Our Little Rant by Eightball & Thundercloud
From InfoAve Premium Issue #52
The Spy Act
On October 5, 2004, the U.S.
Congress passed the "Spy Act" in an attempt to stop the pandemic of spyware and
adware. (The entire contents of this act are included after this article so you can read
the entire H.R. 2929 "The Spy Act" for yourself).
There are so many holes in this
piece of legislation that it will have virtually no effect on most of the spyware/adware
which inundates the Internet today. It might have been in Congress's best interest
to have actually talked to people who know what spyware/adware programs are and asked for
their input before writing such a glaringly inadequate law.
Only the worst of the worst
spyware developers could be prosecuted under the provisions of the Spy Act. Those
surreptitious companies that give notice of intent to potential users in long EULAs filled
with a long litany of provisions and sub-provisions will escape punishment. Indeed they
will continue to flourish and prosper. And these kinds of programs are the most prevalent
and most widely installed of all.
This law offers protection only
from the worst kinds of spyware software: the keyloggers, the "dialers", and the
home page/search engine hijackers and mega-popup toolbars. It won't touch those companies
who entice unsuspecting users with free smileys, free screen savers, or other free and
seemingly fun or useful programs. "Automatic updates" are never clearly defined
and programs which install third party programs which may be adware or spyware are painted
with a broad brush of unclear and confusing language.
This law doesn't include your
Internet Protocol address (IP address) under its definition of "personally
identifiable information". Yet, you can be identified by your IP address. This law
makes no provision for information you voluntarily give to a company, like your name,
address, and email address, even if such information, voluntarily given, is used for
purposes for which it was not intended.
In short, this law will do little
to stop the proliferation of spyware and adware. In fact, this law may make spyware even
more of a menace than it already is. We may see EULAs grow longer and more convoluted and
the flood gates open to allow a whole new breed of spyware and adware to thrive in the gray
areas created by the loopholes and ambiguities of this law.
We think this law is so nebulous
it creates a window of opportunity for "legalized" spyware and adware. And, we
don't think that was the intent of Congress. We think our lawmakers have let us down
once again.
That's our opinion. Read the bill
for yourself and tell us what you think! Please
108th CONGRESS
2d Session
H. R. 2929
AN ACT
To protect users of the Internet from unknowing
transmission of their personally identifiable information through spyware programs, and
for other purposes.
SECTION 1. SHORT TITLE.
This Act may be cited as the `Securely Protect Yourself
Against Cyber Trespass Act' or the `SPY ACT'.
SEC. 2. PROHIBITION OF DECEPTIVE ACTS OR PRACTICES
RELATING TO SPYWARE.
(a) Prohibition- It is unlawful for any person, who is not
the owner or authorized user of a protected computer, to engage in deceptive acts or
practices that involve any of the following conduct with respect to the protected
computer:
(ii) away from the site the user intended to view, to one
or more other Web pages, such that the user is prevented from viewing the content at the
intended Web page, unless such diverting is otherwise authorized;
(C) accessing or using the modem, or Internet connection or
service, for the computer and thereby causing damage to the computer or causing the owner
or authorized user to incur unauthorized financial charges;
(4) Inducing the owner or authorized user to install a
computer software component onto the computer, or preventing reasonable efforts to block
the installation or execution of, or to disable, a computer software component by--
(A) presenting the owner or authorized user with an option
to decline installation of a software component such that, when the option is selected by
the owner or authorized user, the installation nevertheless proceeds; or
(5) Misrepresenting that installing a separate software
component or providing log-in and password information is necessary for security or
privacy reasons, or that installing a separate software component is necessary to open,
view, or play a particular type of content.
(8) Removing, disabling, or rendering inoperative a
security, anti-spyware, or anti-virus technology installed on the computer.
(b) Guidance- The Commission shall issue guidance regarding
compliance with and violations of this section. This subsection shall take effect upon the
date of the enactment of this Act.
(c) Effective Date- Except as provided in subsection (b),
this section shall take effect upon the expiration of the 6-month period that begins on
the date of the enactment of this Act.
SEC. 3. PROHIBITION OF COLLECTION OF CERTAIN INFORMATION
WITHOUT NOTICE AND CONSENT.
(a) OPT-IN REQUIREMENT- Except as provided in subsection
(e), it is unlawful for any person--
(1) to transmit to a protected computer, which is not owned
by such person and for which such person is not an authorized user, any information
collection program, unless--
(b) Information Collection Program- For purposes of this
section, the term `information collection program' means computer software that--
(1) IN GENERAL- Notice in accordance with this subsection
with respect to an information collection program is clear and conspicuous notice in plain
language, set forth as the Commission shall provide, that meets all of the following
requirements:
(2) SINGLE NOTICE- The Commission shall provide that, in
the case in which multiple information collection programs are provided to the protected
computer together, or as part of a suite of functionally-related software, the notice
requirements of paragraphs (1)(A) and (2)(A) of subsection (a) may be met by providing,
before execution of any of the information collection functions of the programs, clear and
conspicuous notice in plain language in accordance with paragraph (1) of this subsection
by means of a single notice that applies to all such information collection programs,
except that such notice shall provide the option under subparagraph (D) of paragraph (1)
of this subsection with respect to each such information collection program.
