Even though the CDT is against the idea of undercutting existing state laws, the group still supports the measure as it raises penalties on some criminal cyber-crimes and directly addresses troublesome spyware affiliate distribution issues, said Schwartz.
The Counter Spy Act was only recently re-introduced by Arkansas Democratic Sen. Mark Pryor. Previous backers of the bill were voted out of Congress last year, making chances slim that the legislation will move forward quickly. However, the CDT favors the bill's effort to more clearly define the parameters of illegal adware programs, said Schwartz.
Issues over the weighting of state and federal anti-spyware measures shouldn't stand in the way of the proposed bills, whose benefits outweigh their loopholes and could help lead to more cases against cyber-criminals, the CDT leader contends.
He cited the relatively light punishment handed out in cases brought against proven spyware brokers such as DirectRevenue and Zango as proof that existing laws are insufficient.
"Raising penalties is useful, DirectRevenue should have been fined more than $5 million, Zango should have been fined more than $3 million, and they would have been if we had more direct penalties," Schwartz said. "Most people are supportive of these bills, CDT would be happy with raising penalties without pre-empting the states, but most companies looking at these bills are pushing for pre-emption."
On the flip side, the FTC feels that existing laws provide it with sufficient power to go after spyware providers, even though the agency has only filed a dozen such suits in recent years.
Tracy Shapiro, an attorney for the FTC's Advertising Practices Division, said the federal watchdog would like to see legislation that increases civil penalties against cyber-criminals, but it feels that the new bills could eventually get in its way in bringing accused spyware companies to trial. The Computer Fraud and Abuse Act remains broad enough to provide for continued prosecution of the most significant offenders, including spyware providers, she said.
"In general there doesn't need to be a law specifically outlining spyware. There's a danger in saying 'no keystroke logging' because that's too specific and someone might look at the law and say another practice is OK," said Shapiro. "Sometimes it's hard to craft legislation to address specific types of technologies; it seems like a good argument against new laws if we can get judgments already."
In addition to the potential to create loopholes by limiting their scope to existing threats, the specific nature of the bills could make them hard to apply to similar threats carried out in the future on mobile devices, as opposed to today's PC-based spyware schemes, she said.
On the flip side, Schwartz said the CDT has been surprised and disappointed that the FTC hasn't brought any lawsuits based on the SafeWeb Act, passed by Congress in 2006 and aimed at helping the agency fight spam, spyware, and online fraud.
The expert said it was particularly puzzling that the FTC hasn't taken advantage of elements of the SafeWab law aimed at aiding in the pursuit of cyber-criminals operating in other countries -- widely recognized as one of the biggest challenges in fighting malware and online fraud.