Feeds

Anti-spyware bill could mean tougher fines

Third time lucky?

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

On Thursday, the anti-spyware bill - which has twice passed the U.S. House of Representatives only to be rejected by the Senate - got its third hearing in the House Subcommittee on Commerce, Trade and Consumer Protection.

The bill, whose full title is the "Securely Protect Yourself Against Cyber Trespass Act," would prohibit any software that takes control of a computer, modifies registry settings, logs keystrokes, or collects other data through misrepresentation. The legislation would also require that any program that collects information first get consent from the computer's user. The bill would levy stiff civil penalties against those responsible for programs that hijack a user's computer or collects data without adequate authorization.

Congress needs to give consumer's better protections against unsavory practices of spyware vendors, Rep. Bobby L. Rush (D-Ill.), chairman of the House Subcommittee on Commerce, Trade and Consumer Protection, said in a statement.

"At worst, spyware can lead to the unwanted exposure of offensive Web content to unsuspecting individuals, particularly children," Rush said. "It can also lead to outright fraud resulting in significant financial damages. At best, spyware is simply nasty stuff that clogs computers, slows down processing power, and is costly to remove."

Spyware is likely the most prevalent online threat, infecting more than half of all consumers' PCs, according to a study published by AOL and National Cyber Security Alliance in December 2005. Moreover, a single spyware program frequently acts as a beachhead, installing other spyware or adware programs on a victim's PC.

The unwanted programs, in addition to stealing a victim's data, could also make an innocent PC user appear guilty of a crime. In Connecticut, a substitute teacher has been found guilty of four counts of risk of injury to a minor after her classroom PC started displaying pornographic pop-up ads. A forensic investigator working for the defense found that the computer had been significantly compromised by spyware programs, and security researchers have criticized the prosecution for not adequately investigating the digital evidence. The teacher is scheduled to be sentenced at the end of March.

The legislation would give the U.S. Federal Trade Commission even greater latitude in pursuing the companies and individuals responsible for spyware. Currently, the FTC has brought cases based on its power to investigate deceptive trade practices. The Spy Act would broaden the definition of spyware and would allow the commission to levy greater fines of up to $3 million per activity committed by a spyware program that is prohibited by the act and $1 million for each violation of the prohibition against data collection without consent.

Such hefty fines are needed, said Ari Schwartz, deputy director of the Center for Democracy and Technology. Zango, a company whose settled with the FTC for deceptive trade practices in 2004, paid a fine of only $3 million, even though it took in more than $50 million in revenues, according to the CDT.

"If a company did a cost-benefit analysis right now, they could legitimately conclude that they could continue to do this (use spyware) until they got caught and then change their practices," Schwartz said. "There would be a much stronger incentive to do the right thing under this bill."

Schwartz, who testified on Thursday at the subcommittee hearing, said that the CDT supports the Spy Act but would rather see a commitment to legislation that establishes a foundation for privacy rights than a piecemeal approach that addresses specific threats, such as spyware or data breaches.

"If we do not begin to address privacy issues more comprehensively, the same players will be back in front of this Committee in a few months to address the next emerging threat to online privacy," Schwartz said in a prepared statement to the subcommittee.

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.