PRINTER'S NO. 2924
No. 2005 Session of 2005
INTRODUCED BY FLICK, PRESTON, RAMALEY, REICHLEY, ADOLPH, ARGALL, ARMSTRONG, BAKER, BALDWIN, BELARDI, BENNINGHOFF, BOYD, BUNT, BUXTON, CALTAGIRONE, CAPPELLI, CIVERA, CLYMER, COHEN, CRAHALLA, DALEY, DALLY, DENLINGER, DeWEESE, FABRIZIO, FAIRCHILD, FICHTER, GEIST, GEORGE, GOODMAN, HARHAI, HARRIS, HENNESSEY, HERMAN, JOSEPHS, KOTIK, LEDERER, LEH, MANN, MARKOSEK, R. MILLER, MUNDY, PETRARCA, PHILLIPS, PICKETT, READSHAW, RUBLEY, SEMMEL, SHANER, SHAPIRO, B. SMITH, SOLOBAY, R. STEVENSON, E. Z. TAYLOR, THOMAS, TIGUE, WANSACZ, WILT, WOJNAROSKI, WRIGHT AND YOUNGBLOOD, OCTOBER 25, 2005
REFERRED TO COMMITTEE ON CONSUMER AFFAIRS, OCTOBER 25, 2005
AN ACT 1 Prohibiting the installation, transmission and use of computer 2 software that collects personally identifiable information; 3 authorizing the Attorney General and district attorneys to 4 bring civil actions against persons who violate this act; and 5 providing for damages. 6 The General Assembly of the Commonwealth of Pennsylvania 7 hereby enacts as follows: 8 Section 1. Short title. 9 This act shall be known and may be cited as the Computer 10 Spyware Protection Act. 11 Section 2. Legislative intent. 12 It is the intent of the General Assembly to protect owners 13 and operators of computers in this Commonwealth from the use of 14 spyware and malicious software, commonly referred to as malware, 15 that is deceptively or surreptitiously installed on the owner's
1 or the operator's computer. 2 Section 3. Definitions. 3 The following words and phrases when used in this act shall 4 have the meanings given to them in this section unless the 5 context clearly indicates otherwise: 6 "Cause to be copied." To distribute or transfer computer 7 software, or any component thereof. The term shall not include 8 the following: 9 (1) Transmission, routing, provision of intermediate 10 temporary storage or caching of software. 11 (2) A storage or hosting medium, such as a compact disc, 12 web site or computer server through which the software was 13 distributed by a third party. 14 (3) An information location tool, such as a directory, 15 index, reference, pointer or hypertext link, through which 16 the user of the computer located the software. 17 "Computer software." A sequence of instructions written in 18 any programming language that is executed on a computer. The 19 term does not include a data component of a web page that is not 20 executable independently of the web page. 21 "Computer virus." A computer program or other set of 22 instructions that is designed to degrade the performance of or 23 disable a computer or computer network and is designed to have 24 the ability to replicate itself on other computers or computer 25 networks without the authorization of the owners of those 26 computers or computer networks. 27 "Damage." Any significant impairment to the integrity or 28 availability of data, software, a system or information. 29 "Execute." When used with respect to computer software, the 30 term means the performance of the functions or the carrying out 20050H2005B2924 - 2 -
1 of the instructions of the computer software. 2 "Intentionally deceptive." Any of the following: 3 (1) An intentionally and materially false or fraudulent 4 statement. 5 (2) A statement or description that intentionally omits 6 or misrepresents material information in order to deceive an 7 owner or operator of a computer. 8 (3) An intentional and material failure to provide a 9 notice to an owner or operator regarding the installation or 10 execution of computer software for the purpose of deceiving 11 the owner or operator. 12 "Internet." The global information system that is logically 13 linked together by a globally unique address space based on the 14 Internet Protocol (IP), or its subsequent extensions, and that 15 is able to support communications using the Transmission Control 16 Protocol/Internet Protocol (TCP/IP) suite, or its subsequent 17 extensions, or other IP-compatible protocols, and that provides, 18 uses or makes accessible, either publicly or privately, high- 19 level services layered on the communications and related 20 infrastructure described in this section. 21 "Message." A graphical or text communication presented to an 22 authorized user of a computer. 23 "Owner or operator." The owner or lessee of a computer or a 24 person using such computer with the owner or lessee's 25 authorization. The term does not include a person who owned a 26 computer prior to the first retail sale of the computer. 27 "Person." Any individual, partnership, corporation, limited 28 liability company or other organization, or any combination 29 thereof. 30 "Personally identifiable information." Any of the following 20050H2005B2924 - 3 -
1 information if it allows the entity holding the information to 2 identify the owner or operator of a computer: 3 (1) The first name or first initial in combination with 4 the last name. 5 (2) A home or other physical address, including street 6 name. 7 (3) Personal identification code in conjunction with a 8 password required to access an identified account, other than 9 a password, personal identification number or other 10 identification number transmitted by an authorized user to 11 the issuer of the account or its agent. 12 (4) Social Security number, tax identification number, 13 driver's license number, passport number or any other 14 government-issued identification number. 15 (5) Account balance, overdraft history or payment 16 history that personally identifies an owner or operator of a 17 computer. 18 Section 4. Prohibitions; use of software. 19 It is unlawful for a person who is not an owner or operator 20 of a computer to cause computer software to be copied on such 21 computer knowingly or with conscious avoidance of actual 22 knowledge or willfully use such software to do any of the 23 following: 24 (1) Modify, through intentionally deceptive means, 25 settings of a computer that control any of the following: 26 (i) The web page that appears when an owner or 27 operator launches an Internet browser or similar computer 28 software used to access and navigate the Internet. 29 (ii) The default provider or web proxy that an owner 30 or operator uses to access or search the Internet. 20050H2005B2924 - 4 -
