On March 15, 2007, the House Subcommittee on Commerce, Trade and Consumer Protection held a hearing to consider H.R. 964, the Securely Protect Yourself Against Cyber Trespass Act (“SPY Act”) and testimony from the Direct Marketing Association, Inc. (“DMA”), Interactive Advertising Bureau, Center for Democracy and Technology, TRUSTe, and Zango, Inc. The witnesses generally supported the legislation’s purpose, but expressed reservations that Sections 3 and 5 of the bill could have unintended consequences on legitimate businesses. While receptive to the concerns presented by the witnesses, the subcommittee members were clear that legislation is necessary to stop the proliferation of spyware, and stated that they expect the bill to move quickly through the Committee.

H.R. 964 is intended to protect consumers from unknowingly transferring personally identifiable information through spyware programs surreptitiously loaded onto consumers’ personal computers. Specifically, this bipartisan legislation would require that consumers be given notice and provide consent before software that collects personally identifiable information could be downloaded to a consumer’s personal computer.

While stating support for the intentions of the bill, Jerry Cerasale of DMA expressed concern that the legislation would have unintended consequences on legitimate marketing practices and undermine the effectiveness of fraud prevention tools. He explained that there is no silver-bullet technology, industry practice, or legislation that will address spyware because spyware technology and illegitimate practices will continue to outpace legislation and anti-spyware practices. As Fran Maier of TRUSTe explained, there are good actors and bad actors; there is no perfect solution.

Mr. Cerasale also expressed concern that the legislation would have unintended consequences for fraud detection software. He explained that the current bill would extend immunity to specified entities (i.e., telecommunications carriers, cable operators, and computer hardware or software providers) that undertake monitoring for purposes including security and fraud detection and prevention. This immunity should be broadened to include financial institutions, online retailers, and those entities providing services on their behalf. He is concerned that excluding these service providers from an immunity protection would isolate their anti-fraud tools, which would undermine the overall security of online transactions.

The bill’s provision to require a Federal Trade Commission report on cookies and the use of cookies in general were widely discussed at the hearing. Witnesses expressed concern that the definition of “information collection program” would implicate legitimate uses of technology by imposing unnecessary notice and consent requirements for the use of certain web tools, such as cookie-like technologies. These passive tools (i.e. javascript, html, and web beacons) are unlike the programs used in spyware, but would be treated in the same manner under the legislation. Restraining the use of such technologies would severely inhibit online marketing and advertising practices.