Net firms lose in House spyware vote

By a 368-48 vote, with 43 of the opposing votes coming from Republicans, the House endorsed the Spy Act, which is broader and more regulatory than a second bill that was backed by politicians from Silicon Valley. The House approved the second bill on May 22.

The more regulatory version approved Wednesday, which has been revised (PDF) in the last few weeks, proposes punishments for anyone who slips code onto computers without authorization in an attempt to "impair" a machine's security features, to transmit personal information about the machine's user without the user's knowledge, or to commit other federal crimes such as identity theft. It would also require that unwanted programs be easy for consumers to disable.

On one level, the differences in the two bills represent a long-standing turf war between two House committees. On another, though, they reflect starkly different views of how to deal with online threats: through a narrow approach that seeks to criminalize breaking into computers, or through a broader approach that would levy a new and complex raft of regulations on the software industry and Web publishers. Which version prevails will depend on what the Senate decides.

In a letter to House Speaker Nancy Pelosi on Wednesday, a wide range of groups including the American Bankers Association, the Interactive Advertising Bureau, the Information Technology Association of America, and NetCoalition (which counts Yahoo, Google, and News.com publisher CNET Networks as members) warned that the Spy Act would be problematic.

"The bill, as currently drafted, would regulate every Web site on the Internet and for any site that collects any 'personal' information, a proscriptive notice pop-up box would appear," Mike Zaneis, a vice president with the Interactive Advertising Bureau, said in an e-mail interview. "Congress is not capable of carving out all of the benign technologies that currently exist or will be developed in the future."

One unusual aspect of this political tussle is that spyware is already illegal and, according to government officials, no new laws are probably necessary. The Federal Trade Commission has told politicians it already possesses broad authority to punish any fraudulent and deceptive adware or spyware practices with fines, and has sued spyware purveyors in the past. Department of Justice prosecutors have said the same thing about filing criminal charges and have already engaged in prosecutions.

But on Wednesday, the Spy Act's sponsors--including Reps. Edolphus Towns (D-N.Y.) and Mary Bono (R-Calif.)--promised the legislation would help consumers.

"Today's legislation provides consumers with new tools to protect themselves from unwanted, harmful software," Towns said in prepared remarks on the House floor Wednesday morning.

Towns said he was confident that the bill struck an appropriate balance. "Anytime we legislate on highly technical matters, there is always a danger of stifling innovation and making the use of legitimate software too burdensome," he said. "It is a very difficult tightrope to walk, but I think we have done an excellent job in walking that line."

Bono, for her part, said in a statement that she would remain a strong proponent of antispyware legislation because she believes "consumers should have the final say about what plants itself on their computer--not a third party with potentially conflicting interests."

"Antispyware" measure regulates Web cookies too
Opponents of the Spy Act, however, argue that such restrictions are worded broadly enough to threaten the viability of a vast array of Web sites that rely on cookies to provide their services. (The shopping cart function on e-commerce sites and ad-supported Web services like search engines and news sites, for instance, depend on cookies.) The bill's authors have attempted to exempt cookies, but opponents say the approved version doesn't go far enough to ease their concerns and could prevent the adoption of technologies no one has even dreamed up yet.

FTC Chairwoman Deborah Platt Majoras also has cautioned Congress against requiring a notice-and-consent approach to spyware, arguing at a hearing in October 2005 that consumers bombarded with such notices may not read them, unwittingly accepting all notices and finding harmful spyware downloaded onto their machines as a result.

Chiefly sponsored by Reps. Zoe Lofgren (D-Calif.) and Bob Goodlatte (R-Va.), the narrower version that came out of the House Judiciary Committee is called the I-Spy Act. It takes a less regulatory approach, imposing fines and up to five years in prison for anyone who intentionally causes software "to be copied onto" a computer--and damages the machine or steals personal information in the process.

Attempts by Congress at enacting new laws targeting spyware are nothing new. The House approved some kind of antispyware legislation both in 2004 and 2005, but the Senate never acted.

Some technology firms are hedging their bets by saying they support both bills. "By passing the Spy Act, the House of Representatives sent a clear message to spyware purveyors everywhere that their days of secretly infecting innocent and unsuspecting consumers' computers with spyware are numbered," Kevin Richards, Symantec's government relations manager, said Wednesday.

A Symantec spokesman said the Business Software Alliance and the Cyber Security Industry Alliance, of which Symantec is a member, also support both proposals.