Federal Spyware Legislation: Some Lessons from Antiquity


Good law speaks in clear, general terms. Here's an example:"Thou shalt not steal." It's short, sweet, and to the point. If youneed a further gloss, modern laws define stealing as takingsomething with the intent to permanently deprive the owner of it.This includes defrauding a person of money, labor, or property.

Imagine if Moses had come down from Mount Sinai not just withten clear commandments, but with a list of all the different waysyou could violate the Ten Commandments. The commandment againststealing would begin: "Thou shalt not engage in thieving practicesin connection with any of the following conduct:" Then it wouldlist all of the different ways things could be stolen. It couldn'tbe printed on a stone tablet, of course. Moses would have had tocarry Mount Sinai itself, plastered top to bottom with rules andregulations, just to get at all the different versions of stealing.It would all be quite bizarre.

But truth can be stranger than fiction. Anti-spyware legislationnow pending in the House of Representatives seems to have takeninspiration from Bizarro Moses and his Bizarro TenCommandments.

"Spyware" is the amorphous term that describes a variety of badsoftware practices. The key section of the "SPY ACT," intended to prevent them, doesn't banwrongful behavior in clear, general terms. Instead, it lists anarray of deceptive practices relating to software which would beparticularly illegal if the bill were to pass-"particularly"illegal, because they're already illegal under basic anti-fraudrules, laws against stealing, and anti-trespass law, as well as various statutes dealingspecifically with computer fraud.

Here's what's wrong with a statute that makes illegal stuff evenmore illegal this way: By definition, an innovation doesn't fitinto old categories and boxes. Under the SPY ACT, any new way totransmit and process information would not only have to comply withold rules against stealing (which is fine), it would have to becompared against descriptions of software based on old categoriesand boxes.

Some of the best innovations in software-in everything,actually-come from outside the system: from people who don't haveresearch budgets and certainly don't have legal departments. Andthe ultimate uses and benefits of many innovations are not obviousfrom the outset, even to inventors themselves. So, faced withgetting a new software process vetted against a federal statutelike the SPY ACT, innovators are just as likely to give up as theyare to hire lawyers to check over their work.

Established companies may have resigned themselves to flawedanti-spyware legislation because they can absorb the costs. Whatthese companies think doesn't matter. The SPY ACT would not improvelegal protections for consumers. It would deny consumers futurelife-improving innovations from companies that don't exist yet. Andnot just little innovations: potentially, innovations on themagnitude of hyper-text markup language or peer-to-peer.

For the other major section of the SPY ACT, we leave the OldTestament and go to ancient Greece, where "hubris" was the termused to describe characters with exaggerated self-confidence and alack of humility. Because only hubris can explain legislators whobelieve that they can dictate the terms and timing of privacynotices that truly reach and benefit consumers.

But that is exactly what the SPY ACT does. It would mandate howterms of contracts between software providers and users are formed,including particular questions that must be posed to users atparticular times. Federally mandated pop-ups, if you will.

Congress has already failed dismally at dictating how privacynotices should look and when they should arrive. The FinancialServices Modernization Act required the sending of billions offinancial privacy notices, which topped off hundreds of millions oftrash cans to serve a tiny minority of consumers.

In Greek law, "hubris" most often referred to drunken violencewreaked by aristocrats upon commoners. This is only too apt adescription of what Congress would do if it passed anti-spywarelegislation that frustrated innovation and interfered soham-handedly with online contract formation. Commoners would bearthe brunt of forgone innovations that would otherwise make theirlives easier and more fun.

But the real kicker for the SPY ACT has no roots in the ancientworld. It is the modern challenge to jurisdiction wrought by theInternet. The Internet is a global medium, which makes it very hardto find bad people, much less get control of them.

Purveyors of the worst spyware are no more likely to be foundwithin the jurisdiction of the United States than they are anywhereelse. Many are probably in foreign countries, and the rest arequite adept at masking their locations, identities, and activities.This makes law impotent. Congress cannot end spyware.

To illustrate: Ten months since the CAN-SPAM law passed, spam isonly increasing. The best hopes for spam suppression are filteringservices and sender verification built into the Internet and e-mailprotocols. Technical solutions are swarming over the spywarepathology, as well. Free anti-spyware software is available andISPs are taking aggressive steps to protect their customers.

If there is a saving grace for the SPY ACT, it may be the bill'spreemption of equally bad state law. Under current federal rulesabout state jurisdiction, states are able to haul into court somecompanies that do not affirmatively elect to sell their products inthose states. That means a state like Utah can use its long-armrules to grab out-of-state software providers-even ones that try toavoid doing business there. Until there's an appropriate fix tolong-arm and choice-of-law rules, federal preemption of statesoftware regulation might be justified.

Better, for now, that Congress should stay out of the spywaremess and work on rules about thestructure of our governmental system. A simple, properlystructured Commandment about state jurisdiction is needed much morethan Bizarro federal spyware legislation.