New spyware legislation a mixed bag: "A comprehensive spyware bill recently cleared the House Energy & Commerce Committee's Subcommittee on Commerce, Trade, and Consumer Protection (it flows trippingly from the tongue, no?) and is busy stirring up controversy. Dubbed the "Securely Protect Yourself Against Cyber Trespass Act" (the SPY ACT Act), H.R. 964 would limit all sorts of spyware, but it also contains several important exceptions that lead the EFF to say that "the bill would actually make things worse."

The legislation prevents a broad array of activities: spambots, botnets, adware, home page hijacking, keystroke logging, disabling antispyware or antivirus technology, and grabbing a person's modem and dialing numbers in Antigua. The bill also requires increased notice and consent from software vendors who collect personal information.

This sounds like a big step forward, but the FTC already has much of this authority and in fact has been prosecuting spyware vendors for several years. The new bill does give the agency the early Christmas present that it wanted--civil penalties against spyware operators--but it doesn't really allow them to prosecute new kinds of cases.
Worries arise

It does do some things that are new, however. First, it preempts many state laws about "unfair or deceptive conduct with respect to computers" and says that only a state Attorney General or the FTC can bring cases under the SPY ACT. The law does not affect state laws about trespass, contract law, tort law, fraud, or consumer protection statutes as they relate to spyware.

Fred von Lohmann, a senior staff attorney for the EFF, said in a statement that "this is a terrible move" because "software and adware vendors are trying to quietly block consumer class actions that could target their misbehavior." The EFF believes, for instance, that it could not have brought suit against Sony BMG for the rootkit that was installed on many of the company's CDs if this law had been in place at the time. "If Congress is serious about enacting tough anti-spyware laws," von Lohmann continued, "it should create incentives that would encourage private citizens to pursue the bad guys."

The Center for Democracy and Technology, which testified before Congress on the bill last month, doesn't believe the bill is as bad as the EFF makes out, and in fact is "generally supportive" of the legislation. The CDT representative told Congress that "all of the state spyware cases have invoked state consumer protection laws," and noted that these laws would be left intact. What would change, though, is that state Attorneys General could not bring actions under specific state statutes against spyware; these would instead be replaced by the uniform federal standard. The CDT also notes that the FTC has been busy busting some of the biggest spyware vendors, but it has been unable to secure much in the way of financial penalties. The new civil penalty authority should give the agency the power to seek fines against companies, not just "disgorgements" of improperly earned revenue.

(Read Original Article - Via Law & Disorder Section - Ars Technica.)