See other bills
under the
same topic
                                                       PRINTER'S NO. 858

THE GENERAL ASSEMBLY OF PENNSYLVANIA


SENATE BILL

No. 711 Session of 2005


        INTRODUCED BY GORDNER, WONDERLING, C. WILLIAMS, RAFFERTY, COSTA,
           CORMAN, WOZNIAK, PIPPY, PICCOLA, VANCE, LOGAN, ERICKSON,
           WAUGH, RHOADES, BOSCOLA, TARTAGLIONE, KITCHEN, THOMPSON,
           O'PAKE, GREENLEAF AND STACK, JUNE 3, 2005

        REFERRED TO COMMUNICATIONS AND TECHNOLOGY, JUNE 3, 2005

                                     AN ACT

     1  Providing for the protection of consumers from having spyware
     2     deceptively installed on their computers, for enforcement and
     3     for civil relief.

     4                         TABLE OF CONTENTS
     5  Section 1.  Short title.
     6  Section 2.  Definitions.
     7  Section 3.  Computer spyware prohibitions.
     8  Section 4.  Control or modification.
     9  Section 5.  Misrepresentation and deception.
    10  Section 6.  Nonapplicability.
    11  Section 7.  Enforcement.
    12  Section 8.  Civil relief.
    13  Section 9.  Effective date.
    14     The General Assembly of the Commonwealth of Pennsylvania
    15  hereby enacts as follows:
    16  Section 1.  Short title.
    17     This act shall be known and may be cited as the Consumer


     1  Protection Against Computer Spyware Act.
     2  Section 2.  Definitions.
     3     The following words and phrases when used in this act shall
     4  have the meanings given to them in this section unless the
     5  context clearly indicates otherwise:
     6     "Advertisement."  A communication, the primary purpose of
     7  which is the commercial promotion of a commercial product or
     8  service, including content on an Internet website operated for a
     9  commercial purpose.
    10     "Authorized user."  With respect to a computer, a person who
    11  owns or is authorized by the owner or lessee to use the
    12  computer.
    13     "Cause to be copied."  To distribute or transfer computer
    14  software or any component thereof. The term shall not include
    15  the following:
    16         (1)  Transmission, routing, provision of intermediate
    17     temporary storage or caching of software.
    18         (2)  A storage or hosting medium, such as a compact disc,
    19     Internet website or computer server, through which the
    20     software was distributed by a third party.
    21         (3)  An information location tool, such as a directory,
    22     index, reference, pointer or hypertext link, through which
    23     the user of the computer located the software.
    24     "Communications provider."  Entity providing communications
    25  networks or services that enable consumers to access the
    26  Internet or destinations on the public switched telephone
    27  network via a computer modem. This term shall include cable
    28  service providers that also provide telephone services and
    29  providers of Voice over Internet Protocol services.
    30     "Computer software."  A sequence of instructions written in
    20050S0711B0858                  - 2 -     

     1  any programming language that is executed on a computer. The
     2  term shall not include a text or data file, an Internet website
     3  or a data component of an Internet website that is not
     4  executable independently of the Internet website.
     5     "Computer virus."  A computer program or other set of
     6  instructions that is designed to degrade the performance of or
     7  disable a computer or computer network and is designed to have
     8  the ability to replicate itself on other computers or computer
     9  networks without the authorization of the owners of those
    10  computers or computer networks.
    11     "Damage."  Any significant impairment to the integrity,
    12  functionality or availability of data, software, a computer, a
    13  system or information.
    14     "Execute."  With respect to computer software, the
    15  performance of the functions or the carrying out of the
    16  instructions of the computer software.
    17     "Intentionally deceptive."  Includes, but is not limited to:
    18         (1)  An intentionally and materially false or fraudulent
    19     statement.
    20         (2)  A statement or description that intentionally omits
    21     or misrepresents material information in order to deceive the
    22     authorized user.
    23         (3)  An intentional and material failure to provide any
    24     notice to an authorized user regarding the download or
    25     installation of software in order to deceive the authorized
    26     user.
    27     "Internet."  The global information system that is logically
    28  linked together by a globally unique address space based on the
    29  Internet Protocol (IP), or its subsequent extensions, and that
    30  is able to support communications using the Transmission Control
    20050S0711B0858                  - 3 -     

     1  Protocol/Internet Protocol (TCP/IP) suite, or its subsequent
     2  extensions, or other IP-compatible protocols, and that provides,
     3  uses or makes accessible, either publicly or privately, high-
     4  level services layered on the communications and related
     5  infrastructure described in this act.
     6     "Person."  Any individual, partnership, corporation, limited
     7  liability company or other organization, or any combination
     8  thereof.
     9     "Personally identifiable information."  The term shall
    10  include any of the following:
    11         (1)  First name or first initial in combination with last
    12     name.
    13         (2)  Credit or debit card numbers or other financial
    14     account numbers.
    15         (3)  A password or personal identification number
    16     required to access an identified financial account other than
    17     a password, personal identification number or other
    18     identification number transmitted by an authorized user to
    19     the issuer of the account or its agent.
    20         (4)  Social Security number.
    21         (5)  Any of the following information in a form that
    22     personally identifies an authorized user:
    23             (i)  Account balances.
    24             (ii)  Overdraft history.
    25             (iii)  Payment history.
    26             (iv)  A history of Internet websites visited.
    27             (v)  Home address.
    28             (vi)  Work address.
    29             (vii)  A record of a purchase or purchases.
    30  Section 3.  Computer spyware prohibitions.
    20050S0711B0858                  - 4 -     

