by Sandy Kendall

Can a New Law Neutralize Spyware?

Mar 15, 2004
CSO and CISO | Data and Information Security

Computer scientists at the University of Washington recently released results of a study suggesting that one in 20 computers may be infected with spyware programs that can track what their users do online, alter browser settings and spawn uncontrollable pop-up ads. Steven Gribble, who conducted the study, told the New Scientist that his team studied 31,303 computers connected to the UW network, looking for only the four most common spyware programs. They found that within the university, 69 percent of all departments and offices contained at least one computer running the programs, and that overall 5.1 percent of connected machines had a spyware program running. Gribble said that because the university's computer users are more technically aware than the average Internet user, he believed the study underestimates the extent of spyware on the wider Internet.

Spyware such as Gator, Cydoor, SaveNow and eZula, the four searched for by Gribble's study, and countless others, often ends up on people's computers after they download free programs, such as file-sharing software, media players or online greeting cards. With the legitimate stuff, legally speaking, users are informed about the software piggybacking, in minute print buried in the middle of a license agreement. Other, more devious spyware can install itself by drive-by downloads, where it is unwittingly downloaded by users when they merely visit certain websites. Worse yet, these programs frequently are next to impossible to uninstall, at least without special software tools. And, while there is no evidence of this happening in any widespread way, the UW team discovered a simple method of using some of the programs to run unauthorized code on a computer or hack into computers running the program.

Our dependence on the Internet as critical infrastructure becomes more obvious each day, and the U.S. Senate has not been blind to that. That's why Sens. Ron Wyden (D-Or.), Barbara Boxer (D-Calif.) and Conrad Burns (R-Mont.) recently introduced legislation called SPYBLOCK that would prohibit the installation of software on any computer without notifying its user and getting their specific consent, and would require companies that offer software downloads to provide more information about what the programs do and what information they collect. The bill would make illegal the sharing of collected information with third parties and would require reasonable uninstall procedures for all downloadable software. It would allow states to sue violators in federal court, and would be enforced by the Federal Trade Commission (FTC), which could impose fines and civil penalties.

Who could argue with that? Anyone who thinks the bill doesn't go far enough. Some critics of the proposed legislation are dubious about letting the FTC regulate this, and they are leery of the restriction that allows states to sue, but not individuals. Many point to the CAN-SPAM Act, upon which this bill is based, and ask: Are you really receiving any less spam? As with e-mail, they say, the sleazier the spyware operation, the less likely the law would discourage it. Researcher Steven Gribble says he and his colleagues think legislation may not be enough; they call for educating users and promoting network tools for scanning for spyware. Still other security experts are withholding judgment, concerned about unintended consequences that may emerge.

Where do you stand? Should we lay off making new laws and just enforce the current consumer protection legislation we already have? Or should we push for much more rigorous legislation? Let us know your mind.