1 (iii) An owner's or an operator's list of bookmarks 2 used to access web pages. 3 (2) Collect, through intentionally deceptive means, 4 personally identifiable information through any of the 5 following means: 6 (i) The use of a keystroke-logging function that 7 records all or substantially all keystrokes made by an 8 owner or operator of a computer and transfers that 9 information from the computer to another person. 10 (ii) In a manner that correlates personally 11 identifiable information with data regarding all or 12 substantially all of the Internet sites visited by an 13 owner or operator, other than Internet sites operated by 14 the person providing such software, if the computer 15 software was installed in a manner designed to conceal 16 from all authorized users of the computer the fact that 17 the software is being installed. 18 (iii) By extracting from the hard drive of an 19 owner's or an operator's computer, an owner's or an 20 operator's Social Security number, tax identification 21 number, driver's license number, passport number, any 22 other government-issued identification number, account 23 balances or overdraft history for a purpose unrelated to 24 any of the purposes of the software or service described 25 to an authorized user. 26 (3) Prevent, through intentionally deceptive means, an 27 owner's or an operator's reasonable efforts to block the 28 installation of or execution of or to disable computer 29 software by causing computer software that the owner or 30 operator has properly removed or disabled to automatically 20050H2005B2924 - 5 -
1 reinstall or reactivate on the computer without the 2 authorization of an authorized user. 3 (4) Intentionally misrepresent that computer software 4 will be uninstalled or disabled by an owner's or an 5 operator's action. 6 (5) Through intentionally deceptive means, remove, 7 disable or render inoperative security, antispyware or 8 antivirus computer software installed on an owner's or an 9 operator's computer. 10 (6) Enable use of an owner's or an operator's computer 11 to do any of the following: 12 (i) Accessing or using a modem or Internet service 13 for the purpose of causing damage to an owner's or an 14 operator's computer or causing an owner or operator or a 15 third party affected by such conduct to incur financial 16 charges for a service that the owner or operator did not 17 authorize. 18 (ii) Opening multiple, sequential, stand-alone 19 messages in an owner's or an operator's computer without 20 the authorization of an owner or operator and with 21 knowledge that a reasonable computer user could not close 22 the messages without turning off the computer or closing 23 the software application in which the messages appear; 24 provided that this paragraph shall not apply to 25 communications originated by the computer's operating 26 system, originated by a software application that the 27 user chooses to activate, originated by a service 28 provider that the user chooses to use or presented for 29 any of the purposes described in section 6. 30 (iii) Transmitting or relaying commercial electronic 20050H2005B2924 - 6 -
1 mail or a computer virus from the computer, where the 2 transmission or relaying is initiated by a person other 3 than the authorized user and without the authorization of 4 an authorized user. 5 (7) Modify any of the following settings related to the 6 computer's access to or use of the Internet: 7 (i) Settings that protect information about an owner 8 or operator for the purpose of taking personally 9 identifiable information of the owner or operator. 10 (ii) Security settings for the purpose of causing 11 damage to a computer. 12 (iii) Settings that protect the computer from the 13 uses identified in paragraph (6). 14 (8) Prevent, without the authorization of an owner or 15 operator, an owner's or an operator's reasonable efforts to 16 block the installation of or to disable computer software by 17 doing any of the following: 18 (i) Presenting the owner or operator with an option 19 to decline installation of computer software with 20 knowledge that, when the option is selected by the 21 authorized user, the installation nevertheless proceeds. 22 (ii) Falsely representing that computer software has 23 been disabled. 24 (iii) Requiring in an intentionally deceptive manner 25 the user to access the Internet to remove the software 26 with knowledge or reckless disregard of the fact that the 27 software frequently operates in a manner that prevents 28 the user from accessing the Internet. 29 (iv) Changing the name, location or other 30 designation information of the software for the purpose 20050H2005B2924 - 7 -
1 of preventing an authorized user from locating the 2 software to remove it. 3 (v) Using randomized or intentionally deceptive 4 filenames, directory folders, formats or registry entries 5 for the purpose of avoiding detection and removal of the 6 software by an authorized user. 7 (vi) Causing the installation of software in a 8 particular computer directory or computer memory for the 9 purpose of evading authorized users' attempts to remove 10 the software from the computer. 11 (vii) Requiring, without the authority of the owner 12 of the computer, that an authorized user obtain a special 13 code or download software from a third party to uninstall 14 the software. 15 Section 5. Other prohibitions. 16 It is unlawful for a person who is not an owner or operator 17 of a computer to do any of the following with regard to the 18 computer: 19 (1) Induce an owner or operator to install a computer 20 software component onto the owner's or the operator's 21 computer by intentionally misrepresenting that installing 22 computer software is necessary for security or privacy 23 reasons or in order to open, view or play a particular type 24 of content. 25 (2) Using intentionally deceptive means to cause the 26 execution of a computer software component with the intent of 27 causing the computer to use such component in a manner that 28 violates any other provision of this chapter. 29 Section 6. Exceptions. 30 Sections 4 and 5 shall not apply to the monitoring of or 20050H2005B2924 - 8 -
