November 05, 2004
I-SPY - H.R. 4661
H.R. 4661, the Internet Spyware (I-SPY) Prevention Act of 2004, is a balanced approach focused on toughening penalties for publishers of malicious software.
This bill would impose criminal penalties on individuals who intentionally access a personal computer without authorization by causing a computer program or code to be copied onto a protected computer, and who intentionally use that program or code to harm a person or cause damage to a computer.
It represents the strongest measure yet and is truly a step in the right direction in the fight against spyware.
Posted by Tuck at 02:17 PM | Comments (0)
November 03, 2004
SPYBLOCK - H.R. 2145
SPYBLOCK - The Software Principles Yielding Better Levels of Consumer Knowledge (SPYBLOCK) Act would "give consumers control over the programs that are downloaded onto their computers." SPYBLOCK was introduced by three senators. Two of the senators working on the bill (Wyden and Burns) were also co-sponsors who helped push through the CANSPAM act of January 2004. So far that act hasn't done much to stop spam, but it was a noble attempt.
SPYBLOCK would require all software to generate more detailed on-screen dialog boxes that would tell users that clicking "OK" will trigger the download of a program. The aim of the bill is to demand strict disclosure if software surreptitiously creates pop-ups, collects information and sends it elsewhere over the Internet, or modifies a computer's settings. SPYBLOCK also will prohibit programs that steer users to counterfeit Web sites. The bill would be enforced by the Federal Trade Commission (FTC) and state attorneys general, and would include provisions for injunctions and civil fines.
Posted by Tuck at 01:12 PM | Comments (0)
November 02, 2004
SPYACT - H.R. 2929
The SPYACT, H.R. 2929, is a bill that quickly worked its way through Congress and was unanimously passed in late September. The bill showed strong bipartisan support as it was passed 399 to 1. I guess there is always somebody who disagrees.
Enigma Software Group, Inc. (the owner of this website) publicly supports the SPYACT bill, and has been actively contacting representatives with letters.
This bill will impose heavy fines for redirecting URLs and spreading spyware. Under the bill those who spread spyware can receive fines of up to $3 million for annoying and privacy-invading practices such as installing keystroke loggers and even some pop-up ads. Whether the final bill will really make a difference is debatable. The last time Congress got involved in helping Internet users, they passed CanSPAM, and we all know that this legislation has done little to affect the daily spam deluge.
Posted by Tuck at 12:54 PM | Comments (0)
July 02, 2004
I-SPY
Internet Spyware (I-SPY) Prevention Act of 2004 (Received in Senate from House)
HR 4661 RDS
108th CONGRESS
2d Session
H. R. 4661
IN THE SENATE OF THE UNITED STATES
October 8, 2004
Received
--------------------------------------------------------------------------------
AN ACT
To amend title 18, United States Code, to discourage spyware, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Internet Spyware (I-SPY) Prevention Act of 2004'.
SEC. 2. PENALTIES FOR CERTAIN UNAUTHORIZED ACTIVITIES RELATING TO COMPUTERS.
(a) In General- Chapter 47 of title 18, United States Code, is amended by inserting after section 1030 the following:
`Sec. 1030A. Illicit indirect use of protected computers
`(a) Whoever intentionally accesses a protected computer without authorization, or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and intentionally uses that program or code in furtherance of another Federal criminal offense shall be fined under this title or imprisoned not more than 5 years, or both.
`(b) Whoever intentionally accesses a protected computer without authorization, or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and by means of that program or code--
`(1) intentionally obtains, or transmits to another, personal information with the intent to defraud or injure a person or cause damage to a protected computer; or
`(2) intentionally impairs the security protection of the protected computer;
shall be fined under this title or imprisoned not more than 2 years, or both.
`(c) No person may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant's violating this section. For the purposes of this subsection, the term `State' includes the District of Columbia, Puerto Rico, and any other territory or possession of the United States.
`(d) As used in this section--
`(1) the terms `protected computer' and `exceeds authorized access' have, respectively, the meanings given those terms in section 1030; and
`(2) the term `personal information' means--
`(A) a first and last name;
`(B) a home or other physical address, including street name;
`(C) an electronic mail address;
`(D) a telephone number;
`(E) a Social Security number, tax identification number, drivers license number, passport number, or any other government-issued identification number; or
`(F) a credit card or bank account number or any password or access code associated with a credit card or bank account.
`(e) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.'.
(b) Conforming Amendment- The table of sections at the beginning of chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following new item:
`1030A. Illicit indirect use of protected computers.'.
SEC. 3. AUTHORIZATION OF APPROPRIATIONS.
In addition to any other sums otherwise authorized to be appropriated for this purpose, there are authorized to be appropriated for each of fiscal years 2005 through 2008, the sum of $10,000,000 to the Attorney General for prosecutions needed to discourage the use of spyware and the practice commonly called phishing.
SEC. 4. FINDINGS AND SENSE OF CONGRESS CONCERNING THE ENFORCEMENT OF CERTAIN CYBERCRIMES.