     1     A person or entity that is not an authorized user shall not,
     2  with actual knowledge, with conscious avoidance of actual
     3  knowledge, or willfully, cause computer software to be copied
     4  onto the computer of an authorized user in this Commonwealth and
     5  use the software to do any of the following:
     6         (1)  Modify through intentionally deceptive means any of
     7     the following settings related to the computer's access to or
     8     use of the Internet:
     9             (i)  The page that appears when an authorized user
    10         launches an Internet browser or similar software program
    11         used to access and navigate the Internet.
    12             (ii)  The default provider or Internet website proxy
    13         the authorized user uses to access or search the
    14         Internet.
    15             (iii)  The authorized user's list of bookmarks used
    16         to access Internet website pages.
    17         (2)  Collect through intentionally deceptive means
    18     personally identifiable information that meets any of the
    19     following criteria:
    20             (i)  It is collected through the use of a keystroke-
    21         logging function that records all keystrokes made by an
    22         authorized user who uses the computer and transfers that
    23         information from the computer to another person.
    24             (ii)  It includes all or substantially all of the
    25         Internet websites visited by an authorized user, other
    26         than Internet websites of the provider of the software,
    27         if the computer software was installed in a manner
    28         designed to conceal from all authorized users of the
    29         computer the fact that the software is being installed.
    30             (iii)  It is a data element described in paragraph
    20050S0711B0858                  - 5 -     

     1         (2), (3), (4) or (5)(i) or (ii) of the definition of
     2         "personally identifiable information" that is extracted
     3         from the authorized user's computer hard drive for a
     4         purpose wholly unrelated to any of the purposes of the
     5         software or service described to an authorized user.
     6         (3)  Prevent, without the authorization of an authorized
     7     user, through intentionally deceptive means an authorized
     8     user's reasonable efforts to block the installation of or to
     9     disable software by causing software that the authorized user
    10     has properly removed or disabled to automatically reinstall
    11     or reactivate on the computer without the authorization of an
    12     authorized user.
    13         (4)  Intentionally misrepresent that software will be
    14     uninstalled or disabled by an authorized user's action with
    15     knowledge that the software will not be so uninstalled or
    16     disabled.
    17         (5)  Through intentionally deceptive means, remove,
    18     disable or render inoperative security, antispyware or
    19     antivirus software installed on the computer.
    20  Section 4.  Control or modification.
    21     A person or entity that is not an authorized user shall not,
    22  with actual knowledge, with conscious avoidance of actual
    23  knowledge, or willfully, cause computer software to be copied
    24  onto the computer of an authorized user in this Commonwealth and
    25  use the software to do any of the following:
    26         (1)  Take control of the authorized user's computer by
    27     doing any of the following:
    28             (i)  Transmitting or relaying commercial electronic
    29         mail or a computer virus from the authorized user's
    30         computer, where the transmission or relaying is initiated
    20050S0711B0858                  - 6 -     

     1         by a person other than the authorized user and without
     2         the authorization of an authorized user.
     3             (ii)  Accessing or using the authorized user's modem
     4         or Internet service for the purpose of causing damage to
     5         the authorized user's computer or of causing an
     6         authorized user to incur financial charges for a service
     7         that is not authorized by an authorized user.
     8             (iii)  Using the authorized user's computer as part
     9         of an activity performed by a group of computers for the
    10         purpose of causing damage to another computer, including,
    11         but not limited to, launching a denial of service attack.
    12             (iv)  Opening a series of stand-alone advertisements
    13         in the authorized user's computer without the
    14         authorization of an authorized user and with knowledge
    15         that a reasonable computer user cannot close the
    16         advertisements without turning off the computer or
    17         closing the Internet application.
    18         (2)  Modify any of the following settings related to the
    19     computer's access to or use of the Internet:
    20             (i)  An authorized user's security or other settings
    21         that protect information about the authorized user for
    22         the purpose of stealing personal information of an
    23         authorized user.
    24             (ii)  The security settings of the computer for the
    25         purpose of causing damage to one or more computers.
    26         (3)  Prevent, without the authorization of an authorized
    27     user, an authorized user's reasonable efforts to block the
    28     installation of or to disable software by doing any of the
    29     following:
    30             (i)  Presenting the authorized user with an option to
    20050S0711B0858                  - 7 -     

