New US anti-spyware law may not have much bite
Currently before the US Committee on the Judiciary and likely to be passed into US law in the very near future, the Internet Spyware (I-SPY) Prevention Act of 2007 offers an interesting slant on the fight against malware and spyware. It amends Title 18 of the United States Code by inserting Sec. 1030A, "Illicit indirect use of protected computers". This creates two new criminal offences. The first, specified in clause (a) and worth five years' incarceration, is gaining unauthorised access to a computer system used exclusively for government or banking (a "protected computer") by means of introducing or using a program, but only in furtherance of another federal offence. Clause (b) qualifies the first with a lesser (but presumably supplementary) penalty of two years for carrying out such access with the intent of obtaining specific categories of personal information, including citizen or banking credentials, or for impairing the security of a protected computer with intent to defraud or cause damage.
Such legislation has elsewhere proved hard to apply: witness the lack of bite shown by the UK Computer Misuse Act 1990, which, although intentionally loosely specified, was seriously in need of amendment within half a decade in order to keep up with the changing nature of threats. For example, a very real problem not envisaged by the UK legislators turned out to be demonstrating intent and causation on the part of a perpetrator where a breach is effected remotely using malware already known to be in the wild. The "supply" clause in the amended Act, currently suspended and under revision, was an attempt to cover this known loophole, but it is by no means certain that an adequate formulation will be found.
So how effective is this new US legislation likely to be? It is extremely narrowly specified, and, as has been discussed widely in the context of the new German anti-cracker tool provisions, such specifications can be problematic in two ways: legitimate activities can fall foul of the law, and genuine perpetrators can find loopholes of escape. Furthermore, its limited coverage prevents this US law from being brought to bear on the huge problem of credentials capture from private persons. Capture from the personal computers of private citizens is not covered. Nor would an incident such as the TJX credentials leak of December 2006 be actionable under it unless it could be proved that the computers broken into were used exclusively for banking purposes. Overall, such exposure is probably as significant to the public at large as that due to all the occasional high-profile incidents involving banking and government systems combined. One cannot help feeling, therefore, that this legislation is to some extent a window-dressing exercise designed to show that the US government takes the issues seriously, rather than a piece of measured legislation likely to have a significant impact on the problem. That would not be a first.