(a) Findings- Congress makes the following findings:
(1) Software and electronic communications are increasingly being used by criminals to invade individuals' and businesses' computers without authorization.
(2) Two particularly egregious types of such schemes are the use of spyware and phishing scams.
(3) These schemes are often used to obtain personal information, such as bank account and credit card numbers, which can then be used as a means to commit other types of theft.
(4) In addition to the devastating damage that these heinous activities can inflict on individuals and businesses, they also undermine the confidence that citizens have in using the Internet.
(b) Sense of Congress- Because of the serious nature of these offenses, and the Internet's unique importance in the daily lives of citizens and in interstate commerce, it is the sense of Congress that the Department of Justice should use the amendments made by this Act, and all other available tools, vigorously to prosecute those who use spyware to commit crimes and those that conduct phishing scams.
Passed the House of Representatives October 7, 2004.
Attest:
JEFF TRANDAHL,
Clerk.
Posted by Tuck at 02:23 PM | Comments (0)
SPYBLOCK
S 2145 IS
108th CONGRESS
2d Session
S. 2145
To regulate the unauthorized installation of computer software, to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy, and for other purposes.
IN THE SENATE OF THE UNITED STATES
February 27, 2004
Mr. BURNS (for himself, Mr. WYDEN, and Mrs. BOXER) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
--------------------------------------------------------------------------------
A BILL
To regulate the unauthorized installation of computer software, to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Software Principles Yielding Better Levels of Consumer Knowledge Act' or the `SPY BLOCK Act'.
SEC. 2. UNAUTHORIZED INSTALLATION OF COMPUTER SOFTWARE.
(a) NOTICE, CHOICE, AND UNINSTALL PROCEDURES- It is unlawful for any person who is not the user of a protected computer to install computer software on that computer, or to authorize, permit, or cause the installation of computer software on that computer, unless--
(1) the user of the computer has received notice that satisfies the requirements of section 3;
(2) the user of the computer has granted consent that satisfies the requirements of section 3; and
(3) the computer software's uninstall procedures satisfy the requirements of section 3.
(b) RED HERRING PROHIBITION- It is unlawful for any person who is not the user of a protected computer to install computer software on that computer, or to authorize, permit, or cause the installation of computer software on that computer, if the design or operation of the computer software is intended, or may reasonably be expected, to confuse or mislead the user of the computer concerning the identity of the person or service responsible for the functions performed or content displayed by such computer software.
SEC. 3. NOTICE, CONSENT, AND UNINSTALL REQUIREMENTS.
(a) NOTICE- For purposes of section 2(a)(1), notice to the user of a computer shall--
(1) include a clear notification, displayed on the screen until the user either grants or denies consent to installation, of the name and general nature of the computer software that will be installed if the user grants consent; and
(2) include a separate disclosure, with respect to each information collection, advertising, distributed computing, and settings modification feature contained in the computer software, that--
(A) remains displayed on the screen until the user either grants or denies consent to that feature;
(B) in the case of an information collection feature, provides a clear description of--
(i) the type of personal or network information to be collected and transmitted by the computer software; and
(ii) the purpose for which the personal or network information is to be collected, transmitted, and used;
(C) in the case of an advertising feature, provides--
(i) a representative example of the type of advertisement that may be delivered by the computer software;
(ii) a clear description of--
(I) the estimated frequency with which each type of advertisement may be delivered; or
(II) the factors on which the frequency will depend; and
(iii) a clear description of how the user can distinguish each type of advertisement that the computer software delivers from advertisements generated by other software, Internet website operators, or services;
(D) in the case of a distributed computing feature, provides a clear description of--
(i) the types of information or messages the computer software will cause the computer to transmit;
(ii)(I) the estimated frequency with which the computer software will cause the computer to transmit such messages or information; or
(II) the factors on which the frequency will depend;
(iii) the estimated volume of such information or messages, and the likely impact, if any, on the processing or communications capacity of the user's computer; and
(iv) the nature, volume, and likely impact on the computer's processing capacity of any computational or processing tasks the computer software will cause the computer to perform in order to generate the information or messages the computer software will cause the computer to transmit;
(E) in the case of a settings modification feature, provides a clear description of the nature of the modification, its function, and any collateral effects the modification may produce; and
(F) provides a clear description of procedures the user may follow to turn off such feature or uninstall the computer software.
(b) CONSENT- For purposes of section 2(a)(2), consent requires--
(1) consent by the user of the computer to the installation of the computer software; and
(2) separate affirmative consent by the user of the computer to each information collection feature, advertising feature, distributed computing feature, and settings modification feature contained in the computer software.
(c) UNINSTALL PROCEDURES- For purposes of section 2(a)(3), computer software shall--
(1) appear in the `Add/Remove Programs' menu or any similar feature, if any, provided by each operating system with which the computer software functions;
(2) be capable of being removed completely using the normal procedures provided by each operating system with which the computer software functions for removing computer software; and
(3) in the case of computer software with an advertising feature, include an easily identifiable link clearly associated with each advertisement that the software causes to be displayed, such that selection of the link by the user of the computer generates an on-screen window that informs the user about how to turn off the advertising feature or uninstall the computer software.
