
Spyware Targeted at Congressional Hearing

A bill to take the “spy” out of spyware got a public hearing before a Congressional subcommittee Wednesday.

The legislation filed by Rep. Mary Bono (R-California) would require spyware purveyors to inform computer users of the presence, nature and function of their applications, as well as seek permission from users before downloading intrusive goods to their computers.

“Unfortunately, consumers regularly and unknowingly download software programs that have the ability to track their every move,” Bono told members of the House Commerce, Trade and Consumer Protection Subcommittee of the House Energy and Commerce Committee.

Not Just Annoying

“Consumers are sometimes informed when they download such software,” she continued. “However, the notice is often buried in multithousand-word documents that are filled with technical terms and legalese that would confuse even a high-tech expert.”

Spyware — software intended to aid an unauthorized party in obtaining private information from a computer without the computer owner’s knowledge — used to be considered an annoyance, but it has become much more than that.

“The issue of spyware has been around for a long time, but we’ve noticed that it’s becoming increasingly malicious,” said Ken Sokol, senior product manager at Clearswift of Bellevue, Washington, a maker of Internet and e-mail filtering software.

Information Stealing

“You’re starting to see some very sophisticated capabilities built into these things,” he told TechNewsWorld. “Some spyware will sit there and monitor what you’re doing at your computer or steal sensitive information about you or your customers.”

Until now, spyware has been seen as primarily a consumer problem, but Clearswift issued a white paper on the eve of the Congressional hearing suggesting the malware will create serious trouble for businesses, too.

“[Programs that] have been marketed and sold as corporate security devices and parental control software for kids are finding their way into the hands of hackers and criminals [who aim to] remotely [take] control of a victim’s PC to facilitate industrial espionage,” Clearswift Threatlab manager Pete Simpson said in a statement.

“Commercial spyware is a serious threat to corporate networks and unless taken seriously, can place personal and corporate confidential information at risk, resulting in identity theft and corporate espionage,” he noted.

Silent and Dangerous

The connection between spyware and identity theft was also argued at the Congressional hearing by Roger Thompson, vice president for product development at Carlisle, Pennsylvania-based PestPatrol, maker of an antihacking utility that detects and removes hacker tools, spyware and Trojan horses.

In testimony submitted to the subcommittee, Thompson said: “Spyware is silent. It’s invisible to the consumer. It allows criminals to steal from them. It arrives uninvited and unwanted. It has not received the attention needed to warn the unsuspecting of these dangers to their personal and confidential information. And, perhaps worst of all, spyware and similar malware problems rob consumers of the confidence needed to make commerce over the Internet inviting, safe and successful.”

This year alone, Thompson noted, his company has received 60,000 incident reports from customers about spyware abuse.

Foggy Policies

PestPatrol, along with Webroot Software, Aluria Software and Lavasoft, has formed a group — the Consortium of Antispyware Technology (COAST) — to increase consumer awareness about spyware and its dangers.

The group also is working on a code of acceptable behavior for spyware makers, which is expected to be released in the second quarter of 2004. “There is a place for adware, but there needs to be full disclosure on it,” PestPatrol vice president of business development Pete Cafarchio told TechNewsWorld. “It must also be more forthright in its claims of the personal information that it’s collecting. Right now, privacy policies can dance all around that issue, and you can be left in a fog.”

Creating deportment guidelines for clandestine applications might appear to be a dubious exercise, but Cafarchio said COAST has been approached by some spyware makers that are eager to comply with such standards. By conforming to a code, the vendors believe their software can avoid being tarred with the spyware epithet, Cafarchio explained.

Retaliation Warning

“There are a lot of people who want to do the right thing — even marketing companies — but right now there’s nothing out there that’s clearly defined,” he said.

Although some civil liberties groups have voiced objections to spyware legislation, Cafarchio sees some benefits of Rep. Bono’s efforts. “It increases awareness, and that’s real important,” he asserted. “And it serves as a warning to some of the application developers that are pushing the boundaries that people are reaching their limits and they’re going to retaliate if something isn’t done.”

3 Comments

  • I am *so* glad to see that some progress is being made toward regulating the spyware industry. If companies want to collect and analyze information about me openly, with my permission, using their own resources, in order to better understand my needs and interests, that’s an acceptable marketing practice. When they sneakily – or secretly – steal information from me without asking permission, using MY resources, and their software causes my computer system to slow down and possibly freeze or even crash, that is unforgivable. Everyone’s been up in arms about spam recently, shouldn’t we take the same stance against spyware?

  • I am glad to see that at last our representatives are taking a good hard look at the problems that can be caused by spyware installations. I have been an outspoken critic of these programs for over two years and have watched as these programs have gotten more aggressive.
    Hopefully, this bill will not get "watered down" or fall through the cracks of the system like previous attempts at legislation.
    I also hope that this new legislation can also close some of the pitfalls and loopholes of the Uniform Computer Information Transactions Act (UCITA) which allows software publishers to change the terms of the contract after purchase (or download) and amend the "E-sign" act to make privacy policies binding so companies cannot change or alter them after the fact like they currently are allowed to do without proper notification.
    FYI: In order for this legislation to get passed consumers need to contact their representatives to let them know that they are fed up with these adware/spyware companies exploiting their privacy & personal information for their own economic gain.
    Debbie.
    http://www.unwantedlinks.com


More by John P. Mello Jr.