I'm not sure that one approach is the right one for all the elements of the bill. For example, when it comes to spam, you could either narrow the definition of spam and make sure you catch all the bad behaviour, or you could take a broader definition of spam but work quite a bit on inferred consent and implied consent.
With spyware, you could either create a longer list of things you think are good--software downloads and update patches--and make sure all those exceptions are covered and the regulations can add more, or you could just put in the definitions of the elements of spyware.
In the case of spam, it might work better to look at implied consent and legislation that's been used in other countries that we know works in practice. We could take the best of that and make sure we go through the practical examples and say, “Okay, if we write it this way, then these good examples will not get picked up.” So those are the pros and cons there.
I think everybody would agree pretty quickly on the list of five or six things that constitute malware--the bad things in spyware. You can say in the regulations that we can add to that if the bad guys think of new ways we haven't thought of to date. I think there would be very few examples of that happening. If you try to do the reverse and define all the good things that take place that shouldn't be captured by your anti-spyware provision, we'll have a much harder time exploring that total universe. You have very different types of transactions that take place.
I think the pros and cons weigh in favour of defining upfront the bad things you're going after and allowing additions to that, rather than trying to define upfront exceptions that wind up being longer and longer. You're going to fear that you haven't caught certain circumstances, and someone might find themselves subject to massive administrative monetary penalties or private lawsuits while you think through the legislative changes or the regulatory changes, because regulations don't get changed in 24 hours.