A new federal bill hopes to eliminate spyware -- software that quietly relays user information or even keystrokes to outsiders -- and rein in adware, which prompts those annoying pop-up advertisements. The goal is to protect users from identity theft and organizations from intellectual-property loss.
The SPYBLOCK Act, introduced by senators Ron Wyden (D-Ore.), Conrad Burns (R-Mont.) and Barbara Boxer (D-Calif.), prohibits installation of software on a user's computer without consent, and requires reasonable uninstall procedures. Also illegal would be sharing a user's information with third parties without explicit approval, sending users to fake Web sites in phishing attacks, or using browser vulnerabilities to force "drive-by downloads." The Federal Trade Commission (FTC) and state attorneys general would enforce the bill, and could file injunctions and levy fines.
Utah, Iowa and California state legislatures also are weighing antispyware bills.
The legislation comes amid reports of a spyware epidemic, according to new research from the University of Washington (UW), as reported by New Scientist magazine. Scans of the 31,000 computers connected to the UW network revealed 1 in 20 were running one of four spyware programs: Cydoor, eZula, the former Gator or SaveNow. Given the university's computer-savvy user base, researchers surmise infection rates are much higher in the general population.
Further making the case against spyware and adware, UW researchers were able to fool Gator and eZula -- which have built-in mechanisms for downloading updates and further third-party software onto a user's PC -- into accepting and running executable files.
Software distributors seem to be on notice. Gator, for example, recently changed its name to Claria Corp. Claria spokesperson Elena Kochergina says the latest version of its software -- free, but for the cost of adware -- contains a "plain English end-user license agreement" outlining any products or advertising deals the product proposes to install, and "does not request or hold on to any personally identifiable information."
Yet could Spyblock live up to its name? Many security experts are withholding judgment. "We still need to examine it to see what the unintended consequences might be," says Ari Schwartz, an associate director for privacy rights group the Center for Democracy and Technology (CDT).
In fact, current legislation could be enough to corral spyware companies. "We believe they're already breaking laws by deception," says Schwartz. For example, the CDT filed a "deceptive practices" complaint with the FTC over software company MailWiper, which develops Spy Wiper software. The complaint alleges that MailWiper hijacks users' browsers, altering homepage settings and funneling deceptive advertising.
The problem is untangling what spyware does, and who's behind it. "For us to track down this company, we had to work with a range of people ... then spend days tracing it back," Schwartz says. The message: enforcing Spyblock wouldn't be easy, especially if a trace-back ends overseas.