Congress may be stating that they need to protect ordinary citizens from spyware and adware, however, the new Securely Protect Yourself Against Cyber Trespass Act (Spy Act) isn’t the legislation that would do it.

The federal preemption provisions (Section 6), meanwhile, trump most of the stricter state laws that might have been used to go after badware vendors. This is particularly disappointing, as state laws have opened a new front in the war on badware. A few categories of state laws are preserved, including trespass, contract, tort, and fraud laws. And, in an interesting twist, H.R. 964 preserves state consumer protection statutes, but only if the state’s Attorney General is bringing the enforcement action.

If the Act passes, which seems likely at this point, and becomes law, it would override all current state laws protecting individual privacy and would prevent citizens from bringing lawsuits against spyware and adware vendors.  Section 6 is specifically aimed at individuals and keeping them out of the courtrooms.

While the United Kingdom’s government places their surveillance of its citizens, mostly, out in public, the United States’ government prefers to pass measures such as the Spy Act quietly so that they can have the cover of legality when they spy on its own citizens.  The United States does this because they know and understand that there will be many people that will oppose such legislation.

By continually repeating how spyware and adware is bad for us and they are only trying to protect us, many will believe that the government is looking out for our best interests.  They will point out that such legislation will protect our jobs, our children, our privacy.  What it will really allow is small peeks into our online lives that should be private.

H.R. 964 combines a variety of redundant prohibitions on deceptive practices (Section 2) and ambiguous “notice” requirements (Section 3) with broad federal preemption of state laws (Section 6). In fact, you can essentially skip the first 15 pages of the bill — the FTC already has the authority to police many, if not all, of the “unfair or deceptive acts or practices” prohibited therein. If anything, by creating a heightened intent requirement (Section 4(c)), this law could constrain the authority the FTC already possesses against badware vendors.

So these provisions are pure window dressing. Both the FTC and Department of Justice have said (see p. 21 of this 2005 FTC report) that they already have the enforcement authority they need. In just the last two years, the FTC has commenced 11 spyware enforcement actions, demonstrating that they’ve got the authority they need. Of course, more enforcement would be a good thing, but H.R. 964 allocates no new money for it. (There is one improvement tucked in Section 4 of the bill — granting the FTC the power to seek civil penalties against those who violate the law.)

Since the FTC and Department of Justice already have all the authority they need, then why create more legislation that adds nothing to current law?  This legislation would, basically, allow vendors to spy on you, searching your machine for illegal and/or fraudulent activities.  They don’t even have to know that you are doing something wrong.  They can simply search your machine looking for the possibility of your wrongdoing.  And, they do not need to tell you that they are doing it or have done it.

And by the way, another exception provision specifically protects computer manufacturers from any liability for spyware they load on your computer before they send it to you. Of course, the exception for software companies checking to make sure you’re an authorized user is the strongest evidence of what this bill is all about.

If you feel that you are being harassed by these vendors or that they have no justification for peeking around your computer, you must try to convince the FTC or your Attorney General to take up the case.  If you can’t convince them, there is nothing else you can do.

The Spy Act is as useless as the Can Spam Act if you’re an individual.  If you are a vendor, it’s great legislation.  It is supposed to outlaw spyware.  Instead, it actually allows it by installing exemptions to the law.  Anyone that is considered a vendor is going to be exempt from this law, creating a situation where the vendor can monitor and interact with you, legally, and there’s not a damned thing you can do about it.