                                                       PRINTER'S NO. 925

THE GENERAL ASSEMBLY OF PENNSYLVANIA


SENATE BILL

No. 711 Session of 2007


        INTRODUCED BY GORDNER, WONDERLING, ARMSTRONG, BOSCOLA, BRUBAKER,
           CORMAN, COSTA, ERICKSON, FERLO, FOLMER, FONTANA, KASUNIC,
           LAVALLE, LOGAN, O'PAKE, ORIE, PIPPY, RAFFERTY, STACK,
           TARTAGLIONE, VANCE, WASHINGTON, WAUGH, C. WILLIAMS AND
           WOZNIAK, APRIL 30, 2007

        REFERRED TO COMMUNICATIONS AND TECHNOLOGY, APRIL 30, 2007

                                     AN ACT

     1  Providing for the protection of consumers from having spyware
     2     deceptively installed on their computers and for criminal and
     3     civil enforcement.

     4                         TABLE OF CONTENTS
     5  Section 1.  Short title.
     6  Section 2.  Definitions.
     7  Section 3.  Computer spyware prohibitions.
     8  Section 4.  Control or modification.
     9  Section 5.  Misrepresentation and deception.
    10  Section 6.  Nonapplicability.
    11  Section 7.  Criminal enforcement.
    12  Section 8.  Penalty.
    13  Section 9.  Civil relief.
    14  Section 10.  Effective date.
    15     The General Assembly of the Commonwealth of Pennsylvania
    16  hereby enacts as follows:
    17  Section 1.  Short title.

     1     This act shall be known and may be cited as the Consumer
     2  Protection Against Computer Spyware Act.
     3  Section 2.  Definitions.
     4     The following words and phrases when used in this act shall
     5  have the meanings given to them in this section unless the
     6  context clearly indicates otherwise:
     7     "Authorized user."  With respect to a computer, a person who
     8  owns or is authorized by the owner or lessee to use the
     9  computer.
    10     "Cause to be copied."  To distribute, transfer or procure the
    11  copying of computer software or any component thereof. The term
    12  shall not include the following:
    13         (1)  Transmission, routing, provision of intermediate
    14     temporary storage or caching of software.
    15         (2)  A storage or hosting medium, such as a compact disc,
    16     Internet website or computer server, through which the
    17     software was distributed by a third party.
    18         (3)  An information location tool, such as a directory,
    19     index, reference, pointer or hypertext link, through which
    20     the user of the computer located the software.
    21     "Communications provider."  Entity providing communications
    22  networks or services that enable consumers to access the
    23  Internet or destinations on the public switched telephone
    24  network via a computer modem. This term shall include cable
    25  service providers that also provide telephone services and
    26  providers of Voice over Internet Protocol services.
    27     "Computer software."  A sequence of instructions written in
    28  any programming language that is executed on a computer. The
    29  term shall not include a text or data file, an Internet website
    30  or a data component of an Internet website that is not
    20070S0711B0925                  - 2 -     

     1  executable independently of the Internet website.
     2     "Computer virus."  A computer program or other set of
     3  instructions that is designed to degrade the performance of or
     4  disable a computer, computer network or computer software and is
     5  designed to have the ability to replicate itself on other
     6  computers or computer networks without the authorization of the
     7  owners of those computers or computer networks.
     8     "Damage."  Any material impairment to the integrity,
     9  functionality or availability of data, software, a computer, a
    10  system or information.
    11     "Deceptive" or "deception."  Includes, but is not limited to:
    12         (1)  An intentionally and materially false or fraudulent
    13     statement.
    14         (2)  A statement or description that intentionally omits
    15     or misrepresents material information in order to deceive the
    16     authorized user.
    17         (3)  An intentional and material failure to provide any
    18     notice to an authorized user regarding the download or
    19     installation of software in order to deceive the authorized
    20     user.
    21     "Execute."  With respect to computer software, the
    22  performance of the functions or the carrying out of the
    23  instructions of the computer software.
    24     "Internet."  The global information system that is logically
    25  linked together by a globally unique address space based on the
    26  Internet Protocol (IP), or its subsequent extensions, and that
    27  is able to support communications using the Transmission Control
    28  Protocol/Internet Protocol (TCP/IP) suite, or its subsequent
    29  extensions, or other IP-compatible protocols, and that provides,
    30  uses or makes accessible, either publicly or privately, high-

