Riding a wave of consumer outrage at sneaky programs that hijack computers, California Gov. Arnold Schwarzenegger signed into law a state bill prohibiting spyware.
According to Sen. Kevin Murray, author of the Consumer Protection Against Computer Spyware Act, or SB 1436, the bill makes it illegal to install spyware on someone's computer without first giving notice. It requires software makers and Web site operators to disclose whether they put spyware on your computer, as well as describe what it does. The bill also sets forth a private right of action whereby a consumer could seek damages of $1,000 per incident and applicable attorneys' fees.
"SB 1436 bans these deceitful practices and will give consumers a sense of true security when using their own computers," Murray said in a statement.
But two advocacy groups, the Privacy Rights Clearinghouse and the World Privacy Forum, released an open letter to Schwarzenegger after the bill passed Congress urging him to veto the bill, saying it would be worse than no legislation at all.
The groups said that SB 1436 is well-intentioned. However, they added, it would establish provisions that are virtually unenforceable, could well undermine existing law, and, further, would set a bad precedent nationwide for other spyware bills that are likely to be considered in other states and in the U.S. Congress.
They stated that because the significant changes occurred so late in the session, they weren't able to express their concerns in committee hearings before the bill was sent to the Assembly floor.
Pam Dixon, executive director of the World Privacy Forum, said that the bill sets a higher standard for unfair and deceptive business practices than does the FTC.
"In litigation, it's almost impossible to prove intent," she said. "The computer fraud and abuse act is an easier standard, but only applies to criminal cases, not cases of annoyance."
Murray and co-authors Debra Bowen (D-Redondo Beach) and Gloria Romero (D-Los Angeles) introduced the bill to the California State Senate in February. It was amended nine times by the Senate and the Assembly before passing on August 26.
But Bowen asked that her name be removed from the much-amended legislation, and she spoke out strongly against the law.
"This bill doesn't protect computer users who don't want their movements tracked or their personal information ripped off," she said. "It protects spyware companies who'd love nothing more than to have their product installed on every computer in the country."
Bowen, who has taken stands against the potential for invasion of consumers' privacy via RFID technology and has authored several e-mail privacy bills, noted that the intent-to-deceive standard doesn't apply to other legally prohibited practices, such as unsolicited fax ads or recording telephone conversations without notification.
Meanwhile, another spyware bill is making its way through Congress.
The SPYBLOCK (Software Principles Yielding Better Levels of Consumer Knowledge) Act sponsored by Sen. Conrad Burns (R-Mont.) requires that consumers be given clear and conspicuous notice prior to downloading software. The bill said the notice must be displayed on the computer screen until the user either grants or denies consent to installation.
Two committees in the House of Representatives have already passed similar legislation, and a full floor vote is expected by as early as next week. The Senate anticipates a full vote before the end of the month.
But the Federal Trade Commission insists that new legislation regulating spyware is unnecessary at either the state or federal levels. Instead, it advocates better technology solutions and consumer education.