The state of Utah has also proposed legislation to address
the problem of spyware, namely the Spyware Control Act
(H.B.323). As discussed in the Disclosures section,
I've had the opportunity to speak with Utah legislators on the subject of this
legislation, including reviewing proposed wording and even making some suggestions.
I've concluded that the bill would make good law -- would address and begin
to correct some serious problems facing consumers, and would do so without serious
damage to other important interests.
As the bill moved through Utah's legislative process, I wasn't
surprised to see criticism from the companies that would most obviously be subject
to this bill's requirements: Companies like Gator
and WhenU seem to stand only to lose if laws
come to constrain the way they can install their software on users' PCs, or
what their software can do once installed. But I've been quite surprised to
see concerns from big, well-established, mainstream Internet companies -- AOL,
Amazon, Google, Microsoft, Yahoo, and a dozen others -- whose programs and practices,
in my view, are far from what the Utah bill speaks to. (See e.g. a letter
(PDF) from these companies and others to sponsors of
the bill, voicing their opposition.) I've also been surprised to read articles
like Leading
Internet Providers Oppose Passage of Spyware Control Act and Spyware
Act Has Detractors. Both the letter and the news coverage seem to misunderstand
the bill -- overstating its effects and its scope, and failing to recognize
major checks present within the bill's text that prevent the bill from having
the negative effects alleged.
I've concluded that some readers may be misunderstanding portions
of the bill or for whatever reason overstating the bill's effects. With that
in mind, this document attempts to offer a close reading of the bill -- going
through its major provisions, line by line, to understand how they fit together.
I've then added answers -- my answers, at least -- to some questions that have
already arisen, often repeatedly, e.g. in Slashdot
discussion. Throughout, I've tried to maintain a light conversational tone
-- I see no need to be overly formal or dry when discussing this important but
sometimes complicated subject.
Is this document perfect? No, quite the contrary. For one,
it's a work in progress -- subject to revision whenever I find points I can
explain more clearly, and whenever I find the time to update it. For
another, I readily admit to having written it in a hurry -- it was inspired
by reading Leading
Internet Providers Oppose Passage of Spyware Control Act (which I only received
on Monday afternoon, March 15) and the associated Slashdot
discussion, and I posted this document (in its earliest draft form) a mere
six hours after first reading these materials. So please send comments and suggestions
to me, Ben Edelman (email).
123 (1) A person may not:
124 (a) install spyware on another person's computer;
125 (b) cause spyware to be installed on another person's computer; or
126 (c) use a context based triggering mechanism to display an advertisement that partially
127 or wholly covers or obscures paid advertising or other content on an Internet website in a way
128 that interferes with a user's ability to view the Internet website.
Provisions (a) and (b) seem pretty straightforward -- at least
if you know what spyware means. For guidance there, we turn to the bill's definition
of spyware. The definition is detailed enough that copying it here verbatim would
be unwieldy. I've struggled to find a way to helpfully depict its
hierarchical structure -- the way its many embedded requirements fit together.
Having tried a few alternatives, I think the following outline might be helpful
to at least some readers. The bill takes the following structure (wording simplified
for brevity):
Spyware is software that
  (a) monitors the computer's usage
  AND
  (b) either
    (i) sends information about the computer's usage to a remote computer
        AND
        (c) does not
            obtain the user's consent to a license agreement that is
              presented in full, written in plain language,
              with notice of the specific information to be transmitted,
              with examples of ads,
              with a statement of ad frequency,
              AND with an explanation of how to distinguish its ads from others
            AND does not
            provide an uninstall routine that
              is quick and easy,
              has no other effects on unrelated parts of the user's computer,
              AND uses obvious, standard methods
    OR
    (ii) displays advertisements in response to the computer's usage, if the ads
           don't identify who delivered them,
           OR use federal trademarks as a trigger for ad display (except by the
              trademark owner, a licensee, or a search engine),
           OR use a trigger mechanism to display ads according to the websites accessed
Then, even programs that satisfy these conditions still aren't
spyware if they're within the carve-outs in section
(5): The bill specifically excludes from its definition of spyware programs
that are designed and installed solely to diagnose or resolve technical problems;
programs that solely report information previously stored on the user's computer (e.g.
cookies, or HTML code and JavaScript used in this capacity); and operating systems.
123 (1) A person may not:
...
126 (c) use a context based triggering mechanism to display an advertisement that partially
127 or wholly covers or obscures paid advertising or other content on an Internet website in a way
128 that interferes with a user's ability to view the Internet website.
41 (1) "Context based triggering mechanism" means a software based trigger or program
42 residing on a consumer's computer that displays an advertisement according to:
43 (a) the current Internet website accessed by a user; or
44 (b) the contents or characteristics of the current Internet website accessed by a user.
