House Bill: Spyware Solution or Limp Legislation?

Antispyware legislation awaiting Senate action offers little promise of meaningful prosecution against violators, said Ron O’Brien, a senior security analyst with antispyware firm Sophos.

The U.S. House of Representatives has passed an antispyware bill that would impose specific penalties for scammers accessing computers without authorization while attempting to commit other federal crimes. The bill, sponsored by both Democrats and Republicans, would make the fraudulent use of spyware a crime punishable by up to five years in prison.

However, some federal lawmakers and computer security experts complain that the proposed law does not impose any new requirements on software makers to help prevent spyware intrusions. Nor does it require new technology to combat the worst forms of spyware.

‘Band-Aid on a Broken Leg’

Perhaps the proposed spyware law’s most outstanding shortcoming is its failure to include a provision endorsed by the House Energy and Commerce Committee that would require software distributors and advertisers to clearly notify consumers and obtain their consent before loading programs onto a computer.

The biggest problem in stemming the growing spyware problem lies with users themselves, who wait to take adequate precautions to protect their computers, according to O’Brien.

“The reality is spyware is so ubiquitous that it is like putting a Band-Aid on a broken leg. Given the number of computers not protected, this is like attempting to remedy a problem by throwing money at it. But it doesn’t even come close to solving the spyware problem,” O’Brien told TechNewsWorld.

Toothless Law

The federal antispyware proposal would be an unenforceable law, O’Brien asserted.

“There is nobody to go after,” O’Brien said about the pending new law. “Congress needs to address the larger issue. That is that using the Internet carries certain responsibilities for the users. They must do virus updates and security patches regularly. Otherwise, the problem will not go away.”

Home users with a computer that is three or four years old start complaining about its slowness. When they take it to a repair store, they learn that their computers are so loaded with spyware that the cheapest solution is to buy a new one, O’Brien said.

Of course, if the computer user does not learn to become proactive about spyware, the new computer will soon be in the same spyware-stuffed condition.

Key Action Needed

One reason that spyware infects so many computers, O’Brien suggested, is that there is little incentive for a new-computer buyer to maintain his or her computer protection. They get comfortable with the preinstalled trial antivirus and antispyware products and do not renew them when the free 60- or 90-day trial period ends.

“There is no silver bullet in fighting spyware. The government needs to mandate more than a trial version of virus and spyware protection on new computers,” reasoned O’Brien.

Such a mandate would go a long way toward curtailing the spread of spyware. Much spyware, like other types of malware, relies on vulnerabilities in the operating system. Malware writers aim at unprotected systems. The intrusion risk is compounded if the user’s computer is not patched and running the latest security updates and program versions, O’Brien explained.

“The top occurring malware are old viruses against which we already have protection. But users are not updating their systems. This gives the malware safe harbor,” he said.

Lawmakers Misguided

“Federal lawmakers had good intentions with the antispyware bill, but their use of the term ‘spyware’ shows that lawmakers are not in touch with the industry. The brunt of the issue is, if people lose faith and confidence with the Internet, then the economy is doomed,” said O’Brien.

Spyware is only one part of the entire malware situation. Because the bill addresses only spyware, the legislation misses its mark. New malware comes out every day. There are 5,000 new Web sites identified per day as hosting malware.

Spyware takes more than one form. One component is a tracking cookie that sends a user’s Web browsing activity to a secret location. Not all cookies, though, are spyware, noted O’Brien, referring to cookies that provide useful e-commerce features for return users to legitimate business Web sites.

Another part of spyware involves the introduction of Trojans, or hidden programs introduced onto a hard drive when the users download code from a Web site, either knowingly or unknowingly.

There are 450,000 Web sites hosting malware. Another 750,000 Web sites may be hosting malware, O’Brien said. Thirty percent of all spyware comes from China; 30 to 35 percent comes from the U.S.


More by Jack M. Germain