SPY ACT

109th CONGRESS
1st Session

H. R. 29

To protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

January 4, 2005

Mrs. BONO (for herself, Mr. TOWNS, Mr. BARTON of Texas, Mr. BUYER, Mr. GILLMOR, Mr. HALL, Mr. RADANOVICH, Mr. WALDEN of Oregon, Mr. FERGUSON, Mr. WHITFIELD, Mrs. CUBIN, Mr. STEARNS, Mr. BILIRAKIS, Mr. TERRY, and Mr. OTTER) introduced the following bill; which was referred to the Committee on Energy and Commerce

A BILL

To protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `Securely Protect Yourself Against Cyber Trespass Act' or the `SPY ACT'.

SEC. 2. PROHIBITION OF DECEPTIVE ACTS OR PRACTICES RELATING TO SPYWARE.

(a) Prohibition- It is unlawful for any person, who is not the owner or authorized user of a protected computer, to engage in deceptive acts or practices that involve any of the following conduct with respect to the protected computer:

(1) Taking control of the computer by--

(A) utilizing such computer to send unsolicited information or material from the protected computer to others;

(B) diverting the Internet browser of the computer, or similar program of the computer used to access and navigate the Internet--

(i) without authorization of the owner or authorized user of the computer; and

(ii) away from the site the user intended to view, to one or more other Web pages, such that the user is prevented from viewing the content at the intended Web page, unless such diverting is otherwise authorized;

(C) accessing or using the modem, or Internet connection or service, for the computer and thereby causing damage to the computer or causing the owner or authorized user to incur unauthorized financial charges;

(D) using the computer as part of an activity performed by a group of computers that causes damage to another computer; or

(E) delivering advertisements that a user of the computer cannot close without turning off the computer or closing all sessions of the Internet browser for the computer.

(2) Modifying settings related to use of the computer or to the computer's access to or use of the Internet by altering--

(A) the Web page that appears when the owner or authorized user launches an Internet browser or similar program used to access and navigate the Internet;

(B) the default provider used to access or search the Internet, or other existing Internet connections settings;

(C) a list of bookmarks used by the computer to access Web pages; or

(D) security or other settings of the computer that protect information about the owner or authorized user for the purposes of causing damage or harm to the computer or owner or user.

(3) Collecting personally identifiable information through the use of a keystroke logging function.

(4) Inducing the owner or authorized user to install a computer software component onto the computer, or preventing reasonable efforts to block the installation or execution of, or to disable, a computer software component by--

(A) presenting the owner or authorized user with an option to decline installation of a software component such that, when the option is selected by the owner or authorized user, the installation nevertheless proceeds; or

(B) causing a computer software component that the owner or authorized user has properly removed or disabled to automatically reinstall or reactivate on the computer.

(5) Misrepresenting that installing a separate software component or providing log-in and password information is necessary for security or privacy reasons, or that installing a separate software component is necessary to open, view, or play a particular type of content.

(6) Inducing the owner or authorized user to install or execute computer software by misrepresenting the identity or authority of the person or entity providing the computer software to the owner or user.

(7) Inducing the owner or authorized user to provide personally identifiable, password, or account information to another person--

(A) by misrepresenting the identity of the person seeking the information; or

(B) without the authority of the intended recipient of the information.

(8) Removing, disabling, or rendering inoperative a security, anti-spyware, or anti-virus technology installed on the computer.

(9) Installing or executing on the computer one or more additional computer software components with the intent of causing a person to use such components in a way that violates any other provision of this section.

(b) Guidance- The Commission shall issue guidance regarding compliance with and violations of this section. This subsection shall take effect upon the date of the enactment of this Act.

(c) Effective Date- Except as provided in subsection (b), this section shall take effect upon the expiration of the 6-month period that begins on the date of the enactment of this Act.

SEC. 3. PROHIBITION OF COLLECTION OF CERTAIN INFORMATION WITHOUT NOTICE AND CONSENT.