Together, these clauses prohibit programs from showing advertisements
according to what web sites a user visits, if those advertisements cover other
web sites and interfere with the user's use of those other web sites.
Recall that I began to draft this page in response to complaints
-- and attempts to block the bill -- from folks apparently concerned that the
bill would interfere with ordinary, legitimate activities. In principle that's
a reasonable concern -- certainly legislation can be drafted in a way that's
overbroad and that prohibits behavior that even drafters consider unobjectionable.
So let's see whether this bill in fact prohibits ordinary, legitimate
activities. Some examples to think about --
Virus definition updaters. Anti-virus software might
be taken to monitor a computer's usage -- although, to be sure, it's not obvious
which of the information within the bill's definition of usage antivirus
software actually needs. Any anti-virus software
that monitors a computer's usage might well send this information to a remote
server -- to aid in diagnosis and cure of the infection. So provisions (a)
and (b)(i) of the definition of spyware might seem to be satisfied, at least
for those anti-virus programs that monitor usage as defined. But it's hard
to imagine a legitimate, mainstream antivirus software that lacks a license
agreement presented to the user, that fails to tell the user what information
it will transmit to remote servers, or that lacks an uninstall program. So
the legitimate, mainstream anti-virus program is well within the safe harbors
in (c), and as a result it's not spyware within the meaning of this bill.
Search engine toolbars. Search engine toolbars often
need information about the web sites users visit; for example, the Google
Toolbar obtains and transmits this information so that it can offer users
related sites, site rankings, and the like. Search engine toolbars are therefore
likely to satisfy (a) and (b)(i) of the definition of spyware. But like virus
definition updaters, legitimate mainstream search engine toolbars have clear
license agreements with appropriate disclosure of what information is transmitted,
and they have fine uninstall programs. So neither are search engine toolbars
spyware within the meaning of this bill. What if the toolbars don't have license
agreements and uninstall programs? Well, if they do monitor and transmit usage
data (as defined), then they'd be in violation of this bill. But if they're
really sending to their servers (for example) information about which web
sites users visit, it doesn't seem so unreasonable for a law to say the programs
ought to ("must"!) provide and obtain consent to a license
agreement that says as much, and must provide an uninstall program that lets
users change their minds later on.
Personal firewalls. Not spyware, per (c), as above.
That aside, I'd be surprised if many personal firewalls send information about
a computer's usage to any remote server -- certainly that's not what I thought
I was signing on for when I installed a personal firewall.
Internet filtering software
(e.g. programs that prevent users from viewing sexually-explicit sites). In
general, filtering programs neither transmit usage data nor show context-triggered
advertisements, so they can't be spyware under this bill because they satisfy
neither clause (b)(i) nor (b)(ii).
As to those programs that for some reason do transmit
usage data (perhaps to assist filtering companies in determining what
other web sites to review for possible filtering): The bill requires only
that such programs include a license agreement (that explains the transmissions)
and an uninstall routine. Unreasonable? If the programs are actually going
to transmit information about what web sites users visit, then they ought
to tell users they're doing so. Seems perfectly sensible to me.
As to the concern that the uninstall program must be
"quick and easy" (seemingly in conflict with the goal of making
filtering software permanent on a computer lest unauthorized computer
users remove it): Recall that the bill defines
a user of a computer to mean a computer's owner. So, unauthorized
"users" (presumptively not computer owners) need not have the
ability, under the removal requirement, to remove the software.
What kinds of software does the bill actually prohibit? For
one, software that transmits usage information (as defined in the bill) without
first disclosing the fact of such transmissions. For another, software that
makes such transmissions without a proper uninstall routine.
So, sure enough, the bill prohibits any virus definition updater,
search engine toolbar or other program that transmits usage data (like what
web sites users visit) without disclosing it, or that can't be uninstalled easily.
Is this good or bad? I think it's good -- programs that transmit usage data
ought to tell users what they're doing and let users change their mind later
even if they accept initially. Among (for example) anti-virus programs, I don't
think there are many violators of these basic rules. But any programs that send
this data without telling users are already pushing the boundaries of legitimacy. Recall
the lawsuit against RealNetworks when its
software transmitted information about users' listening habits, without disclosing
the fact of such transmissions in its privacy policy or license agreement.
I have received a letter (PDF)
sent to sponsors of the bill, co-signed by AOL, Amazon, the Association for
Competitive Technology, AT&T, the American Electronics Association, the
Business Software Alliance, c|net, the Computer & Communication Industry
Association, eBay, Google, the Information Technology Association of America,
the Internet Commerce Coalition, Intraware, MCI, Microsoft, NetCoalition, Novell,
Orbitz, the Software & Information Industry Association, Verizon, and Yahoo!
