Sunday, March 18, 2007

Third Time Lucky for Anti-Spyware Bill

Last week, the American Anti-Spyware Bill got its third hearing in the House Subcommittee on Commerce, Trade and Consumer Protection. It has already been passed twice by the U.S. House of Representatives, only to get quashed by the Senate.

The full article about this can be found at Security Focus; it's a two-page article, so make sure you read it all. Here are some snippets of interest.

The bill, whose full title is the "Securely Protect Yourself Against Cyber Trespass Act," would prohibit any software that takes control of a computer, modifies registry settings, logs keystrokes, or collects other data through misrepresentation. The legislation would also require that any program that collects information first get consent from the computer's user. The bill would levy stiff civil penalties against those responsible for programs that hijack a user's computer or collect data without adequate authorization.

Congress needs to give consumers better protections against unsavory practices of spyware vendors, Rep. Bobby L. Rush (D-Ill.), chairman of the House Subcommittee on Commerce, Trade and Consumer Protection, said in a statement.

"At worst, spyware can lead to the unwanted exposure of offensive Web content to unsuspecting individuals, particularly children," Rush said. "It can also lead to outright fraud resulting in significant financial damages. At best, spyware is simply nasty stuff that clogs computers, slows down processing power, and is costly to remove."

Spyware is likely the most prevalent online threat, infecting more than half of all consumers' PCs, according to a study published by AOL and National Cyber Security Alliance in December 2005. Moreover, a single spyware program frequently acts as a beachhead, installing other spyware or adware programs on a victim's PC.

The unwanted programs, in addition to stealing a victim's data, could also make an innocent PC user appear guilty of a crime. In Connecticut, a substitute teacher has been found guilty of four counts of risk of injury to a minor after her classroom PC started displaying pornographic pop-up ads. A forensic investigator working for the defense found that the computer had been significantly compromised by spyware programs, and security researchers have criticized the prosecution for not adequately investigating the digital evidence. The teacher is scheduled to be sentenced at the end of March.

This got me wondering what is happening in the UK at the moment. Well, there was a paper published last November by the Parliamentary Information Technology Committee (PITCOM). There are a few interesting paragraphs under the 'Hackers' and cyber crime heading.

The Computer Misuse Act was updated recently (and about time too), although some of the wording in the Police and Justice Act is a bit worrying for IT and security professionals who are trying to combat cyber crime.

But my point is... how effective is this legislation? I don't recall seeing a news story where the good guys caught and prosecuted a cyber baddie recently.
Who is looking after the little guy on his home PC who is being bombarded with 'postcards from a friend' or being directed to phishing sites or getting dragged down by Winfixer?

It isn't just industry who are victims or potential victims of cyber crime, we all are... but who do we report it to? Is anyone collecting statistics? How do you get something done? Malware Complaints won't be able to solve your problems for you, but it is a step in the right direction.