Feds take aim at spyware, but IT isn't optimistic

Computerworld - Two bills passed by the U.S. House of Representatives this week could make it easier for law enforcement officials to prosecute purveyors of spyware and help security vendors develop tools aimed at blocking the programs.
But the international nature of the problem makes it unlikely that the proposed U.S. laws will do much to stanch the spread of spyware, several IT managers said this week.
"I'm very happy that they are trying to do something," said Steve Gelfound, IT operations manager at the Endangered Child Unit of the National Center for Missing & Exploited Children in Alexandria, Va. "But it's really hard to try and control the Internet."
Gelfound called the proliferation of spyware a global problem. "Until everybody agrees to get together and do something, it's going to be almost impossible to stop it," he said.
The two bills, which were approved by wide margins, would impose monetary penalties and jail terms for people who use spyware programs to gather information from computers, monitor usage and serve up advertisements without user consent. Both bills still have to be approved by the Senate and signed by President Bush.
Robert Olson, a systems administrator at Uline Inc., a Waukegan, Ill.-based distributor of packing and shipping materials, said he's "ecstatic" that Congress is taking action against spyware. "The biggest win we get out of this is the availability of a solid definition that antispyware vendors can start working with" to identify and block offending programs, he said.
But like Gelfound, Olson said stopping spyware coming from overseas won't be easy. "There's really no way to enact the penalties against somebody who is pushing these things from outside the country unless you get other governments to agree," he said.
The bills would establish a useful definition of what constitutes spyware, said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. "They provide a framework for deciding what exactly is good and what's bad."
Several vendors of antispyware tools have been sued by companies that serve up Internet advertising, claiming that their products were being erroneously identified as spyware. Lindstrom said the bills approved by the House "do a good job of assigning motives on people" in such cases.
One of the bills seeks to prohibit practices such as using spyware to hijack a user's Web browser, install programs that monitor keystrokes or modify PC settings (see story). The proposed law also requires prominent opt-in notices for all programs that monitor and collect information about the online activities of users.
The otherbill would make it illegal to use spyware programs to alter security settings or to access personal data for the purpose of defrauding users.
The proposed laws are good for dealing with "homegrown" spyware, said Jarrad Winter, network security manager at Western United Insurance Co. in Irvine, Calif. "But really, the most destructive stuff comes from overseas," he said. "So in the grand scheme of things, I don't think this will make a big difference."
What's also needed, Winter said, is a continuing focus on developing better technical fixes for identifying, weeding out and stopping spyware programs.

Read more about legislation/regulation in Computerworld's Legislation/Regulation Knowledge Center.