Dueling Spyware Bills Weigh Down an Indecisive Congress

By Scott M. Fulton, III, BetaNews

June 15, 2007, 7:17 PM

Certainly no one likes spyware -- perhaps not even its creators, if they also happen to be its victims -- so since mid-May, a trio of bills have been introduced. All three will face the Senate next week, including two competing versions passed by the House, and an entirely new Senate bill whose ink isn't even dry enough for its prototype language to enter the Congressional Record.

With Americans' approval levels of Congress' job performance at 23% and plummeting, according to an NBC News/Wall Street Journal poll released earlier this week, both houses are looking to assume a leadership role on smaller, easier to swallow issues than funding the war in Iraq and heading off inflation at home.

All three bills aim to give the appearance of banning spyware on the federal level, even though many states already have bans in place, and even though technically, intrusive and destructive spyware isn't legal today under US law anyway. But at least one of the House bills being referred to the Senate may actually have the effect of relaxing federal spyware laws, despite the appearance of reinforcing them.

As though a law were present mandating that no bill should be passed without its name being made into an acronym, H.R. 964 was dubbed the "Securely Protect Yourself Against Cyber Trespass Act," or "SPY Act." Its chief provision is to make it a federal crime for a person who is not the owner of a computer to take control of that computer for deceptive purposes.

The Internet is listed as one way to do this, but it's not the only way, as the bill leaves open the possibility that a person could take control of a computer without using any remote means whatsoever. At first, it would seem perhaps a co-worker implanting unwanted software onto a computer could be tried under the terms of this bill.

Enforcement of the law would take place, however, under the auspices of the Federal Trade Commission, which would pursue violations as cases of fraud and misrepresentation. That fact alone means corporations are more likely to be held responsible than individuals, with minimum penalties set in the millions of dollars rather than in terms of jail time.

Critics of the SPY bill are taking it to task for leaving open provisions for law enforcement to utilize clandestine software for surveillance purposes; although a legal review of the bill could render such provisions unnecessary for law enforcement purposes, since the Federal Trade Commission -- as the bill's chosen enforcement authority -- would have no purview over complaints related to law enforcement anyway. Imagine, in other words, a consumer protection agency fining the FBI three million dollars for misrepresenting itself.

Chasing the SPY bill is the competing I-SPY bill (H.R. 1525, Internet Spyware Prevention Act), whose language is far simpler. Rather than characterize malicious use through implanted software as a form of fraud and misrepresentation, I-SPY would open the door a lot wider, by rendering it illegal for someone to take control of a computer using implanted software for purposes of committing an already established federal crime. Fraud is among those mentioned, though imperiling the security of the user is another, taking the bill outside the realm of trade law.

If you're a software developer yourself rather than a politician, perhaps you've already detected what could end up being the key flaw of both bills: They specifically refer to that which takes control of victims' computers as a who, not a what. I don't know how recently you've shaken hands with or had a serious conversation with a spyware, but I have to admit I've never had the occasion. These flaws alone could jeopardize either bill, even if it gets passed into law and signed during our lifetimes, by virtue of not being able to withstand judicial review.

Perhaps the bills' authors could have taken a lesson from the Justice Dept.'s recent spyware awareness campaign. The enemy isn't people, the FBI reminds us, but "bots" farmed and herded by individuals who may or may not be taking direct control of victims' computers. Should either bill pass, a suspected violator could conceivably use the DOJ's definition of a "bot-herder" in his own defense.

In a press release yesterday, Sen. Mark Pryor (D - Ark.) announced he's introducing before the floor of the senate his own "Counter Spy Act" (whose name, in the context of the other two bills, conjures memories of Sergio Aragones' Antonio Prohias' classic characters in MAD Magazine), whose purpose appears at first to mirror that of the House's SPY act - not the I-SPY Act, if you're keeping score at home.

"Spyware is a serious infringement upon basic levels of privacy and security," reads Sen. Pryor's statement. "There are very few, if any, legitimate reasons for this practice to continue, but countless reasons for it to be stopped, including identity theft and sluggish computer performance."

The Pryor bill would appoint the FTC the enforcer of violations, which would again characterize spyware proprietors as companies, not people - and certainly not law enforcement agencies (see above: "if any"). Pryor went on to say the industry has failed in being self-regulating, without saying which industry he was referring to.

All three bills may yet succeed in their objective to give Congress the appearance of debating meaningful issues to the American voter. In fact, the longer they succeed in that objective, the less likely they are to pass soon - because in the strange way that Washington works, if you pass a bill you're not seen to be debating it, which means it's out of the public eye.