(a) Opt-In Requirement- Except as provided in subsection (e), it is unlawful for any person--

(1) to transmit to a protected computer, which is not owned by such person and for which such person is not an authorized user, any information collection program, unless--

(A) such information collection program provides notice in accordance with subsection (c) before execution of any of the information collection functions of the program; and

(B) such information collection program includes the functions required under subsection (d); or

(2) to execute any information collection program installed on such a protected computer unless--

(A) before execution of any of the information collection functions of the program, the owner or an authorized user of the protected computer has consented to such execution pursuant to notice in accordance with subsection (c); and

(B) such information collection program includes the functions required under subsection (d).

(b) Information Collection Program- For purposes of this section, the term `information collection program' means computer software that--

(1)(A) collects personally identifiable information; and

(B)(i) sends such information to a person other than the owner or authorized user of the computer, or

(ii) uses such information to deliver advertising to, or display advertising, on the computer; or

(2)(A) collects information regarding the Web pages accessed using the computer; and

(B) uses such information to deliver advertising to, or display advertising on, the computer.

(c) Notice and Consent-

(1) IN GENERAL- Notice in accordance with this subsection with respect to an information collection program is clear and conspicuous notice in plain language, set forth as the Commission shall provide, that meets all of the following requirements:

(A) The notice clearly distinguishes such notice from any other information visually presented contemporaneously on the protected computer.

(B) The notice contains one of the following statements, as applicable, or a substantially similar statement:

(i) With respect to an information collection program described in subsection (b)(1): `This program will collect and transmit information about you. Do you accept?'.

(ii) With respect to an information collection program described in subsection (b)(2): `This program will collect information about Web pages you access and will use that information to display advertising on your computer. Do you accept?'.

(iii) With respect to an information collection program that performs the actions described in both paragraphs (1) and (2) of subsection (b): `This program will collect and transmit information about you and your computer use and will collect information about Web pages you access and use that information to display advertising on your computer. Do you accept?'.

(C) The notice provides for the user--

(i) to grant or deny consent referred to in subsection (a) by selecting an option to grant or deny such consent; and

(ii) to abandon or cancel the transmission or execution referred to in subsection (a) without granting or denying such consent.

(D) The notice provides an option for the user to select to display on the computer, before granting or denying consent using the option required under subparagraph (C), a clear description of--

(i) the types of information to be collected and sent (if any) by the information collection program;

(ii) the purpose for which such information is to be collected and sent; and

(iii) in the case of an information collection program that first executes any of the information collection functions of the program together with the first execution of other computer software, the identity of any such software that is an information collection program.

(E) The notice provides for concurrent display of the information required under subparagraphs (B) and (C) and the option required under subparagraph (D) until the user--

(i) grants or denies consent using the option required under subparagraph (C)(i);

(ii) abandons or cancels the transmission or execution pursuant to subparagraph (C)(ii); or

(iii) selects the option required under subparagraph (D).

(2) SINGLE NOTICE- The Commission shall provide that, in the case in which multiple information collection programs are provided to the protected computer together, or as part of a suite of functionally-related software, the notice requirements of paragraphs (1)(A) and (2)(A) of subsection (a) may be met by providing, before execution of any of the information collection functions of the programs, clear and conspicuous notice in plain language in accordance with paragraph (1) of this subsection by means of a single notice that applies to all such information collection programs, except that such notice shall provide the option under subparagraph (D) of paragraph (1) of this subsection with respect to each such information collection program.

(3) CHANGE IN INFORMATION COLLECTION- If an owner or authorized user has granted consent to execution of an information collection program pursuant to a notice in accordance with this subsection:

(A) IN GENERAL- No subsequent such notice is required, except as provided in subparagraph (B).

(B) SUBSEQUENT NOTICE- The person who transmitted the program shall provide another notice in accordance with this subsection and obtain consent before such program may be used to collect or send information of a type or for a purpose that is materially different from, and outside the scope of, the type or purpose set forth in the initial or any previous notice.

(4) REGULATIONS- The Commission shall issue regulations to carry out this subsection.

