Spyware rivals spam as the top gripe of PC owners, but a bill that aims to crack down on the sneaky programs could make them more common, consumer and privacy advocates warned Friday.
The groups are urging Gov. Arnold Schwarzenegger to veto the bill, saying it contains loopholes that could make it easier for unscrupulous programmers to legally install their wares on the hard drives of unsuspecting computer users.
“The bottom line is that it undermines current privacy protections in the law,” said Valerie Small Navarro of the American Civil Liberties Union.
The term “spyware” encompasses a wide variety of unwanted programs that are often installed secretly when users download screen savers and other seemingly innocuous software.
Some spyware is designed to track where computer users go on the Web. Other programs take control of Internet browsers. Even more insidious versions record computer users’ keystrokes to capture passwords and financial information.
SB 1436 initially would have required spyware distributors to tell computer users exactly what they were installing and get their consent first. But lobbying efforts by Dell Inc., Amazon.com Inc. and other blue-chip tech firms led to a series of amendments that turned former supporters of the bill against it.
The rewritten bill passed both chambers of the Legislature and has gone to Schwarzenegger, who has until Sept. 30 to sign it, veto it or let it become law automatically. He has taken no position on the legislation.
Staffers who worked on the bill said they had to accept a series of compromises with technology industry lobbyists to get it through the Assembly Business and Professions Committee.
Silicon Valley trade group TechNet said the original bill might have complicated the work of many legitimate firms, such as those that copy computer viruses from home PCs to study them.
“You don’t want the functioning of the security services to be inadvertently affected by broad notice and consent requirements,” said TechNet general counsel Jim Hawley.
Bill author Sen. Kevin Murray (D-Culver City) said the legislation still took a “significant step forward” on a difficult issue.
“It gets rid of what we thought were the most egregious forms of spyware,” Murray said.
But the ACLU and two privacy groups this week asked Schwarzenegger to veto the bill anyway. They worry that some spyware companies could argue that the new bill supersedes broad prohibitions on deceptive business practices enshrined in current law.
Instead of forcing greater disclosure whenever computerized information is automatically transmitted, as the original bill did, the legislation now prohibits a set of specific behaviors, including the surreptitious taking of passwords and Web-browsing history. Other provisions were changed to bar “intentionally deceptive” acts; the civil liberties groups say intent is hard to prove.
The amendments also did away with financial penalties to punish misconduct.
“The lack of penalties is, to us, a problem,” said Ari Schwartz, associate director of the Center for Democracy & Technology in Washington, a civil liberties group that gets funding from charitable foundations and some technology companies.
Schwartz said the final bill’s protections for certain kinds of data collected in specific ways also could create new loopholes. “People are just going to start collecting information in ways that get around the definition,” he said.
Schwartz and others said consumers might benefit more from legislation pending in Congress that could bar more types of spyware. One of the bills would impose criminal penalties of as much as five years in prison for the worst violations.
Consumers also would benefit from greater enforcement of existing rules by the U.S. Federal Trade Commission and an overarching federal computer privacy law dealing with more than just spyware, Schwartz said.