What's next: Spyware
Last year spyware legislation overwhelmingly passed the House (399 to 1). The Senate didn't act on it. We're going to see a lot of activity on this front again this year. But I'm not so sure legislation is such a great idea.
Three reasons:
1. Spyware is being conceived of as an assault on privacy interests, and draft legislation may be intended to set the stage for future broad privacy statutes. But spyware is a different kind of issue — it's about the imposition of an inappropriate, unsought-for relationship in code. That relationship can only be dealt with, to my mind, by tort law and with the help of juries and judges. It's impossible to define “spyware” in a way that won't capture lots of helpful software. The fact that the FTC has been able to act with respect to spyware signals that a new statute isn't needed.
2. The draft House bill, HR 29, takes a very heavy-handed regulatory approach. It suggests that the FTC will spend an enormous amount of its resources (resources that could be spent bringing cases) on adopting a very detailed set of rules about the design of software. It mandates notices for online applications. These notices will be both annoying and ultimately meaningless (who will understand what it is they are consenting to?). GLB for bits.
3. And it won't work. Bad actors will move offshore and won't follow the rules anyway. Sure, a federal bill may preempt some wacky state approaches, but the cure may be both worse than the disease (design mandates for software! swirling useless notices!) and ineffective.
It's better to encourage evolutionary, adaptive, tool-based approaches to spyware. Indeed, the evidence is that spyware attacks are diminishing due to better tools being used by ISPs and network operators.
We have two models for viruses/attacks on our system: inoculation (or search and destroy) and the immune system. Let's go with the immune system approach: learning, memory, watching for unexpected data flows, and networks of helpful systems.
Comments
One Response to “What's next: Spyware”

I don't agree that bad actors will move offshore. Some will, of course. But legislation could readily speak to the installation practices used by big US companies — the kind of companies who have received hundreds of millions of dollars of VC funding (listings). Legislation could also speak to the kinds of advertising practices that may permissibly be used by big US companies. Since advertising expenditures by big US firms are what's fueling the spyware business, spyware is actually quite a bit easier to stop than, say, general hacking, viruses, worms, and other malware.