Reading the news, one might think the encroaching patchwork of state anti-spyware laws and the proliferation of high-profile cases against surreptitious spyware distributors could finally prompt Congress to take action on spyware in 2006.
But a closer look reveals that states, Congress and the Federal Trade Commission have not yet reached a consensus on what spyware is and how best to address enforcement. State anti-spyware laws, such as those in California and Texas, protect different groups of computer users, define spyware violations differently, and impose dissimilar remedies and enforcement mechanisms. As of this writing, competing U.S. House and Senate spyware bills are crafted differently than state laws and do not agree with one another on activities included as spyware violations, provisions for notice to computer owners, and penalties. Further, House and Senate versions do not uniformly provide for express pre-emption. Moreover, the shortened term of an election year makes it less certain that Congress will tackle spyware legislation. At the same time, the FTC has successfully brought several spyware cases, without specific federal legislation, and recent statements make it clear that the FTC is seeking, at most, the authority from Congress to pursue civil penalties in spyware cases.
These factors strongly suggest that even if Congress does act on spyware this year, the legislation is likely to offer an incomplete solution to computer users and, for legitimate online behavioral advertisers, to leave substantial litigation questions unaddressed.
California's Protection for Consumers
California's Consumer Protection Against Computer Spyware Act, 2004 Cal. Legis. Serv. Ch. 843 (Business And Professions Code Section 22947-22947.6) (California Spyware Act), enacted Jan. 1, 2005, has been criticized for lacking provisions for notice-and-consent and enforcement mechanisms. The law is aimed at preventing distribution of spyware onto the computers of consumers in California and conducting a variety of activities that are intentionally deceptive. A consumer is defined as an individual who uses the computer primarily for personal, family, or household purposes. As a result, California's anti-spyware protections do not extend to computers used by businesses.
The California Spyware Act makes it illegal for anyone to install software that modifies settings, collects personal information or takes control of the computer to send commercial emails or viruses. Specifically, the act prohibits anyone other than an authorized user of a California resident's computer from causing computer software to be copied onto that computer and using the software in a way that is intentionally deceptive to: a) modify the home page, search engine or bookmark settings; b) collect personally identifiable information, including through recording keystrokes and Web site visits; c) prevent unauthorized blocking of a consumer's reasonable efforts to block the installation or disable the software; d) misrepresent that the software is uninstalled or disabled, when it is not; or e) remove, disable or render inoperative any security, anti-spyware or anti-virus software installed on the computer.
The California Spyware Act further prohibits anyone other than an authorized user of a California resident's computer from willfully causing computer software to be copied onto that computer and using that software to take control of the computer to: a) initiate commercial email or computer viruses; b) damage another's computer; c) open advertisements that can't be closed without turning off the computer or turning off the Internet browser; d) modify the security settings for the purpose of stealing the information or causing damage to computers; or e) prevent the user from blocking the installation of or disabling software.
Another part of the California Spyware Act prohibits anyone other than an authorized user from: 1) inducing a consumer to install software on a computer by misrepresenting that the software is necessary for security or privacy reasons, or to open, view or play a particular content; or 2) deceptively copying or executing software on a computer to cause the consumer to violate the act. The act contains a broad exemption for network service providers conducting monitoring, security, or fraud detection activities.
Despite the extensive range of spyware activities contemplated under California's Spyware Act, critics of the law argue that its requirement for willful or intentionally deceptive actions sets a high bar for a consumer to show an intentional misrepresentation or complete lack of notice. Further, while initial drafts of the law provided for enforcement and penalties, such provisions were stripped from the final versions of the bill. Instead, the California Spyware Act is enforceable under the provisions of California's Unfair Competition Law. During 2005, California's Senate considered amendments to the Spyware Act that would have added civil penalties and enforcement provisions.
