Proposed bill would slam pirates, ignore malware

Ars Technica reported yesterday on proposed U.S. legislation, called the Combating Online Infringement and Counterfeits Act (COICA). One of the primary purposes of this bill is to provide a legal mechanism for interfering with the operation of a website that is "dedicated to infringing activities." With a court order, U.S.-based registrars may be ordered to suspend a domain name, and domestic DNS operators may be ordered to stop resolving the domain name. Financial transactions through domestic services (e.g., Visa card processing) can also be suspended.

There are some interesting technical and legal questions in this bill, but the part that interests me is how narrowly focused it is. If Congress is going to establish a mechanism for fighting websites dedicated to illegal activity, why not broaden it beyond copyright infringement (which, by the way, is in most cases a civil matter rather than a criminal one) and include distribution of malware, phishing, or other criminal activities?

The answer to my rhetorical question can likely be found by following the money. Lobbying by copyright holders and their representatives (e.g., the Recording Industry Association of America and the Motion Picture Association of America) is big business, while we in the malware world have relatively sparse resources dedicated to influencing policy. The reality, though, is that e-crime is a substantial drain on the U.S. economy, and the prescriptive measures in COICA could apply just as easily to e-crime sites as to piracy sites. (Again, I'm leaving aside potential critiques of these prescriptive mechanisms or other aspects of the legislation.)

It would be great to see some broader legislation that draws on the expertise of the law enforcement and tech communities, as well as past judicial precedent, to create a standard framework for taking legal action against any website that is dedicated to illegal activity.

Proposed bill pushes informed consent for P2P sharing

As reported by Ars Technica and others, Rep. Henry Waxman (D-CA) and the rest of the House Energy & Commerce Committee are pushing a bill that requires peer-to-peer (P2P) file sharing applications to obtain informed consent before installation and before making files available for sharing. The bill labels a failure to obtain the required consent as an unfair trade practice, which means the Federal Trade Commission (FTC) can use its authority to punish the offending software distributor. The motivation for the bill seems to be a combination of two concerns: first, that important confidential files may be inadvertently shared by government or corporate employees; and second, that individuals accused of illegal file sharing may use "I didn't know I was sharing those files" as a defense.

From my initial read of the bill (PDF), this seems like decent legislation. It is brief and clear in its definitions, and the only requirements are "clear and conspicuous notice," "informed consent," and the ability to uninstall or disable the software, all of which approximate the language we use in our software guidelines. There is an appropriate exception for software that is pre-installed on the computer (the user doesn't have to consent prior to installation but is required to be notified that the software is installed). The most notable thing about the bill is probably what isn't covered: software installed by the government (let's call that the "FBI exemption"), non-commercial software (probably because there's no entity for the FTC to punish for unfair business practices), and several specific categories of software that don't look like P2P software (servers, communications apps, and security software).

I can't help wondering about the sense in legislating the behavior of only one specific type of application, but I have to admit it seems like the bill addresses the specific concerns about P2P software I alluded to earlier without overstepping. It's good to see legislation that doesn't try to dictate technical solutions and instead sticks to the basics: tell the user what is happening, and let him/her decide what to do next.

Senate hears testimony on spyware

A U.S. Senate hearing was scheduled today to hear testimony on the issue of spyware, with the conversation focused primarily around the "Counter Spy Act of 2007":http://www.govtrack.us/congress/billtext.xpd?bill=s110-1625, proposed last year by Arkansas Senator Mark Pryor.

The bill provides some very specific definitions of prohibited behavior and grants explicit power to the Federal Trade Commission (FTC) to enforce compliance. It also increases the penalties available to the FTC.

Last year, there was "some":http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1263... "discussion":http://www.infoworld.com/article/07/06/28/Policy-experts-split-on-spywar... of this legislation and similar laws that passed the House. StopBadware.org even weighed in with "some":http://blogs.stopbadware.org/articles/2007/05/24/kudos-to-congress-house... "thoughts":http://blogs.stopbadware.org/articles/2007/06/08/more-spyware-regulation... of its own.

Taking a current look at the Counter Spy Act raises a few questions in my mind:

1. Does the FTC need explicit legislation granting it additional authority? As of last year, the "FTC said no":http://www.cio.com.au/index.php/id;1239574182;pp;1;fp;4;fpid;1935:

bq. Tracy Shapiro, an attorney for the FTC's Advertising Practices Division, said the federal watchdog would like to see legislation that increases civil penalties against cyber-criminals, but it feels that the new bills could eventually get in its way in bringing accused spyware companies to trial. Section V of the Federal Trade Commission Act remains broad enough to provide for continued prosecution of the most significant offenders, including spyware providers, she said.

2. StopBadware.org has changed its "badware guidelines":http://blogs.stopbadware.org/home/guidelines multiple times in just two and a half years, due to ongoing changes in technology and badware practices, as well as an ongoing desire to make sure that we're "getting it right." If legislation defines spyware specifically, what happens when a new piece of spyware falls outside that definition?

3. The Counter Spy Act appears to explicitly allow (or at least protect from FTC action under this law) unauthorized installation of software on a user's computer, so long as that software doesn't engage specifically in spying or certain advertising behavior. If the government is going to have enforcement authority, shouldn't it have more discretion?

4. Is stealing social security or account numbers as they're typed and sending them to a third party covered by this legislation? If so, I can't figure out how. One provision protects against wholesale keylogging (i.e., capturing every keystroke) and another protects against stealing private information "from the hard drive or other storage medium." Unless I'm missing it, I don't see anything about selective capturing of information via keylogging. This helps illustrate point #2.

In general, my opinion is that legislation that grants authority and resources to the government to fight spyware is helpful, but doing it right is really difficult. The FTC has already established some expertise and made use of existing legislation to go after spyware distributors. Maybe a simpler solution, then, would be to provide more funding and perhaps greater penalties without seeking to define a constantly moving target.

_Note: This post has been edited to correct a factual error in the name of the legislation to which Tracy Shapiro of the FTC referred._