A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology
(1) FTC Files First Spyware Case, Based on CDT Complaint
(2) FTC Case Sets Valuable Precedent For Better Enforcement
(3) House Passes Two Spyware Bills, Leveling Civil, Criminal Penalties
(4) Senate and House Seek to Reconcile Approaches In Time for November Session
The Federal Trade Commission (FTC) filed suit in the District Court of New Hampshire on October 7 against Seismic Entertainment and a former self-styled "Spam King," Sanford Wallace, taking up a complaint filed by CDT last February. Although the FTC has formerly brought cases against "dialers" and online "mouse trapping" schemes designed to keep users from closing web sites, the current case is widely considered to be the first major suit by the FTC in the core area of spyware.
CDT's complaint alleged that Seismic engaged in browser hijacking and deceptive advertising. Following in-depth research, CDT concluded that Seismic purchased banner ads that ran on web sites related to gaming, sports, and other topics. The ads often appeared as public service advertisements, but when loaded they would change a user's homepage and trigger a stream of pop-ups, including misleading advertisements for "Spy Wiper" or "Spy Deleter" anti-spyware software. CDT also subsequently showed that a Seismic website caused forced installations of advertising software and other programs.
The FTC's suit against Seismic and Wallace, its owner, mentions these and other actions as violations of the FTC Act. The FTC alleges that "in numerous instances, Defendants' practices cause or have caused consumers' computers to malfunction, slow down, crash, or cease working properly, and cause or have caused consumers to lose data stored on their computers."
Since CDT's initial report on the spyware issue in November 2003, we have argued that existing statutes cover many spyware practices. Relevant laws include the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the FTC Act prohibiting unfair and deceptive business practices.
The dearth of enforcement of these laws in the spyware context has been partially responsible for allowing spyware to flourish online. At a House hearing in April, Rep. Joe Barton, Chairman of the House Commerce Committee, criticized the FTC for failing to bring any spyware cases. The FTC's current action therefore represents an important step toward better enforcement against spyware purveyors.
A recent Consumer Reports survey found that over a third of home Internet users have had their homepage hijacked. The proliferation of deceptive advertising for anti-spyware products is also a prevalent problem. The FTC's current case squarely targets these practices, and lays the groundwork for future spyware cases in other areas.
CDT plans to continue bringing cases to the FTC. CDT encourages users that have been hit by spyware to submit their stories to http://www.cdt.org/action/spyware. CDT reviews and researches reports and will file complaints where appropriate.
Congress pushed forward on the spyware issue, as the House approved two separate anti-spyware bills.
H.R. 2929, known as the "SPY ACT," was passed on October 5th. It would create civil penalties for certain deceptive practices related to spyware. The list of targeted practices is based on a consensus document produced by the Consumer Software Working Group, which CDT convened last spring. A broad range of industry and consumer groups endorsed that list, and have worked with the Committee to refine this section of H.R. 2929.
The SPY ACT would also require that consumers be given notices prior to the execution of adware and other software that transmits personal information. CDT and other groups raised concerns that this section was poorly targeted in earlier versions of the legislation. Recent amendments have sought to focus the notice requirements and eliminate the need for redundant notices.
The second bill, H.R. 4661, known as the "I-SPY Act," would establish criminal penalties for those who use spyware to steal personal information or to commit other federal crimes. This bill, passed by the House on October 6th, would create high penalties for the most egregious types of spyware.
While CDT still believes that privacy legislation addressing the full range of online privacy concerns is needed and would address many of the issues implicated by spyware, the current bills would be a helpful initial step toward combating the problem.
In contrast to the House, the Senate has yet to pass a spyware bill. S. 2517, the "SPY BLOCK" Act, was approved by the Senate Commerce Committee in September, and awaits consideration by the full Senate. The bill includes the criminal provisions of the House criminal bill, and prohibits a list of deceptive practices similar to that in the House civil-penalties bill.
The biggest difference between the House and Senate bills is in their requirements for notice on installation of software. The Senate bill prohibits deceptive installations, but does not include the level of detail in mandating the wording of notices that is present in its House counterpart. CDT prefers the Senate's approach, which we believe will provide needed flexibility for different kinds of devices and interfaces.
Although the House and Senate are now in recess, both are expected to meet again briefly in a "lame duck" session in November. House and Senate staff are working to reconcile the three bills in order to have them ready for this session.
Meanwhile, states continue to push forward with their own laws. California Governor Arnold Schwarzenegger signed a spyware bill on September 28, prohibiting several deceptive spyware related practices in California. This makes California the second state, after Utah, to pass specific anti-spyware legislation.
Detailed information about online civil liberties issues may be found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_10.17.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 10.17 Copyright 2004 Center for Democracy and Technology
