An antispyware bill that the U.S. House of Representatives passed this week earned praise from cybersecurity groups, but faces an uncertain future in the Senate.
The bill, which would create penalties of up to five years in prison for some spyware-like behavior, is a “needed piece of legislation in order to protect consumers,” said Kevin Richards, federal government relations manager for Symantec. Many online identity theft schemes start with spyware on a victim’s computer, he said.
Though versions of the Internet Spyware Prevention Act (I-SPY) have passed through the House in the last two sessions of Congress, they stalled in the Senate. The House passed I-SPY and a second spyware bill in May 2005. But the Senate failed to act, partly because of concerns that the second proposal, called the Securely Protect Yourself Against Cyber Trespass Act or SPY Act, too broadly defined spyware.
The Senate Commerce, Science and Transportation Committee also became hung up on what approach to take for a spyware bill — a criminal penalties approach similar to I-SPY or a broader approach attempting to define spyware technologies similar to the second House bill.
Concerns over the SPY Act remain. Last month, the Electronic Frontier Foundation issued an alert about the SPY Act, saying it opposes the bill because it would preempt tougher state laws against spyware and hacking. “In fact, having been massaged by lobbyists for the software and adware industries, the bill would actually make things worse, insulating adware vendors from more stringent state laws and private lawsuits,” wrote EFF lawyer Fred von Lohmann.
Any bills that have not passed through the House and Senate during their two-year session must be reintroduced. This year the SPY Act has been approved by the House Energy and Commerce Committee but has not faced a vote on the House floor.
On the other hand, there seems to be less opposition to I-SPY. I-SPY has “broad support from the industry,” said Geoff Gray, legislative consultant for the Cyber Security Industry Alliance, a trade group. “It concentrates on bad actions as opposed to bad technologies.”
I-SPY now goes to the Senate for consideration. Two champions of antispyware legislation in the Senate, Republicans George Allen of Virginia and Conrad Burns of Montana, were defeated in last November’s elections.
Meanwhile, supporters of the I-SPY Act say they will push for passage in the Senate. Symantec is engaging senators about the need for a spyware bill and other cybersecurity measures, Richards said. Several senators seem open to cybersecurity legislation, he said.
“I think there’s interest there,” he said. “But senators are focused on a big plate of issues.”
Although Burns and Allen are gone, I-SPY has a “decent” chance of passing the Senate, added Gray. The House may have given it a better shot by not passing the more controversial SPY Act at the same time, he said.
“A little steam has gone out of it on the Senate side, but maybe some of the conflict as well,” Gray said.
A spokesman for Representative Zoe Lofgren, one of the primary sponsors of I-SPY, said it’s early to gauge the bill’s chances in the Senate. The California Democrat will begin pushing for the bill in the Senate soon, the spokesman said.
Representatives of tech-focused senators said their bosses are looking at antispyware legislation. “It’s one of our priorities,” said a spokesman for Senator John Ensign, a Nevada Republican and cosponsor of an antispyware bill in the last session of Congress.
Senator Ron Wyden, an Oregon Democrat, is also looking into the issue, a spokeswoman said. Wyden, cosponsor of the broader antispyware bill in the Senate last Congress, is “looking into what he feels the correct course should be legislatively … based on the way the spyware issue has evolved over the last two years,” said spokeswoman Melissa Merz.