House Crime Subcommittee Approves Spyware Bill

May 1, 2007. The House Judiciary Committee's (HJC) Subcommittee on Crime, Terrorism, and Homeland Security held a hearing on HR 1525, the "Internet Spyware (I-SPY) Prevention Act of 2007". The Subcommittee then approved the bill by unanimous voice vote without amendment.

The full HJC is scheduled to hold a mark up session on Wednesday, May 2, at 10:15 AM. HR 1525 is the third of four bills on the agenda.

Rep. Zoe Lofgren (D-CA) introduced this bill on March 14, 2007. The original cosponsors are Rep. Bob Goodlatte (R-VA), Rep. Linda Sanchez (D-CA), Rep. Lamar Smith (R-TX), and Rep. Sheila Lee (D-TX).

Summary of HR 1525. This bill would amend the criminal code by adding a new section 1030A titled "Illicit indirect use of protected computers". 18 U.S.C. § 1030 is titled "Fraud and related activity in connection with computers".

The new § 1030A would contain two criminal prohibitions. First, the bill provides that "Whoever intentionally accesses a protected computer without authorization, or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and intentionally uses that program or code in furtherance of another Federal criminal offense shall be fined under this title or imprisoned not more than 5 years, or both."

Second, the bill provides that,

"Whoever intentionally accesses a protected computer without authorization, or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and by means of that program or code--
   (1) intentionally obtains, or transmits to another, personal information with the intent to defraud or injure a person or cause damage to a protected computer; or
   (2) intentionally impairs the security protection of the protected computer with the intent to defraud or injure a person or damage a protected computer;
shall be fined under this title or imprisoned not more than 2 years, or both."

Unlike § 1030, the new § 1030A that would be created by HR 1525 contains no language creating a private right of action. See, 18 U.S.C. § 1030(g). TLJ spoke with Rep. Lofgren after the markup. She stated that violations of federal criminal statutes generally give rise to private causes of action. In contrast, a staff member for a cosponsor of the bill told TLJ after the hearing that the bill would create no private right of action in U.S. District Court.

However, this bill does contain language that limits actions in state courts. It provides that "No person may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant's violating this section." Rep. Lofgren stated at the hearing that the purpose of this clause is to not create a "litigation bonanza in fifty states".

The bill would also authorize the appropriation of $10 Million per year to the Department of Justice (DOJ) "for prosecutions needed to discourage the use of spyware and the practices commonly called phishing and pharming".

Rep. Bob GoodlatteRep. Goodlatte (at right) explained the terms "phishing" and "pharming". He testified that "Phishing scams occur when criminals send fake e-mail messages to consumers on behalf of famous companies and request account information that is later used to conduct criminal activities."

Rep. Goodlatte said that "Pharming scams occur when hackers re-direct Internet traffic to fake sites in order to steal personal information such as credit card numbers, passwords and account information. This form of online fraud is particularly egregious because it is not as easily discernable by consumers. With pharming scams, innocent Internet users simply type the domain name into their web browsers, and the signal is re-routed to the devious website."

The bill would also create an exemption for law enforcement and intelligence activities of any federal or state agency. It provides that "This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States."

Finally, the bill enumerates several findings, and includes a "Sense of the Congress" that "the Department of Justice should use the amendments made by this Act, and all other available tools, vigorously to prosecute those who use spyware to commit crimes and those that conduct phishing and pharming scams."

Rep. Lofgren and Rep. Goodlatte testified as witnesses for HR 1525 at the hearing.

Rep. Goodlatte stated in his testimony that "the Internet will never reach its full potential until consumers feel safe to conduct transaction online. One enormous  hurdle to consumer confidence in the Internet is the purveyance of spyware. Unfortunately, similar types of software to what legitimate businesses use to deliver new and innovative services can also be used by bad actors to break into computers, steal personal information and commit identity theft and other crimes."

Rep. Zoe LofgrenRep. Lofgren (at left) testified that "The central feature of the Act is that it targets bad actors and bad behavior without unduly restricting innovation in the online universe." She added that "one of the greatest difficulties in solving the spyware problem is that many legitimate and beneficial tools for making a user's Internet experience more enjoyable and productive are technologically indistinguishable from spyware that is used to harm users and computers."