These companies all express concerns about the bill as drafted, and I'm told
that they've subsequently asked the governor to veto it.
It's hard not to be impressed -- indeed, overwhelmed! -- by
so large a list of signatories. But I nonetheless want to take a close look at
the specific concerns offered in their letter, with reference to the actual
provisions of the bill itself. The letter offers seven distinct problems with
the bill as it stands:
Letter's concern: "Erecting obstacles to routine,
benign Internet software. H.B. 323 is structurally flawed and cannot be fixed
through exceptions because its definition of spyware is extremely broad and
would cover a host of important and beneficial Internet communication software,
and even the communication of routine network information. These communications
are essential to provide basic functions on the Internet. They may include
information necessary to provide upgrade computer security [sic] to protect
against hacker attacks, to provide interactivity on web sites, to provide
software patches, to improve Internet browser performance, or enhance search
capabilities. Consequently, the ability to communicate routine information
may be severely impaired by the bill."
My reaction: I don't quite know what
to make of this concern because I can't understand precisely what the
authors have in mind. The text refers to six classes of programs. Let
me try to take each in turn:
communications that "provide
basic functions on the Internet" - Too vague to analyze in
a meaningful way. I'm just not sure what we're talking about.
programs that "upgrade computer
security" - In general, updates are not within the scope
of the bill. Analogous to "virus definition
updates" example above.
programs that "provide interactivity
on web sites" - Not clear exactly what we're talking about
here. JavaScript menus, rollovers, that sort of thing? Or ordinary
HTML code that is interactive? These are explicitly
excluded from the bill, though in any event they're hardly "software"
"installed on a user's computer" within the meaning of the
bill. To the extent that a site provides an actual software program
to be installed on a user's computer -- some kind of executable plug-in
or full application -- the program would have to comply with the bill.
But if the program included a proper license and uninstall routine,
the program can't be spyware. Are a license and uninstall routine
too much to ask for, for those web sites that actually load software
onto users' computers?
programs that "provide software
patches" - In general, not within the scope of the bill.
Analogous to "virus definition updates"
example above.
programs that "enhance search
capabilities" - In general, not within the scope of the bill.
See "search engine toolbars" example
above.
So my sense is that the specified programs
in fact aren't prohibited by the bill as drafted. Some license agreements
will have to be included where previously none were needed, as a matter
of law. Same for uninstall routines. But that doesn't seem like such a
bad thing. (More on this, below.)
Letter's concern: "Interfering with Computer Security:
The bill also would create serious barriers to collection of data that Internet
companies and security companies use to analyze and prevent hacker attacks
on the Internet. This security problem is exacerbated by the fact that computer
hackers, and other criminals could refuse to consent to use the software that
law enforcement officials need to be able to conduct investigations."
My reaction: I don't get it. If I were
an ISP and wanted to analyze hacker attacks on the Internet, I'd do that
by watching traffic flowing over my network -- monitoring -- not by asking
or requiring each of my users to install software, which might or might
not be compromised by the very attacks I'm trying to study. Certainly
news coverage and technical journals don't reflect that ISPs currently
block or analyze hacker attacks by installing software on individual users'
PCs. Beyond limited protections like personal firewalls, I've never heard
of such a practice, and I don't believe I have (or have ever been offered)
such software for my cablemodem-connected PC.
But suppose such software 1) does exist,
and 2) does help with blocking or analyzing hacker attacks. What's so
bad about providing a license agreement and uninstall routine? Satisfy
these two requirements, and definition section (c) is satisfied and the
software can't be spyware under the bill's definition. And if the software
is going to transmit users' usage data to remote servers, users ought to
have the right to know what it's doing and to take it off if they wish.
As to software somehow
required for law enforcement purposes: My understanding is that the doctrine
of sovereign immunity would prevent users from suing the government for
installing spyware on their computers, even if the government actually
did so. Per the Electric
Law Library, it's not possible to sue a sovereign (e.g. a government)
unless the government specifically grants its consent, and it's pretty
clear that there's no such grant here.
Letter's concern: "Slowing the Use of the Internet
and Burdening Users with Notices: It is hard to quantify the enormous number
of notices that the bill would require. This kind of traffic would seriously
interfere with the user experience on the Web. Some consumers would ignore
all the disclosures, thereby missing a notice concerning software they wouldn’t
want installed on their computers. Other consumers will be so confused by
the volume of notices that they will not permit the installation of software
that they need."
My reaction: It's not hard to quantify
the number of notices that the bill would require, because the bill would
require at most one notice per program installed on a user's computer
that meets the definition of spyware in sections
(a) and (b) and doesn't fall under an exception in section
(5).
I agree that, in principle, excessive
disclosures can cause a problem -- can cause users to ignore all the disclosures
and "tune out." But to me this is an inadequate argument to
outweigh the overwhelming benefit of telling users what software on their
computer is going to do. If the software is going to transmit to a remote
server information about (for example) what web sites I visit, then the
software ought to tell me it's going to do that. Failure to tell users
what the programs will do isn't "for their own good" (e.g. to
avoid wasting their time) -- it's deceptive and misleading.
Ultimately, users will learn how to
interpret this information -- just as consumers learned to interpret the
nutritional information on food containers, or the ratings on movies.
In the transition, a few folks might get confused and decline the installation
of software that might be helpful. But for those programs that users really
"need" (as the letter mentions), it seems unlikely that
users won't take the time to read the disclosure, or perhaps jump past
the disclosure and just install the software anyway.
Note also that the bill requires that the disclosure
be written "in plain language," which
somewhat reduces users' difficulty in understanding what programs will
do.
Letter's concern: "Disadvantaging Local Businesses:
The bill would impair the ability of consumers to receive targeted advertisements
based on, for example, the location of the user. These kinds of advertisements
are extremely beneficial to small or regional companies that cannot afford
to purchase advertisements that are broadcast nationwide over the Internet.
Many of the companies that purchase these kinds of regional ads are located
in states such as Utah."
My reaction: This really seems like
a stretch to me. The bill only affects targeted advertisements that 1)
are context-triggered, 2) partially or wholly cover or obscure advertising
or other content on a web site, and 3) interfere with a user's ability
to view that web site (see prohibitions section).
In short, the only ads foreclosed by this legislation are context-driven
pop-ups. Pop-unders would still be fine. Offers that accumulate in an
off-screen listing (e.g. for a user's subsequent review) would be fine.
Offers that appear after a user exits a web site would be fine. Offers
that pop up but somehow avoid covering web content (e.g. they appear in
a toolbar that doesn't cover web content) would be fine. And of course
the bill does nothing to foreclose the many other ways that local businesses
can reach local consumers -- sponsored links on search engines, advertising
on relevant local web sites (e.g. local newspapers), opt-in newsletters,
etc.
Even if the bill hurt some advertisers, proper analysis
requires comparing that harm with the substantial benefits to consumers
-- e.g. that consumers would no longer be bombarded with context-triggered
pop-ups. It's well known that these pop-ups are much hated by most users
(see e.g. Bunnyfood
Universality White Paper) and have been estimated to cause substantial
economic harm to consumers (due to the time taken to close so many pop-ups)
(citation TBD).
Letter's concern: "Obstacle to Routine Uses of Internet
Software : The bill would make unlawful routine Webbased functions that consumers
are increasingly relying on to improve their productivity and use of the Internet.
The bill prevents the delivery of information that “partially or wholly covers”
an advertisement or other content of an Internet web site. This provision
would prohibit the delivery of a notice that a user has received a mail message
or a reminder of an upcoming appointment."
My reaction: I'm not sure what specifically
the first sentence has in mind ("routine Webbased [sic] functions"),
so I can't respond to that.
The second sentence makes two mistakes: First, the letter
misquotes the legislation: The bill does not prohibit the
delivery of "information" that "partially or
wholly covers" web content. Rather, it prohibits "advertisements"
that partially or wholly cover web content. Second, such advertisements
are only prohibited if they are triggered by the web address or web content
being visited. Notifications or advertisements triggered by anything other
than the web site being visited (e.g. triggered by receiving a new email
or an incoming instant message) are permitted. These errors in the letter
lead precisely to the mistaken conclusion in the third sentence above:
Because notifications of mail messages or upcoming appointments are not
advertisements, and because they're not triggered by the web site being
visited, such notifications are in no way prohibited by the bill.
Letter's concern: "Wasteful Litigation:
H.B. 323 risks creating many of the litigation problems caused by Utah’s spam
law. It contains strict liability and very large statutory damage bounties
($10,000 per incident of collection of even anonymous information, or per
advertisement) with treble damages for “knowing” violations without any cap
on awards. This would give plaintiffs’ lawyers incentives to file lawsuits
against innocent companies on behalf of websites or trademark owners. Honest
companies would be unable to get frivolous lawsuits dismissed because of subjective
standards in the bill, such as whether a company has provided a “method by
which a user may quickly and easily disable and remove” software from a user’s
computer in a way that does not impact the “non-affiliated” parts of a user’s
computer. These terms have no standard definition in the industry. The section
includes a provision for treble damages without any cap on awards. The result
would be a litigation bonanza."
My reaction: There is minimal risk of
wasteful litigation under this bill, because only a very few parties have
standing to sue. In the enforcement section,
notice that actions may only be brought by Internet web site owners, trademark
or copyright owners, or web site advertisers who are adversely affected
by a violation of the bill (lines 138-141).
