Will the I-Spy bill pass and become law?


I-Spy, with my little eye, a bill that -- if passed -- would sentence a person convicted of malicious spyware-related activities to up to five years in prison. The Internet Spyware Prevention Act (I-Spy) was proposed in mid-March by Reps. Zoe Lofgren (D-Calif.) and Bob Goodlatte (R-Va.), and a U.S. House of Representatives subcommittee recently approved the bill. However, it's still uncertain whether this antispyware bill will pass a Senate vote and actually become a law. Check out this CNET Networks' News.com story for the specifics: "House tries again for antispyware bill."

Here's an excerpt from the article:

"Rather than attempting to define what illicit software is, the bill would make it a crime to copy computer code on a machine without authorization if doing so divulges 'personal information' about a user or 'impairs' a computer's security."

If the bill is approved by the full House Judiciary Committee, it will reach the full House for debate. I-Spy is already receiving support from large organizations, such as Microsoft, Dell, and Symantec, plus the Center for Democracy and Technology, and even online advertisers. Do you also stand behind this antispyware bill? Why or why not? Do you think I-Spy will be passed and become a law?

About

Sonja Thompson has worked for TechRepublic since October of 1999. She is currently a Senior Editor and the host of several blogs.

45 comments
sukind1

Would the spyware writers like their personal details to become public? Or their details to be used against themselves?

mullakev

I hope this law could be used effectively

slurpee

Really, it is very limited - aimed more at identity theft. I wish it was also targeted at "plain old" scumware or, at the very least bot networks - none of which seems to be illegal under this.

BALTHOR

If you add it up this Spyware stuff is treason on an International level.

rrotzien

Don't get rid of the anti-spyware program yet. It would be an interesting law - I would also like to see offenders forbidden to have access to computers as well - at least while in jail. While this is an interesting first step, the problem I see with a law as this is described is the small part that is included -- it would be a crime to do so without authorization. There are a lot of people out there who get something popping up saying you need to update or load this, who simply do without thinking. I know my parents usually call me when something comes up like this. Since they give authorization, then there will be no crime?? There will be a whole new form of spyware, given away, requesting permission to install, and people will be stuck with spyware.

pcbradshaw

If one takes the time to READ the actual bill and not go strictly by what some "talking head" types on the web or you see on TV you will find the bill is pretty comprehensive. It could use some improvement, but overall it does provide definition of what constitutes the crime and what the penalties will be. Overall it's a good start and it's up to computer professionals such as us to write to our legislators (rather than sit and grumble) to recommend improvements. In other words it's your country, they're your representative and it's OUR job to help them get it right. A link to the text of the bill is: http://thomas.loc.gov/cgi-bin/query/F?c110:2:./temp/~c110ChJ3IM:e1260:

the_webninja

I believe in this Bill, except I think they should amend it to specifically state "Malicious" in more clear definition. Because I look at a Blanket Reg like this as being along the same lines as a rule that might state that "You can't look at another driver or look into another Driver's vehicle while you are driving down the Freeway." I don't really have a Problem with the Teenage internet geek who is using Spyware to mine for Porn on other people's computers so he can get a copy for himself. That doesn't bother me. I don't care if they use Spyware to try to get a copy of a song they see on my Computer. That doesn't bother me. But the "Malicious" little Bastardds that do stuff to just try to screw up other people's computers just for fun, need more than Jail Time or Fines, I want to CANE EM! And I want their Caning Publicly Televised! :) And I want them Caned GOOD too, not just one or two Whacks, I want to Whack em til they Pass out! THEN they might learn something. I figure that's half the Problem is the Parents are afraid to discipline their Kids in the first place so they raise these little monsters who terrorize the world with their Bulllshitt. So if the Parents won't take the responsibility for discipline, then I would be more than Happy to. :)

dunshee

I was surprised at the several posts which seemed to take spyware lightly (such as the "looking for porn or music" and the "this generation's graffiti writers"). I'm concerned about people stealing my bank account access or my identity. I don't think spyware is trivial -- I think there are a lot of professional thieves working in this arena.

