House Commerce Committee Holds Hearing on Spyware Bill

January 26, 2005. The House Commerce Committee held a hearing titled "Combating Spyware: HR 29, the SPY Act". Witnesses expressed support for, or did not oppose, the bill. No members of the Committee criticized or expressed opposition to the bill. Rep. Joe Barton (R-TX), the Chairman, stated that the full Committee will mark up the bill, probably in a few weeks. Said Barton, "this is on the fast track".

Rep. Mary Bono (R-CA) and others introduced HR 29, the "Securely Protect Yourself Against Cyber Trespass Act", or SPY Act, on January 4, 2005. It is substantially identical to the bill that the House, but not the Senate, approved late last year.

The House approved HR 2929, also titled the SPY ACT, by a vote of 399-1 on October 5, 2004. See, Roll Call No. 495. HR 2929 was the House Commerce Committee's spyware bill. HR 29 (109th Congress), like HR 2929 (108th Congress) prohibit certain conduct with respect to spyware, and gives the FTC civil enforcement authority. See also, story titled "House Passes First Spyware Bill" and story titled "Summary of House Commerce Committee Spyware Bill" in TLJ Daily E-Mail Alert No. 991, October 6, 2004.

The House approved HR 4661 (108th Congress), the "Internet Spyware (I-SPY) Prevention Act of 2004", by a vote of 415-0 on October 6, 2004. See, Roll Call No. 503. This was the House Judiciary Committee's bill. It amends Title 18 to provide criminal penalties for certain conduct related to spyware. See, story titled "House Approves Second Spyware Bill" in TLJ Daily E-Mail Alert No. 993, October 8, 2004.

HR 29 contains two sets of prohibitions. First, Section 2 prohibits deceptive acts or practices related to spyware. Second, Section 3 prohibits collection of certain information without notice and consent.

Industry witnesses at the hearing suggested the Section 3 could use some revision.

Prohibition of Deceptive Acts or Practices. Section 2 provides that "It is unlawful for any person, who is not the owner or authorized user of a protected computer, to engage in deceptive acts or practices that involve any of the following conduct with respect to the protected computer:"

Section 2 then enumerates nine categories of such deceptive acts or practices, including taking control of a computer, modifying settings related to a computer's access to the internet, collecting personally identifiable information through keystroke logging, and removing, disabling, or rendering inoperative a security, anti-spyware, or anti-virus technology.

Section 2 also prohibits "Inducing the owner or authorized user to provide personally identifiable, password, or account information to another person -- (A) by misrepresenting the identity of the person seeking the information; or (B) without the authority of the intended recipient of the information." This might be characterized as an anti-phishing, rather than anti-spyware, provision. This language was revised by the manager's amendment.

Prohibition of Collection of Certain Information Without Notice and Consent. Section 3 prohibits the collection of certain information without notice and consent. It provides that "it is unlawful for any person (1) to transmit to a protected computer, which is not owned by such person and for which such person is not an authorized user, any information collection program, unless -- (A) such information collection program provides notice in accordance with subsection (c) before execution of any of the information collection functions of the program; and (B) such information collection program includes the functions required under subsection (d)". It also provides that "it is unlawful for any person ... (2) to execute any information collection program installed on such a protected computer unless -- (A) before execution of any of the information collection functions of the program, the owner or an authorized user of the protected computer has consented to such execution pursuant to notice in accordance with subsection (c); and (B) such information collection program includes the functions required under subsection (d)."

Section 3 also requires that "each information collection program" must allow users to easily "remove the program or disable operation of the program".

Section 3 also requires that "each information collection program" must have an "identity function". That is, it requires that "each display of an advertisement directed or displayed using such information when the owner or authorized user is accessing a Web page or online location other than of the provider of the software is accompanied by the name of the information collection program, a logogram or trademark used for the exclusive purpose of identifying the program, or a statement or other information sufficient to clearly identify the program."

Exemptions and Limitations on Liability. Sections 3 and 5 of the bill include exemptions and limitations on liability.

First, Section 3 provides that "A telecommunications carrier, a provider of information service or interactive computer service, a cable operator, or a provider of transmission capability shall not be liable under this section to the extent that the carrier, operator, or provider -- (1) transmits, routes, hosts, stores, or provides connections for an information collection program through a system or network controlled or operated by or for the carrier, operator, or provider; or (2) provides an information location tool, such as a directory, index, reference, pointer, or hypertext link, through which the owner or user of a protected computer locates an information collection program."

Second, Section 5 contains a very broad law enforcement exemption. It provides that "Sections 2 and 3 of this Act shall not apply to (1) any act taken by a law enforcement agent in the performance of official duties".

Third, it contains a network security exemption. Section 5(b) now provides that "(1) any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service, to the extent that such monitoring or interaction is for network or computer security purposes, diagnostics, technical support, or repair, or for the detection or prevention of fraudulent activities; or (2) a discrete interaction with a protected computer by a provider of computer software solely to determine whether the user of the computer is authorized to use such software, that occurs upon -- (A) initialization of the software; or (B) an affirmative request by the owner or authorized user for an update of, addition to, or technical service for, the software."

Fourth, it contains a limitation on liability for certain providers of software or interactive computer services that attempt to remove programs that violate Sections 2 or 3.

Finally, the bill exempts programs that are installed as of the effective date of the bill.

Enforcement and Preemption. The bill gives rulemaking and civil enforcement authority to the Federal Trade Commission (FTC). It also allows the FTC to issue advisory opinions, and requires the FTC to submit annual reports to the Congress.

