The House of Representatives has passed a bill designed to toughen penalties on spyware vendors and criminalize the act of installing potentially dangerous software on a user's machine.

But the bill must pass the Senate as well, and Congress' record of crafting useful legislation to combat Internet threats is mixed at best.

The House cleared the "Internet Spyware Prevention Act" (aka "I-SPY") on a voice vote on May 22. Rep. Zoe Lofgren (D-CA), who sponsored the bill along with Rep. Bob Goodlatte (R-VA), hailed it as a success for consumers.

"[I-SPY] is a bipartisan measure that identifies the truly unscrupulous acts associated with spyware and subjects them to criminal punishment," Lofgren said. "It targets the worst forms of spyware without unduly burdening technological innovation."

I-SPY prohibits "intentionally accessing a protected computer without authorization, or exceeding authorized access, by causing a computer program or code to be copied onto the protected computer, and intentionally using that program or code" in order to obtain personal information, which the bill defines as a Social Security number, bank account number, credit card number, and so on.

The bill also authorizes disbursements of $10 million a year through 2011 to the Justice Department, in order to fund efforts to combat spyware, phishing, and pharming.

Lofgren, who represents tech-heavy San Jose, California, won the support of the software industry for the bill. A competing bill, the "Securely Protect Yourself Against Cyber Trespass Act" (aka the "SPY Act"), mandated that companies create clear, upfront disclosures of any software they wanted to install on a user's machine, a requirement vendors objected to as overly burdensome.

Although clear disclosures of potential spyware seem like a win for users, the SPY Act also preempted state-level antispyware laws, limiting venues of redress to state Attorneys General and the Federal Trade Commission (FTC). In addition, it contained many exemptions that could enable security vendors to install spyware on users' machines and monitor their activities.

Consumers Can't Sue

Both I-SPY and the SPY Act prevent individual legal actions against spyware purveyors. If I-SPY becomes law, cases such as the Sony rootkit scandal could not be pursued in civil court, or as part of a class action suit.

Lawsuits filed against Sony in New York, California, Texas, and other states caused bad publicity for the company and forced it to settle the cases for millions of dollars.

Congress' previous benchmark for legislation against Internet threats, the CAN-SPAM Act, was widely derided as a failure when it came to stopping spam, with spam traffic actually increasing since the act's passage in 2004.

With the Senate currently occupied with battles over funding the Iraq war and passing immigration reform, the prospects of getting a companion bill to I-SPY passed are chancy at best. And given the bill's potential restrictions on consumer redress for spyware threats, many in the security sector believe it may be best for Congress to "first do no harm," and let existing laws, better user education, and stronger security products do the job of combating spyware.