PRIOR PRINTER'S NOS. 858, 897 PRINTER'S NO. 1110
No. 711 Session of 2005
INTRODUCED BY GORDNER, WONDERLING, C. WILLIAMS, RAFFERTY, COSTA, CORMAN, WOZNIAK, PIPPY, PICCOLA, VANCE, LOGAN, ERICKSON, WAUGH, RHOADES, BOSCOLA, TARTAGLIONE, KITCHEN, THOMPSON, O'PAKE, GREENLEAF, STACK, ROBBINS, FERLO AND KASUNIC, JUNE 3, 2005
SENATOR THOMPSON, APPROPRIATIONS, RE-REPORTED AS AMENDED, SEPTEMBER 19, 2005
AN ACT
Providing for the protection of consumers from having spyware deceptively installed on their computers and for criminal and civil enforcement.
TABLE OF CONTENTS
Section 1. Short title.
Section 2. Definitions.
Section 3. Computer spyware prohibitions.
Section 4. Control or modification.
Section 5. Misrepresentation and deception.
Section 6. Nonapplicability.
Section 7. Enforcement.
Section 8. Civil relief.
Section 9. Effective date.
SECTION 7. CRIMINAL ENFORCEMENT.
SECTION 8. PENALTY.
SECTION 9. CIVIL RELIEF.
SECTION 10. EFFECTIVE DATE.
The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:
Section 1. Short title.
This act shall be known and may be cited as the Consumer Protection Against Computer Spyware Act.
Section 2. Definitions.
The following words and phrases when used in this act shall have the meanings given to them in this section unless the context clearly indicates otherwise:
"Authorized user." With respect to a computer, a person who owns or is authorized by the owner or lessee to use the computer.
"Cause to be copied." To distribute, transfer or procure the copying of computer software or any component thereof. The term shall not include the following:
(1) Transmission, routing, provision of intermediate temporary storage or caching of software.
(2) A storage or hosting medium, such as a compact disc, Internet website or computer server, through which the software was distributed by a third party.
(3) An information location tool, such as a directory, index, reference, pointer or hypertext link, through which the user of the computer located the software.
"Communications provider." Entity providing communications networks or services that enable consumers to access the Internet or destinations on the public switched telephone network via a computer modem. This term shall include cable service providers that also provide telephone services and providers of Voice over Internet Protocol services.
20050S0711B1110 - 2 -
"Computer software." A sequence of instructions written in any programming language that is executed on a computer. The term shall not include a text or data file, an Internet website or a data component of an Internet website that is not executable independently of the Internet website.
"Computer virus." A computer program or other set of instructions that is designed to degrade the performance of or disable a computer or computer network and is designed to have the ability to replicate itself on other computers or computer networks without the authorization of the owners of those computers or computer networks.
"Damage." Any significant MATERIAL impairment to the integrity, functionality or availability of data, software, a computer, a system or information.
"DECEPTIVE" OR "DECEPTION." INCLUDES, BUT IS NOT LIMITED TO:
(1) AN INTENTIONALLY AND MATERIALLY FALSE OR FRAUDULENT STATEMENT.
(2) A STATEMENT OR DESCRIPTION THAT INTENTIONALLY OMITS OR MISREPRESENTS MATERIAL INFORMATION IN ORDER TO DECEIVE THE AUTHORIZED USER.
(3) AN INTENTIONAL AND MATERIAL FAILURE TO PROVIDE ANY NOTICE TO AN AUTHORIZED USER REGARDING THE DOWNLOAD OR INSTALLATION OF SOFTWARE IN ORDER TO DECEIVE THE AUTHORIZED USER.
"Execute." With respect to computer software, the performance of the functions or the carrying out of the instructions of the computer software.
"Intentionally deceptive." Includes, but is not limited to:
(1) An intentionally and materially false or fraudulent statement.
(2) A statement or description that intentionally omits or misrepresents material information in order to deceive the authorized user.
