legislation

StopBadware hosts Spyware Roundtable in DC

Posted on October 30, 2007 - 18:20 by egeorge

Yesterday, StopBadware hosted a Spyware Roundtable conversation in Washington, DC, gathering leaders in spyware research and policy to discuss emerging trends and potential remedies to badware threats.

With Federal Trade Commissioner Jon Leibowitz in attendance, much of the conversation centered on ways policy and legislation could better help the FTC keep spyware purveyors at bay. The FTC favors legislative solutions that would enable it to fine spyware purveyors.

The Roundtable was chaired by StopBadware co-director John Palfrey, Center for Democracy & Technology deputy director Ari Schwartz, and Ron Teixeira of the National Cyber Security Alliance in celebration of October as National Cyber Security Awareness Month.

You can read more about the Roundtable discussion at PC World and at CNet News.

More debate over anti-spyware laws

Posted on July 2, 2007 - 13:23 by egeorge

Debate over several proposed U.S. federal anti-spyware laws continued at the Anti-Spyware Coalition conference last week at Harvard. In a panel on public policy moderated by StopBadware's own John Palfrey, panelists from the Center for Democracy and Technology and the Federal Trade Commission disagreed on the best way forward for legislation that combats spyware.

The three potential bills at stake are the I-Spy Act and the Spy Act, both recently passed in the House, and the Counter Spy Act, recently re-introduced in the Senate after failing to pass in previous sessions. Ari Schwartz, deputy director of the CDT, said that the CDT supports all three bills, on the principle that any further clarification of the illegality of spyware is a good thing. Tracy Shapiro, an attorney at the FTC, said that the FTC feels it already has enough legal power at its disposal and that further legislation might actually cause confusion.

InfoWorld highlights the debate in an article here. You can also read more about the I-Spy and Spy acts in earlier StopBadware blog posts here.

Blogging the ASC: Public Policy & Legislation

Posted on June 27, 2007 - 20:17 by egeorge

Continuing with the live-blogging of the Anti-Spyware Coalition conference, here are StopBadware intern Mike Connolly’s notes on the Public Policy discussion panel:

John Palfrey, Executive Director of the Berkman Center, is the moderator of this segment. He is joined by Ari Schwartz, Deputy Director of the Center for Democracy and Technology, and a representative from the Federal Trade Commission’s Bureau of Consumer Protection (a late substitute for another FTC speaker).

Mr. Palfrey started by asking Mr. Schwartz for a general overview of the legislative landscape with respect to Badware…

Schwartz noted that there are at least two key statutory tools in effect. First, there are the basic fraud statutes that cover unfair and deceptive trade practices, both in the online world and in terrestrial space. These statutes exist on both the Federal and State levels. Second, there is the Computer Fraud and Abuse Act (18 U.S.C. § 1030); this is a criminal statute that was originally passed by Congress in 1986 to thwart “hacking.” The act was most recently amended to include stiffer penalties under the USA PATRIOT Act of 2001, and the Department of Justice used it to indict the creator of the Loverspy software in 2005. And last year, this statute was used in the conviction of a California man who was distributing badware via botnets. He was sentenced to five years in prison.

Next, Schwartz discussed pending legislation, including the SPY Act and the I-SPY Act. The SPY Act easily passed the House earlier this year. It is a short bill that would toughen criminal penalties for bad(ware) actors, but it also contains a controversial imposition of mandatory language for notice provisions. The software industry is generally concerned that this will result in too many flashing pop-ups, creating a user experience that actually mimics adware behavior. Furthermore, the SPY Act would preempt existing Spyware laws on the State level, and it also contains a number of “broad exceptions.”

While the Center for Democracy and Technology generally supports enhanced penalties for creators and of spyware, Schwartz’s preference is for the I-SPY Act, another piece of legislation recently passed by the House which also calls for tougher penalties.

Also on the radar is the Counter Spy Act of 2007. This was introduced by Senator Mark Pryor and has received attention in the past few weeks. Schwartz speculated that this bill has something of a shot at movement through the Congress since Pryor is from the majority party and sits on a related committee.

Next, attorney and internet expert John Levine asked about the politics surrounding the pending legislation...

According to Schwartz, advertisers generally do not care for "Good Samaritan" provisions aimed at protecting anti-spyware companies and organizations. Nevertheless, Schwartz notes that even with Good Samaritan protection, Spyware producers may continue to take action on other grounds. Therefore, Schwartz would prefer to see a statement from Congress that declares anti-spyware tools to be "good" and in the public’s interest.

Bottom line: the CDT would be happy with a proposal that enhances spyware penalties and does not preempt other State law. Schwartz points to the Zango case as an example of the lack of civil penalties, and he cites the action taken in the Sony rootkit case as an example of useful State law in this area.

Another member of the audience also noted that the advertising community is generally concerned that Congress is trying to regulate behavioral targeting. Schwartz says the SPY Act is not designed to do this—but that members of Congress are in fact interested in regulating behavioral targeting via other privacy legislation.

Mr. Palfrey then asked the FTC representative about the usefulness and/or inadequacies of the existing body of law. She has been litigating spyware cases with the FTC since 2004. She explained that when she started, there was no federal law explicitly designed to apply to spyware. Therefore, she and her colleagues looked to the broad language under section 5 of the FTC Act outlawing "unfair and deceptive trade practices." In the past few years, the FTC has used this act to target some of the more nefarious spyware actors, including Seismic Entertainment.

So, is there a good argument that we do not need any new law? Could we just get by on section 5? The FTC’s general position is that new law isn’t needed, and that there is a danger in enumerating certain prohibitions: doing so might suggest a defense to Spyware developers, since the latest exploits will always be one step ahead of the law...

Furthermore, the FTC has pushed for greater civil penalties since it can be considerably more difficult to prove consumer injury in spyware cases than in other, more traditional cases where damages are more readily quantified. Mr. Palfrey suggested that the ASC community could play a role in helping to develop a better understanding of Spyware’s cost in this regard…

In general, the FTC is working to enforce principles of express consent, clear and conspicuous disclaimers, and readily available uninstallers. In the coming years, the FTC will continue to focus on establishing principles and targeting crime. They will also be on the lookout for legitimate companies with practices that "cross the line." However, it was also noted that resources are particularly thin, as the FTC has only pursued a handful of cases over the past few years.