While I dislike spyware on general principle, I have to argue that overly onerous notification regulations such as this one are not the way to fight it.
(1) IN GENERAL- Any computer software made available to the public, whether by sale or without charge, that includes a capability to collect information about the user of such computer software, the hardware on which such computer software is used, or the manner in which such computer software is used, and to disclose such information to any person other than the user of such computer software, shall include--
(A) a clear and conspicuous written notice, on the first electronic page of the instructions for the installation of such computer software, that such computer software includes such capability;
Standard warning label type deal. I can handle that, though I don't like how specific it is. What if I don't include electronic instructions for installation?
(B) a description of the information subject to collection and the name and address of each person to whom such computer software will transmit or otherwise communicate such information; and
(C) a clear and conspicuous written electronic notice, in a manner reasonably calculated to provide the user of such computer software with easily understood instructions on how to disable such capability without affecting the performance or operation of such computer software for the purposes for which such computer software was intended.
What if the software's purpose is to collect such information? I'm now legally required to provide instructions for the impossible?
(2) ENABLEMENT OF CAPABILITY- A capability of computer software described in paragraph (1) may not be enabled unless the user of such computer software provides affirmative consent, in advance, to the enablement of the capability.
This is ambiguous. How do we define "consent"? With a click-through EULA? Probably. Does running make, when such notice is in the INSTALL file, count? Probably not. This is, of course, a severe inconvenience to developers and users of Free software, where EULAs don't exist.
(3) EXCEPTION- The requirements in paragraphs (1) and (2) shall not apply to any capability of computer software that is reasonably needed to--
(A) determine whether or not the user is a licensed or authorized user of such computer software;
Henceforth, this shall be known as the "Microsoft Loophole".
(B) provide, upon request of the user, technical support of the use of such computer software by the user; or
This is risky. Sure, you can't use this loophole to rip off my Social Security Number, all my email, my PGP private key, or my secret pr0n stash, but there's still a lot of information that I'd like to keep private that might be considered "necessary to provide technical support". If you're going to require disclosure for everyone else, why not require disclosure of what it's collecting for tech support, at the time that such support is required?
Look at Netscape's Quality Feedback Agent for a good example of a piece of software (voluntarily) doing this right.
(C) enable an employer to monitor computer usage by its employees while such employees are within the scope of employment as authorized by applicable Federal, State, or local law.
I understand not allowing employees to disable monitoring software, but I think it's ridiculous to exempt employers from the notification requirement.
[Snip sections 4 and 5: What they can do with the info they collect, and your right to access it.]
(6) SECURITY OF INFORMATION COLLECTED THROUGH EXCEPTED CAPABILITY- Any person collecting information through a capability described in paragraph (1) shall establish and maintain reasonable procedures necessary to protect the security, confidentiality, and integrity of such information.
Hmm, "reasonable"... Dual rot13 on an unupdated NT installation, anyone?
(b) PREINSTALLATION- In the case of computer software described in subsection (a)(1) that is installed on a computer by someone other than the user of such computer software, whether through preinstallation by the provider of such computer or computer software, by installation by someone before delivery of such computer to the user, or otherwise, the notice and instructions under that subsection shall be provided in electronic form to the user before the first use of such computer software by the user.
This just adds to the "who's responsible" mess which I will cover in more detail below.
(c) VIOLATIONS- A violation of subsection (a) or (b) shall be treated as an unfair or deceptive act or practice proscribed by section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
This seems as good a place as any to address the "who's responsible" issue. All the above rules take the form of "The software must...", and not "The Author of the software must..." or "The distributor of the software must..." or whatever. Now, IANAL, so perhaps there's some legal precedent or other to cover this, but here's a hypothetical situation: I write FooWare, and release it under the GPL. J. Random Hacker takes his copy of FooWare, adds a spyware-type module, and a couple of bells and whistles, and releases it as BarProgram. The source is available, but nobody bothers with it, they just grab the binaries from freedownloads.example.com.
So, when the truth about BarProgram comes out, who's in the hot seat? Is it me, the original author? Is it JRH, who wrote the spyware code? Or is it the download site, who were distributing it?
(d) DISCLOSURE TO LAW ENFORCEMENT OR UNDER COURT ORDER-
(1) IN GENERAL- Notwithstanding any other provision of this section, a computer software provider that collects information about users of the computer software may disclose information about a user of the computer software--
(A) to a law enforcement agency in response to a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, or a court order issued in accordance with paragraph (3); or
Well, at least they need a warrant.
(B) in response to a court order in a civil proceeding granted upon a showing of compelling need for the information that cannot be accommodated by any other means if--
(i) the user to whom the information relates is given reasonable notice by the person seeking the information of the court proceeding at which the order is requested; and
(ii) the user is afforded a reasonable opportunity to appear and contest the issuance of the requested order or to narrow its scope.
Bah. Any jackass who wants to pester you with a nuisance lawsuit can get a court order in a civil proceeding.
[Snip the rest, mostly about how you can sue someone for violations.]
Bottom line: The solution to spyware is (1) technical measures such as ZoneAlarm, (2) Open Source software, and (3) prosecuting purveyors of spyware under existing fraud laws. Additional government interference into what kind of software I can write and distribute is not.