Anti-spyware bill could mean tougher fines

Unsurprisingly, marketers are leery of the legislation.

Overly aggressive legislation could punish legitimate advertisers and marketing firms, Jerry Cerasale, senior vice president of government affairs for the Direct Marketing Association, said in a statement. He pointed out that the spyware situation seems much improved in the two years since the legislation was first considered.

"Where once, just two short years ago, pop-up ads, drive-by downloads, and software that hijacked computers were on the rise, consumers in 2007 experience fewer such unwanted practices," Cerasale said.

However, whether the improvement has been due to industry policing or government investigations is a matter of some debate.

The FTC, some state investigators, and the U.S. Department of Justice have gotten tougher on those that would use spyware. The FTC has concluded nearly a dozen enforcement actions since January 2005, with another dozen actions brought by individual states. The DOJ has pursued a number of bot masters, such as James Ancheta and Christopher Maxwell, that have used their network of compromised PCs to install spyware and adware for revenue. Both where sentenced in 2006.

In December, spyware researcher Ben Edelman found evidence that market survey firm comScore had installed its software on users' PCs without first getting consent.

A representative of TRUSTe asked members of the subcommittee to create a safe harbor provision for companies that follow an industry self-regulatory compliance program.

"Legislative safe harbors encourage a flexible self-regulatory regime that, if adhered to, will place a company in compliance with the regulation and create incentives for participation in programs that may exceed protections required by law," Fran Maier, executive director and president of TRUSTe, said in a statement.

However, there is evidence that industry self-policing has not worked very well. In September, a controversial survey of more than a half million Web sites found that sites are twice as likely to be rated as bad actors if they have been certified by TRUSTe, a non-profit industry group that certifies marketers' data policies.

If the bill passes the full House this year, it will be the third time. In 2004 and again in 2005, the subcommittee, full committee and House of Representatives passed the act, but the bill was voted down in the Senate.

"Twice the Spy Act met its demise in the Senate," Subcommittee Chairman Rush said in his statement. "Let's hope the Senate can get its act together this time around."

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus