A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology
(1) Anti-Spyware Measures Continue Moving Through Congress
(2) House "SPY ACT" On Fast Track, Clears Commerce Committee
(3) House Judiciary Bill Introduced Offering Narrower Approach, Criminal Penalties
(4) Prospects for Legislation Depend on Reconciling House, Senate Approaches
Legislation that would prohibit deceptive software is on a fast track through the House of Representatives, due in part to strong support from House Energy and Commerce Chairman Joe Barton (R-Texas). Barton recently described spyware as "a cancer on the Internet" and has predicted that an anti-spyware bill will "sometime this year become public law."
The Energy and Commerce Committee recently approved a bill that would ban certain deceptive practices and require software makers to notify consumers before collecting personal information. Lawmakers on the House Judiciary Committee have introduced a bill of their own that would establish criminal penalties for those who use spyware to steal personal information or to commit other crimes.
The Senate is also considering a bill, known as the "SPY BLOCK Act." That bill is more focused on setting notice requirements than on the prosecution of deceptive practices. Earlier this year, the Senate Communications Subcommittee held a hearing on the bill, where CDT testified that legislation might be necessary to curb spyware and that baseline privacy legislation was long overdue. The Committee has not taken further action on the spyware bill since that hearing. Although the House is currently moving rapidly, some further action by the Senate will be necessary for legislation to pass this year.
CDT strongly supports the efforts in proposed legislation to punish egregious deceptive conduct such as keystroke logging, browser hijacking, and distributed denial of service attacks with increased penalties. However, we remain concerned that, as drafted, the notice requirements in the proposed bills will actually be confusing and of little use to consumers, while serving as a potential shield for bad actors. For example, under the House Commerce bill, a software company that only uses personal information to provide a requested service and a rival company that sells information to the highest bidder must provide exactly the same notice. The result would be that consumers are simply forced to accept all such notices in order to receive services, rendering them useless. These issues would be better addressed in a technology-neutral baseline privacy bill.
On June 24, the House Energy and Commerce Committee approved H.R. 2929, known as the "Securely Protect Yourself Against Cyber Trespass Act" or SPY ACT. The bill provides a list of deceptive software practices and would establish large civil penalties for software makers who engage in such activities. The deceptive practices list is based on a consensus document produced by the Consumer Software Working Group, which CDT convened last spring. A broad range of industry and consumer groups endorsed that document.
The bill would also require that consumers be given notices prior to the execution of adware and other software that transmits personal information. Industry groups have suggested that these provisions are overbroad and may hinder legitimate software development. Recent amendments to the bill have focused the notice requirements, and added exemptions for network security monitoring programs.
Finally, the bill includes a "Good Samaritan" provision that would remove any potential liability for providers of programs that remove or disable software in violation of the Act, provided that the user is given an opportunity for notice and consent. This provision is intended to help anti-spyware technologies flourish.
CDT supports the goals of this legislation, particularly in reining in the continued bad practices of offenders. However, we remain concerned that the notice provisions will do less to make consumers aware of information collection than to further confuse good and bad practices. Since the bill covers a great deal of software, many legitimate software providers may simply add the boilerplate notice required in the bill to avoid potential liability. If the notices become ubiquitous, they will do little to help consumers distinguish software that may be of concern. At the same time, spyware manufacturers could use their compliance with the notice provision to shield themselves from liability for a variety of practices that harm consumers.
The notice provisions will also create yet another type of privacy notice in law. The specificity of the requirements assures that the privacy notices will be different from those used for financial information or medical information. For these reasons, CDT continues to believe that the notice and consent provisions of this bill would be better addressed in separate, technology-neutral, baseline privacy legislation that can streamline notices in a way that makes sense to consumers.
Finally, CDT is also disappointed that the bill provides additional enforcement authority to the FTC, but does not clearly grant the same authority to state attorneys general. The FTC alone does not have the resources to adequately enforce this legislation, and state attorneys general have been consumers' first line of defense against deceptive practices. While some state attorneys general may be able to act under the bill, consumers would be well served by a specific grant of authority.
Three members of the House Judiciary Committee introduced their own anti-spyware legislation on June 24. HR-4661, the Internet Spyware (I-SPY) Prevention Act, would establish prison sentences of up to five years for some computer-related crimes.
The I-SPY bill contains none of the notice requirements of the Commerce Committee version, but focuses instead on a narrow subset of malicious or deceptive practices. Specifically, it would make it criminal to access a computer without authorization or in excess of authorization to further another criminal offense, to intentionally transmit personal information with intent to injure or defraud, or to intentionally impair security. The bill now has to pass the Judiciary Committee. It could be merged with the Commerce Committee bill or advance to the floor of the House on its own.
CDT regards the I-SPY Act as a useful supplement to the deceptive practices provisions of the Commerce Committee bill, and it avoids the issues of software-only notice requirements. Because the I-SPY bill carries criminal penalties, its focus on a narrower set of practices is appropriate. Civil enforcement is suitable for most spyware practices, but criminal provisions, which are used more rarely but carry far stiffer penalties, are appropriate for the egregious behaviors targeted by the I-SPY Act. While further tailoring of the bill is still needed (and is expected at the Subcommittee and Committee levels), its introduction is a significant step in the right direction.
Because few days remain in the legislative calendar, a spyware bill will have to move quickly for one to become law this year.
Reconciling or combining the two approaches currently moving in the House, the SPY ACT and the I-SPY Act, will likely be the first step. Because it has so far been less anxious to move forward with spyware legislation, the Senate remains the biggest potential obstacle to passage this year. The Senate may be more likely to act once the House has reconciled its approaches and passage of a final bill becomes imminent, but influential members of the Senate Commerce Committee have let it be known that they will not back any approach that does not have a broad consensus behind it.
Actions in the states could also accelerate the federal process. Poorly crafted state bills, or a patchwork of different bills, could provide an incentive for Congress to move forward quickly to set a uniform national standard. Spyware bills are currently pending in several states, including New York and California. Utah is the only state that has successfully passed a spyware law, but its enforcement was recently put on hold by a state judge due to questions about its constitutionality.
Detailed information about online civil liberties issues may be found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_10.11.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 10.11 Copyright 2004 Center for Democracy and Technology