HOUSE AMENDED PRIOR PRINTER'S NOS. 858, 897, 1110, PRINTER'S NO. 1793 1524
No. 711 Session of 2005
INTRODUCED BY GORDNER, WONDERLING, C. WILLIAMS, RAFFERTY, COSTA, CORMAN, WOZNIAK, PIPPY, PICCOLA, VANCE, LOGAN, ERICKSON, WAUGH, RHOADES, BOSCOLA, TARTAGLIONE, KITCHEN, THOMPSON, O'PAKE, GREENLEAF, STACK, ROBBINS, FERLO AND KASUNIC, JUNE 3, 2005
AS AMENDED ON THIRD CONSIDERATION, HOUSE OF REPRESENTATIVES, MAY 3, 2006
AN ACT
1 Providing for the protection of consumers from having spyware
2 deceptively installed on their computers and for criminal and
3 civil enforcement; AND PROVIDING FOR CIVIL IMMUNITY UNDER <--
4 CERTAIN CIRCUMSTANCES.
5 TABLE OF CONTENTS
6 Section 1. Short title.
7 Section 2. Definitions. <--
8 Section 3. Computer spyware prohibitions.
9 Section 4. Control or modification.
10 Section 5. Misrepresentation and deception.
11 Section 6. Nonapplicability.
12 Section 7. Criminal enforcement.
13 Section 8. Penalty.
14 Section 9. Civil relief.
15 Section 10. Effective date.
16 SECTION 2. PURPOSE. <--
1 SECTION 3. DEFINITIONS.
2 SECTION 4. COMPUTER SPYWARE PROHIBITIONS.
3 SECTION 5. CONTROL OR MODIFICATION.
4 SECTION 6. MISREPRESENTATION AND DECEPTION.
5 SECTION 7. NONAPPLICABILITY.
6 SECTION 8. CRIMINAL ENFORCEMENT.
7 SECTION 9. PENALTY.
8 SECTION 10. CIVIL RELIEF.
9 SECTION 11. CIVIL IMMUNITY.
10 SECTION 12. EFFECTIVE DATE.
11 The General Assembly of the Commonwealth of Pennsylvania
12 hereby enacts as follows:
13 Section 1. Short title.
14 This act shall be known and may be cited as the Consumer
15 Protection Against Computer Spyware Act.
16 SECTION 2. PURPOSE. <--
17 THIS ACT IS INTENDED TO PROHIBIT DECEPTIVE PRACTICES USED BY
18 PURVEYORS OF SPYWARE AND OTHER POTENTIALLY HARMFUL SOFTWARE. IT
19 DOES NOT DEFINE SPYWARE, BUT INSTEAD FOCUSES ON DECEPTIVE
20 BEHAVIORS AND PERSONS OR ENTITIES WHO DISSEMINATE POTENTIALLY
21 HARMFUL SOFTWARE.
22 Section 2 3. Definitions. <--
23 The following words and phrases when used in this act shall
24 have the meanings given to them in this section unless the
25 context clearly indicates otherwise:
26 "Authorized user." With respect to a computer, a person who
27 owns or is authorized by the owner or lessee to use the
28 computer.
29 "Cause to be copied." To distribute, transfer or procure the
30 copying of computer software or any component thereof. The term
20050S0711B1793 - 2 -
1 shall not include the following:
2 (1) Transmission, routing, provision of intermediate
3 temporary storage or caching of software.
4 (2) A storage or hosting medium, such as a compact disc,
5 Internet website or computer server, through which the
6 software was distributed by a third party.
7 (3) An information location tool, such as a directory,
8 index, reference, pointer or hypertext link, through which
9 the user of the computer located the software.
10 "Communications provider." Entity providing communications
11 networks or services that enable consumers to access the
12 Internet or destinations on the public switched telephone
13 network via a computer modem. This term shall include cable
14 service providers that also provide telephone services and
15 providers of Voice over Internet Protocol services.
16 "Computer software." A sequence of instructions written in
17 any programming language that is executed on a computer. The
18 term shall not include a text or data file, an Internet website
19 or a data component of an Internet website that is not
20 executable independently of the Internet website.
21 "Computer virus." A computer program or other set of
22 instructions that is designed to degrade the performance of or
23 disable a computer or computer network, COMPUTER NETWORK OR <--
24 COMPUTER SOFTWARE and is designed to have the ability to
25 replicate itself on other computers or computer networks without
26 the authorization of the owners of those computers or computer
27 networks.
