What constitutes fair disclosure? All of these bills prohibit information collection and software installation without notice and consent, but none require software to fully disclose its purpose and operation, in unambiguous language, so that Internet users can make intelligent decisions regarding consent. Spyware companies can hide behind privacy policies obscurely posted at web sites users never visit; EULA-like language that only practicing law professionals can understand; and similar means to obfuscate intent. In fact, they frequently do so today, with considerable success.
Are Laws Necessary?
Some legal experts feel that much of the really nasty spyware behavior going on now could be stopped under existing laws that govern unfair trade practices and computer fraud. Susan Crawford, Assistant Professor of Law at Cardozo Law School and Policy Fellow with the Center for Democracy & Technology in Washington, D.C., said, "Spyware is a different kind of issue -- it's about the imposition of an inappropriate, unsought-for relationship in code. That relationship can only be dealt with, to my mind, by tort law and with the help of juries and judges. It's impossible to define 'spyware' in a way that won't capture lots of helpful software. The fact that FTC has been able to act with respect to spyware signals that a new statute isn't needed."
What Impact?
Sunbelt's Sjouwerman and attorney David J. Steele, adjunct professor at Loyola Law School, agree that U.S. federal and state antispyware legislation will have very little impact on illegal software installation and misuse of personal information. "Ultimately, the vast majority [of spyware] will be coming from overseas, where sites and operators are difficult to trace and cannot be brought to justice. Did the CAN-SPAM Act do anything to cut down on spam?" asked Sjouwerman. Steele added, "The real problem with Internet regulation is that it is just so easy to set up shop overseas and avoid all the legal issues that the U.S. wants to impose. There is no cyber-equivalent of a U.S. border where packets are inspected for compliance with U.S. law. And I'm not sure most Internet users want a cyber border, even if it were technically feasible."
Spyware is a technology problem that requires a technology solution. On the surface, the task of combating spyware seems to be heading in the same direction viruses and spam have taken us. Expect to see similar layered countermeasures. We need configurable operating systems and browser implementations that operate securely by default. We will be forced to employ desktop antispyware software and antispyware security gateways and subscription services to keep pace with this constantly evolving threat. The spyware threat grows more obvious each day, and as consumers become more educated about spyware, they will hopefully take measures to protect their personal information and privacy with a greater sense of urgency than they have in response to viruses and worms. If we have any hope of reclaiming the considerable ground already lost in the cyberwar to save privacy, we must take measures to reduce the economic incentives that drive spyware development. If we complement these measures with effective enforcement of existing anti-fraud legislation, we might just beat this spyware beast into submission.
Or we can wait until spyware infests our Sidekicks, and join Paris Hilton in the "I wish I'd taken protecting my personal information seriously" club.
Dave Piscitello is president and principal consultant at Core Competence, Inc. A 30-year network, Internet and security veteran, Dave provides advisory and consulting for security and broadband access companies, service providers, and Fortune 100 companies. A prodigious writer, Dave has published hundreds of articles, product reviews, and editorials for print and online publications. Dave maintains a personal blog at and a popular antispyware resources page.