     1  level services layered on the communications and related
     2  infrastructure described in this act.
     3     "Message."  A graphical or text communication presented to an
     4  authorized user of a computer other than communications
     5  originated and sent by the computer's operating system or
     6  communications presented for any of the purposes described in
     7  section 6.
     8     "Person."  Any individual, partnership, corporation, limited
     9  liability company or other organization, or any combination
    10  thereof.
    11     "Personally identifiable information."  The term shall
    12  include any of the following:
    13         (1)  First name or first initial in combination with last
    14     name.
    15         (2)  Credit or debit card numbers or other financial
    16     account numbers.
    17         (3)  A password or personal identification number
    18     required to access an identified financial account other than
    19     a password, personal identification number or other
    20     identification number transmitted by an authorized user to
    21     the issuer of the account or its agent.
    22         (4)  Social Security number.
    23         (5)  Any of the following information in a form that
    24     personally identifies an authorized user:
    25             (i)  Account balances.
    26             (ii)  Overdraft history.
    27             (iii)  Payment history.
    28             (iv)  A history of Internet websites visited.
    29             (v)  Home address.
    30             (vi)  Work address.

     1             (vii)  A record of a purchase or purchases.
     2     "Procure the copying."  To pay or provide other consideration
     3  to, or induce another person to cause software to be copied onto
     4  a computer.
     5  Section 3.  Computer spyware prohibitions.
     6     A person or entity that is not an authorized user shall not,
     7  with actual knowledge, with conscious avoidance of actual
     8  knowledge, or willfully, cause computer software to be copied or
     9  procure the copying onto the computer of an authorized user in
    10  this Commonwealth and use the software to do any of the
    11  following acts or any other acts deemed to be deceptive:
    12         (1)  Modify through deceptive means any of the following
    13     settings related to the computer's access to or use of the
    14     Internet:
    15             (i)  The page that appears when an authorized user
    16         launches an Internet browser or similar software program
    17         used to access and navigate the Internet.
    18             (ii)  The default provider or Internet website proxy
    19         the authorized user uses to access or search the
    20         Internet.
    21             (iii)  The authorized user's list of bookmarks used
    22         to access Internet website pages.
    23         (2)  Collect through deceptive means personally
    24     identifiable information that meets any of the following
    25     criteria:
    26             (i)  It is collected through the use of a keystroke-
    27         logging function that records all keystrokes made by an
    28         authorized user who uses the computer and transfers that
    29         information from the computer to another person.
    30             (ii)  It includes all or substantially all of the

     1         Internet websites visited by an authorized user, other
     2         than Internet websites of the provider of the software,
     3         if the computer software was installed in a manner
     4         designed to conceal from all authorized users of the
     5         computer the fact that the software is being installed.
     6             (iii)  It is a data element described in paragraph
     7         (2), (3), (4) or (5)(i) or (ii) of the definition of
     8         "personally identifiable information" that is extracted
     9         from the authorized user's computer hard drive for a
    10         purpose wholly unrelated to any of the purposes of the
    11         software or service described to an authorized user.
    12         (3)  Prevent, without the authorization of an authorized
    13     user, through deceptive means an authorized user's reasonable
    14     efforts to block the installation of or to disable software
    15     by causing software that the authorized user has properly
    16     removed or disabled to automatically reinstall or reactivate
    17     on the computer without the authorization of an authorized
    18     user.
    19         (4)  Misrepresent that software will be uninstalled or
    20     disabled by an authorized user's action with knowledge that
    21     the software will not be so uninstalled or disabled.
    22         (5)  Through deceptive means, remove, disable or render
    23     inoperative security, antispyware or antivirus software
    24     installed on the computer.
    25  Section 4.  Control or modification.
    26     A person or entity that is not an authorized user shall not,
    27  with actual knowledge, with conscious avoidance of actual
    28  knowledge, or willfully, cause computer software to be copied or
    29  procure the copying onto the computer of an authorized user in
    30  this Commonwealth and use the software to do any of the

