Analysis: Forget Congress' myopic efforts to outlaw spyware. What we really need is better enforcement of existing computer crime laws, says SecurityFocus columnist Mark D. Rasch.
In Through the Looking Glass, Lewis Carroll's Humpty Dumpty tells Alice: "When I use a word, ... it means just what I choose it to mean - neither more nor less."
"The question is," replies Alice, "whether you can make words mean so many different things."
In trying to define spyware, the U.S. House of Representatives is faced with a similarly daunting lexicographical task.
Last week the "Internet Spyware Prevention Act of 2004" - I-SPY for short - was reported out of the House Judiciary Committee, and is now ready for consideration by the full House of Representatives. But while there is little doubt that spyware, and its kissing cousin, adware, are annoying, infuriating, and potentially invasive of privacy, before we allow legislators to jump in with the heavy club of possible jail time, security professionals need to decide not only what spyware is, but also what specific characteristics of spyware we want to outlaw.
One short definition of spyware might be a program that enters our computer without our effective knowledge or consent, is difficult or impossible to detect or remove, alone or in aggregate slows down or otherwise interferes with the operation of the computer, and collects and disseminates personal information about us to unknown third parties.
But for spyware to be criminal, must it have all of these attributes? And must the spyware author know that it will have an effect, and intend that effect, or is it enough that the bad behavior simply be a consequence of the code?
The first element that might make spyware criminal is the fact that it loads on your machine without your consent. But plenty of programs load without the user's knowledge. In fact, for most people, almost all programs load without their having any clue what the programs are doing. Java and ActiveX programs load on my machine without my effective consent. Sure, I can set my browser settings to exclude them, but I can also buy anti-spyware software to keep out most spyware.
Is my failure to exclude something consent to letting it run, or is this just blaming the victim? How much do I have to know about what the program is going to do before my consent can be deemed to be effective? When I install P2P programs like Kazaa, there is a long click wrap contract that sort-of tells me that I'm getting some "advertising programs" in the bargain. But it doesn't tell me how many programs, what they will do, or how to get rid of them.
Let's face it, it's nearly impossible to get true effective consent to all of the possible things software can do. Thus, the mere fact that spyware is loaded without complete consent is not enough, in and of itself, to make for an enforceable criminal law.
A second problem with spyware is the fact that it materially affects the performance of my computer. In fact, running an anti-spyware program recently, I found more than 300 instances of spyware on an unprotected machine. Deleting them all and rerunning the software a few days later, there were still over 100 bits of spyware. Eventually, I formatted the drive and reinstalled the OS to get it to work.
But can an individual spyware vendor be held liable for the fact that his or her program - in concert with hundreds of other programs - can bog down a machine, when the program acting alone would have no noticeable effect? If we require only a trivial effect on the target machine, we are left criminalizing virtually every website, cookie, or application.
The third potential basis for criminalizing spyware is the fact that it surreptitiously collects and transmits personal information about me to third parties. But here, too, the issue boils down to consent: do the Kazaa clickwrap contracts adequately advise me of what the adware and spyware does? Kazaa tells you that it installs GAIN software, and if you check out GAIN's website you'll learn that the program collects information about your Web surfing and the software running on your machine. But if I don't read that website, have I consented to the privacy violation? Where do we draw the line between a Trojanized key logger or remote access tool and a program like GAIN? Both "access" our computers, perhaps without our knowledge or genuine consent; both capture information and transmit it to someone else.
The I-SPY bill roughly includes these three elements, but links them in a formula that does little to combat spyware.
The bill would make it a crime to cause a program to be copied onto a computer, and intentionally use that program in furtherance of another federal crime, or to get personal information "with the intent to defraud or injure a person or cause damage to a protected computer" or impair the security protection of the computer.
Note that it does not itself prohibit a program that steals your personal information without consent. Such a program would only be illegal if the distributor wants to defraud or injure you. If someone uses the internet to further a fraud, it is already a crime under 18 U.S.C. 1343 (wire fraud). This legislation merely adds the word "injure".
The language that prohibits software that would "impair the security protection" of a computer without authorization is problematic in a different way. I-SPY does not specify how much the program must "impair" security to qualify as felonious. Many programs require certain changes in security configurations in order to run, opening and closing ports for example, and I may or may not know that this is happening. Would software have to expressly tell me what effect it was having on my overall security, and get my affirmative consent to the modifications each time, to escape possible criminal sanction?
If we intend to force software vendors to perform an overall security assessment of their product - that is, to fully explain the effect of their software on a customer's security status - then we should have that debate. But Congress shouldn't just insert this language into a putative spyware bill.
In reality, I-SPY does little to prevent spyware. And it's far from clear that a new law is even needed.
Current U.S. federal criminal law, 18 U.S.C. 1030, already makes it a crime to access (read that "use") a protected computer (read that "any computer") without authorization (or in excess of authorization) and thereby obtain "information from [the] computer." It seems to me that this is a perfect vehicle for prosecuting existing spyware that transmits your personal information, assuming it truly does so by accessing your computer without your consent.
The same statute also makes it a crime to transmit code which intentionally (a felony) or recklessly (a misdemeanor) causes damage to a computer, or to intentionally access a computer without authorization and thereby cause damage. This also could apply to some spyware. And yet, there has never been a spyware prosecution, and there are more than 500 different breeds of spyware in the wild.
This begs the question, do we really need a new law, or just enforcement of existing law?
Before it goes any further, this bill needs a good and vigorous debate; a war of words. I for one would be happy to trudge up to Capitol Hill to participate - as soon as I can get this junk off my desktop machine.
SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.