TexasKAT

Malicious is not a good enough description of these people's activities. These are probably the children of the people who, in my day, spray painted buildings, broke into houses and stole everything they could get their hands on. As for punishment, I would rather see these hoodlums put in a room full of IT Pros who have to spend countless hours of their time cleaning up after the mess that is made. We would DEFINITELY know how to deal with them.

Dr Dij

your computer? Wow! Ok - And if you don't happen to have any porn files, maybe you'd be nice enuf to lend him your credit card to send to a shady russian porn site? And I'm sure the little twerp needs peace and quiet while he's having fun with himself, so you should definitely let him buy an iPod with your card; after all he might also need it to quell the sound of gunfire when he's sent to iRaq. So you then also don't have a problem with that same teenager breaking into your (non-virtual) house to poke around thru your piles of porn? Maybe as long as he doesn't steal anything else or make himself a sandwich and watch TV? Or try to boink your gal after he's busy handing himself?

Sonja Thompson

The Internet Spyware Prevention Act (I-Spy) is expected to be approved by the full House Judiciary Committee, and then it can be sent to the full House for debate. If it's passed, people convicted of malicious spyware-related activities will be given a sentence of up to five years in prison. Do you think this antispyware bill will be passed and become a law?

talgryalen

Not sure if it will be law but I hope it does pass.

jimc52

As described in this article, I think the definition of copying code from a computer without authorization means little to exactly nothing. The easiest way to introduce spyware is to get the user to agree to its installation. We all know what a pain it is to read lengthy EULA liturgies...and how common it is for every brand of company or individual to write "something" in the EULA which provides the kind of "authorization" we all don't want.

1). EULA's should be clear, short and succinct.
2). EULA's should not contain lengthy, arbitrary, or easily misrepresented statements.
3). EULA's should not be a "mandated right" of the creator to get the user to "authorize" the violation of obvious security features, such as:

*Getting the user to "authorize" bringing down a firewall or to "authorize" firewall port access for surreptitious means, such as gathering personal information or on-line use statistics.
*Getting the user to "authorize" root kits or any other software device that inherently allows modification of the operating system code, the kernel, or any feature which distorts, changes, hides, resides or encumbers the kernel operation or associated dll's.
*Getting the user to "authorize" the installation of collection information as a condition of using the software.
*Getting the user to "authorize" disablement of anti-virus, anti-spyware, anti-trojan or any other security software.
*Making it mandatory as a condition of use of a particular software to be provided that will in any other way, violate personal information, on-line use.

I find this legislation of little use in preventing anything because all they will do is get the user to "authorize" the installation of the spyware through the EULA and in any criminal action, they will merely argue: "It was part of the EULA that the user agreed to." I think it is also necessary to make it a violation of the law for the software to routinely "phone home." By this, I mean, reporting to the creator of the software that the software is being used, how it is used, whether or not it is a valid or legal software or for any other reason without the direct continuing participation consent of the user. The EULA should not be a legal device by which the user's rights are infringed upon or the user is assumed to continue participation with "authorization." In other words, the user should be able to DISABLE any feature which they have decided is a violation of their privacy even IF they have consented to the EULA beforehand...I say this, because more often than not, users either do not take the time to read the EULA or if they do, they do not fully understand what exactly it is they are agreeing to. A EULA agreement should be nullified IF the user did not clearly understand what was being agreed to to begin with. The EULA is the problem that will allow the security issues to continue unabated.

w2ktechman

"Rather than attempting to define what illicit software is, the bill would make it a crime to copy computer code on a machine without authorization if doing so divulges 'personal information' about a user or 'impairs' a computer's security." I would say that any and all SW makers could be at risk. Any SW added to a computer can impair security, and auto-updates are quite common. Aside from that, I don't see it as much of a deterrent. 5 years seems low for those who steal identities. Besides, many spyware writers end up with a hell of a lot of money, to which 5 years might seem acceptable risk.

djc14925

Sec. 1030A Illicit indirect use of protected computers. sub sections (c) "No person may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant's violating the section. For the purpose of this subsection, the term "State" includes the District of Columbia, Puerto Rico, and any other territory or possession of the United States."