(d) Required Functions- The functions required under this subsection to be included in an information collection program that executes any information collection functions with respect to a protected computer are as follows:

(1) DISABLING FUNCTION- With respect to any information collection program, a function of the program that allows a user of the program to remove the program or disable operation of the program with respect to such protected computer by a function that--

(A) is easily identifiable to a user of the computer; and

(B) can be performed without undue effort or knowledge by the user of the protected computer.

(2) IDENTITY FUNCTION- With respect only to an information collection program that uses information collected in the manner described in paragraph (1)(B)(ii) or (2)(B) of subsection (b), a function of the program that provides that each display of an advertisement directed or displayed using such information when the owner or authorized user is accessing a Web page or online location other than of the provider of the software is accompanied by the name of the information collection program, a logogram or trademark used for the exclusive purpose of identifying the program, or a statement or other information sufficient to clearly identify the program.

(3) RULEMAKING- The Commission may issue regulations to carry out this subsection.

(e) Limitation on Liability- A telecommunications carrier, a provider of information service or interactive computer service, a cable operator, or a provider of transmission capability shall not be liable under this section to the extent that the carrier, operator, or provider--

(1) transmits, routes, hosts, stores, or provides connections for an information collection program through a system or network controlled or operated by or for the carrier, operator, or provider; or

(2) provides an information location tool, such as a directory, index, reference, pointer, or hypertext link, through which the owner or user of a protected computer locates an information collection program.

SEC. 4. ENFORCEMENT.

(a) Unfair or Deceptive Act or Practice- This Act shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.). A violation of any provision of this Act or of a regulation issued under this Act committed with actual knowledge or knowledge fairly implied on the basis of objective circumstances that such act is unfair or deceptive or violates this Act shall be treated as an unfair or deceptive act or practice violating a rule promulgated under section 18 of the Federal Trade Commission Act (15 U.S.C. 57a).

(b) Penalty for Pattern or Practice Violations-

(1) IN GENERAL- Notwithstanding subsection (a) and the Federal Trade Commission Act, in the case of a person who engages in a pattern or practice that violates section 2 or 3, the Commission may, in its discretion, seek a civil penalty for such pattern or practice of violations in an amount, as determined by the Commission, of not more than--

(A) $3,000,000 for each violation of section 2; and

(B) $1,000,000 for each violation of section 3.

(2) TREATMENT OF SINGLE ACTION OR CONDUCT- In applying paragraph (1)--

(A) any single action or conduct that violates section 2 or 3 with respect to multiple protected computers shall be treated as a single violation; and

(B) any single action or conduct that violates more than one paragraph of section 2(a) shall be considered multiple violations, based on the number of such paragraphs violated.

(c) Exclusiveness of Remedies- The remedies in this section (including remedies available to the Commission under the Federal Trade Commission Act) are the exclusive remedies for violations of this Act.

(d) Effective Date- This section shall take effect on the date of the enactment of this Act, but only to the extent that this section applies to violations of section 2(a).

SEC. 5. LIMITATIONS.

(a) Law Enforcement Authority- Sections 2 and 3 of this Act shall not apply to--

(1) any act taken by a law enforcement agent in the performance of official duties; or

(2) the transmission or execution of an information collection program in compliance with a law enforcement, investigatory, national security, or regulatory agency or department of the United States or any State in response to a request or demand made under authority granted to that agency or department, including a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, a court order, or other lawful process.

(b) Exception Relating to Security- Nothing in this Act shall apply to--

(1) any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service, to the extent that such monitoring or interaction is for network or computer security purposes, diagnostics, technical support, or repair, or for the detection or prevention of fraudulent activities; or

(2) a discrete interaction with a protected computer by a provider of computer software solely to determine whether the user of the computer is authorized to use such software, that occurs upon--

(A) initialization of the software; or

(B) an affirmative request by the owner or authorized user for an update of, addition to, or technical service for, the software.

(c) Good Samaritan Protection- No provider of computer software or of interactive computer service may be held liable under this Act on account of any action voluntarily taken, or service provided, in good faith to remove or disable a program used to violate section 2 or 3 that is installed on a computer of a customer of such provider, if such provider notifies the customer and obtains the consent of the customer before undertaking such action or providing such service.

