Lawyer Article

Published in the September 28, 2005 issue of Southeast Tech Wire.

Mr. Claypoole assisted Elizabeth Ladt in the development of this article. Elizabeth is a summer associate at Womble Carlyle.

The computer industry, businesses, and consumers have been wary of spyware since the explosion of the internet. In the past year legislators have assumed the difficult task of creating legislation that will reign in various problems caused by the ever-expanding spyware industry. Part of the problem arises from the nebulous nature of spyware itself. But most definitions of spyware include programs that are invasive and relentless in gathering personal information and causing advertising to continuously pop up on computers. The Anti-Spyware coalition’s new definition of spyware may act as a catalyst for implementing two new bills passed by the U.S. House.

In May 2005 the U.S. House passed two bills to deter internet predators from accessing confidential and personal information. Both bills impose tougher criminal penalties for spyware and prevent spyware companies from falling below the government’s radar. According to Roy Mark of Internet.com, The Spyware Prevention Act, I-SPY makes using unauthorized access to a computer to commit a crime punishable by either a fine or imprisonment for up to five years. The prison terms can go up to two years if the access is to transmit personal information for the purposes of fraud or damaging a computer. The second bill passed through the House, the Securely Protect Yourself Against Cyberspace Trespass Act, (“SPY ACT”) goes further, imposing an opt-in, notice and consent regime for legal software (adware) collecting personally identifiable information from consumers. The Senate is considering both bills in committee.

Although the legislation seems intended to help improve government regulation of spyware, some industry insiders worry that it may hurt more than help. Like the current California Anti-Spyware Act, these Acts could possibly be used as a shield to make certain spyware operations seem more legitimate and to avoid detection by anti-spyware programs. Richard Stiennon of Webroot told Internetnews.com that both bills contain a long list of exemptions, including pre-purchase installations, cookies and software and network security upgrades. He explains; "I’m leaning toward preferring the increase in penalties for bad acting. By setting a lot of definitions, you’re going to have some of the perpetrators just modifying their behavior to comply with this new law and then start legal activities to get index spyware vendors to stop listening to them." He added that the adware companies could potentially start saying that they comply with the new laws and “The Federal Trade Commission doesn’t have a problem with what we’re doing and you shouldn’t identify us (as spyware).” His concerns are legitimate considering that among lawmakers and industry insider’s spyware had yet to be clearly defined at the time that the two bills were passed.

To counter this problem, in July a coalition of consumer groups, ISPs and software companies announced that it had reached a mutually agreeable definition for spyware. Under this definition, spyware impairs “users’ control over material changes that affect their user experience, privacy or system security; use of their system resources, including what programs are installed on their computers; or collection, use and distribution of their personal or otherwise sensitive information,” according to the Anti-Spyware Coalition, which includes Hewlett-Packard, EarthLink, McAfee and Microsoft. Ryan Singel of Wired News notes that the group is now hoping that the definition, if accepted by Congress, will clear the way for anti-spyware legislation and help to create a more formalized method for companies to dispute or to change their software’s classification.

The lack of a definition has slowed federal and state legislation and created friction between forces working to hinder the growth of illegal spyware. As of now it is unclear what effect the new definitions will have on the legislation and current anti-spyware programs, but consumers and businesses are pushing for effective legislation to keep purveyors of personal information and annoying adware popup’s out of their lives.