
More Anti-Spyware Authority to the Federal Trade Commission

The Federal Trade Commission has argued for more authority to fine spyware purveyors, and it's about time Congress gave it to them. This isn't a new issue, as CNET pointed out:

The FTC's wish list isn't news to Congress. After all, in June, the U.S. House of Representatives overwhelmingly approved a bill that would give the FTC the ability to impose fines of up to $3 million each time a long list of offenses is committed, the bulk of which center on "taking control of a computer" in an unauthorized way.

But for whatever reason, the Senate still hasn't yet acted on the proposal, known as the Spy Act, leaving the FTC to continue its longstanding plea for the extra authority. (Some have suggested imprisonment wouldn't be a bad idea, either.)

On a more cynical day I might be tempted to compare such measures as the Spy Act with the CAN SPAM Act, which has had marginal benefits, if any, but there is more to the spyware legislation, at least in the stronger versions.

The weaker versions can be improved, though. Take, for example, this section from a version of the Internet Spyware (I-SPY) Prevention Act of 2007 (HR 1525 RFS):


Sec. 1030A. Illicit indirect use of protected computers

`(a) Whoever intentionally accesses a protected computer without authorization, or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and intentionally uses that program or code in furtherance of another Federal criminal offense shall be fined under this title or imprisoned not more than 5 years, or both.

`(b) Whoever intentionally accesses a protected computer without authorization, or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and by means of that program or code--

`(1) intentionally obtains, or transmits to another, personal information with the intent to defraud or injure a person or cause damage to a protected computer; or

`(2) intentionally impairs the security protection of the protected computer with the intent to defraud or injure a person or damage a protected computer;

This seems at first glance fairly strong, but it only seems to cover unauthorized access with the intent to commit another crime, like stealing personal information. It doesn't stop adware and tracking. Why not just leave it that unauthorized access is a crime? Why does the intent need to come into consideration? If someone enters your house without permission, is it only a crime if they intend to steal something? I doubt it.

The fundamental rule should be no permission, no access. Period. Let's not quibble about the intent of adware peddlers who want to track our every move on the Web. If they want to watch where we go, let them get authorization from users.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net