Politicians are pressing ahead in attempts to enact antispyware legislation--though many forms of spyware are already illegal.
A U.S. House of Representatives subcommittee on Tuesday once again approved a bill that proposes up to five years in prison for malicious spyware-related activities. Reps. Zoe Lofgren (D-Calif.) and Bob Goodlatte (R-Va.) reintroduced the measure, known as the Internet Spyware Prevention Act, or I-Spy for short, in mid-March.
Similar versions passed the House by overwhelming margins in the past two congressional sessions but died before a Senate vote occurred.
"Phishing and spyware aren't just inconvenient to consumers, they represent a threat to the vitality of the Internet," Lofgren said at a hearing on the bill Tuesday afternoon. "If you can't trust the Internet, people will not use the Internet for commerce, and that is not a good thing."
Goodlatte warned that the practice--by which cybercrooks sneak software onto users' machines, often through security holes, in an attempt to steal information about them--represents "one enormous hurdle to consumer confidence on the Internet."
The bill's sponsors have said their effort differs from competing antispyware measures--backed by a different committee--because it is designed to combat the scourge without stifling software development or imposing heavy-handed regulations.
Rather than attempting to define what illicit software is, the bill would make it a crime to copy computer code onto a machine without authorization if doing so divulges "personal information" about a user or "impairs" a computer's security. Violators would face up to five years in prison.
Yet the most worrisome forms of spyware already are illegal. The Federal Trade Commission has told politicians it already possesses broad authority to punish any fraudulent and deceptive adware or spyware practices with fines, and has sued spyware purveyors in the past. U.S. Department of Justice prosecutors have said the same thing about filing criminal charges and have already engaged in prosecutions.
The subcommittee approval is an incremental step in the life cycle of the bill, which enjoys support from Microsoft, Dell, Symantec, the Center for Democracy and Technology, online advertisers and others mostly because the language is less onerous than the other committee's regulatory version. It is expected to be approved by the full House Judiciary Committee on Wednesday morning, after which it can be sent to the full House for debate.
Meanwhile, the second House committee has also been pushing for passage of a separate bill called the Spy Act, which would make it unlawful to engage in various means of "taking control" of a user's computer, to collect personally identifiable information through keystroke loggers, and to modify a user's Internet settings such as the browser's home page.
The bill has prompted concern from the online advertising industry, however, in part because of its broad prohibition on collecting information about users or their behavior without notice and their consent. Those industry representatives have argued that such a provision--even though it exempts Web cookies and software intended to prevent fraud--could unintentionally threaten Web sites that rely on cookies and other tactics to target ads and to provide free content to users.
Lofgren said the infamous Can-Spam Act, which imposed certain notice requirements on e-mail senders, is proof that the notice-and-consent approach isn't effective. She suggested it has done little to curb junk e-mailing, at the expense of burdening legitimate senders.
"Regulation of technology is almost always a bad idea because technology changes faster than Congress can legislate," she said, "and what we attempt to regulate will morph into something else."
CNET News.com's Declan McCullagh contributed to this report.