SEC. 4. UNAUTHORIZED USE OF CERTAIN COMPUTER SOFTWARE.
It is unlawful for any person who is not the user of a protected computer to use an information collection, advertising, distributed computing, or settings modification feature of computer software installed on that computer, if--
(1) the computer software was installed in violation of section 2;
(2) the use in question falls outside the scope of what was described to the user of the computer in the notice provided pursuant to section 3(a); or
(3) in the case of an information collection feature, the person using the feature fails to establish and maintain reasonable procedures to protect the security and integrity of personal information so collected.
SEC. 5. EXCEPTIONS.
(a) PREINSTALLED SOFTWARE- A person who installs, or authorizes, permits, or causes the installation of, computer software on a protected computer before the first retail sale of the computer shall be deemed to be in compliance with this Act if the user of the computer receives notice that would satisfy section 3(a)(2) and grants consent that would satisfy section 3(b)(2) prior to--
(1) the initial collection of personal or network information, in the case of any information collection feature contained in the computer software;
(2) the initial generation of an advertisement on the computer, in the case of any advertising feature contained in the computer software;
(3) the initial transmission of information or messages, in the case of any distributed computing feature contained in the computer software; and
(4) the initial modification of user settings, in the case of any settings modification feature.
(b) OTHER EXCEPTIONS- Sections 3(a)(2), 3(b)(2), and 4 do not apply to any feature of computer software that is reasonably needed to--
(1) provide capability for general purpose online browsing, electronic mail, or instant messaging, or for any optional function that is directly related to such capability and that the user knowingly chooses to use;
(2) determine whether or not the user of the computer is licensed or authorized to use the computer software; and
(3) provide technical support for the use of the computer software by the user of the computer.
(c) PASSIVE TRANSMISSION, HOSTING, OR LINK- For purposes of this Act, a person shall not be deemed to have installed computer software, or authorized, permitted, or caused the installation of computer software, on a computer solely because that person provided--
(1) the Internet connection or other transmission capability through which the software was delivered to the computer for installation;
(2) the storage or hosting, at the direction of another person and without selecting the content to be stored or hosted, of the software or of an Internet website through which the software was made available for installation; or
(3) a link or reference to an Internet website the content of which was selected and controlled by another person, and through which the computer software was made available for installation.
(d) SOFTWARE RESIDENT IN TEMPORARY MEMORY- In the case of an installation of computer software that falls within the meaning of section 7(10)(B) but not within the meaning of section 7(10)(A), the requirements set forth in subsections (a)(1), (b)(1), and (c) of section 3 shall not apply.
(e) FEATURES ACTIVATED BY USER OPTIONS- In the case of an information collection, advertising, distributed computing, or settings modification feature that remains inactive or turned off unless the user of the computer subsequently selects certain optional settings or functions provided by the computer software, the requirements of subsections (a)(2) and (b)(2) of section 3 may be satisfied by providing the applicable disclosure and obtaining the applicable consent at the time the user selects the option that activates the feature, rather than at the time of initial installation.
SEC. 6. ADMINISTRATION AND ENFORCEMENT.
(a) IN GENERAL- Except as provided in subsection (b), this Act shall be enforced by the Commission as if the violation of this Act were an unfair or deceptive act or practice proscribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(b) ENFORCEMENT BY CERTAIN OTHER AGENCIES- Compliance with this Act shall be enforced under--
(1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of--
(A) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;
(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 and 611), by the Board; and
(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation;
(2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the Director of the Office of Thrift Supervision, in the case of a savings association the deposits of which are insured by the Federal Deposit Insurance Corporation;
(3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board with respect to any Federal credit union;
(4) part A of subtitle VII of title 49, United States Code, by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that part;
(5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with respect to any activities subject to that Act; and
(6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.
(c) EXERCISE OF CERTAIN POWERS- For the purpose of the exercise by any agency referred to in subsection (b) of its powers under any Act referred to in that subsection, a violation of this Act is deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (b), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under this Act, any other authority conferred on it by law.
(d) ACTIONS BY THE COMMISSION- The Commission shall prevent any person from violating this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any entity that violates any provision of that section is subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of that section.
(e) PRESERVATION OF COMMISSION AUTHORITY- Nothing contained in this section shall be construed to limit the authority of the Commission under any other provision of law.
SEC. 7. ACTIONS BY STATES.
(a) IN GENERAL-
(1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that this Act prohibits, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction--
(A) to enjoin that practice;
(B) to enforce compliance with the rule;
(C) to obtain damage, restitution, or other compensation on behalf of residents of the State; or
(D) to obtain such other relief as the court may consider to be appropriate.
(2) NOTICE-
(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Commission--
(i) written notice of that action; and
(ii) a copy of the complaint for that action.
(B) EXEMPTION-
(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to provide the notice described in that subparagraph before the filing of the action.
(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.
(b) INTERVENTION-
(1) IN GENERAL- On receiving notice under subsection (a)(2), the Commission shall have the right to intervene in the action that is the subject of the notice.
