I was asked recently to comment on the house bills that were passed regarding anti-spyware. Given that the same issue occurred with spam, it may be worth highlighting the value of legislation (which I am not a huge fan of, but it may help slightly).
The biggest thing that these bills do is begin to draw the line between legitimate and illegitimate activity. With spyware, this is especially important as "spyware" companies legislate against anti-spyware companies (here is a good list that keeps track of legal action).
The other thing it does is provide some means for prosecution. In some ways, it forces a company into demonstrating intent.
Will it stop spyware? Not likely. There will be plenty of challenges, probably revolving more around consent than anything else. But it will almost certainly help in our defining good versus bad.
I’d love to see more definition around spyware, as long as there is so much ambiguity resolution seems far away.
It is annoying how reputable antispyware products identify so many benign cookies as SPYWARE! (See how much we need their products and how much damage is being done to our systems?) At a minimum the more credible companies would break down miscreants into distinct buckets like: cookies, adware delivery, keystroke logging, redirectors, unknown.
Then at least we can’t be accused of crying wolf (as often as we seem to).
I wholly concur with Stu’s assertion that a definition of spyware is needed before any solutions can be offered. I think Pete would agree that if it isn’t defined then it can’t be measured….. take it one step further and without definition, it can’t be legislated.
Most, if not all, anti-spyware products fall squarely into the FUD camp. Fear, uncertainty and doubt works once, IMHO, and quickly loses any shred of respect. Sure, it is tempting to run to management with a report from any spyware product and receive money to “take care of the problem” but how many times will that work?
I really have no problem with this legislation. I think it is more likely to force definitions and without it, we would be stuck in ambiguity. We often legislate broadly and let the courts interpret, as far as I can tell.
I don’t think this stuff is THAT hard in most cases (I am aware of the tracking cookies issue but most spyware solutions I’ve used lately are very clear about that, and you can deselect them from your scan).
As I mentioned in my post, what will be more interesting to me is the notion of consent. I believe there are plenty of people out there who install software and yet don’t really understand the nature of what the software is doing yet will consent to it nonetheless, simply by clicking the “I accept” button and not reading the policy/license/terms of use.