LinuxInsider.com

INDUSTRY ANALYSIS
US Getting Serious on Spyware Laws

The new laws, if implemented, are a welcome tool to fight spyware and to set guidelines for what are appropriate activities as far as adware is concerned. However, as with most problems of an "e" nature, no new legislation will substitute for new technological measures and user education.


Governments at both the state and federal level in the U.S. are getting serious about addressing the void in the legal framework for fighting "spyware."

To begin with, we need to define the term "spyware," because it has been used to describe everything from keystroke loggers, to advertising applications that track a user's web browsing, to cookies and even to programs designed to help provide security patches directly to users.

Based on a comprehensive report released by the Center for Democracy and Technology (CDT) in November 2003, there are three main categories of "spyware."

The first category comprises keystroke loggers and screen capture utilities. Also called "snoopware," these applications are installed by a third party to capture the user's keystrokes and record periodic screen shots. This category of spyware has legal uses, as in limited situations of employee monitoring, and illegal uses.

Enforcement Action

The second category concerns "adware" and similar applications, which are installed covertly by piggybacking on unrelated applications and downloads, and which are resistant to being uninstalled. Instead of capturing keystrokes, these programs transmit information about the user or the user's computer back to a central location. They are the most problematic because they fall into a legal grey zone, depending on the facts of the particular program and the manner in which it is installed.

The third category involves legitimate applications that have faulty or weak user-privacy protections. According to the CDT report, the third category has been inappropriately labeled as "spyware" because it includes programs that, although featuring flawed user privacy protections, are based on legitimate business models.

Existing U.S. laws that can be used to fight "spyware" are:

  • The Electronic Communications Privacy Act (ECPA).
  • The Computer Fraud and Abuse Act.
  • Title 5 of the Federal Trade Commission Act, which allows the U.S. Federal Trade Commission to take action against unfair and deceptive trade practices.

These laws are inadequate in that they fail to cover some of the most common abuses and do not respond to the unique features of the technology. Accordingly, many legislators are rushing to introduce new laws to deal with this problem.

    Proposed Federal Legislation

    New proposed federal legislation, H.R. 2929, better known as the "Spy Act," was passed in the U.S. House of Representatives with a 399-1 vote on October 5. The Spy Act was introduced by Reps. Mary Bono (R-California) and Edolphus Towns (D-New York) in the summer of 2003, and its main objective is to protect Internet users against cybertrespassing -- namely security and privacy breaches -- brought about by spyware or adware.

    The Spy Act makes it unlawful for any non-owner or unauthorized user of a computer exclusively used by a financial institution or the U.S. government, or a computer used in interstate or foreign commerce or communication, to engage in subterfuge and misrepresentation by taking over control of, modifying or causing the modification of the computer's functionality and security systems in a number of undesired and harmful ways listed in the proposed legislation.

    The prohibition extends to collection by non-owners and unauthorized persons of users' "personally identifiable information."

    The Spy Act also makes it unlawful for a non-user of a computer to transmit information collection programs to a computer protected under the legislation, unless the program gives notice before executing its collection functions and specifies its functions, or unless the user has already given consent under a previous notification.

    Notice Requirements

    The required notice is to be clear, conspicuous and in plain language and:

    (i) state that if accepted, the program will collect personally identifiable information about the user and their computer use;

    (ii) state that the user has the choice to grant, deny, abandon or cancel the execution of the collection program;

    (iii) provide the user with an option to view a clear description of the types of collectible information plus the purposes for its intended use.

    A statement clearly identifying the collection program must accompany each display of a collected advertisement. The program must contain a disabling function that easily allows the user to remove or disable the program.

    If a user has consented and if there will be a material change in the way the collected information is to be used so that it is outside the purpose specified in the first notice, an additional notice must be sent to the user.

    California Measure

    The enforcement of the Spy Act is to fall under the authority of the FTC, with civil penalties of up to $3 million for each infraction.

    The Spy Act provides an exemption from liability for actions undertaken by law enforcement authorities in the performance of their official duties. The Spy Act also limits the liability of intermediaries, such as a telecommunications carrier or an Internet service provider.

    At the state level, on September 28, California Gov. Arnold Schwarzenegger signed into law state Sen. Kevin Murray's (D-LA) SB 1436, an addition to Division 8 of the California Business and Professions Code (the "Code") and called the "Consumer Protection Against Computer Spyware California Act".

    The California legislation bans unauthorized users from installing on computers owned by Californians any software that deceptively or surreptitiously takes control of the computer's functionality, modifies the computer's functionality and causes the computer's functionality to be modified. In addition, it bans software that also, by fraudulent means, enables "personally identifiable information" to be collected.

    Counter-Attack Intended

    The California legislation, like the federal Spy Act, aims to counter-attack computer security and privacy breaches. The California legislation also prohibits:

  • Unauthorized users from modifying computer Web page settings.
  • Collecting "personally identifiable information" through intentionally deceptive means (keystroke logging, Web site tracking, hard drive extraction of "personally identifiable information").
  • The unauthorized and automatic reinstallation or reactivation, through intentionally deceptive means, of software removed or disabled by an authorized user.
  • Intentional misrepresentations that authorized users' efforts to uninstall or disable software will be effective.
  • The rendering inoperative or the removal of, through intentionally deceptive means, security software installed on a computer.
  • Unauthorized users from inducing authorized users to install software by intentionally misrepresenting that the software is necessary for security, privacy or content accessibility purposes.

The new laws, if implemented, are a welcome tool in fighting spyware and setting guidelines as to what are appropriate activities as far as adware is concerned. However, as with most problems of an "e" nature, no new law will substitute for new technological measures and user education.


    Javad Heydary, an E-Commerce Times columnist, is a Toronto lawyer licensed to practice in both Ontario and New York and is the managing editor of Lawsof.com.