Ordinary users would have no right to
sue. Instead, ordinary users may file reports of violations to the Division
of Consumer Protection. See the section entitled Duties
of Division.
The restriction of standing to web sites
-- as distinguished from users, individually or in classes -- reduces the
risk of frivolous suits. Certainly comparisons with Utah's spam law are
inapt for this reason.
The requirement that web sites demonstrate harm by violation
of the bill further reduces the risk of frivolous lawsuits. Suppose that
(say) a search engine toolbar collected and transmitted individual usage
data without the license agreement and uninstall provision that this bill
requires. This program might be in violation of the bill, by hypothesis.
But could an aggrieved web site operator sue the creators of the program?
I think not, because the web site wouldn't have been harmed by the usage
transmissions made by the toolbar. No adverse effect, no standing to sue.
This should be a straightforward issue to resolve, even at an early stage
of litigation -- there's just no colorable way a web site can say the
toolbar caused it injury.
Letter's concern: "Stifling Innovation:
The bill is so broad that it would severely impair the ability of our companies
to develop innovative and consumer-friendly technologies that have been at
the core of what has made the Internet such a dynamic medium."
My reaction: Certainly no one wants to kill the golden
goose that laid the Internet egg. But is it so serious to provide a license
agreement in plain language, and an uninstall routine? It's hardly obvious
how these requirements would "severely impair" anything.
Comments on Letter from the Center for Democracy and Technology
I have received a copy of a letter
(PDF) sent from Ari
Schwartz, Associate Director of the Center
for Democracy and Technology, to Governor Walker, asking her to veto the
bill. The letter offers three major concerns about the bill:
Letter's concern: "Drafting appropriate
notice and consent requirements for consumer software raises difficult definitional
issues. The definition of “spyware” in HB 323 may be both over- and under-
inclusive, negatively impacting many legitimate practices, while failing to
cover many of the worst offenders. These definitional questions are the subject
of ongoing discussions among industry groups, in federal regulatory bodies,
and in Congress. The Federal Trade Commission is holding a workshop in April
on “spyware” where it will be raising the question of “Defining and Understanding
Spyware.” CDT is currently leading discussions among consumer groups, ISPs,
consumer software companies, anti-spyware technology vendors, and advertising
companies regarding definitions relating to consumer software and spyware,
in preparation for the FTC’s workshop. We believe legislation is premature
before these efforts have resolved the definitional issues."
My reaction: Saying that the definition
of spyware "may" be underinclusive or overinclusive is
a content-less statement. Anything is possible. Is the definition in fact
underinclusive or overinclusive? CDT fails to offer even a single specific
example of a legitimate program that is prohibited by the bill. Neither
does CDT describe any illegitimate programs that the bill fails to prohibit.
It's hard to assess the merits of such vague claims -- and to say the
question will be discussed elsewhere, later, doesn't do anything to solve
the problems the bill actually takes on.
See also Ed
Felten's analysis in his Utah
Anti-Spyware Bill blog entry, concluding that "I have not seen
specific examples of legitimate software that would be affected."
Letter's concern: "The specific
requirements for presentation of notice in HB 323 are weak, and could set
a bad precedent for what constitutes acceptable notice for consumers. Many
“spyware” programs already provide nominal disclosure to consumers, hidden
in long and legalistic licensing agreements. These types of notice would appear
to fulfill the requirements of HB 323, although they fail to provide meaningful
notice or choice to consumers."
My reaction: Certainly the bill's notice
requirements are simple, namely the six requirements shown below (copied
from section (c) of the definition of spyware):
(i) obtain the consent of the user, at the time of, or after installation of the software but before the software does any of the actions described in Subsection (4)(b):
  (A) to a license agreement:
    (I) presented in full; and
    (II) written in plain language;
  (B) to a notice of the collection of each specific type of information to be transmitted as a result of the software installation;
  (C) to a clear and representative full-size example of each type of advertisement that may be delivered;
  (D) to a truthful statement of the frequency with which each type of advertisement may be delivered; and
  (E) for each type of advertisement delivered by the software, a clear description of a method by which a user may distinguish the advertisement by its appearance from an advertisement generated by other software services;
Are these requirements in fact "weak"?
It may sound weak to require that license agreements be presented in full
-- what a simple and minimal requirement! But of the spyware programs that
currently include license agreements, many only say "click here to
view license agreement" rather than actually showing users their license
agreements. The bill would at least prohibit this practice, guaranteeing
that users actually see the licenses under which their software operates.
As to the plain language requirement, I think this provision is actually
quite powerful in its elegance: If a program tries to trick users with complicated
language, it violates this requirement.
