Feds Take Aim at Spyware, but IT Isn't Optimistic

Users say global scope of problem puts many purveyors beyond reach of proposed laws

Two antispyware bills that were passed by the U.S. House of Representatives last week could make it easier for law enforcement officials to prosecute developers of such software and help security vendors develop tools aimed at blocking the programs.

But the international nature of the problem makes it unlikely that the proposed U.S. laws will do much to stanch the spread of spyware, several IT managers said last week.

"I'm very happy that they are trying to do something," said Steve Gelfound, IT operations manager for the Endangered Child Unit of the National Center for Missing & Exploited Children in Alexandria, Va. "But it's really hard to try and control the Internet."

Gelfound added that the proliferation of spyware is a global problem. "Until everybody agrees to get together and do something, it's going to be almost impossible to stop it," he said.

The two bills, which were approved by wide margins, would impose monetary penalties and jail terms for people who use spyware programs to gather information from computers, monitor usage and serve up advertisements without user consent. Both bills still have to be approved by the Senate and signed by President Bush.

Robert Olson, a systems administrator at Uline Inc., a Waukegan, Ill.-based distributor of packing and shipping materials, said he's "ecstatic" that Congress is taking action against spyware. "The biggest win we get out of this is the availability of a solid definition that antispyware vendors can start working with" to identify and block offending programs, he said.

But like Gelfound, Olson said stopping spyware coming from overseas won't be easy. "There's really no way to enact the penalties against somebody who is pushing these things from outside the country, unless you get other governments to agree," he said.

The bills would establish a useful definition of what constitutes spyware, said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. "They provide a framework for deciding what exactly is good and what's bad," he said.

Several vendors of antispyware tools have been sued by companies that serve up Internet advertising, claiming that their products were being erroneously identified as spyware. Lindstrom said the bills approved by the House "do a good job of assigning motives on people" in such cases.

One of the bills that was passed last Monday seeks to prohibit practices such as using spyware to hijack a Web browser, install programs that monitor keystrokes or modify PC settings. The proposed law also requires that prominent opt-in notices be displayed by all programs that monitor and collect information about the online activities of users.

The other bill would make it illegal to use spyware programs to alter security settings or to access personal data for the purpose of defrauding users.

The proposed laws are good for dealing with "homegrown" spyware, said Jarrad Winter, network security manager at Western United Insurance Co. in Irvine, Calif. "But really, the most destructive stuff comes from overseas," he said. "So in the grand scheme of things, I don't think this will make a big difference."

What's also needed, Winter said, is a continuing focus on developing better technical fixes for identifying, weeding out and stopping spyware programs.


Spyware Legislation

Securely Protect Yourself Against Cyber Trespass Act (H.R. 29)

Proposes fines of up to $3 million for purveyors of programs that illegally gather information, monitor usage activity, hijack Web browsers and modify computer settings.

Internet Spyware Prevention Act of 2005 (H.R. 744)

Proposes jail terms of up to three years for people who use spyware programs to intentionally alter computer security settings or to access or transmit personal data with the intent of defrauding another person.

Copyright © 2005 IDG Communications, Inc.

Shop Tech Products at Amazon