US Congress sets $3m fines for spyware

A US House subcommittee has approved a spyware bill that would allow fines up to $3m (£1.6m) for collecting personal information,...

A US House subcommittee has approved a spyware bill that would allow fines up to $3m (£1.6m) for collecting personal information, diverting browsers and delivering some pop-up advertisements to computer users without their consent.

The Securely Protect Yourself Against Cyber Trespass (Spy Act) bill also requires software that collects the personal information of computer users to notify the users of its installation, to get the users' consent before installation, and to provide users with easy uninstall options.

Spy Act was approved by the House Subcommittee on Commerce, Trade and Consumer Protection as an amendment to a spyware bill introduced last year.

The amendment is an attempt to outlaw bad actions without outlawing technologies similar to spyware that have legitimate uses, such as parental monitoring software or anti-virus software.

The early version of the bill called the Safeguard Against Privacy Invasions Act, defined all computer programs that transmit information without action from the user as spyware. But that raised objections from several IT suppliers, including anti-virus companies.

A later draft of the bill, which authorised the US Federal Trade Commission to create rules for spyware notice and consent, included several exceptions, including parental control software, anti-virus software and software that scans for licence compliance.

The amendment now allows fines of up to $3m for actions unauthorised by a computer's owner, including hijacking browsers, changing a browser's default home page, changing the security settings of a computer, logging keystrokes, and delivering advertisements that the computer user cannot close without turning off the computer or closing all sessions of the browser.

The bill requires computer users be notified and be allowed to give consent before software that collects and transmits personal information is installed on their computers. But the notice provision in the bill may not be strong enough, said Ari Schwartz, associate director of the Center for Democracy and Technology.

Although the bill requires the spyware notice be "distinguished" from other notices, the spyware notice could end up buried at the end of a lengthy end-user licence agreement, Schwartz said.

"Then we end up where we are now," he said. "Can we do a notice provision that won't confuse consumers more?"

The bill is expected to pass through the full House Energy and Commerce Committee.

"We are one step closer to restoring safety, confidence and control to consumers when using their own computers," she said.

Grant Gross writes for IDG News Service

Read more on IT legislation and regulation