(B) SUBSEQUENT NOTICE- The person who transmitted the
program shall provide another notice in accordance with this subsection and obtain consent
before such program may be used to collect or send information of a type or for a purpose
that is materially different from, and outside the scope of, the type or purpose set forth
in the initial or any previous notice.
(d) Required Functions- The functions required under this
subsection to be included in an information collection program that executes any
information collection functions with respect to a protected computer are as follows:
(2) IDENTITY FUNCTION- With respect only to an information
collection program that uses information collected in the manner described in paragraph
(1)(B)(ii) or (2)(B) of subsection (b), a function of the program that provides that each
display of an advertisement directed or displayed using such information when the owner or
authorized user is accessing a Web page or online location other than of the provider of
the software is accompanied by the name of the information collection program, a logogram
or trademark used for the exclusive purpose of identifying the program, or a statement or
other information sufficient to clearly identify the program.
(e) Limitation on Liability- A telecommunications carrier,
a provider of information service or interactive computer service, a cable operator, or a
provider of transmission capability shall not be liable under this section to the extent
that the carrier, operator, or provider--
(1) transmits, routes, hosts, stores, or provides
connections for an information collection program through a system or network controlled
or operated by or for the carrier, operator, or provider; or
(2) provides an information location tool, such as a
directory, index, reference, pointer, or hypertext link, through which the owner or user
of a protected computer locates an information collection program.
SEC. 4. ENFORCEMENT.
(a) Unfair or Deceptive Act or Practice- This Act shall be
enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
A violation of any provision of this Act or of a regulation issued under this Act
committed with actual knowledge or knowledge fairly implied on the basis of objective
circumstances that such act is unfair or deceptive or violates this Act shall be treated
as an unfair or deceptive act or practice violating a rule promulgated under section 18 of
the Federal Trade Commission Act (15 U.S.C. 57a).
(1) IN GENERAL- Notwithstanding subsection (a) and the
Federal Trade Commission Act, in the case of a person who engages in a pattern or practice
that violates section 2 or 3, the Commission may, in its discretion, seek a civil penalty
for such pattern or practice of violations in an amount, as determined by the Commission,
of not more than--
(c) Exclusiveness of Remedies- The remedies in this section
(including remedies available to the Commission under the Federal Trade Commission Act)
are the exclusive remedies for violations of this Act.
(d) Effective Date- This section shall take effect on the
date of the enactment of this Act, but only to the extent that this section applies to
violations of section 2(a).
SEC. 5. LIMITATIONS.
(2) the transmission or execution of an information
collection program in compliance with a law enforcement, investigatory, national security,
or regulatory agency or department of the United States or any State in response to a
request or demand made under authority granted to that agency or department, including a
warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant,
a court order, or other lawful process.
(1) any monitoring of, or interaction with, a subscriber's
Internet or other network connection or service, or a protected computer, by a
telecommunications carrier, cable operator, computer hardware or software provider, or
provider of information service or interactive computer service, to the extent that such
monitoring or interaction is for network or computer security purposes, diagnostics,
technical support, or repair, or for the detection or prevention of fraudulent activities;
or
(B) an affirmative request by the owner or authorized user
for an update of, addition to, or technical service for, the software.
(c) Good Samaritan Protection- No provider of computer
software or of interactive computer service may be held liable under this Act on account
of any action voluntarily taken, or service provided, in good faith to remove or disable a
program used to violate section 2 or 3 that is installed on a computer of a customer of
such provider, if such provider notifies the customer and obtains the consent of the
customer before undertaking such action or providing such service.
(d) Limitation on Liability- A manufacturer or retailer of
computer equipment shall not be liable under this Act to the extent that the manufacturer
or retailer is providing third party branded software that is installed on the equipment
the manufacturer or retailer is manufacturing or selling.
SEC. 6. EFFECT ON OTHER LAWS.
(b) Preservation of FTC Authority- Nothing in this Act may
be construed in any way to limit or affect the Commission's authority under any other
provision of law, including the authority to issue advisory opinions (under Part 1 of
Volume 16 of the Code of Federal Regulations), policy statements, or guidance regarding
this Act.
SEC. 7. ANNUAL FTC REPORT.
