Utah has become the first state to make spyware a crime, passing a law that makes it illegal to install such programs on a PC without approval.
Starting in early May, violators face a fine of US$10,000 per incident, under the new Spyware Control Act. The Utah law aims to regulate the use of spyware and other advertising software, which is infamous for annoying computer users by tracking and reporting their Web whereabouts and displaying ads.
A software company that wants to load a surveillance program onto a Utah user's PC must make full disclosure, under the law. It must reveal what user behavior its software records, what information goes back to a central server, how often ads will appear, and how the ads look. Vendors must also clearly state the purpose of the downloaded software and any changes it makes to a PC's system.
"Spyware is horrible," says Utah State Representative Steve Urquhart, who sponsored the bill. He says spyware makes spam look like a minor inconvenience. "Sure, spam is a nuisance, but spyware is a violation of your privacy," he adds.
Utah's tough stance on spyware isn't going over well with many tech companies that feel the law is poorly written and overbroad.
"We feel this law will essentially outlaw a perfectly acceptable form of advertising and commerce," says Emily Hackett, executive director of the Internet Alliance, an Internet trade association.
In fact, the Internet Alliance tried unsuccessfully to convince Utah Governor Olene S. Walker to veto the Spyware Control Act. Also supporting the veto request were America Online, Google, Microsoft, Yahoo, and CNET Networks.
Opponents say the Spyware Control Act is a legal threat to a technology company's right to innovate. Hackett says the Utah law could be interpreted to ban free ad-sponsored software, and perhaps even threaten common e-mail programs that track when and which messages are delivered.
"We don't feel a ban on a specific technology is the right approach here," Hackett says. She concedes spyware is a problem, but adds, "technology isn't bad, it's the behavior of the people who use it."
Even the anti-spyware, pro-privacy Center for Democracy and Technology lobbied for a veto in Utah. Its representatives call the law "premature" and cite "definitional difficulties" with the word spyware. The group applauds Utah's attention to what it calls invasive and deceptive software, but urges a stronger, more consumer-focused approach.
Tech firms bristle
Just as the federal antispam CAN-SPAM Act has been called a well-meaning but ineffective effort, even supporters of anti-spyware measures are urging caution. Still, several other states and Congress are considering similar legislation.
Iowa and California are considering anti-spyware proposals. New York State legislators are reviewing a draft of an antihacking law that may also prevent companies from piggybacking advertising software with more desirable applications.
The U.S. Senate is considering an anti-spyware law, the Software Principles Yielding Better Levels of Consumer Knowledge (SPYBLOCK) Act. It would require distributors of spyware to get PC users' consent before installing software that records keystrokes, site navigation, or similar data and that shares it with another party.
Introduced in late February, it is due to be worked on over the next few weeks, according to a Senate staffer.
"Spyware allows virtual Peeping Toms to watch where you go and what you do on the Internet," said cosponsor Sen. Ron Wyden, D-Oregon, upon introducing the SPYBLOCK bill.
The proposals to reign in spyware are similar to efforts to control spam. They also face the same challenges, analysts say.
"Typically, legislative efforts to deal with tech issues haven't been raving successes," says Eric Hemmendinger, research director for security and privacy at the Aberdeen Group.
Walking the Line
The Utah Spyware Control Act was inspired by a court case involving pop-up ads, and was positioned as protection for Utah businesses.
Utah-based 1-800 Contacts took issue with the advertising firm WhenU, which served pop-up ads to the 1-800 Contacts Web site. Among the ads: 1-800 Contacts competitor VisionDirect.
State Rep. Urquhart says the law will let a Utah firm sue a spyware company that doesn't follow the Spyware Control Act, when its program displays ads on the Web site of a Utah-based business. He also says the act will help protect consumers by forcing spyware companies to be more upfront about their software.
"No legitimate company that notifies its customers of what is being installed on their system and what it does should have any reason to fear this law," Urquhart says.
Urquhart sees an irony in the tech industry's opposition to the Spyware Control Act in favor of self-regulation. "If not this now, then what when?" he asks.
The Internet Alliance has argued that self-regulation and technology solutions will ultimately be more affective in thwarting spyware. But Hackett could not point to any spyware solutions in the works.
"We don't have a working solution yet," Hackett says. "It's not that we are stalling. It's because it's a really tough nut crack."
In the interim, and outside Utah, users can readily find numerous freeware, shareware, or otherwise inexpensive programs designed to hunt down and remove spyware from PCs.
- Emily C. Kumler of the Medill News Service contributed to this report.