Congress is debating three bills that would protect citizens from spyware, but some IT professionals doubt whether the legislation can successfully address the problem.
The measures are generally designed to criminalize software that takes control of computers to collect personal data or display ads without the PC user's consent. The legislation would also bolster the ability of prosecutors to go after spyware pushers. The three bills are the Internet Spyware Prevention Act of 2007 (I-SPY Act) and Securely Protect Yourself Against Cyber Trespass Act (SPY ACT), both of which passed the House this past spring; and the Counter Spy Act of 2007, introduced last month in the Senate.
Jeffrey Jarzabek, IT director for Matocha Associates, an Oakbrook Terrace, Ill., firm specializing in architecture, engineering, general contracting and construction management, has doubts that any of these bills would be helpful. He said the latest efforts remind him of the CAN-SPAM Act, which has been largely panned as a failure.
"Laws only work when they can be enforced," he said in an email exchange. "The problem here is that the federal government doesn't know how to find people and then track their behavior. Just like the CAN-SPAM Act, if you cannot find the culprits, what can you do?"
Arkansas Sen. Mark Pryor, who introduced the Counter Spy Act in the Senate, said in a statement that spyware is a "serious infringement upon basic levels of privacy and security" and that there are very few, if any, legitimate reasons to launch it. He said his bill would prohibit the covert embedding of spyware on a user's computer without first obtaining their consent. The bill also requires the Federal Trade Commission to enforce the law as if a violation was an unfair or deceptive practice. The agency would have authority to bring a civil action against the perpetrators and criminal penalties could be imposed.
"My bill protects consumers' right to privacy and their confidence in using the Internet," Pryor said. "The industry has failed in self-regulating. It's time to step in and enact serious consequences against those who use this invasive and deceptive practice."
Bob Wilcox, vice president of corporate information security at Brookfield, Wis.-based Fiserv, is also doubtful that legislation would help crack down on spyware.
"My overall reaction is, who are we going to prosecute?" he said in an email exchange. "While it is a noble notion, the criminals are difficult to identify and without that ability, the thought that [the SPY ACT] will slow down malware, spyware, botnets or ID theft is a bit of a stretch. I don't see it being instrumental in the reduction of such activities."
Despite this skepticism, some see value in legislation if it's used to fight malware in addition to getting organizations to set sound corporate user policies and put in place tougher IT security tools.
"The use of regulations to deter malware is a piece in the overall pie," said Jeff Bardin, an IT professional working for a New England-based financial services firm. "Regulations alone can't remove malware, nor do I believe that it will ever be removed. [But] regulations in combination with technical controls at every potential layer of the Internet" can make a difference.
Bardin said regulations should be used to hold telecom providers more accountable for security, "forcing them to deliver clean pipes three miles out instead of my having to pay for dirty pipes as well as tools to clean the utility at my front door."