Don't look now,
but there may be trespassers on your PC. Increasingly, Americans
surfing the Web find that they have picked up uninvited visitors in
the form of programs that install themselves on their PCs-resetting
home pages, adding new toolbars, "hijacking" browsers to unwanted
websites, and sometimes even mining PCs for personal information.
Millions of Web users are frustrated and confused, and many
observers fear the phenomenon could hinder the Internet's growth
and threaten the tech sector's growth.
Just as in the
physical world, virtual property should be vigorously protected
from such trespass. Congress is already moving forward with
legislation aimed at such practices. Yet, new legislation will not
be sufficient to protect surfers-nor is it necessary. Current law
already prohibits most if not all Internet trespass. At the same
time, the most effective defense for Web surfers will almost
certainly come not from Washington, but from private sector
technologies and services that help consumers to protect
themselves. As most homeowners know, a simple lock on the front
door may be the their most effective protection against trespass.
Washington should allow private solutions to develop, vigorously
enforcing current laws, and wait put off rushing in with a new set
of rules.
More than
Spyware
The Internet
programs at issue vary tremendously. Most often they are grouped
under the term "spyware," which refers software that sends personal
information without authorization from a PC back to the originator.
Often this is done to track Web usage to deliver targeted ads to
the consumer, though other personal information can also be
divulged. Other programs don't snoop at all but simply make
unwanted changes on the consumer's PC. At times, the user is
unaware that changes have even been made. One program, for example,
produces an imitation "Google" search engine page, but with links
to casinos and porn sites.
These Internet
pests get installed on PCs in a variety of ways. Sometimes they are
bundled with other programs that the user has installed; sometimes
they are installed through deception, such as a confusing pop-up ad
with a "click here" button; and sometimes they install themselves
when the user visits a particular website (known as "drive by"
installation.). Removing these unwanted visitors is often
difficult, as millions of frustrated users have learned.
The problem is
widespread: In 2003, spyware was the number one source of calls to
Dell's tech support center. Some analysts fear that Internet pests
may ultimately slow the growth of the Internet, as users become
frustrated and lose confidence in the Web.
Congressional
Proposals
Congress is
looking at a number of proposals aimed at stopping Internet
trespassing:
- H.R. 2929.
Sponsored by Rep. Mary Bono (R-CA) and approved by the House Energy
and Commerce Committee in July, H.R. 2929 would ban 17 specific
practices, ranging from diverting Web browsers to delivering ads
that cannot be closed to removing security and virus software. This
bill also would require that notice be given to users before
"personally identifiable information" (such as a name, address, or
credit card number) or information on Web pages visited is
transmitted to others or used to provide advertising.
- S. 2145.
Sponsored by Sens. Conrad Burns (R-MT) and approved by the Senate
Commerce Committee on September 22, S. 2145 would also ban
practices such as browser diversions. It also specifically would
prohibit surreptitious installation of software-defined as
installation in a manner designed to be concealed from the user or
to prevent the user from withholding consent. This bill would also
ban misrepresentations meant to induce a user to give consent
(i.e., lying about what the program will do) and programs that
collect information that is not related to the program without
adequate prior notification.
- H.R. 4661.
Sponsored by Rep. Bob Goodlatte (R-VA) and approved by the House
Judiciary Committee on September 8, this bill would establish
strict penalties, including prison sentences, for installing a
program without authorization and with the intent to defraud or
injure, to intentionally impair the computer's security, or in
furtherance of another crime.
Given the problems
presented by Internet pests, it is tempting to welcome these
proposals as good news for Web surfers. But there is reason for
concern. The problem is that many legitimate Internet services-such
as automatic software updating and even content filters to protect
children-depend upon transfer of information between users and
outside parties and the installation of programs. Overly
restrictive legislation could cripple such functions. Even if
activities are allowed with consent, users could end up being
bombarded with countless pop-up "notifications."
The bills now
pending in Congress are finely written to avoid the most obvious of
these problems. Thanks to amendments made over the past few months,
they are much better targeted to illegitimate activities than were
earlier drafts. At the same time, however, there are still
problems. For instance, what if a Web site or application diverts
browsers to another site where needed software updates can be
obtained? Or vital news? Would users need to authorize each such
use in advance? What if users configured their browsers to allow
such diversions? Is that adequate authorization?
Even if every such
concern were addressed, there could still be problems in the
future. Given the dynamic nature of the Internet, any restrictions
could inadvertently impede innovations not even yet conceived.
These potential
problems are real. Still, if legislation were necessary to stop the
flood of Internet pests, then the benefits might be worth the
costs. But that is not the case: The new laws being considered by
Congress are neither sufficient nor necessary to solve the
problem:
Many, if not most,
of today's Internet trespassers already operate outside the law.
"Unfair and deceptive trade practices" are banned under the Federal
Trade Commission Act. Statutes such as the Electronic
Communications Privacy Act and the Computer Fraud and Abuse Act
limit other activities. For this reason, even the Federal Trade
Commission has argued that new legislation is not needed. Instead,
the focus should be on stricter enforcement of existing laws.
It is difficult,
of course, to enforce these laws. Many of the worst offenders are
small operators with few assets who operate (or can easily move)
offshore, far away from prosecutors. These enforcement difficulties
would apply to new laws passed by Congress as well as existing
laws.
The most effective
solution to these Internet problems may have nothing to do with
laws and legislation, old or new. Instead, it will come from-and is
already coming from-the private sector. There is already a large
array of programs available to consumers-many free of charge-that
clean PCs of pests and protect against future invaders. Internet
service providers such as Earthlink and search engines such as
Yahoo are competing to come up with spyware blockers to protect
their customers. Such programs, while unfamiliar to many consumers
today, may soon become as ubitiqutious as virus protection and
anti-spam programs are now.
Consumers are
legitimately concerned about the growth of spyware and other
Internet trespassers on their PCs. And as with other matters of
technology, the best solution to this problem may have little to do
with Washington. Instead, it will come from new, private-sector
products and services that will allow Web surfers to lock out
Internet trespassers. Policymakers in Washington should allow time
for these private solutions to develop, while vigorously enforcing
current laws, before rushing in with new rules for the
Internet.
James L. Gattuso is
Research Fellow in Regulatory Policy in the Thomas A. Roe Institute
for Economic Policy Studies at The Heritage Foundation.