Antagonist

Except they should make it the death penalty...

crazijoe

Well that's all fine and dandy but does the government even know what to look for? How will they prove that somebody's email server was just used as a spam box or if someone's home computer is just a botnet? Sounds like a lot of false criminal charges will be pursued just because a person's computer was pumping out illicit spyware or malware without them knowing it. Show me one basic home user that knows what their computer is doing at any given time. A criminal, that uses his or her computer to commit a criminal act, is stupid when they can use someone else's remotely. And a smart criminal has the ability to cover his or her tracks. The problem with the government is they are looking more at proof of guilt instead of actual computer forensic investigations. They would rather convict an innocent person just because their knowledge and the public's of computer forensics is lacking. You put an innocent person in the stand and the computer illiterate jury will surely convict him. Illegal activity will always happen. The government needs to find the real criminals and not the one harboring the illicit machine that's sending out the stuff without the owner's consent.

Dumphrey

brings up an important idea: the average user NEEDS to be better educated about security, and not just rely on newer security products.

crazijoe

The problem is the average user WILL NOT attempt to better educate about security because they don't have to. Not until it happens to them will they think about security.

ley1963

I think this law is a good start, but I believe that this would only force those involved in this type of activity to go outside the US. What would this law mean for those who engage in this activity in countries such as Russia. The Internet is now an International entity, and even as we speak, more and more malicious activity is originating from outside the US. Any law or restrictions have to be accepted by more than just the US. Unfortunately, there are a lot of places where one could hide without retribution from any local government agency. I hate to think that we need a worldwide governing body to control the Internet, since I see it doing more harm than good, but what are the options. I know I may sound a little nostalgic here. But the Internet was really cool back in the 90s when mostly techies were using it and we all adhered to a higher standard.

djc14925

What happened to those higher standards when we all held ourselves accountable???

AndrewB

... call for modern measures. These kinds of laws are much like the traffic laws of 100 years ago. Necessary evils for a new technology. We depend on computer information for so very much, and downtime could be crippling. I see it akin to how they finally busted Al Capone - tax evasion!

fredeppy

There are so many laws today that go unenforced, what is going to make this law any different than the others. We need to enforce what is already in place and stop lenient judges from giving wrist slaps to first time offenders, we need to stop all of the plea bargaining baloney. Clear the courts of all these junk lawsuits etc. and make more time and room for criminal cases. Up to five years, is no sentencing guideline. Five years, hard time, no ifs, ands, or buts.

Antagonist

You just threaten with death then follow through a few times. Guaranteed to work.

6T9ura$$0ff

So let's just ship them over there for 20 years of 24 hr/day on call, latrine duty and cigi-butt policing.

fredeppy

I have too much respect for my brothers and sisters over there doing the job. I gave 22 years of my life. Fred

w2ktechman

there would be no crime! They used to give the death penalty for stealing, that and chopping off hands, fingers, etc.. Has the thought of the death penalty been a deterrent? I say yes, has it stopped crime?? I say, no.

replimaster

a required 10 year front-line assignment in Iraq?

replimaster

Can you cite even 1 instance where the death of a person has not completely stopped their antisocial behavior?

fredeppy

Ok Antagonist, I guess they don't like your death penalty idea. The gender reassignment idea is kind of double jeopardy, cause big bubba will probably take care of that anyway. So, no death penalty, no gender reassignment, I guess we will have to go with frontal lobotomy. Fred

w2ktechman

Look at all of the ways different civilizations enforced death penalties and torture! Did it stop crime???

inertman

as i have suggested in the past the penalty needs to be severe enough that everyone would be remiss to get caught. but instead of death (many people are not afraid of death so this is not a deterrent), i would stick to the five years, not 'up to' though, but before being sent to prison the perp is sent to trinidad for gender re-assignment. i think most people would find that a similar violation of their personal space that reflects the severity of malicious computer violations. and then of course the other felons would enjoy violating their personal space even more.