(2) EFFECT OF INTERVENTION- If the Commission intervenes in an action under subsection (a), it shall have the right--
(A) to be heard with respect to any matter that arises in that action; and
(B) to file a petition for appeal.
(c) CONSTRUCTION- For purposes of bringing any civil action under subsection (a), nothing in this subtitle shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary and other evidence.
(d) ACTIONS BY THE COMMISSION- In any case in which an action is instituted by or on behalf of the Commission for violation of section 2 of this Act, no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of that section.
(e) VENUE; SERVICE OF PROCESS-
(1) VENUE- Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.
(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 8. DEFINITIONS.
In this Act:
(1) ADVERTISEMENT- The term `advertisement' means a commercial promotion for a product or service, but does not include promotions for products or services that appear on computer software help or support pages that are displayed in response to a request by the user.
(2) ADVERTISING FEATURE- The term `advertising feature' means a function of computer software that, when installed on a computer, delivers advertisements to the user of that computer.
(3) AFFIRMATIVE CONSENT- The term `affirmative consent' means consent expressed through action by the user of a computer other than default action specified by the installation sequence and independent from any other consent solicited from the user during the installation process.
(4) CLEAR DESCRIPTION- The term `clear description' means a description that is clear, conspicuous, concise, and in a font size that is at least as large as the largest default font displayed to the user by the software.
(5) COMPUTER SOFTWARE- The term `computer software'--
(A) means any program designed to cause a computer to perform a desired function or functions; and
(B) does not include any cookie.
(6) COOKIE- The term `cookie' means a text file--
(A) that is placed on a computer by an Internet service provider, interactive computer service, or Internet website; and
(B) the sole function of which is to record information that can be read or recognized by an Internet service provider, interactive computer service, or Internet website when the user of the computer uses or accesses such provider, service, or website.
(7) DISTRIBUTED COMPUTING FEATURE- The term `distributed computing feature' means a function of computer software that, when installed on a computer, transmits information or messages, other than personal or network information about the user of the computer, to any other computer without the knowledge or direction of the user and for purposes unrelated to the tasks or functions the user intentionally performs using the computer.
(8) FIRST RETAIL SALE- The term `first retail sale' means the first sale of a computer, for a purpose other than resale, after the manufacture, production, or importation of the computer. For purposes of this paragraph, the lease of a computer shall be considered a sale of the computer at retail.
(9) INFORMATION COLLECTION FEATURE- The term `information collection feature' means a function of computer software that, when installed on a computer, collects personal or network information about the user of the computer and transmits such information to any other party on an automatic basis or at the direction of a party other than the user of the computer.
(10) INSTALL- The term `install' means--
(A) to write computer software to a computer's persistent storage medium, such as the computer's hard disk, in such a way that the computer software is retained on the computer after the computer is turned off and subsequently restarted; or
(B) to write computer software to a computer's temporary memory, such as random access memory, in such a way that the software is retained and continues to operate after the user of the computer turns off or exits the Internet service, interactive computer service, or Internet website from which the computer software was obtained.
(11) NETWORK INFORMATION- The term `network information' means--
(A) an Internet protocol address or domain name of a user's computer; or
(B) a Uniform Resource Locator or other information that identifies Internet web sites or other online resources accessed by a user of a computer.
(12) PERSONAL INFORMATION- The term `personal information' means--
(A) a first and last name, whether given at birth or adoption, assumed, or legally changed;
(B) a home or other physical address including street name, name of a city or town, and zip code;
(C) an electronic mail address or online username;
(D) a telephone number;
(E) a social security number;
(F) any personal identification number;
(G) a credit card number, any access code associated with the credit card, or both;
(H) a birth date, birth certificate number, or place of birth; or
(I) any password or access code.
(13) PERSON- The term `person' has the meaning given that term in section 3(32) of the Communications Act of 1934 (47 U.S.C. 153(32)).
(14) PROTECTED COMPUTER- The term `protected computer' has the meaning given that term in section 1030(e)(2)(B) of title 18, United States Code.
(15) SETTINGS MODIFICATION FEATURE- The term `settings modification feature' means a function of computer software that, when installed on a computer--
(A) modifies an existing user setting, without direction from the user of the computer, with respect to another computer software application previously installed on that computer; or
(B) enables a user setting with respect to another computer software application previously installed on that computer to be modified in the future without advance notification to and consent from the user of the computer.
(16) USER OF A COMPUTER- The term `user of a computer' means a computer's lawful owner or an individual who operates a computer with the authorization of the computer's lawful owner.
SEC. 9. EFFECTIVE DATE.
This Act shall take effect 180 days after the date of enactment of this Act.
END
Posted by Tuck at 01:14 PM | Comments (0)
SPYACT
Securely Protect Yourself Against Cyber Trespass.
H.R.2929
Title: To protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes.
Sponsor: Rep Bono, Mary [CA-45] (introduced 7/25/2003) Cosponsors (31)
Latest Major Action: 10/6/2004 Received in the Senate.
