WASHINGTON
-- Spyware replaced spam as the Internet and e-commerce
issue de jour in the states this year. Legislators' interest
in spam faded after Congress passed the CAN-SPAM Act, which
preempted all state laws except those dealing with "falsity
and deception."
https://www.lynxtrack.com/signup.php
California and Utah became the first states to pass laws
governing spyware-related practices. Michigan, one of five
states still in session, is expected to have a serious
debate on spyware before the end of the year.
Michigan SB 1361, the Spyware Control Act, is sponsored by
Sen. Cameron Brown, R.-Fawn River. More importantly,
President Pro-Tempore Patricia Birkholz, R.-Lansing, is a
cosponsor. The issue of spyware will percolate in the states
for at least another year, and more states will consider it
in 2005.
Utah took the lead by passing the first spyware bill in any
of the 50 states. However, the Utah law, which bans the
installation of spyware, is seriously flawed. Problems
include the following:
* Contains overly broad definitions of “spyware”
* Captures good software as well as bad
* Interferes with NetNanny, a children's Internet content
filter
* Contains an inadequate exemption for law enforcement
The Utah law is mired in litigation. We do not expect it to
be copied in other states.
California took a very different approach. SB 1436, signed
this week by Governor Arnold Schwarzenegger, is
fundamentally a fraud law for software.
Prohibited activities under SB 1436:
1) Knowingly, and without authorization, causing computer
software to be copied and used to do the following:
* Intentionally and deceptively modify the user's home page,
default Internet service provider or web proxy, or the
user's bookmarks.
* Intentionally and deceptively collect personally
identifiable information that is collected via keystroke
logging, includes substantially all of the Web sites visited
by a user, or consists of specified data elements extracted
from the user's hard drive for a purpose unrelated to the
purposes of the software or service.
* Deceptively and without authorization prevent a user's
efforts to block installation or disable software by causing
unauthorized reinstallation or reactivation.
* Intentionally misrepresent that software will be
uninstalled or disabled when it will not be.
* Intentionally and deceptively remove, disable, or render
inoperative any security, anti-spyware, or antivirus
software installed on the computer.
2) Taking control of a consumer's computer by transmitting
or relaying commercial email or a virus, using the modem or
Internet service to cause damage to the computer or to cause
unauthorized financial charges, launching a
denial-of-service attack or causing other damage to another
computer, or opening multiple ads that cannot be closed.
3) Modifying settings on the user's computer that protect
information about the user for the purpose of stealing
personally identifiable information or for the purpose of
causing damage to computers.
4) Preventing a user's effort to block installation by
presenting a nonfunctional decline option, or by falsely
representing that the software has been disabled.
5) Inducing the installation of software by intentionally
misrepresenting that it is necessary for security, privacy,
accessing certain content.
The bill contains a definition of personally identifiable
information that includes name, card account numbers,
financial account access codes, social security numbers, and
specific personally identifiable financial account
information, addresses, Internet activity, or purchase
history.
SB 1436 does not specifically address enforcement. It
utilizes the mechanism established in California's existing
unfair business practices laws. SB 1436 also preempts local
government ordinances regarding spyware and information
collection notices.
RESOURCES
Recently Published Consumer Resources:
Spyware Information and Tools for Consumers
http://spotlight.getnetwise.org/spyware/
FTC Publication - Spyware Consumer Alert www.ftc.gov/bcp/conline/pubs/alerts/spywarealrt.htm
Phishing Survey Puts Consumer Loss to Reach $500 Millon http://truste.org/about/press_release/09_29_04.php
Industry Guidance and Consumer Information:
Anti-Phishing Working Group
http://www.antiphishing.org
California Office of Privacy Protection
http://www.privacy.ca.gov
Federal Trade Commission ID Theft Information http://www.consumer.gov/IDtheft
Wiredkids.org
http://www.internetsuperheroes.org
TRUSTe (www.truste.org)
and the Internet Alliance (www.internetalliance.org)
are working in collaboration to publish the Policy Flash, a monthly email
newsletter. Each Policy Flash includes a legislative update, practical
guidance from the TRUSTe Policy team, and online resources for further
information. The Policy Flash is a TRUSTe member-only benefit and is
designed to keep TRUSTe sealholders up to date on trends in privacy
legislation and policies across the United States and in California. For
more information on becoming a TRUSTe member or on the Policy Flash,
please email TRUSTe on privacyseals@truste.org.
