RealTime IT News

House Passes Anti-Spyware Bill

WASHINGTON -- The U.S. House of Representatives voted 399-1 Tuesday night to pass legislation prohibiting unfair or deceptive practices related to spyware. The bill, known as the Spy Act, also requires an opt-in, notice and consent regime for legal software that collects personally identifiable information from consumers.

Among the spyware practices prohibited by H.R. 2929 are phishing, keystroke logging, home page hijacking and ads that can't be closed except by shutting down a computer. Violators could face civil penalties of up to $3 million.

The legislation is the first of two anti-spyware measures before the House. On Wednesday, lawmakers are expected to approve the I-Spy Act (H.R. 4661), which provides for criminal penalties for many of the civil violations in the Spy Act. Similar legislation is pending in the Senate, but no vote has been scheduled.

If ultimately passed by the Senate and signed by President Bush, the legislation would pre-empt any state anti-spyware bills, such as the recent measure signed into law in California.

"It doesn't matter if you're a Republican or a Democrat, you don't like it when your computer gets hijacked. Right now, it's basically not illegal," said Rep. Joe Barton (R-Texas), chairman of the House Energy and Commerce Committee. "There's nobody in this country that's been impacted by spyware that thinks we shouldn't do anything. It's just insidious."

Although Congress plans to adjourn Friday, Barton said he remains hopeful the legislation can be sent to President Bush this week. "We want to get supporters in the Senate who are go-getters and we can try to make this happen this week," he said.

The bill passed Tuesday permits computer software providers to interact with a user's computer without notice and consent in order to determine whether the computer user is authorized to use the software upon initialization of the software or an update of the software.

Network monitoring is also exempted from the provisions of the notice and consent requirements of the bill to the extent that the monitoring is for network or security purposes, diagnostics, technical support or repair, or the detection or prevention of fraudulent activities. Cookies are also exempted if they are solely used to allow the user to access a website.

With those provisions in place, the Business Software Alliance, Dell, eBay, Microsoft, Time Warner, Yahoo and Earthlink all endorsed the legislation.

"Our legislation will prohibit many of the deceptive practices related to spyware and it will give the Federal Trade Commission enforcement authority," said Rep. John Dingell (D-Mich.), the ranking Democrat on the Energy and Commerce Committee. "It will also provide added protection to consumers by requiring legitimate companies that distribute spyware to get permission before putting it on a computer."

Dingell added, "Those using legitimate applications of spyware like law enforcement or national security would be exempt."

Spyware is often vaguely defined and often confused with adware, but generally refers to any software that covertly gathers user information through the user's Internet connection without his or her knowledge, sometimes for advertising purposes. Most forms of adware, by contrast, are installed with the user's knowledge.

For more than a year, consumer and privacy advocates have urged congressional action to provide consumers with greater disclosure about the programs that report back Internet traffic patterns to advertisers and generate unwanted pop-ups. The software can also slow a computer or network's performance.

Rep. Bono (R-CA) introduced the first anti-spyware bill in July of last year.

"Early on in the process, when I started talking about spyware to Congress, most members looked at me with complete blanks. I think they were very well aware of spam and what spam meant to our constituents, but spyware was pretty much unheard of," Bono said.

The Internet Spyware Prevention Act of 2004, scheduled for a Wednesday vote in the House, makes it a crime to intentionally access a computer without authorization or to intentionally exceed authorized access.

If the unauthorized intrusion is to further another federal crime such as secretly accessing personal data, the penalty is up to five years in prison. Deliberately injuring or defrauding a person or damaging a computer through the unauthorized installation of spyware carries prison terms of up to two years.

The legislation also authorizes $10 million for the Department of Justice to combat spyware and phishing scams, although the bill does not specifically make phishing a crime.