The House Energy and Commerce Committee kept anti-spyware legislation on the fast track Thursday with a 45-4 vote approving a bill requiring that consumers be given clear and conspicuous notice prior to downloading the Web traffic tracking software.
The legislation approved Thursday is an amended version of H.R. 2929, or the Securely Protect Yourself Against Cyber Trespass Act (SPY Act), which was passed last week by a subcommittee.
The SPY Act includes provisions to prohibit unfair or deceptive behavior, such as key-stroke logging, computer hijacking and the display of advertisements that cannot be closed. It also requires anyone who is not the owner or authorized user of a computer to provide an opt-in screen prior to transmitting or enabling any information collection program, which can collect personally identifiable information or information about Web sites visited. Penalties for violating the proposed law range up to $3 million.
This morning's amendment adds language about the nature and extent of the notice required, exemptions for legitimate software patches and liability provisions for Internet service providers.
With final committee passage, the bill now goes to the full House for a vote. Similar legislation has been introduced in the Senate but has yet to pass any committee votes.
Following last week's passage, a number of IT industry groups expressed concerns that the bill was overly broad. In a letter to Energy and Commerce Chairman Joe Barton (R-Texas) earlier this week, the Information Technology Association of America said the subcommittee version "will generate a veritable blizzard of legally mandated pop-up notices that only a lawyer would love."
To address those concerns, Rep. Cliff Stearns (R-Fla.) drafted new language late Wednesday night. Most committee members did not see the new language until Thursday morning.
"We wanted to make sure legitimate commerce is not undermined by this legislation," Stearns, who sponsored the new language, said. "This refines and significantly improves the bill."
Spyware is often vaguely defined and often confused with adware, but generally refers to any software that covertly gathers user information through the user's Internet connection without his or her knowledge, sometimes for advertising purposes. Most forms of adware, however, are installed with the user's knowledge.
Concerned about the growing number of programs that often surreptitiously piggyback on downloaded files, consumer and privacy advocates have urged congressional action to provide consumers with greater disclosure about the programs that report back Internet traffic patterns to advertisers and generate unwanted pop-ups. The software can also slow a computer or network's performance.
The Federal Trade Commission (FTC) has repeatedly said new legislation regulating spyware is unnecessary, contending the solution to the invasive programs is more likely to be found in better technology solutions and intensive consumer education, rather than in either state or federal legislation.
At an April spyware conference, the FTC asked Internet industry leaders such as Microsoft, America Online and EarthLink to produce a set of best practices for the use of adware, including disclosure statements to consumers regarding what they are about to download.
Although Rep. Mary Bono (R-Calif.) introduced the original bill more than a year ago, the legislation had little traction until Barton declared in April that spyware was a "cancer" on the Internet and promised to pass an anti-spyware measure this year.
In the disclosure notice required under the proposed law, the SPY Act requires consumers be informed of the type of information the software collects or sends, or the purpose for which the information is collected or sent. The bill also requires that spyware that the consumer consents to download must be easily uninstalled "without undue effort or knowledge" on the part of the computer user.