H.R. 964: Another Misguided Spyware Bill
Last week a subcommittee of the House Committee on Energy and Commerce reported out H.R. 964, a.k.a. the "Securely Protect Yourself Against Cyber Trespass Act" or "SPY Act." This bill is the latest incarnation of misguided legislative language that has been resurfacing since 2003 (in 2005, it passed the House as H.R. 29).
Although badware (i.e., spyware, malware, and deceptive adware) is a serious problem for computer users, H.R. 964 is not likely to help. In fact, having been massaged by lobbyists for the software and adware industries, the bill would actually make things worse, insulating adware vendors from more stringent state laws and private lawsuits.
H.R. 964 combines a variety of redundant prohibitions on deceptive practices (Section 2) and ambiguous "notice" requirements (Section 3) with broad federal preemption of state laws (Section 6). In fact, you can essentially skip the first 15 pages of the bill -- the FTC already has the authority to police many, if not all, of the "unfair or deceptive acts or practices" prohibited therein. If anything, by creating a heightened intent requirement (Section 4(c)), this law could constrain the authority the FTC already possesses against badware vendors.
So these provisions are pure window dressing. Both the FTC and Department of Justice have said (see p. 21 of this 2005 FTC report) that they already have the enforcement authority they need. In just the last two years, the FTC has commenced 11 spyware enforcement actions, demonstrating that they've got the authority they need. Of course, more enforcement would be a good thing, but H.R. 964 allocates no new money for it. (There is one improvement tucked in Section 4 of the bill -- granting the FTC the power to seek civil penalties against those who violate the law.)
The federal preemption provisions (Section 6), meanwhile, trump most of the stricter state laws that might have been used to go after badware vendors. This is particularly disappointing, as state laws have opened a new front in the war on badware. A few categories of state laws are preserved, including trespass, contract, tort, and fraud laws. And, in an interesting twist, H.R. 964 preserves state consumer protection statutes, but only if the state's Attorney General is bringing the enforcement action.
Reading between the lines in Section 6, one thing becomes clear: this section is intended primarily to block the ability of private citizens to sue badware vendors under state laws. By consolidating all the enforcement authority against badware in the hands of the FTC and state Attorneys Generals, software and adware vendors are trying to quietly block consumer class actions that could target their misbehavior. For example, H.R. 964 would have made it impossible for EFF to use California's Business and Professions Code 17200 (which allows private citizens to sue for unfair and unlawful business practices) against Sony-BMG for its spyware-laden copy-protection software.
This is a terrible move. If Congress is serious about enacting tough anti-spyware laws, it should create incentives that would encourage private citizens to pursue the bad guys. The FTC and state AGs can't possibly take on the entire job alone.
And, perhaps most disappointingly, Congress dropped the ball on the most promising section of the statute, the "Good Samaritan" provision (Section 5(c)). The consumer's most important allies in the war on badware are the companies that make badware-removal tools. If Congress really wanted to do some good, it would protect these companies from legal harassment at the hands of the badware vendors. For example, Congress could give the good guys a legal shield with which to ward off bogus defamation, interference with contract, and DMCA claims brought by badware companies (something like the immunities that CDA 230 provides for companies that host the speech of others).
Instead, Congress crafted a "Good Samaritan" clause that only protects badware-removal tools from liability under the Spy Act itself -- something that these vendors likely don't need (it's hard to imagine the FTC going after Lavasoft, isn't it?).
Frankly, I think the testimony of Zango (formerly 180Solutions, a notorious adware vendor) before Congress tells you everything you need to know about H.R. 964: "Zango supports all provisions of H.R. 964 with the exception of subsection 5(c) [the Good Samaritan provision]."