A Close Reading of Utah's Spyware Control Act
Benjamin Edelman - Spyware Research, Legislation, and Suits


Background

In recent years, users have come to face a growing array of software that gets installed on their computers, often without their knowledge, consent, and/or informed consent, and performs functions users dislike, often including tracking or transmitting personal information, or displaying targeted advertisements. These behaviors have been the subject of extensive litigation, and more recently of multiple pieces of proposed legislation. (Proposed federal legislation includes Rep. Mary Bono's Safeguard Against Privacy Invasions Act, as well as Sen. Conrad Burns' and Sen. Ron Wyden's Software Principles Yielding Better Levels of Consumer Knowledge. See full legislation listing.)

The state of Utah has also proposed legislation to address the problem of spyware, namely the Spyware Control Act (H.B.323). As discussed in the Disclosures section, I've had the opportunity to speak with Utah legislators on the subject of this legislation, including reviewing proposed wording and even making some suggestions. I've concluded that the bill would make good law -- would address and begin to correct some serious problems facing consumers, and would do so without serious damage to other important interests.

As the bill moved through Utah's legislative process, I wasn't surprised to see criticism from the companies that would most obviously be subject to this bill's requirements: Companies like Gator and WhenU seem to stand only to lose if laws come to constrain the way they can install their software on users' PCs, or what their software can do once installed. But I've been quite surprised to see concerns from big, well-established, mainstream Internet companies -- AOL, Amazon, Google, Microsoft, Yahoo, and a dozen others -- whose programs and practices, in my view, are far from what the Utah bill speaks to. (See e.g. a letter (PDF) from these companies and others to sponsors of the bill, voicing their opposition.) I've also been surprised to read articles like Leading Internet Providers Oppose Passage of Spyware Control Act and Spyware Act Has Detractors. Both the letter and the news coverage seem to misunderstand the bill -- overstating its effects and its scope, and failing to recognize major checks present within the bill's text, that prevent the bill from having the negative effects alleged.

I've concluded that some readers may be misunderstanding portions of the bill or for whatever reason overstating the bill's effects. With that in mind, this document attempts to offer a close reading of the bill -- going through its major provisions, line by line, to understand how they fit together. I've then added answers -- my answers, at least -- to some questions that have already arisen, often repeatedly, e.g. in Slashdot discussion. Throughout, I've tried to maintain a light conversational tone -- I see no need to be overly formal or dry when discussing this important but sometimes complicated subject.

Is this document perfect? No, quite the contrary. For one, it's a work in progress -- subject to revision whenever I find points I can explain more clearly, and whenever I find and take the time to update it. For another, I readily admit to having written it in a hurry -- it was inspired by reading Leading Internet Providers Oppose Passage of Spyware Control Act (which I only received on Monday afternoon, March 15) and the associated Slashdot discussion, and I posted this document (in its earliest draft form) a mere six hours after first reading these materials. So please send comments and suggestions to me, Ben Edelman (email).

Update (March 23): Governor Olene Walker signed the bill today.

Update (April 13): WhenU has filed suit seeking that the act be declared void and invalid. See case documents, WhenU.com, Inc., v. The State of Utah.

 


What Does the Bill Do?

The prohibitions section gives the bill's main requirements:

             123          (1) A person may not:
             124                 (a) install spyware on another person's computer;
             125                 (b) cause spyware to be installed on another person's computer; or
             126                 (c) use a context based triggering mechanism to display an advertisement that partially
             127                 or wholly covers or obscures paid advertising or other content on an Internet website in a way
             128                 that interferes with a user's ability to view the Internet website.

Provisions (a) and (b) seem pretty straightforward - at least if you know what spyware means. For guidance there, we turn to the bill's definition of spyware. The definition is sufficiently detailed that it would be unwieldy if copied here verbatim. I've struggled to find a way to helpfully depict its hierarchical structure -- the way its many embedded requirements fit together. Having tried a few alternatives, I think the following diagram might be helpful to at least some readers: The bill takes the following structure (wording simplified for brevity):

Spyware is software that

(a) monitors the computer's usage

AND

(b) (i) sends information about the computer's usage to a remote computer

      OR

    (ii) displays advertisements in response to the computer's usage, if the ads
        - don't identify who delivered them
          OR
        - use federal trademarks as a trigger for ad display (except by trademark owner, licensee, or search engine)
          OR
        - use a trigger mechanism to display ads according to websites accessed

AND

(c) does not obtain user's consent to a license agreement
        - presented in full, written in plain language
        - with notice of specific information to be transmitted
        - with examples of ads
        - with statement of ad frequency
          AND
        - with explanation of how to distinguish its ads from others

    AND does not provide an uninstall routine that
        - is quick and easy
        - has no other effects on unrelated parts of user's computer
          AND
        - uses obvious, standard methods

Then, even programs that satisfy these conditions still aren't spyware if they're within the carve-outs in section (5): The bill specifically excludes from its definition of spyware programs that are designed and installed solely to diagnose or resolve technical problems; that solely report information previously stored on the user's computer (e.g. cookies, or HTML code, JavaScript used in this capacity); and operating systems.

That covers provisions (a) and (b) of the prohibitions section. What about (c)?

             123          (1) A person may not:
                              ...
             126                 (c) use a context based triggering mechanism to display an advertisement that partially
             127                 or wholly covers or obscures paid advertising or other content on an Internet website in a way
             128                 that interferes with a user's ability to view the Internet website.

So we now turn to the definition of context based triggering mechanisms.

             41          (1) "Context based triggering mechanism" means a software based trigger or program
             42           residing on a consumer's computer that displays an advertisement according to:
             43                   (a) the current Internet website accessed by a user; or
             44                   (b) the contents or characteristics of the current Internet website accessed by a user.