The Texas Approach
Texas' Consumer Protection and Computer Spyware Act, Tex. Bus. & Com. Code §48.001 et seq. (Vernon Supp. 2005) (Texas Spyware Act), which came into effect on Sept. 1, 2005, is aimed at preventing copying of spyware onto any computer, which – unlike its California counterpart – may be used by a consumer or business. The Texas law preserves a broad exemption similar to California for service providers carrying out network, security and system management activities. The Texas Spyware Act further exempts certain copying by video programming services defined under federal law.
Spyware violations under the Texas law have important differences relative to California's law. As an example, the Texas law does not target unauthorized relay of commercial e-mail or using another's computer to launch a denial of service attack. In addition, the Texas statute provides for two methods of violation that the California statute does not. The Texas Spyware Act expressly prohibits a party from changing the name or location of computer software to prevent the computer owner from locating and removing the software. The Texas law also finds a violation where a person creates a randomized or intentionally deceptive file name or folder to avoid detection and prevent removal of the software. Notably, both of these unique provisions of the Texas statute figure prominently as allegations against Sony BMG in Texas v. Sony BMG Entertainment, LLC, recently filed by the Texas Attorney General.
Standing and remedies under the Texas Spyware Act are also substantially different than under California law. The Texas law expressly provides that only certain private parties and the Texas attorney general may seek injunctive relief and/or damages for spyware violations. Owners and operators of computers, or “consumers” under the California law, lack express standing under the statute. Private parties who may bring actions include software providers, owners of web pages or trademarks, telecommunications carriers, cable operators, and ISPs, if they are adversely affected by a spyware violation.
For parties with standing, the Texas Spyware Act provides express damages with considerable punch. In addition to injunctive relief, private parties may obtain actual damages or $100,000 for “each violation of the same nature,” which the same section defines as consisting of “the same course of conduct or action,” a definition that could arguably limit availability of statutory damages where the same spyware violation occurred a multitude of times. Actual damages may be trebled in the event that violations have occurred with a frequency that a court finds constitutes a pattern or practice. Private parties are also entitled to attorney's fees and costs.
The Texas statute provides an independent basis for the Texas attorney general to pursue civil penalties and injunctive relief. In addition to temporary restraining orders and injunctive relief, a violator may be liable to the state for a civil penalty not to exceed $100,000 per violation, an event not constrained by “the same course of conduct or action” language applicable to remedies of private parties. The attorney general is also permitted to recover costs and fees of obtaining injunctive relief and penalties.
Can Congress Complete Its Work in 2006?
As the second session of the 109th Congress convenes, the House and Senate have an opportunity to intensify anti-spyware efforts begun during the first session, although with the 2006 election year, members will want to adjourn by October, thus compressing the window for legislative action. The U.S. House passed two complementary spyware bills in May 2005. The first bill, the Internet Spyware Prevention Act of 2005, H.R. 744, known as I-SPY, would amend the Computer Fraud and Abuse Act, 18 U.S.C. §1030, to set jail terms of up to 5 years for unauthorized installation of computer code on a protected computer where another federal crime is committed. A “protected computer” is defined as one used by the U.S. government, a financial institution or used in interstate commerce. I-SPY also would criminalize unauthorized installation where personal information is obtained or computer security impaired with intent to defraud or damage. I-SPY contains an express pre-emption clause but its range of spyware activities defined as violations is arguably narrow. I-SPY vests enforcement authority in the Department of Justice.
The second spyware bill passed by the House in 2005 would introduce prohibitions for a detailed list of spyware activities. The bill, H.R. 29, known as the Spy Act, targets keystroke logging, taking over a computer without the permission of the owner and diverting a Web browser, in addition to other violations. The bill also provides relatively detailed requirements for clear and conspicuous notice and consent in the case of information gathering programs – although its exceptions have been criticized for lack of clarity and providing troubling loopholes. The Spy Act's prohibitions apply to any “protected computer,” with language identical to I-SPY, but the bill lacks reference to the Computer Fraud and Abuse Act, leaving the phrase “protected computer” undefined. Despite its apparent reach, particularly in introducing a notice-and-consent regime, the Spy Act lacks an express pre-emption clause. The House's Spy Act provides for enforcement by the FTC with fines of up to $3 million.
