Politics and Law

When President-elect Barack Obama appoints a chief technology officer to the White House, he should make the new appointee a part of his senior economic policy team and the chief "evangelist" for innovation-spurring policies, the software and hardware industries say.

The Business Software Alliance, which represents companies like Microsoft, Hewlett-Packard, Cisco, and others, sent a letter to Obama last week with suggestions for what role the CTO should play in the administration. The BSA has taken other steps in the past week, such as meeting with the Homeland Security Secretary Michael Chertoff on Wednesday and releasing its 2009 policy agenda on Thursday, in an appeal to the next Congress and administration to integrate information technology solutions into its policy prescriptions, both in the short term and long term.

"When dealing with every major issue, there should be a question of what is the role of IT in providing the solutions," BSA CEO Robert Holleyman said Thursday.

BSA President Robert Holleyman sent a letter to President-elect Barack Obama suggesting he make his chief technology officer a part of his senior economic policy team.

The industry's goals are largely aligned with the president-elect's, Holleyman said, including Obama's proposal to push for increased adoption of health IT. New legislation and a new approach to cybersecurity is needed as well, BSA members said, to improve both the government's cyberinfrastructure and its communication with citizens regarding the security of personal information.

As lawmakers integrate IT measures into new legislation, they'll have to avoid some pitfalls, the BSA and its members warned. Health IT is seen as an "enormous opportunity" for the industry, Susan Mann, Microsoft's senior director for intellectual property policy, said Thursday. However, Congress needs to ensure there are adequate privacy protections in place and that the government does not end up with "a system of winners and losers."

Congress needs to "provide incentives for folks to invest and innovate in this area," she said, and "make sure all companies with solutions to bring to the table can compete."

Holleyman said the BSA has been working closely with Representative Pete Stark (D-Calif.) to ensure "we don't lock into place or fossilize a particular technology." Stark proposed health IT legislation that initially mandated an open source platform, Holleyman said.

"It would be mistake to say we're only going to look at open-source solutions," Holleyman said.

Ensuring electronic health records remain private is particularly tricky, Mann said, since the information by its very nature needs to be shared. However, strong privacy requirements for health records are already in place through the Health Insurance Portability and Accountability Act, said Kevin Richards, Symantec's federal government relations manager.

"I would encourage Congress to not reinvent the wheel," he said.

Securing information in cyberspace
He does, however, support reforming data breach notification law. Currently, 44 states have their own laws in place, making it difficult for software companies to comply with all of them.

"Next year you'll see a tsunami of data breach bills," Richards said. "A lot of these bills were introduced previously, but we believe the issue is ready for prime time."

The industry has been working to push the issue in numerous congressional committees and is advocating for Senate Majority Leader Harry Reid to consolidate all the data breach legislative efforts.

"The bogeyman of data security has been jurisdictional issues," Richards said.

The BSA has been working closely with the government to secure its cyberinfrastructure, and on Wednesday senior representatives from eight of its member companies met privately with DHS Secretary Michael Chertoff.

"Our industry has invested considerable resources into that partnership to protect cyberinfrastructure," said Franck Journoud, BSA manager of information security policy.

The public-private partnership, however, has been strained at times, he said.

"Sometimes it has worked really well, sometimes it hasn't worked well at all," Journoud said. "In some situations, we felt our ability to learn from DHS and the various entities involved in cybersecurity about policy development, and our ability to input into policy, was limited. Those policies can have a considerable impact on our ability to manage and operate that infrastructure."

While the BSA has voiced its support for the cybersecurity report produced by a Center for Strategic and International Studies commission, it has not taken a position on the report's suggestion to transfer cybersecurity responsibilities away from DHS to the White House.

The Software and Information Industry Association announced Tuesday it filed eight lawsuits against illegal software sellers on eBay, Amazon.com and iOffer.com.

The organization filed the suits on behalf of Adobe, charging eight individuals with knowingly selling software illegally, including Adobe Photoshop CS3 and Adobe Acrobat 8.0.

"In the current economic climate, when consumer confidence is already low, it is essential that consumers are able to purchase software online knowing that it is legal and will function properly," said Keith Kupferschmid, SIIA senior vice president of intellectual property policy and enforcement. "Illegal sellers tempt consumers with low prices, but the software often doesn't work and, of course, comes without the full range of customer support offered by manufacturers."

This is the first time the SIIA has filed suits against users on Amazon and iOffer, though it has brought charges against eBay users in the past and even considered suing eBay itself. The option of suing eBay is not off the table, Kupferschmid said in an interview.

"The problem is so bad it would be silly to not consider all available options, and that's one of them," he said. "eBay has been a little bit more cooperative, and we continue to try to work with them, but ultimately it comes down to 'Do we have a huge software piracy problem on eBay?' And the answer is yes."

