Senate Communications Subcommittee Holds Hearing on Spyware Bill

March 23, 2004. The Senate Commerce Committee's Subcommittee on Communications held a hearing on spyware and S 2145, the "Software Principles Yielding Better Levels of Consumer Knowledge Act", or "SPY BLOCK Act".

Sen. Conrad Burns (R-MT) introduced S 2145 on February 27, 2004. See, story titled "Senators Introduce Anti-Spyware Bill" in TLJ Daily E-Mail Alert No. 847, March 2, 2004.

The two original cosponsors are Sen. Ron Wyden (D-OR) and Sen. Barbara Boxer (D-CA). Sen. Burns is also the Chairman of the Subcommittee. Sen. Wyden and Sen. Boxer are also members the Subcommittee. These three participated in the hearing, as did Sen. George Allen (R-VA), who is not a cosponsor of the bill.

Sen. Hillary Clinton (D-NY) has also added her name as a cosponsor of the bill. Sen. Burns and Sen. Clinton have also worked together on other bills, such as S 1250, the "Enhanced 911 Emergency Communications Act of 2003".

Sen. Conrad BurnsSen. Burns stated at the outset of the hearing that "we may be a little bit ahead of the curve whenever we start talking about the subject" of this hearing. But, he said, "I am convinced that sypware is potentially an even greater concern than junk e-mail, given its invasive nature."

He defined spyware as software programs "that are downloaded onto users' computers without their knowledge or consent. It is a sneaky way, of software, that is often used to track the movements of consumers online, and even steal passwords. The porous gaps of spyware creates in a computer security may be difficult to close. For example, one popular peer to peer file sharing network routinely installs spyware to track users' information, and retrieve targeted banner ads and pop ups."

He added that "uninstalling it may prove to be difficult". He elaborated that "some spyware includes tricklers. Now we got a new word in our vocabulary now -- tricklers, which reinstall the files as you delete them. Users may think that they are getting rid of the problem, but the reality of the situation is far different. So creators of spyware have engineered the technology so that once it is installed on a computer it is difficult, and sometimes impossible, to remove, and in some cases requires entire hard drive to be erased to get rid of the poisonous product."

He then summarized his bill. He said that it requires clear and conspicuous notice, consent, and reasonable uninstall procedures.

Sen. Wyden stated that "snoops and spies are trying to set up base camps in millions of computers across the country" and that consumers ought to be able to control what is on their computers.

Sen. Boxer stated that "this is a pro consumer bill", but that it is also "pro business", because if people think they are being spied on, they will use their computers less.

Sen. Allen stated that "under no circumstances is it acceptable for someone to secretly or deceptively monitor a consumer's activities online without that consumer's knowledge or consent, and any sort of misleading or false practices associated with spyware -- in my view, it threatens consumer confidence, I think it ruins, it harms, the internet's viable and usefulness, whether it is for commerce or for access to information. And in that sense, I thank you Senator Burns and Senator Wyden, for identifying this problem with you measure."

However, he continued that "I think we ought to consider all of the different options." He stated that he "would like to see a market driven approach", and one that does not dictate technologies. He also pointed out that there are existing laws, such as those against identity theft, fraud, and deceptive marketing practices, that already apply to spyware and adware.

Summary of S 2145. The bill contains three prohibitions. First, Section 2(a) of the bill provides that "It is unlawful for any person who is not the user of a protected computer to install computer software on that computer, or to authorize, permit, or cause the installation of computer software on that computer, unless ... the user of the computer has received notice ... the user of the computer has granted consent ... and ... the computer software's uninstall procedures satisfy the requirements" of the bill.

The bill also elaborates on the requirements for notice, consent and uninstall procedures.

Second, Section 2(b) provides that "It is unlawful for any person who is not the user of a protected computer to install computer software on that computer, or to authorize, permit, or cause the installation of computer software on that computer, if the design or operation of the computer software is intended, or may reasonably be expected, to confuse or mislead the user of the computer concerning the identity of the person or service responsible for the functions performed or content displayed by such computer software." The bill refers to this as the "red herring" prohibition.