Interestingly, the worrisome example CDT offers in its
second sentence (disclosures "hidden in long and legalistic licensing
agreements") is precisely what the bill prohibits. If a disclosure
is hidden (not presented in full), it violates the full-presentation requirement
in (i)(A)(I) above. If a disclosure is legalistic, it's in violation of
the plain-language requirement, (i)(A)(II). Since this is the sort of situation
CDT says it is worried about, it's surprising that CDT doesn't endorse the
bill's approach, for the bill precisely speaks to and rules out the situation
CDT describes.
Letter's concern: "The bill offers
few enforcement provisions that can actually protect consumers. The bill does
not provide for a private right of action by consumers who are impacted by
the installation of “spyware,” nor does it allow the attorney general to take
action against offending companies. Since many of the companies involved in
the distribution of spyware are already committing fraud by deceiving consumers,
HB323 may actually have the unintended effect of confusing cases where individuals
or the attorney general can take action today."
My reaction: It's true that users can't
bring suit under the bill as drafted. Is that good or bad? Other critics
of this bill (and other legislation, like Utah's earlier anti-spam legislation)
worry that private rights of action could create excessive litigation.
So others would praise precisely this characteristic of the bill.
As to the attorney general bringing
suit, CDT staff may not be aware that an earlier version of the bill considered
precisely this approach. See first
draft of the bill, as posted to the Utah
State Legislature site. But public enforcement entailed costs to state
taxpayers: The Office of the Legislative Fiscal Analyst estimated that
$260,000+ would be required in each of FY2005 and 2006 in order to fund
investigators, attorneys, experts, and analysts. See fiscal
note. I gather it's for precisely this reason that Utah legislators
chose an alternative approach. Note that others would criticize the bill,
perhaps rightly, if it entailed an unfunded half-million dollar cost to
Utah taxpayers.
Consumers would benefit greatly from
the increased and improved disclosures and uninstall routines that would
result from this bill, and from the resulting reduction of pop-up ads.
So it's not correct to say that the bill offers few provisions that protect
consumers.
Certainly some spyware programs are
already committing fraud, and I share CDT's sense that more prosecutions
should be attempted under existing laws. But CDT's analysis fails to consider
that, of the cases brought to date against major spyware companies like Gator
and WhenU, approximately as many have failed as have prevailed. CDT's comment
suggests that it believes these companies' behavior should change, but since
current claims (based on existing law) fail to consistently constrain
these programs, new legislation seems to be required to address the harms
they cause.
CDT staff fail to mention, and seem to fail to consider,
the substantial benefit that results from suits by web sites that are
harmed by spyware: Suits will be relatively few (compared to a world of
many individual consumers bringing claims), but no public money need be
spent on enforcement. I gather it is precisely this elegant and desirable
result that caused Utah legislators to favor the approach that the bill
sets out.
It's not the case that spyware and adware (as defined in
the article: "software that tracks a consumer's online activities
and uses the data it collects to serve pop-up advertisements and other promotional
messages") are unambiguously "legal," as the article
states as fact in its fifth paragraph. One court has denied a preliminary
injunction against the makers of such software, on the grounds that plaintiffs'
suits hadn't met the high standard required for issuance of preliminary injunctions.
(See the Quicken Loans and Wells
Fargo case against WhenU.) One court has dismissed similar claims (U-Haul
v. WhenU). But two courts have granted preliminary injunctions on similar
facts: In Virginia, in a case brought in 2002 by the New
York Times, Washington Post,
Wall Street Journal, and others against Gator,
and in New York in a case brought by 1-800
Contacts against WhenU. All that's to say, the question of the legality
(under existing law) of the behaviors at issue is very much in question --
certainly not sufficiently settled that the author is correct to say "This
is legal as long as it is clearly stated to users ..."
My research indicates that it's not correct to say that
the bill passed "quickly" through the Utah state legislature.
See the official Bill
Status page at the Utah Legislature
site. Notice that the first draft of the bill was distributed on January 31,
but it wasn't until March 3 that the bill was passed by the Senate and received
its final vote in the House. Does a four and a half week lag constitute "quick"
passage? For comparison, the Utah Supplemental Appropriations Act (H.B.0001)
took two days less from introduction to final vote. (See its Bill
Status.) Other bills from the Utah Legislature's 2004
General Session seem to have taken roughly comparable time. So the absolute
time delay doesn't seem particularly unusual or noteworthy. Also, there's
plenty of evidence that the companies opposing this legislation had an opportunity
to influence it: I'm told that WhenU hired a lobbyist in Utah, and its president
met with the bill's sponsors. Other companies (including some signatories of
the letter (PDF) discussed
above) submitted detailed comments suggesting revisions to the bill. (Some
of these comments are available upon request by email.) All in all, I find
it hard to conclude that the bill was "quickly" passed. Opponents
of the bill may not like the substance of the outcome, but that doesn't mean
the procedure was improper.
