Here we go again. Congress has decided it needs to protect us from spyware, but - surprise, surprise - the bill they are most seriously considering actually offers no help in that regard. What's worse, the bill seems designed to make it harder for you to legally go after those who spy on you, particularly if they are doing so to determine if you're authorized to use a software product.
Last week a subcommittee of the House Committee on Energy and Commerce approved H.R. 964, the Spy Act, which bans some of the more blatant forms of spyware such as those that hijack computer or log keystrokes. The bill now goes to the full committee for approval, and it's expected to move quickly as it has strong bipartisan support.
But why? There are already plenty of federal and state laws regarding computer fraud, trespass, and deceptive trade practices that make spyware illegal. The existing laws have been sufficient to allow the FTC and/or state attorneys general to even successfully go after some of the nastier adware companies like Direct Revenue and Zango/180 Solutions. So what is the purpose of this law?
A clue can be found in the Limitations section of the Act, which features this rather broad exception:
Exception Relating to Security- Nothing in this Act shall apply to--
(1) any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service, to the extent that such monitoring or interaction is for network or computer security purposes, diagnostics, technical support, or repair, or for the detection or prevention of fraudulent activities; or
(2) a discrete interaction with a protected computer by a provider of computer software solely to determine whether the user of the computer is authorized to use such software, that occurs upon -- (A) initialization of the software; or (B) an affirmative request by the owner or authorized user for an update of, addition to, or technical service for, the software.
In other words, it's perfectly OK for basically any vendor you do business with, or maybe thinks you do business with them for that matter, to use any of the deceptive practices the bill prohibits to load spyware on your computer. The company doesn't have to give you notice and it can collect whatever information it thinks necessary to make sure there's no funny business going on. And by the way, another exception provision specifically protects computer manufacturers from any liability for spyware they load on your computer before they send it to you. Of course, the exception for software companies checking to make sure you're an authorized user is the strongest evidence of what this bill is all about. After all, in terms of function, there's not much difference between spyware and DRM. Too bad for Sony this bill wasn't already the law when its rootkit-infected CDs came to light.
Another disturbing aspect of the bill is its enforcement provisions. The bill very specifically pre-empts all state laws that regulate "unfair or deceptive conduct" similar to that covered by the Spy Act. Now, the state spyware laws are pretty useless anyway, so that may not seem like a big problem. But the bill vests all enforcement power in the FTC and says that "no person other than the Attorney General of a State may bring a civil action" under the law. Private rights of action under state consumer protection laws are eliminated. So if you're victimized by a spyware-like deception and want to sue the perpetrator, you've got to talk the FTC or your state attorney general into taking up your case.
Let's sum up. If the Spy Act become law, hardware, software, and network vendors will be granted carte blanche to use spyware themselves to police their customers' use of their products and services. Incredibly broad exceptions will probably allow even the worst of the adware outfits to operate with legal cover. State attempts to deal with the spyware problem will be pre-empted and enforcement left up almost entirely to the FTC. Gee, what's not to like in that deal?
If Congress' approach on this sounds vaguely familiar, it should. It's basically the same formula Congress adopted four years to deal with spam. As we know, the dreadful Can Spam Act of 2003 proved to be the "Yes, You Can Spam Act." If wiser heads in Congress don't prevail - and who knows if there are any - I fear the Spy Act of 2007 will just prove to be the "Vendors Can Spy Act."