A U.S. House committee voted Thursday to approve legislation intended to protect consumers against spyware over objections from some lawmakers that the bill may force new regulations on legitimate software.
The House Committee on Energy and Commerce voted 45-4 to send an amended version of the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT) to the House floor, pending a review by the House Judiciary Committee, but dissenters objected to the speed with which the legislation was pushed from a subcommittee to the full committee.
On June 17, the House Subcommittee on Commerce, Trade and Consumer Protection approved an amended version of the original bill, replacing nearly all the original language. A second amendment, approved by the full committee Thursday, was not available for lawmakers to see until about 11:30 p.m. ET Wednesday.
The bill allows fines as large as $3 million for actions unauthorized by a computer's owner, including hijacking browsers, changing a browser's default home page, changing the security settings of a computer, logging keystrokes, and delivering advertisements that the computer user cannot close without turning off the computer or closing all sessions of the browser. The bill requires computer users be notified and be allowed to give consent before software that collects and transmits personal information is installed on their computers.
Representative Anna Eshoo, a Democrat representing part of California's Silicon Valley, suggested that the bill, even after amended Thursday to respond to concerns by the software industry, was "too broad." The amended bill could force Microsoft to warn users each time it scans for software updates or force eBay to tell users it was scanning its site for fraudulent actions, Eshoo said.
"I think more work needs to be done," Eshoo said. "These are not easy issues at all. The technology is complicated. The privacy issues are difficult."
Eshoo and others who voted against the bill complained that they didn't have time to properly assess significant changes to an amendment offered by Representative Cliff Stearns (R-Fla.). Stearns, who offered the substitute for the original bill during the subcommittee meeting June 17, made several additional changes in an amendment approved Thursday.
Most committee members, however, praised the bill. "The bill we have before us today is the result of an enormously collaborative effort among committee members, industry and consumer groups," said Representative Mary Bono (R-Calif.) who originally sponsored the bill. "I feel that we have fashioned a bill that is strong enough to protect consumers from spyware-related privacy invasions without impeding the growth of technology."
Stearns called the latest amendment a balanced compromise and said he's willing to work on any concerns about the bill as it moves to the House floor. Most of the changes to the bill approved by the committee Tuesday were made in response to IT industry concerns, he added. "We have gone into enormous detail to try to help the industry," he said.
Among the changes approved Thursday:
The bill was reworded to tell software vendors they have to give notice to consumers about the nature of an installed program once, instead of multiple times.
The bill now exempts Internet servicer providers scanning for fraudulent activities or diagnosing network problems from requirements in the bill.
The bill now contains wording focused on preempting a Utah spyware law.
The original Stearns amendment allowed for only one type of notice when software is installed, warning computer users that the software will collect information about them and their computers. The new version of the bill includes two additional notices that software can use, telling computer users that the software is collecting information about the Web pages they visit in order to display advertising.
The Business Software Alliance (BSA), a trade group representing software vendors, applauded the committee for addressing spyware, with BSA president and CEO Robert Holleyman calling spyware "a reprehensible practice that harms each of us."
But Holleyman, in an e-mail statement, also expressed concern that "certain critical issues were not fully clarified to avert unintended consequences." The BSA hopes to work with the committee before the bill makes it to the House floor, he said.
"We fear that without further changes, elements of the bill on the standard for culpability and notice and consent could create substantial consumer confusion and impose considerable burdens on technology companies," Holleyman said. "These are critical issues for technology companies, and their resolution will enable the leading American software developers to support the bill."
Holleyman specifically objected to the bill's uniform notice and consent forms for most types of software, including spyware and legitimate software. "This requirement will not help consumers distinguish between legitimate software and software that uses personally identifiable information for reprehensible ends," he added. "In addition, we are concerned that the 'one size fits all' notices approach will not help to inform consumers about how their personal information is being used, and will become just another screen to click 'I agree.'"