28 "Damage." Any material impairment to the integrity,
29 functionality or availability of data, software, a computer, a
30 system or information.
1 "Deceptive" or "deception." Includes, but is not limited to:
2 (1) An intentionally and materially false or fraudulent
3 statement.
4 (2) A statement or description that intentionally omits
5 or misrepresents material information in order to deceive the
6 authorized user.
7 (3) An intentional and material failure to provide any
8 notice OR, IN THE CASE OF AN ACTIVITY DESCRIBED IN SECTION <--
9 4(2) OR (5)(1) OR (2), CLEAR AND CONSPICUOUS NOTICE, to an
10 authorized user regarding the download or installation of
11 software in order to deceive the authorized user.
12 "Execute." With respect to computer software, the
13 performance of the functions or the carrying out of the
14 instructions of the computer software.
15 "Internet." The global information system that is logically
16 linked together by a globally unique address space based on the
17 Internet Protocol (IP), or its subsequent extensions, and that
18 is able to support communications using the Transmission Control
19 Protocol/Internet Protocol (TCP/IP) suite, or its subsequent
20 extensions, or other IP-compatible protocols, and that provides,
21 uses or makes accessible, either publicly or privately, high-
22 level services layered on the communications and related
23 infrastructure described in this act.
24 "Message." A graphical or text communication presented to an
25 authorized user of a computer other than communications
26 originated and sent by the computer's operating system or
27 communications presented for any of the purposes described in
28 section 6 7. <--
29 "Person." Any individual, partnership, corporation, limited
30 liability company or other organization, or any combination
1 thereof.
2 "PROCURE THE COPYING." TO PAY OR PROVIDE OTHER CONSIDERATION <--
3 TO, OR INDUCE ANOTHER PERSON TO CAUSE SOFTWARE TO BE COPIED ONTO
4 A COMPUTER.
5 "Personally identifiable "PROTECTED information." The term <--
6 shall include any of the following:
7 (1) First name or first initial in combination with last <--
8 name.
9 (2) (1) Credit or debit card numbers or other financial <--
10 account numbers.
11 (3) A password or personal (2) A PASSWORD OR PROTECTED <--
12 identification number required to access an identified
13 financial account other than a password, personal PROTECTED <--
14 identification number or other identification number
15 transmitted by an authorized user to the issuer of the
16 account or its agent.
17 (4) (3) Social Security number. <--
18 (5) (4) Any of the following information in a form that <--
19 personally identifies an authorized user:
20 (i) Account balances.
21 (ii) Overdraft history.
22 (iii) Payment history.
23 (iv) A history of Internet websites visited.
24 (v) Home address.
25 (vi) Work address.
26 (vii) A record of a purchase or purchases.
27 "Procure the copying." To pay or provide other consideration <--
28 to, or induce another person to cause software to be copied onto
29 a computer.
30 Section 3 4. Computer spyware prohibitions. <--
1 A person or entity that is not an authorized user shall not,
2 with actual knowledge, with conscious avoidance of actual
3 knowledge, or willfully, cause computer software to be copied or
4 procure the copying onto the computer of an authorized user in
5 this Commonwealth and use the software to do any of the
6 following acts or any other acts deemed to be deceptive:
7 (1) Modify through deceptive means any of the following
8 settings related to the computer's access to or use of the
9 Internet:
10 (i) The page that appears when an authorized user
11 launches an Internet browser or similar software program
12 used to access and navigate the Internet.
13 (ii) The default provider or Internet website proxy
14 the authorized user uses to access or search the
15 Internet.
16 (iii) The authorized user's list of bookmarks used
17 to access Internet website pages.
18 (2) Collect through deceptive means personally <--
19 identifiable PROTECTED information that meets any of the <--
20 following criteria:
21 (i) It is collected through the use of a keystroke-
22 logging function that records all keystrokes made by an
23 authorized user who uses the computer and transfers that
24 information from the computer to another person.
25 (ii) It includes all or substantially all of the
26 Internet websites visited by an authorized user, other
27 than Internet websites of the provider of the software,
28 if the computer software was installed in a manner
29 designed to conceal from all authorized users of the
30 computer the fact that the software is being installed.
1 (iii) It is a data element described in paragraph
2 (2), (3), (4) or (5)(i) or (ii) (1), (2), (3) OR (4)(I) <--
3 OR (II) of the definition of "personally identifiable <--
4 "PROTECTED information" that is extracted from the <--
5 authorized user's computer hard drive for a purpose
6 wholly unrelated to any of the purposes of the software
7 or service described to an authorized user.