The Senate has an anti-spyware bill of its own under consideration. Called the Spy Block Act, S. 687 was approved by the Senate Commerce Committee in 2005 but did not come up for a vote before the full Senate. The Spy Block Act would prohibit surreptitious software installation without authorization, misleading inducement to install software and prevention of reasonable efforts to uninstall as well as other practices. Spy Block would also introduce a federal notice requirement in the case of information collection software. Although its “clear and conspicuous” notice provision is less detailed than the House's I-SPY bill, it may offer fewer loopholes. The Senate's version provides for FTC enforcement but lacks civil penalties. The Spy Block Act may be brought to a vote before the full Senate early in 2006.
Bills pending in the House and Senate would likely need to be revised in view of issues raised late in 2005 by Sony's Rootkit copy-protection software and the associated end-user license agreement (EULA). Further, none of the proposed federal legislation confers enforcement rights on states' attorneys general or private parties, both of which have been actively bringing anti-spyware cases.
Does the FTC Have Enough Authority Already?
While states have been busy with their own anti-spyware experiments and Congress has searched for a response, the FTC has sent a consistent message that new federal anti-spyware legislation is not necessary and may be counterproductive. At most, the agency has sought specific civil penalties and enhanced ability to investigate and prosecute spyware distributors located abroad.
In March 2005, the FTC issued a staff report concluding that existing federal statutory authority was sufficient to tackle and prosecute spyware problems. Entitled “Monitoring Software on Your PC: Spyware, Adware, and Other Software,” the report summarized findings from the FTC's April 2004 spyware workshop. In addition, the report noted that under Section 5 of the FTC Act, the Commission could challenge misrepresentations or half-truths by spyware distributors, or where fine print disclosures were buried deep in lengthy license agreements. Similarly, in the FTC's Oct. 5, 2005 written statement before the U.S. Senate's Commerce Committee, the Commission stopped well short of requesting specific anti-spyware legislation, asserting only that it required authority to seek civil penalties and an easing of the ability to share information with foreign law enforcement.
Moreover, the Commission stepped up anti-spyware litigation under existing federal law in 2005. These cases provide some support for the FTC's conclusion that it can target deceptive spyware distribution practices under the broad language of the FTC Act, at least in regard to the particular activities alleged. For example, in FTC v. Seismic Entertainment, FTC File No. 042 3125, the facts concerned a straightforward “drive-by” download, which installed software without even the pretense of obtaining consent. The Seismic Entertainment defendants exploited a known vulnerability in the Internet Explorer Web browser to surreptitiously download spyware to users' computers.
In other instances, the FTC's actions brought pursuant to the FTC Act's Section 5 have targeted a lack of “clear and conspicuous” disclosure in a manner analogous to pending bills in the House and Senate. In one case, FTC v. Odysseus Marketing, Inc., FTC File No. 042 3205, the Commission alleged that the software distributor failed to disclose to consumers that a free program for anonymous use of peer-to-peer file sharing programs would install other, harmful software on consumers' computers. In the Advertising.com, Inc. case, FTC File No. 042-3196, the facts involved installation of a free security application bundled with information collecting software that was easily triggered without viewing a EULA that provided disclosures. Similarly, in the Enternet Media, Inc. case, FTC File No. 052 3135, the respondents allegedly offered free security and music software, disguised as products from Microsoft, but failed to clearly and conspicuously disclose to consumers that it was bundled with software that traced consumers' internet browsing, force-fed them pop-up advertising, and impaired computer performance. All signs are that the FTC intends to continue to rely on the FTC Act to prosecute cases in the spyware arena as well as to push for consumer education on the problem of spyware.
Conclusion
The very different approaches taken by states, Congress and the FTC as well as continued developments such as Sony's copy-protection software mean that computer users are unlikely to receive comprehensive Congressional action on spyware in 2006. At the same time, legitimate online behavioral advertisers would be wise to pay attention to developments in all three spheres.