washingtonpost.com
Congress Moving to Tackle Spyware Problem

By David McGuire
washingtonpost.com Staff Writer
Friday, April 15, 2005; 10:00 AM

An anti-spyware bill could clear the U.S. House of Representatives as early as next week, but final legislation is not expected to be sent to the White House until disagreements about what qualifies as "spyware" are ironed out by key technology interest groups and lawmakers.

Spyware is a catchall term used to describe programs that stealthily install themselves on computers. Some versions -- often referred to as "adware" -- spawn numerous pop-up advertisements when computer users attempt to navigate the Internet. Other, more intrusive versions can track online movements, steal passwords and sensitive data, and give hackers control over infected computers.

Even the least-intrusive spyware programs can severely restrict an infected computer's ability to carry out basic functions like surfing the Web and word processing.

Experts say the spyware problem has grown to near epidemic levels, rivaling the problem with e-mail spam. Last October, America Online and the National Cyber Security Alliance examined the computers of 329 randomly selected Internet users and found that 85 percent of them contained some form of spyware. The average "infected" computer had more than 90 spyware and adware programs.

The research firm IDC estimated last year that people would spend $305 million a year on anti-spyware software in 2008, up from $12 million in 2003.

Three separate proposals have been introduced in Congress so far this year -- two in the House and one in the Senate. A bill sponsored by Rep. Mary Bono (R-Calif.) appears to have the most momentum, earning the backing of Rep. Joe Barton (R-Texas), chairman of the influential Energy and Commerce Committee.

"The consumer should have the right to know what's going on with their computer. It's their property and they should know what's happening. The bottom line is that people cannot install something on your computer and track you and eat up all the processing power on your computer without your consent," Bono said.

Internet service providers whose customers are most at risk to the spyware threat are urging quick action.

"Spyware is obviously a problem that affects virtually all Internet users. While the [Bono] bill will not be a cure-all, we support congressional attempts to counteract this problem. As was the case with spam, we have to fight the problem on several fronts using legislation, litigation, enforcement, customer education and technology solutions," said Dave Baker, vice president of law and public policy for Atlanta-based Earthlink.

Defining the Problem

Lawmakers and lobbyists with a stake in the spyware debate agree that Congress is likely to pass a federal law sometime this year, though what that final language will look like remains up in the air.

Each of the three spyware bills targets the nastiest practices associated with spyware, some of which are already illegal. But they differ both in the penalties they create and in how they define spyware.

It's those definitions that have some in the high-tech industry nervous. They fear that a bill designed to stamp out spyware could inadvertently put legitimate software -- such as the kind used to automatically update anti-virus and other software programs -- on shaky legal ground.

"One of the profound difficulties that we keep facing as we're talking about this is that there is a massive disconnect between what spyware really is and what is considered to be spyware," said Robert Cresanti, the vice president for public policy at the Business Software Alliance, which represents companies like Microsoft, Symantec and Cisco Systems.

"A likely scenario could put legitimate companies at high risk for what might be a technical violation of the bill without any ill intent," Cresanti said. The BSA agrees that anti-spyware legislation is needed, but the group wants to make sure that the final bill doesn't hurt legitimate businesses, he said.

Bono's Spy Act, which cleared the Energy and Commerce Committee by a unanimous vote March 9, would require companies to obtain permission before they install any program that collects information on a person's computer.

"We're much more concerned about that section of the bill. We don't think it's responding to an immediate need in the market, and we think it has the potential for some pretty serious collateral damage against an industry that is really burgeoning right now," said Trevor Hughes, executive director of the Network Advertising Initiative, which represents online advertising companies like DoubleClick and 24/7 Real Media.

Hughes said there are dozens of advertising-supported Web site features -- like stock tickers and personalized weather reports -- that could be affected under those definitions.

Although Bono's bill does not restrict the use of "cookies" -- the small tracking programs used by Web sites to maintain things like virtual shopping carts and other visitor-specific content -- Hughes said it could drag in many common programs used by Web operators to personalize the online experience.

"Web sites are very sophisticated commercial operations nowadays, and there may be 15 commercial entities operating on the same site," Hughes said. "If the consumer has to click through 15 different boxes saying yes I want this, no I don't want this, that's really going to impede the online experience."

Bono said the current version of her bill, which has gone through several drafts, addresses the concerns raised by the high-tech industry, but still provides protection to consumers. "We've tried to accommodate industry along the way. It's come a long way but [we've] been trying to walk that fine line between keeping the industry people happy and the privacy people happy."

In the Senate, Conrad Burns's (R-Mont.) Spy Block Act also targets a class of computer programs that collect information without computer users' knowledge. It was this aspect of the bill that concerned Sen. George Allen (R-Va.) last year when it appeared that Burns's bill was headed for passage.

"If you define a specific illegal spyware activity it is very difficult to do so without causing legitimate software companies unintended consequences and unneeded burdens," Allen said.

Allen said he was also concerned that the law could inadvertently create a "safe harbor" for some malicious spyware distributors -- allowing them to hide behind consent language that users may agree to without fully reading.

Both Hughes and Cresanti said their organizations would prefer that an anti-spyware bill target the behavior of spyware distributors, rather than a whole class of technology that has legitimate uses.

Allen said he plans to introduce legislation as early as next week in the Senate that would stiffen existing anti-fraud penalties for anyone convicted of committing fraud via spyware. Allen's bill would also authorize about $10 million for law enforcers to go after spyware distributors. "Much, if not everything, they are trying to create a new definition of a crime for is already against the law," Allen said.

That's also been the primary argument of the Federal Trade Commission. "Most of the acts and practices and harm consumers that are covered under these bills are things that would be either unfair or deceptive under the FTC Act," said Tom Pahl, an assistant director in the FTC's Division of Advertising Practices. Under each of the congressional proposals, the commission would be saddled with coordinating federal enforcement efforts.

According to Bono, the regulators aren't doing enough. "I believe the FTC has been asleep at the wheel so far and hasn't enforced it and that's why it's grown so exponentially," she said, adding that her bill would give Congress the ability to "hold the enforcers' feet to the fire."

The FTC has brought a handful of spyware cases, Pahl said, but the agency has been hindered by the fact that many spyware distributors are located overseas. The commission has asked Congress to pass legislation that would make it easier for them to coordinate with foreign law enforcers.

Pahl added that Congress already pressures the commission to bolster its enforcement efforts. "Congress can and does hold our feet to the fire for how we enforce the FTC Act. Chairman Barton is very adept at holding our feet to the fire and he doesn't need a new law for that," he said.

Staff writer Emily Woodward contributed to this article.

© 2005 Washingtonpost.Newsweek Interactive