House Reports: 108-619
108th CONGRESS
2d Session
H. R. 2929
IN THE SENATE OF THE UNITED STATES
October 6, 2004
Received
--------------------------------------------------------------------------------
AN ACT
To protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Securely Protect Yourself Against Cyber Trespass Act' or the `SPY ACT'.
SEC. 2. PROHIBITION OF DECEPTIVE ACTS OR PRACTICES RELATING TO SPYWARE.
(a) Prohibition- It is unlawful for any person, who is not the owner or authorized user of a protected computer, to engage in deceptive acts or practices that involve any of the following conduct with respect to the protected computer:
(1) Taking control of the computer by--
(A) utilizing such computer to send unsolicited information or material from the protected computer to others;
(B) diverting the Internet browser of the computer, or similar program of the computer used to access and navigate the Internet--
(i) without authorization of the owner or authorized user of the computer; and
(ii) away from the site the user intended to view, to one or more other Web pages, such that the user is prevented from viewing the content at the intended Web page, unless such diverting is otherwise authorized;
(C) accessing or using the modem, or Internet connection or service, for the computer and thereby causing damage to the computer or causing the owner or authorized user to incur unauthorized financial charges;
(D) using the computer as part of an activity performed by a group of computers that causes damage to another computer; or
(E) delivering advertisements that a user of the computer cannot close without turning off the computer or closing all sessions of the Internet browser for the computer.
(2) Modifying settings related to use of the computer or to the computer's access to or use of the Internet by altering--
(A) the Web page that appears when the owner or authorized user launches an Internet browser or similar program used to access and navigate the Internet;
(B) the default provider used to access or search the Internet, or other existing Internet connections settings;
(C) a list of bookmarks used by the computer to access Web pages; or
(D) security or other settings of the computer that protect information about the owner or authorized user for the purposes of causing damage or harm to the computer or owner or user.
(3) Collecting personally identifiable information through the use of a keystroke logging function.
(4) Inducing the owner or authorized user to install a computer software component onto the computer, or preventing reasonable efforts to block the installation or execution of, or to disable, a computer software component by--
(A) presenting the owner or authorized user with an option to decline installation of a software component such that, when the option is selected by the owner or authorized user, the installation nevertheless proceeds; or
(B) causing a computer software component that the owner or authorized user has properly removed or disabled to automatically reinstall or reactivate on the computer.
(5) Misrepresenting that installing a separate software component or providing log-in and password information is necessary for security or privacy reasons, or that installing a separate software component is necessary to open, view, or play a particular type of content.
(6) Inducing the owner or authorized user to install or execute computer software by misrepresenting the identity or authority of the person or entity providing the computer software to the owner or user.
(7) Inducing the owner or authorized user to provide personally identifiable, password, or account information to another person--
(A) by misrepresenting the identity of the person seeking the information; or
(B) without the authority of the intended recipient of the information.
(8) Removing, disabling, or rendering inoperative a security, anti-spyware, or anti-virus technology installed on the computer.
(9) Installing or executing on the computer one or more additional computer software components with the intent of causing a person to use such components in a way that violates any other provision of this section.
(b) Guidance- The Commission shall issue guidance regarding compliance with and violations of this section. This subsection shall take effect upon the date of the enactment of this Act.
(c) Effective Date- Except as provided in subsection (b), this section shall take effect upon the expiration of the 6-month period that begins on the date of the enactment of this Act.
SEC. 3. PROHIBITION OF COLLECTION OF CERTAIN INFORMATION WITHOUT NOTICE AND CONSENT.
(a) OPT-IN REQUIREMENT- Except as provided in subsection (e), it is unlawful for any person--
(1) to transmit to a protected computer, which is not owned by such person and for which such person is not an authorized user, any information collection program, unless--
(A) such information collection program provides notice in accordance with subsection (c) before execution of any of the information collection functions of the program; and
(B) such information collection program includes the functions required under subsection (d); or
(2) to execute any information collection program installed on such a protected computer unless--
(A) before execution of any of the information collection functions of the program, the owner or an authorized user of the protected computer has consented to such execution pursuant to notice in accordance with subsection (c); and
(B) such information collection program includes the functions required under subsection (d).
(b) Information Collection Program- For purposes of this section, the term `information collection program' means computer software that--
(1)(A) collects personally identifiable information; and
(B)(i) sends such information to a person other than the owner or authorized user of the computer, or
(ii) uses such information to deliver advertising to, or display advertising, on the computer; or
(2)(A) collects information regarding the Web pages accessed using the computer; and
(B) uses such information to deliver advertising to, or display advertising on, the computer.
(c) Notice and Consent-
(1) IN GENERAL- Notice in accordance with this subsection with respect to an information collection program is clear and conspicuous notice in plain language, set forth as the Commission shall provide, that meets all of the following requirements:
(A) The notice clearly distinguishes such notice from any other information visually presented contemporaneously on the protected computer.
(B) The notice contains one of the following statements, as applicable, or a substantially similar statement:
(i) With respect to an information collection program described in subsection (b)(1): `This program will collect and transmit information about you. Do you accept?'.
