Computer Spyware Protection Act

Computer Spyware Protection Act

Computer Spyware Protection Act


Spyware is a catch-all term for computer programs that can track computer users’ movements online. There are hundreds of programs that range from innocuous “ad-ware,” which generates pop-up advertisements, to more dangerous programs that can record a user’s keystrokes to gather personal information such as credit card numbers and passwords without their knowledge and forward this information to another entity without the consumer’s consent. Spyware is a serious problem that can create substantial privacy risks, increase the risk of identity theft, and cause serious degradation to personal and business computers that can cost millions of dollars in lost productivity.

This bill prohibits the installation, transmission, and use of computer software that collects personally identifiable information, and authorizes the Attorney General to bring a civil action against anyone who violates any provision of this act and seek damages ranging from $1,000 to $1 million.

Model Legislation

Section 1. Title

This Act may be cited as the “Computer Spyware Protection Act.”

Section 2. Legislative Intent

It is the intent of the legislature to protect owners and operators of computers in this state from the use of spyware and malware that is deceptively or surreptitiously installed on the owner’s or the operator’s computer.

Section 3.  Definitions

1.  “Cause to be copied” means to distribute or transfer computer software, or any component thereof.  Such term shall not include providing—

a. transmission, routing, provision of intermediate temporary storage, or caching of software;

b. a storage or hosting medium, such as a compact disk, web site, or computer server through which the software was distributed by a third party; or

c. an information location tool, such as a directory, index, reference, pointer, or hypertext link, through which the user of the computer located the software.

2. “Computer software” means a sequence of instructions written in any programming language that is executed on a computer.  “Computer software” does not include a data component of a web page that is not executable independently of the web page.

3.  “Computer virus” means a computer program or other set of instructions that is designed to degrade the performance of or disable a computer or computer network and is designed to have the ability to replicate itself on other computers or computer networks without the authorization of the owners of those computers or computer networks.

4. “Damage” means any significant impairment to the integrity or availability of data, software, a system, or information.

5.  “Execute,” when used with respect to computer software, means the performance of the functions or the carrying out of the instructions of the computer software.

6.  “Intentionally deceptive” means any of the following:

a.  An intentionally and materially false or fraudulent statement.

b.  A statement or description that intentionally omits or misrepresents material information in order to deceive an owner or operator of a computer.

c.  An intentional and material failure to provide a notice to an owner or operator regarding the installation or execution of computer software for the purpose of deceiving the owner or operator.

7.  “Internet” means the global information system that is logically linked together by a globally unique address space based on the internet protocol (IP), or its subsequent extensions, and that is able to support communications using the transmission control protocol/internet protocol (TCP/IP) suite, or its subsequent extensions, or other IP-compatible protocols, and that provides, uses, or makes accessible, either publicly or privately, high-level services layered on the communications and related infrastructure described in this subsection.

8.  “Owner or operator” means the owner or lessee of a computer, or a person using such computer with the owner or lessee’s authorization, but does not include a person who owned a computer prior to the first retail sale of the computer.

9.  “Message” means a graphical or text communication presented to an authorized user of a computer.

10.  “Person” means any individual, partnership, corporation, limited liability company, or other organization, or any combination thereof.

11.  “Personally identifiable information” means any of the following information if it allows the entity holding the information to identify the owner or operator of a computer:

a.  The first name or first initial in combination with the last name.

b.  A home or other physical address including street name.

c.  Personal identification code in conjunction with a password required to access an identified account, other than a password, personal identification number or other identification number transmitted by an authorized user to the issuer of the account or its agent.

d.  Social security number, tax identification number, driver’s license number, passport number, or any other government-issued identification number.

e.  Account balance, overdraft history, or payment history that personally identifies an owner or operator of a computer.

Section 4.  Prohibitions, Use of Software

It is unlawful for a person who is not an owner or operator of a computer to cause computer software to be copied on such computer knowingly or with conscious avoidance of actual knowledge or willfully, and to use such software to do any of the following:

1.  Modify, through intentionally deceptive means, settings of a computer that control any of the following:

a.  The web page that appears when an owner or operator launches an Internet browser or similar computer software used to access and navigate the Internet.

b.  The default provider or web proxy that an owner or operator uses to access or search the Internet.

c.  An owner’s or an operator’s list of bookmarks used to access web pages.

2.  Collect, through intentionally deceptive means, personally identifiable information through any of the following means:

a.  The use of a keystroke-logging function that records all or substantially all keystrokes made by an owner or operator of a computer and transfers that information from the computer to another person.

b.  In a manner that correlates personally identifiable information with data regarding all or substantially all of the Web sites visited by an owner or operator, other than Web sites operated by the person providing such software, if the computer software was installed in a manner designed to conceal from all authorized users of the computer the fact that the software is being installed.

c.  By extracting from the hard drive of an owner’s or an operator’s computer, an owner’s or an operator’s social security number, tax identification number, driver’s license number, passport number, any other government-issued identification number, account balances, or overdraft history for a purpose unrelated to any of the purposes of the software or service described to an authorized user.

3.  Prevent, through intentionally deceptive means, an owner’s or an operator’s reasonable efforts to block the installation of or execution of, or to disable, computer software by causing computer software that the owner or operator has properly removed or disabled to automatically reinstall or reactivate on the computer without the authorization of an authorized user.

4.  Intentionally misrepresent that computer software will be uninstalled or disabled by an owner’s or an operator’s action.

5.  Through intentionally deceptive means, remove, disable, or render inoperative security, antispyware, or antivirus computer software installed on an owner’s or an operator’s computer.

