The Inside Job: Domestic Spyware
Has your organization been compromised by spyware? You may want to read on before answering. According to a recent study conducted by Websense Inc., a leading provider of anti-spyware software, 92% of all IT administrators involved believed their networks were infected with some type of spyware. Only 6% of the IT staff believed they were responsible for downloading spyware into the network. Findings such as these point to a larger problem: many people do not know enough about spyware to help prevent infection. Regardless of how it is being distributed, spyware has become such a concern that even the U.S. Congress has taken note.
Why it is a Problem
Spyware programs are viewed as intrusive because many internet users are not pleased with having their surfing habits documented. The fact that several web sites deploying these programs are questionable makes things even worse. What began as a simple adware program has often been discovered to be malicious software that harbors viruses, steals personal data, propagates spam, or hijacks a web browser. This type of program can easily capture a victim's credit card number or PIN when making purchases or banking online. When this sensitive data is collected in an adware database, it becomes a repository well suited for financial fraud and identity theft.
Not all spyware is used maliciously, as the case of domestic spyware shows. This type of program is usually installed by a parent, teacher or company that wants to monitor the internet activity of other users. IT administrators may want to check up on members of their staff, while parents may be suspicious of whom their children are chatting with online. Domestic spyware is viewed as useful in these instances, though it can still be abused by malicious individuals.
Like many tools used by hackers, spyware programs are readily available and can be easily installed without a user's knowledge or consent. Law enforcement agents have been known to use domestic spyware to monitor suspected illegal activity, while criminals have used it to steal data from government agencies and large corporations.
The SPY BLOCK Act
In November of 2005, the Senate Commerce Committee approved the SPY BLOCK Act. The legislation was actually a substitute amendment to the original bill introduced by Senator Conrad Burns in February of 2004. As amended, the legislation specifically addresses computer hijacking, loss of control over a computer, adware that doesn't reveal its complete operation, and the collecting of personal data. It prohibits the collecting of personal data when the process of collection is not "clearly and conspicuously disclosed" or advertised as part of the program's intent. If personal information such as bank account or Social Security numbers is to be collected, a consent regime and notice are required. Additionally, the user must be able to manually uninstall any software that collects personal data.
The SPY BLOCK Act also strengthens enforcement by giving authority to the FTC and state attorneys general to enforce these provisions.
This bill has since been moved to the full Senate for complete consideration. Many critics feel that it will be less effective than the CAN SPAM Act of 2003 as exploits by malicious individuals become more advanced.