(ii) With respect to an information collection program described in subsection (b)(2): `This program will collect information about Web pages you access and will use that information to display advertising on your computer. Do you accept?'.
(iii) With respect to an information collection program that performs the actions described in both paragraphs (1) and (2) of subsection (b): `This program will collect and transmit information about you and your computer use and will collect information about Web pages you access and use that information to display advertising on your computer. Do you accept?'.
(C) The notice provides for the user--
(i) to grant or deny consent referred to in subsection (a) by selecting an option to grant or deny such consent; and
(ii) to abandon or cancel the transmission or execution referred to in subsection (a) without granting or denying such consent.
(D) The notice provides an option for the user to select to display on the computer, before granting or denying consent using the option required under subparagraph (C), a clear description of--
(i) the types of information to be collected and sent (if any) by the information collection program;
(ii) the purpose for which such information is to be collected and sent; and
(iii) in the case of an information collection program that first executes any of the information collection functions of the program together with the first execution of other computer software, the identity of any such software that is an information collection program.
(E) The notice provides for concurrent display of the information required under subparagraphs (B) and (C) and the option required under subparagraph (D) until the user--
(i) grants or denies consent using the option required under subparagraph (C)(i);
(ii) abandons or cancels the transmission or execution pursuant to subparagraph (C)(ii); or
(ii) selects the option required under subparagraph (D).
(2) SINGLE NOTICE- The Commission shall provide that, in the case in which multiple information collection programs are provided to the protected computer together, or as part of a suite of functionally-related software, the notice requirements of paragraphs (1)(A) and (2)(A) of subsection (a) may be met by providing, before execution of any of the information collection functions of the programs, clear and conspicuous notice in plain language in accordance with paragraph (1) of this subsection by means of a single notice that applies to all such information collection programs, except that such notice shall provide the option under subparagraph (D) of paragraph (1) of this subsection with respect to each such information collection program.
(3) CHANGE IN INFORMATION COLLECTION- If an owner or authorized user has granted consent to execution of an information collection program pursuant to a notice in accordance with this subsection:
(A) IN GENERAL- No subsequent such notice is required, except as provided in subparagraph (B).
(B) SUBSEQUENT NOTICE- The person who transmitted the program shall provide another notice in accordance with this subsection and obtain consent before such program may be used to collect or send information of a type or for a purpose that is materially different from, and outside the scope of, the type or purpose set forth in the initial or any previous notice.
(4) REGULATIONS- The Commission shall issue regulations to carry out this subsection.
(d) Required Functions- The functions required under this subsection to be included in an information collection program that executes any information collection functions with respect to a protected computer are as follows:
(1) DISABLING FUNCTION- With respect to any information collection program, a function of the program that allows a user of the program to remove the program or disable operation of the program with respect to such protected computer by a function that--
(A) is easily identifiable to a user of the computer; and
(B) can be performed without undue effort or knowledge by the user of the protected computer.
(2) IDENTITY FUNCTION- With respect only to an information collection program that uses information collected in the manner described in paragraph (1)(B)(ii) or (2)(B) of subsection (b), a function of the program that provides that each display of an advertisement directed or displayed using such information when the owner or authorized user is accessing a Web page or online location other than of the provider of the software is accompanied by the name of the information collection program, a logogram or trademark used for the exclusive purpose of identifying the program, or a statement or other information sufficient to clearly identify the program.
(3) RULEMAKING- The Commission may issue regulations to carry out this subsection.
(e) Limitation on Liability- A telecommunications carrier, a provider of information service or interactive computer service, a cable operator, or a provider of transmission capability shall not be liable under this section to the extent that the carrier, operator, or provider--
(1) transmits, routes, hosts, stores, or provides connections for an information collection program through a system or network controlled or operated by or for the carrier, operator, or provider; or
(2) provides an information location tool, such as a directory, index, reference, pointer, or hypertext link, through which the owner or user of a protected computer locates an information collection program.
SEC. 4. ENFORCEMENT.
(a) Unfair or Deceptive Act or Practice- This Act shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.). A violation of any provision of this Act or of a regulation issued under this Act committed with actual knowledge or knowledge fairly implied on the basis of objective circumstances that such act is unfair or deceptive or violates this Act shall be treated as an unfair or deceptive act or practice violating a rule promulgated under section 18 of the Federal Trade Commission Act (15 U.S.C. 57a).
(b) PENALTY FOR PATTERN OR PRACTICE VIOLATIONS-
(1) IN GENERAL- Notwithstanding subsection (a) and the Federal Trade Commission Act, in the case of a person who engages in a pattern or practice that violates section 2 or 3, the Commission may, in its discretion, seek a civil penalty for such pattern or practice of violations in an amount, as determined by the Commission, of not more than--
(A) $3,000,000 for each violation of section 2; and
(B) $1,000,000 for each violation of section 3.
