WASHINGTON, D.C. -- A handful of tech-savvy senators are tackling the growing problem of spyware with a proposed law that would make it harder for sites to inflict the invasive programs on unwitting users, and easier for the recipients to remove them.
The Software Principles Yielding Better Levels of Consumer Knowledge (SPYBLOCK) Act would "give consumers control over the programs that are downloaded onto their computers," says cosponsor Barbara Boxer (D-California). The measure was introduced Thursday by Boxer and Senators Ron Wyden (D-Oregon) and Conrad Burns (R-Montana).
The bill tackles three aspects of spyware. It imposes new rules that would make it more difficult for companies to slip software onto users' systems surreptitiously; require easy directions and options for removal; and prohibit harmful spyware.
Under the proposal, if a company needs a user to install certain software to view Web site components or advertising, it would have to explain the reason and nature of the download in a pop-up window or another clear notice. This explanation would remain on the computer screen until the user either consents or declines to install the software. The act would make illegal the practice of downloading and installing software without alerting the user--a growing practice among some companies.
If a user decides to install that software, it must be easily removable, according to the legislation. The application must appear in the Add/Remove Programs menu; be completely removable using normal, reasonable procedures; and, if it is an advertisement, it must include a link that tells the user how to turn off the ad feature or uninstall the software.
Some spyware is nearly impossible to remove once installed.
"[Some] consumers have been downloading and saying that they can't remove [the software]," says Ari Schwartz, associate director of the Center for Democracy and Technology. "Individuals should have the ability to enter into a contract and leave that contract if they want to."
Tougher Tack Urged
The Federal Trade Commission and the state attorneys general would enforce the law, if enacted. However, some industry experts think more enforcement is needed.
Chris Hoofnagle, the associate director of the Electronic Privacy Information Center, says consumers' lack of legal rights on the spyware issue is a serious problem.
He criticizes the bill for not including a provision that lets individuals take legal action against spyware companies that stalk computer users.
"It's a serious problem, because you want users in the enforcement loop," Hoofnagle says.
Schwartz agrees, saying enforcement needs to be improved and "the most effective piece that this bill can bring is more attention to this issue and greater enforcement for the worst practices out there."
Robert Bagnall, director of focused intelligence at IDefense, a Virginia-based security intelligence company, expresses concern over the international threat of spyware.
"The legitimate companies in the United States who currently place spyware [on retail computers] will have a tougher time doing it ... but [legislation] will not help with the international factors at all," Bagnall says.
Status and Path
An anti-spyware bill has a good chance of passing Congress this session, Hoofnagle says. He cites the recent interest in cybersecurity as another boost. However, even legislation that sounds good can be eviscerated through "tinkering with definitions."
The proposed legislation follows a similar earlier effort, House Resolution 2929, introduced in July 2003 by Representative Mary Bono (D-California). That bill, which is still being debated at the committee level, also requires explicit user consent before the installation of software and orders enforcement by the FTC.
The bill introduced Thursday by Boxer, Burns, and Wyden is still in an early stage. It has not yet been assigned a number or been referred to committee, though it is expected to go to the Senate Committee on Commerce, Science, and Transportation, of which all three senators are members.
The FTC plans a workshop on spyware in mid-April.