemes, she said.

On the flip side, Schwartz said the CDT has been surprised and disappointed that the FTC hasn't brought any lawsuits based on the SafeWeb Act, passed by Congress in 2006 and aimed at helping the agency fight spam, spyware, and online fraud.

The expert said it was particularly puzzling that the FTC hasn't taken advantage of elements of the SafeWab law aimed at aiding in the pursuit of cyber-criminals operating in other countries -- widely recognized as one of the biggest challenges in fighting malware and online fraud.

"We've seen very little action under the SafeWeb Act; there have been some joint spyware cases with Canada where U.S.-based adware companies were working within Canada, which seemed like the perfect opportunities to use it," said Schwartz. "We thought [SafeWeb] was worth passing, and we want to see some action on it soon."

Shapiro admitted that she didn't know of any cases brought by the FTC that have sought to apply the SafeWeb laws. In the area of international cyber-law enforcement, she said it remains a challenge to share information with some foreign governments.

Other Anti-Spyware Coalition contributors remarked that they share the FTC's concerns over passing laws that may eventually serve to handcuff enforcers with outdated terms and conditions.

"We're pretty much against the laws," said Alex Eckelberry, president of anti-spyware applications vendor Sunbelt Software. "We think they will do more harm than good."