(2) TREATMENT OF SINGLE ACTION OR CONDUCT- In applying paragraph (1)--
(A) any single action or conduct that violates section 2 or 3 with respect to multiple protected computers shall be treated as a single violation; and
(B) any single action or conduct that violates more than one paragraph of section 2(a) shall be considered multiple violations, based on the number of such paragraphs violated.
(c) Exclusiveness of Remedies- The remedies in this section (including remedies available to the Commission under the Federal Trade Commission Act) are the exclusive remedies for violations of this Act.
(d) Effective Date- This section shall take effect on the date of the enactment of this Act, but only to the extent that this section applies to violations of section 2(a).
SEC. 5. LIMITATIONS.
(a) Law Enforcement Authority- Sections 2 and 3 of this Act shall not apply to--
(1) any act taken by a law enforcement agent in the performance of official duties; or
(2) the transmission or execution of an information collection program in compliance with a law enforcement, investigatory, national security, or regulatory agency or department of the United States or any State in response to a request or demand made under authority granted to that agency or department, including a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, a court order, or other lawful process.
(b) Exception Relating to Security- Nothing in this Act shall apply to--
(1) any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service, to the extent that such monitoring or interaction is for network or computer security purposes, diagnostics, technical support, or repair, or for the detection or prevention of fraudulent activities; or
(2) a discrete interaction with a protected computer by a provider of computer software solely to determine whether the user of the computer is authorized to use such software, that occurs upon--
(A) initialization of the software; or
(B) an affirmative request by the owner or authorized user for an update of, addition to, or technical service for, the software.
(c) Good Samaritan Protection- No provider of computer software or of interactive computer service may be held liable under this Act on account of any action voluntarily taken, or service provided, in good faith to remove or disable a program used to violate section 2 or 3 that is installed on a computer of a customer of such provider, if such provider notifies the customer and obtains the consent of the customer before undertaking such action or providing such service.
(d) Limitation on Liability- A manufacturer or retailer of computer equipment shall not be liable under this Act to the extent that the manufacturer or retailer is providing third party branded software that is installed on the equipment the manufacturer or retailer is manufacturing or selling.
SEC. 6. EFFECT ON OTHER LAWS.
(a) Preemption of State Law-
(1) PREEMPTION OF SPYWARE LAWS- This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State that expressly regulates--
(A) deceptive conduct with respect to computers similar to that described in section 2(a);
(B) the transmission or execution of a computer program similar to that described in section 3; or
(C) the use of computer software that displays advertising content based on the Web pages accessed using a computer.
(2) ADDITIONAL PREEMPTION-
(A) IN GENERAL- No person other than the Attorney General of a State may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.
(B) PROTECTION OF CONSUMER PROTECTION LAWS- This paragraph shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State.
(3) PROTECTION OF CERTAIN STATE LAWS- This Act shall not be construed to preempt the applicability of--
(A) State trespass, contract, or tort law; or
(B) other State laws to the extent that those laws relate to acts of fraud.
(b) Preservation of FTC Authority- Nothing in this Act may be construed in any way to limit or affect the Commission's authority under any other provision of law, including the authority to issue advisory opinions (under Part 1 of Volume 16 of the Code of Federal Regulations), policy statements, or guidance regarding this Act.
SEC. 7. ANNUAL FTC REPORT.
For the 12-month period that begins upon the effective date under section 11(a) and for each 12-month period thereafter, the Commission shall submit a report to the Congress that--
(1) specifies the number and types of actions taken during such period to enforce sections 2(a) and 3, the disposition of each such action, any penalties levied in connection with such actions, and any penalties collected in connection with such actions; and
(2) describes the administrative structure and personnel and other resources committed by the Commission for enforcement of this Act during such period.
Each report under this subsection for a 12-month period shall be submitted not later than 90 days after the expiration of such period.
SEC. 8. FTC REPORT ON COOKIES.
(a) In General- Not later than the expiration of the 6-month period that begins on the date of the enactment of this Act, the Commission shall submit a report to the Congress regarding the use of tracking cookies in the delivery or display of advertising to the owners and users of computers. The report shall examine and describe the methods by which such tracking cookies and the websites that place them on computers function separately and together, and the extent to which they are covered or affected by this Act. The report may include such recommendations as the Commission considers necessary and appropriate, including treatment of tracking cookies under this Act or other laws.
(b) DEFINITION- For purposes of this section, the term `tracking cookie' means a cookie or similar text or data file used alone or in conjunction with one or more websites to transmit or convey personally identifiable information of a computer owner or user, or information regarding Web pages accessed by the owner or user, to a party other than the intended recipient, for the purpose of--
(1) delivering or displaying advertising to the owner or user; or
(2) assisting the intended recipient to deliver or display advertising to the owner, user, or others.
(c) Effective Date- This section shall take effect on the date of the enactment of this Act.
SEC. 9. REGULATIONS.
(a) In General- The Commission shall issue the regulations required by this Act not later than the expiration of the 6-month period beginning on the date of the enactment of this Act. Any regulations issued pursuant to this Act shall be issued in accordance with section 553 of title 5, United States Code.
(b) Effective Date- This section shall take effect on the date of the enactment of this Act.
