Wed, 05 Jan 2005

The California Spyware Law

An article in the LA Times on New Year's Day caught my eye: California has an anti-spyware law going into effect as of January 1. The Times was rather sketchy on what constitutes spyware, though they did say that there were no actual penalties under the law, merely that the law makes it possible to sue a company for installing spyware (whatever that's defined to be).

I've seen it covered in other publications now as well, and every article I read defines spyware differently, without mentioning how the actual law defines it (which you might think would be somewhat relevant). Nor do any of them provide, or link to, the text of the law, or its number in the CA code.

It turns out the bill was SB 1436, with a history here: and here is the text of the bill. It amends section 22947 of the Business and Professions code: here's an attempt at a link to the actual law, but if that doesn't work, go to leginfo and search for 22947 in the Business and Professions code. It's fairly concise and readable.

One point on which I've long been curious is whether the various proposed anti-spyware laws cover the invasive end user license agreements, or EULAs, which Microsoft, Apple and other software companies love so much these days. You know, "clicking here gives you permission for us to snoop on what files you have on your system, what songs you've been listening to, and what extra software you have installed, and you have to click here or you can't get security updates" (stories on Win2k, WinXP, and issues with Windows Media Player; I think Apple does similar things with iTunes but don't have any story links handy).

It turns out that SB 1436 specifically disallows collection of a user's web browsing history, or browser bookmarks (so Google search might be in trouble, depending on how it works) because it's "personal information", along with your name, address and credit card information; but it says nothing against collection of information regarding files, installed software, music, movies, or email. I guess none of those constitute "personal information" and it's fine to sneak software onto your system to collect such details.

However, consider this interesting section:

22947.4. (a) A person or entity, who is not an authorized user, as defined in Section 22947.1, shall not do any of the following with regard to the computer of a consumer in this state:
(1) Induce an authorized user to install a software component onto the computer by intentionally misrepresenting that installing software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content.

At issue here is the definition of "software component". If a system update installs a new media player with a new invasive EULA which suggests that the player may collect information on songs installed or played, under the aegis of a security update, wouldn't this fall afoul of the new law?

22947.2 (c) is also interesting:

[an entity who is not the owner or authorized user of a computer shall not] Prevent, without the authorization of an authorized user, through intentionally deceptive means, an authorized user's reasonable efforts to block the installation of, or to disable, software, by causing software that the authorized user has properly removed or disabled to automatically reinstall or reactivate on the computer without the authorization of an authorized user.

If you've ever disabled a feature in a piece of software, only to have it mysteriously re-enable itself the next time you updated the software, or if you use software whose EULA allows that, you may have grounds to sue if you can prove that it was re-enabled intentionally. This may be a bit farther than the authors of the bill really intended to go; quite a lot of software companies (and perhaps some freeware and open source authors as well) may be exposed here. Software providers beware!

SB 1436 has some good and non-controversial effects. It explicitly makes it illegal to install, without the user's knowledge: keystroke loggers (presumably this does not apply to the CIA or anyone else operating under the Patriot Act), spam email relays, denial-of-service zombies, multiple popup ads which can't be closed (we're in 22947.3 (a) now, which applies to software copied onto the user's computer; but this may apply even to Javascript on a web page, if you read the definitions at the beginning of the bill). All good things to disallow.

What about that no-penalty comment in the Times? As far as I can tell, they're right. SB 1436 makes no mention of fines or other punishments. This Infotex post says there's a $1000 fine per incident, plus attorney's fees; but I can't figure out where they're getting that: I don't see it in either the bill or the law anywhere.

