Two privacy rights groups urged California Governor Arnold Schwarzenegger
to veto an anti-spyware bill Thursday, saying it’s worse than no legislation at all.
The California-based Privacy Rights Clearinghouse and the World Privacy Forum said SB 1436, the Consumer Protection Against Computer Spyware Act, could act as a model for more bad laws.
According to the bill’s author, Sen. Kevin Murray (D-Los Angeles), SB 1436 makes it illegal to install spyware on someone’s computer without first giving notice. It requires software makers and Web site operators to disclose whether they put spyware on someone’s computer as well as describe what it does. The bill also sets forth a private right of action whereby a consumer could seek damages of $1,000 per incident and applicable attorney’s fees.
But the privacy groups told Schwarzenegger that the bill has several flaws.
First, and most important, the bill says that in order to trigger penalties, there must be an intent to deceive on the part of the companies installing the spyware. But terms such as “intent to deceive,” “intentionally deceptive,” and “intentionally misleading” are too difficult to prove.
“If a company is caught violating, it sets a higher standard for litigation on unfair and deceptive business practices than is enforceable,” said Pam Dixon, executive director of the World Privacy Forum. She said that in litigation, it’s almost impossible to prove intent.
The privacy advocates complained that the bill’s definition of spyware is too narrow, dealing with only a few types of spyware, while there are at least 1,000 known types. For example, Dixon said, the bill does not specifically name keystroke logging as a prohibited practice.
The definition of a virus is also too narrow, they complained. The bill
defines a virus as “software code that acts to degrade a computer’s performance and replicate itself.” But other viral actions harm computers without doing either.
“We are concerned that SB 1436, by dealing with only a few types of spyware, will enable the majority of spyware to continue to be disseminated legally,” their letter to Schwarzenegger said.
Finally, SB1436 is not based on the “fair information principles” of notice, consent, and purpose specification, as promulgated by the Organization for Economic Co-Operation and Development, an international organization to foster good government, as well as other principles such as collection limitation and access.
The bill was introduced to the California State Senate in February by Murray and co-authors Debra Bowen (D-Redondo Beach) and Gloria Romero (D-Los Angeles). It was amended nine times by the Senate and the Assembly before passing on August 26.
The privacy advocates said earlier versions of the bill did contain notice, consent, and purpose specifications, but that these — along with the emphasis on intention to deceive — were added at the last minute due to industry pressure.
Murray, the bill’s principal author, did not respond to several requests for comment.
The bill was opposed by the MSP Alliance, a trade organization for the managed services industry that includes as members AOL,
the California Chamber of Commerce and the California Cable and Telecommunications Association.
According to a letter the trade group sent to Lou Correa, the chair of the House Business & Professions Committee, the group felt that the bill would “create significant litigation risks for a broad range of interactive software programs that are not spyware, but that collect some form of personally identifiable information for beneficial purposes.”
The MSP said it feared that such righteous activities as protecting children from pornography, violent and racist content, digital rights management, fraud prevention and authenticating users could be seen as violations.
The group also argued that the bill would lead to extensive litigation over whether various companies’ notices were adequate.
A spokesperson for the MSP said that it was AOL that had initially opposed the bill, but following the amendments, the group has no problem with it.
But Bowen, one of the co-authors of SB 1436, does have problems with the amendments. In fact, she took her name off the bill.
“Why are we letting the spyware companies write the spyware laws?” Bowen said via e-mail. “Should the marketing companies be writing the junk fax and spam laws? Should the phone companies be writing the consumer protection laws?”
“The bill tries to ban the most common forms of spyware with the left hand, but then the right hand comes in and says the ban doesn’t apply unless the company used ‘intentionally deceptive’ means to ‘willfully’ install the spyware,” Bowen continued. “That’s ridiculous.”
Bowen, who has taken stands against the potential for invasion of consumers’ privacy via RFID technology and has authored several e-mail privacy bills, pointed out that the intent to deceive standard doesn’t apply to those who send junk faxes or record telephone conversations without warning, for example.
“It’s a giant step backwards for anyone who cares about their personal privacy because it effectively legalizes certain types of spyware,” Bowen said.
The Privacy Rights Clearinghouse and the World Privacy Forum said that because California is a bellwether state when it comes to consumer law, the bill might spawn others that were equally bad.
“Spyware is a devilishly difficult issue to legislate,” the privacy groups wrote to Schwarzenegger. “Rather than enact a bill that does not adequately address the problems inherent in spyware, and rather than implement a law that is virtually unenforceable, we urge you to veto this bill.”
The Governor’s Office declined comment on when Schwarzenegger would review the bill. The deadline for signing it into law is September 30, 1004.
Joanne McNabb, chief of the California Office of Privacy Protection, said her office still is reviewing the matter. The California Office of Privacy Protection is an organization within the state government’s Bureau of Consumer Affairs that is charged with promoting and protecting citizens’ privacy rights.