Print

Email story

Comment

Letter to the editor

Can Congress get arms around spyware problem?

Lawmakers turn their attention to the data-collecting programs - but it's unclear how much they can really do to fight abuses.

By ANITA KUMAR
Published May 2, 2005

WASHINGTON - It can crash a computer, fill a screen with pop-up ads or allow someone to steal financial information, maybe even an identity.

But most people don't know what it is.

Spyware, a catch-all phrase for software that enables a person's online movements to be tracked, has quietly become the latest threat to cybersecurity, affecting eight out of 10 computers.

Members of Congress, some of whom complain about spyware tampering with their computers, have their own ideas about how to tackle the problem.

Some say they want software companies to have to seek permission from consumers before installing data-collecting programs on their computers. Others say they want to define spyware crimes and its penalties.

"Consumers should have control over the programs on their machines and should not have their privacy jeopardized by invasive programs lurking on their computers," said Sen. Ron Wyden, an Oregon Democrat and sponsor of an antispyware bill.

Lawmakers are responding to escalating public concern about computer security, while taking advantage of the momentum to act created after personal records of thousands of Americans were released in unrelated data breaches recently.

Some software companies and industry experts, though, are skeptical the slow-moving federal government can keep up with escalating technology problems and cite the failure of a bill passed two years ago to get rid of unwanted e-mail.

They question if the bills will have enough teeth to make a difference, or are necessary since law enforcement agencies, including the Federal Trade Commission, have the power to go after companies.

Besides, they say, the best way to solve the problem is for consumers to protect their own computers, just like other property including TVs and washing machines, and arm themselves with tools the computer industry can provide.

"We wish everyone would just leave this whole thing alone," said Tom Schatz, president of Citizens Against Government Waste, a nonprofit watchdog group. "It's an over-regulation and, in that sense, a waste."

Spyware can be a problem for even the most careful computer users, leading to unwanted pop-up ads, hijacked Web browsers, changes to homepages and computer slowdowns.

Companies, many of them smaller software businesses overseas, that benefit from spyware programs monitor Web sites so they can send out pop-up ads for specific products, take over a computer to hide their illegal activities and steal passwords to access bank accounts and credit cards.

All of that can be accomplished without clicking on anything to download spyware software. It just takes a visit to an infected Web site.

Spam may be easier to see, but spyware is more dangerous.

"Consumers regularly and unknowingly download software programs that have the ability to track their every move," said Rep. Mary Bono, a California Republican and sponsor of an antispyware bill.

In October, spyware was found on 80 percent of computers in a study by America Online and the National Cyber Security Alliance. The average infected computer had more than 90 spyware programs. One had more than 1,000.

Online fraud accounted for 11.6 percent of identity theft cases. Nearly half of that, or 5.2 percent, was caused by spyware.

"It's a large and growing problem - a real online epidemic," said Michel Steffen, a policy analyst for the Center for Democracy & Technology. "No silver bullet will solve the problem."

Frank Torres, Microsoft's director of consumer affairs for Microsoft, said spyware creates a problem for his company because customers blame Microsoft for computer slowdowns and other trouble.

"Until people understand a little better what they do when they get on the Internet, nothing will help," said Charles Palmer, a manager at IBM's research center in New York.

Consumer protection laws ban the most egregious spyware practices. The Computer Fraud and Abuse Act, a 1986 law most recently amended in 2001, makes it a crime to access a computer without authorization.

Since October, the FTC has filed two lawsuits under fraud laws against spyware distributors. Both are pending, including one against notorious Internet scam artist Sanford Wallace, once dubbed the "Spam King," who is accused of infecting computers with advertising programs.

"Just when we were getting a good start on addressing spam, spyware popped up," FTC chairwoman Deborah Platt Majoras said in a speech last month. "The term spyware may be amorphous, but there is no doubt that its negative impact is real. It is hard to find any computer user who has not struggled for hours to remove spyware from his computer."

On the first day of the new Congress in January, an antispyware bill was introduced. Two more have followed. And a third is expected next week. Some bills would make specific actions illegal, such as getting personal information with the intent of hurting a person or computer, and then outline the punishment. Others would force software companies to get a computer user's permission before installing programs that can collect personal data.

Industry leaders say they worry about the bills calling for a user's permission because it fears they would inadvertently restrict legitimate software - such as the kind used to update antiviruses and deliver targeted online advertising - and would impose excessive technical requirements.

"There is very strong sentiment that something needs to get done," said Mark Uncapher, a senior vice president at Information Technology Association of America, which represents 400 companies. "But we are concerned about the unintended consequences."

At least a dozen bills involving spyware and other online privacy protection issues have been introduced on Capitol Hill and in state capitals this year. Utah and California have passed legislation. In Florida, a state Senate committee passed an antispyware bill in March. But no House companion bill has been written, and it's unlikely any action would be taken before the legislative session ends this week.

"It's very important not to overstate all of these laws," said Rep. Jim Davis, a Tampa Democrat who voted for a spyware bill in the House Energy and Commerce Committee. "It's not a cure-all."

The House is expected to consider at least one bill, sponsored by Bono requiring companies to get a computer user's permission before installing programs that can collect personal data, before the Memorial Day recess. After that the Senate is expected to take up its bill, sponsored by Sens. Ron Wyden, D-Ore., and Conrad Burns, R-Mont., outlining crimes and penalties.

If both versions pass, the chambers will have to iron out their differences. Even seemingly simple tasks, such as agreeing on a definition for spyware, could derail their efforts.

Industry experts stress that companies have, and are continuing to produce, the best solutions to protect computers. The research firm IDC estimated last year that people would spend $305-million a year on antispyware software in 2008, up from $12-million in 2003.

Creating uniform standards for the industry will help more than legislation, said Judith Collins, a criminal justice professor and identity theft expert at Michigan State University. Legislation "can certainly help - but again that is not going to resolve this problem," she said.

Lobbyists and others watching spyware bills say Congress is committed to doing something this year. Last year the House passed two antispyware bills with virtually no opposition; they died when the Senate did not act.

Richard Balough, associate director of the John Marshall Law School Center for Information Technology & Privacy Law in Chicago, said this year's bills are not strong enough. They would be more effective, he said, if, for example, they addressed companies that not only use but profit from spyware, such as advertisers on pop-up ads.

Just look at what happened in 2003. Congress set out to rid computers of junk e-mail by passing the CAN-SPAM Act.

But in the end, the final bill failed to outlaw spam.

Times researchers Kitty Bennett, Carolyn Edds and Deirdre Morrow contributed to this report. Anita Kumar can be reached at 202 463-0576 or kumar@sptimes.com

[Last modified May 2, 2005, 14:53:02]