House Commerce Committee Approves Spyware Bill

March 9, 2005. The House Commerce Committee amended and approved HR 29, the "Securely Protect Yourself Against Cyber Trespass Act", or SPY ACT, by unanimous votes. This is Rep. Mary Bono's (R-CA) spyware bill.

The Committee approved one amendment [5 pages in PDF], offered by Rep. Cliff Stearns (R-FL), by unanimous voice vote. It then approved the bill, as amended, on a roll call vote of 43-0.

Rep. Joe Barton (R-TX), the Chairman of the full Committee, read an opening statement in which he said that "The amendment that will be offered today continues to strengthen the antifraud provisions of the bill by giving the FTC better enforcement tools against web-based phishing and evil-twin attacks."

He added that the bill has been revised "to take into account legitimate and benign business functions as well as standard functionalities of the Internet. The amendment does this while preserving meaningful consumer notice and consent. The amendment exempts HTML and Java to the extent they facilitate the ordinary construction of web pages without monitoring consumers' behavior outside of that website or gathering personally identifiable information about those consumers."

He also stated that "The amendment also requires the FTC to exempt embedded advertisements from the identity function of the bill while preserving notice and consent and continuing to require a disable function for the information collection program that facilitates the advertising."

Legislative History. Rep. Bono and others introduced HR 29 on January 4, 2005. The Committee held a hearing on January 26, 2005. See, story titled "House Commerce Committee Holds Hearing on Spyware Bill" in TLJ Daily E-Mail Alert No. 1,064, January 27, 2005.

The Subcommittee on Trade, Commerce and Consumer Protection amended and approved HR 29 on February 16, 2005. See, HR 29 as reported by the Subcommittee [28 pages in PDF], and story titled "House Subcommittee Marks Up Spyware Bill" in TLJ Daily E-Mail Alert No. 1,080, February 22, 2004.

HR 29 (109th Congress), as introduced, was substantially identical to HR 2929 (108th Congress), which was also titled the SPY ACT. The House approved that bill by a vote of 399-1 on October 5, 2004. See, Roll Call No. 495. See also, story titled "House Passes First Spyware Bill" and story titled "Summary of House Commerce Committee Spyware Bill" in TLJ Daily E-Mail Alert No. 991, October 6, 2004.

There is also related legislation that has been referred to the House Judiciary Committee. The House Commerce Committee has jurisdiction over consumer protection, while the House Judiciary Committee has jurisdiction over criminal matters.

On February 10, 2005, Rep. Bob Goodlatte (R-VA), Rep. Zoe Lofgren (D-CA), and others introduced HR 744, the "Internet Spyware (I-SPY) Prevention Act of 2005". See also, story titled "Rep. Goodlatte Reintroduces Criminal Spyware Bill" in TLJ Daily E-Mail Alert No. 1,075, February 11, 2005.

HR 744 is similar to HR 4661 (108th Congress), titled "Internet Spyware (I-SPY) Prevention Act of 2004". These bills add a new Section 1030A to the Criminal Code titled "Illicit indirect use of protected computers". The full House approved HR 4661 by a vote of 415-0 on October 6, 2004. See, Roll Call No. 503 and story titled "House Approves Second Spyware Bill" in TLJ Daily E-Mail Alert No. 993, October 8, 2004.

Summary of HR 29 As Amended. HR 29 contains two sets of prohibitions. First, § 2 prohibits deceptive acts or practices related to spyware. Second, § 3 prohibits collection of certain information without notice and consent.

§ 2 provides that "It is unlawful for any person, who is not the owner or authorized user of a protected computer, to engage in deceptive acts or practices that involve any of the following conduct with respect to the protected computer:"

§ 2 then lists deceptive acts or practices, including taking control of a computer, modifying settings related to a computer's access to the internet, collecting personally identifiable information through keystroke logging, and removing, disabling, or rendering inoperative a security, anti-spyware, or anti-virus technology.

§ 2 also prohibits "Inducing the owner or authorized user to provide personally identifiable, password, or account information to another person -- (A) by misrepresenting the identity of the person seeking the information; or (B) without the authority of the intended recipient of the information."

The bill as approved by the Subcommittee included nine categories of deceptive acts or practices. The amendment approved on March 9 adds a tenth. It prohibits "Inducing the owner or authorized user of the computer to disclose personally identifiable information by means of a Web page that (A) is substantially similar to a Web page established or provided by another person; and (B) misleads the owner or authorized user that such Web page is provided by such other person." Rep. Stearns stated at the hearing that the bill targets "the nefarious practice of evil twin attacks and web based phishing".

§ 3 prohibits the collection of certain information without notice and consent. It provides that "it is unlawful for any person (1) to transmit to a protected computer, which is not owned by such person and for which such person is not an authorized user, any information collection program, unless -- (A) such information collection program provides notice in accordance with subsection (c) before execution of any of the information collection functions of the program; and (B) such information collection program includes the functions required under subsection (d)".

