Spyware: Legislative Responses
Jody Blanke
Mercer University
ALSB, Ottawa
August 20, 2004

Background
• Floppy disks
• Hard drives
• Modems
• Prodigy
• Cookies
• Spam
• Spyware and adware

What is Spyware?
• FTC definition – “software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer’s consent, or asserts control over a computer without the consumer’s knowledge”
• Spyware
• Adware
• Hijacker
• Trojan
• Keystroke logger
• Browser helper object (BHO)

Federal Legislation
• SPYACT (H.R. 2929)
• Section 2: Prohibits “deceptive acts and practices”
  • Taking control of computer by diverting browser or delivering ads that cannot be closed
  • Modifying settings for default home page or bookmarks
  • Collecting PII with keystroke logger
  • Inducing installation or preventing efforts to block installation
  • Inducing installation by misrepresenting identity of software
  • Removing or disabling anti-virus or anti-spyware technology

SPYACT (H.R. 2929)
• Section 3: Prohibits “collection of certain information without notice and consent”
• Opt-in requirement
• Notice, consent and functions
• Information collection program
  • Collects PII and sends it or uses it to display advertising
• Notice and consent
  • Notice must be clear, conspicuous and in plain language
  • “This program will collect and transmit information about you. Do you accept?”
  • Change in information collected requires new notice
• Required functions
  • Disabling function
  • Identity function

SPYACT (H.R. 2929)
• Personally identifiable information
  • First and last name of an individual.
  • A home or other physical address of an individual, including street name, name of a city or town, and zip code.
  • An electronic mail address.
  • A telephone number.
  • A social security number, tax identification number, passport number, driver's license number, or any other government-issued identification number.
  • A credit card number.
  • An account number.
  • Any access code or password, other than an access code or password transmitted by an owner or authorized user of a protected computer to register for, or log onto, a Web page or other Internet service that is protected by an access code or password.
  • Date of birth, birth certificate number, or place of birth of an individual, except in the case of a date of birth required by law to be transmitted or collected

SPYACT (H.R. 2929)
• Enforcement by FTC
• Civil penalties for violation of Section 2: $11,000 (or $1M)
• Section 3: $33,000 (or $3M)
• Act would preempt state law
  • Deceptive conduct à la Section 2
  • Transmission of programs similar to Section 3
  • Use of context-based triggering mechanisms to display ads
• Act would not preempt state law
  • Trespass
  • Contract
  • Tort
  • Relating to acts of fraud

SPY BLOCK Act (S. 2145)
• Section 2: Unauthorized Installation of Computer Software
• Software cannot be installed unless
  • The user has received notice that satisfies the requirements of Section 3
  • The user has granted consent that satisfies the requirements of Section 3
  • The software’s uninstall procedures satisfy the requirements of Section 3
• “Red herring” prohibition
  • Bans installation of software designed to confuse or mislead the user as to the identity of the software

SPY BLOCK Act (S. 2145)
• Section 3: Notice, Consent and Uninstall Requirements
• Notice must be clear and remain on screen until user grants or denies consent
• Additional separate disclosures for:
  • An “information collection feature”
  • An “advertising feature”
  • A “distributed computing feature”
  • A “settings modification feature”
• There must be a “clear description” of how to turn off a feature or uninstall the software
• There must be consent to installation of the software, plus “affirmative consent” to each of the four features

SPY BLOCK Act (S. 2145)
• Section 3: Notice, Consent and Uninstall Requirements
• Uninstall procedures require that software shall
  • Appear in “Add/Remove Programs” menu of operating system
  • Be capable of being removed completely using normal procedures
  • For advertising feature, shall have an easily identifiable link that will inform the user how to turn off the feature or uninstall the software

SPY BLOCK Act (S. 2145)
• Enforcement by FTC
• Enforcement by state attorneys general, who may seek to
  • Enjoin prohibited practices
  • Enforce compliance
  • Obtain damages, restitution or other compensation

Computer Software Privacy and Control Act (H.R. 4255)
• Prohibits “unfair and deceptive acts and practices in the transmission of computer software”
• Unlawful to transmit software that
  • Collects personal information and transmits it
  • Monitors the web pages accessed by the user and transmits that information
  • Modifies default settings like browser home page
• unless appropriate notice is given and appropriate consent obtained, and unless the software contains a removal utility
• Unlawful to transmit software that displays advertising unless appropriate notice is given and appropriate consent obtained, and unless the software contains a removal utility

Computer Software Privacy and Control Act (H.R. 4255)
• Enforcement by FTC
• Enforcement by state attorneys general, who may seek to
  • Enjoin prohibited practices
  • Enforce compliance
  • Obtain damages, restitution or other compensation
• Act would preempt state law that expressly regulates the transmission of computer software similar to that described in Section 3
• Act would create a criminal offense

I-SPY Act (H.R. 4661)
• Would establish two new criminal offenses within Section 1030(a) of Title 18

State Legislation
• Utah
  • Enacted Spyware Control Act on March 23, 2004
  • Basic prohibitions against
    • Installing spyware
    • Causing spyware to be installed
    • Using a context-based triggering mechanism to display advertising
  • But, extremely complex definition of “spyware”
  • Court issued preliminary injunction enjoining enforcement of law despite finding challenge regarding “spyware” lacking

• California
  • 2 comprehensive bills would prohibit the downloading of software onto a computer in California without the user’s knowledge and consent
• Iowa
  • Bill would create criminal misdemeanor offense of unauthorized collection and disclosure of personal information by computer, as well as civil cause of action by AG
• Michigan
  • Bill would establish criminal offense for installing or attempting to install spyware

• New York
  • Bill would establish the crime of unlawful dissemination of spyware
• Pennsylvania
  • Bill modeled after early California bill would create the crime of misuse of adware or spyware
• Virginia
  • Bill would require public bodies to conduct privacy impact analyses whenever authorizing or prohibiting the use of “invasive technologies,” such as spyware, hidden cameras, tracking systems, and facial recognition systems