Third, the Section 4 provides that "It is unlawful for any person who is not the user of a protected computer to use an information collection, advertising, distributed computing, or settings modification feature of computer software installed on that computer, if ... the computer software was installed in violation of section 2 ... the use in question falls outside the scope of what was described to the user of the computer in the notice provided ... or ... in the case of an information collection feature, the person using the feature fails to establish and maintain reasonable procedures to protect the security and integrity of personal information so collected."

The bill contains several exceptions pertaining to pre-installed software, software resident in temporary memory, and other software. The bill also contains a subsection providing immunity from liability for passive transmission, web hosting, and hyperlinking.

Finally, the bill addresses enforcement and remedies. There is no private right of action under this bill. Enforcement would be left to the Federal Trade Commission (FTC), other federal agencies, and the states.

Witness Testimony. The panel of witnesses was not enthusiastic about the bill as introduced.

Robert Holleyman (P/CEO of the Business Software Alliance) argued in his prepared testimony that "the problem is with bad behavior, not bad software tools or products". Hence, "for that reason Congress should continue to ban the behavior not the technology. The problem is with abuse, not use, of technology." He added that "the bills as introduced can be improved by focusing more directly on punishing the behavior rather than the means by which it is accomplished. Such an approach enables Congress to avoid having to make very difficult decisions about the design and operation of technology."

He also stated that "Congress has wisely avoided technology mandates" in previous legislation, and should avoid technology mandates in any spyware legislation.

Holleyman also argued that the essential problem with spyware is the capture and distribution of information, and not pop up advertising.

He testified that "We suggest that Congress simply prohibit the distribution in interstate commerce of user information obtained electronically from an individual's computer, unless the person seeking to sell the information can show that it was collected with user's explicit permission or that it was obtained from an unaffiliated entity that represents it had collected the information with such permission."

He added that "We also believe that what the bill calls advertising, distributed computing, and settings modification features should not be included in this legislation."

Avi Naider, the P/CEO of Inc., testified about his advertising company. He described it as a software based online contextual marketing company. He did not describe his company's software as either "spyware" or "adware". He said that his company provides notice to consumers that its software is being installed on consumer's computers, and that it makes it easy for consumers to uninstall the software. However, he conceded that his company's software comes bundled with other software. He argued that companies like his benefit consumers.

He argued in his prepared testimony [PDF] that any legislation should be "nuanced" to distinguish between "legitimate" and "nefarious" software. However, he did not provide explanatory definitions, or proposed statutory language, in either his written or oral testimony.

Jerry Berman, President of the Center for Democracy and Technology, wrote in his prepared testimony [9 pages in PDF] that "proliferation of invasive software referred to as ``spyware´´ is a large and rapidly growing concern", and that it should be addressed by federal legislation.

However, he advocated legislation that addresses online privacy generally, not spyware specific legislation. Sen. Boxer responded that "I have no disagreement with anything that you just said, but I am also a practical legislator. And I can tell you now ... sometimes you can't get that overall."

The CDT also released a report [14 pages in PDF] back on November 18, 2003 titled "Ghosts in Our Machines: Background and Policy Proposals on the ``Spyware´´ Problem". See, story titled "CDT Releases Report on Spyware" in TLJ Daily E-Mail Alert No. 782, November 19, 2003.

The final witness was John Levine, the P/CEO of Taughannock Networks. See, prepared testimony [PDF].

Related Bills. On July 25, 2003 Rep. Mary Bono (R-CA) and Rep. Edolphus Towns (D-NY) introduced HR 2929, the "Safeguard Against Privacy Invasions Act" introduced . This bill would prohibit the distribution of certain spyware programs over the internet without notice and consent. See, story titled "Rep. Bono Introduces Spyware Bill" in TLJ Daily E-Mail Alert No. 706, July 29, 2003.

Also, in the 107th Congress, Sen. John Edwards (D-NC) and Sen. Ernest Hollings (D-SC) introduced S 197 (107th), the "Spyware Control and Privacy Protection Act of 2000".

There are also bills that are pending in state legislatures pertaining to spyware.