Last year spyware legislation overwhelmingly passed the House (399 to 1).  The Senate didn't act on it.  We're going to see a lot of activity on this front again this year.  But I'm not so sure legislation is such a great idea.

Three reasons: 

1.  Spyware is being conceived of as an assault on privacy interests, and draft legislation may be intended to set the stage for future broad privacy statutes.  But spyware is a different kind of issue -- it's about the imposition of an inappropriate, unsought-for relationship in code.  That relationship can only be dealt with, to my mind, by tort law and with the help of juries and judges.  It's impossible to define "spyware" in a way that won't also capture lots of helpful software (updaters, crash reporters, remote-administration tools).  The fact that the FTC has already been able to act against spyware under its existing authority signals that a new statute isn't needed.

2.  The draft House bill, HR 29, takes a very heavy-handed regulatory approach.  It suggests that the FTC will spend an enormous amount of its resources (resources that could be spent bringing cases) on adopting a very detailed set of rules about the design of software.  It mandates notices for online applications.  These notices will be both annoying and ultimately meaningless (who will understand what it is they are consenting to?).  It's Gramm-Leach-Bliley for bits: mandated privacy notices that nobody reads.

3.  And it won't work.  Bad actors will move offshore and won't follow the rules anyway.  Sure, a federal bill may preempt some wacky state approaches, but the cure may be both worse than the disease (design mandates for software! swirling useless notices!) and ineffective.

It's better to encourage evolutionary, adaptive, tool-based approaches to spyware.  Indeed, the evidence so far is that spyware attacks are diminishing because ISPs and network operators are deploying better tools, not because of any statute.

We have two models for viruses/attacks on our system:  inoculation (or search and destroy) and the immune system.  Let's go with the immune system approach: learning, memory, watching for unexpected data flows, and networks of helpful systems.