Inquiring lawmakers want to know the best way to get a grip on spyware, those pestiferous little programs advertisers and peer-to-peer networks like to slip on your computer to monitor you or use your machine for other things. And the Center for Democracy and Technology has an idea for them: don't outlaw specific snoopery, just set a broad online privacy rights policy to prohibit secret online surveillance.
That's the message in a report about spyware the CDT issued November 18. "We believe that it would be best to…address at least the privacy dimension of spyware as part of baseline Internet privacy legislation," said the report, Ghosts In Our Machines. "At the same time, pending bills, because they focus on applications that take information from a user's computer, do not address the larger problem of control."
For now, the Electronic Communications Privacy Act makes it a crime to intercept communications without a court order or one party's consent. The Computer Fraud and Abuse Act "may also apply to some uses of spyware," the CDT said, since programs spread through security vulnerabilities and able to take over a user's computer or Net connection might violate that law, "especially in cases where those programs are used to steal passwords or other information." But spyware that doesn't obstruct a computer's operation or add to the cost of running it, the report said, may not violate the CFAA.
The Federal Trade Commission Act's Title Five, however, might best address spyware from among the laws now on the books, the report said. That title allows the FTC to act against unfair or deceptive trade practices, which "may apply to some of the most invasive kinds of (spyware)."
The spyware issue, like the spam issue, tends to cross party lines. Rep. Mary Bono (R-California) and Sen. John Edwards (D-North Carolina) have each written bills to hit spyware specifically, while Sen. Ernest (Fritz) Hollings (D-South Carolina) has added a section on spyware to a proposal to set baseline privacy standards in cyberspace, the CDT said. And Sen. Conrad Burns (R-Montana) is on record saying he's considering a more sweeping bill aiming at spyware.
But another problem with fighting spyware, the CDT report suggested, is the term itself. "The slipperiness of the term…makes it very hard to craft a definition that is precise enough for use in legislation," the report said. "For this reason, we believe it will be extremely difficult to adequately address all of the privacy concerns with spyware outside the context of general privacy legislation."
Instead of isolating subsets of computer applications to regulate, the CDT said, "it makes more sense to articulate the basic privacy standards to which all programs should be held."
As of this writing, the FTC hasn't yet acted against spyware merchants or deployers. "We have followed up on some allegations," said commission spokeswoman Claudia Bourne-Farrell to reporters, "and to date we haven't found things that violated the law or violated individual privacy.
Last year, the Senate Commerce Committee tried passing a broad online privacy bill but that bill never got as far as a floor vote. Meanwhile, KaZaA, the popular and controversial peer-to-peer network, offers a "spyware-free" version of its program.
