Anti spyware bill faces controversy over limiting citizens' ability to sue

Stupid congressional acronyms reached a new level with the introduction in the House of the SPY ACT, standing for Securely Protect Yourself Against Cyber Trespass Act. This may be the first use of the second person in federal law. In any case, the bill is controversial for reasons other than its name, Ars Technica says.

The Electronic Frontier Foundation says the bill to ban a range of nasty malware will actually make things worse. While it seems to give the FTC a range of powers to go after bad guys, the FTC already has those powers, EFF's Fred Lohmann says. One important change, though: the bill does allow the FTC to file civil actions as well as criminal prosecutions. Distressingly to Lohmann, the bill includes a "federal preemption" section, which limits all malware suits to state Attorneys General and the FTC.

this section is intended primarily to block the ability of private citizens to sue badware vendors under state laws. By consolidating all the enforcement authority against badware in the hands of the FTC and state Attorneys Generals, software and adware vendors are trying to quietly block consumer class actions that could target their misbehavior. For example, H.R. 964 would have made it impossible for EFF to use California's Business and Professions Code 17200 (which allows private citizens to sue for unfair and unlawful business practices) against Sony-BMG for its spyware-laden copy-protection software.

On the other hand, the Center for Democracy and Technology, is "generally supportive" of the legislation. A CDT representative told Congress that "all of the state spyware cases have invoked state consumer protection laws," and noted that these laws would be left intact. Ars Technica explains, though:

What would change, though, is that state Attorneys General could not bring actions under specific state statutes against spyware; these would instead be replaced by the uniform federal standard. The CDT also notes that the FTC has been busy busting some of the biggest spyware vendors, but it has been unable to secure much in the way of financial penalties. The new civil penalty authority should give the agency the power to seek fines against companies, not just "disgorgements" of improperly earned revenue.

And what about this little loophole? One of the exemptions if for software used "solely to determine whether the user of the computer is authorized to use such software." Ars says that's aimed at DRM that connects to servers, but might it be broad enough to include the Sony rootkit? Ars says not:

Even Sony BMG's rootkit would have been in trouble for collecting consumer data without clear notice and consent, and because it was not simple to uninstall.