(3) An intentional and material failure to provide any notice to an authorized user regarding the download or installation of software in order to deceive the authorized user.
"Internet." The global information system that is logically linked together by a globally unique address space based on the Internet Protocol (IP), or its subsequent extensions, and that is able to support communications using the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, or its subsequent extensions, or other IP-compatible protocols, and that provides, uses or makes accessible, either publicly or privately, high-level services layered on the communications and related infrastructure described in this act.
"Message." A graphical or text communication presented to an authorized user of a computer other than communications originated and sent by the computer's operating system or communications presented for any of the purposes described in section 6.
"Person." Any individual, partnership, corporation, limited liability company or other organization, or any combination thereof.
"Personally identifiable information." The term shall include any of the following:
(1) First name or first initial in combination with last name.
(2) Credit or debit card numbers or other financial account numbers.
(3) A password or personal identification number required to access an identified financial account other than a password, personal identification number or other identification number transmitted by an authorized user to the issuer of the account or its agent.
(4) Social Security number.
(5) Any of the following information in a form that personally identifies an authorized user:
(i) Account balances.
(ii) Overdraft history.
(iii) Payment history.
(iv) A history of Internet websites visited.
(v) Home address.
(vi) Work address.
(vii) A record of a purchase or purchases.
"Procure the copying." To intentionally pay or provide other consideration to, or induce another person to cause software to be copied onto a computer.
Section 3. Computer spyware prohibitions.
A person or entity that is not an authorized user shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied or procure the copying onto the computer of an authorized user in this Commonwealth and use the software to do any of the following ACTS OR ANY OTHER ACTS DEEMED TO BE DECEPTIVE:
(1) Modify through intentionally deceptive means any of the following settings related to the computer's access to or use of the Internet:
(i) The page that appears when an authorized user launches an Internet browser or similar software program
used to access and navigate the Internet.
(ii) The default provider or Internet website proxy the authorized user uses to access or search the Internet.
(iii) The authorized user's list of bookmarks used to access Internet website pages.
(2) Collect through intentionally deceptive means personally identifiable information that meets any of the following criteria:
(i) It is collected through the use of a keystroke-logging function that records all keystrokes made by an authorized user who uses the computer and transfers that information from the computer to another person.
(ii) It includes all or substantially all of the Internet websites visited by an authorized user, other than Internet websites of the provider of the software, if the computer software was installed in a manner designed to conceal from all authorized users of the computer the fact that the software is being installed.
(iii) It is a data element described in paragraph (2), (3), (4) or (5)(i) or (ii) of the definition of "personally identifiable information" that is extracted from the authorized user's computer hard drive for a purpose wholly unrelated to any of the purposes of the software or service described to an authorized user.
(3) Prevent, without the authorization of an authorized user, through intentionally deceptive means an authorized user's reasonable efforts to block the installation of or to disable software by causing software that the authorized user has properly removed or disabled to automatically reinstall
or reactivate on the computer without the authorization of an authorized user.
(4) Intentionally misrepresent MISREPRESENT that software will be uninstalled or disabled by an authorized user's action with knowledge that the software will not be so uninstalled or disabled.
(5) Through intentionally deceptive means, remove, disable or render inoperative security, antispyware or antivirus software installed on the computer.
Section 4. Control or modification.
A person or entity that is not an authorized user shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied OR PROCURE THE COPYING onto the computer of an authorized user in this Commonwealth and use the software to do any of the following ACTS OR ANY OTHER ACTS DEEMED TO BE DECEPTIVE:
(1) Take control of the authorized user's computer by doing any of the following:
(i) Transmitting or relaying commercial electronic mail or a computer virus from the authorized user's computer, where the transmission or relaying is initiated by a person other than the authorized user and without the authorization of an authorized user.
(ii) Accessing or using the authorized user's modem or Internet service for the purpose of causing damage to the authorized user's computer or of causing an authorized user to incur financial charges for a service that is not authorized by an authorized user.