Most importantly, the article simply misstates the contents
of the bill. Paragraph 10 of the article states that the bill prohibits "any
software that reports its users' online actions, sends personal data to other
companies, or serves pop-up ads without permission." This is at best
a simplification, and arguably an error. What the bill actually requires is
a license agreement meeting specified requirements (e.g. plain language and
full presentation), as well as an uninstall feature. See discussion in section
What Does the Bill Do?, above. "Permission" loosely
maps to the license agreement requirement, but imperfectly, and the article
completely omits discussion of the uninstall requirement.
More generally, I'm puzzled by the approach and tone taken
by this article. In paragraphs two and three, the article presents what critics
have said is wrong with the bill, but the article doesn't even attempt to explain
what the bill actually does until paragraph ten. Similarly, the article quotes
the president of WhenU extensively, in three different paragraphs, and it explains
the concerns of critics in two additional paragraphs. But nowhere does the article
quote or present the purported benefits of the bill as viewed by its
sponsor or by any of the hundred-odd legislators who voted for it. Admittedly the
article's inspiration is precisely the fact that major companies are criticizing
the bill -- that is, the article is about criticism, not about the bill itself.
But when critiquing a bill that's not widely known and that could well be misunderstood
or misportrayed by its critics, it seems puzzling to put criticism eight paragraphs
before the thing being criticized. Is this fair and unbiased reporting?
Contrary to paragraph eight of the article,
it's not the case that the bill was "rushed" through the Utah legislature.
Rather, it took roughly as long as other legislation passed this term. See
discussion in second bullet point of MediaDailyNews
analysis, above.
In paragraph ten, the article calls pop-ups
"competition" when they cover one site and "look
as if they were generated" by that site, but were in fact caused
by spyware at the request of a competing site. Is "competition"
a fair characterization of that activity? Perhaps a better description would
be "unfair competition" -- a legal claim that has been alleged in
similar cases by other targeted sites. Indeed, this behavior was found illegal
by a New York court, reviewing precisely these facts as to precisely these
sites. See preliminary
injunction order in 1-800 Contacts v. WhenU (PDF).
Since the behavior was illegal, per the court's decision, it seems out of
place to use the favorable word "competition" to describe what happened.
Paragraph twelve reports that critics of
the bill say it would weaken parents' ability to limit web content seen by
their children, by allegedly creating liability for makers of filtering software.
This claim is false -- no such liability would accrue. See discussion above,
explaining why Internet filtering software is not covered
by the bill.
Paragraph thirteen alleges that, if the
bill were law, law enforcement staff couldn't use certain monitoring techniques
to track criminals. This too is false. See law enforcement
discussion above, noting that sovereign immunity can only be waived by
specific government action to that effect, which certainly hasn't happened
here.
Paragraph fifteen alleges that spyware disclosures
would be "lengthy and confusing." In fact the bill expressly
requires that the disclosures be "written in plain language" (definition
of spyware, line 71). Programs would have to tell users what information
they will transmit -- and, presumably, why. This won't "clog up the screen";
rather, it will assure that users only go forward if they're in fact comfortable
with what their computers will be doing. Would it really be better for computers
to transmit user activities without telling users what will take place?
Paragraph sixteen alleges that there will
be many wasteful lawsuits. But the two examples the paragraph offers are both
mistaken. Even if one pop-up ad covered another, no one would be liable unless
the second ad was context-triggered -- displayed by a spyware program that
watches users' activities and shows advertising accordingly. Instant message
senders could never be liable for covering web content, because the bill only
imposes liability for covering web content when the covering material is triggered
by which web sites a user visits. An IM window, triggered by a user receiving
an IM communication rather than by any web site the user visited, wouldn't invoke
this section of the bill. See the definition
of context based triggering mechanism at line 41 (which doesn't include
pop-ups triggered by events other than websites accessed).
As a result of these errors, the conclusory
statements in paragraph eighteen are unfounded.
Paragraph twenty alleges that consumers
are protected from pop-up ads using toolbar pop-up blockers. The author apparently
has in mind tools like the Google
Toolbar, which can indeed block some pop-ups. But these programs block
only ordinary web site pop-ups -- windows that a web page itself asks the browser
to open; they can't and don't block the context-triggered pop-ups that are
precisely the subject of this legislation, which are displayed by separate software
installed on the user's PC rather than opened by the page being viewed.
So the availability of such tools does nothing to solve the problem addressed
by this bill. As to state laws that might be taken to restrict look-alike
pop-ups trying to steal sales, I share the author's sense that these laws
ought to be read to prohibit most or all context-triggered pop-up advertising,
but courts have not universally agreed. One of the benefits
of this bill would be precisely to clarify the legislature's position on this
subject, preventing courts from having to interpret more vague doctrines developed
long before this age of pop-up advertising.
