Spyware, data privacy bills reappear in House

Congress has tried for years to enact spyware regulations and restrictions on Social Security numbers, with no luck so far.

Declan McCullagh Former Senior Writer
In October 2004, all but one member of the U.S. House of Representatives voted for a bill that was supposed to curtail the threat of malicious PC-disrupting spyware.

But the Senate ignored it. So the House once again approved spyware regulations in May 2005, which yielded precisely the same lack of a result.

Hoping that the third time proves the charm, House leaders on Thursday introduced a bill that would once again try to impose 31 pages of regulations on the software industry in an effort to define what types of activities are permissible and which ones aren't.

Rep. John Dingell, a Michigan Democrat and the chairman of the House Energy and Commerce Committee, called the announcement "a serious down payment on resolving the scourge of identity theft and related abuse." He promised that legislation would be sent to the House floor "expeditiously."

A legislative fusillade

The House of Representatives saw a flurry of technology-related proposals introduced on Thursday, some almost identical to unsuccessful bills last year. This follows recent announcements on topics including pretexting, data breaches, Net neutrality, image monitoring, and data retention.

•  Anti-pretexting bill (sponsors include Rep. Dingell and Rep. Barton)

•  Bill to restrict the sale of Social Security numbers (sponsors include Rep. Markey and Rep. Barton)

•  Data breach notification bill (sponsors include Rep. Rush and Rep. Stearns)

•  Spyware regulation bill (sponsors include Rep. Towns and Rep. Bono)

Dingell was referring not only to the spyware measure but also to three other proposals announced at the same time: a bill to regulate telephone pretexting, one to curb the sale of Social Security numbers, and one to impose many additional security requirements including data breach notifications on private companies (though not federal agencies).

Taken together, the measures represent a broad and surprisingly bipartisan attempt by House leaders to rewrite many electronic privacy laws. But they still face substantial obstacles in the form of senators who proposed an alternative security breach approach two days earlier, opposition from telephone companies, and fatigue from politicians who recently approved another anti-pretexting bill that President Bush signed into law just last month.

Another political obstacle could be large data brokers that buy and sell personal information on Americans including Social Security numbers, and the police agencies that are their customers and might find some of their data flow drying up. As far back as July 2000, Congress held a hearing on a bill to restrict the sale of Social Security numbers--an idea that died quietly in a Senate committee.

Here's a summary of the four bills introduced on Thursday:

•  Reps. Edolphus Towns (D-N.Y.) and Mary Bono (R-Calif.) announced the so-called Spy Act, which contains extensive regulations on what types of actions software may perform. Resetting the browser's home page is not allowed, for instance, but "good faith" efforts to remove malicious software are permitted.

•  The Data Accountability and Trust Act, sponsored by Reps. Bobby Rush (D-Ill.) and Cliff Stearns (R-Fla.), says that any business that houses personal information must implement specific security practices, including methods for dealing with disposal of "obsolete" information. Like many of the data security proposals that have been circulating in Congress during the past few years, it would also mandate notification requirements in the event of a breach of personal data.

In a letter to Congress on Thursday, representatives from the liberal advocacy groups Consumers Union and Consumer Federation of America endorsed the effort, calling it "a reasonable approach to this alarming problem that will provide consumers with significant protections from the harms that can arise from preventable data breaches." A Washington representative of RSA, part of EMC Corp., also expressed support for the bill, saying it would be better to have one national standard for breach notification rather than a patchwork of state rules.

•  Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) want to make it unlawful to sell or purchase Social Security numbers, an approach also proposed by Sen. Dianne Feinstein (D-Calif.). Exceptions include law enforcement and national security purposes, public health reasons, research for the "purpose of advancing public knowledge," "legitimate" consumer credit verification and emergency situations.

•  Dingell and Barton also are behind the Prevention of Fraudulent Access to Phone Records Act, which targets pretexting of phone records--that is, fraudulent access to them--and would impose sweeping and expensive regulations on telephone companies. They could, for instance, share customer information with third parties, including business partners, only if a customer gave "express prior authorization."

CTIA-The Wireless Association representative Joseph Farren said a law that criminalizes pretexting and received President Bush's signature last month goes far enough.

"The new law will serve as a significant and meaningful deterrent to individuals who would contemplate this criminal trade and feel additional legislation is unnecessary at this time," he said in an e-mail interview Thursday. An AT&T spokesman also expressed skepticism.