Original URL: http://www.theregister.co.uk/2007/03/18/anti_spyware_bill/

Anti-spyware bill could mean tougher fines

Third time lucky?

By Robert Lemos

Posted in Security, 18th March 2007 07:02 GMT

On Thursday, the anti-spyware bill - which has twice passed the U.S. House of Representatives only to be rejected by the Senate - got its third hearing in the House Subcommittee on Commerce, Trade and Consumer Protection.

The bill, whose full title is the "Securely Protect Yourself Against Cyber Trespass Act," would prohibit any software that takes control of a computer, modifies registry settings, logs keystrokes, or collects other data through misrepresentation. The legislation would also require that any program that collects information first get consent from the computer's user. The bill would levy stiff civil penalties against those responsible for programs that hijack a user's computer or collects data without adequate authorization.

Congress needs to give consumer's better protections against unsavory practices of spyware vendors, Rep. Bobby L. Rush (D-Ill.), chairman of the House Subcommittee on Commerce, Trade and Consumer Protection, said in a statement.

"At worst, spyware can lead to the unwanted exposure of offensive Web content to unsuspecting individuals, particularly children," Rush said. "It can also lead to outright fraud resulting in significant financial damages. At best, spyware is simply nasty stuff that clogs computers, slows down processing power, and is costly to remove."

Spyware is likely the most prevalent online threat, infecting more than half of all consumers' PCs, according to a study published by AOL and National Cyber Security Alliance in December 2005. Moreover, a single spyware program frequently acts as a beachhead, installing other spyware or adware programs on a victim's PC.

The unwanted programs, in addition to stealing a victim's data, could also make an innocent PC user appear guilty of a crime. In Connecticut, a substitute teacher has been found guilty of four counts of risk of injury to a minor after her classroom PC started displaying pornographic pop-up ads. A forensic investigator working for the defense found that the computer had been significantly compromised by spyware programs, and security researchers have criticized the prosecution for not adequately investigating the digital evidence. The teacher is scheduled to be sentenced at the end of March.

The legislation would give the U.S. Federal Trade Commission even greater latitude in pursuing the companies and individuals responsible for spyware. Currently, the FTC has brought cases based on its power to investigate deceptive trade practices. The Spy Act would broaden the definition of spyware and would allow the commission to levy greater fines of up to $3 million per activity committed by a spyware program that is prohibited by the act and $1 million for each violation of the prohibition against data collection without consent.

Such hefty fines are needed, said Ari Schwartz, deputy director of the Center for Democracy and Technology. Zango, a company whose settled with the FTC for deceptive trade practices in 2004, paid a fine of only $3 million, even though it took in more than $50 million in revenues, according to the CDT.

"If a company did a cost-benefit analysis right now, they could legitimately conclude that they could continue to do this (use spyware) until they got caught and then change their practices," Schwartz said. "There would be a much stronger incentive to do the right thing under this bill."

Schwartz, who testified on Thursday at the subcommittee hearing, said that the CDT supports the Spy Act but would rather see a commitment to legislation that establishes a foundation for privacy rights than a piecemeal approach that addresses specific threats, such as spyware or data breaches.

"If we do not begin to address privacy issues more comprehensively, the same players will be back in front of this Committee in a few months to address the next emerging threat to online privacy," Schwartz said in a prepared statement to the subcommittee.

Unsurprisingly, marketers are leery of the legislation.

Overly aggressive legislation could punish legitimate advertisers and marketing firms, Jerry Cerasale, senior vice president of government affairs for the Direct Marketing Association, said in a statement. He pointed out that the spyware situation seems much improved in the two years since the legislation was first considered.

"Where once, just two short years ago, pop-up ads, drive-by downloads, and software that hijacked computers were on the rise, consumers in 2007 experience fewer such unwanted practices," Cerasale said.

However, whether the improvement has been due to industry policing or government investigations is a matter of some debate.

The FTC, some state investigators, and the U.S. Department of Justice have gotten tougher on those that would use spyware. The FTC has concluded nearly a dozen enforcement actions since January 2005, with another dozen actions brought by individual states. The DOJ has pursued a number of bot masters, such as James Ancheta and Christopher Maxwell, that have used their network of compromised PCs to install spyware and adware for revenue. Both where sentenced in 2006.

In December, spyware researcher Ben Edelman found evidence that market survey firm comScore had installed its software on users' PCs without first getting consent.

A representative of TRUSTe asked members of the subcommittee to create a safe harbor provision for companies that follow an industry self-regulatory compliance program.

"Legislative safe harbors encourage a flexible self-regulatory regime that, if adhered to, will place a company in compliance with the regulation and create incentives for participation in programs that may exceed protections required by law," Fran Maier, executive director and president of TRUSTe, said in a statement.

However, there is evidence that industry self-policing has not worked very well. In September, a controversial survey of more than a half million Web sites found that sites are twice as likely to be rated as bad actors if they have been certified by TRUSTe, a non-profit industry group that certifies marketers' data policies.

If the bill passes the full House this year, it will be the third time. In 2004 and again in 2005, the subcommittee, full committee and House of Representatives passed the act, but the bill was voted down in the Senate.

"Twice the Spy Act met its demise in the Senate," Subcommittee Chairman Rush said in his statement. "Let's hope the Senate can get its act together this time around."

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus