A widely reported poll conducted by Seattle-based security firm WatchGuard Technologies revealed that two-thirds of IT managers and administrators believe spyware is the No. 1 threat to network security, beating out both viruses and phishing, the use of deceptive email to trick recipients into giving up private information.
According to technology news website Silicon.com, "The problem of spyware on home and corporate desktops is reaching epidemic levels" that could "see millions of PCs grinding to a halt" in the next 12 months.
And last year, the computer security company Eblocs.com issued a report claiming that 98 percent of adult websites routinely infect their visitors' computers with spyware.
Meanwhile, the Los Angeles Times reported that some Internet users, fed up with porn dialers and incessant pop-up ads, are spending less time online, and many are switching back to dialup or abandoning the Internet altogether.
But others aren't giving up so easily. Instead, they're calling congressional representatives to let them know just how angry they are, and politicians have fallen over themselves to be the first in their voting bloc to strike while public opinion is hot, introducing a swell of antispyware legislation on both the state and federal levels — with mixed results.
Held Up in Utah
In May, Utah became the first state to enact spyware legislation when then-Gov. Olene Walker signed the controversial Spyware Control Act into law. In addition to prohibiting companies from downloading software onto users' computers without their consent, the law placed restrictions on data collection and the use of pop-up ads.
Privacy advocates hailed the law for striking a balance between consumer protection and fair trade practices. But New York-based adware company WhenU.com filed a lawsuit against the state claiming the law is unconstitutional because it limits the company's right to commercial speech.
A district court judge agreed and issued an injunction blocking enforcement of the law pending a full trial. The law remains in litigation limbo, but the episode has had a significant impact on subsequent spyware legislation in California and the U.S. Congress, where lawmakers have been reluctant to challenge adware developers.
Late last year, California Gov. Arnold Schwarzenegger signed into law the Consumer Protection Against Computer Spyware Act, which makes it illegal to install spyware on a person's computer without first giving notice and clearly describing what the software does.
Under the law, consumers can seek damages of $1,000, plus applicable attorney's fees, per violation.
There is a catch, though: The law requires evidence of intent to deceive in order to trigger penalties — a standard critics contend is almost impossible to prove.
The California bill initially met with stiff resistance from adware lobbyists, including Claria, a Redwood City, Calif.-based company that changed its name from Gator in 2003 amid allegations of deceptive and harmful adware practices.
By the time the bill reached Schwarzenegger's desk, however, it had gone through nine rounds of revisions and had the full support of Claria and other adware companies, which raised serious doubts about the effectiveness of the legislation.
"My worry is that the law will do more harm than good," Fred von Lohmann, senior staff attorney for the Electronic Freedom Foundation, told XBiz. "When [legislators] involve adware companies in the [amendment] process, there's a real danger they'll end up legalizing practices they should be guarding against."
Harvard Law fellow Ben Edelman, a leading spyware researcher, calls the California law "toothless" and contends lawmakers should have scrapped it and started over from scratch. And California State Sen. Debra Bowen tried to do exactly that. Bowen, who originally co-sponsored the bill, removed her name from the final draft and issued a public statement urging Schwarzenegger to chuck it into the trash heap.
"Why are we letting spyware companies write spyware laws?" Bowen asked in her statement. "It's a giant step back for anyone who cares about their personal privacy because it effectively legalizes certain types of spyware."
Perhaps not coincidentally, the controversial "intentional deception" language was added shortly after the Utah spyware law was blocked. Von Lohmann believes California legislators buckled under political pressure. Intent on passing a law — any law — to satisfy angry voters, they gave in to the adware lobby in order to avoid a protracted legal battle like the one dragging on in Utah.
"A lot of politicians just want to be perceived as doing something, irrespective of whether they're actually doing any good," he told XBiz.
To date, no one has been charged under the California law.
The Bono Bill
Perhaps the most important piece of spyware legislation is a bill currently under consideration in the U.S. House of Representatives.
Only weeks into the 109th Congress, Rep. Mary Bono, R-Calif., introduced an anti-spyware bill that aims to prevent practices such as phishing, keystroke logging, homepage hijacking and the uploading of ads that can't be closed without shutting down a computer.
The Spy Act would also prohibit websites from installing software on a user's computer without first giving notice, describing in simple terms what the software does and obtaining the user's explicit consent.
Violators could face civil penalties of up to $3 million per incident.
"We think people have a right to know when potentially dangerous programs are coming onto their computers or personal information could be taken off their computers," Kimberly Pencille, a spokesperson for Bono, told XBiz.
Bono had sponsored an almost identical bill last year, which passed on a 399-1 vote in the House, but the measure reached the Senate too late in the legislative cycle to gain consideration.
There's little chance the Spy Act will meet a similar fate this year. Members of the House Energy and Commerce Committee have vowed to put the bill on the fast track, there already is strong support in the Senate and little resistance is expected from adware companies.