6.  Enable use of an owner’s or an operator’s computer to do any of the following:

a.  Accessing or using a modem or Internet service for the purpose of causing damage to an owner’s or an operator’s computer or causing an owner or operator , or a third party affected by such conduct to incur financial charges for a service that the owner or operator did not authorize.

b.  Opening multiple, sequential, stand-alone messages in an owner’s or an operator’s computer without the authorization of an owner or operator and with knowledge that a reasonable computer user could not close the messages without turning off the computer or closing the software application in which the messages appear; provided that this paragraph shall not apply to communications originated by the computer’s operating system, originated by a software application that the user chooses to activate, originated by a service provider that the user chooses to use, or presented for any of the purposes described in section 6.

c. Transmitting or relaying commercial electronic mail or a computer virus from the computer, where the transmission or relaying is initiated by a person other than the authorized user and without the authorization of an authorized user.

7.  Modify any of the following settings related the computer’s access to, or use of, the Internet:

a.  Settings that protect information about an owner or operator for the purpose of taking personally identifiable information of the owner or operator.

b.  Security settings for the purpose of causing damage to a computer.

c. Settings that protect the computer from the uses identified in subsection (6) of this section.

8.  Prevent, without the authorization of an owner or operator, an owner’s or an operator’s reasonable efforts to block the installation of, or to disable, computer software by doing any of the following:

a.  Presenting the owner or operator with an option to decline installation of computer software with knowledge that, when the option is selected by the authorized user, the installation nevertheless proceeds.

b.  Falsely representing that computer software has been disabled.

c.  Requiring in an intentionally deceptive manner the user to access the Internet to remove the software with knowledge or reckless disregard of the fact that the software frequently operates in a manner that prevents the user from accessing the Internet.

d. Changing the name, location or other designation information of the software for the purpose of preventing an authorized user from locating the software to remove it.

e. Using randomized or intentionally deceptive filenames, directory folders, formats, or registry entries for the purpose of avoiding detection and removal of the software by an authorized user.

f. Causing the installation of software in a particular computer directory or computer memory for the purpose of evading authorized users’ attempts to remove the software from the computer;

g. Requiring, without the authority of the owner of the computer, that an authorized user obtain a special code or download software from a third party to uninstall the software.

Section 5.  Other Prohibitions

It is unlawful for a person who is not an owner or operator of a computer to do any of the following with regard to the computer:

1.  Induce an owner or operator to install a computer software component onto the owner’s or the operator’s computer by intentionally misrepresenting that installing computer software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content.

2.  Using intentionally deceptive means to cause the execution of a computer software component with the intent of causing the computer to use such component in a manner that violates any other provision of this chapter.

Section 6.  Exceptions

Sections 4 and 5 shall not apply to the monitoring of, or interaction with, an owner’s or an operator’s Internet or other network connection, service, or computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, maintenance, repair, network management, authorized updates of computer software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this chapter.

Section 7.  Remedies

1.  The attorney general, an Internet service provider or software company that expends resources in good faith assisting authorized users harmed by a violation of this chapter, or a trademark owner whose mark is used to deceive authorized users in violation of this chapter,  may bring a civil action against a person who violates any provision of this chapter to recover actual damages, liquidated damages of at least one thousand dollars per violation of this chapter, not to exceed one million dollars for a pattern or practice of such violations, attorney fees, and costs.

2.  The court may increase a damage award to an amount equal to not more than three times the amount otherwise recoverable under subsection 1 if the court determines that the defendant committed the violation willfully and knowingly.

3.  The court may reduce liquidated damages recoverable under subsection 1, to a minimum of one hundred dollars, not to exceed one hundred thousand dollars for each violation if the court finds that the defendant established and implemented practices and procedures reasonably designed to prevent a violation of this chapter.

4. In the case of a violation of section 4(6)a. that causes a telecommunications carrier or provider of voice over internet protocol service to incur costs for the origination, transport, or termination of a call triggered using the modem or Internet-capable device of a customer of such telecommunications carrier or provider as a result of such violation, the telecommunications carrier may bring a civil action against the violator to recover any or all of the following—

a. the charges such carrier or provider is obligated to pay to another carrier or to an information service provider as a result of the violation, including but not limited to charges for the origination, transport or termination of the call;

b. costs of handling customer inquiries or complaints with respect to amounts billed for such calls;

c. costs and a reasonable attorneys’ fee; and

d. an order to enjoin the violation.

5. For purposes of a civil action under paragraphs (1), (2) and (3) any single action or conduct that violates more than one paragraph of this chapter shall be considered multiple violations based on the number of such paragraphs violated.

Section 8. Good Samaritan

1. No provider of computer software or of an interactive computer service may be held liable for identifying, naming, removing, disabling, or otherwise affecting a computer program through any action voluntarily undertaken, or service provided, where the provider:

a. Intends to identify accurately, prevent the installation or execution of, remove, or disable another computer program on a computer of a customer of such provider; and

b. Reasonably believes the computer program exhibits behavior that violates this act; and

c. Notifies the authorized user and obtains clear and conspicuous consent before undertaking such action or providing such service.

2. A provider of computer software or interactive computer service is entitled to protection under this section only if such provider:

a. Has established internal practices and procedures to evaluate computer programs reasonably designed to determine whether or not a computer program exhibits behavior that violates this act; and

b. Has established a process for managing disputes and inquiries regarding misclassification or false positive identifications of computer programs.

Nothing in this section is intended to limit the ability of the Attorney General, or a district attorney to bring an action against a provider of computer software or of an interactive computer service.

Section 9. {Severability clause.}

Section 10. {Repealer clause.}

Section 11. {Effective date.}

Approved by the ALEC Board of Directors September 2005.

Approved by the ALEC Board of Directors December 2012.