June 6, 2007 4:23 PM PDT

Net firms lose in House spyware vote

Over objections from Internet companies and online advertisers, the U.S. House of Representatives on Wednesday approved a bill touted as an antispyware measure, a move that sets the stage for a political showdown in the Senate later this year.

By a 368-48 vote, with 43 of the opposing votes coming from Republicans, the House endorsed the Spy Act, which is broader and more regulatory than a second bill that was backed by politicians from Silicon Valley. The House approved the second bill on May 22.

The more regulatory version approved Wednesday, which has been revised (PDF) in the last few weeks, proposes punishments for anyone who slips code onto computers without authorization in an attempt to "impair" a machine's security features, to transmit personal information about the machine's user without the user's knowledge, or to commit other federal crimes such as identity theft. It would also require that unwanted programs be easy for consumers to disable.

On one level, the differences in the two bills represent a long-standing turf war between two House committees. On another, though, they reflect starkly different views of how to deal with online threats: through a narrow approach that seeks to criminalize breaking into computers, or through a broader approach that would levy a new and complex raft of regulations on the software industry and Web publishers. Which version prevails will depend on what the Senate decides.

"The bill, as currently drafted, would regulate every Web site on the Internet and for any site that collects any 'personal' information, a proscriptive notice pop-up box would appear."
--Mike Zaneis, vice president, IAB

In a letter to House Speaker Nancy Pelosi on Wednesday, a wide range of groups including the American Bankers Association, the Interactive Advertising Bureau, the Information Technology Association of America, and NetCoalition (which counts Yahoo, Google, and News.com publisher CNET Networks as members) warned that the Spy Act would be problematic.

"The bill, as currently drafted, would regulate every Web site on the Internet and for any site that collects any 'personal' information, a proscriptive notice pop-up box would appear," Mike Zaneis, a vice president with the Interactive Advertising Bureau, said in an e-mail interview. "Congress is not capable of carving out all of the benign technologies that currently exist or will be developed in the future."

One unusual aspect of this political tussle is that spyware is already illegal and, according to government officials, no new laws are probably necessary. The Federal Trade Commission has told politicians it already possesses broad authority to punish any fraudulent and deceptive adware or spyware practices with fines, and has sued spyware purveyors in the past. Department of Justice prosecutors have said the same thing about filing criminal charges and have already engaged in prosecutions.

But on Wednesday, the Spy Act's sponsors--including Reps. Edolphus Towns (D-N.Y.) and Mary Bono (R-Calif.)--promised the legislation would help consumers.

"Today's legislation provides consumers with new tools to protect themselves from unwanted, harmful software," Towns said in prepared remarks on the House floor Wednesday morning.

Towns said he was confident that the bill struck an appropriate balance. "Anytime we legislate on highly technical matters, there is always a danger of stifling innovation and making the use of legitimate software too burdensome," he said. "It is a very difficult tightrope to walk, but I think we have done an excellent job in walking that line."

Bono, for her part, said in a statement that she would remain a strong proponent of antispyware legislation because she believes "consumers should have the final say about what plants itself on their computer--not a third party with potentially conflicting interests."

"Antispyware" measure regulates Web cookies too
Opponents of the Spy Act, however, argue that such restrictions are worded broadly enough to threaten the viability of a vast array of Web sites that rely on cookies to provide their services. (The shopping cart function on e-commerce sites and ad-supported Web services like search engines and news sites, for instance, depend on cookies.) The bill's authors have attempted to exempt cookies, but opponents say the approved version doesn't go far enough to ease their concerns and could prevent the adoption of technologies no one has even dreamed up yet.

FTC Chairwoman Deborah Platt Majoras also has cautioned Congress against requiring a notice-and-consent approach to spyware, arguing at a hearing in October 2005 that consumers bombarded with such notices may not read them, unwittingly accepting all notices and finding harmful spyware downloaded onto their machines as a result.

Chiefly sponsored by Reps. Zoe Lofgren (D-Calif.) and Bob Goodlatte (R-Va.), the narrower version that came out of the House Judiciary Committee is called the I-Spy Act. It takes a less regulatory approach, imposing fines and up to five years in prison for anyone who intentionally causes software "to be copied onto" a computer--and damages the machine or steals personal information in the process.

Attempts by Congress at enacting new laws targeting spyware are nothing new. The House approved some kind of antispyware legislation both in 2004 and 2005, but the Senate never acted.

Some technology firms are hedging their bets by saying they support both bills. "By passing the Spy Act, the House of Representatives sent a clear message to spyware purveyors everywhere that their days of secretly infecting innocent and unsuspecting consumers' computers with spyware are numbered," Kevin Richards, Symantec's government relations manager, said Wednesday.

A Symantec spokesman said the Business Software Alliance and the Cyber Security Industry Alliance, of which Symantec is a member, also support both proposals.

