Making the wrong move against spyware

CNET News.com's Washington watcher Declan McCullagh explains why a new congressional anti-spyware proposal is doomed to irrelevance.

Declan McCullagh Former Senior Writer

Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

See full bio

Declan McCullagh

May 3, 2005 7:34 a.m. PT

4 min read

Spyware's creators must be uniquely bad people.

Anyone who distributes malicious code that infects your computer and surreptitiously monitors what you're doing deserves what's coming to them. The problem is that the measures in an ostensibly anti-spyware bill due for a vote in the U.S. House of Representatives may not be the best way to punish these folks.

No doubt the bill's sponsors, led by Rep. Mary Bono, a California Republican, sincerely believe that their Spy Act will outlaw dubious adware and spyware practices.

It's not clear, though, that the Spy Act is necessary or wise. It could end up being no more useful than the Can-Spam Act of 2003, which hasn't exactly eliminated junk e-mail. (CNET News.com's sister site, Download.com, is hosting an anti-spyware workshop on Tuesday in San Francisco to explore this question in more detail.)

What the Spy Act's sponsors don't like to admit is that current law already prohibits spyware, which is software that can slip onto a PC through a breach in Microsoft Windows or Internet Explorer without a hapless user noticing.

Legitimate companies would have to comply with an avalanche of regulations of dubious value.

The Federal Trade Commission enjoys broad authority to punish any fraudulent and deceptive practices with fines, and its commissioners have testified that they're willing and able to wield that authority against miscreants. Department of Justice prosecutors have said the same thing about filing criminal charges.

Adware also is covered by existing federal and state law. (While the term is somewhat amorphous, it tends to refer to pop-up advertising software such as that bundled by WhenU and Claria, formerly Gator, with other applications.)

The FTC has been paying close attention to dubious adware practices, as have state prosecutors. Last week, for instance, New York Attorney General Eliot Spitzer filed suit against Intermix Media, claiming the company "secretly" installed ad-delivery programs on PCs. For its part, Intermix said it "does not promote or condone spyware" and blamed any ethical lapses on "prior leadership."

In other words, the process seems to be mostly working.

Unintended consequences?
The Spy Act would disrupt that process. The latest version has ballooned to 4,400 words and hands broad new powers to the FTC so that it can police America's software industry. Legitimate companies would have to comply with an avalanche of regulations of dubious value--yielding pop-up privacy notices that Americans may ignore as completely as they do the junk mail that the Gramm-Leach-Bliley Act requires banks and credit unions to send out.

No wonder that even technology trade associations, such as the Information Technology Association of America, that loathe spyware are critical of this legislation. (They do like how it would zap state spyware laws, though, creating a single national standard.)

"The primary risk is that future benign interactive software may be prevented because of the very prescriptive nature of the Bono bill's notice requirements, which depend upon a consumer reading each text-based informational notice when entering a Web site or accessing content," says Mark Uncapher, a senior vice president at the ITAA.

A better approach might be one that takes aim at problematic behavior rather than problematic technology.

This is what tends to happen when politicians write laws that treat technology as something that's as easy to define as a food product or an agricultural implement. It isn't. Software is much more malleable: What is a Web browser one day may become an instant-messaging client the next.

"If you're going to write a law targeting bad acts, there are always line-drawing problems," says Peter Swire, a law professor at Ohio State University. "There is a big category of questions. The bill has been focused on computers and retail spyware, if you will. In order to run the network, system administrators have to use all sorts of tools. I've heard complaints from network companies that routing and other network administration tools might be included."

Because Bono's bill is written primarily with Web browsers in mind, odd gaps appear in its coverage. It prohibits "diverting the Internet browser," but doesn't mention mischief aimed at instant-messaging clients. Manipulating "a list of bookmarks used by the computer to access Web pages" is verboten, but not manipulating a list of RSS bookmarks. Monitoring the "Web pages" visited to deliver ads is explicitly covered, but not monitoring the contents of e-mail correspondence.

A better approach might be one that takes aim at problematic behavior rather than problematic technology. That's what a competing spyware bill, introduced by Republican Rep. Bob Goodlatte of Virginia, proposes. Goodlatte's one-page bill simply says it's illegal to install software "without authorization" if it leaks personal information or "impairs" a computer's security--an approach backed by the ITAA and other technology groups.

But the House Republican leadership seems eager to stage a vote soon, so that politicians can claim to have "outlawed" spyware. That means there's not much time left for cooler heads to prevail.