Together, these clauses prohibit programs from showing advertisements according to what web sites a user visits, if those advertisements cover other web sites and interfere with the user's use of those other web sites.

Want to see how the pieces fit together in a more concrete way? Read on to Does the Bill Prohibit ... ?, below.

 


Does the Bill Prohibit ... ?

Recall that I began to draft this page in response to complaints -- and attempts to block the bill -- from folks apparently concerned that the bill would interfere with ordinary, legitimate activities. In principle that's a reasonable concern -- certainly legislation can be drafted in a way that's overbroad and that prohibits behavior that even drafters consider unobjectionable. So let's see whether this bill in fact prohibits ordinary, legitimate activities. Some examples to think about --

What kinds of software does the bill actually prohibit? For one, software that transmits usage information (as defined in the bill) without first disclosing the fact of such transmissions. For another, software that makes such transmissions without a proper uninstall routine.

So, sure enough, the bill prohibits any virus definition updates or search engine toolbars or other programs that transmit usage data (like what web sites users visit) or can't be uninstalled easily. Is this good or bad? I think it's good -- programs that transmit usage data ought to tell users what they're doing and let users change their mind later even if they accept initially. As among (for example) anti-virus programs, I don't think there are many violators of these basic rules. But any programs that send this data without telling users are already pushing the boundaries of legitimacy. Recall the lawsuit against RealNetworks when its software transmitted information about users' listening habits, without disclosing the fact of such transmissions in its privacy policy or license agreement.

 


Comments on Letter from AOL et al.

I have received a letter (PDF) sent to sponsors of the bill, co-signed by AOL, Amazon, the Association for Competitive Technology, AT&T, the American Electronics Association, the Business Software Alliance, c|net, the Computer & Communication Industry Association, eBay, Google, the Information Technology Association of America, the Internet Commerce Coalition, Intraware, MCI, Microsoft, NetCoalition, Novell, Orbitz, the Software & Information Industry Association, Verizon, and Yahoo! These companies all express concerns about the bill as drafted, and I'm told that they've subsequently asked the governor to veto it.

It's hard not to be impressed -- indeed, overwhelmed! -- by so large a list of signators. But I nonetheless want to take a close look at the specific concerns offered in their letter, with reference to the actual provisions of the bill itself. The letter offers seven distinct problems with the bill as it stands:

 


Comments on Letter from the Center for Democracy and Technology

I have received a copy of a letter (PDF) sent from Ari Schwartz, Associate Director of the Center for Democracy and Technology, to Governor Walker, asking her to veto the bill. The letter offers three major concerns about the bill:

     (i) obtain the consent of the user, at the time of, or after installation of the software but before the
     software does any of the actions described in Subsection (4)(b);
         (A) to a license agreement:
             (I) presented in full; and
             (II) written in plain language;
         (B) to a notice of the collection of each specific type of information to be transmitted
         as a result of the software installation;
         (C) to a clear and representative full-size example of each type of advertisement that
         may be delivered;
         (D) to a truthful statement of the frequency with which each type of advertisement may
         be delivered; and
         (E) for each type of advertisement delivered by the software, a clear description of a
         method by which a user may distinguish the advertisement by its appearance from an
         advertisement generated by other software services;

 

 


Comments on MediaDailyNews Article

On March 15, Ross Fadner of the MediaDailyNews published Leading Internet Providers Oppose Passage of Spyware Control Act. My reading of this article is that it includes several notable inaccuracies:

More generally, I'm puzzled by the approach and tone taken by this article. In paragraphs two and three, the article presents what critics have said is wrong with the bill, but the article doesn't even attempt to explain what the bill actually does until paragraph ten. Similarly, the article quotes the president of WhenU extensively, in three different paragraphs, and it explains the concerns of critics in two additional paragraphs. But nowhere does the article quote or present the purported benefits of the bill as viewed by any of its sponsors or any of the hundred-odd legislators who voted for it. Admittedly the article's inspiration is precisely the fact that major companies are criticizing the bill -- that is, the article is about criticism, not about the bill itself. But when critiquing a bill that's not widely known and that could well be misunderstood or misportrayed by its critics, it seems puzzling to put criticism eight paragraphs before the thing being criticized. Is this fair and unbiased reporting?

 


Comments on Deseret News Article

On March 15, Brian Wallace of the Deseret News published Spyware Act Has Detractors. My reading of this article is that it includes at least eight notable inaccuracies:

More generally, I'm puzzled and surprised to see such extensive quotes of two critics of the bill (quoting them and their positions in a total of nineteen paragraphs), while offering only four paragraphs of discussion of the bill itself (namely paragraphs one through three and ten). The article is all the more puzzling because it lacks any comments or quotes from the legislators who sponsored or supported the bill, or the companies or users that would benefit from it.

 


Comments on Richards Op-Ed

On March 19, the Deseret News published an op-ed by Ryan Richards, vice president and deputy general counsel of Novell, entitled 'Spyware' bill would hurt Net use. My reading of this article is that it includes at least half a dozen notable inaccuracies:

 


Related Links

This section attempts to provide links to other web sites with critical analysis of the bill:

 


Disclosures

My interest in spyware originally arose in part from a prior consulting engagement in which I served as an expert to parties adverse to Gator in litigation. See Washingtonpost.Newsweek Interactive Company, LLC, et al. v. the Gator Corporation. More recently, I have served as an expert or consultant to other parties adverse to spyware companies in litigation or contemplated litigation.

Among my current clients is 1-800 Contacts, a company that was intensively targeted by WhenU pop-up ads. At 1-800 Contacts' suggestion, I've made myself available to interested Utah legislators who sought more information about spyware.

This page is my own work - created on my own, without approval by any client, without payment from any client.


Last Updated: May 12, 2004