8 (3) Prevent, without the authorization of an authorized
9 user, through deceptive means an authorized user's reasonable
10 efforts to block the installation of or to disable software
11 by causing software that the authorized user has properly
12 removed or disabled to automatically reinstall or reactivate
13 on the computer without the authorization of an authorized
14 user.
15 (4) Misrepresent that software will be uninstalled or
16 disabled by an authorized user's action with knowledge that
17 the software will not be so uninstalled or disabled.
18 (5) Through deceptive means, remove, disable or render
19 inoperative security, antispyware or antivirus software
20 installed on the computer.
21 Section 4 5. Control or modification. <--
22 A person or entity that is not an authorized user shall not,
23 with actual knowledge, with conscious avoidance of actual
24 knowledge, or willfully, cause computer software to be copied or
25 procure the copying onto the computer of an authorized user in
26 this Commonwealth and use the software to do any of the
27 following acts or any other acts deemed to be deceptive:
28 (1) Take control of the authorized user's computer by
29 doing any of the following:
30 (i) Transmitting or relaying commercial electronic
1 mail or a computer virus from the authorized user's
2 computer, where the transmission or relaying is initiated
3 by a person other than the authorized user and without
4 the authorization of an authorized user.
5 (ii) Accessing or using the authorized user's modem
6 or Internet service for the purpose of causing damage to
7 the authorized user's computer or of causing an
8 authorized user to incur financial charges for a service
9 that is not authorized by an authorized user.
10 (iii) Using the authorized user's computer as part
11 of an activity performed by a group of computers for the
12 purpose of causing damage to another computer, including,
13 but not limited to, launching a denial of service attack.
14 (iv) Opening a series of stand-alone messages in the
15 authorized user's computer without the authorization of
16 an authorized user and with knowledge that a reasonable
17 computer user cannot close the advertisements without
18 turning off the computer or closing the Internet
19 application.
20 (2) Modify any of the following settings related to the
21 computer's access to or use of the Internet:
22 (i) An authorized user's security or other settings
23 that protect information about the authorized user for
24 the purpose of stealing personal PROTECTED information of <--
25 an authorized user.
26 (ii) The security settings of the computer for the
27 purpose of causing damage to one or more computers.
28 (3) Prevent, without the authorization of an authorized
29 user, an authorized user's reasonable efforts to block the
30 installation of or to disable software by doing any of the
1 following:
2 (i) Presenting the authorized user with an option to
3 decline installation of software with knowledge that,
4 when the option is selected by the authorized user, the
5 installation nevertheless proceeds.
6 (ii) Falsely representing that software has been
7 disabled.
8 (iii) Requiring in a deceptive manner the user to
9 access the Internet to remove the software with knowledge
10 or reckless disregard of the fact that the software
11 frequently operates in a manner that prevents the user
12 from accessing the Internet.
13 (iv) Changing the name, location or other
14 designation information of the software for the purpose
15 of preventing an authorized user from locating the
16 software to remove it.
17 (v) Using randomized or deceptive file names,
18 directory folders, formats or registry entries for the
19 purpose of avoiding detection and removal of the software
20 by an authorized user.
21 (vi) Causing the installation of software in a
22 particular computer directory or computer memory for the
23 purpose of evading authorized users' attempts to remove
24 the software from the computer.
25 (vii) Requiring, without the authority of the owner
26 of the computer, that an authorized user obtain a special
27 code or download software from a third party to uninstall
28 the software.
29 Section 5 6. Misrepresentation and deception. <--
30 A person or entity who is not an authorized user shall not do
1 any of the following or any other misrepresenting and deceptive
2 acts with regard to the computer of an authorized user in this
3 Commonwealth:
4 (1) Induce an authorized user to install a software
5 component onto the computer by misrepresenting that
6 installing software is necessary for security or privacy
7 reasons or in order to open, view or play a particular type
8 of content.
9 (2) Causing the copying and execution on the computer of
10 a computer software component with the intent of causing an
11 authorized user to use the component in a way that violates
12 any other provision of this section.
13 Section 6 7. Nonapplicability. <--
14 (1) Nothing in section 4 or 5 shall apply to any <--
15 (A) GENERAL RULE.--NOTHING IN SECTION 4, 5 OR 6 SHALL APPLY <--
16 TO ANY monitoring of or interaction with a user's Internet or
17 other network connection or service, or a protected computer, by
18 a cable operator, computer hardware or software provider or
19 provider of information service or interactive computer service
20 for network or computer security purposes, diagnostics,
21 technical support, repair, authorized updates of software or
22 system firmware, network management or maintenance, authorized
23 remote system management or detection or prevention of the
24 unauthorized use of or fraudulent or other illegal activities in
25 connection with a network, service or computer software,
26 including scanning for and removing software proscribed under
27 this act.
