Congress Takes Aim at Spyware

Inside the Capitol, three bills designed to protect consumers from malicious spyware are duking it out

by Aaron Ricadela

On the surface, a trio of antispyware bills on Capitol Hill appear to be a boon for the technology industry and its customers. If passed into law, the measures would make it a federal crime to launch software that hijacks a computer to show ads or collect personal information, while giving government agencies new powers to prosecute spyware purveyors. Such laws might also clarify the distinctions between spyware and legitimate online ads, while easing anxiety among wary Web users.

That's the best-case scenario. Back in the real world, these legislative efforts have devolved into the usual bickering among tech industry factions, as well as between the two California congresswomen who sponsored separate bills recently passed by the House of Representatives. With the likes of Microsoft (MSFT), Google (GOOG), Yahoo! (YHOO), and Symantec (SYMC) staking their ground, the fight to draft an antispyware law spotlights the complexities of legislating the use of technology while preserving innovation.

Legislative Strategies

Spyware is software that embeds itself on a personal computer, usually unbeknownst to the machine's owner. Sometimes the spyware reports back to its maker about a person's Web surfing habits in order to respond with a stream of ads to that PC. The worst variants of spyware can act as a gateway for other malicious software that can collect a user's Social Security number or credit-card data.

The lengthy legislative crusade against this scourge began with a bill proposed in the House back in 2003. That one, co-sponsored by representatives Mary Bono (R-Calif.) and Edolphus Towns (D-N.Y.), was passed by the House on June 6. Just two weeks earlier, the House had passed another bill sponsored by Representative Zoe Lofgren (D-Calif.). Further complicating matters, Senator Mark Pryor (D-Ark.) introduced a third bill June 14.

The three measures take different swipes at the always thorny challenge of trying to legislate against a technological threat without stifling innovation or creating unintended loopholes.

"One lesson we've learned over the years is the Congress is not good at legislating technologies," says Marcus Sachs, a computer security expert at SRI International, an industry research institute and think tank. In the fight against junk e-mail, the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act of 2003 simply drove spammers offshore. And the Digital Millennium Copyright Act of 1998 has pitted media and Internet companies in a battle over copyright protection online. "In this weird, squishy world of software, networking, and computers, if you get too technical, it's possible to write legislation that backfires once it's enacted," he adds.

Security Concerns vs. Seamless Surfing

The spyware tussle hinges on whether any new law should emphasize regulating the software that companies can place on a consumer's PC, or focus on punishment against spyware purveyors that harvest personal information and commit fraud (see BusinessWeek.com, 7/17/06, "The Plot to Hijack Your Computer").

One problem in crafting an effective solution is that some spyware techniques—such as tracking users' behavior online to serve them targeted pop-up ads—resemble marketing tools used by legitimate advertisers. A law that cracks down too sternly on tracking software used to personalize Web sites and ads could interfere with the seamless surfing that users have come to enjoy. But go too light on regulation, and spyware makers may exploit the law as a license to legally plant pernicious products on computers.