(d) Limitation on Liability- A manufacturer or retailer of computer equipment shall not be liable under this Act to the extent that the manufacturer or retailer is providing third party branded software that is installed on the equipment the manufacturer or retailer is manufacturing or selling.

SEC. 6. EFFECT ON OTHER LAWS.

(a) Preemption of State Law-

(1) PREEMPTION OF SPYWARE LAWS- This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State that expressly regulates--

(A) deceptive conduct with respect to computers similar to that described in section 2(a);

(B) the transmission or execution of a computer program similar to that described in section 3; or

(C) the use of computer software that displays advertising content based on the Web pages accessed using a computer.

(2) ADDITIONAL PREEMPTION-

(A) IN GENERAL- No person other than the Attorney General of a State may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.

(B) PROTECTION OF CONSUMER PROTECTION LAWS- This paragraph shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State.

(3) PROTECTION OF CERTAIN STATE LAWS- This Act shall not be construed to preempt the applicability of--

(A) State trespass, contract, or tort law; or

(B) other State laws to the extent that those laws relate to acts of fraud.

(b) Preservation of FTC Authority- Nothing in this Act may be construed in any way to limit or affect the Commission's authority under any other provision of law, including the authority to issue advisory opinions (under Part 1 of Volume 16 of the Code of Federal Regulations), policy statements, or guidance regarding this Act.

SEC. 7. ANNUAL FTC REPORT.

For the 12-month period that begins upon the effective date under section 11(a) and for each 12-month period thereafter, the Commission shall submit a report to the Congress that--

(1) specifies the number and types of actions taken during such period to enforce sections 2(a) and 3, the disposition of each such action, any penalties levied in connection with such actions, and any penalties collected in connection with such actions; and

(2) describes the administrative structure and personnel and other resources committed by the Commission for enforcement of this Act during such period.

Each report under this subsection for a 12-month period shall be submitted not later than 90 days after the expiration of such period.

SEC. 8. FTC REPORT ON COOKIES.

(a) In General- Not later than the expiration of the 6-month period that begins on the date of the enactment of this Act, the Commission shall submit a report to the Congress regarding the use of tracking cookies in the delivery or display of advertising to the owners and users of computers. The report shall examine and describe the methods by which such tracking cookies and the websites that place them on computers function separately and together, and the extent to which they are covered or affected by this Act. The report may include such recommendations as the Commission considers necessary and appropriate, including treatment of tracking cookies under this Act or other laws.

(b) Definition- For purposes of this section, the term `tracking cookie' means a cookie or similar text or data file used alone or in conjunction with one or more websites to transmit or convey personally identifiable information of a computer owner or user, or information regarding Web pages accessed by the owner or user, to a party other than the intended recipient, for the purpose of--

(1) delivering or displaying advertising to the owner or user; or

(2) assisting the intended recipient to deliver or display advertising to the owner, user, or others.

(c) Effective Date- This section shall take effect on the date of the enactment of this Act.

SEC. 9. REGULATIONS.

(a) In General- The Commission shall issue the regulations required by this Act not later than the expiration of the 6-month period beginning on the date of the enactment of this Act. Any regulations issued pursuant to this Act shall be issued in accordance with section 553 of title 5, United States Code.

(b) Effective Date- This section shall take effect on the date of the enactment of this Act.

SEC. 10. DEFINITIONS.

For purposes of this Act:

(1) CABLE OPERATOR- The term `cable operator' has the meaning given such term in section 602 of the Communications Act of 1934 (47 U.S.C. 522).

(2) COLLECT- The term `collect', when used with respect to information and for purposes only of section 3, does not include obtaining of the information by a party who is intended by the owner or authorized user of a protected computer to receive the information pursuant to the owner or authorized user--

(A) transferring the information to such intended recipient using the protected computer; or

(B) storing the information on the protected computer in a manner so that it is accessible by such intended recipient.

(3) COMPUTER; PROTECTED COMPUTER- The terms `computer' and `protected computer' have the meanings given such terms in section 1030(e) of title 18, United States Code.