     1  following acts or any other acts deemed to be deceptive:
     2         (1)  Take control of the authorized user's computer by
     3     doing any of the following:
     4             (i)  Transmitting or relaying commercial electronic
     5         mail or a computer virus from the authorized user's
     6         computer, where the transmission or relaying is initiated
     7         by a person other than the authorized user and without
     8         the authorization of an authorized user.
     9             (ii)  Accessing or using the authorized user's modem
    10         or Internet service for the purpose of causing damage to
    11         the authorized user's computer or of causing an
    12         authorized user to incur financial charges for a service
    13         that is not authorized by an authorized user.
    14             (iii)  Using the authorized user's computer as part
    15         of an activity performed by a group of computers for the
    16         purpose of causing damage to another computer, including,
    17         but not limited to, launching a denial of service attack.
    18             (iv)  Opening a series of stand-alone messages in the
    19         authorized user's computer without the authorization of
    20         an authorized user and with knowledge that a reasonable
    21         computer user cannot close the advertisements without
    22         turning off the computer or closing the Internet
    23         application.
    24         (2)  Modify any of the following settings related to the
    25     computer's access to or use of the Internet:
    26             (i)  An authorized user's security or other settings
    27         that protect information about the authorized user for
    28         the purpose of stealing personal information of an
    29         authorized user.
    30             (ii)  The security settings of the computer for the

     1         purpose of causing damage to one or more computers.
     2         (3)  Prevent, without the authorization of an authorized
     3     user, an authorized user's reasonable efforts to block the
     4     installation of or to disable software by doing any of the
     5     following:
     6             (i)  Presenting the authorized user with an option to
     7         decline installation of software with knowledge that,
     8         when the option is selected by the authorized user, the
     9         installation nevertheless proceeds.
    10             (ii)  Falsely representing that software has been
    11         disabled.
    12             (iii)  Requiring in a deceptive manner the user to
    13         access the Internet to remove the software with knowledge
    14         or reckless disregard of the fact that the software
    15         frequently operates in a manner that prevents the user
    16         from accessing the Internet.
    17             (iv)  Changing the name, location or other
    18         designation information of the software for the purpose
    19         of preventing an authorized user from locating the
    20         software to remove it.
    21             (v)  Using randomized or deceptive file names,
    22         directory folders, formats or registry entries for the
    23         purpose of avoiding detection and removal of the software
    24         by an authorized user.
    25             (vi)  Causing the installation of software in a
    26         particular computer directory or computer memory for the
    27         purpose of evading authorized users' attempts to remove
    28         the software from the computer.
    29             (vii)  Requiring, without the authority of the owner
    30         of the computer, that an authorized user obtain a special

     1         code or download software from a third party to uninstall
     2         the software.
     3  Section 5.  Misrepresentation and deception.
     4     A person or entity who is not an authorized user shall not do
     5  any of the following or any other misrepresenting and deceptive
     6  acts with regard to the computer of an authorized user in this
     7  Commonwealth:
     8         (1)  Induce an authorized user to install a software
     9     component onto the computer by misrepresenting that
    10     installing software is necessary for security or privacy
    11     reasons or in order to open, view or play a particular type
    12     of content.
    13         (2)  Causing the copying and execution on the computer of
    14     a computer software component with the intent of causing an
    15     authorized user to use the component in a way that violates
    16     any other provision of this section.
    17  Section 6.  Nonapplicability.
    18         (1)  Nothing in section 4 or 5 shall apply to any
    19     monitoring of or interaction with a user's Internet or other
    20     network connection or service, or a protected computer, by a
    21     cable operator, computer hardware or software provider or
    22     provider of information service or interactive computer
    23     service for network or computer security purposes,
    24     diagnostics, technical support, repair, authorized updates of
    25     software or system firmware, network management or
    26     maintenance, authorized remote system management or detection
    27     or prevention of the unauthorized use of or fraudulent or
    28     other illegal activities in connection with a network,
    29     service or computer software, including scanning for and
    30     removing software proscribed under this act.

