Perspective: Making the wrong move against spyware

Spyware's creators must be uniquely bad people.

Anyone who distributes malicious code that infects your computer and surreptitiously monitors what you're doing deserves what's coming to them. The problem is that the measures in an ostensibly anti-spyware bill due for a vote in the U.S. House of Representatives may not be the best way to punish these folks.

No doubt the bill's sponsors, led by Rep. Mary Bono, a California Republican, sincerely believe that their Spy Act will outlaw dubious adware and spyware practices.

It's not clear, though, that the Spy Act is necessary or wise. It could end up being no more useful than the Can-Spam Act of 2003, which hasn't exactly eliminated junk e-mail. (CNET News.com's sister site, Download.com, is hosting an anti-spyware workshop on Tuesday in San Francisco to explore this question in more detail.)

What the Spy Act's sponsors don't like to admit is that current law already prohibits spyware, which is software that can slip onto a PC through a breach in Microsoft Windows or Internet Explorer without a hapless user noticing.

Legitimate companies would have to comply with an avalanche of regulations of dubious value.

The Federal Trade Commission enjoys broad authority to punish any fraudulent and deceptive practices with fines, and its commissioners have testified that they're willing and able to wield that authority against miscreants. Department of Justice prosecutors have said the same thing about filing criminal charges.

Adware also is covered by existing federal and state law. (While the term is somewhat amorphous, it tends to refer to pop-up advertising software such as that bundled by WhenU and Claria, formerly Gator, with other applications.)

The FTC has been paying close attention to dubious adware practices, as have state prosecutors. Last week, for instance, New York Attorney General Eliot Spitzer filed suit against Intermix Media, claiming the company "secretly" installed ad-delivery programs on PCs. For its part, Intermix said it "does not promote or condone spyware" and blamed any ethical lapses on "prior leadership."

In other words, the process seems to be mostly working.

Unintended consequences?
The Spy Act would disrupt that process. The latest version has ballooned to 4,400 words and hands broad new powers to the FTC so that it can police America's software industry. Legitimate companies would have to comply with an avalanche of regulations of dubious value--yielding pop-up privacy notices that Americans may ignore as completely as they do the junk mail that the Gramm-Leach-Bliley Act requires banks and credit unions to send out.

No wonder that even technology trade associations, such as the Information Technology Association of America, that loathe spyware are critical of this legislation. (They do like how it would zap state spyware laws, though, creating a single national standard.)

"The primary risk is that future benign interactive software may be prevented because of the very prescriptive nature of the Bono bill's notice requirements, which depend upon a consumer reading each text-based informational notice when entering a Web site or accessing content," says Mark Uncapher, a senior vice president at the ITAA.

A better approach might be one that takes aim at problematic behavior rather than problematic technology.

This is what tends to happen when politicians write laws that treat technology as something that's as easy to define as a food product or an agricultural implement. It isn't. Software is much more malleable: What is a Web browser one day may become an instant-messaging client the next.

"If you're going to write a law targeting bad acts, there are always line-drawing problems," says Peter Swire, a law professor at Ohio State University. "There is a big category of questions. The bill has been focused on computers and retail spyware, if you will. In order to run the network, system administrators have to use all sorts of tools. I've heard complaints from network companies that routing and other network administration tools might be included."

Because Bono's bill is written primarily with Web browsers in mind, odd gaps appear in its coverage. It prohibits "diverting the Internet browser," but doesn't mention mischief aimed at instant-messaging clients. Manipulating "a list of bookmarks used by the computer to access Web pages" is verboten, but not manipulating a list of RSS bookmarks. Monitoring the "Web pages" visited to deliver ads is explicitly covered, but not monitoring the contents of e-mail correspondence.

A better approach might be one that takes aim at problematic behavior rather than problematic technology. That's what a competing spyware bill, introduced by Republican Rep. Bob Goodlatte of Virginia, proposes. Goodlatte's one-page bill simply says it's illegal to install software "without authorization" if it leaks personal information or "impairs" a computer's security--an approach backed by the ITAA and other technology groups.

But the House Republican leadership seems eager to stage a vote soon, so that politicians can claim to have "outlawed" spyware. That means there's not much time left for cooler heads to prevail.

Biography
Declan McCullagh is CNET News.com's chief political correspondent. He spent more than a decade in Washington, D.C., chronicling the busy intersection between technology and politics. Previously, he was the Washington bureau chief for Wired News, and a reporter for Time.com, Time magazine and HotWired. McCullagh has taught journalism at American University and been an adjunct professor at Case Western University.

More Perspectives

[Michael Grogan]

The Republican version is crippled...

...it would work if it made it illegal to install ANY software without authorization. Adware can do lots of nasty and irritating stuff without transmitting any info or noticeably impairing the computer's function. True to Republican form this law still leaves the gaping loophole for corporate advertising.

[Michael Grogan]

The Republican version is crippled...

...it would work if it made it illegal to install ANY software without authorization. Adware can do lots of nasty and irritating stuff without transmitting any info or noticeably impairing the computer's function. True to Republican form this law still leaves the gaping loophole for corporate advertising.

As far as I can tell this Spyware is really a Microsoft Problem

I have recently switch to Mozilla, I'll never go back to IE. I wish I could remove IE from the desktop, I have named it "Crap" in order to avoid clicking on it. I hope to switch more of my systems to Linux soon.

The absolute lameness and greed of Microsoft never ceases to amaze me. With Mozilla, I am not getting any popup ads, no virus spyware, it's great.