The SIIA has been expanding its antipiracy program, and including the eight new suits announced Tuesday, has filed charges against 40 online software pirates this year. Many of those cases are still pending, but many of those that have been resolved have been very successful, Kupferschmid said. In some cases, defendants have paid hundreds of thousands of dollars in damages, and some civil suits have prompted the Justice Department to pursue criminal charges against online software pirates.

"We applaud the SIIA in its efforts to combat software piracy. The distribution of counterfeit software on any online site is unacceptable," said Ryan Boyce, CEO of iOffer. "We hope that by assisting SIIA with promoting this initiative, anyone who buys counterfeit software by mistake will learn how to report illegal sellers."

A U.S. District Court refused to impose an outright ban on the sale of RemoteSpy keylogger spyware, but the court has barred its parent company from marketing the product for deceptive purposes while it considers a complaint from the FTC that the software may violate the FTC Act.

The U.S. District Court for the Middle District of Florida, Orlando Division, had previously issued a temporary restraining order against Florida-based CyberSpy Software, halting the sales of RemoteSpy. However, the court on November 25 issued a more narrowly tailored preliminary injunction (PDF).

CyberSpy altered the RemoteSpy Web site to comply with the injunction, and as of December 3, RemoteSpy was once again available for sale and users could access their accounts.

The Federal Trade Commission filed a complaint (PDF) against CyberSpy Software on November 5, alleging the company has violated the FTC Act by selling software that can be deployed remotely by someone other than the owner or authorized user of a computer, can be installed without the owner's knowledge, and can used to surreptitiously collect and disclose personal information. The FTC also claims CyberSpy unfairly collected and stored personal information gathered with RemoteSpy.

The commission asked the court to permanently ban the sale of RemoteSpy and require CyberSpy to pay restitution for any injury to consumers resulting from violations of the FTC Act.

The preliminary injunction, in place while the FTC's case against CyberSpy is pending, orders the company and its CEO Tracer Spence to stop promoting, selling, or distributing RemoteSpy by "suggesting to customers that it may be, or is intended to be, surreptitiously installed on a computer without the knowledge or consent of the computer's owner." The defendants are also barred from providing others with the means to falsely represent a keylogger program as an innocuous file, such as photos or music.

"RemoteSpy is designed to be installed without the knowledge or consent of the owner or authorized user of a computer, and defendants' marketing touts this function," the court stated in its injunction. "In light of these marketing efforts, the potential for devastating abuse far outweighs the possibility of benign use."

CyberSpy is seeking to dismiss the entire lawsuit.

"The FTC claims our software should be illegal because someone, somewhere might abuse it," Spence said in a release, "but computer monitoring software is just like any other surveillance technology: There is nothing inherently illegal about binoculars, hidden cameras, or directional microphones, for example, but people can use those tools to break the law."

A U.S. District Court has temporarily halted the sale of RemoteSpy keylogger spyware at the request of the Federal Trade Commission, which claims the software violates the FTC Act.

The FTC filed a complaint (PDF) against Florida-based CyberSpy Software on November 5, alleging the company has violated the FTC Act by selling software that can be deployed remotely by someone other than the owner or authorized user of a computer, can be installed without the owner's knowledge, and can used to surreptitiously collect and disclose personal information. The FTC also claims CyberSpy unfairly collected and stored personal information gathered with RemoteSpy.

In its complaint, the FTC asked the U.S. District Court for the Middle District of Florida, Orlando Division, to issue a temporary restraining order halting the sale of RemoteSpy while its case is pending, permanently ban the sale of RemoteSpy, and require CyberSpy to pay restitution for any injury to consumers resulting from its violations of the FTC Act.

The court, in its temporary restraining order filed November 6 against CyberSpy, said there is a "substantial likelihood" that the FTC will be able to prove the spyware maker violated the FTC Act.

"The sale and operation of RemoteSpy is likely to cause substantial harm to consumers that cannot be reasonably avoided and is not outweighed by countervailing benefits to consumers or to competition," the court wrote. "The likely harm includes financial harm (including identity theft) and endangering the health and safety of consumers."

Along with barring CyberSpy from selling RemoteSpy, the restraining order bars the company from disclosing or making available any information obtained through the software. It also requires CyberSpy to ensure any Web sites associated with the product, including www.remotespy.com, are not publicly accessible.

The FTC's complaint names Tracer R. Spence, the registered agent and manager of CyberSpy, as liable for the charges against the spyware maker.

CyberSpy's possible violations were first brought to light to the FTC in a complaint (PDF) filed in March by the Electronic Privacy Information Center.

Though other federal agencies have been known to use keylogger software, the FTC has been challenging the distribution of spyware for the past four years.