SEC. 10. DEFINITIONS.
For purposes of this Act:
(1) CABLE OPERATOR- The term `cable operator' has the meaning given such term in section 602 of the Communications Act of 1934 (47 U.S.C. 522).
(2) COLLECT- The term `collect', when used with respect to information and for purposes only of section 3, does not include obtaining of the information by a party who is intended by the owner or authorized user of a protected computer to receive the information pursuant to the owner or authorized user--
(A) transferring the information to such intended recipient using the protected computer; or
(B) storing the information on the protected computer in a manner so that it is accessible by such intended recipient.
(3) COMPUTER; PROTECTED COMPUTER- The terms `computer' and `protected computer' have the meanings given such terms in section 1030(e) of title 18, United States Code.
(4) COMPUTER SOFTWARE-
(A) IN GENERAL- Except as provided in subparagraph (B), the term `computer software' means a set of statements or instructions that can be installed and executed on a computer for the purpose of bringing about a certain result.
(B) EXCEPTION FOR COOKIES- Such term does not include--
(i) a cookie or other text or data file that is placed on the computer system of a user by an Internet service provider, interactive computer service, or Internet website to return information to such provider, service, or website; or
(ii) computer software that is placed on the computer system of a user by an Internet service provider, interactive computer service, or Internet website solely to enable the user subsequently to use such provider or service or to access such website.
(5) COMMISSION- The term `Commission' means the Federal Trade Commission.
(6) DAMAGE- The term `damage' has the meaning given such term in section 1030(e) of title 18, United States Code.
(7) DECEPTIVE ACTS OR PRACTICES- The term `deceptive acts or practices' has the meaning applicable to such term for purposes of section 5 of the Federal Trade Commission Act (15 U.S.C. 45).
(8) DISABLE- The term `disable' means, with respect to an information collection program, to permanently prevent such program from executing any of the functions described in section 3(b) that such program is otherwise capable of executing (including by removing, deleting, or disabling the program), unless the owner or operator of a protected computer takes a subsequent affirmative action to enable the execution of such functions.
(9) INFORMATION COLLECTION FUNCTIONS- The term `information collection functions' means, with respect to an information collection program, the functions of the program described in subsection (b) of section 3.
(10) INFORMATION SERVICE- The term `information service' has the meaning given such term in section 3 of the Communications Act of 1934 (47 U.S.C. 153).
(11) INTERACTIVE COMPUTER SERVICE- The term `interactive computer service' has the meaning given such term in section 230(f) of the Communications Act of 1934 (47 U.S.C. 230(f)).
(12) INTERNET- The term `Internet' means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.
(13) PERSONALLY IDENTIFIABLE INFORMATION-
(A) IN GENERAL- The term `personally identifiable information' means the following information, to the extent only that such information allows a living individual to be identified from that information:
(i) First and last name of an individual.
(ii) A home or other physical address of an individual, including street name, name of a city or town, and zip code.
(iii) An electronic mail address.
(iv) A telephone number.
(v) A social security number, tax identification number, passport number, driver's license number, or any other government-issued identification number.
(vi) A credit card number.
(vii) Any access code, password, or account number, other than an access code or password transmitted by an owner or authorized user of a protected computer to the intended recipient to register for, or log onto, a Web page or other Internet service or a network connection or service of a subscriber that is protected by an access code or password.
(viii) Date of birth, birth certificate number, or place of birth of an individual, except in the case of a date of birth transmitted or collected for the purpose of compliance with the law.
(B) RULEMAKING- The Commission may, by regulation, add to the types of information specified under paragraph (1) that shall be considered personally identifiable information for purposes of this Act, except that such information may not include any record of aggregate data that does not identify particular persons, particular computers, particular users of computers, or particular email addresses or other locations of computers with respect to the Internet.
(14) SUITE OF FUNCTIONALLY RELATED SOFTWARE- The term `suite of functionally related software' means a group of computer software programs distributed to an end user by a single provider, which programs are necessary to enable features or functionalities of an integrated service offered by the provider.
(15) TELECOMMUNICATIONS CARRIER- The term `telecommunications carrier' has the meaning given such term in section 3 of the Communications Act of 1934 (47 U.S.C. 153).
(16) TRANSMIT- The term `transmit' means, with respect to an information collection program, transmission by any means.
(17) WEB PAGE- The term `Web page' means a location, with respect to the World Wide Web, that has a single Uniform Resource Locator or another single location with respect to the Internet, as the Federal Trade Commission may prescribe.
SEC. 11. APPLICABILITY AND SUNSET.
(a) Effective Date- Except as specifically provided otherwise in this Act, this Act shall take effect upon the expiration of the 12-month period that begins on the date of the enactment of this Act.
(b) Applicability- Section 3 shall not apply to an information collection program installed on a protected computer before the effective date under subsection (a) of this section.
(c) Sunset- This Act shall not apply after December 31, 2009.
Passed the House of Representatives October 5, 2004.
Attest:
JEFF TRANDAHL,
Clerk.
END
Posted by Tuck at 12:42 PM | Comments (0)
