Spyware legislation in the United States

Note: This article has been archived and is no longer maintained.

A variety of legislative efforts are underway at both the state and federal levels to address the problem of spyware. This FAQ provides links to sources concerning both enacted and pending legislation and our thoughts on the state-of-play.

While users of Mac OS X have been relatively untouched by spyware, we continue to see the Mac as a potential target for both malware and spyware, as discussed in our "Detecting and avoiding malware and spyware" FAQ. Accordingly, we recommend Mac users take appropriate precautions. It's no secret that security-related updates continue to be published for Mac OS X, indicating that potentially harmful exploits may still be found in the OS. While many Mac users regard malware and spyware as a PC problem, we believe taking the precautions recommended in our FAQ is simply common sense.

These developments are also important for Mac users to follow as they could have a profound effect on the software industry if legislation proscribes specific technologies instead of "bad behaviors." While we expect a favorable outcome to the current legislative debates, it is important that Mac users in the U.S. let their elected representatives know their thoughts on this topic.

State legislation

The National Conference of State Legislatures reports that seven states have enacted legislation related to Internet spyware or adware (advertising-supported software). At least 28 states are considering such legislation in 2005.

A key concern with individual state legislation is that it will create an untenable patchwork of regulations making it difficult or impossible for legitimate software vendors and online businesses to operate.

Utah became the first state to pass anti-spyware legislation, the Spyware Control Act, effective 3 May 2004. Anita Ramasastry's article "Can Utah's New Anti-Spyware Law Work?" provides a review of the Utah law and a critique of criticism of this law by both industry and privacy advocates.

Benjamin Edelman maintains a comprehensive Web page summarizing State Spyware Legislation.

Federal legislation

Spyware has been on the radars of both the U.S. House of Representatives and the U.S. Senate for several years. A number of spyware-related bills have been introduced in both bodies of Congress, with some passed by the House. However, federal legislation providing a single, uniform, national standard has yet to be enacted. Concerns about identity theft and the emerging patchwork of state regulations — including the personal spyware experiences of members of Congress — have provided impetus to crafting federal anti-spyware legislation.

Spyware-related bills proposed in both the House and Senate at the time of this writing include:

  • H.R.29: The Securely Protect Yourself Against Cyber Trespass Act (SPY ACT).
    "To protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes."
  • H.R.744: The Internet Spyware (I-SPY) Prevention Act.
    "To amend title 18, United States Code, to discourage spyware, and for other purposes."
  • S.687: The Software Principles Yielding Better Levels of Consumer Knowledge Act (SPY BLOCK).
    "A bill to regulate the unauthorized installation of computer software, to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy, and for other purposes."
  • S.1004: The Enhanced Consumer Protection Against Spyware Act.
    "A bill to provide the Federal Trade Commission with the resources necessary to protect users of the Internet from the unfair and deceptive acts and practices associated with spyware, and for other purposes."

House legislation has been received by the Senate. H.R.29 has been referred to the Senate Committee on Commerce, Science, and Transportation. H.R.744 passed a review (PDF) by the House Judiciary Committee on 18 May 2005.

Recent spyware-related public hearings conducted by Congress include:

  • 2005.05.11: Senate Committee on Commerce, Science, and Transportation. Spyware. Video Transcript (Requires RealPlayer™). [1]
  • 2005.01.26: House Committee on Energy and Commerce. Combating Spyware: H.R. 29, the Spy Act. Transcript (1.2 MB PDF).
  • 2004.04.29: House Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection. Spyware: What You Don't Know Can Hurt You. Transcript (1 MB PDF).

FTC, industry, and public policy concerns

In both their 29 April 2004 testimony before the House and a public address on 5 November 2004, Commissioners with the U.S. Federal Trade Commission (FTC) expressed a variety of concerns with anti-spyware legislation. Specifically, the Commissioners stated that federal legislation is unnecessary, advocating spyware be fought with improved technology, industry self-regulation, consumer education, and the existing laws covering fraud and deceptive practices. Furthermore, the Commissioners are concerned that such legislation risks defining spyware either too broadly or too narrowly, inhibiting legitimate business or enabling others to skirt the law, respectively.

The positions of the Commissioners appear to be the result of a one-day public Spyware Workshop held on 19 April 2004. Despite the range of industry participants and public commentary, some believe that little arose from the meeting beyond detailing the scope of the spyware problem and outlining, in broad strokes, the approaches to addressing it noted above.

The FTC Commissioners' comments echo industry concerns that any federal legislation should focus on fraudulent and deceptive behaviors, rather than proscribing specific technologies. Vendors of anti-spyware technology are also seeking protection from lawsuits by other software firms in cases where the anti-spyware solution removes or disables another software-vendor's product.

