The Internet Spyware (I-SPY) Prevention Act of 2007 would impose prison terms of up to five years for placing unauthorized code on a computer that mines personal information about a user or impairs a computer's normal security software.
The legislation would also give the Department of Justice $10 million annually to fund spyware investigations and prosecutions.
"By imposing criminal penalties on these bad actors, this legislation will help deter the use of spyware, and will thus help protect consumers from these aggressive attacks," bill co-sponsor Rep. Bob Goodlatte (R-Va.) said in a statement. "I am encouraged by the House passage of the [bill] and I call on the Senate to act on this important legislation."
The SPY Act specifically requires an opt-in, notice and consent regime for legal software -- often known as adware or spyware -- that collects personally identifiable information from consumers.
The SPY Act would also prohibit surreptitious keystroke logging, browser hijacking and the unauthorized removal or disabling of security software installed on a computer. Violators would face civil penalties of up to $3 million per violation.
The House has twice approved the legislation but, like the I SPY Act, the Senate has failed to show interest.
In both cases, opposition from the advertising industry blocked Senate passage of the bills. Advertisers claim both bills fail to distinguish between legally installed software and malware.
But Goodlatte said Tuesday, the I SPY Act, "Leaves the door open for innovative technology developments to continue to combat spyware programs."
When the I SPY Act passed the House Judiciary Committee earlier this month, Rep. Zoe Lofgren (D-Calif.), a co-sponsor of the bill with Goodlatte, said one of the greatest challenges to drafting anti-spyware legislation is that many legal programs are almost indistinguishable from spyware.
"An Internet 'cookie' (define) can be used to store detailed information about a user's preferences when visiting a much-frequented Web site," Lofgren said. "But the same technology can be used by identity thieves to track and store personal and financial information. The appropriate legislative target is not the cookie itself, but the criminals who use it for illegal purposes."