Rep. Bono Introduces Spyware Bill

July 25, 2003. Rep. Mary Bono (R-CA) and Rep. Edolphus Towns (D-NY) introduced HR 2929, the "Safeguard Against Privacy Invasions Act", a bill to prohibit the distribution of certain spyware programs over the internet without notice and consent.

Rep. Bono issued a release which states the nature of the problem addressed by the bill. It states that "When users surf the Internet, they often unintentionally download invasive spyware. Just visiting a web site can sometimes result in a 'drive-by download,' meaning the spyware is installed on the PC simply by clicking on a website. More often, consumers unknowingly agree to download spyware systems when they accept software licensing agreements while downloading software from the Internet."

The bill was referred to the House Commerce Committee, of which both Rep. Bono and Rep. Towns are members.

The bill gives rule making and civil enforcement authority to the Federal Trade Commission (FTC), and criminal enforcement authority to the Department of Justice (DOJ).

Definition of Spyware. What constitutes spyware is not settled. Moreover, some programs that consumer advocates describe as spyware are described otherwise by their producers and distributors.

The bill, as currently written, does little to clarify the issue. The bill provides that "The term 'spyware program' means any computer program or software that can be used to transmit from a computer, or that has the capability of so transmitting, by means of the Internet and without any action on the part of the user of the computer to initiate such transmission, information regarding the user of the computer, regarding the use of the computer, or that is stored on the computer."

The bill would leave it to the FTC to write rules that identify what spyware is.

Definition of Computer. The bill contains no definition of the term "computer". Rather, it applies the very broad definition used in 18 U.S.C. § 1030 (which pertains to computer hacking).

Subsection 1030(e)(1) provides that "the term 'computer' means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;".

Thus, the bill would appear to cover certain PDAs, cell phones, and other devices that have access to the internet, whether they exist now or have yet to be invented.

Prohibitions. The bill contains two key subsections with prohibitions.

First, subsection 2(a) provides that the FTC "shall, by regulation, prohibit the transmission of a spyware program to a covered computer by means of the Internet, unless the user of the covered computer expressly consents to such transmission in response to a clear and conspicuous request for such consent or through an affirmative request for such transmission."

Second, subsection 2(c), which addresses spyware that collects personally identifying information, provides that the FTC "shall, by regulation, prohibit the use of any spyware program that is transmitted to a covered computer by means of the Internet for collecting any personally identifiable information from the covered computer, unless notice that the program will be used for such collection is provided -- (1) in any license, contract, or other agreement covering the spyware program or the information, program, or communication together with which, or in connection with which, the spyware program is transmitted; and (2) in another prominent location, as the Commission shall provide."

Also, subsection 2(b) does not contain a prohibition, but rather, requires the FTC to establish requirements in cases where the transmission of the spyware program requires an affirmative action to agree to a license. It provides that the FTC "shall, by regulation, establish requirements for the transmission of a spyware program to a covered computer, by means of the Internet, in any case in which the transmission of the spyware program, or any information, program, or communication together or in connection with which the spyware program is transmitted, requires any affirmative action on the part of the user of the covered computer to agree to a license, contract, or other agreement which is made available on the World Wide Web ..."

Subsection 2(b) further provides that "The terms of such license, contract, or agreement shall be set forth on a World Wide Web page and the mechanism by which the user of the covered computer agrees to such license, contract, or agreement shall be included on the same page." Moreover, it provides that "The terms of the license, contract, or other agreement shall -- (A) include provisions, that are clearly stated and prominently displayed, which specify that agreement to such license, contract, or other agreement constitutes consent to transmission of the spyware for purposes of subsection (a); and (B) clearly explain the purpose of including the spyware." Finally, it provides that "The name of the person or entity transmitting the spyware, a valid physical street address of such person or entity, and a functioning return electronic mail address for such person or entity shall be included on the World Wide Web page referred to in paragraph (1)."

Enforcement. The bill provides that violations would constitute "an unfair or deceptive act" within the meaning of the FTC Act. The FTC would have authority to enforce any such violation of the FTC Act.

In addition, the bill provides that whoever "(1) violates section 2(c) or the regulations issued under such section, or (2) knowingly violates any other provision of this Act or any regulation issued under this Act, shall be fined under title 18, United States Code, or imprisoned for not more than 1 year, or both."

Activities Not Addressed By The Bill. The bill only covers spyware programs that are transmitted via the internet. Hence, spyware programs that are preinstalled by an original equipment manufacturer (OEM), or installed by a computer user from a CD, would not be affected by this bill. And of course, only programs are covered. Other means of surveillance of computer use are not covered.

The bill does not contain a law enforcement authority exception. Nor does the bill address monitoring by employers of employees' computer use in the workplace. Nor does the bill address the situation where multiple persons use the same computer.