The bill preempts state laws that contain provisions similar to those contains in Sections 2 and 3. However, it does not preempt the applicability of state trespass, contract, or tort laws.

No members of the Committee criticized the bill. However, a few raised specific sections of the bill. Both Rep. Nathan Deal (R-GA) and Rep. John Shadegg (R-AZ) discussed the preemption language. They are concerned that states not be overly restricted in bringing actions against distributors of spyware.

Statements by Committee Members. Rep. Barton, Rep. Cliff Stearns (R-FL), the Chairman of the Subcommittee on Commerce, Trade and Consumer Protection, and Rep. Janice Schakowsky (D-IL), the ranking Democrat on the Subcommittee, all praised the bill.

Rep. John Dingell (D-MI), the ranking Democrat on the full Committee, was not present. Nor is he currently a cosponsor. Rep. Bono, the lead sponsor of HR 2929 and HR 29, did not attend the hearing, due to illness.

Rep. Anna Eshoo (D-CA), who criticized an earlier version of the bill last summer, stated that she supports the bill as it is currently written.

Rep. Ted Strickland (D-OH), who cast a no vote in committee last summer, attended this hearing. He did not express criticism of the bill. However, he did ask the witnesses whether this bill will deter innovation in e-commerce.

Rep. Bart Stupak (D-MI) also voted against HR 2929 last summer. He attended this hearing, but said nothing.

Rep. Joe BartonRep. Barton (at right) also spoke with reporters after the hearing. He said that the Committee still needs to get written comments, digest those, and perhaps make some minor technical changes. There will then be no subcommittee markup. "We will go straight to full Committee", said Rep. Barton, "very quickly".

He said that "We think that the bill, as is, would be good public law. But, we drafted our bill so that it is strictly within our jurisdiction." That is, the House Judiciary Committee has jurisdiction over criminal penalties. He added that "We have got a good relationship with Mr. Sensenbrenner, and Mr. Goodlatte, and Mr. Coble, and Mr. Smith and others."

He also compared the House bill to legislation in the Senate. "We certainly think that our approach is the preferable approach. We have got a lot of broader based support. We have worked a lot harder to work with the various stakeholders." Barton said that "The House is ahead of the Senate on where the country is on this bill, on this issue."

He also said that "The chances in the Senate are excellent. I have talked to Sen. Burns. I have talked to Sen. McCain. I have talked to Sen. Wyden. I have talked to Sen. Dodd. They are all very interested in moving a bill."

"Sen. Burns, especially, has told me that he is going to make this a priority. Sen. Wyden is very supportive too."

Rep. Barton said that at this hearing "We didn't get anything today that is a show stopper issue." Any changes made to the bill before markup will be "kind of second and third degree liability issues, and things like that, not anything major". He added that "What we are talking about are really definitional issues, and clarification. ... There is no primary issue that is outstanding."

Barton concluded that last year "This bill passed 399 to 1. And nobody has been complaining that it passed. This is a bill that you will see the President signing sometime this year, or a version of this. I am not saying this specific bill. A bill dealing with this issue will be on the President's desk sometime this year."

Witness Testimony. The Committee heard testimony from Ari Schwartz (Center for Democracy and Technology), Ira Rubenstein (Microsoft), David Baker (Earthlink), and Howard Schmidt (R&H Security Consulting).

Schwartz stated in his prepared testimony [12 pages in PDF] that "H.R. 29 marks a substantial step forward in addressing many of the concerns of consumer groups and companies. CDT is generally supportive of the current bill. In particular, we strongly endorse the idea of raising penalties on and calling specific attention to the worst types of deceptive software practices online. CDT is less enthusiastic about the specific notice and consent requirements on adware and information collection programs, because of the definitional difficulties in crafting such a regime narrowly targeted at certain classes of software. We look forward to continuing to work with the Committee to help improve these element of the bill."

Baker stated that "we appear here today in support of the efforts of Congresswoman Bono, her cosponsors adn this Committee to re-introduce this year's H.R. 29 the SPY ACT. Prohibiting the installation of software with a user's consent, requiring uninstall capability, establishing requirements for transmission pursuant to license agreements, and requiring notices for collection of personally identifiable information, intent to advertise and modification of user settings are all steps that will empower consumers and keep them in control of their computers and their online experience."

Rubenstein said that spyware is a problem, but that anti-spyware tools are helping consumers. He also said that public education, enforcement of existing laws, and industry standards are also important elements in addressing the problem of combating spyware.

He said that federal legislation can be an effective complement to these other items. He did, however, express several general concerns about legislative proposals, which he says are addressed in the present bill.

During questioning, Rubenstein added that he is concerned that the Congress not create safe harbors for certain practices. That is, if a certain spyware related practice or application is not prohibited under the bill, this should not provide a safe harbor for the distributor against efforts by others to block it.

More Information. The CDT's Ari Schwartz stated to reporters after the hearing that the Congress has already passed, or is considering, a large number of technology specific privacy bills, covering telephone service, cable service, satellites, video cassettes (but not DVDs), spam, spyware, radio frequency identification, and other technologies. He said that rather than proceeding technology by technology, the Congress should enact one comprehensive privacy bill that addresses what is collected, and how it is used.

Mike Zaneis, of the U.S. Chamber of Commerce, spoke after the hearing with TLJ. He stated that the U.S. Chamber is comfortable with this spyware bill. However, he added that the U.S. Chamber remains concerned about the cookie language, and the damages liability language, and hopes that these sections will be revised before final passage in the House.

For examples of criticism of this bill, see story titled "Cato Panel Criticizes Spyware Bills" in TLJ Daily E-Mail Alert No. 1,013, November 8, 2005.