WASHINGTON — The U.S. House of Representatives voted 399-1 Tuesday night to
pass legislation prohibiting unfair or deceptive practices related to
spyware. The bill, known as the Spy Act, also requires an opt-in, notice and
consent regime for legal software that collects personally identifiable
information from consumers.
Among the spyware practices prohibited by H.R. 2929 are phishing, keystroke
logging, home page hijacking and ads that can’t be closed except by shutting
down a computer. Violators could face civil penalties of up to $3 million.
The legislation is the first of two anti-spyware measures before the House. On
Wednesday, lawmakers are expected to approve the I-Spy Act (H.R. 4661),
which provides for criminal penalties for many of the civil violations in
the Spy Act. Similar legislation is pending in the Senate, but no vote has
been scheduled.
If ultimately passed by the Senate and signed by President Bush, the
legislation would pre-empt any state anti-spyware bills, such as the recent
measure signed into law in California.
“It doesn’t matter if you’re a Republican or a Democrat, you don’t like it
when your computer gets hijacked. Right now, it’s basically not illegal,”
said Rep. Joe Barton (R-Texas), chairman of the House Energy and Commerce
Committee. “There’s nobody in this country that’s been impacted by spyware
that thinks we shouldn’t do anything. It’s just insidious.”
Although Congress plans to adjourn Friday, Barton said he remains hopeful
the legislation can be sent to President Bush this week. “We want to get
supporters in the Senate who are go-getters and we can try to make this
happen this week,” he said.
The bill passed Tuesday permits computer software providers to interact with
a user’s computer without notice and consent in order to determine whether
the computer user is authorized to use the software upon initialization of
the software or an update of the software.
Network monitoring is also exempted from the provisions of the notice and
consent requirements of the bill to the extent that the monitoring is for
network or security purposes, diagnostics, technical support or repair, or
the detection or prevention of fraudulent activities. Cookies are also
exempted if they are solely used to allow the user to access a website.
With those provisions in place, the Business Software Alliance, Dell, eBay,
Microsoft, Time Warner, Yahoo and Earthlink all endorsed the legislation.
“Our legislation will prohibit many of the deceptive practices related to
spyware and it will give the Federal Trade Commission enforcement
authority,” said Rep. John Dingell (D-Mich.), the ranking Democrat on the
Energy and Commerce Committee. “It will also provide added protection to
consumers by requiring legitimate companies that distribute spyware to get
permission before putting it on a computer.”
Dingell added, “Those using legitimate applications of spyware like law
enforcement or national security would be exempt.”
Spyware is often vaguely defined and often confused with adware, but
generally refers to any software that covertly gathers user information
through the user’s Internet connection without his or her knowledge,
sometimes for advertising purposes. Most forms of adware, by contrast, are
installed with the user’s knowledge.
For more than a year, consumer and privacy advocates have urged
congressional action to provide consumers with greater disclosure about the
programs that report back Internet traffic patterns to advertisers and
generate unwanted pop-ups. The software can also slow a computer or
network’s performance.
Rep. Bono (R-CA) introduced the first anti-spyware bill in July of last
year.
“Early on in the process, when I started talking about spyware to
Congress, most members looked at me with complete blanks. I think they were
very well aware of spam and what spam meant to our constituents, but spyware
was pretty much unheard of,” Bono said.
The Internet Spyware Prevention Act of 2004, scheduled for a Wednesday vote
in the House, makes it a crime to intentionally access a computer without
authorization or to intentionally exceed authorized access.
If the unauthorized intrusion is to further another federal crime such as
secretly accessing personal data, the penalty is up to five years in prison.
Deliberately injuring or defrauding a person or damaging a computer through
the unauthorized installation of spyware carry prison terms of up to two
years.
The legislation also authorizes $10 million for the Department of Justice to
combat spyware and phishing scams, although the bill does not specifically
make phishing a crime.