Spyware: Background and Policy Issues for Congress
Publication Date: March 2008
Publisher(s): Library of Congress. Congressional Research Service
The term "spyware" is not well defined. Generally it is used to refer to any software that is downloaded onto a person's computer without their knowledge. Spyware may collect information about a computer user's activities and transmit that information to someone else. It may change computer settings, or cause "pop-up" advertisements to appear (in that context, it is called "adware"). Spyware may redirect a Web browser to a site different from what the user intended to visit, or change the user's home page. A type of spyware called "keylogging" software records individual keystrokes, even if the author modifies or deletes what was written, or if the characters do not appear on the monitor. Thus, passwords, credit card numbers, and other personally identifiable information may be captured and relayed to unauthorized recipients.
Some of these software programs have legitimate applications the computer user wants. They obtain the moniker "spyware" when they are installed surreptitiously, or perform additional functions of which the user is unaware. Users typically do not realize that spyware is on their computer. They may have unknowingly downloaded it from the Internet by clicking within a website, or it might have been included in an attachment to an electronic mail message (e-mail) or embedded in other software.
According to an October 2004 survey and tests conducted by America Online and the National Cyber Security Alliance, 80% of computers in the test group were infected by spyware or adware, and 89% of the users of those computers were unaware of it. The Federal Trade Commission (FTC) issued a consumer alert on spyware in October 2004. It provided a list of warning signs that might indicate that a computer is infected with spyware, and advice on what to do if it is.
Several states have passed spyware laws, but there is no specific federal law. During the first session of the 109th Congress, the House passed two different spyware bills, H.R. 29 and H.R. 744, on May 23, 2005. In the Senate, three bills were introduced: S. 687, S. 1004, and S. 1608. S. 687 and S. 1608 were ordered reported from the Senate Commerce Committee during 2005.
A central point of the debate is whether new laws are needed, or if industry selfregulation, coupled with enforcement actions under existing laws such as the Federal Trade Commission Act, is sufficient. The lack of a precise definition for spyware is cited as a fundamental problem in attempting to write new laws that could lead to unintended consequences. Opponents of new legislation further insist that, if legal action is necessary, existing laws provide sufficient authority. Consumer concern about control of their computers being taken over by spyware, and resulting impacts on their privacy, leads others to conclude that more legislation is needed. The FTC supports S. 1608, which would enhance FTC enforcement against spyware, focusing on cross-border fraud.
Note: This report was originally written by Marcia S. Smith; the author acknowledges her contribution to CRS coverage of this issue area.