     1         decline installation of software with knowledge that,
     2         when the option is selected by the authorized user, the
     3         installation nevertheless proceeds.
     4             (ii)  Falsely representing that software has been
     5         disabled.
     6             (iii)  Requiring in an intentionally deceptive manner
     7         the user to access the Internet to remove the software
     8         with knowledge or reckless disregard of the fact that the
     9         software frequently operates in a manner that prevents
    10         the user from accessing the Internet.
    11             (iv)  Changing the name, location or other
    12         designation information of the software for the purpose
    13         of preventing an authorized user from locating the
    14         software to remove it.
    15             (v)  Using randomized or intentionally deceptive file
    16         names, directory folders, formats or registry entries for
    17         the purpose of avoiding detection and removal of the
    18         software by an authorized user.
    19             (vi)  Causing the installation of software in a
    20         particular computer directory or computer memory for the
    21         purpose of evading authorized users' attempts to remove
    22         the software from the computer.
    23             (vii)  Requiring, without the authority of the owner
    24         of the computer, that an authorized user obtain a special
    25         code or download software from a third party to uninstall
    26         the software.
    27  Section 5.  Misrepresentation and deception.
    28     A person or entity who is not an authorized user shall not do
    29  any of the following with regard to the computer of an
    30  authorized user in this Commonwealth:
    20050S0711B0858                  - 8 -     

     1         (1)  Induce an authorized user to install a software
     2     component onto the computer by intentionally misrepresenting
     3     that installing software is necessary for security or privacy
     4     reasons or in order to open, view or play a particular type
     5     of content.
     6         (2)  Deceptively causing the copying and execution on the
     7     computer of a computer software component with the intent of
     8     causing an authorized user to use the component in a way that
     9     violates any other provision of this section.
    10  Section 6.  Nonapplicability.
    11     Nothing in section 4 or 5 shall apply to any monitoring of or
    12  interaction with a user's Internet or other network connection
    13  or service, or a protected computer, by a cable operator,
    14  computer hardware or software provider or provider of
    15  information service or interactive computer service for network
    16  or computer security purposes, diagnostics, technical support,
    17  repair, authorized updates of software or system firmware,
    18  network management or maintenance, authorized remote system
    19  management or detection or prevention of the unauthorized use of
    20  or fraudulent or other illegal activities in connection with a
    21  network, service or computer software, including scanning for
    22  and removing software proscribed under this act.
    23  Section 7.  Enforcement.
    24     Any person that violates the provisions of sections 3(2) and
    25  4(1)(i), (ii) and (iii) and (2)(i) and (ii) shall be guilty of a
    26  felony and, upon conviction thereof, shall be sentenced to
    27  imprisonment for not less than one nor more than ten years or a
    28  fine of not more than $3,000,000, or both.
    29  Section 8.  Civil relief.
    30     (a)  General rule.--The following persons may bring a civil
    20050S0711B0858                  - 9 -     

     1  action against a person who violates this act:
     2         (1)  A provider of computer software who is adversely
     3     affected by the violation.
     4         (2)  An Internet Service Provider who is adversely
     5     affected by the violation.
     6         (3)  A trademark owner whose trademark is used without
     7     the authorization of the owner to deceive users in the course
     8     of any of the deceptive practices prohibited by this section.
     9         (4)  The Attorney General.
    10     (b)  Additional remedies.--In addition to any other remedy
    11  provided by law, a person bringing an action under this section
    12  may:
    13         (1)  Seek injunctive relief to restrain the violator from
    14     continuing the violation.
    15         (2)  Recover damages in an amount equal to the greater
    16     of:
    17             (i)  Actual damages arising from the violation.
    18             (ii)  Up to $100,000 for each violation, as the court
    19         considers just.
    20         (3)  Seek both injunctive relief and recovery of damages
    21     as provided by this subsection.
    22     (c)  Increase by court.--The court may increase an award of
    23  actual damages in an action brought under this section to an
    24  amount not to exceed three times the actual damages sustained if
    25  the court finds that the violations have occurred with a
    26  frequency as to constitute a pattern or practice.
    27     (d)  Fees and costs.--A plaintiff who prevails in an action
    28  filed under this section is entitled to recover reasonable
    29  attorney fees and court costs.
    30     (e)  Communications provider relief.--In the case of a
    20050S0711B0858                 - 10 -     

     1  violation of section 4(1)(ii) that causes a communications
     2  provider to incur costs for the origination, transport or
     3  termination of a call triggered using the modem of a customer of
     4  the communications provider as a result of a violation, the
     5  communications provider may bring a civil action against the
     6  violator to recover any or all of the following:
     7         (1)  The charges the carrier is obligated to pay to
     8     another carrier or to an information service provider as a
     9     result of the violation, including, but not limited to,
    10     charges for the origination, transport or termination of the
    11     call.
    12         (2)  Costs of handling customer inquiries or complaints
    13     with respect to amounts billed for calls.
    14         (3)  Costs and a reasonable attorney fee.
    15         (4)  An order to enjoin the violation.
    16     (f)  Multiple violations.--For purposes of this section,
    17  multiple violations of this section resulting from any single
    18  action or conduct shall constitute one violation. In addition,
    19  any single action or conduct that violates more than one
    20  subsection of this section shall be considered multiple
    21  violations based on the number of subsections violated.
    22  Section 9.  Effective date.
    23     This act shall take effect in 60 days.





    E25L12BIL/20050S0711B0858       - 11 -