For the 12-month period that begins upon the effective date
under section 11(a) and for each 12-month period thereafter, the Commission shall submit a
report to the Congress that--
(1) specifies the number and types of actions taken during
such period to enforce sections 2(a) and 3, the disposition of each such action, any
penalties levied in connection with such actions, and any penalties collected in
connection with such actions; and
Each report under this subsection for a 12-month period
shall be submitted not later than 90 days after the expiration of such period.
SEC. 8. FTC REPORT ON COOKIES.
(a) In General- Not later than the expiration of the
6-month period that begins on the date of the enactment of this Act, the Commission shall
submit a report to the Congress regarding the use of tracking cookies in the delivery or
display of advertising to the owners and users of computers. The report shall examine and
describe the methods by which such tracking cookies and the websites that place them on
computers function separately and together, and the extent to which they are covered or
affected by this Act. The report may include such recommendations as the Commission
considers necessary and appropriate, including treatment of tracking cookies under this
Act or other laws.
(b) DEFINITION- For purposes of this section, the term
`tracking cookie' means a cookie or similar text or data file used alone or in conjunction
with one or more websites to transmit or convey personally identifiable information of a
computer owner or user, or information regarding Web pages accessed by the owner or user,
to a party other than the intended recipient, for the purpose of--
SEC. 9. REGULATIONS.
(a) In General- The Commission shall issue the regulations
required by this Act not later than the expiration of the 6-month period beginning on the
date of the enactment of this Act. Any regulations issued pursuant to this Act shall be
issued in accordance with section 553 of title 5, United States Code.
SEC. 10. DEFINITIONS.
(2) COLLECT- The term `collect', when used with respect to
information and for purposes only of section 3, does not include obtaining of the
information by a party who is intended by the owner or authorized user of a protected
computer to receive the information pursuant to the owner or authorized user--
(i) a cookie or other text or data file that is placed on
the computer system of a user by an Internet service provider, interactive computer
service, or Internet website to return information to such provider, service, or website;
or
(ii) computer software that is placed on the computer
system of a user by an Internet service provider, interactive computer service, or
Internet website solely to enable the user subsequently to use such provider or service or
to access such website.
(8) DISABLE- The term `disable' means, with respect to an
information collection program, to permanently prevent such program from executing any of
the functions described in section 3(b) that such program is otherwise capable of
executing (including by removing, deleting, or disabling the program), unless the owner or
operator of a protected computer takes a subsequent affirmative action to enable the
execution of such functions.
(9) INFORMATION COLLECTION FUNCTIONS- The term `information
collection functions' means, with respect to an information collection program, the
functions of the program described in subsection (b) of section 3.
(12) INTERNET- The term `Internet' means collectively the
myriad of computer and telecommunications facilities, including equipment and operating
software, which comprise the interconnected world-wide network of networks that employ the
Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols
to such protocol, to communicate information of all kinds by wire or radio.
(ii) A home or other physical address of an individual,
including street name, name of a city or town, and zip code.
(v) A social security number, tax identification number,
passport number, driver's license number, or any other government-issued identification
number.
(vii) Any access code, password, or account number, other
than an access code or password transmitted by an owner or authorized user of a protected
computer to the intended recipient to register for, or log onto, a Web page or other
Internet service or a network connection or service of a subscriber that is protected by
an access code or password.
(viii) Date of birth, birth certificate number, or place of
birth of an individual, except in the case of a date of birth transmitted or collected for
the purpose of compliance with the law.
(B) RULEMAKING- The Commission may, by regulation, add to
the types of information specified under paragraph (1) that shall be considered personally
identifiable information for purposes of this Act, except that such information may not
include any record of aggregate data that does not identify particular persons, particular
computers, particular users of computers, or particular email addresses or other locations
of computers with respect to the Internet.
(14) SUITE OF FUNCTIONALLY RELATED SOFTWARE- The term
`suite of functionally related software' means a group of computer software programs
distributed to an end user by a single provider, which programs are necessary to enable
features or functionalities of an integrated service offered by the provider.
(17) WEB PAGE- The term `Web page' means a location, with
respect to the World Wide Web, that has a single Uniform Resource Locator or another
single location with respect to the Internet, as the Federal Trade Commission may
prescribe.
SEC. 11. APPLICABILITY AND SUNSET.
(a) Effective Date- Except as specifically provided
otherwise in this Act, this Act shall take effect upon the expiration of the 12-month
period that begins on the date of the enactment of this Act.
(b) Applicability- Section 3 shall not apply to an
information collection program installed on a protected computer before the effective date
under subsection (a) of this section.
(c) Sunset- This Act shall not apply after December 31,
2009.
Passed the House of Representatives October 5, 2004.
Attest:
Clerk.
END
All content is copyright ©2004 by Cloudeight Internet LLC (all rights reserved)