                                                      PRINTER'S NO. 2924

THE GENERAL ASSEMBLY OF PENNSYLVANIA


HOUSE BILL

No. 2005 Session of 2005


        INTRODUCED BY FLICK, PRESTON, RAMALEY, REICHLEY, ADOLPH, ARGALL,
           ARMSTRONG, BAKER, BALDWIN, BELARDI, BENNINGHOFF, BOYD, BUNT,
           BUXTON, CALTAGIRONE, CAPPELLI, CIVERA, CLYMER, COHEN,
           CRAHALLA, DALEY, DALLY, DENLINGER, DeWEESE, FABRIZIO,
           FAIRCHILD, FICHTER, GEIST, GEORGE, GOODMAN, HARHAI, HARRIS,
           HENNESSEY, HERMAN, JOSEPHS, KOTIK, LEDERER, LEH, MANN,
           MARKOSEK, R. MILLER, MUNDY, PETRARCA, PHILLIPS, PICKETT,
           READSHAW, RUBLEY, SEMMEL, SHANER, SHAPIRO, B. SMITH, SOLOBAY,
           R. STEVENSON, E. Z. TAYLOR, THOMAS, TIGUE, WANSACZ, WILT,
           WOJNAROSKI, WRIGHT AND YOUNGBLOOD, OCTOBER 25, 2005

        REFERRED TO COMMITTEE ON CONSUMER AFFAIRS, OCTOBER 25, 2005

                                     AN ACT

     1  Prohibiting the installation, transmission and use of computer
     2     software that collects personally identifiable information;
     3     authorizing the Attorney General and district attorneys to
     4     bring civil actions against persons who violate this act; and
     5     providing for damages.

     6     The General Assembly of the Commonwealth of Pennsylvania
     7  hereby enacts as follows:
     8  Section 1.  Short title.
     9     This act shall be known and may be cited as the Computer
    10  Spyware Protection Act.
    11  Section 2.  Legislative intent.
    12     It is the intent of the General Assembly to protect owners
    13  and operators of computers in this Commonwealth from the use of
    14  spyware and malicious software, commonly referred to as malware,
    15  that is deceptively or surreptitiously installed on the owner's


     1  or the operator's computer.
     2  Section 3.  Definitions.
     3     The following words and phrases when used in this act shall
     4  have the meanings given to them in this section unless the
     5  context clearly indicates otherwise:
     6     "Cause to be copied."  To distribute or transfer computer
     7  software, or any component thereof. The term shall not include
     8  the following:
     9         (1)  Transmission, routing, provision of intermediate
    10     temporary storage or caching of software.
    11         (2)  A storage or hosting medium, such as a compact disc,
    12     web site or computer server through which the software was
    13     distributed by a third party.
    14         (3)  An information location tool, such as a directory,
    15     index, reference, pointer or hypertext link, through which
    16     the user of the computer located the software.
    17     "Computer software."  A sequence of instructions written in
    18  any programming language that is executed on a computer. The
    19  term does not include a data component of a web page that is not
    20  executable independently of the web page.
    21     "Computer virus."  A computer program or other set of
    22  instructions that is designed to degrade the performance of or
    23  disable a computer or computer network and is designed to have
    24  the ability to replicate itself on other computers or computer
    25  networks without the authorization of the owners of those
    26  computers or computer networks.
    27     "Damage."  Any significant impairment to the integrity or
    28  availability of data, software, a system or information.
    29     "Execute."  When used with respect to computer software, the
    30  term means the performance of the functions or the carrying out
    20050H2005B2924                  - 2 -     

