Spyware has reached such epidemic proportions that legislators in the US Congress as well as state legislatures are responding to public outrage by drafting bills to prohibit its distribution, stem abusive practices and protect Internet user privacy. Unfortunately, pending and recently enacted antispyware legislation is considerably flawed and could actually cause more harm than good. In fact, many experts believe we'd be better off if we simply put more effort into enforcing existing laws that prohibit fraud and deceptive business practices. And nearly all knowledgeable parties acknowledge that spyware is a technology problem that requires a technology solution.
New laws, plenty of flaws
Three pieces of legislation are receiving attention and attracting most of the debate.
Bill S.2145, the SPY BLOCK Act, seeks "to regulate the unauthorized installation of computer software, to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy, and for other purposes..."
A similar bill has been introduced in the US House of Representatives. H.R.29, the Securely Protect Yourself Against Cyber Trespass Act, or SPY ACT, seeks to "protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes..." (http://www.theorator.com/bills109/hr29.html).
California has enacted an anti-spyware law, Bill 1436:843, the Consumer Protection Against Spyware Act (http://www.leginfo.ca.gov/pub/03-04/bill/sen/sb_1401-1450/sb_1436_bill_20040928_chaptered.html), to "protect California consumers from the use of spyware and malware that is deceptively or surreptitiously installed on their computers."
A case of more criticism than support
These legislatures have encountered difficulty drafting appropriate and enforceable language, and the acts under consideration have (to date) received more criticism than support. Most criticism revolves around the following issues.
Legislative definitions of spyware are imprecise. All of these bills attempt to define spyware by enumerating intrusion vectors, executable pests and bad behavior. US S.2145, for example, lists several browser hijacking actions under a clause entitled "Other Practices that Thwart User Control of Computer" (see http://www.cbo.gov/ftpdocs/59xx/doc5927/s2145ps.pdf). Enumerating a pandemic that has tens of thousands of variants can never be more than a partial effort, which will create opportunities for creative interpretation in courts of law. In a letter urging Governor Schwarzenegger to veto the bill, Pam Dixon, Executive Director of the World Privacy Forum, explains that "by dealing with only a few types of spyware, [SB 1436] will enable the majority of spyware to continue to be disseminated legally" (see http://www.privacyrights.org/ar/SB1436Letter.htm). The California law specifically calls attention to keystroke logging as an unauthorized and deceptive means of collecting personally identifying information. Because it explicitly mentions keystroke entry, is it reasonable to conclude that capturing personal information submitted to a computer by other means, like speech synthesis, is appropriate? Enumerating spyware also ensures inconsistencies across legislation, and the specter of constant amendments.
Case in point: should cookies be exempt? The US House of Representatives exempted cookies from the most recent revision of SPY ACT. Publishers in general, and the Online Publishers Association in particular, support this exemption (http://www.online-publishers.org/?pg=legislative). But Stu Sjouwerman, Chief Operating Officer of Sunbelt Software, suggests that judging cookies on the basis of the cookie itself is deceiving. "For the most part, cookies are benign and the cookies themselves are not the problem. The problem comes when personally identifiable data about you is shared among multiple sites via a 3rd party cookie. If site x collects your name and home address and you go to site y and both [sites] use 3rd party z, your address could be delivered to site y by z without your knowledge." Do any of the bills address collective bad behavior?
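The cross-site sharing Sjouwerman describes is easier to see in code. What follows is an added example written for this reprint, not code from the original article or from any of the parties quoted. It models a browser cookie jar, a third party "z" embedded on two unrelated sites "x" and "y", and a browser setting that blocks third-party cookies; the hostnames x.example, y.example and z.example, the cookie name zid and the visitor data are all constructed for illustration.

```javascript
// Added example, not part of the original article: a toy model of the
// third-party cookie scenario described above. Hostnames, the cookie name
// "zid" and the visitor data are constructed; no real site is modelled.

// A minimal cookie jar. `topLevel` is the site shown in the address bar;
// `host` is the origin that sets or reads the cookie. A cookie is
// third-party when host differs from topLevel. With blockThirdParty set,
// the jar refuses to store or return such cookies, as a browser configured
// to block third-party cookies does.
class CookieJar {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty;
    this.cookies = new Map(); // host -> Map(name -> value)
  }

  set(topLevel, host, name, value) {
    if (this.blockThirdParty && host !== topLevel) return false;
    if (!this.cookies.has(host)) this.cookies.set(host, new Map());
    this.cookies.get(host).set(name, value);
    return true;
  }

  get(topLevel, host, name) {
    if (this.blockThirdParty && host !== topLevel) return undefined;
    const perHost = this.cookies.get(host);
    return perHost ? perHost.get(name) : undefined;
  }
}

// The third party "z": a resource embedded on both x and y. It assigns each
// browser a stable identifier via its own cookie and merges whatever each
// embedding site shares into one profile keyed by that identifier. Note
// that the cookie itself holds nothing but an opaque id; the personal data
// lives on z's side, which is why judging the cookie alone misses the issue.
class Tracker {
  constructor(host) {
    this.host = host;
    this.profiles = new Map(); // zid -> merged profile
    this.nextId = 1;
  }

  // Called when a page on `topLevel` loads z and passes along data it
  // collected. Returns the identifier and the profile as z now sees it.
  beacon(jar, topLevel, sharedData) {
    let id = jar.get(topLevel, this.host, 'zid');
    if (id === undefined) {
      const candidate = `z${this.nextId++}`;
      if (!jar.set(topLevel, this.host, 'zid', candidate)) {
        // Cookie rejected: z cannot persist an identifier, so it sees this
        // request in isolation and cannot link it to any earlier visit.
        return { id: null, profile: { ...sharedData } };
      }
      id = candidate;
    }
    const profile = this.profiles.get(id) || {};
    Object.assign(profile, sharedData);
    this.profiles.set(id, profile);
    return { id, profile: { ...profile } };
  }
}

// Walk one browser through the scenario in the text: it gives site x a name
// and address, then visits site y. Returns what z can tell y about the
// visitor on that second visit.
function whatYLearns(blockThirdParty) {
  const jar = new CookieJar({ blockThirdParty });
  const z = new Tracker('z.example');
  // On x.example, the page shares the form data the visitor submitted.
  z.beacon(jar, 'x.example', { name: 'A. Visitor', address: '1 Sample St' });
  // On y.example, the page shares only the path; anything more comes from z.
  return z.beacon(jar, 'y.example', { page: '/checkout' });
}

console.log('third-party cookies allowed:', whatYLearns(false));
console.log('third-party cookies blocked:', whatYLearns(true));
```

With third-party cookies allowed, the visit to y.example comes back with the name and address that were only ever typed into x.example; with them blocked, z cannot keep an identifier across sites and y learns nothing beyond its own page. The model is deliberately simple (real browsers also partition by scheme, path and registrable domain, and apply the SameSite attribute), but it shows the point made above: the harm is in the correlation performed by the third party, not in the contents of the cookie.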
This legislation is shortsighted. All of these bills only consider the types of spyware that trouble us today. They fail to recognize the rapid pace of technology change and, more importantly, the incentive spyware developers have to employ means other than "download" and "installation" to infect a computer. Limiting the definition of spyware to software that can be installed or downloaded, terms that neither the CA bill nor US S.2145 define, is ill-advised. Fretting over whether a piece of spyware is classified as a Browser Helper Object (BHO), and whether BHOs are installed or downloaded, is ultimately irrelevant. Spyware developers, like virus writers and spammers, constantly look for new exploitable vectors. Spyware writers in particular will capitalize upon anything that provides "undetected presence". If BHOs are not exploitable in future versions of Internet Explorer, spyware developers will most certainly seek (and find) an alternative.
Proving intent to deceive or mislead is difficult. All of these bills create a heavy burden of proof for litigators. The California law states that a person or entity may not "intentionally misrepresent that software will be uninstalled or disabled by an authorized user's action, with knowledge that the software will not be so uninstalled or disabled". Technologists who are familiar with the complexities and inter-dependencies of a registry-enabled operating system giggle at the notion that one can actually prove malice or deception, given the lengthy history and considerable evidence that clean software removal is difficult to achieve. Even the recent changes to language in US S.2145 - "Preventing reasonable efforts to uninstall" - leave too much room for interpretation: how much time and effort to remove unwanted software is reasonable, and why shouldn't it apply to a PC manufacturer's installation of promotional software?
What constitutes fair disclosure? All of these bills prohibit information collection and software installation without notice and consent, but none require software to fully disclose its purpose and operation, in unambiguous language, so that Internet users can make intelligent decisions regarding consent. Spyware companies can hide behind privacy policies obscurely posted at web sites users never visit; EULA-like language that only practicing law professionals can understand; and similar means to obfuscate intent. In fact, they frequently do so today, with considerable success.
Do we really need explicit anti-spyware laws?
Some legal experts feel that much of the really nasty spyware behavior going on now could be stopped under existing laws that govern unfair trade practices and computer fraud. Susan Crawford, Assistant Professor of Law at Cardozo Law School and Policy Fellow with the Center for Democracy & Technology in Washington, D.C., said, "Spyware is a different kind of issue -- it's about the imposition of an inappropriate, unsought-for relationship in code. That relationship can only be dealt with, to my mind, by tort law and with the help of juries and judges. It's impossible to define "spyware" in a way that won't capture lots of helpful software. The fact that FTC has been able to act with respect to spyware signals that a new statute isn't needed." (see http://scrawford.blogware.com/blog/_archives/2005/1/27/287273.html). Crawford refers to the FTC's October 2004 spyware action (http://www.ftc.gov/opa/2004/10/spyware.htm).
Sunbelt's Sjouwerman and attorney David J. Steele, adjunct professor at Loyola Law School, agree that U.S. Federal and state antispyware legislation will have very little impact on illegal software installation and misuse of personal information. "Ultimately, the vast majority [of spyware] will be coming from overseas, where sites and operators are difficult to trace and cannot be brought to justice. Did the CAN-SPAM Act do anything to cut down on spam?" asked Sjouwerman. Steele added, "The real problem with Internet regulation is that it is just so easy to set up shop overseas and avoid all the legal issues that the U.S. wants to impose. There is no cyber-equivalent of a U.S. border where packets are inspected for compliance with U.S. law. And I'm not sure most Internet users want a cyber border, even if it were technically feasible."
Spyware is a technology problem that requires a technology solution. On the surface, the task of combating spyware seems to be heading in the same direction viruses and spam have taken us. Expect to see similar layered countermeasures. We need configurable operating systems and browser implementations that operate securely by default. We will be forced to employ desktop antispyware software, antispyware security gateways and subscription services to keep pace with this constantly evolving threat.
The spyware threat grows more obvious each day, and as consumers become more educated about spyware, they will hopefully take measures to protect their personal information and privacy with a greater sense of urgency than they have in response to viruses and worms. If we have any hope of reclaiming the considerable ground already lost in the cyberwar to save privacy, we must take measures to reduce the economic incentives that drive spyware development. If we complement these measures with effective enforcement of existing anti-fraud legislation, we might just beat this spyware beast into submission.
Or we can wait until spyware infests our Sidekicks, and join Paris Hilton in the "I wish I'd taken protecting my personal information seriously" club.
Originally published March 2005 in Security Pipeline, reprinted courtesy of CMP Technology and Dark Reading