Imagine if Moses had come down from Mount Sinai not just with ten clear commandments, but with a list of all the different ways you could violate the Ten Commandments. The commandment against stealing would begin: “Thou shalt not engage in thieving practices in connection with any of the following conduct:” Then it would list all of the different ways things could be stolen. It couldn’t be printed on a stone tablet, of course. Moses would have had to carry Mount Sinai itself, plastered top to bottom with rules and regulations, just to get at all the different versions of stealing. It would all be quite bizarre.
But truth can be stranger than fiction. Anti‐spyware legislation now pending in the House of Representatives seems to have taken inspiration from Bizarro Moses and his Bizarro Ten Commandments.
“Spyware” is the amorphous term that describes a variety of bad software practices. The key section of the “SPY ACT,” intended to prevent them, doesn’t ban wrongful behavior in clear, general terms. Instead, it lists an array of deceptive practices relating to software which would be particularly illegal if the bill were to pass-“particularly” illegal, because they’re already illegal under basic anti‐fraud rules, laws against stealing, and anti‐trespass law, as well as various statutes dealing specifically with computer fraud.
Here’s what’s wrong with a statute that makes illegal stuff even more illegal this way: By definition, an innovation doesn’t fit into old categories and boxes. Under the SPY ACT, any new way to transmit and process information would not only have to comply with old rules against stealing (which is fine), it would have to be compared against descriptions of software based on old categories and boxes.
Some of the best innovations in software‐in everything, actually‐come from outside the system: from people who don’t have research budgets and certainly don’t have legal departments. And the ultimate uses and benefits of many innovations are not obvious from the outset, even to inventors themselves. So, faced with getting a new software process vetted against a federal statute like the SPY ACT, innovators are just as likely to give up as they are to hire lawyers to check over their work.
Established companies may have resigned themselves to flawed anti‐spyware legislation because they can absorb the costs. What these companies think doesn’t matter. The SPY ACT would not improve legal protections for consumers. It would deny consumers future life‐improving innovations from companies that don’t exist yet. And not just little innovations: potentially, innovations on the magnitude of hyper‐text markup language or peer‐to‐peer.
For the other major section of the SPY ACT, we leave the Old Testament and go to ancient Greece, where “hubris” was the term used to describe characters with exaggerated self‐confidence and a lack of humility. Because only hubris can explain legislators who believe that they can dictate the terms and timing of privacy notices that truly reach and benefit consumers.
But that is exactly what the SPY ACT does. It would mandate how terms of contracts between software providers and users are formed, including particular questions that must be posed to users at particular times. Federally mandated pop‐ups, if you will.
Congress has already failed dismally at dictating how privacy notices should look and when they should arrive. The Financial Services Modernization Act required the sending of billions of financial privacy notices, which topped off hundreds of millions of trash cans to serve a tiny minority of consumers.
In Greek law, “hubris” most often referred to drunken violence wreaked by aristocrats upon commoners. This is only too apt a description of what Congress would do if it passed anti‐spyware legislation that frustrated innovation and interfered so ham‐handedly with online contract formation. Commoners would bear the brunt of forgone innovations that would otherwise make their lives easier and more fun.
But the real kicker for the SPY ACT has no roots in the ancient world. It is the modern challenge to jurisdiction wrought by the Internet. The Internet is a global medium, which makes it very hard to find bad people, much less get control of them.
Purveyors of the worst spyware are no more likely to be found within the jurisdiction of the United States than they are anywhere else. Many are probably in foreign countries, and the rest are quite adept at masking their locations, identities, and activities. This makes law impotent. Congress cannot end spyware.
To illustrate: Ten months since the CAN-SPAM law passed, spam is only increasing. The best hopes for spam suppression are filtering services and sender verification built into the Internet and e‐mail protocols. Technical solutions are swarming over the spyware pathology, as well. Free anti‐spyware software is available and ISPs are taking aggressive steps to protect their customers.
If there is a saving grace for the SPY ACT, it may be the bill’s preemption of equally bad state law. Under current federal rules about state jurisdiction, states are able to haul into court some companies that do not affirmatively elect to sell their products in those states. That means a state like Utah can use its long‐arm rules to grab out‐of‐state software providers‐even ones that try to avoid doing business there. Until there’s an appropriate fix to long‐arm and choice‐of‐law rules, federal preemption of state software regulation might be justified.
Better, for now, that Congress should stay out of the spyware mess and work on rules about the structure of our governmental system. A simple, properly structured Commandment about state jurisdiction is needed much more than Bizarro federal spyware legislation.