Lame Anti-Spyware Bill Passed House, Stuck in Senate
Posted by Pile
(5717 views) [E-Mail link]
|Computer users MAY be excited by H.R. 29: Securely Protect Yourself Against Cyber Trespass Act, which passed (393-4) the House and is currently stuck in Senate committee. Also known as the Spy Act (no intended reference to Karl Rove), would outlaw the act of taking over a computer in order to send unauthorized information or code, as well as diverting a Web browser without the permission of the computer owner.|
Unfortunately, as is typical in D.C., all is not what it appears. This Anti-Spyware bill does more to take away peoples' security and give comfort to spyware companies, but hey, it's got a catchy title that sounds effective, so maybe nobody will notice?
The problem is, the bill doesn't levy any criminal penalties, merely trivial civil fines of $3000 and $1000 for most offenses. History has already proven that employing small civil fines amounts to a complete and utter waste of time. You can't find these people and law enforcement won't allocate resources to track down a bunch of guys (to collect $3k) who don't have any money in the first place and will declare bankruptcy if they were actually caught.
So you think? Well any anti-spyware law is a step forward right? Nope. Not when a Federal bill like this supercedes many other, more stringent state laws. Ok, well maybe $3000 per offense will rack up for these people who infect 10,000 computers? Nope. Under this bill, infecting a zillion computers with the same spyware would be considered only a single offense.
Could this bill get worse? Yep. Individuals cannot use the law to seek damages themselves; only the state Attorney General. This bill effectively nullifies local jurisdictions' ability to impose effective anti-spyware and computer tampering laws, replacing it with a new set of rules which not only has no teeth, but makes it more comfortable and economically viable for spammers and spyware companies to operate. All they need to do is make more than $3000 per campaign and they may be covered. Lovely.
Securely Protect Yourself Against Cyber Trespass Act or SPY ACT - (Sec. 2) Makes it unlawful for any person who is not the owner or authorized user (user) of a protected computer (a computer exclusively for the use of a financial institution or the U.S. Government, or a computer used in interstate or foreign commerce or communication) to engage in deceptive acts or practices in connection with any of the following conduct with respect to the protected computer: (1) taking control of the computer by sending unsolicited material to others, diverting the Internet browser without authorization, using the modem or Internet to cause damage to the computer or to cause the user to incur unauthorized financial charges, using the computer as part of an activity performed by a group of computers that causes damage to another computer, or delivering advertisements that will not close without turning off either the computer or all sessions of the Internet browser; (2) modifying settings related to the use of the computer or to the computer's access to or use of the Internet by altering the Web page of the Internet browser, the default provider used to access the Internet, the bookmarks used to access Web pages, or the security or other settings of the computer that protect information about the user; (3) collecting personally identifiable information; (4) inducing the user to install a computer software component onto the computer or preventing efforts to block installation of a software component; (5) misrepresenting that installing a separate software component or providing log-in or password information is necessary for security or privacy reasons; (6) inducing a user to install computer software through misrepresentation; (7) inducing a user to provide personally identifiable information to another through misrepresentation or without the authority of the intended recipient of the information; (8) removing or disabling a security, anti-spyware, or anti-virus technology installed on the computer; or (9) installing or executing additional software components with the intent of causing a person to use such components in a way that violates any other provision of this section. Directs the Federal Trade Commission (FTC) to issue guidance regarding compliance with and violations of this section.
(Sec. 3) Makes it unlawful for a person to: (1) transmit to a protected computer for which such person is not a user any information collection program (a program that collects personally identifiable information and uses such information to send advertising), unless such program provides the notice required by this Act before execution of any of the collection functions of the program and such information collection program includes specified functions; or (2) execute any information collection program installed on such a protected computer, unless, before execution, the user has consented to such execution under notice requirements of this Act and such information collection program includes specified functions. Requires such notice clearly and conspicuously, and in plain language: (1) state that the program, if accepted, will collect personally identifiable information about the user and their computer use; (2) include an option for the user to grant or deny such consent, or to abandon or cancel the transmission or execution of an information collection program; and (3) include an option for the user to view a clear description of the types of information to be collected and the purposes for its intended use. Requires, if a user has consented, that an additional notice be sent if there is a material change in the way collected information will be used such that the use is outside the purpose set forth in the first notice. Requires the information collection program to contain a disabling function that easily allows the user to remove, or disable the operation of, the program. Requires that each display of a collected advertisement be accompanied by a statement that clearly identifies the information collection program. Limits the liability of a telecommunications carrier, provider of an information service or interactive computer service, cable operator, or provider of transmission capability with respect to violations described under this Act.
