All two Federal Trade Commissioners had to do was suggest that proposed Congressional anti-spyware legislation had the potential to harm legitimate software, and that kicked off the latest little firestorm between lawmakers and the trade regulators - in which members of the House Energy and Commerce Subcommittee on Consumer Protection accused Howard Beales and Mozelle Thompson of being the only men in America who like having spyware and adware prowling their computers.
Thompson had told the panel the software industry should have more time to respond to spyware concerns, and that self-regulation blended with existing laws being enforced were the more prudent way for now. And panel member Rep. Joseph Barton (R-Texas) ripped right into Thompson and Beales. "You're the only person in this country that wants spyware on their computer," the lawmaker said, adding that if he asked his colleagues whether they wanted spyware removed, "every one but you, sir" would want it removed.
The FTC maintains it has a broad mandate already to stop unfair competition and unfair or deceptive acts that includes enforcing them against spyware and adware. The Justice Department, the FTC said, also has a particular mandate to put the more pernicious spyware makers and distributors behind bars. The commission is still taking comments on the programs through May 21, while a recent FTC workshop featured what the agency called a "spirited debate" about spyware that included what government, industry, and consumers should do about spyware and its risks.
That workshop, the FTC told the Congressional panel in prepared remarks, concluded among other things that defining "spyware" itself is difficult because the term is "elastic and vague," used "to describe a wide range of software.
"Some definitions of spyware could be so broad that they cover software that is beneficial or benign; software that is beneficial but misused; or software that is just poorly written or has inefficient code," the agency continued. "Indeed, there continues to be considerable debate regarding whether 'adware' should be considered spyware. Given the risks of defining spyware too broadly, some panelists at our workshop argued that the more prudent course is to focus on the harms caused by misuse or abuse of software rather than on the definition of spyware."
Some of the lawmakers, however, were having none of it. "I'm a little concerned that you're not outraged that people have access to someone's privacy, Social Security numbers, and all this," said subcommittee chairman Cliff Stearns (R-Florida), "and you're saying let it go by the wayside." Beales, however, countered that installing "legitimate" software - Microsoft Word, Microsoft Windows, and the like - would become too cumbersome if users had to consent directly to all of the hundreds of applications making up the full program.
"We need to determine whether there is a definable class of software that can be called spyware," Beales told the subcommittee. "(Spyware is) difficult, if not impossible, to define."
The House is said to be considering two spyware bills and the Senate, one. One of the two House bills defines spyware broadly enough to label as such as any software that transmits personal information. Some analysts, according to one published report, think that could be taken to mean any e-mail client, because e-mail transmits an address on the "from" line, and many other utilities like Unix utilities.
Whatever it is or isn't, spyware's harms include privacy invasion, security risks to systems, and functionality trouble for consumers. Spyware is also suspected of harvesting personal consumer information by way of non-consensual computer monitoring, the FTC prepared remarks noted, and of triggering identity theft by surreptitious placement of keystroke loggers on personal computers. And these problems cost businesses and consumers millions to try to overcome and block them, the FTC said.
The FTC said it believes spyware's "relatively recent emergence" means "little empirical data" regarding just how widespread it is and just how deep or broad are its effects and damages. But businesses and consumers, the agency's prepared comments added, "are becoming more aware of the capabilities of spyware, and they are responding by installing anti-spyware products and taking other measures to minimize these risks."
In other words - they didn't exactly need the government to do the job for them just yet. But try telling that to politicians feeling under the election-year gun to do something, if not anything, about a problem some lawmakers say has infected their own work computers.
"It may be this year's spam, if you will," Rep. Jay Inslee (D-Washington) told ZDNet News after introducing one of the two House bills, which would slap heavy penalties on "malicious" spyware writers. "We're recognizing that we have privacy rights at stake that could be abused and you have this increasing infestation of pop-up ads. That's a great impediment to people's use of this technology."
The other House bill, written by Rep. Mary Bono (R-California), would broaden the FTC's powers to force companies to allow uninstallation of spyware and adware. And both bills would pre-empt any existing state laws, including a Utah law due to take effect in May, which adware maker WhenU is challenging in court. That law bars companies from installing any software that tracks user actions online, but WhenU sued to bar its enforcement on free speech grounds, saying the law didn't account for WhenU's software being installable, the company said, only when people agree to accept terms of service that describe all WhenU program functions.
The FTC does not deny that spyware is a growing nuisance in cyberspace. "(We) are learning more about the practice," Beale and Thompson told the subcommittee, "so that government responses to spyware will be focused and effective."
