In what's become almost an annual ritual, Congress is considering legislation that would criminalize spyware, or the unauthorized installation of computer software.
The Senate's SPY BLOCK Act would also require clear disclosure to computer users of software features that may pose a threat to privacy. The Commerce Committee approved the bill on November 17, 2005.
The would-be law targets three main threats to consumers: software that seizes control of a user's computer; software that triggers advertising out of context with the use of the computer; and the undisclosed collection of personal information. It identifies a series of unfair and deceptive practices related to spyware, including computer hijacking, spam zombies, endless-loop pop-up ads, and fraudulent and false installation. The bill also bans modem hijacking, which allows spyware companies to charge overseas phone calls to victims, and Denial-of-Service attacks, which coordinate computers to attack Web sites.
The legislation also strengthens Federal Trade Commission enforcement and gives both the FTC and state attorneys general the authority to enforce provisions of the bill. Additionally, it creates a new section in the criminal code establishing criminal penalties for the unauthorized copying of software to a protected computer. An amendment would increase civil penalties for violations involving unfair or deceptive acts or practices that exploit public reaction to an emergency or major disaster.
The U.S. House of Representatives approved its own anti-spyware legislation earlier this year. Known as the Internet Spyware (I-SPY) Prevention Act of 2005, the bill imposes prison terms for intentionally accessing a computer without authorization for the purpose of planting unwanted software. Under I-SPY, gaining unauthorized access to a computer to commit a crime is punishable by a fine or imprisonment for up to five years. If the access is used to transmit personal information for the purposes of fraud or damaging a computer, the prison terms can go up to two years.
The House also passed the Securely Protect Yourself Against Cyber Trespass Act (SPY Act), which toughens penalties on spyware purveyors. But it goes much further than the I-SPY Act by imposing an opt-in, notice, and consent regime for legal software that collects personally identifiable information from consumers. Among the spyware practices prohibited by the bill are phishing, keystroke logging, homepage hijacking, and ads that can't be closed except by shutting down a computer. Violators could face civil penalties of up to $3 million.