That's not to say the bill doesn't have its critics.
"If someone proposed legislation that gave consumers good protection against spyware, I'd be all for it, but I haven't seen it yet," Pam Dixon, executive director of the World Privacy Forum, told XBiz.
The major criticism of Bono's bill from among privacy advocates and consumer groups is that it got so watered down in the debate and amendment process during the last legislative session — when software companies lobbied for, and won, major concessions — that it is now too weak to do any good.
"I think [Bono's bill] is well-intentioned, but it's riddled with loopholes and isn't likely to be effective," Edelman told XBiz, adding that there is greater danger from passing a flawed law than doing nothing at all.
"Rather than helping the spyware problem, Bono's weak bill could even make things worse," Edelman wrote on his website. "If passed, the bill will fill the space — making further federal antispyware legislation unlikely, at least in the short run."
Von Lohmann goes a step further, arguing that the government simply isn't capable of legislating on complex technology issues.
"All the legislation I've seen so far is a waste of time," he said. "The notion that government is capable of protecting people from spyware is naive."
The problem, according to Evan Hansen, net and networking editor at ZDNet.com, is that policymakers aren't as tech savvy as the code writers who create software. "The government is trying to play catch-up," Hansen told XBiz. "Technology moves so quickly that a lot of the things they're recommending are yesterday's news."
Hansen added that those responsible for the most pernicious spyware are also the most adept at covering their tracks, rendering useless any laws designed to stop them.
Besides, says von Lohmann, "The guys who are up to no good can just move overseas."
The Forgotten Law
Lost amid the current debate over Bono's bill is the fact that statutes governing spyware practices already exist. Since 1996, many common spyware behaviors have been outlawed by Section 1030(a)(5) of Title 18, United States Code, the Computer Fraud and Abuse Act.
The law authorizes the Federal Trade Commission to levy fines and criminal charges against anyone who knowingly accesses a computer without authorization.
"A lot of the issues, like keystroke logging, are already covered by 1030, but ... the fine is only $11,000 per violation, and that doesn't even make a dent when you consider the money [violators are making]," said Pencille, Bono's representative. "Our legislation gives teeth to Section 1030 by allowing fines up to $3 million per violation. It really makes a statement to these people that they better get out of the [spyware] business."
But Edelman contends the FTC doesn't necessarily want teeth. He points out that in nine years, the agency has charged only one individual with wrongdoing under Section 1030's spyware provisions.
In October, the FTC filed its first civil suit against Sanford Wallace, owner of Seismic Entertainment Products, accusing him of spreading unsolicited software downloads through deceptive and illegal means. Wallace agreed in January to stop secretly installing programs on users' computers but still maintains that he acted within the letter of the law. And he may have a point.
Most spyware, including the kind Wallace was using, cannot be deemed illegal under a strict interpretation of Section 1030 because it takes advantage of the fact that users often click "I Agree" on software license agreements without reading them — thereby authorizing access to their computers.
Industry experts speculate that the agency simply isn't interested in picking fights it might not win, which is why it has been reluctant to enforce Section 1030.
The FTC itself, in a prepared statement to the House of Representatives' Committee on Trade and Commerce, said, "Spyware is an elastic and vague term that ... could be so broad that [it covers] software that is beneficial or benign; software that is beneficial but misused; or software that is just poorly written or has inefficient code."
The upshot: The FTC isn't quite sure how to interpret the law and is, therefore, reluctant to enforce it. Which leads many to question whether the agency will be any more eager to go after offenders if Bono's bill is passed into law.
The general consensus among industry analysts is that the Spy Act, like Can-Spam, will end up being little more than a public image campaign aimed at creating the perception that the government is cracking down on spyware purveyors. A few sacrificial lambs may be thrown to the lions, but enforcement will be spotty at best.
Perception vs. Reality
The accusation that adult websites are major spyware offenders is, no doubt, unfair, but in this case, perception trumps reality, and the perception is that adult webmasters are infecting users' computers with malicious spyware.
Most telling is media coverage of the Eblocs.com survey that said 98 percent of adult sites use spyware. Newspapers, TV networks and others reported the figure without questioning it because they believed it to be true. And now their readers and viewers believe it to be true. And so do lawmakers.
Last year during debates over proposed spyware legislation, Sen. Conrad Burns (R-Mont.) read a letter from a Texas man complaining about malware. "Now it has gotten a porn generator going, and I get 30 to 50 messages a day from different porn sites," the man wrote.
The fact that Burns chose a letter that mentioned porn sites wasn't a coincidence. It's clear that many conservatives in Congress see spyware laws as a backdoor opportunity to harass and prosecute adult businesses. For adult webmasters, the writing on the wall is unmistakable: If you use pop-ups and dialer programs, do so with great care, and do so at your own risk.