This summer, a group of malicious hackers took advantage of a serious hole in Internet Explorer (what else is new?). In response, Microsoft told users to set the browser's security setting to High--even though the company warned that doing so might disrupt some legitimate Web sites.
That browser flaw enabled attackers to redirect users to a site that surreptitiously downloaded and installed a keystroke logger, which could then send sensitive user data--passwords, financial information and the like--to a specified Web site without the user's knowledge. Working with law enforcement agents, ISPs quickly took down the attackers' site. Microsoft has since patched IE, so users are back to surfing normally. Sort of.
This incident, however, was only the most egregious recent example of an ever-growing threat: spyware. We've all heard of it, and maybe even cursed it loud and long as we've watched pop-up ads multiply like Tribbles across our screen, or found out that someone has hacked into our bank account.
Major software vendor Computer Associates, which recently bought Pest Patrol (a developer of antispyware products, among other things), calls these sneaky apps "pests" and now has 24,000 such items in its database--and no, that number does not include viruses or worms. Half of the listings were added in the last year. Sam Curry, CA's vice president of e-trust security management, expects that number to double again within 12 to 18 months. The problem has gone beyond the home: Corporations are taking note as spyware proliferation affects worker productivity and makes intellectual property theft more likely.
People want a solution. Heck, I want a solution. Right now.
Congress has heard the cry, and a few bills moving through the House of Representatives and the Senate attempt to deal with the problem.
The key word here is attempt.
Congress wants to help, it really does. In a contentious election year, spyware is one bad guy everyone can agree on.
The chief antispyware bills moving through Congress right now are the Software Principles Yielding Better Levels of Consumer Knowledge Act, known as SPYBLOCK, in the Senate (S. 2145); and the Securely Protect Yourself Against Cyber Trespass Act, known as SPY ACT, in the House (H.R. 2929). (Who thinks up these catchy names?) The latter has seen the most action, and has moved from committee to a likely vote by the House by year's end.
Both bills attempt to define spyware and to put in place clearer standards for user consent to any software downloads. Both also provide for criminal penalties for those who try to get information from users without their consent, or install applications without user approval. So far, so good.
But both bills are too limited, each in its own way.
The SPY ACT, sponsored by Representative Mary Bono (R-California) among a host of others, spells out standards for user notification, and specifically addresses many of the actions it wants to prevent, such as unauthorized collection of user data for any purpose, browser hijackings, keystroke logging, and unwitting spamming or denial-of-service attacks by zombie PCs. The SPYBLOCK Act does much the same, but focuses on a smaller set of behaviors; whether it also reaches activities it doesn't explicitly name depends on how it is interpreted.
These bills each address a set of aggravating symptoms (hurray) while missing a chance to get at the rest of the problem (grr): a lack of consistent privacy and informed consent standards for the Internet.
Guidelines for All
The Center for Democracy and Technology has been very active in legislative and federal efforts to combat spyware and deceptive, irresponsible adware. Ari Schwartz, associate director for the CDT, argues that legislation and industry action should focus on establishing a set of privacy standards and fair information practices that don't depend as much as the current bills do on specific actions and definitions.
Such standards would get at the heart of what all spyware programs have in common, regardless of what they may be called, or their ultimate function. Be they genuinely harmful or merely irksome, they all get onto your PC without your clear knowledge and agreement; their presence is often buried in the lengthy user licenses no one reads. They then proceed to act as if they have every right to use your PC, your data, or your Internet connection as they see fit, again, without informing you. Moreover, once you discover they're on your PC, they rarely provide you with a straightforward and complete way to uninstall them.
Schwartz points to a lengthy bill that Senator Ernest "Fritz" Hollings (D-South Carolina) introduced in the last session of Congress (the Online Personal Privacy Act, S. 2201), which in fact attempted to set some of these best-practice guidelines. It was passed by committee but did not make it to the floor of the Senate for vote and would have to be reintroduced.
Schwartz notes that both S. 2145 and H.R. 2929 focus on programs that get downloaded onto your computer. But it's possible that these bills wouldn't cover programs that run only partly on your machine while residing mainly on a remote network or server. There should be no distinction, Schwartz says. (For more details, see the CDT's report on policies and proposals to solve the spyware problem.) He believes that properly crafted laws can have an impact on spyware because it, unlike spam, leaves a more direct money trail, making it easier to identify and police offending companies.
A set of guidelines would take care of another potential problem: evolution of spyware. A few years ago, the term spyware didn't exist. Now, there are at least a half-dozen practices that fall under that umbrella. Who knows how many there will be in another few years--or what forms they will take? I don't want to go back to the legislative drawing board two years from now and go through this all over again.
Full disclosure: Even well-meaning companies (and editors) can be fooled by rapidly changing spyware practices. One of my colleagues recently recommended a screen saver that later got loaded with more and more spyware. Both Schwartz and CA's Curry say that's not uncommon.
In general, Curry agrees with Schwartz. He also believes that establishing a set of industry guidelines for consent, user notification, and the like would be a better overall approach than that of the current bills. Consumer, industry, and public-sector groups working together may come up with more effective rules that can remain relevant as software and services evolve, and not just address some of today's problems, he says. The rules governing financial services, he says, may serve as a model here, with a blend of industry-set guidelines and legislation to back them up.
He has a further concern: The bills, depending on their final language, might adversely impact legitimate businesses. That's a concern shared by others in the industry, and it led to the injunction that blocked Utah's spyware law. WhenU, a New York-based company that serves up ads to consumers who download free programs, might have been prohibited from continuing its business under the Utah law. It brought its case to court--and won, at least at the District level. But the company's argument that Utah had gone beyond a state's rights by trying to regulate interstate commerce won't apply at the federal level.
I must admit that my sympathy for even legitimate adware companies is pretty low: Generally, I just want all adware off my PC. But far be it from me to condone an outright legal ban on their mode of business.
With the right guidelines--preferably legislated to give them some teeth--the business model can still exist. It will just exist with informed consent by me and my fellow Web surfers, as well as with rules about what data can be collected and how it can be used. It's not such a horrible trade-off. Everyone can live happily ever after, at least until the next Internet-induced crisis.
For more immediate help getting rid of spyware, read "Bigger Threats, Better Defense" for reviews of antispyware, antivirus, and firewall products. You'll also want to check out Steve Bass's recent Home Office column on what to do to prevent spyware infection, and how to help yourself if you do get infected.