Others, such as the Center for Democracy and Technology (CDT), while indicating support for some proposed anti-spyware legislation, such as the SPY ACT, believe the larger issue of Internet privacy must be addressed. They argue that this could provide a comprehensive approach to addressing both current and future threats, as opposed to legislation reacting to threats after they arise, such as the CAN-SPAM Act in response to e-mail spam and anti-spyware legislation as a response to spyware.

The state of play

Eric Howes' article "The FTC Spyware Workshop: One Year Later" provides a critical analysis of events since the FTC's Spyware Workshop. While a good analysis, we believe it underplays the progress being made at the federal level.

By Congressional standards, progress on anti-spyware legislation has been rapid. Bills, such as the SPY ACT championed by Congresswoman Mary Bono of California, have considerable momentum. A reading of the hearing transcripts cited above indicates that members of Congress have significant personal experience with the scourge of spyware, implying bipartisan support for such legislation should be readily obtained.

We believe there's a good chance that federal anti-spyware legislation will become law before the end of the current, 109th Congress, which will enter a "lame duck" session after the elections in November 2006. This will be a positive development if the legislation:

  • Strengthens existing laws.
  • Provides the FTC with the additional resources needed to prosecute purveyors of spyware.
  • Remains technology-neutral, i.e. proscribes "bad behaviors" instead of specific technologies.
  • Harmonizes various state laws, providing a level playing field for industry.

Of these points, perhaps the last two are most important for computer users and the industry. Consumer choice and continued innovation are critical to the value personal computing represents in our lives. Legislation should proscribe nefarious behaviors and protect consumers without inhibiting either innovation or legitimate business.

Likewise, technological neutrality should not be limited to Internet-based applications. For example, unlawful uses of standalone keystroke loggers should be proscribed. Such applications can be installed on computers and their logs accessed, all without the use of a network such as the Internet. [2]

The objections raised by FTC Commissioners may be addressed by providing additional funding to combat spyware. While the FTC is correct in that spyware is particularly difficult to fight and that "bad actors" will ignore any law, if additional funding will increase prosecutions and enforcement, then it will be money well spent. Reading between the lines of the FTC concerns, their issues with federal anti-spyware legislation may be based, in part, on their receiving additional responsibilities without the funding to meet them.

While the proposed bills for anti-spyware legislation address privacy concerns at a variety of levels, we think we're unlikely to see comprehensive Internet privacy legislation, such as envisioned by the CDT, for some time, if ever.

One success story in the area of Internet privacy legislation is the Children's Online Privacy Protection Act of 1998 (COPPA), which stipulates strict rules on the collection of personal data from children under the age of 13. Unfortunately, other attempts at enacting comprehensive Internet privacy legislation have died on the vine:

  • Congressional interest in comprehensive Internet privacy legislation was sparked after the FTC published its May 2000 report Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress (PDF). However, bills such as S.2201 went nowhere. The only result we can detect from these activities is the now-common practice of Web sites posting privacy policies.
  • Bills introduced in 2005 -- such as H.R.84, H.R.1263, and S.116 -- appear to have been introduced in reaction to major incidents of security breaches resulting in massive losses of consumer data and the potential for such data to be used in identity theft. Only H.R.84 addresses the issue of online privacy, and only with respect to operators of Web sites and online services. In essence, the bill requires the FTC to develop COPPA-like protections for persons not covered by COPPA. While the protection of consumers' data is critical, these bills do not address the broad issues of "Internet privacy" writ large.

We plan to update this FAQ as additional information becomes available.

Related links

  • Center for Democracy and Technology (CDT), a non-profit public policy organization focused on the global Internet, maintains a Web page concerning their efforts related to spyware.
  • Mr. Benjamin Edelman maintains an excellent Web site focused on spyware research, testing, legislation, and suits.
  • The U.S. Federal Trade Commission (FTC) provides some consumer guidance on spyware and a broader collection of information and resources on consumer information security.
  • FindLaw® provides a variety of services, including legal news and commentary regarding spyware.
  • Tech Law Journal has followed spyware legislation as part of its comprehensive coverage of "legal, legislative, and regulatory issues affecting the computer, Internet, information, and communications industries." It offers a subscription to a daily e-mail alert on such issues. Archives of its e-mail alerts older than 60 days are freely available.

Notes

[1] The hearing begins at approximately 15:45 (15 minutes, 45 seconds) into the video file. Prior to this, the video displays a screen announcing the hearing. We believe this is because the recording of the video transcript begins before the hearing during the pre-hearing interval when viewers could join the streaming broadcast. Use the slider in your media player to scroll the video to the actual start of the hearing. The duration of the hearing is approximately 1.5 hours.

[2] An example of the lawful use of a standalone keystroke logger might be for a parent to install such software on a child's computer to monitor their activities. An example of an unlawful use would be to install such software on a public-access Internet terminal in order to illegally obtain passwords, credit card numbers, or similar data.
