Senate panel mulls action on spyware
Congress wonders what to do about pop-up ads
By Bob Sullivan
Updated: 4:52 p.m. ET May 11, 2005
WASHINGTON - The Senate Commerce Committee took up the increasingly vexing issue of spyware Wednesday, but finished the conversation without consensus on how to stop it. In fact, there wasn't even consensus on what spyware is.
Several pieces of federal legislation aimed at curbing spyware are making their way through Congress, but initiatives have gotten bogged down by the disagreement over terms. At the heart of the issue is this question: Should all unwanted pop-up ad software be banned by federal law, or just programs deemed to be fraudulent?
In the pop-up advertising industry, firms make a distinction between adware -- installed with a user's consent, however minimal -- and spyware, which sneaks its way onto computers.
"The problem is nobody thinks the software they produce is spyware," said Sen. Barbara Boxer, D-Calif.
Spyware continues to cripple consumers' computers. Several recent studies suggest that most computers connected to the Internet are infected with it. In fact, said Sen. Ron Wyden, D-Ore., spyware has surpassed spam as Internet public enemy No. 1.
"This is much more serious than spam," he said, because spyware makers can surreptitiously track Web users, and even steal their identities. "We need to make sure consumers are in charge of their computers."
Congress is considering several measures that are similar in nature to the CAN-SPAM Act of 2003, which increased penalties for spamming but, some critics say, didn't go far enough. Under pressure from marketing firms, the law left the door open for e-mail marketing, and put the burden on consumers to opt-out of e-mail pitches.
Marketing firms are pressing for similar distinctions in any spyware legislation. The industry is concerned that all pop-up marketing or advertising networks may be banned by a law that is too broad.
"We may throw the baby out with the bath water," said Trevor Hughes, executive director of the National Advertising Initiative. "Some solutions to the spyware may harm the very thing (the Internet) we are trying to protect."
Last year, the House of Representatives passed anti-spyware legislation sponsored by Rep. Mary Bono, R-Calif. The bill never reached a Senate vote. Bono's bill, the Safeguard Against Privacy Invasions Act or Spy Act, has again passed a House Committee and is awaiting a full House vote there. In March, Sen. Conrad Burns (R-Mont.) and Sen. Ron Wyden (D-Ore.) introduced the Software Principles Yielding Better Levels of Consumer Knowledge, or Spy Block Act.
Both declare deceptive installation of pop-up ad software to be illegal, and both require some form of consumer consent. But neither would do much for the millions of people who already have pop-up software installed on their machines.
The proliferation of spyware had some lawmakers suggesting more dramatic action to protect consumers. Sen. Olympia Snowe, R-Maine, asked why Congress couldn't authorize something similar to the popular Do Not Call List, which largely ended dinner-time interruptions by telemarketers.
Hughes responded by saying an overly broad definition of spyware could have "unintended consequences" for the advertising industry.
C. David Moll, CEO of antispyware firm Webroot Software Inc., said in a recent test of 1 million PCs that 90 percent were infected with spyware. He also said 250,000 Web sites on the Internet included secret code to sneak spyware onto computers. In one recent spyware installer version his company found, users presented with a dialog box could only say "yes" to download -- the "cancel" button had been disabled.
"This is an organized threat," Moll said, with spyware programmers gaining in skill every month. "To be light handed with your approach to avoid ruffling the feathers of the advertising industry will have an ill effect."
There was little disagreement among the lawmakers and panelists about the need for more resources to track down illegal pop-up advertisers. Ari Schwartz, associate director of the Center for Democracy and Technology, chronicled for the committee the months-long investigation conducted by his agency and the Federal Trade Commission of Seismic Media, which was sued by the FTC in October.
"The complexity of these cases puts an extreme strain on enforcement agencies, which struggle to tackle the problem with limited resources," he said.
High-tech headaches have gotten much attention on Capital Hill of late. On Tuesday, the Senate Commerce Committee also held another round of hearings on identity theft in light of the recent data breaches at ChoicePoint, LexisNexis, and other major U.S. firms. Additional hearings on spyware are expected later this year, as legislators attempt to find agreement among the various spyware bills. Finding agreement, and doing something to help consumers, is essential, Sen. Bill Nelson, R-Fla. said.
"All these problems are converging at once. If we don't put an end to spyware and spam and ID theft, people will be gun shy to use their computers," Nelson said.