Editor’s note: Braden Cox is Technology Counsel for the Competitive Enterprise Institute.
Bond: “Do you expect me to talk?”
Goldfinger: “No, Mr. Bond, I expect you to die!”
WASHINGTON,Just as Goldfinger wanted to stop Hollywood’s favorite spy, many people want spyware eliminated. There are a handful of bills that have been proposed in the House and Senate regarding the installation of computer software. Last week, a bill cleared a House Energy and Commerce subcommittee and is on its way to a full committee vote. Unfortunately, this bill, as amended, lacks the laser precision necessary to prohibit only the bad forms of spyware and will affect the installation of other positive software.
The devil is in the definition. The fear of having any spyware legislation is that it will be overbroad in its attempt to define “spyware.” Congress may very well succeed in mandating notice and consent, but in doing so it will burden many other forms of software installations while adding nothing new to the legal options that already exist to detect and curb fraudulent and deceptive behavior.
HR 2929 – now named with the catchier title “Securely Protect Yourself Against Cyber Trespass Act” or the “SPY ACT” — is an example of such over inclusive legislation. Introduced by Rep. Mary Bono (R-CA) and Rep. Edolphus Towns (D-NY), it prohibits the distribution of certain software programs over the internet without notice and consent. The bill creates an expansive category of what is a “spyware program” and directs the Federal Trade Commission (FTC) to create rules to implement the legislation.
Rules that the FTC does not need create by its own admission. The FTC is already on record that spyware legislation is unnecessary. A FTC hearing in April, a computer crimes expert at the Department of Justice stated that no new laws are needed to prosecute spyware crimes.
Focus on conduct, not technology
Innovation in the ever-evolving world of Internet commerce is stifled as software makers forgo tinkering with the online user experience for fear of regulatory persecution. The same underlying technology that can enable spyware also may power beneficial applications. There is a difference that legitimately tracks user activity like some online web sites and spyware that tracks activity for purposes of stealing private information. The spyware problem derives comes from bad people, not bad technology.
Legislation is premature; instead, industry still needs time to respond to the challenges of electronic commerce. And it appears that we don’t have to wait much longer, as a Microsoft representative testified at the FTC workshop that its upcoming service release to Windows XP will include popup and ActiveX blocking, improved install prompts, and a new software add-on manager. This testimony as well as other developments demonstrates that the consumer demand for spyware protections will be met by industry initiative.
Enforce existing law
Curbing spyware does not require special legislation as existing laws adequately address any misuse of software resulting in fraud or other deceptive acts. Title 5 of the Federal Trade Commission Act applies to unfair and deceptive trade practices. Provisions of the Computer Fraud and Abuse Act which make it illegal to intercept a communication without a court order could apply to some uses of spyware that co-opt control of computers or exploit Internet connections. This body of existing law adequately addresses misapplication of software, including spyware.
There is no doubt that some forms of spyware pose risks to consumers. But legislation that eliminates both good and bad characters in a class of software by direct prohibitions or burdensome regulatory requirements is not the answer. Just like Bond, consumers need a “license to kill” bad software, but at this point Congress should just “live and let die” and allow the combination of industry self-regulation, consumer education and the enforcement of existing laws to progress.
C:\SPIN is produced by the Competitive Enterprise Institute