28 (2) Nothing in this act shall limit the rights of <--
29 (B) CONSTRUCTION.--NOTHING IN THIS ACT SHALL BE CONSTRUED TO <--
30 LIMIT THE RIGHTS OF providers of wire and electronic
1 communications under 18 U.S.C. § 2511 (relating to interception
2 and disclosure of wire, oral, or electronic communications
3 prohibited).
4 Section 7 8. Criminal enforcement. <--
5 (a) District attorneys.--The district attorneys of the
6 several counties shall have authority to investigate and to
7 institute criminal proceedings for any violations of this act.
8 (b) Attorney General.--In addition to the authority
9 conferred upon the Attorney General under the act of October 15,
10 1980 (P.L.950, No.164), known as the Commonwealth Attorneys Act,
11 the Attorney General shall have the authority to investigate and
12 institute criminal proceedings for any violation of this act. A
13 person charged with a violation of this act by the Attorney
14 General shall not have standing to challenge the authority of
15 the Attorney General to investigate or prosecute the case, and,
16 if any such challenge is made, the challenge shall be dismissed
17 and no relief shall be available in the courts of this
18 Commonwealth to the person making the challenge.
19 (c) Proceedings against persons outside Commonwealth.--In
20 addition to powers conferred upon district attorneys and the
21 Attorney General in subsections (a) and (b), district attorneys
22 and the Attorney General shall have the authority to investigate
23 and initiate criminal proceedings against persons for violations
24 of this act in accordance with 42 Pa.C.S. § 5322 (relating to <--
25 bases of personal jurisdiction over persons outside this
26 Commonwealth). 18 PA.C.S. § 102 (RELATING TO TERRITORIAL <--
27 APPLICABILITY).
28 Section 8 9. Penalty. <--
29 Any person that violates the provisions of sections 3(2) and <--
30 4(1)(i), 4(2) AND 5(1)(I), (ii) and (iii) and (2)(i) and (ii) <--
1 shall be guilty of a felony of the second degree and, upon
2 conviction thereof, shall be sentenced to imprisonment for not
3 less than one nor more than ten years or a fine, notwithstanding
4 18 Pa.C.S. § 1101 (relating to fines), of not more than $25,000,
5 or both.
6 Section 9 10. Civil relief. <--
7 (a) General rule.--Subject to the limitation set forth in
8 subsection (g), the following persons may bring a civil action
9 against a person who violates this act:
10 (1) A provider of computer software who is THAT EXPENDS <--
11 RESOURCES ASSISTING CUSTOMERS WHO ARE adversely affected by
12 the violation.
13 (2) An Internet Service Provider who is THAT EXPENDS <--
14 RESOURCES ASSISTING CUSTOMERS WHO ARE adversely affected by
15 the violation.
16 (3) A trademark owner whose trademark is used without
17 the authorization of the owner to deceive users in the course
18 of any of the deceptive practices prohibited by this section.
19 (4) The Attorney General.
20 (b) Additional remedies.--In addition to any other remedy
21 provided by law, a permitted person bringing an action under
22 this section may:
23 (1) Seek injunctive relief to restrain the violator from
24 continuing the violation.
25 (2) Recover damages in an amount equal to the greater
26 of:
27 (i) Actual damages arising from the violation.
28 (ii) Up to $100,000 for each violation, as the court
29 considers just.
30 (3) Seek both injunctive relief and recovery of damages
1 as provided by this subsection.
2 (c) Increase by court.--The court may increase an award of
3 actual damages in an action brought under this section to an
4 amount not to exceed three times the actual damages sustained if
5 the court finds that the violations have occurred with a
6 frequency with respect to a group of victims as to constitute a
7 pattern or practice.
8 (d) Fees and costs.--A plaintiff who prevails in an action
9 filed under this section is entitled to recover reasonable
10 attorney fees and court costs.
11 (e) Communications provider relief.--In the case of a
12 violation of section 4(1)(ii) 5(1)(II) that causes a <--
13 communications provider to incur costs for the origination,
14 transport or termination of a call triggered using the modem of
15 a customer of the communications provider as a result of a
16 violation, the communications provider may bring a civil action
17 against the violator to recover any or all of the following:
18 (1) The charges the carrier is obligated to pay to
19 another carrier or to an information service provider as a
20 result of the violation, including, but not limited to,
21 charges for the origination, transport or termination of the
22 call.
