Locking the Door Against Internet Trespass: New Heritage Article on Spyware

by on September 29, 2004

A new article on the spyware issue, just released by Heritage. I argue that while spyware is a real problem, the answer will be found in private-sector innovation, not new legislation…


Locking the Door Against Internet Trespass: Are New Laws Needed?
by James L. Gattuso
WebMemo #575

September 27, 2004

Don’t look now, but there may be trespassers on your PC. Increasingly, Americans surfing the Web find that they have picked up uninvited visitors in the form of programs that install themselves on their PCs–resetting home pages, adding new toolbars, “hijacking” browsers to unwanted websites, and sometimes even mining PCs for personal information. Millions of Web users are frustrated and confused, and many observers fear the phenomenon could hinder the Internet’s growth and threaten the tech sector’s growth.

Just as in the physical world, virtual property should be vigorously protected from such trespass. Congress is already moving forward with legislation aimed at such practices. Yet, new legislation will not be sufficient to protect surfers–nor is it necessary. Current law already prohibits most if not all Internet trespass. At the same time, the most effective defense for Web surfers will almost certainly come not from Washington, but from private sector technologies and services that help consumers to protect themselves. As most homeowners know, a simple lock on the front door may be the their most effective protection against trespass. Washington should allow private solutions to develop, vigorously enforcing current laws, and wait put off rushing in with a new set of rules.

More than Spyware

The Internet programs at issue vary tremendously. Most often they are grouped under the term “spyware,” which refers software that sends personal information without authorization from a PC back to the originator. Often this is done to track Web usage to deliver targeted ads to the consumer, though other personal information can also be divulged. Other programs don’t snoop at all but simply make unwanted changes on the consumer’s PC. At times, the user is unaware that changes have even been made. One program, for example, produces an imitation “Google” search engine page, but with links to casinos and porn sites.

These Internet pests get installed on PCs in a variety of ways. Sometimes they are bundled with other programs that the user has installed; sometimes they are installed through deception, such as a confusing pop-up ad with a “click here” button; and sometimes they install themselves when the user visits a particular website (known as “drive by” installation.). Removing these unwanted visitors is often difficult, as millions of frustrated users have learned.

The problem is widespread: In 2003, spyware was the number one source of calls to Dell’s tech support center. Some analysts fear that Internet pests may ultimately slow the growth of the Internet, as users become frustrated and lose confidence in the Web.

Congressional Proposals

Congress is looking at a number of proposals aimed at stopping Internet trespassing:

H.R. 2929. Sponsored by Rep. Mary Bono (R-CA) and approved by the House Energy and Commerce Committee in July, H.R. 2929 would ban 17 specific practices, ranging from diverting Web browsers to delivering ads that cannot be closed to removing security and virus software. This bill also would require that notice be given to users before “personally identifiable information” (such as a name, address, or credit card number) or information on Web pages visited is transmitted to others or used to provide advertising.

S. 2145. Sponsored by Sens. Conrad Burns (R-MT) and approved by the Senate Commerce Committee on September 22, S. 2145 would also ban practices such as browser diversions. It also specifically would prohibit surreptitious installation of software–defined as installation in a manner designed to be concealed from the user or to prevent the user from withholding consent. This bill would also ban misrepresentations meant to induce a user to give consent (i.e., lying about what the program will do) and programs that collect information that is not related to the program without adequate prior notification.

H.R. 4661. Sponsored by Rep. Bob Goodlatte (R-VA) and approved by the House Judiciary Committee on September 8, this bill would establish strict penalties, including prison sentences, for installing a program without authorization and with the intent to defraud or injure, to intentionally impair the computer’s security, or in furtherance of another crime.
Given the problems presented by Internet pests, it is tempting to welcome these proposals as good news for Web surfers. But there is reason for concern. The problem is that many legitimate Internet services–such as automatic software updating and even content filters to protect children–depend upon transfer of information between users and outside parties and the installation of programs. Overly restrictive legislation could cripple such functions. Even if activities are allowed with consent, users could end up being bombarded with countless pop-up “notifications.”

The bills now pending in Congress are finely written to avoid the most obvious of these problems. Thanks to amendments made over the past few months, they are much better targeted to illegitimate activities than were earlier drafts. At the same time, however, there are still problems. For instance, what if a Web site or application diverts browsers to another site where needed software updates can be obtained? Or vital news? Would users need to authorize each such use in advance? What if users configured their browsers to allow such diversions? Is that adequate authorization?

Even if every such concern were addressed, there could still be problems in the future. Given the dynamic nature of the Internet, any restrictions could inadvertently impede innovations not even yet conceived.

These potential problems are real. Still, if legislation were necessary to stop the flood of Internet pests, then the benefits might be worth the costs. But that is not the case: The new laws being considered by Congress are neither sufficient nor necessary to solve the problem:

Many, if not most, of today’s Internet trespassers already operate outside the law. “Unfair and deceptive trade practices” are banned under the Federal Trade Commission Act. Statutes such as the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act limit other activities. For this reason, even the Federal Trade Commission has argued that new legislation is not needed. Instead, the focus should be on stricter enforcement of existing laws.

It is difficult, of course, to enforce these laws. Many of the worst offenders are small operators with few assets who operate (or can easily move) offshore, far away from prosecutors. These enforcement difficulties would apply to new laws passed by Congress as well as existing laws.

The most effective solution to these Internet problems may have nothing to do with laws and legislation, old or new. Instead, it will come from–and is already coming from–the private sector. There is already a large array of programs available to consumers–many free of charge–that clean PCs of pests and protect against future invaders. Internet service providers such as Earthlink and search engines such as Yahoo are competing to come up with spyware blockers to protect their customers. Such programs, while unfamiliar to many consumers today, may soon become as ubitiqutious as virus protection and anti-spam programs are now.

Consumers are legitimately concerned about the growth of spyware and other Internet trespassers on their PCs. And as with other matters of technology, the best solution to this problem may have little to do with Washington. Instead, it will come from new, private-sector products and services that will allow Web surfers to lock out Internet trespassers. Policymakers in Washington should allow time for these private solutions to develop, while vigorously enforcing current laws, before rushing in with new rules for the Internet.

James L. Gattuso is Research Fellow in Regulatory Policy in the Thomas A. Roe Institute for Economic Policy Studies at The Heritage Foundation

Comments on this entry are closed.

Previous post:

Next post: