Experts to Congress: Regulate Spyware

By Matthew Harwood

Information and computer security experts yesterday evaluated the Senate's legislation to protect the privacy and security of consumers and businesses from the ravages of spyware before the Senate's Committee on Commerce, Science, and Transportation.

The legislation under discussion would prevent the unauthorized downloading of software onto a computer for the sake of tracking a user's online behavior or gaining access to their personal information without their express approval.

"Spyware and other malware that is downloaded without authorization can cause a range of problems for computer users, from nuisance adware that delivers pop-up ads, to software that causes sluggish computer performance, to keystroke loggers that capture sensitive information," said Eileen Harrington, deputy director of the Bureau of Consumer Protection of the Federal Trade Commission (FTC). Swiping such sensitive information can lead to identity theft and fraud.

According to the computer security firm Symantec, 1.8 million known malware and security risks are proliferating around the Internet, with a majority discovered in the last 18 months.

Witnesses overwhelmingly defended Congress' attempt to regulate how software can be downloaded onto computers.

The bill seeks to increase fines threefold for unauthorized spyware and adware peddlers. Presently, the FTC only seeks to have convicted firms "disgorge," or return, their ill-gotten gains.

Benjamin Edelman, an assistant professor at Harvard Business School, agreed that stiffer fines will make purveyors of spyware and adware think twice.

"Effective deterrence requires a penalty that exceeds disgorgement, since investigation and litigation are less than certain," he said. "Otherwise, a rational perpetrator would proceed in expectation of sometimes getting to keep the proceeds."

Vincent Weafer, vice president of security response for Symantec Corporation; Arthur A. Butler, an attorney representing Americans for Fair Electronic Commerce Transactions (AFFECT); and Marc Rotenberg, executive director of the Electronic Privacy Information Center, said they supported the Senate's bill, but had suggestions to improve it.

Both Weafer and Rotenberg testified that the Senate bill should not preempt stricter state laws. "Federal law should set a baseline of privacy protection," Rotenberg said. "It should not cap it."

Butler, however, took issue with what he called "overly broad" exception language in the bill.

The bill, as written, he said, allows software vendors to download code into their products that would enable them to monitor a user's activities on the assumption that the vendor would only monitor for fraudulent or illegal use of its product.

"It would allow the provider to set itself up as an ad hoc police force to conduct warrantless searches and to act as judge and jury to conduct unilateral seizures," Butler said. "Private entities do not and should not have the right to conduct law enforcement activities."

Weafer, however, supported the provision, and said it is invaluable to protecting vendors from software piracy. "Software piracy results in almost $50 billion in losses to the software industry each year," he said, "including more than $8 billion in the U.S. alone."

But Butler said that if this provision remains, software providers would have the power to unilaterally shut down the user's computer or Internet when a dispute arose. This happened to Revlon Inc. when it refused to pay for warehouse-management software bought from Logisticon, Inc. In response, Logisticon shut down its software for three days, resulting in a $20 million loss to Revlon.

Butler said that when a dispute arises, a software vendor should have to take its dispute to court before the software is shut down.

Jerry Cerasale, senior vice president of government affairs for Direct Marketing Association, Inc., argued that government regulation was not the solution.

"In our experience," he said, "industry guidelines are the most effective way to address concerns that arise in the continuously changing technological landscape."

Cerasale fears regulation could stifle e-commerce when it has exhibited "staggering growth." Last year, customers spent $733 million online in one day known as Cyber Monday - a 21 percent increase over 2006 and more than the amount customers spent on Black Friday, the start of the holiday shopping season.

Moreover, he remains skeptical that regulation is needed due to anti-spyware technologies, the enforcement of existing laws, and industry guidelines, which have beaten back spyware's threat over the last three years.

Weafer also cautioned lawmakers that the legislation must only target unfair or deceptive practices behind unauthorized software downloads and not the software technology itself. Technology is not the problem, he argued; it's how it is used. Congress should therefore refrain from regulating the technology itself, lest it impede innovation.
