Posted by Maxim Weinstein
Wed, 11 Jun 2008 20:12:00 GMT
A U.S. Senate hearing was scheduled today to hear testimony on the issue of spyware, with the conversation focused primarily around the Counter Spy Act of 2007, proposed last year by Arkansas Senator Mark Pryor.
The bill provides some very specific definitions of prohibited behavior and grants explicit power to the Federal Trade Commission (FTC) to enforce compliance. It also increases the penalties available to the FTC.
Last year, there was some discussion of this legislation and similar laws that passed the House. StopBadware.org even weighed in with some thoughts of its own.
Taking a current look at the Counter Spy Act raises a few questions in my mind:
1. Does the FTC need explicit legislation granting it additional authority? As of last year, the FTC said no:
Tracy Shapiro, an attorney for the FTC’s Advertising Practices Division, said the federal watchdog would like to see legislation that increases civil penalties against cyber-criminals, but it feels that the new bills could eventually get in its way in bringing accused spyware companies to trial. Section V of the Federal Trade Commission Act remains broad enough to provide for continued prosecution of the most significant offenders, including spyware providers, she said.
2. StopBadware.org has changed its badware guidelines multiple times in just two and a half years, due to ongoing changes in technology and badware practices, as well as an ongoing desire to make sure that we’re “getting it right.” If legislation defines spyware specifically, what happens when a new piece of spyware falls outside that definition?
3. The Counter Spy Act appears to explicitly allow (or at least protect from FTC action under this law) unauthorized installation of software on a user’s computer, so long as that software doesn’t engage specifically in spying or certain advertising behavior. If the government is going to have enforcement authority, shouldn’t it have more discretion?
4. Is stealing social security or account numbers as they’re typed and sending them to a third party covered by this legislation? If so, I can’t figure out how. One provision protects against wholesale keylogging (i.e., capturing every keystroke) and another protects against stealing private information “from the hard drive or other storage medium.” Unless I’m missing it, I don’t see anything about selective capturing of information via keylogging. This helps illustrate point #2.
In general, my opinion is that legislation that grants authority and resources to the government to fight spyware is helpful, but doing it right is really difficult. The FTC has already established some expertise and made use of existing legislation to go after spyware distributors. Maybe a simpler solution, then, would be to provide more funding and perhaps greater penalties without seeking to define a constantly-moving target.
Note: This post has been edited to correct a factual error in the name of the legislation to which Tracy Shapiro of the FTC referred.
Posted in all | Tags ftc, legislation, stopbadware
Posted by Erica George
Tue, 30 Oct 2007 22:00:00 GMT
Yesterday, StopBadware hosted a Spyware Roundtable conversation in Washington, DC, gathering leaders in spyware research and policy to discuss emerging trends and potential remedies to badware threats.
With Federal Trade Commissioner Jon Leibowitz in attendance, much of the conversation centered on ways policy and legislation could better help the FTC keep spyware purveyors at bay. The FTC favors legislative solutions that would enable it to fine spyware purveyors.
The Roundtable was chaired by StopBadware co-director John Palfrey, Center for Democracy & Technology deputy director Ari Schwartz, and Ron Teixeira of the National Cyber Security Alliance in celebration of October as National Cyber Security Awareness Month.
You can read more about the Roundtable discussion at PC World and at CNet News.
Posted in all | Tags cdt, ftc, legislation, ncsa, ncsam, policy, spyware
Posted by Erica George
Mon, 02 Jul 2007 16:25:00 GMT
Debate over several proposed U.S. federal anti-spyware laws continued at the Anti-Spyware Coalition conference last week at Harvard. In a panel on public policy moderated by StopBadware’s own John Palfrey, panelists from the Center for Democracy and Technology and the Federal Trade Commission disagreed on the best way forward for legislation that combats spyware.
