The Federal Trade Commission calls spyware a serious threat to consumers. A recent study shows it's spreading like wildfire. While lawmakers face growing pressure to do something about it, some civil liberties groups worry new laws can have unintended consequences.
"In some cases, it could actually do harm," said Fred von Lohmann, senior intellectual property attorney for the Electronic Frontier Foundation, a San Francisco-based civil liberties group focused on technology. "Consumers are far more likely to find the protection they want from tools available in the free market than they are from legislation. The problem with legislation is that it can be too broad and affect legitimate products."
Spyware is seen as a rapidly growing problem. A "spyaudit" conducted by Webroot Software of Boulder, Colo., and Atlanta-based ISP Earthlink found more than 40.8 million instances of spyware from almost 1.5 million scans in the first four months of 2004.
The U.S. House Energy and Commerce Committee responded to the threat Thursday, approving the SPY Act by a 45-4 vote. The bill requires that spyware programs be easily identifiable and removable and allow for collection of personal information only if the user consents. It also includes tough fines against abusers. It now faces a vote from the full House, while companion legislation has been filed in the Senate.
Congresswoman Mary Bono, R-Calif., who sponsored the SPY Act, hailed the vote. "I feel that we have fashioned a bill that is strong enough to protect consumers from spyware-related privacy invasions without impeding the growth of technology," she said in a statement.
Still, von Lohmann worries any legislation can define spyware too broadly; lumping good programs with the bad.
"I'm not saying Congress has no role to play," he said. "One way it could make a dent is to make sure companies that offer tools against spyware are protected against lawsuits from spyware companies."
Utah's spyware control law, the nation's first, is an example of bad legislation, he said; a response to a legal battle between New York-based desktop advertising network WhenU and Utah-based contact lenses provider 1-800 CONTACTS that never should have happened.
"Utah lawmakers basically sided with 1-800 CONTACTS," von Lohmann said. "The law was too broad and was put together by 1-800 lawyers."
A Salt Lake City judge appears to agree, granting an injunction this week that freezes the law. WhenU filed the injunction, and in a statement called the ruling an important one for the Internet advertising industry. 1-800 CONTACTS didn't return a request for comment.
Chris Hoofnagle, associate director of the Washington D.C.-based Electronic Privacy Information Center, shares von Lohmann's concerns.
"The problem I have is that industry lobbyists get involved and get themselves exempt from the rules," Hoofnagle said. "Another problem is that Congress has a tendency to pass laws that declare something a nuisance and asks the FTC to do something. Then they don't revisit the law for 10 years. Meanwhile, new technology comes along that is legitimate and it is affected by laws that were designed for an older problem."
While it sees spyware as a growing scourge, Tom Paul, assistant director of advertising practices for the FTC, is confident lawmakers understand how to define spyware and how to target the legislation.
"There have been efforts on Capitol Hill to make legislation more focused on the results of spyware than on what defines it," Paul said. "Bono's original bill was a wider brush. You don't want to have broader software regulation. But you do want to punish those who deceive."
Paul is encouraged by amendments that have since been added to the SPY Act. The bill now includes provisions -- some recommended by Cliff Stearns (R-Fla.) -- that prohibit unfair or deceptive behavior such as keystroke logging, computer hijacking and the display of advertisements that can't be closed.
"The Stearns substitute focuses more on bad acts and deceptions than definitions, and that's good," Paul said.