Privacy Rights Clearinghouse
Update, September 29, 2004. California Governor Schwarzenegger signed SB 1436 into law today, ignoring the advice of technology experts and consumer advocates to veto it.
The Honorable Arnold Schwarzenegger
Governor of California
State Capitol Building
Sacramento, CA 95814
RE: Recommendation to Veto SB 1436, Spyware
Dear Governor Schwarzenegger:
The California-based Privacy Rights Clearinghouse and the World Privacy Forum urge you to veto SB 1436, a bill dealing with spyware, authored by Senator Kevin Murray. In its earlier versions, this bill addressed spyware in a constructive way, and we chose to not get involved at that time because it appeared to be going in the right direction.
However, late in the legislative session in August, the author accepted several amendments from industry that in our estimation remove meaningful privacy and consumer protections. Because these changes occurred so late in the session, we were not able to express our concerns in committee hearings before the bill was sent to the Assembly floor.
While this bill is well-intentioned, it would establish provisions that are virtually unenforceable, could well undermine existing law, and further, would set a bad precedent nationwide for other spyware bills that are likely to be considered in other states and in Congress.
Attached is an analysis of the spyware issue that discusses the shortcomings of SB 1436 in detail. The analysis was prepared by Pam Dixon of the World Privacy Forum, in collaboration with the Privacy Rights Clearinghouse. To summarize our concerns:
- To implement SB 1436 into law might well prove to be worse than enacting no spyware law at all. Because SB 1436 sets such high standards regarding actual knowledge, conscious avoidance of knowledge, or willfulness, as explained in the next point, existing statutes to protect privacy and prohibit deceptive practices may well be undermined. Thus, an unintended consequence of SB 1436 could be the weakening of laws already on the books.
- SB 1436 generously applies the terms “intent to deceive,” “intentionally deceptive,” and “intentionally misleading” throughout the bill as modifiers prior to its descriptions of banned bad behavior. Unfortunately, proving intent is extremely difficult and raises the bar very high for litigation. These provisions in SB 1436 make it virtually unenforceable.
California should not be putting a law on the books that does not constructively address the core issues regarding spyware. Further, given that members of Congress and legislators in other states are likely to point to SB 1436 as a model for their spyware legislation, we certainly do not want an ineffective, and perhaps even worse, a harmful law on the books.
- During the negotiations for SB 1436, we are told the parties discussed two approaches to dealing with spyware legislatively – notice versus behavior. They ultimately decided that it’s better to prohibit bad behavior rather than require notice/consent, which they felt was an unrealistic approach. We do not see this issue as an “either-or.”
The attached analysis stresses the importance of basing spyware legislation on the OECD “fair information principles” of notice, consent, and purpose specification, as well as other principles such as collection limitation and access. The final version of SB 1436 lacks these important provisions, although earlier in the process it included notice, consent, and purpose specification. We do not believe that any spyware legislation should be enacted that is devoid of the fair information practices.
The following points illustrate SB 1436’s shortcomings regarding the legislative approach of banning bad behavior:
- SB 1436 is quite narrow in its conception of the types of behavior it classifies as bad. There are about 1,000 types of known spyware. We are concerned that SB 1436, by dealing with only a few types of spyware, will enable the majority of spyware to continue to be disseminated legally.
- Another provision in the bill that we believe is too narrow is the definition of virus – as software code that acts to degrade a computer’s performance and replicate itself. Yet there are thousands of actions of viruses that can harm computers by doing neither self-replication nor degrading system performance. In being overly narrow, SB 1436 has overlooked many types of viruses.
To conclude, spyware is a devilishly difficult issue to legislate. Rather than enact a bill that does not adequately address the problems inherent in spyware, and rather than implement a law that is virtually unenforceable, we urge you to veto this bill.
Because California is often regarded as the bellwether state regarding consumer and privacy protection laws, other states and Congress will likely view SB 1436 as a model. As such, SB 1436 will have the unintended effect of thwarting the development of more constructive approaches to tackling the problem of spyware.
All in all, SB 1436 is a step backward. It sets a bad precedent and may indeed have the unintended effect of weakening existing laws. For these reasons, we strongly urge you to veto SB 1436.
Thank you for your consideration.
Pam Dixon, Executive Director
World Privacy Forum
Beth Givens, Director
Privacy Rights Clearinghouse
Cc: Senator Kevin Murray
Mike Yang, Senate Judiciary Committee
Joanne McNabb, Calif. Office of Privacy Protection
Lenny Goldberg & Assoc.