House Subcommittee Approves Spyware Bill

June 17, 2004. The House Commerce Committee's Subcommittee on Commerce, Trade, and Consumer Protection amended and approved HR 2929, the "Securely Protect Yourself Against Cyber Trespass Act" or "SPY ACT". This is Rep. Mary Bono's (R-CA) anti-spyware bill.

This bill was introduced on July 25, 2003 by Rep. Bono and Rep. Edolphus Towns (D-NY). See, story titled "Rep. Bono Introduces Spyware Bill" in TLJ Daily E-Mail Alert No. 706, July 29, 2003.

The Subcommittee approved an amendment in the nature of a substitute [18 pages in PDF] offered by Rep. Clifford Stearns (R-FL), the Chairman of the Subcommittee, by unanimous voice vote. It then approved the bill, as amended, by unanimous voice vote.

Rep. Stearns stated at the meeting that the amendment addresses "a number of concerns regarding the activity, targeted, definitional issues, and scope of the bill."

Specifically, said Rep. Stearns, "the amendment does the following:
 • Prohibits specific unfair deceptive behavior related to spyware.
 • Provide categories and examples of such behavior, including hijacking home pages, and key stroke logging.
 • Creates an opt-in for transmitting enabling any information collection program.
 • Specifically defines an information collection program.
 • Requires a disable and an identity function for the program.
 • Creates robust enforcement and penalties for violation, including civil penalties up to three times what can be imposed under the FTC Act, or seek damages up to 3 million dollars for Section 2 of the bill, and up to one million dollars for violation of Section 3 of the bill.
 • Preempts similar state statutes.
 • Requires annual reports and reauthorization."

He added that "these provisions are the result of bipartisan efforts, and the desire to draft a balanced bill that will strike at the spyware offenders, while not affecting legitimate activity that uses similar technology."

He concluded that "we are ahead of the curve. Spyware is a growing menace that needs to be contained and eliminated. Our efforts have produced legislation that will directly benefit the American consumer, and empower efforts to rid the internet of unfair or deceptive behavior related to spyware, a result that will benefit all of us, individually, and our economy as a whole."

Rep. Edolphus Towns (D-NY) called the bill "a great step in the right direction", but added that he has some reservations about the current version of the bill, including the effect upon network security if one user denies permission regarding the collection of information relevant to security.

Rep. Joe Barton (R-TX), the Chairman of the full Committee, stated that the bill "will soon go to the floor, and sometime this year become law."

Rep. Bono spoke with reporters after the meeting. She predicted that the Senate will take up the House bill. She added, "I don't see problems over there."

She also said that "Microsoft has been involved in all of the discussions", and "they are still at the table with us". She commented that "we don't want to stop good uses" such as "Microsoft learning why their software is crashing".

Prohibited Deceptive Acts or Practices. Section 2 prohibits deceptive acts or practices related to spyware. It provides that "It is unlawful for any person, who is not the owner or authorized user of a protected computer, to engage in deceptive acts or practices in connection with any of the following conduct with respect to the protected computer". Section 2 then enumerates nine categories of such deceptive acts or practices.

First, it prohibits "Taking control of the computer". The bill provides several examples, including "utilizing such computer or computing services to send unsolicited information or material to others", and "delivering advertisements that a user of the computer cannot close without turning off the computer or closing all sessions of the Internet browser for the computer".

Second, it prohibits "Modifying settings related to the computer's access to or use of the Internet". It then lists as examples altering "the Web page that appears when the owner or authorized user launches an Internet browser", altering "the default provider used to access or search the Internet", altering bookmarks, and altering security settings.

Third, it prohibits "Collecting personally identifiable information through the use of a keystroke logging function".

Fourth, it prohibits "Monitoring, or analyzing the content of, the Web pages or other online locations accessed using the computer."

Fifth, it prohibits "Inducing the owner or authorized user to install a computer software component onto the computer, or preventing reasonable efforts to block the installation or execution of, or to disable, a computer software component". It lists as examples, "presenting the owner or authorized user with an option to decline installation of a software component such that, when the option is selected by the owner or authorized user, the installation nevertheless proceeds" and "causing a computer software component that the owner or authorized user has removed or disabled to automatically reinstall or reactivate on the computer".

Sixth, it prohibits "Representing that installing a separate software component or providing log-in and password information is necessary for security or privacy reasons, or that installing a separate software component is necessary to open, view, or play a particular type of content."

Seventh, it prohibits "Installing or executing computer software on the computer, without the permission of the party named as the provider of the software, to deceive the owner or authorized user about the identity of the person or service responsible for the functions performed or the content displayed by such computer software."

Eighth, it prohibits "Installing or executing on the computer one or more additional computer software components with the intent of causing a person to use such components in a way that violates any other provision of this section."

And finally, Section 2 of the bill prohibits "Removing, disabling, or rendering inoperative a security, anti-spyware, or anti-virus technology for the computer."

Prohibited Information Collection Practices. Section 3 of the bill prohibits the collection of certain information without notice and consent. It states that "it is unlawful for any person (1) to transmit to a protected computer, which is not owned by such person and for which such person is not an authorized user, any information collection program, or (2) to enable the operation of any information collection program with respect to such a protected computer, unless, before such transmission or enabling, the owner or an authorized user of the protected computer has consented to such transmission or enabling pursuant to notice ... and such information collection program includes the functions required under subsection (d)."

Section 3(d) then requires that "each information collection program" must allow users "to remove the program or disable operation of the program with respect to such protected computer by a function that (A) is easily identifiable to a user of the computer; and (B) can be performed without undue effort or knowledge by the user of the protected computer."

Section 3(d) also requires that "each information collection program" must have an "identity function". That is, it requires that "each display of an advertisement directed or displayed using such information is accompanied by a statement that clearly identifies the information collection program."

Exceptions and Immunities. The bill also contains several exceptions and immunities.

Section 3 contains an exemption titled "Law Enforcement Authority". However, while it does exempt law enforcement authorities, it is far broader. It exempts information collection programs that are conducted pursuant to any "court order, or a compulsory administrative process". It does not require that the information collector be a law enforcement agency, or even that it be a government agency.

Section 3 contains an immunity clause for telecommunications carriers, information service providers, and other providers of underlying transmission capability. That is, such an entity "shall not be liable under this section solely because (1) the carrier or provider transmitted, routed, stored, or provided connections for an information collection program through a system or network controlled or operated by or for the carrier or provider; or (2) of the intermediate and transient storage of such a program in the course of such transmission, routing, storing, or provision of connections."

The definitional section provides that the term software does not include cookies.

Implementation and Enforcement. The bill gives rulemaking and civil enforcement authority to the Federal Trade Commission (FTC). It provides that "the maximum civil penalty for a violation of this Act shall be one of the following amounts, as the Commission, in its discretion, applies to such a violation:
  (1) $33,000 for each violation, except that in applying this subparagraph each separate protected computer to which an information collection program is transmitted, or with respect to which such a program is enabled, in violation of this Act shall be treated as a separate violation.
  (2) In the case of a violation of (A) section 2(a), $3,000,000; and (B) section 3(a), $1,000,000, ..."

The bill preempts state laws that contain provisions similar to those contained in Sections 2 and 3. However, it does not preempt the applicability of state trespass, contract, or tort laws.

The bill requires the FTC to submit annual reports to Congress.

The bill sunsets on December 31, 2008.

The bill does not create a private right of action.