     1  of the instructions of the computer software.
     2     "Intentionally deceptive."  Any of the following:
     3         (1)  An intentionally and materially false or fraudulent
     4     statement.
     5         (2)  A statement or description that intentionally omits
     6     or misrepresents material information in order to deceive an
     7     owner or operator of a computer.
     8         (3)  An intentional and material failure to provide a
     9     notice to an owner or operator regarding the installation or
    10     execution of computer software for the purpose of deceiving
    11     the owner or operator.
    12     "Internet."  The global information system that is logically
    13  linked together by a globally unique address space based on the
    14  Internet Protocol (IP), or its subsequent extensions, and that
    15  is able to support communications using the Transmission Control
    16  Protocol/Internet Protocol (TCP/IP) suite, or its subsequent
    17  extensions, or other IP-compatible protocols, and that provides,
    18  uses or makes accessible, either publicly or privately, high-
    19  level services layered on the communications and related
    20  infrastructure described in this section.
    21     "Message."  A graphical or text communication presented to an
    22  authorized user of a computer.
    23     "Owner or operator."  The owner or lessee of a computer or a
    24  person using such computer with the owner or lessee's
    25  authorization. The term does not include a person who owned a
    26  computer prior to the first retail sale of the computer.
    27     "Person."  Any individual, partnership, corporation, limited
    28  liability company or other organization, or any combination
    29  thereof.
    30     "Personally identifiable information."  Any of the following
     1  information if it allows the entity holding the information to
     2  identify the owner or operator of a computer:
     3         (1)  The first name or first initial in combination with
     4     the last name.
     5         (2)  A home or other physical address, including street
     6     name.
     7         (3)  Personal identification code in conjunction with a
     8     password required to access an identified account, other than
     9     a password, personal identification number or other
    10     identification number transmitted by an authorized user to
    11     the issuer of the account or its agent.
    12         (4)  Social Security number, tax identification number,
    13     driver's license number, passport number or any other
    14     government-issued identification number.
    15         (5)  Account balance, overdraft history or payment
    16     history that personally identifies an owner or operator of a
    17     computer.
    18  Section 4.  Prohibitions; use of software.
    19     It is unlawful for a person who is not an owner or operator
    20  of a computer to cause computer software to be copied on such
    21  computer knowingly or with conscious avoidance of actual
    22  knowledge or willfully use such software to do any of the
    23  following:
    24         (1)  Modify, through intentionally deceptive means,
    25     settings of a computer that control any of the following:
    26             (i)  The web page that appears when an owner or
    27         operator launches an Internet browser or similar computer
    28         software used to access and navigate the Internet.
    29             (ii)  The default provider or web proxy that an owner
    30         or operator uses to access or search the Internet.
     1             (iii)  An owner's or an operator's list of bookmarks
     2         used to access web pages.
     3         (2)  Collect, through intentionally deceptive means,
     4     personally identifiable information through any of the
     5     following means:
     6             (i)  The use of a keystroke-logging function that
     7         records all or substantially all keystrokes made by an
     8         owner or operator of a computer and transfers that
     9         information from the computer to another person.
    10             (ii)  In a manner that correlates personally
    11         identifiable information with data regarding all or
    12         substantially all of the Internet sites visited by an
    13         owner or operator, other than Internet sites operated by
    14         the person providing such software, if the computer
    15         software was installed in a manner designed to conceal
    16         from all authorized users of the computer the fact that
    17         the software is being installed.
    18             (iii)  By extracting from the hard drive of an
    19         owner's or an operator's computer, an owner's or an
    20         operator's Social Security number, tax identification
    21         number, driver's license number, passport number, any
    22         other government-issued identification number, account
    23         balances or overdraft history for a purpose unrelated to
    24         any of the purposes of the software or service described
    25         to an authorized user.
    26         (3)  Prevent, through intentionally deceptive means, an
    27     owner's or an operator's reasonable efforts to block the
    28     installation of or execution of or to disable computer
    29     software by causing computer software that the owner or
    30     operator has properly removed or disabled to automatically
     1     reinstall or reactivate on the computer without the