The three potential bills at stake are the I-Spy Act and the Spy Act, both recently passed in the House, and the Counter Spy Act, recently re-introduced in the Senate after failing to pass in previous sessions. Ari Schwartz, deputy director of the CDT, said that the CDT supports all three bills, on the principle that any further clarification of the illegality of spyware is a good thing. Tracy Shapiro, an attorney at the FTC, said that the FTC feels it already has enough legal power at its disposal and that further legislation might actually cause confusion.
InfoWorld highlights the debate in an article here. You can also read more about the I-Spy and Spy acts in earlier StopBadware blog posts here.
Posted in all | Tags AntiSpywareCoalition, ASC, legislation, spyware
Posted by Erica George
Thu, 28 Jun 2007 00:13:00 GMT
Continuing with the live-blogging of the Anti-Spyware Coalition conference, here are StopBadware intern Mike Connolly’s notes on the Public Policy discussion panel:
John Palfrey, Executive Director of the Berkman Center, is the moderator of this segment. He is joined by Ari Schwartz, Deputy Director of the Center for Democracy and Technology, and a representative from the Federal Trade Commission’s Bureau of Consumer Protection (a late substitute for another FTC speaker).
Mr. Palfrey started by asking Mr. Schwartz for a general overview of the legislative landscape with respect to Badware…
Schwartz noted that there are at least two key statutory tools in effect. First, there are the basic fraud statutes that cover unfair and deceptive trade practices, both in the online world and in terrestrial space. These statutes exist on both the Federal and State levels. Second, there is the Computer Fraud and Abuse Act (18 U.S.C. § 1030)—this is a criminal statute that was originally passed by Congress in 1986 to thwart “hacking.” The act was most recently amended to include stiffer penalties under the USA PATRIOT Act of 2001, and the Department of Justice used it to indict the creator of the Loverspy software in 2005. And last year, this statute was used in the conviction of a California man who was distributing badware via botnets. He was sentenced to five years in prison.
Next, Schwartz discussed pending legislation, including the SPY Act and the I-SPY Act. The SPY Act easily passed the House earlier this year. It is a short bill that would toughen criminal penalties for bad(ware) actors, but it also contains a controversial imposition of mandatory language for notice provisions. The software industry is generally concerned that this will result in too many flashing pop-ups, creating a user experience that actually mimics adware behavior. Furthermore, the SPY Act would preempt existing Spyware laws on the State level, and it also contains a number of “broad exceptions.”
While the Center for Democracy and Technology generally supports enhanced penalties for creators and of spyware, Schwartz’s preference is for the I-SPY Act, another piece of legislation recently passed by the House which also calls for tougher penalties.
Also on the radar is the Counter Spy Act of 2007. This was introduced by Senator Mark Pryor and has received attention in the past few weeks. Schwartz speculated that this bill has something of a shot at movement through the Congress since Pryor is from the majority party and sits on a related committee.
Next, attorney and internet expert John Levine asked about the politics surrounding the pending legislation…
According to Schwartz, advertisers generally do not care for “Good Samaritan” provisions aimed at protecting anti-spyware companies and organizations. Nevertheless, Schwartz notes that even with Good Samaritan protection, Spyware producers may continue to take action on other grounds. Therefore, Schwartz would prefer to see a statement from Congress that declares anti-spyware tools to be “good” and in the public’s interest.
Bottom line: the CDT would be happy with a proposal that enhances spyware penalties and does not preempt other State law. Schwartz points to the Zango case as an example of the lack of civil penalties, and he cites the action taken in the Sony rootkit case as an example of useful State law in this area.
Another member of the audience also noted that the advertising community is generally concerned that Congress is trying to regulate behavioral targeting. Schwartz says the SPY Act is not designed to do this—but that members of Congress are in fact interested in regulating behavioral targeting via other privacy legislation.
Mr. Palfrey then asked the FTC representative about the usefulness and/or inadequacies of the existing body of law. She has been litigating spyware cases with the FTC since 2004. She explained that when she started, there was no federal law explicitly designed to apply to spyware. Therefore, she and her colleagues looked to the broad language under section 5 of the FTC Act outlawing “unfair and deceptive trade practices.” In the past few years, the FTC has used this act to target some of the more nefarious spyware actors, including Seismic Entertainment.