Endoscopy

The real issue is not whether or not to pass a law but how to enforce it. Congress passed a law on spam and spam keeps increasing. Policing the internet is extremely difficult.

Eternal

first you have to find the programmers or companies of said software... ok, might not be that hard... but say you find them.. and they don't live in the states.. what then? A good number of nasties are probably overseas. Our laws up here in Canada are different than yours down there... I can remote into a computer, look around, copy files.... I just legally can't edit/delete/put files without permission. I've done it too, and a few times I left notes on desktops saying "Oops I was looking for a friend's PC, found yours.. this is how you would secure it from further intrusions..."

Antagonist

I find it hard to believe that it is legal to break into someone's computer for any reason in Canada. Please cite the law.

cenadj

Yeah I think it should be passed & it should become a LAW.

libskrap

I haven't followed the details, but I would expect that it would pass -- sounds like the kind of thing that congress would pass. But tell me, who decides whether something is spying or not? and whether it is malicious or not? and how do they find the culprit(s)? and how do they enforce it? Seems like right now that MS is spying on everybody they can, Google and doubleclick, symantec and mcafee, most isp's, Apple, and others. then there's homeland security -- what are they doing? some of the stuff is "just collecting marketing data" or "just ensuring that everybody is paying for everything we can charge them for", and other stuff is taking up cycles on users' computers while the companies figure out what to do with the data. The idea sounds ok -- get rid of the baddies. It is just very hard to get agreement on where the line is for malicious-ness.

Ed H.

will Bush threaten a veto? It seems that is pretty much all he does these days, particularly if the legislation protects consumers. Someone is making a profit on all this spyware, so it would hurt the economy to stamp it out. Better to let them volunteer to stop creating it and leave the government out of it.

iainwrig

He would not have been re-elected if it wasn't for the first steel building in history collapsing from fire, causing this country to be so afraid they had no one to turn to, other than our savior, George Bush. Just thought I would chime in and be the assbag to start a political argument on an IT forum :)

fredeppy

Well said, what a novel idea, personal responsibility, hmmm. Fred

inertman

sooner or later these bbds turn to the president, and that's 'president bush' to you (in my country, the U.S.A., average jackasses refer to the commander in chief as Mr.President or President). now while i accept the fact that most of you toe heads don't respect our government, and don't understand protocol, (even though you extend the pretense) trying to bring the "Bush Factor" into this discussion is almost pedantic. i see it over and again, "Bush this" and "Bush that", you people need to take responsibility for your own actions and therefore, your own suppositions. the president was duly elected, twice, and if you wish to argue the 2000 election, i urge you to go back to high school and re-educate yourself on the electoral process. the fact that the mass media reports a 39% satisfaction rate of the president doesn't mean anything, these are the same people that 30 years ago told us there was global cooling and justified the wielding of torches on tankers to melt the polar ice caps, look it up in the new york times archives. then you should understand the power of the veto now, if you understand politics and the lame duck session, which is the last session of an incumbent president during senatorial session, he doesn't wield as much power except to prevent the worthless waste-of-life senators from doing something particularly stupid, via veto. grow up and get a clue! this issue will never see the light of day and it has nothing to do w/ your hatred of the sitting president, jackass! this has to do w/ miscreants trying to undo all of the accomplishments they can, and via people like you, are doing pretty well at it. grow a spine, and try to do something about it rather than shirking responsibility to someone who has nothing to do w/ it! if you use a computer, you're as responsible as the next person for protecting the internet!

F4A6Pilot

The data being collected is nobody's business... It should be recognized as the threat that it is to freedom. All of this spyware should be approved by the user for every transaction that goes out. The browsers should not allow any cookies, or other informational tracking to be sent out by default...