1 interaction with an owner's or an operator's Internet or other 2 network connection, service or computer by a telecommunications 3 carrier, cable operator, computer hardware or software provider 4 or provider of information service or interactive computer 5 service for network or computer security purposes, diagnostics, 6 technical support, maintenance, repair, network management, 7 authorized updates of computer software or system firmware, 8 authorized remote system management or detection or prevention 9 of the unauthorized use of or fraudulent or other illegal 10 activities in connection with a network, service or computer 11 software, including scanning for and removing computer software 12 prescribed under this act. 13 Section 7. Remedies. 14 (a) Civil actions.--The Attorney General, an Internet 15 service provider or software company that expends resources in 16 good faith assisting authorized users harmed by a violation of 17 this act; or a trademark owner whose mark is used to deceive 18 authorized users in violation of this act, may bring a civil 19 action against a person who violates any provision of this act 20 to recover actual damages, liquidated damages of at least $1,000 21 per violation of this act, not to exceed $1,000,000 for a 22 pattern or practice of such violations, attorney fees and costs. 23 (b) Trebel damages.--The court may increase a damage award 24 to an amount equal to not more than three times the amount 25 otherwise recoverable under subsection (a) if the court 26 determines that the defendant committed the violation willfully 27 and knowingly. 28 (c) Liquidated damages.--The court may reduce liquidated 29 damages recoverable under subsection (a), to a minimum of $100, 30 not to exceed $100,000 for each violation if the court finds 20050H2005B2924 - 9 -
1 that the defendant established and implemented practices and 2 procedures reasonably designed to prevent a violation of this 3 act. 4 (d) Other damages.--In the case of a violation of section 5 4(6)(i) that causes a telecommunications carrier or provider of 6 voice over Internet protocol service to incur costs for the 7 origination, transport or termination of a call triggered using 8 the modem or Internet-capable device of a customer of such 9 telecommunications carrier or provider as a result of such 10 violation, the telecommunications carrier may bring a civil 11 action against the violator to recover any or all of the 12 following: 13 (1) The charges such carrier or provider is obligated to 14 pay to another carrier or to an information service provider 15 as a result of the violation, including, but not limited to, 16 charges for the origination, transport or termination of the 17 call. 18 (2) Costs of handling customer inquiries or complaints 19 with respect to amounts billed for such calls. 20 (3) Costs and a reasonable attorney fee. 21 (4) An order to enjoin the violation. 22 (e) Multiple violations.--For purposes of a civil action 23 under subsections (a), (b) and (c), any single action or conduct 24 that violates more than one of the provisions of this act shall 25 be considered multiple violations based on the number of 26 provisions violated. 27 Section 8. Good Samaritan. 28 (a) Liability.--No provider of computer software or of an 29 interactive computer service may be held liable for identifying, 30 naming, removing, disabling or otherwise affecting a computer 20050H2005B2924 - 10 -
1 program through any action voluntarily undertaken or service 2 provided where the provider: 3 (1) Intends to identify accurately, prevent the 4 installation or execution of, remove or disable another 5 computer program on a computer of a customer of the provider. 6 (2) Reasonably believes the computer program exhibits 7 behavior that violates this act. 8 (3) Notifies the authorized user and obtains clear and 9 conspicuous consent before undertaking such action or 10 providing such service. 11 (b) Requirements.--A provider of computer software or 12 interactive computer service is entitled to protection under 13 this section only if such provider: 14 (1) Has established internal practices and procedures to 15 evaluate computer programs reasonably designed to determine 16 whether or not a computer program exhibits behavior that 17 violates this act. 18 (2) Has established a process for managing disputes and 19 inquiries regarding misclassification or false positive 20 identifications of computer programs. 21 (c) Attorney General, district attorney.--Nothing in this 22 section is intended to limit the ability of the Attorney General 23 or a district attorney to bring an action against a provider of 24 computer software or of an interactive computer service. 25 Section 9. Severability. 26 The provisions of this act are severable. If any provision of 27 this act or its application to any person or circumstance is 28 held invalid, the invalidity shall not affect other provisions 29 or applications of this act which can be given effect without 30 the invalid provision or application. 20050H2005B2924 - 11 -
1 Section 10. Repeal. 2 All acts and parts of acts are repealed insofar as they are 3 inconsistent with this act. 4 Section 11. Effective date. 5 This act shall take effect in 60 days. J4L12JS/20050H2005B2924 - 12 -