Democrats tackle spyware
The Democrats' information technology spokesperson, Brian Greig, said today the Spyware Bill 2005 was not designed to ban spyware or other unauthorised installations but to require companies to obtain permission from the owner of the computer before proceeding.
"It is this authorisation that is at the heart of the Australian Democrats' proposals," Greig told the Senate. "Namely that no program or cookie or any other form of tracking device is to be installed on any computer without the user of that computer being given full and clear information as to the purpose of that computer or tracking device.
"Further, any such warning must include details of any effect the program will have on the computer and what, if any, data will be gathered, who will have access to that data and what use will be made of it.
"After the user has been given all necessary information, the user will retain full control with the need for a separate authorisation before installation.
"Furthermore, once installed, each program or monitoring or tracking device must make it easy for the user to completely remove or uninstall it".
Spyware is an increasingly ubiquitous problem. A recent report revealed around 90 percent of malware found on both home and corporate PCs turned out to be spyware.
Frost & Sullivan security analyst James Turner has said that until anti-spyware utilities are easier to use, "the majority of Internet users will not be able to adequately protect themselves".
Greig said the legislation had to cover situations whereby programs that are not intrinsically malicious can be used with ill-intent.
"One program which records every stroke of the keyboard by a user can be used by hackers to gain credit card numbers or by security-conscious financial organisations acting with the full knowledge of their employees," he said.
In his second-reading speech, Greig singled out Web advertising heavyweight Doubleclick's use of tracking cookies and their role in creating a history of Web usage by an individual.
"Currently companies such as Doubleclick claim that this clickstream is not matched to your individual identity.
"Instead, each cookie contains a unique global identifier which lets the ad server track your movements without identifying your actual name or e-mail address.
"But it is a very small move to match this global ID to personally identifying information or the Internet address of the surfer and the implications of this are obvious".
In the case of adware, the legislation states, companies should include an identifiable link that users can click on the ad that informs them how to turn off the advertising feature or uninstall the software.
The bill requires companies to provide a representative example of the type of advertisement that may be delivered by the software, together with a clear description of the estimated frequency of the advertisement and how users can distinguish the type of ads delivered by different software programs.
It also requires that companies inform the user of the nature, volume and likely impact on the computer's processing capacity of any computational or processing tasks the software will cause the computer to perform.
The software must also appear in the "Add/Remove Programs" menu or any similar feature provided by the operating system and be easily and completely removable using normal procedures for removing computer software.