Bohannon is wrong to allege, in paragraphs 22 and 23, that
only web sites would benefit from this bill. Users would receive fewer pop-up
ads, and would have the benefit of proper disclosures and uninstall routines
when installing software that transmits their personal information. These
are substantial benefits that shouldn't be ignored.
More generally, I'm puzzled and surprised to see such extensive
quotes of two critics of the bill (quoting them and their positions in a total
of nineteen paragraphs), while offering only four paragraphs of
discussion of the bill itself (namely paragraphs one through three and ten).
The article is all the more puzzling because it lacks any comments or quotes
from the legislators who sponsored or supported the bill, or the companies or
users that would benefit from it.
On March 19, the Deseret
News published an op-ed by Ryan Richards, vice president and deputy general
counsel of Novell, entitled 'Spyware'
bill would hurt Net use. My reading of this article is that it includes
at least half a dozen notable inaccuracies:
Paragraph two claims that the bill "would
have serious unintended consequences on everyday, legitimate activities"
but lists them only generally: "use of software that consumers depend
on to ensure a positive and safe experience in their shopping and e-commerce
transactions and tools that combat fraud and theft over the Internet."
From this description, at least, readers basically have to take Richards'
word for it -- it's hardly obvious what specific software would be affected
or how. What software do consumers install on their computers to ensure a
"positive and safe experience" when shopping online? It's
just not clear what Richards can have in mind here.
Paragraph four claims that the bill "could
potentially criminalize ... media players, anti-virus programs, Internet services,
e-mail programs, and networking software." This is a lot to cover
in a single sentence. Is it true? Recall from What does the
bill do?, above, that programs aren't spyware, even if they monitor
and transmit usage data, so long as they show suitable license agreements
and offer uninstall routines. It's a rare anti-virus program that lacks a
license agreement and can't be uninstalled. Same for networking software and
media players. As to e-mail programs and "Internet services,"
perhaps Richards is concerned that pop-up alerts ("You've got mail"
dialog boxes) might invoke the bill's restrictions on pop-up ads -- but here
too he'd be mistaken, for these alerts are not triggered by users' web browsing
activities, and those are the only pop-ups that the bill regulates.
Paragraph seven claims that if the bill
were law, Internet companies would be less likely to provide "interactive
seamless software that makes use of the Internet easy and engaging,"
and further claims that such programs would "have to bury consumers with
notices." But according to the bill's definition of
spyware, so long as the requisite notice is provided (presented in full,
in plain language) and an uninstall routine is offered, there's no reason for
software companies to worry about liability. It's hard to see how these small
requirements would affect companies' decisions to supply software. Would a
single notice requirement, shown only once for each program (when that program
is installed), "bury" users? I think not -- this is just a
single extra step in the process of installing software, and informing users
about what their new software will do is an important part of software installation
that shouldn't be omitted in the name of brevity.
Paragraph eight says the bill's definition
of spyware "includes" "fraud-preventing tools"
-- puzzling, since the rest of the article nowhere mentions a single fraud
preventing tool. The paragraph further accuses the notice requirements of
being "confusing." But is it confusing to say licenses must
be 1) presented in full, and 2) written in plain language? (See definition
of spyware.) Seems straightforward to me.
Paragraph nine alleges that the bill "contains
outright bans on common Internet advertising." It's true that the
bill bans pop-up advertisements that cover other web content, that are displayed
by software installed on users' PCs, and that appear according to users' web
activities. Is this "common"? It's a class of functionality
provided by a few programs, some of which have come to be installed on quite
a few users' PCs. But it's by no means mainstream -- it's the subject of extensive
litigation, and it's quite controversial.
As to paragraph nine's conclusory statement
that the definition of spyware is "extremely broad": That's
too general a claim, too duplicative with other claims in the article, to
call for further comments here.
Paragraph eleven claims that the bill would "deny[]
consumers accurate information" but neither mentions nor references
any specific provision of the bill alleged to cause this result. This is a
strong claim -- and it would be a compelling complaint were it true. But it's
just not true -- there's just no part of the bill that actually requires what
Richards alleges. It's telling that he wasn't more precise in his claim here.
My interest in spyware originally arose in part from a prior
consulting engagement in which I served as an expert to parties adverse to Gator
in litigation. See Washingtonpost.Newsweek
Interactive Company, LLC, et al. v. the Gator Corporation. More recently,
I have served as an expert or consultant to other parties adverse to spyware
companies in litigation or contemplated litigation.
Among my current clients is 1-800
Contacts, a company that was intensively targeted by WhenU pop-up ads. At
1-800 Contacts' suggestion, I've made myself available to interested Utah legislators
who sought more information about spyware.
This page is my own
work - created on my own, without approval by any client, without payment from
any client.