Antispyware bill finds favour with businesses

US legislators have passed antispyware legislation aimed at criminals, but eschewed imposing regulations on businesses that use spyware for legitimate purposes.

The US House of Representatives passed an antispyware bill Tuesday that sets criminal penalties for those who defraud consumers and businesses through the use of spyware.

The antispyware bill was sponsored by Rep. Zoe Lofgren, D-Calif. It establishes a sentence of five years in prison for individuals who commit fraud with spyware. The bill is much less complex than a similar piece of legislation recently approved by the House Committee on Energy and Commerce. That legislation included a 21-page set of regulations that dictated how software and advertising companies should inform and obtain consent from computer users before installing spyware for legitimate business purposes.

Experts said the House passed the right bill. No similar bill is being considered in the Senate.

"Anything with 21 pages of dense regulations that specify what software can and can't do, written by a lot of lawyers without computer security training or even if written by computer security people, is going to have problems," said Dan Blum, vice president and director at Burton Group.

Spyware is a growing problem, experts say. Gartner has said financially motivated spyware attacks will comprise 70% of all security incidents by 2010.

Avivah Litan, vice president and research director at Gartner, said, "You don't want government getting too involved in technology implementations. It's too much of a dynamic environment. Things change very quickly. The last thing you want the government to do is to tell the private sector how to implement technology."

Besides, Litan said, 21 pages of regulations wouldn't protect consumers from fraud.

"Criminals aren't going to be stopped by any regulations that say you must notify people before installing software," Litan said. "It would only inhibit people from doing legitimate jobs."

As unlikely as it sounds, there is legitimate spyware, Litan said. Regulations would inhibit some important work.

"If Bank of America had to call a customer whenever it wanted to download fraud protection technology onto a user's computer, they'd never get anything accomplished," Litan said.

The bill makes it a crime to use spyware to intentionally obtain or transmit personal information with the intent to defraud or injure a person or cause damage to a protected computer. It also makes it a crime to use spyware to intentionally impair the security protection of a computer for such purposes.

Blum said this legislation is particularly important because it makes the attempt to use spyware for fraud a crime.

"Say someone was attempting fraud and you know they're attempting fraud, but they didn't actually succeed in committing the fraud. But it is clear that they were headed in that direction," Blum said. "Now you can still get them for trying that, whereas before you had to wait until fraud could be proven."

The bill also allocates $10 million to the attorney general for use in prosecutions of such cases of spyware crime and the practices of phishing and pharming.

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer
