Judiciary Committee Members Introduce Spyware Bill

June 23, 2004. Rep. Bob Goodlatte (R-VA), Rep. Zoe Lofgren (D-CA), and Rep. Lamar Smith (R-TX) introduced HR 4661 the "Internet Spyware (I-SPY) Prevention Act of 2004". It would add a new Section 1030A to the Criminal Code titled "Illicit indirect use of protected computers" to create two narrow criminal prohibitions related to some of the more egregious forms of spyware.

Rep. Bob GoodlatteThe bill was referred to the House Judiciary Committee. Rep. Smith is the Chairman of the Subcommittee on Courts, the Internet and Intellectual Property (CIIP). Rep. Goodlatte (at right) and Rep. Lofgren are also members of the CIIP Subcommittee.

Summary of HR 4661. It would add a new Section 1030A to the Criminal Code titled "Illicit indirect use of protected computers". Currently, 18 U.S.C. § 1030 is titled "Fraud and related activity in connection with computers".

This bill provides two prohibitions. First, it provides that "Whoever intentionally accesses a protected computer without authorization, or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and intentionally uses that program or code in furtherance of another Federal criminal offense shall be fined under this title or imprisoned 5 years, or both."

Second, it provides that "Whoever intentionally accesses a protected computer without authorization, or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and by means of that program or code---
   (1) intentionally obtains, or transmits to another, personal information with the intent to defraud or injure a person or cause damage to a protected computer; or
   (2) intentionally impairs the security protection of the protected computer;
shall be fined under this title or imprisoned not more than 2 years, or both."

The bill also includes a broad preemption of state laws that create a private right of action. However, it contains no provision that preempts actions by states or state attorneys general.

Finally, the bill contains a definitional section. The definitions of "protected computer" and "exceeds authorized access" for the purposes of interpretation of the new § 1030A would be the same as those currently in § 1030.

The definition of "personal information" includes a "first and last name", "home or other physical address", "electronic mail address", "telephone number", "Social Security number, tax identification number, drivers licence number, passport number, or any other government-issued identification number" and "a credit card or bank account number or any password or access code associated with a credit card or bank account".

However, this definition includes less information than does the definition of "personally identifying information" found in the House Commerce Committee bill, HR 2929. That bill also adds "Any access code or password ..."

Comparison to HR 2929. The House Commerce Committee (HCC) has already passed a different spyware bill. On June 24, the HCC amended and approved HR 2929, the "Safeguard Against Privacy Invasions Act" or "SPY Act" on a roll call vote of 45-4. See, story titled "House Commerce Committee Approves Spyware Bill" in TLJ Daily E-Mail Alert No. 926, June 25, 2004; and story titled "House Subcommittee Approves Spyware Bill" in TLJ Daily E-Mail Alert No. 922, June 21, 2004.

The two bills contain different provisions. The Commerce Committee bill only creates prohibitions that are civilly enforceable by the Federal Trade Commission (FTC). The Judiciary Committee bill only creates criminal prohibitions that are enforceable by Department of Justice (DOJ).

The Commerce Committee bill creates a long and broad list of prohibited activities. The Judiciary Committee bill contains only a few narrow prohibitions of some of the most egregious types of conduct.

The Judiciary Committee bill does not contain the broad prohibitions that some critics of the Judiciary Committee's bill assert might affect practices currently being followed by Microsoft, eBay, and Yahoo. In this perspective, the Judiciary Committee bill is a much more limited alternative to the Commerce Committee bill.

In another perspective, the two bills are complimentary. The Commerce Committee bill addresses consumer protection issues within the jurisdiction of that Committee, and the Judiciary Committee bill addresses criminal issues within the jurisdiction of that Committee. Members of each Committee are reluctant to put in their bills provisions that would also give the other Committee jurisdiction over their bills. The two bills could ultimately be combined.

Rep. Zoe LofgrenRep. Lofgren (at right) stated in a release that "Spyware is quickly becoming one of the biggest threats to consumers on the information superhighway. Among other things, criminals can use spyware to track every keystroke an individual makes, including credit card and social security numbers ... This bill is a good starting point to target the worst offenders while allowing legitimate applications to flourish."

Rep. Goodlatte stated in the same release that "By imposing criminal penalties on these bad actors, this legislation will help deter the use of spyware, and will thus help protect consumers from these aggressive attacks ... At the same time the legislation leaves the door open for innovative technology development to continue to combat spyware programs."