So, is there a good argument that we do not need any new law? Could we just get by on section 5? The FTC’s general position is that new law isn’t needed, and that there is a danger in enumerating certain prohibitions since that might suggest a defense to Spyware developers since the latest exploits will always be one step ahead of the law…
Furthermore, the FTC has pushed for greater civil penalties since it can be considerably more difficult to prove consumer injury in spyware cases than in other, more traditional cases where damages are more readily quantified. Mr. Palfrey suggested that the ASC community could play a role in helping to develop a better understanding of Spyware’s cost in this regard…
In general, the FTC is working to enforce principles of express consent, clear and conspicuous disclaimers, and readily available uninstallers. In the coming years, the FTC will continue to focus on establishing principles and targeting crime. They will also be on the lookout for legitimate companies with practices that “cross the line.” However, it was also noted that resources are particularly thin, as the FTC has only pursued a handful of cases over the past few years.
Posted in all | Tags AntiSpywareCoalition, ASC, events, legislation, policy, spyware
Posted by Erica George
Wed, 13 Jun 2007 20:32:00 GMT
Yesterday, the blog BoingBoing highlighted an analysis of the Spy Act by the Electronic Frontier Foundation that raises troubling questions about the Spy Act, an anti-spyware bill which recently passed the U.S. House.
The EFF’s analysis questions the wording of Section 6 of the Spy Act, which describes the proposed act’s effect on other laws. Section 6 would allow the Spy Act, as federal law, to preempt existing State laws which, according to EFF, are in some cases stronger in their provisions against spyware.
Most troubling, Section 6 also would prohibit private citizens from suing spyware producers and distributors, reserving that right for state Attorneys General and the FTC. As the EFF’s Fred von Lohmann notes, this provision would have made impossible the EFF’s action against Sony over badware rootkits that installed along with Sony’s digital restrictions management on music CDs.
Also see StopBadware’s previous post on the Spy Act, which raised concerns over a focus on regulation over criminal enforcement.
Posted in all | Tags legislation, spyware
Posted by Erica George
Fri, 08 Jun 2007 21:43:00 GMT
On Wednesday, the U.S. House passed a second piece of anti-spyware legislation, known as the Spy Act. Unlike the I-Spy Act which passed the House in late May and which focuses only on ensuring criminal penalties for spyware purveyors, the Spy Act adds a layer of regulatory requirements for software vendors. The act would require websites to obtain proactive consent from users for all collections of personal information, a provision several technology companies are concerned could become overly burdensome.
StopBadware applauds lawmakers for recognizing the problem of spyware and working towards solutions. However, we are concerned that a focus on regulatory requirements may prove detrimental to innovation online. We believe the best legislative approach to protecting consumers is to focus on consumer rights to online privacy, and on criminal penalties for those who violate those rights by distributing spyware, rather than on regulations for all software producers.
You can read more at CNet, or see the bill here.
Posted in all | Tags legislation, spyware
Posted by Erica George
Thu, 24 May 2007 21:15:00 GMT
Earlier this week, the U.S. House of Representatives passed legislation aimed at fighting the fraudulent use of the Internet through spyware and other harmful scams. Spearheaded by Rep. Zoe Lofgren, the Internet Spyware Prevention Act, if signed into law, would impose criminal penalties for those who access a computer without authorization and with the intent to commit fraud, and for those who transmit personal identification information over the internet with the intent to injure or to commit fraud. The bill also authorizes $40 million for the Department of Justice to combat other computer-related scams.
The bill does not include controversial proposed language that would have required software distributors to notify and seek consent from software users. Those provisions were generally viewed unfavorably by the software developer community as overreaching policy that would have become stifling to innovation.
For more information, see this Security News article.
Posted in all | Tags legislation, spyware