June 15, 2005
Enhanced Consumer Protection Against Spyware Act of 2005 (S 1004)
The law has several substantive provisions, mostly revolving around a central provision making it illegal "to install through deceptive acts or practices software on protected computers." On its face, this is already illegal, but that is consistent with Allen's objective. As the bill says in the preamble:
"According to the Commission's statements to Congress, the vast majority of unfair or deceptive acts or practices involving spyware, such as deceptively asserting control over a consumer's computer and capturing keystroke information, are already unlawful under the Federal Trade Commission Act."
In support of this threshold prohibition, the bill provides some new consequences for the illegal behavior, such as giving the FTC the ability to treble damages, impose new sanctions for a "pattern or practice" of violations, and disgorge profits.
The bill contains a tough preemption clause that would wipe out a lot of state-based legislative initiative. Given the poor drafting and diversity of regulatory models at the state level, preemption would be a particularly good thing, and this law's preemption would clean out a lot of the junk. The law also minimizes private causes of action, another good thing.
A separate section of the bill adds some new criminal sanctions under a new 1030A, presumably enforced by the DOJ instead of the FTC. The first criminalizes unauthorized installation of software and using it to commit another federal offense, giving the DOJ another opportunity to charge-stack or pick the easiest conviction. This provision tracks the I-SPY Act passed by the House.
The second criminalizes installation of software and using it to impair a computer's security protections. The consequences of this provision are a little less clear to me; I think it would be great if this provision got tightened during review to make sure it does not create false positives. This provision does not track I-SPY, but (as I discuss below) chances are that it will just be added to I-SPY.
Finally, the law proposes to augment the FTC's budget by $10M/year to increase enforcement on the Internet.
I think this bill has a lot of promise. The bill is comparatively well-drafted and relatively surgical, compared to abominations like the SPY Act (which is neither). I think this bill might actually support, rather than destroy, user experience on the Internet, and therefore it has a lot more merit than its alternatives.
However, I'm not entirely clear what will happen to this bill and the others pending in the Senate. A typical compromise in this situation would be to smush this act into some other act (maybe the SPY Act/I-SPY Act as passed by the House, or perhaps one of the other pending Senate bills), instead of trying to undertake the harder effort of figuring out which policies would actually be the best. In my world, smushing this act into a lousy act won't cure the defects of a lousy act, so I'd much rather see the lousy act be trumped than preserved.
Another possibility is that the Allen bill will cause gridlock in the Senate. From my perspective, this wouldn't be a bad thing either--I think it would be fine to wait some more time before regulating hard-to-define "spyware." With the Senate embroiled in bigger controversies, it does remain a possibility that the Senate won't act on any of the proposals in time.
Posted by Eric at June 15, 2005 09:16 PM | Adware/Spyware