     1         (2)  Nothing in this act shall limit the rights of
     2     providers of wire and electronic communications under 18
     3     U.S.C. § 2511 (relating to interception and disclosure of
     4     wire, oral, or electronic communications prohibited).
     5  Section 7.  Criminal enforcement.
     6     (a)  District attorneys.--The district attorneys of the
     7  several counties shall have authority to investigate and to
     8  institute criminal proceedings for any violations of this act.
     9     (b)  Attorney General.--In addition to the authority
    10  conferred upon the Attorney General under the act of October 15,
    11  1980 (P.L.950, No.164), known as the Commonwealth Attorneys Act,
    12  the Attorney General shall have the authority to investigate and
    13  institute criminal proceedings for any violation of this act. A
    14  person charged with a violation of this act by the Attorney
    15  General shall not have standing to challenge the authority of
    16  the Attorney General to investigate or prosecute the case, and,
    17  if any such challenge is made, the challenge shall be dismissed
    18  and no relief shall be available in the courts of this
    19  Commonwealth to the person making the challenge.
    20     (c)  Proceedings against persons outside Commonwealth.--In
    21  addition to powers conferred upon district attorneys and the
    22  Attorney General in subsections (a) and (b), district attorneys
    23  and the Attorney General shall have the authority to investigate
    24  and initiate criminal proceedings against persons for violations
    25  of this act in accordance with 18 Pa.C.S. § 102 (relating to
    26  territorial applicability).
    27  Section 8.  Penalty.
    28     Any person that violates the provisions of sections 3(2) and
    29  4(1)(i), (ii) and (iii) and (2) commits a felony of the second
    30  degree and shall, upon conviction, be sentenced to imprisonment

     1  for not less than one nor more than ten years or to pay a fine,
     2  notwithstanding 18 Pa.C.S. § 1101 (relating to fines), of not
     3  more than $25,000, or both.
     4  Section 9.  Civil relief.
     5     (a)  General rule.--Subject to the limitation set forth in
     6  subsection (g), the following persons may bring a civil action
     7  against a person who violates this act:
     8         (1)  A provider of computer software who is adversely
     9     affected by the violation.
    10         (2)  An Internet Service Provider who is adversely
    11     affected by the violation.
    12         (3)  A trademark owner whose trademark is used without
    13     the authorization of the owner to deceive users in the course
    14     of any of the deceptive practices prohibited by this section.
    15         (4)  The Attorney General.
    16     (b)  Additional remedies.--In addition to any other remedy
    17  provided by law, a permitted person bringing an action under
    18  this section may:
    19         (1)  Seek injunctive relief to restrain the violator from
    20     continuing the violation.
    21         (2)  Recover damages in an amount equal to the greater
    22     of:
    23             (i)  Actual damages arising from the violation.
    24             (ii)  Up to $100,000 for each violation, as the court
    25         considers just.
    26         (3)  Seek both injunctive relief and recovery of damages
    27     as provided by this subsection.
    28     (c)  Increase by court.--The court may increase an award of
    29  actual damages in an action brought under this section to an
    30  amount not to exceed three times the actual damages sustained if

     1  the court finds that the violations have occurred with a
     2  frequency with respect to a group of victims as to constitute a
     3  pattern or practice.
     4     (d)  Fees and costs.--A plaintiff who prevails in an action
     5  filed under this section is entitled to recover reasonable
     6  attorney fees and court costs.
     7     (e)  Communications provider relief.--In the case of a
     8  violation of section 4(1)(ii) that causes a communications
     9  provider to incur costs for the origination, transport or
    10  termination of a call triggered using the modem of a customer of
    11  the communications provider as a result of a violation, the
    12  communications provider may bring a civil action against the
    13  violator to recover any or all of the following:
    14         (1)  The charges the carrier is obligated to pay to
    15     another carrier or to an information service provider as a
    16     result of the violation, including, but not limited to,
    17     charges for the origination, transport or termination of the
    18     call.
    19         (2)  Costs of handling customer inquiries or complaints
    20     with respect to amounts billed for calls.
    21         (3)  Costs and a reasonable attorney fee.
    22         (4)  An order to enjoin the violation.
    23     (f)  Multiple violations.--For purposes of a civil action
    24  under this section, any single action or conduct that violates
    25  more than one paragraph of this act shall be considered multiple
    26  violations based on the number of such paragraphs violated.
    27     (g)  Unfair trade practice.--A violation of this act shall be
    28  deemed to be an unfair or deceptive act or practice in violation
    29  of the act of December 17, 1968 (P.L.1224, No.387), known as the
    30  Unfair Trade Practices and Consumer Protection Law. The Office

     1  of Attorney General shall have exclusive authority to bring an
     2  action under the Unfair Trade Practices and Consumer Protection
     3  Law for a violation of that act.
     4  Section 10.  Effective date.
     5     This act shall take effect in 60 days.
















