A bill to take the “spy” out of spyware got a public hearing before a Congressional subcommittee Wednesday.
The legislation filed by Rep. Mary Bono (R-California) would require spyware purveyors to inform computer users of the presence, nature and function of their applications, as well as seek permission from users before downloading intrusive goods to their computers.
“Unfortunately, consumers regularly and unknowingly download software programs that have the ability to track their every move,” Bono told members of the House Commerce, Trade and Consumer Protection Subcommittee of the House Energy and Commerce Committee.
Not Just Annoying
“Consumers are sometimes informed when they download such software,” she continued. “However, the notice is often buried in multithousand-word documents that are filled with technical terms and legalese that would confuse even a high-tech expert.”
Spyware — software intended to aid an unauthorized party in obtaining private information from a computer without the computer owner’s knowledge — used to be considered an annoyance, but it has become much more than that.
“The issue of spyware has been around for a long time, but we’ve noticed that it’s becoming increasingly malicious,” said Ken Sokol, senior product manager at Clearswift of Bellevue, Washington, a maker of Internet and e-mail filtering software.
“You’re starting to see some very sophisticated capabilities built into these things,” he told TechNewsWorld. “Some spyware will sit there and monitor what you’re doing at your computer or steal sensitive information about you or your customers.”
Until now, spyware has been seen as primarily a consumer problem, but Clearswift issued a white paper on the eve of the Congressional hearing suggesting the malware will create serious trouble for businesses, too.
“[Programs that] have been marketed and sold as corporate security devices and parental control software for kids are finding their way into the hands of hackers and criminals [who aim to] remotely [take] control of a victim’s PC to facilitate industrial espionage,” Clearswift Threatlab manager Pete Simpson said in a statement.
“Commercial spyware is a serious threat to corporate networks and unless taken seriously, can place personal and corporate confidential information at risk, resulting in identity theft and corporate espionage,” he noted.
Silent and Dangerous
The connection between spyware and identity theft was also argued at the Congressional hearing by Roger Thompson, vice president for product development at Carlisle, Pennsylvania-based PestPatrol, maker of an antihacking utility that detects and removes hacker tools, spyware and Trojan horses.
In testimony submitted to the subcommittee, Thompson said: “Spyware is silent. It’s invisible to the consumer. It allows criminals to steal from them. It arrives uninvited and unwanted. It has not received the attention needed to warn the unsuspecting of these dangers to their personal and confidential information. And, perhaps worst of all, spyware and similar malware problems rob consumers of the confidence needed to make commerce over the Internet inviting, safe and successful.”
This year alone, Thompson noted, his company has received 60,000 incident reports from customers about spyware abuse.
PestPatrol, along with Webroot Software, Aluria Software and Lavasoft, has formed a group — the Consortium of Antispyware Technology (COAST) — to increase consumer awareness about spyware and its dangers.
The group also is working on a code of acceptable behavior for spyware makers, which is expected to be released in the second quarter of 2004. “There is a place for adware, but there needs to be full disclosure on it,” PestPatrol vice president of business development Pete Cafarchio told TechNewsWorld. “It must also be more forthright in its claims of the personal information that it’s collecting. Right now, privacy policies can dance all around that issue, and you can be left in a fog.”
Creating deportment guidelines for clandestine applications might appear to be a dubious exercise, but Cafarchio said COAST has been approached by some spyware makers that are eager to comply with such standards. By conforming to a code, the vendors believe their software can avoid being tarred with the spyware epithet, Cafarchio explained.
“There are a lot of people who want to do the right thing — even marketing companies — but right now there’s nothing out there that’s clearly defined,” he said.
Although some civil liberties groups have voiced objections to spyware legislation, Cafarchio sees some benefits of Rep. Bono’s efforts. “It increases awareness, and that’s real important,” he asserted. “And it serves as a warning to some of the application developers that are pushing the boundaries that people are reaching their limits and they’re going to retaliate if something isn’t done.”