(4) COMPUTER SOFTWARE-

(A) IN GENERAL- Except as provided in subparagraph (B), the term `computer software' means a set of statements or instructions that can be installed and executed on a computer for the purpose of bringing about a certain result.

(B) EXCEPTION FOR COOKIES- Such term does not include--

(i) a cookie or other text or data file that is placed on the computer system of a user by an Internet service provider, interactive computer service, or Internet website to return information to such provider, service, or website; or

(ii) computer software that is placed on the computer system of a user by an Internet service provider, interactive computer service, or Internet website solely to enable the user subsequently to use such provider or service or to access such website.

(5) COMMISSION- The term `Commission' means the Federal Trade Commission.

(6) DAMAGE- The term `damage' has the meaning given such term in section 1030(e) of title 18, United States Code.

(7) DECEPTIVE ACTS OR PRACTICES- The term `deceptive acts or practices' has the meaning applicable to such term for purposes of section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

(8) DISABLE- The term `disable' means, with respect to an information collection program, to permanently prevent such program from executing any of the functions described in section 3(b) that such program is otherwise capable of executing (including by removing, deleting, or disabling the program), unless the owner or operator of a protected computer takes a subsequent affirmative action to enable the execution of such functions.

(9) INFORMATION COLLECTION FUNCTIONS- The term `information collection functions' means, with respect to an information collection program, the functions of the program described in subsection (b) of section 3.

(10) INFORMATION SERVICE- The term `information service' has the meaning given such term in section 3 of the Communications Act of 1934 (47 U.S.C. 153).

(11) INTERACTIVE COMPUTER SERVICE- The term `interactive computer service' has the meaning given such term in section 230(f) of the Communications Act of 1934 (47 U.S.C. 230(f)).

(12) INTERNET- The term `Internet' means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.

(13) PERSONALLY IDENTIFIABLE INFORMATION-

(A) IN GENERAL- The term `personally identifiable information' means the following information, to the extent only that such information allows a living individual to be identified from that information:

(i) First and last name of an individual.

(ii) A home or other physical address of an individual, including street name, name of a city or town, and zip code.

(iii) An electronic mail address.

(iv) A telephone number.

(v) A social security number, tax identification number, passport number, driver's license number, or any other government-issued identification number.

(vi) A credit card number.

(vii) Any access code, password, or account number, other than an access code or password transmitted by an owner or authorized user of a protected computer to the intended recipient to register for, or log onto, a Web page or other Internet service or a network connection or service of a subscriber that is protected by an access code or password.

(viii) Date of birth, birth certificate number, or place of birth of an individual, except in the case of a date of birth transmitted or collected for the purpose of compliance with the law.

(B) RULEMAKING- The Commission may, by regulation, add to the types of information specified under paragraph (1) that shall be considered personally identifiable information for purposes of this Act, except that such information may not include any record of aggregate data that does not identify particular persons, particular computers, particular users of computers, or particular email addresses or other locations of computers with respect to the Internet.

(14) SUITE OF FUNCTIONALLY RELATED SOFTWARE- The term `suite of functionally related software' means a group of computer software programs distributed to an end user by a single provider, which programs are necessary to enable features or functionalities of an integrated service offered by the provider.

(15) TELECOMMUNICATIONS CARRIER- The term `telecommunications carrier' has the meaning given such term in section 3 of the Communications Act of 1934 (47 U.S.C. 153).

(16) TRANSMIT- The term `transmit' means, with respect to an information collection program, transmission by any means.

(17) WEB PAGE- The term `Web page' means a location, with respect to the World Wide Web, that has a single Uniform Resource Locator or another single location with respect to the Internet, as the Federal Trade Commission may prescribe.

SEC. 11. APPLICABILITY AND SUNSET.

(a) Effective Date- Except as specifically provided otherwise in this Act, this Act shall take effect upon the expiration of the 12-month period that begins on the date of the enactment of this Act.

(b) Applicability- Section 3 shall not apply to an information collection program installed on a protected computer before the effective date under subsection (a) of this section.

(c) Sunset- This Act shall not apply after December 31, 2010.