The holy grail for the software industry’s political muscle has long been what in UCITA was called “electronic self help” – the right of software publishers to remotely disable their software on the mere suspicion that it hasn’t been paid for. UCITA was ultimately stopped, but last Wednesday the Senate Commerce Committee held a hearing on a bill that nominally is supposed to fight spyware but seems intended to make remote disabling legal.

As I suggested last week, S. 1625 — the Counter Spy Act — takes an anti-spyware approach that’s very similar to the way the failed Can-Spam Act of 2003 attacked spam. Its list of prohibited behaviors – like taking over computers with zombies and collecting information for identity theft — are all already clearly illegal under existing laws. Its various loopholes would allow some bad actors to claim they’re actually following the law. And actual victims would have virtually no recourse but to beg the FTC to take action.

But one aspect of the Counter Spy Act is far more troubling than anything that was in Can-Spam. It’s the “Limits on Liability” provision, more specifically Section 6(a).
That says the whole laundry list of prohibited acts in the bill: “do not apply to any monitoring of, or interaction with, a subscriber’s Internet or other network connection or service, or a protected computer, by or at the direction of a telecommunications carrier, cable operator, computer hardware or software provider, financial institution or provider of information services or interactive computer service…”

These institutions have immunity under the Counter Spy Act when what they’re doing is done for purposes of network security, diagnostics, technical support and other mostly innocuous-sounding activities. In fact, with the first nine of these liability exemptions it seems rather odd that they would need to be mentioned at all in the context of the clearly nefarious behaviors prohibited by the bill. But the tenth and final exemption is granted for when the otherwise prohibited acts are done for:

“(10) detection or prevention of the unauthorized use of software fraudulent or other illegal activities.”

Besides the fact that the clause needs a comma or two, what does preventing “the unauthorized use of software” have to do with spyware? Is the Counter Spy Act fighting for privacy or against piracy? To understand the real purpose of 6(a)(10), we need only look at the written testimony of Vincent Weafer, a vice president of Symantec who was representing the Business Software Alliance (BSA) before the committee. The BSA, by the way, was by far the primary lobbyist – some might even say the primary author – of UCITA and its electronic self help concept.

Weafer praised Section 6(a) as “a provision allowing legitimate security and anti-piracy activities.” Along with the obviously legitimate activities that are provided exemption, he went on to say that “Section 6(a) also covers the detection and prevention of the unauthorized use of software. This is essential to our industry’s ability to protect our products against theft.
Software piracy results in almost 50 billion dollars in losses to the software industry each year, including more than 8 billion dollars in the US alone. Given these massive losses, it is absolutely critical that companies that engage in otherwise lawful conduct to detect or prevent piracy or other unlawful acts are not unwittingly subject to liability under anti-spyware laws.”

OK, but which software providers (not to mention telecommunication carriers, financial institutions, etc.) get to conduct these anti-piracy activities? After all, the spyware purveyors themselves often claim to be authorized software providers who got the user to click OK to their EULA.

The troubling questions raised by 6(a)(10) were pointed out to the Senate committee in the written testimony of Art Butler, an attorney representing Americans for Fair Electronic Commerce Transactions (AFFECT). By the way, AFFECT is the organization that stopped UCITA from being passed in any more states after it was rushed into law in Virginia and Maryland. And it’s an organization that I’ve been a member of since its inception, so there’s no question whose side I’m on.

Subsection 6(a)(10) would allow a software vendor to surreptitiously download code onto a user’s computer and freely violate their privacy, Butler wrote. “It would allow the provider to set itself up as an ad hoc police force to conduct warrantless searches and to act as judge and jury to conduct unilateral seizures. Private entities do not and should not have the right to conduct law enforcement activities. More troubling is the fact that the language of Subsection 6(a)(10) would effectively allow a software provider to unilaterally decide to remotely shut down the user’s computer or Internet or other network connection or service.
But whether the use of a particular software is ‘unauthorized,’ ‘fraudulent,’ or ‘illegal’ is often subject to legitimate dispute and merits some judicial consideration before a provider is allowed to unilaterally employ a drastic remedy like remote disablement.”

AFFECT has a very modest proposal for tweaking 6(a)(10), but on that I personally feel they don’t go nearly far enough. Even if 6(a)(10) were removed entirely, the net effect of the Counter Spy Act would still be to make the spyware problem worse. The basic approach of prohibiting a list of specific acts is a fatally flawed way of defining a moving target like spyware. Inevitably, it will let bad guys do bad things that weren’t included on the list.

In its hearing last Wednesday the committee clearly struggled with the basic issue of how to define spyware, so perhaps there is hope they’ll realize they need a completely different approach. They’ve been given some good advice in that regard. In his testimony, spyware expert Ben Edelman argued for a radical simplification of S. 1625 that would focus on increasing the penalties such as a treble fine in FTC actions. And the FTC itself in its testimony before the Senate committee and in comments last year about similar bills in the House has made it clear it doesn’t want new definitions of spyware but the ability to bring civil actions against those it goes after under existing laws.

So who is it that actually wants spyware laws to take this laundry list approach, and why? The only thing I can figure is it’s the software industry and perhaps the major ISPs who know they can’t have their exemptions if there aren’t specific prohibited acts to exempt them from.

Of course, the BSA side also questions the motives behind opposing arguments. Weafer in his testimony warned the Commerce committee that “certain interest groups” would seek to weaken or delete Section 6(a).
“The purpose of weakening this provision is not to protect against spyware, but to make it harder for legitimate companies to fight piracy, or other fraudulent or illegal activities,” he wrote. “The laudable anti-spyware goals of this Act should not be subverted for this purpose.”

Well, I agree with him that the laudable goals of the Counter Spy Act should not be subverted, but I would say the BSA is the certain interest group that is trying to do so for its long-held purpose of legalizing electronic self help. And if you agree with me, you should consider writing your U.S. Senators and telling them that you’d like to see S. 1625 dumped. Congress needs to find ways to help fight spyware, but handing a host of commercial entities unfettered powers over our computers isn’t one of them.

Post your comments about this story below or write Ed Foster at Foster@gripe2ed.com.