23 (2) Costs of handling customer inquiries or complaints
24 with respect to amounts billed for calls.
25 (3) Costs and a reasonable attorney fee.
26 (4) An order to enjoin the violation.
27 (f) Multiple violations.--For purposes of a civil action
28 under this section, any single action or conduct that violates
29 more than one paragraph of this act shall be considered multiple
30 violations based on the number of such paragraphs violated.
1 (g) Unfair trade practice.--A violation of this act shall be
2 deemed to be an unfair or deceptive act or practice in violation
3 of the act of December 17, 1968 (P.L.1224, No.387), known as the
4 Unfair Trade Practices and Consumer Protection Law. The Office
5 of Attorney General shall have exclusive authority to bring an
6 action under the Unfair Trade Practices and Consumer Protection
7 Law for a violation of that act.
8 SECTION 11. CIVIL IMMUNITY. <--
9 (A) GENERAL RULE.--NO PROVIDER OF COMPUTER SOFTWARE OR OF AN
10 INTERACTIVE COMPUTER SERVICE MAY BE HELD CIVILLY LIABLE UNDER
11 THIS ACT OR ANY OTHER PROVISION OF LAW FOR ACTIONS TAKEN TO
12 ENABLE A CUSTOMER OF ITS PRODUCTS OR SERVICES TO PREVENT AN ACT
13 OR PRACTICE THAT IT REASONABLY BELIEVES VIOLATES SECTION 4, 5 OR
14 6 IF THE PROVIDER:
15 (1) INTENDS TO IDENTIFY ACCURATELY, PREVENT THE
16 INSTALLATION OR EXECUTION OF, REMOVE OR DISABLE COMPUTER
17 PROGRAMS WHICH ARE INSTALLED OR OPERATED IN A MANNER THAT
18 VIOLATES SECTION 4, 5 OR 6 ON A COMPUTER OF A CUSTOMER OF THE
19 PROVIDER OR ENABLES A USER TO DO SO.
20 (2) NOTIFIES THE AUTHORIZED USER OF THE COMPUTER AND
21 OBTAINS CONSENT BEFORE UNDERTAKING SUCH ACTION OR PROVIDING
22 SUCH SERVICE.
23 (3) HAS ESTABLISHED AND ADHERES TO INTERNAL PRACTICES
24 AND PROCEDURES, BASED ON GENERALLY ACCEPTED AND UNDERSTOOD
25 SOFTWARE INDUSTRY PRACTICES, WHICH ARE REASONABLY DESIGNED TO
26 DETERMINE WHETHER A COMPUTER PROGRAM HAS OR WILL INSTALL OR
27 OPERATE OR CAUSE BEHAVIOR IN A MANNER THAT VIOLATES SECTION
28 4, 5 OR 6.
29 (4) HAS ESTABLISHED AND ADHERES TO A REASONABLE PROCESS
30 FOR MANAGING DISPUTES AND INQUIRIES REGARDING
1 MISCLASSIFICATION OR FALSE POSITIVE IDENTIFICATIONS OF
2 COMPUTER PROGRAMS BASED ON GENERALLY ACCEPTED AND UNDERSTOOD
3 SOFTWARE INDUSTRY PRACTICES.
4 (B) EFFECT ON OTHER DEFENSES.--THE FAILURE OF A PROVIDER TO
5 QUALIFY FOR THE CIVIL IMMUNITY PROVIDED IN SUBSECTION (A) SHALL
6 HAVE NO BEARING UPON THE CONSIDERATION OF ANY OTHER DEFENSE BY
7 THE PROVIDER THAT ITS CONDUCT DOES NOT VIOLATE APPLICABLE LAW.
8 (C) CONSTRUCTION.--NOTHING IN THIS SECTION SHALL BE
9 CONSTRUED TO LIMIT THE AUTHORITY OF A LOCAL DISTRICT ATTORNEY,
10 THE ATTORNEY GENERAL OR ANY OTHER PUBLIC AUTHORITY TO BRING AN
11 ACTION AGAINST A PROVIDER OF COMPUTER SOFTWARE OR OF AN
12 INTERACTIVE COMPUTER SERVICE.
13 Section 10 30. Effective date. <--
14 This act shall take effect in 60 days.