From: "Rich Gauszka" 


'The bill very specifically pre-empts all state laws that regulate "unfair
or deceptive conduct" similar to that covered by the Spy Act. '

http://weblog.infoworld.com/gripeline/archives/2007/04/spy_act_only_pr.html?sou
rce=NLC-GRIPE&cgd=2007-04-24

Here we go again. Congress has decided it needs to protect us from spyware,
but - surprise, surprise - the bill they are most seriously considering
actually offers no help in that regard. What's worse, the bill seems
designed to make it harder for you to legally go after those who spy on
you, particularly if they are doing so to determine if you're authorized to
use a software product.



Last week a subcommittee of the House Committee on Energy and Commerce
approved H.R. 964, the Spy Act, which bans some of the more blatant forms
of spyware such as those that hijack computer or log keystrokes. The bill
now goes to the full committee for approval, and it's expected to move
quickly as it has strong bipartisan support.



But why? There are already plenty of federal and state laws regarding
computer fraud, trespass, and deceptive trade practices that make spyware
illegal. The existing laws have been sufficient to allow the FTC and/or
state attorneys general to even successfully go after some of the nastier
adware companies like Direct Revenue and Zango/180 Solutions. So what is
the purpose of this law?



A clue can be found in the Limitations section of the Act, which features
this rather broad exception:



  Exception Relating to Security- Nothing in this Act shall apply to--


  (1) any monitoring of, or interaction with, a subscriber's Internet or
other network connection or service, or a protected computer, by a
telecommunications carrier, cable operator, computer hardware or software
provider, or provider of information service or interactive computer
service, to the extent that such monitoring or interaction is for network
or computer security purposes, diagnostics, technical support, or repair,
or for the detection or prevention of fraudulent activities; or


  (2) a discrete interaction with a protected computer by a provider of
computer software solely to determine whether the user of the computer is
authorized to use such software, that occurs upon -- (A) initialization of
the software; or (B) an affirmative request by the owner or authorized user
for an update of, addition to, or technical service for, the software.


In other words, it's perfectly OK for basically any vendor you do business
with, or maybe thinks you do business with them for that matter, to use any
of the deceptive practices the bill prohibits to load spyware on your
computer. The company doesn't have to give you notice and it can collect
whatever information it thinks necessary to make sure there's no funny
business going on. And by the way, another exception provision specifically
protects computer manufacturers from any liability for spyware they load on
your computer before they send it to you. Of course, the exception for
software companies checking to make sure you're an authorized user is the
strongest evidence of what this bill is all about. After all, in terms of
function, there's not much difference between spyware and DRM. Too bad for
Sony this bill wasn't already the law when its rootkit-infected CDs came to
light.



Another disturbing aspect of the bill is its enforcement provisions. The
bill very specifically pre-empts all state laws that regulate "unfair
or deceptive conduct" similar to that covered by the Spy Act. Now, the
state spyware laws are pretty useless anyway, so that may not seem like a
big problem. But the bill vests all enforcement power in the FTC and says
that "no person other than the Attorney General of a State may bring a
civil action" under the law. Private rights of action under state
consumer protection laws are eliminated. So if you're victimized by a
spyware-like deception and want to sue the perpetrator, you've got to talk
the FTC or your state attorney general into taking up your case.



Let's sum up. If the Spy Act become law, hardware, software, and network
vendors will be granted carte blanche to use spyware themselves to police
their customers' use of their products and services. Incredibly broad
exceptions will probably allow even the worst of the adware outfits to
operate with legal cover. State attempts to deal with the spyware problem
will be pre-empted and enforcement left up almost entirely to the FTC. Gee,
what's not to like in that deal?



If Congress' approach on this sounds vaguely familiar, it should. It's
basically the same formula Congress adopted four years to deal with spam.
As we know, the dreadful Can Spam Act of 2003 proved to be the "Yes,
You Can Spam Act." If wiser heads in Congress don't prevail - and who
knows if there are any - I fear the Spy Act of 2007 will just prove to be
the "Vendors Can Spy Act."

--- BBBS/NT v4.01 Flag-5