(Sec. 4) Provides for enforcement of violations as unfair or deceptive acts or practices under the Federal Trade Commission Act, with specified civil penalties. Requires a violation to have been committed with actual knowledge or knowledge fairly implied on the basis of objective circumstances.
SEC. 4. ENFORCEMENT.
(a) Unfair or Deceptive Act or Practice- This Act shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.). A violation of any provision of this Act or of a regulation issued under this Act committed with actual knowledge or knowledge fairly implied on the basis of objective circumstances that such act is unfair or deceptive or violates this Act shall be treated as an unfair or deceptive act or practice violating a rule promulgated under section 18 of the Federal Trade Commission Act (15 U.S.C. 57a).
(b) PENALTY FOR PATTERN OR PRACTICE VIOLATIONS-
(1) IN GENERAL- Notwithstanding subsection (a) and the Federal Trade Commission Act, in the case of a person who engages in a pattern or practice that violates section 2 or 3, the Commission may, in its discretion, seek a civil penalty for such pattern or practice of violations in an amount, as determined by the Commission, of not more than--
(A) $3,000,000 for each violation of section 2; and
(B) $1,000,000 for each violation of section 3.
(2) TREATMENT OF SINGLE ACTION OR CONDUCT- In applying paragraph (1)--
(A) any single action or conduct that violates section 2 or 3 with respect to multiple protected computers shall be treated as a single violation; and
(B) any single action or conduct that violates more than one paragraph of section 2(a) shall be considered multiple violations, based on the number of such paragraphs violated.
(c) Exclusiveness of Remedies- The remedies in this section (including remedies available to the Commission under the Federal Trade Commission Act) are the exclusive remedies for violations of this Act.
(d) Effective Date- This section shall take effect on the date of the enactment of this Act, but only to the extent that this section applies to violations of section 2(a).
(Sec. 5) Makes the provisions of this Act inapplicable with respect to: (1) acts undertaken by law enforcement authorities in the performance of official duties, including acts relating to national security; (2) monitoring, or other computer interaction, undertaken by a subscriber's Internet provider, cable carrier, or provider of information service for network security purposes; (3) a discrete interaction with a protected computer by a computer software provider to confirm authorized use of software; and (4) Good Samaritan actions (actions taken in good faith, and with the user's consent, by a computer software or service provider to remove or disable a program which violates this Act).
(Sec. 7) Requires the FTC to: (1) report annually to Congress on enforcement actions taken; and (2) issue regulations.
(Sec. 8) Directs the FTC to report to Congress regarding the use of tracking cookies (devices used to transmit personally identifiable information, or information regarding Web pages accessed by the user, to a party other than the intended recipient) in the delivery or display of advertising to owners and users of computers.
(Sec. 10) Terminates this Act after December 31, 2009.
A second bill however, H.R. 4661, the Internet Spyware Prevention Act, or I-Spy Act, sets jail terms of up to five years for a person who uses spyware to access a PC without authorization and uses that computer to commit another federal crime. The I-Spy Act also would allow a jail term of up to two years for a person who uses spyware to obtain someone else's personal information or to defeat security protections on a computer with the intent of defrauding or injuring the computer owner.
There's a big difference between the two bills, both of which are currently stuck in the Senate. 4661 could make a difference, but like the other bill, it trumps state laws, and if history is any guide, will probably never be passed, or be neutered in the Senate. Now is the time to contact your Senators and ask that HR 4661 pass, possibly with even harsher penalties, and not superceding states rights to take action if the feds won't.