(iii) Using the authorized user's computer as part of an activity performed by a group of computers for the
purpose of causing damage to another computer, including, but not limited to, launching a denial of service attack.
(iv) Opening a series of stand-alone messages in the authorized user's computer without the authorization of an authorized user and with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the Internet application.
(2) Modify any of the following settings related to the computer's access to or use of the Internet:
(i) An authorized user's security or other settings that protect information about the authorized user for the purpose of stealing personal information of an authorized user.
(ii) The security settings of the computer for the purpose of causing damage to one or more computers.
(3) Prevent, without the authorization of an authorized user, an authorized user's reasonable efforts to block the installation of or to disable software by doing any of the following:
(i) Presenting the authorized user with an option to decline installation of software with knowledge that, when the option is selected by the authorized user, the installation nevertheless proceeds.
(ii) Falsely representing that software has been disabled.
(iii) Requiring in an intentionally A deceptive manner the user to access the Internet to remove the software with knowledge or reckless disregard of the fact that the software frequently operates in a manner that
prevents the user from accessing the Internet.
(iv) Changing the name, location or other designation information of the software for the purpose of preventing an authorized user from locating the software to remove it.
(v) Using randomized or intentionally deceptive file names, directory folders, formats or registry entries for the purpose of avoiding detection and removal of the software by an authorized user.
(vi) Causing the installation of software in a particular computer directory or computer memory for the purpose of evading authorized users' attempts to remove the software from the computer.
(vii) Requiring, without the authority of the owner of the computer, that an authorized user obtain a special code or download software from a third party to uninstall the software.
Section 5. Misrepresentation and deception.
A person or entity who is not an authorized user shall not do any of the following OR ANY OTHER MISREPRESENTING AND DECEPTIVE ACTS with regard to the computer of an authorized user in this Commonwealth:
(1) Induce an authorized user to install a software component onto the computer by intentionally misrepresenting that installing software is necessary for security or privacy reasons or in order to open, view or play a particular type of content.
(2) Deceptively causing CAUSING the copying and execution on the computer of a computer software component with the intent of causing an authorized user to use the
component in a way that violates any other provision of this section.
Section 6. Nonapplicability.
(1) Nothing in section 4 or 5 shall apply to any monitoring of or interaction with a user's Internet or other network connection or service, or a protected computer, by a cable operator, computer hardware or software provider or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorized updates of software or system firmware, network management or maintenance, authorized remote system management or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service or computer software, including scanning for and removing software proscribed under this act.
(2) Nothing in this act shall limit the rights of providers of wire and electronic communications under 18 U.S.C. § 2511 (relating to interception and disclosure of wire, oral, or electronic communications prohibited).
Section 7. Criminal enforcement.
(a) District attorneys.--The district attorneys of the several counties shall have authority to investigate and to institute criminal proceedings for any violations of this act.
(b) Attorney General.--In addition to the authority conferred upon the Attorney General under the act of October 15, 1980 (P.L.950, No.164), known as the Commonwealth Attorneys Act, the Attorney General shall have the authority to investigate and institute criminal proceedings for any violation of this act. A person charged with a violation of this act by the Attorney
General shall not have standing to challenge the authority of the Attorney General to investigate or prosecute the case, and, if any such challenge is made, the challenge shall be dismissed and no relief shall be available in the courts of this Commonwealth to the person making the challenge.
(C) PROCEEDINGS AGAINST PERSONS OUTSIDE COMMONWEALTH.--IN ADDITION TO POWERS CONFERRED UPON DISTRICT ATTORNEYS AND THE ATTORNEY GENERAL IN SUBSECTIONS (A) AND (B), DISTRICT ATTORNEYS AND THE ATTORNEY GENERAL SHALL HAVE THE AUTHORITY TO INVESTIGATE AND INITIATE CRIMINAL PROCEEDINGS AGAINST PERSONS FOR VIOLATIONS OF THIS ACT IN ACCORDANCE WITH 42 PA.C.S. § 5322 (RELATING TO BASES OF PERSONAL JURISDICTION OVER PERSONS OUTSIDE THIS COMMONWEALTH).
