On Monday, the U. S. House of Representatives passed two separate pieces of “spyware” legislation, only one of which actually promises to do anything to help consumers terrorized by unwanted spyware and adware.
[Author’s Note: From this point forward, I’m going to try and use the term “malware” to collectively describe the follies, felonies, and frauds, that constitute much of the behavior of the spyware and adware industries. If you want to know more about why I’m using the term malware, please read my explanation.]
As reported by CNet News.com’s ace DC bureau chief Declan McCullagh (who is apparently moving out here to SF soon; congrats Declan! and yay for us who enjoy his company!), the two bills take a very different tack, and together amount to exactly 200% more spyware legislation than the U.S. Senate managed to approve last year!
The first bill, H.R. 29, sponsored by Rep. Mary Bono (R-Ca.), identifies many of the most annoying and damaging features of “spyware,” “adware,” and anything else that falls into the semantic morass in between. It also focuses on issues of end-user notice and consent, two areas where most adware and spyware have chronic deficiencies. This bill would also empower the Federal Trade Commission to continue looking into malware issues, and require them to create regulations to guide future enforcement.
The second bill, H.R. 744, sponsored by Rep. Bob Goodlatte (R-Va.) and Rep. Zoe Lofgren (D-Ca.), is a far narrower bill, focused primarily on only that software used to steal personal information for the purpose of committing fraud or to intentionally crash someones computer. As such, the bill would offer virtually no protection for those consumers who are besieged by software, whose intention may not be, but whose actual consequences are crashed computers and frustrated end-users.
I’m still digesting the final version of the Bono bill and trying to determine what actual effect it might have on protecting end-users from the excesses of the adware and spyware industries. But my initial reading of the Goodlatte-Lofgren bill is that to the extent it prohibits unauthorized access to private data, it offers consumers nothing in the way of new protections over existing law. However, the language does a masterful job of completely avoiding any impact on some of the worst players in the malware business… many of whom I’ve written about extensively in this blog.
Why does the Goodlatte-Lofgren bill completely miss the boat?
First, the bill focuses on anyone who, “intentionally obtains… personal information with the intent to defraud or injure… or cause damage to a protected computer…” Of course, the makers of most spyware and adware don’t “intentionally” crash people’s computers, even though their software routinely does it. Indeed, according to Microsoft’s anti-malware team leader, Jason Garms:
“The primary problem that users have with spyware is that their systems crash or are really slow or don’t behave in the way they expect them to,” Garms said. “We try to figure out how many of the crashes that are reported to us are actually attributable to spyware, and it turns out that at least one-third of those machines had spyware installed on them, so it is a big problem.”
Second, the Goodlatte-Lofgren bill focuses on “intentional” gathering of personal information for purposes of committing fraud (which is already illegal). Most malware companies are proud that they only gather “aggregated” or “anonymous” data while their software is monitoring your Internet activities. They don’t need your Social Security number to cause an annoying pop-up ad; they don’t need your mother’s maiden name to hijack your default search engine. Thus, by limiting the reach of penalties to only those bad guys who are already committing fraud, they have created a loophole through which you can drive the entire malware industry.
So, pound for pound, I think the Bono bill is looking like a better piece of legislation. It doesn’t buy into the adware companies’ word-games and instead focuses on the actual harm visited upon consumers. The Bono bill reads like a laundry list of the annoying, frustrating, and intentionally harmful things that I have personally witnessed while trying to exorcise the demon-spawn of companies like Claria, WhenU, CoolSavings, QooLogic, 180 Solutions, and others, from the computers of my friends and family.
Meanwhile, the semantic battle over “adware” vs. “spyware” has Microsoft seeking protection from the frivolous, harassing lawsuits that have become the stock-in-trade of many of the most notorious malware companies. It seems that whenever malware companies perceive a threat, they try to kill the messenger. CNet pointed out a few of those incidents, such as Claria’s lawsuit against PC Pitstop, New.net’s suit against the maker of Ad-Aware, and threats against the tireless anti-spyware advocate Ben Edelman.