Oh, oh. In case you haven't noticed, there's a very familiar pattern to current legislative activity regarding anti-spyware laws. It's very reminiscent of where Congress was last year at this time on anti-spam legislation, and that ultimately led to the disastrous Can Spam Act. Are we soon to see the enactment of the "Yes, You Can Spy Act" as well?
The parallels with the situation that created the Can Spam Act are downright scary. Just as there was an all too justifiable hue-and-cry last year about spam, the politicians are now keenly feeling the need to do something about the spyware plague. The states are passing strong laws that might actually be effective, a trend that marketing and technology lobbyists are telling Congress is a bad, bad thing that requires pre-emption by federal law. And while everyone agrees that the things the worst offenders are doing are already highly illegal, for some reason our national lawmakers think the answer is to concentrate enforcement powers in an already overwhelmed Federal Trade Commission.
New spyware laws aren't needed for the homepage hijackers, keystroke loggers, etc. that already clearly constitute violations of the Computer Fraud and Abuse Act and many other laws. The one category of offenders that legislators could address is the We're-Adware-Not-Spyware vendors like Gator (now calling itself Claria) and WhenU. As we know, these companies hide the true nature of their software deep in their sneakwrap licenses, allowing them to claim they have "consent" from users who, of course, have no idea they are "agreeing" to have a torrent of pop-up ads take over their computer. This supposed consent makes it hard for the many victims who try to sue them, not to mention law enforcement agencies, to hold these companies responsible for the very considerable damage they are doing to the Internet.
Unquestionably, devising a fair law that can fight sneakwrap-sanctioned spyware is no easy task, but what appears at the very least to be a valiant attempt is the recently-enacted Utah spyware law. The best proof of that is WhenU's lawsuit seeking to overturn the law because it would keep them from doing business in the state. (Sadly, last week WhenU was granted a temporary injunction delaying enforcement of the Utah law.) And, just as California's tough anti-spam law suddenly put Can Spam on a fast track to enactment last year, Utah's anti-spyware law seems to have galvanized Congress into action.
H.R. 2929, currently called the Spy Act, is moving through the House so fast it's hard to keep track of what it says. The version now headed to the House floor (after being approved by the same House committee that approved what became Can Spam) does at least have a requirement that the user be notified in plain English what the spyware/adware does. Unfortunately, it also very pointedly pre-empts the much stronger Utah law. Even worse is the fact that it leaves enforcement solely to the FTC, even though FTC officials have made it clear they have neither the will nor the means to go after any but the most criminal offenders.
It's a good bet that, once the lobbyists are finished with it, the Spy Act will read more like the Sneakwrap-Sanctioned Spyware Protection Act. Software industry lobbyists are already attacking the law's rather mild notice-and-consent requirement as being too burdensome. In fact, organizations that have long championed the sneakwrap licensing approach now claim they are trying to save users from having to read too many notices. For example, the Business Software Alliance issued a statement saying the notices the bill mandates won't allow consumers to distinguish between legitimate vendors and the bad actors. "We are concerned that the 'one size fits all' notices approach will not help to inform consumers about how their personal information is being used, and will become just another screen to click 'I agree.'" BSA CEO Robert Holleyman said in the statement.
I can't begin to tell you how ironic it is for someone who watched UCITA's creation to hear the BSA argue that users should not be required to mindlessly click OK. (When you think about it, Gator and WhenU actually represent the very epitome of the UCITA-style transactions that BSA's lobbyists essentially authored.) But, of course, the software industry is less concerned about spyware here and more concerned that spyware laws not force them to clearly disclose their own terms and conditions. Since Congress isn't really consulting much of anyone else, we can be pretty certain they are going to get it wrong again.