Feeds

Anti-spyware bill could mean tougher fines

Third time lucky?

  • alert
  • submit to reddit

Top three mobile application threats

On Thursday, the anti-spyware bill - which has twice passed the U.S. House of Representatives only to be rejected by the Senate - got its third hearing in the House Subcommittee on Commerce, Trade and Consumer Protection.

The bill, whose full title is the "Securely Protect Yourself Against Cyber Trespass Act," would prohibit any software that takes control of a computer, modifies registry settings, logs keystrokes, or collects other data through misrepresentation. The legislation would also require that any program that collects information first get consent from the computer's user. The bill would levy stiff civil penalties against those responsible for programs that hijack a user's computer or collects data without adequate authorization.

Congress needs to give consumer's better protections against unsavory practices of spyware vendors, Rep. Bobby L. Rush (D-Ill.), chairman of the House Subcommittee on Commerce, Trade and Consumer Protection, said in a statement.

"At worst, spyware can lead to the unwanted exposure of offensive Web content to unsuspecting individuals, particularly children," Rush said. "It can also lead to outright fraud resulting in significant financial damages. At best, spyware is simply nasty stuff that clogs computers, slows down processing power, and is costly to remove."

Spyware is likely the most prevalent online threat, infecting more than half of all consumers' PCs, according to a study published by AOL and National Cyber Security Alliance in December 2005. Moreover, a single spyware program frequently acts as a beachhead, installing other spyware or adware programs on a victim's PC.

The unwanted programs, in addition to stealing a victim's data, could also make an innocent PC user appear guilty of a crime. In Connecticut, a substitute teacher has been found guilty of four counts of risk of injury to a minor after her classroom PC started displaying pornographic pop-up ads. A forensic investigator working for the defense found that the computer had been significantly compromised by spyware programs, and security researchers have criticized the prosecution for not adequately investigating the digital evidence. The teacher is scheduled to be sentenced at the end of March.

The legislation would give the U.S. Federal Trade Commission even greater latitude in pursuing the companies and individuals responsible for spyware. Currently, the FTC has brought cases based on its power to investigate deceptive trade practices. The Spy Act would broaden the definition of spyware and would allow the commission to levy greater fines of up to $3 million per activity committed by a spyware program that is prohibited by the act and $1 million for each violation of the prohibition against data collection without consent.

Such hefty fines are needed, said Ari Schwartz, deputy director of the Center for Democracy and Technology. Zango, a company whose settled with the FTC for deceptive trade practices in 2004, paid a fine of only $3 million, even though it took in more than $50 million in revenues, according to the CDT.

"If a company did a cost-benefit analysis right now, they could legitimately conclude that they could continue to do this (use spyware) until they got caught and then change their practices," Schwartz said. "There would be a much stronger incentive to do the right thing under this bill."

Schwartz, who testified on Thursday at the subcommittee hearing, said that the CDT supports the Spy Act but would rather see a commitment to legislation that establishes a foundation for privacy rights than a piecemeal approach that addresses specific threats, such as spyware or data breaches.

"If we do not begin to address privacy issues more comprehensively, the same players will be back in front of this Committee in a few months to address the next emerging threat to online privacy," Schwartz said in a prepared statement to the subcommittee.

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.