I tried re-installing IE, it didn't fix IE.

And I do not have time to do the research needed to determine if my IE can be fixed, and I guess neither does Microsoft.

There is absolutely no excuse for Microsoft to allow the following:

- Popup Ads.
- Self installing programs.
- Programs that can set entries under the "startup\run" registry keys.
- Programs that can read address books, history, or any other private information and set out, this could be blocked.

Microsoft has done an awful deed by leaving hundreds of millions of people naked to the inspection of creeps who create the virus malware, which Microsoft (for it's own greedy reasons) made possible.

Microsoft is an unethical, greed oriented company.

My advice to everyone, forget about Microsoft and their product if you can. Fill your networks with a heterogenous mix of computers and software (not from Microsoft, if possible).

As far as I can tell this Spyware is really a Microsoft Problem

I have recently switch to Mozilla, I'll never go back to IE. I wish I could remove IE from the desktop, I have named it "Crap" in order to avoid clicking on it. I hope to switch more of my systems to Linux soon.

The absolute lameness and greed of Microsoft never ceases to amaze me. With Mozilla, I am not getting any popup ads, no virus spyware, it's great.

I tried re-installing IE, it didn't fix IE.

And I do not have time to do the research needed to determine if my IE can be fixed, and I guess neither does Microsoft.

There is absolutely no excuse for Microsoft to allow the following:

- Popup Ads.
- Self installing programs.
- Programs that can set entries under the "startup\run" registry keys.
- Programs that can read address books, history, or any other private information and set out, this could be blocked.

Microsoft has done an awful deed by leaving hundreds of millions of people naked to the inspection of creeps who create the virus malware, which Microsoft (for it's own greedy reasons) made possible.

Microsoft is an unethical, greed oriented company.

My advice to everyone, forget about Microsoft and their product if you can. Fill your networks with a heterogenous mix of computers and software (not from Microsoft, if possible).

I support Anti-Adware/Spyware legislation

I support Anti-Adware/Spyware legislation. I think they are invasive and clogg up ones system without regard to the owner or user. So "cann them". Immediately and any others on the horizon. People know what they want to buy, and they will seek them out on their own, at their own time. Thanks.

I support Anti-Adware/Spyware legislation

I support Anti-Adware/Spyware legislation. I think they are invasive and clogg up ones system without regard to the owner or user. So "cann them". Immediately and any others on the horizon. People know what they want to buy, and they will seek them out on their own, at their own time. Thanks.

[JOSEPHWILSON1952]

WHO IS AT FAULT?

While I read comments from fellow "C-Netites", I can't help from comment on who is really at fault for the criminal activity of the thieves that install spyware/adware.
Yes, they are thieves.
If I purchase 10MB of bandwdith, but can only use 2MB because your adware/spyware is consuming the other 6MB, you are stealing from me.
Spyware/Adware conveyors are guilty of unlawful entry. This is my computer, not theirs. I didn't invite you into my private computer.
They are guilty of false advertising. They tell the clients that they will generate 30 million customers. But not if 95% of us are blocking and/or removing them. (Wise up clients!!!)
"OUR" law, because this is "Our" Problem, should state; "It's illegal to install software of any kind without the authorization of the owner of the computer. This includes all computers belonging to private citizens and business computers" "All computer users will be notified by a installation screen that states program/spyware/adware/keylogger is being installed." "The installation screen will clearly provide the FULL intent of the software and if it contains adware/spyware." "The installation screen will have the option to say Yes or No to the installation." "The Software will remove all installation entries on the Hard Drive and in the Computer Registry if the Computer Owner selects "NO" to the installation attempt." "Individuals or companies that violate this Law will prosecuted."
One of your readers commented that if they wanted something, They would look for it on their own. I agree. Companys listen up. If your not listed on an Internet Search Engine, 95% of us won't see you. Because we remove our spyware/adware. If you have so little confidence in your product that you have to resort to adware/spyware, then close your doors and get off the Internet.
We are tired of YOU!!!!

[JOSEPHWILSON1952]

WHO IS AT FAULT?

While I read comments from fellow "C-Netites", I can't help from comment on who is really at fault for the criminal activity of the thieves that install spyware/adware.
Yes, they are thieves.
If I purchase 10MB of bandwdith, but can only use 2MB because your adware/spyware is consuming the other 6MB, you are stealing from me.
Spyware/Adware conveyors are guilty of unlawful entry. This is my computer, not theirs. I didn't invite you into my private computer.
They are guilty of false advertising. They tell the clients that they will generate 30 million customers. But not if 95% of us are blocking and/or removing them. (Wise up clients!!!)
"OUR" law, because this is "Our" Problem, should state; "It's illegal to install software of any kind without the authorization of the owner of the computer. This includes all computers belonging to private citizens and business computers" "All computer users will be notified by a installation screen that states program/spyware/adware/keylogger is being installed." "The installation screen will clearly provide the FULL intent of the software and if it contains adware/spyware." "The installation screen will have the option to say Yes or No to the installation." "The Software will remove all installation entries on the Hard Drive and in the Computer Registry if the Computer Owner selects "NO" to the installation attempt." "Individuals or companies that violate this Law will prosecuted."
One of your readers commented that if they wanted something, They would look for it on their own. I agree. Companys listen up. If your not listed on an Internet Search Engine, 95% of us won't see you. Because we remove our spyware/adware. If you have so little confidence in your product that you have to resort to adware/spyware, then close your doors and get off the Internet.
We are tired of YOU!!!!