See more CNET content tagged:
bill, town, vice president, spyware, anti-spyware

9 comments

Join the conversation!
Add your comment
Legislation won't address this problem
This particular bill is flawed because it does not address 'social engineering' attacks which are becoming the most prevalent. If you can trick the end-user into consenting to install the software, are you guilty? Probably not if you can afford a good lawyer.

No laws can replace common sense. Stop treating internet users like idiots and put more emphasis on educating them. Why is it that people think it is funny to depict some Homer clicking away at links in spam mail? It is hard to be a cyber criminal when there are no victims to exploit.
Posted by NewsReader_ (280 comments )
Reply Link Flag
Most ARE idiots!
The thing is---MOST internet, neigh, computer users ARE Homers.

You obviously haven't had to support a building full of people all using computers with internet access, or support aged family or even friends of friends.

Most people DO click links and then ask you "why does ebay want me to change my password again?" after the fact.

No amount of teaching can break through the skulls of many non techie people, and they're the ones the internet explosion has caught since 2000. Prior to 2000, more people (except AOL users primarily) were more tech savvy.

Social engineering has been around long before the internet. Your grandparents were likely engineered over the phone to donate to worthy causes or beleived everything they read in the National Enquirer.
Posted by Anon-Y-mous (124 comments )
Link Flag
sounds good to me
if a few of the drive by installer scum spend a week with Paris in the Century Hilton, that would be a start. If the whole interactive by stealth industry were put out of business tomorrow, starting with the fine folk at gator (whatever they are called now), it would not be soon enough. If the slimeball purveyours of "your computer is at risk" popups where sent to work on a chain gang that would be great. Add in the people who made those Apple vs PC commercials as well for good measure.
Posted by gggg sssss (2285 comments )
Reply Link Flag
The Tubes are Full
These bozos scare me. I cringe everytime I read that a new tech law comes up. The rules are being made by clueless old dudes who have no idea what any of this means. So they rely on their old friends the lobbyists to "educate" them. Remember, Orrin Hatch wants to let the RIAA "blow up" your computer for file sharing. The tubes are full alright...full of (expletive). And it all seems to eminate from Washington.
Posted by cidman2001 (223 comments )
Reply Link Flag
Legit websites?
What legit website will force themselves to install a program without proper consent?
Posted by inachu (963 comments )
Reply Link Flag
Kill the cash cow and let's have some steaks
Opposition to this spyware act by net companies is clearly fueled by their desire to protect their cash cow of selling your accumulated data to others. There is no legimate reason for ANY website to install cookies to monitor your web surfing habits. Any cookie that monitors or tracks anything should be illegal. Only cookies which enhance the web site visit and user experience are acceptable. The new act could be further enhanced by requiring that all cookies installed during a visit be removed from a consumers computer during log-out from that site with an exemption that would allow for cookies to remain that assist with faster reconnection to that site. Perhaps we could offer to the executives of the companies who take issue with this act, to install wireless web cams with GPS in their cars so that consumers can track THEIR location visits and activities.
Posted by alarmlv (8 comments )
Reply Link Flag
Sounds great - almost!
Other then the "notice and consent" it will dramatically improve my Internet experience. The problem is tracking cookies - which never help the surfer - they only help those who track Internet usage. Unfortunately with notice and consent, inexperienced users - as stated - will tend to authorize any type of them. Notice and consent is fine for normal cookies; but with tracking cookies and other malware it needs an absolute "its illegal", including prohibiting any site from reporting which users visited it; reporting how many would be acceptable.

The real problem are the various operating systems which permit modifications without user consent. I wouldn't mind clicking okay to a cookie the first time I visited a site I liked so it would recognize me when I arrived back at that site. The other side of the coin are tracking cookies which "phone home" no matter where you go.

Stricter controls on all modifications to the OS could - if done right - eliminate viruses and other malware. The best way would be for the OS to prevent any site from installing anything other than an "I'm here" type cookie. Anything else needs to be software that has to be installed and would always show up in the installed programs menu.
Posted by shanedr (155 comments )
Reply Link Flag
Sounds Good... Problems easily solved
At present, all that is required is a click to get cookies on your PC which monitor you. And that in itself is part of the problem.

People unknowingly click on so many things that it's hard to really bind them by law for clicking on something (even if accidental).

However, a better approach would be to offer an Opt-In E-mail to the user for them to verify that it's OK for that site to track their visits. (* CHUCKLE *)

It will:

#1. Show the user exactly who's tracking them.

#2. Resolve the accidental clicking as now they must reply via E-mail to Opt in to allow that site to track them.

Advertisers and web site owners around the world will be up in arms over the matter, but it will show the user who's trying to track them. And if any non-opted in cookies are found on a person's PC, they should be able to sue the tracking company. (* GRIN *)

Yea... sounds like a winner to me. I mean, we're talking about spyware right? Many cookie setters are performing spyware-like activities... so hopefully this will bring them out of the woodworks.

Walt
Posted by wbenton (522 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.