Senate hears testimony on spyware

A U.S. Senate hearing was scheduled today to hear testimony on the issue of spyware, with the conversation focused primarily around the "Counter Spy Act of 2007":http://www.govtrack.us/congress/billtext.xpd?bill=s110-1625, proposed last year by Arkansas Senator Mark Pryor.

The bill provides some very specific definitions of prohibited behavior and grants explicit power to the Federal Trade Commission (FTC) to enforce compliance. It also increases the penalties available to the FTC.

Last year, there was "some":http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1263... "discussion":http://www.infoworld.com/article/07/06/28/Policy-experts-split-on-spywar... of this legislation and similar laws that passed the House. StopBadware.org even weighed in with "some":http://blogs.stopbadware.org/articles/2007/05/24/kudos-to-congress-house... "thoughts":http://blogs.stopbadware.org/articles/2007/06/08/more-spyware-regulation... of its own.

Taking a current look at the Counter Spy Act raises a few questions in my mind:

1. Does the FTC need explicit legislation granting it additional authority? As of last year, the "FTC said no":http://www.cio.com.au/index.php/id;1239574182;pp;1;fp;4;fpid;1935:

bq. Tracy Shapiro, an attorney for the FTC's Advertising Practices Division, said the federal watchdog would like to see legislation that increases civil penalties against cyber-criminals, but it feels that the new bills could eventually get in its way in bringing accused spyware companies to trial. Section V of the Federal Trade Commission Act remains broad enough to provide for continued prosecution of the most significant offenders, including spyware providers, she said.

2. StopBadware.org has changed its "badware guidelines":http://blogs.stopbadware.org/home/guidelines multiple times in just two and a half years, due to ongoing changes in technology and badware practices, as well as an ongoing desire to make sure that we're "getting it right." If legislation defines spyware specifically, what happens when a new piece of spyware falls outside that definition?

3. The Counter Spy Act appears to explicitly allow (or at least protect from FTC action under this law) unauthorized installation of software on a user's computer, so long as that software doesn't engage specifically in spying or certain advertising behavior. If the government is going to have enforcement authority, shouldn't it have more discretion?

4. Is stealing social security or account numbers as they're typed and sending them to a third party covered by this legislation? If so, I can't figure out how. One provision protects against wholesale keylogging (i.e., capturing every keystroke) and another protects against stealing private information "from the hard drive or other storage medium." Unless I'm missing it, I don't see anything about selective capturing of information via keylogging. This helps illustrate point #2.

In general, my opinion is that legislation that grants authority and resources to the government to fight spyware is helpful, but doing it right is really difficult. The FTC has already established some expertise and made use of existing legislation to go after spyware distributors. Maybe a simpler solution, then, would be to provide more funding and perhaps greater penalties without seeking to define a constantly-moving target.

_Note: This post has been edited to correct a factual error in the name of the legislation to which Tracy Shapiro of the FTC referred._