     2     authorization of an authorized user.
     3         (4)  Intentionally misrepresent that computer software
     4     will be uninstalled or disabled by an owner's or an
     5     operator's action.
     6         (5)  Through intentionally deceptive means, remove,
     7     disable or render inoperative security, antispyware or
     8     antivirus computer software installed on an owner's or an
     9     operator's computer.
    10         (6)  Enable use of an owner's or an operator's computer
    11     to do any of the following:
    12             (i)  Accessing or using a modem or Internet service
    13         for the purpose of causing damage to an owner's or an
    14         operator's computer or causing an owner or operator or a
    15         third party affected by such conduct to incur financial
    16         charges for a service that the owner or operator did not
    17         authorize.
    18             (ii)  Opening multiple, sequential, stand-alone
    19         messages in an owner's or an operator's computer without
    20         the authorization of an owner or operator and with
    21         knowledge that a reasonable computer user could not close
    22         the messages without turning off the computer or closing
    23         the software application in which the messages appear;
    24         provided that this paragraph shall not apply to
    25         communications originated by the computer's operating
    26         system, originated by a software application that the
    27         user chooses to activate, originated by a service
    28         provider that the user chooses to use or presented for
    29         any of the purposes described in section 6.
    30             (iii)  Transmitting or relaying commercial electronic
     1         mail or a computer virus from the computer, where the
     2         transmission or relaying is initiated by a person other
     3         than the authorized user and without the authorization of
     4         an authorized user.
     5         (7)  Modify any of the following settings related to the
     6     computer's access to or use of the Internet:
     7             (i)  Settings that protect information about an owner
     8         or operator for the purpose of taking personally
     9         identifiable information of the owner or operator.
    10             (ii)  Security settings for the purpose of causing
    11         damage to a computer.
    12             (iii)  Settings that protect the computer from the
    13         uses identified in paragraph (6).
    14         (8)  Prevent, without the authorization of an owner or
    15     operator, an owner's or an operator's reasonable efforts to
    16     block the installation of or to disable computer software by
    17     doing any of the following:
    18             (i)  Presenting the owner or operator with an option
    19         to decline installation of computer software with
    20         knowledge that, when the option is selected by the
    21         authorized user, the installation nevertheless proceeds.
    22             (ii)  Falsely representing that computer software has
    23         been disabled.
    24             (iii)  Requiring in an intentionally deceptive manner
    25         the user to access the Internet to remove the software
    26         with knowledge or reckless disregard of the fact that the
    27         software frequently operates in a manner that prevents
    28         the user from accessing the Internet.
    29             (iv)  Changing the name, location or other
    30         designation information of the software for the purpose
     1         of preventing an authorized user from locating the
     2         software to remove it.
     3             (v)  Using randomized or intentionally deceptive
     4         filenames, directory folders, formats or registry entries
     5         for the purpose of avoiding detection and removal of the
     6         software by an authorized user.
     7             (vi)  Causing the installation of software in a
     8         particular computer directory or computer memory for the
     9         purpose of evading authorized users' attempts to remove
    10         the software from the computer.
    11             (vii)  Requiring, without the authority of the owner
    12         of the computer, that an authorized user obtain a special
    13         code or download software from a third party to uninstall
    14         the software.
    15  Section 5.  Other prohibitions.
    16     It is unlawful for a person who is not an owner or operator
    17  of a computer to do any of the following with regard to the
    18  computer:
    19         (1)  Induce an owner or operator to install a computer
    20     software component onto the owner's or the operator's
    21     computer by intentionally misrepresenting that installing
    22     computer software is necessary for security or privacy
    23     reasons or in order to open, view or play a particular type
    24     of content.
    25         (2)  Using intentionally deceptive means to cause the
    26     execution of a computer software component with the intent of
    27     causing the computer to use such component in a manner that
    28     violates any other provision of this chapter.
    29  Section 6.  Exceptions.
    30     Sections 4 and 5 shall not apply to the monitoring of or
     1  interaction with an owner's or an operator's Internet or other
     2  network connection, service or computer by a telecommunications