It also provides that "it is unlawful for any person ... (2) to execute any information collection program installed on such a protected computer unless -- (A) before execution of any of the information collection functions of the program, the owner or an authorized user of the protected computer has consented to such execution pursuant to notice in accordance with subsection (c); and (B) such information collection program includes the functions required under subsection (d)."

§ 3 also requires that "each information collection program" must allow users to easily "remove the program or disable operation of the program".

§ 3 also requires that "each information collection program" must have an "identity function". That is, it requires that "each display of an advertisement directed or displayed using such information when the owner or authorized user is accessing a Web page or online location other than of the provider of the software is accompanied by the name of the information collection program, a logogram or trademark used for the exclusive purpose of identifying the program, or a statement or other information sufficient to clearly identify the program."

The amendment approved on March 9 rewrites the bill's definition of "information collection program". Rep. Stearns stated that it adds language that "allows companies to monitor activities on their web site, and direct advertising based upon that monitoring, without being subject to the notice and consent provisions" of § 3. He added that "it is the web based counterpart of handing you a coupon for promotional material in a store".

This amendment provides "Computer software that otherwise would be considered an information collection program ... shall not be considered such a program if--
  (A) the only information collected by the software regarding Web pages that are accessed using the computer is information regarding Web pages within a particular Web site;
  (B) such information collected is not sent to a person other than (i) the provider of the Web site accessed; or (ii) a party authorized to facilitate the display or functionality of Web pages within the Web site accessed; and
  (C) the only advertising delivered to or displayed on the computer using such information is advertising on Web pages within that particular Web site."

The bill also addresses embedded ads. It provides that the FTC "shall, by regulation, exempt from the applicability of subparagraph (A) the embedded display of any advertisement on a Web page that contemporaneously displays other information." The amendment changed the word "may" to "shall".

The amendment approved on March 9 also adds a definition of the term "web site". It provides that "The term 'web site' means a collection of Web pages that are presented and made available by means of the World Wide Web as a single Web site (or a single Web page so presented and made available), which Web pages have such characteristics in relation to each other as the Commission may prescribe, which may include--
  (A) a common domain name;
  (B) a common theme or topic;
  (C) common ownership, management, or registration; and
  (D) relationship to a common intended beginning file or home page or other means of accessing or linking the pages together."

The bill also instructs the Federal Trade Commission (FTC) to promulgate implementing regulations. The amendment approved on March 9 includes a "public interest" standard. It provides that "In exercising its authority to issue any regulation under this Act, the Commission shall determine that the regulation is consistent with the public interest and the purposes of this Act." The bill does not define the term "public interest". This item was included in the amendment at the request of Rep. John Dingell (D-MI).

Cookies. This bill regulates any "information collection program". This bill further provides that an "information collection program" is a "computer software". Moreover, the amendment approved by the Subcommittee on February 16 provides in the paragraph defining "computer software" that "This paragraph may not be construed to include, as computer software, a cookie or any other type of text or data file that solely may be read or transferred by a computer." That is, cookies are not covered by the bill. However, the bill does instruct the FTC to conduct a study of cookies.

Rep. Dingell, the ranking Democrat on the full Committee, discussed this topic at the meeting on March 9. He read a prepared statement. He said that "The problem is that not all spyware and adware is 'computer software.' For example, 'cookies' are not software and the rule of construction on page 25 of the bill makes clear that cookies are not covered. But concerns have been raised that this language is too broad and may create a loophole for all kinds of text or data files that act as spyware and adware. We have received information from Webroot Software and others that not all cookies are benign: 'tracking' or 'persistent' cookies are used to collect identifying information about the user. While section 8 of the bill requires the Federal Trade Commission to study this anomaly, at least with respect to cookies, we need to make sure that we are not creating dangerous loopholes that are inconsistent with the purposes of the legislation."

Rep. Dingell added that he does "have a few concerns that I trust will be addressed as we work on the Committee report and further refine the bill." He voted for the bill.

Other Criticism of the Bill. The House Commerce Committee has a tradition of building consensus, and seeking to present a unified front to the full House. Opponents of bills often do not publicly express their opposition.

Hence, it may be notable that several other members, while not voting against the bill, suggested that further revisions could be made before the bill is considered by the full House.

For example, Rep. Vito Fossella (R-NY) stated "the same technology that is used by, not only cheats and fraudulent individuals, but also, as has been stated, legitimate businesses, to bring the benefits of online commerce to citizens".

He continued that HR 29 "goes a long way to solving the spyware problem", but added that "I think it should be noted, however, that software that targets advertisers to consumers is not necessarily privacy threatening, and HR 29 should be carefully tailored to avoid including ... innovative non-privacy threatening technologies that deliver relevant information to consumers on their desktops."

"So, our responsibility then is that the legislation targets the bad actors" and "does not pick winners and losers, especially those legitimate businesses that provide the same service in a different software format, particularly privacy protective software", concluded Rep. Fossella.