Spyware legislation in the United States
Note: This article has been archived and is no longer maintained.
A variety of legislative efforts are underway at both the state and federal levels to address the problem of spyware. This FAQ provides links to sources concerning both enacted and pending legislation and our thoughts on the state-of-play.
While users of Mac OS X have been relatively untouched by spyware, we continue to see the Mac as a potential target for both malware and spyware, as discussed in our "Detecting and avoiding malware and spyware" FAQ. Accordingly, we recommend Mac users take appropriate precautions. It's no secret that security-related updates continue to be published for Mac OS X, indicating that potentially harmful exploits may still be found in the OS. While many Mac users regard malware and spyware as a PC problem, we believe taking the precautions recommended in our FAQ is simply common sense.
These developments are also important for Mac users to follow as they could have a profound effect on the software industry if legislation proscribes specific technologies instead of "bad behaviors." While we expect a favorable outcome to the current legislative debates, it is important that Mac users in the U.S. let their elected representatives know their thoughts on this topic.
The National Conference of State Legislatures reports that seven states have enacted legislation related to Internet spyware or adware (advertising-supported software). At least 28 states are considering such legislation in 2005.
A key concern with individual state legislation is that it will create an untenable patchwork of regulations making it difficult or impossible for legitimate software vendors and online businesses to operate.
Utah became the first state to pass anti-spyware legislation, the Spyware Control Act, effective 3 May 2004. Anita Ramasastry's article "Can Utah's New Anti-Spyware Law Work?" provides a review of the Utah law and a critique of the criticism of this law from both industry and privacy advocates.
Benjamin Edelman maintains a comprehensive Web page summarizing State Spyware Legislation.
Spyware has been on the radars of both the U.S. House of Representatives and the U.S. Senate for several years. A number of spyware-related bills have been introduced in both bodies of Congress, with some passed by the House. However, federal legislation providing a single, uniform, national standard has yet to be enacted. Concerns about identity theft and the emerging patchwork of state regulations, along with the personal spyware experiences of members of Congress, have provided impetus for crafting federal anti-spyware legislation.
Spyware-related bills proposed in both the House and Senate at the time of this writing include:
House legislation has been received by the Senate. H.R.29 has been referred to the Senate Committee on Commerce, Science, and Transportation. H.R.744 passed a review (PDF) by the House Judiciary Committee on 18 May 2005.
Recent spyware-related public hearings conducted by Congress include:
FTC, industry, and public policy concerns
In both their 29 April 2004 testimony before the House and a public address on 5 November 2004, Commissioners with the U.S. Federal Trade Commission (FTC) expressed a variety of concerns with anti-spyware legislation. Specifically, the Commissioners stated that federal legislation is unnecessary, advocating spyware be fought with improved technology, industry self-regulation, consumer education, and the existing laws covering fraud and deceptive practices. Furthermore, the Commissioners are concerned that such legislation risks defining spyware either too broadly or too narrowly, inhibiting legitimate business or enabling others to skirt the law, respectively.
The positions of the Commissioners appear to be the result of a one-day public Spyware Workshop held on 19 April 2004. Despite the range of industry participants and public commentary, some believe that little arose from the meeting beyond detailing the scope of the spyware problem and outlining the broad strokes for addressing it noted above.
The FTC Commissioners' comments echo industry concerns that any federal legislation should focus on fraudulent and deceptive behaviors, rather than proscribing specific technologies. Vendors of anti-spyware technology are also seeking protection from lawsuits by other software firms in cases where the anti-spyware solution removes or disables another software vendor's product.
Others, such as the Center for Democracy and Technology (CDT), while indicating support for some proposed anti-spyware legislation, such as the SPY ACT, believe the larger issue of Internet privacy must be addressed. They argue that this could provide a comprehensive approach to addressing both current and future threats, as opposed to legislation reacting to threats after they arise, such as the CAN-SPAM Act in response to e-mail spam and anti-spyware legislation as a response to spyware.
The state of play
Eric Howes' article "The FTC Spyware Workshop: One Year Later" provides a critical analysis of events since the FTC's Spyware Workshop. While a good analysis, we believe it underplays the progress being made at the federal level.
By Congressional standards, progress on anti-spyware legislation has been rapid. Bills, such as the SPY ACT championed by Congresswoman Mary Bono of California, have considerable momentum. A reading of the hearing transcripts cited above indicates that members of Congress have significant personal experience with the scourge of spyware, implying bipartisan support for such legislation should be readily obtained.
We believe there's a good chance that federal anti-spyware legislation will become law before the end of the current, 109th Congress, which will enter a "lame duck" session after the elections in November 2006. This will be a positive development if the legislation:
Of these points, perhaps the last two are most important for computer users and the industry. Consumer choice and continued innovation are critical to the value personal computing represents in our lives. Legislation should proscribe nefarious behaviors and protect consumers without inhibiting either innovation or legitimate business.
Likewise, technological neutrality should not be limited to Internet-based applications. For example, unlawful uses of standalone keystroke loggers should be proscribed. Such applications can be installed on computers and their logs accessed, all without the use of a network such as the Internet. 
The objections raised by FTC Commissioners may be addressed by providing additional funding to combat spyware. While the FTC is correct in that spyware is particularly difficult to fight and that "bad actors" will ignore any law, if additional funding will increase prosecutions and enforcement, then it will be money well spent. Reading between the lines of the FTC concerns, their issues with federal anti-spyware legislation may be based, in part, on their receiving additional responsibilities without the funding to meet them.
While the proposed bills for anti-spyware legislation address privacy concerns at a variety of levels, we think we're unlikely to see comprehensive Internet privacy legislation, such as that envisioned by the CDT, for some time, if ever.
One success story in the area of Internet privacy legislation is the Children's Online Privacy Protection Act of 1998 (COPPA), which stipulates strict rules on the collection of personal data from children under the age of 13. Unfortunately, other attempts at enacting comprehensive Internet privacy legislation have died on the vine:
We plan to update this FAQ as additional information becomes available.
 The hearing begins at approximately 15:45 (15 minutes, 45 seconds) into the video file. Prior to this, the video displays a screen announcing the hearing. We believe this is because the recording of the video transcript begins before the hearing during the pre-hearing interval when viewers could join the streaming broadcast. Use the slider in your media player to scroll the video to the actual start of the hearing. The duration of the hearing is approximately 1.5 hours.
 An example of the lawful use of a standalone keystroke logger might be for a parent to install such software on a child's computer to monitor their activities. An example of an unlawful use would be to install such software on a public-access Internet terminal in order to illegally obtain passwords, credit card numbers, or similar data.