     3  carrier, cable operator, computer hardware or software provider
     4  or provider of information service or interactive computer
     5  service for network or computer security purposes, diagnostics,
     6  technical support, maintenance, repair, network management,
     7  authorized updates of computer software or system firmware,
     8  authorized remote system management or detection or prevention
     9  of the unauthorized use of or fraudulent or other illegal
    10  activities in connection with a network, service or computer
    11  software, including scanning for and removing computer software
    12  prescribed under this act.
    13  Section 7.  Remedies.
    14     (a)  Civil actions.--The Attorney General, an Internet
    15  service provider or software company that expends resources in
    16  good faith assisting authorized users harmed by a violation of
    17  this act; or a trademark owner whose mark is used to deceive
    18  authorized users in violation of this act, may bring a civil
    19  action against a person who violates any provision of this act
    20  to recover actual damages, liquidated damages of at least $1,000
    21  per violation of this act, not to exceed $1,000,000 for a
    22  pattern or practice of such violations, attorney fees and costs.
    23     (b)  Treble damages.--The court may increase a damage award
    24  to an amount equal to not more than three times the amount
    25  otherwise recoverable under subsection (a) if the court
    26  determines that the defendant committed the violation willfully
    27  and knowingly.
    28     (c)  Liquidated damages.--The court may reduce liquidated
    29  damages recoverable under subsection (a), to a minimum of $100,
    30  not to exceed $100,000 for each violation if the court finds
     1  that the defendant established and implemented practices and
     2  procedures reasonably designed to prevent a violation of this
     3  act.
     4     (d)  Other damages.--In the case of a violation of section
     5  4(6)(i) that causes a telecommunications carrier or provider of
     6  voice over Internet protocol service to incur costs for the
     7  origination, transport or termination of a call triggered using
     8  the modem or Internet-capable device of a customer of such
     9  telecommunications carrier or provider as a result of such
    10  violation, the telecommunications carrier may bring a civil
    11  action against the violator to recover any or all of the
    12  following:
    13         (1)  The charges such carrier or provider is obligated to
    14     pay to another carrier or to an information service provider
    15     as a result of the violation, including, but not limited to,
    16     charges for the origination, transport or termination of the
    17     call.
    18         (2)  Costs of handling customer inquiries or complaints
    19     with respect to amounts billed for such calls.
    20         (3)  Costs and a reasonable attorney fee.
    21         (4)  An order to enjoin the violation.
    22     (e)  Multiple violations.--For purposes of a civil action
    23  under subsections (a), (b) and (c), any single action or conduct
    24  that violates more than one of the provisions of this act shall
    25  be considered multiple violations based on the number of
    26  provisions violated.
    27  Section 8.  Good Samaritan.
    28     (a)  Liability.--No provider of computer software or of an
    29  interactive computer service may be held liable for identifying,
    30  naming, removing, disabling or otherwise affecting a computer
     1  program through any action voluntarily undertaken or service
     2  provided where the provider:
     3         (1)  Intends to identify accurately, prevent the
     4     installation or execution of, remove or disable another
     5     computer program on a computer of a customer of the provider.
     6         (2)  Reasonably believes the computer program exhibits
     7     behavior that violates this act.
     8         (3)  Notifies the authorized user and obtains clear and
     9     conspicuous consent before undertaking such action or
    10     providing such service.
    11     (b)  Requirements.--A provider of computer software or
    12  interactive computer service is entitled to protection under
    13  this section only if such provider:
    14         (1)  Has established internal practices and procedures to
    15     evaluate computer programs reasonably designed to determine
    16     whether or not a computer program exhibits behavior that
    17     violates this act.
    18         (2)  Has established a process for managing disputes and
    19     inquiries regarding misclassification or false positive
    20     identifications of computer programs.
    21     (c)  Attorney General, district attorney.--Nothing in this
    22  section is intended to limit the ability of the Attorney General
    23  or a district attorney to bring an action against a provider of
    24  computer software or of an interactive computer service.
    25  Section 9.  Severability.
    26     The provisions of this act are severable. If any provision of
    27  this act or its application to any person or circumstance is
    28  held invalid, the invalidity shall not affect other provisions
    29  or applications of this act which can be given effect without
    30  the invalid provision or application.
     1  Section 10.  Repeal.
     2     All acts and parts of acts are repealed insofar as they are
     3  inconsistent with this act.
     4  Section 11.  Effective date.
     5     This act shall take effect in 60 days.