Section 8. Penalty.
Any person that violates the provisions of sections 3(2) and 4(1)(i), (ii) and (iii) and (2)(i) and (ii) shall be guilty of a felony of the second degree and, upon conviction thereof, shall be sentenced to imprisonment for not less than one nor more than ten years or a fine, notwithstanding 18 Pa.C.S. § 1101 (relating to fines), of not more than $3,000,000 $25,000, or both.
Section 9. Civil relief.
(a) General rule.--The SUBJECT TO THE LIMITATION SET FORTH IN SUBSECTION (G), THE following persons may bring a civil action against a person who violates this act:
(1) A provider of computer software who is adversely affected by the violation.
(2) An Internet Service Provider who is adversely affected by the violation.
(3) A trademark owner whose trademark is used without the authorization of the owner to deceive users in the course
of any of the deceptive practices prohibited by this section.
(4) The Attorney General.
(b) Additional remedies.--In addition to any other remedy provided by law, a PERMITTED person bringing an action under this section may:
(1) Seek injunctive relief to restrain the violator from continuing the violation.
(2) Recover damages in an amount equal to the greater of:
(i) Actual damages arising from the violation.
(ii) Up to $100,000 for each violation, as the court considers just.
(3) Seek both injunctive relief and recovery of damages as provided by this subsection.
(c) Increase by court.--The court may increase an award of actual damages in an action brought under this section to an amount not to exceed three times the actual damages sustained if the court finds that the violations have occurred with a frequency with respect to a group of victims as to constitute a pattern or practice.
(d) Fees and costs.--A plaintiff who prevails in an action filed under this section is entitled to recover reasonable attorney fees and court costs.
(e) Communications provider relief.--In the case of a violation of section 4(1)(ii) that causes a communications provider to incur costs for the origination, transport or termination of a call triggered using the modem of a customer of the communications provider as a result of a violation, the communications provider may bring a civil action against the violator to recover any or all of the following:
(1) The charges the carrier is obligated to pay to another carrier or to an information service provider as a result of the violation, including, but not limited to, charges for the origination, transport or termination of the call.
(2) Costs of handling customer inquiries or complaints with respect to amounts billed for calls.
(3) Costs and a reasonable attorney fee.
(4) An order to enjoin the violation.
(f) Multiple violations.--For purposes of this section, multiple violations of this section resulting from any single action or conduct shall constitute one violation. In addition, any single action or conduct that violates more than one subsection of this section shall be considered multiple violations based on the number of subsections violated.
(F) MULTIPLE VIOLATIONS.--FOR PURPOSES OF A CIVIL ACTION UNDER THIS SECTION, ANY SINGLE ACTION OR CONDUCT THAT VIOLATES MORE THAN ONE PARAGRAPH OF THIS ACT SHALL BE CONSIDERED MULTIPLE VIOLATIONS BASED ON THE NUMBER OF SUCH PARAGRAPHS VIOLATED.
(G) UNFAIR TRADE PRACTICE.--A VIOLATION OF THIS ACT SHALL BE DEEMED TO BE AN UNFAIR OR DECEPTIVE ACT OR PRACTICE IN VIOLATION OF THE ACT OF DECEMBER 17, 1968 (P.L.1224, NO.387), KNOWN AS THE UNFAIR TRADE PRACTICES AND CONSUMER PROTECTION LAW. THE OFFICE OF ATTORNEY GENERAL SHALL HAVE EXCLUSIVE AUTHORITY TO BRING AN ACTION UNDER THE UNFAIR TRADE PRACTICES AND CONSUMER PROTECTION LAW FOR A VIOLATION OF THAT ACT.
Section 10. Effective date.
This act shall take effect in 60 days.
E25L12BIL/20050S0711B1110 - 13 -