No new spyware legislation needed

Australia does not need new legislation to deal with the growing spyware problem, the federal government says.After conducting a review into spyware, the Department of Communications, Information Technology and the Arts (DCITA) concluded the "most serious and culpable uses of spyware do constitute criminal offences under existing legislation.

Australia does not need new legislation to deal with the growing spyware problem, the federal government says.

After conducting a review into spyware, the Department of Communications, Information Technology and the Arts (DCITA) concluded the "most serious and culpable uses of spyware do constitute criminal offences under existing legislation." Its review, DCITA said, was conducted "in conjunction with the Attorney-General's department and law enforcement agencies".

Behaviour classified by the department as 'spyware abuse' included Internet banking fraud, browser hijacking, harvesting and collection of personal financial information, damage to computer settings, identity theft and impairment of security.

DCITA listed several pieces of Commonwealth and state legislation it considered would be effective in prosecuting those who cause malicious damage through spyware. Nationally, the department listed the Criminal Code Act (1995), the Australian Securities and Investments Commission Act (2001), the Corporations Act (2001), the Privacy Act (1988), the Trade Practices Act (1974), the Telecommunications Act (1997) and the Telecommunications (Interception) Act (1979).

DCITA noted other states were likely to follow South Australia's lead and legislate against identity theft. This would be done through the Model Criminal Code Officers Committee, a national body established to develop a model criminal code for all Australian jurisdictions.

The department said about spyware: "The programs are not harmful in themselves, and in fact many of the same software components used by spyware can be employed to benefit computer users or to protect their security. Examples include software that enables automatic security updates, Internet banking services and the blocking of access to offensive websites."

"Where spyware differs from legitimate software is the use that it is put to. A response to the spyware problem needs to target malicious and inappropriate uses of the technology, rather than the software itself," DCITA concluded.

McAfee Australia marketing director Alan Bell told ZDNet Australia&nbsp this morning the department was adopting a more academic approach than that used by the software industry. This was exemplified by the careful definition of spyware used in the report. However, Bell added: "I don't think it's as useful to define the non-malicious products as spyware. If you start talking about good spyware and bad spyware, I think it's better to talk about all spyware being bad, and the other programs are simply monitoring tools or support tools. That way we avoid muddying the waters."

Bell cited the example of software used by IT departments to remotely support a user's PC. He said while similar software was used by many spyware programs, it was not useful to define a remote support tool as "spyware".

DCITA said that it would undertake public consultation on the subject of spyware in May. In the meantime it would "work with key stakeholder groups to develop a discussion paper to provide a framework for public consultation forums in each state and territory". In addition, "These consultative activities will help shape a broad based strategy to deal with spyware."