No members present at the hearing expressed opposition to the bill, or any part of it.

HR 964, the House Commerce Committee Bill. As in prior Congresses, there are two competing spyware related bills. On April 19, 2007, the House Commerce Committee's (HCC) Subcommittee on Commerce, Trade, and Consumer Protection amended and approved HR 964, the "Securely Protect Yourself Against Cyber Trespass Act", or SPY ACT. The Subcommittee approved a manager's amendment [4 pages in PDF] offered by Rep. Bobby Rush (D-IL) that makes 26 changes to HR 964 IH [31 pages in PDF] (as introduced on February 8, 2007).

First, the HCC prohibits deceptive acts or practices related to spyware. Second, it prohibits collection of certain information without notice and consent. It gives enforcement and rulemaking authority to the Federal Trade Commission (FTC). It also preempts certain state spyware related laws.

See, stories titled "House Subcommittee Approves SPY ACT" and "Summary of HR 964, the SPY ACT" in TLJ Daily E-Mail Alert No. 1,568, April 23, 2007.

TLJ spoke with Rep. Lofgren after the May 1, 2007, markup. She said that the HCC bill is "well intentioned", but a "real mistake in terms of approach". She said that the HJC bill does not "regulate technology".

Rep. Goodlatte testified at the hearing that the HCC bill takes "a much more regulatory approach", whereas the HJC bill is only directed at "intent" and "action", without "stifling technology on the internet".

Rep. Lofgren, who represents a Silicon Valley district, added that "the tech community ... much prefers this approach".

Bills in Prior Congresses. October 5, 2004, the House passed HR 2929 (108th Congress), also titled the "Securely Protect Yourself Against Cyber Trespass Act", or SPY ACT, on a roll call vote of 399-1. See, Roll Call No. 495. HR 2929 was the HCC's spyware bill, and a predecessor to the present bill, HR 964. However, the Senate did not approve HR 2929 (108th). See, story titled "House Passes First Spyware Bill" in TLJ Daily E-Mail Alert No. 991, October 6, 2004.

On January 4, 2005, Rep. Bono and Rep. Towns reintroduced their legislation as HR 29 (109th). This too was titled "Securely Protect Yourself Against Cyber Trespass Act", or SPY ACT.  See also, story titled "House to Vote on Spyware Bills" in TLJ Daily E-Mail Alert No. 1,140, May 23, 2005; story titled "House Commerce Committee Approves Spyware Bill" in TLJ Daily E-Mail Alert No. 1,092, March 10, 2005; story titled "House Subcommittee Marks Up Spyware Bill" in TLJ Daily E-Mail Alert No. 1,080, February 22, 2004; and story titled "House Commerce Committee Holds Hearing on Spyware Bill" in TLJ Daily E-Mail Alert No. 1,064, January 27, 2005. The House approved the bill on May 23, 2005, by a vote of 393-4. (Rep. Lofgren voted against.) See, Roll Call No. 201. However, the Senate did not approve it.

The predecessor of HR 1525 (110th) in the 109th Congress was HR 744 (109th), the "Internet Spyware (I-SPY) Prevention Act of 2005". See also, story titled "Rep. Goodlatte Reintroduces Criminal Spyware Bill" in TLJ Daily E-Mail Alert No. 1,075, February 11, 2005, and story titled "House to Vote on Spyware Bills" in TLJ Daily E-Mail Alert No. 1,140, May 23, 2005. The House approved the bill on May 23, 2005 by a vote of 395-1. See, Roll Call No. 200. However, the Senate did not approve it.

HR 744 (109th) was similar to HR 4661 (108th), titled the "Internet Spyware (I-SPY) Prevention Act of 2004". The full House approved HR 4661 by a vote of 415-0 on October 6, 2004. See, Roll Call No. 503 and story titled "House Approves Second Spyware Bill" in TLJ Daily E-Mail Alert No. 993, October 8, 2004.