TheWeekInCongress.com
Week Ending May 27, 2005
HR 29: To protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes.
BRIEF
Spyware, the House committee finds, “presents privacy, security and functionality concerns” for computer users by gathering information without the computer user’s consent, sending it elsewhere or by just taking control of the computer without the computer user’s knowledge. Of most concern are those programs that gather personal information from a computer that can lead to identity and asset theft, profiling leading to unsolicited e-mail advertisements and even using a computer’s own camera to watch what is going on near the computer when it is connected to the Internet.
The key to this law is permission. All provisions in the bill apply if you did not give permission to install the intrusive software or otherwise agree to the actions the software takes.
The law is extensive in that it covers almost anything involving planting programs on your computer that gather and distribute information or damage the computer's ability to function, including blocking uninstall efforts and the like.
If you didn’t solicit it, it is probably in violation of the bill. The exceptions are legitimate programs on Websites necessary for interaction and certain cookies necessary for Website viewing and interaction. Those immune from the law are law enforcement and people helping to erase such programs by installing similar programs.
Violations of the law can bring fines from $11,000 per incident up to $3 million, depending on the severity of the act and how frequently the violator engaged in that type of behavior.
This bill passed the House last year along with similar Senate bills but none made it to public law. If this bill becomes law it would not take effect for 12 months and would expire in 2010.
Sponsor: Representative Mary Bono (R-CA-45th)
Vote: Passed House 393 to 4 (RC 201) (May 23, 2005)
Cost to the taxpayers: CBO estimates about $8 million through 2010.
All Rights Reserved. © 2005 TheWeekInCongress.com. No reproduction or distribution without written permission from TheWeekInCongress.com.
MORE INFORMATION
BACKGROUND AND NEED FOR THE LEGISLATION
The release of the Mosaic browser in January 1993, which provided the first graphical interface for navigating the Internet, is credited with bringing the Internet into the mainstream of public usage. In less than one decade, Internet usage was transformed from an academic tool into a commercial, educational, and communications portal accessed by more than 70% of Americans. To accommodate the enormous growth in Internet use and to meet the needs of online consumers, the market has responded with new technologies tailored to consumer Internet usage.
Many of the technologies that have emerged are designed to improve the efficiency and speed of data transfer. Websites may use browsers to run program-like functions on the user's computer, such as scripting and applets, to maximize server efficiency and thereby reduce time requirements for a web page to load on a user's computer. Technology has also allowed websites to use persistent identifiers to recognize a return visitor, and thereby enhance the online experience through personalization. The unique nature of the Internet has also facilitated other beneficial technologies that capitalize on the distributed network structure. Peer-to-peer file sharing software, instant messaging, and voice-over Internet are but a few examples of the developments that benefit millions of users.
Accompanying the growth in available technologies are emerging concerns regarding harmful uses of these same technologies. The Committee is aware that the same beneficial technologies that provide benefits to millions of users can be applied in ways that present serious problems for consumers when misused by those with unsavory motives. The Committee is particularly concerned about the growing use of what is commonly referred to as spyware. Computer software known as `spyware' can allow the unscrupulous to prey on unwitting consumers by stealing personal and financial information, or exposing them to unsolicited offensive material. In many instances, spyware software downloads from the Internet are occurring without the computer user's knowledge and consent. The covert nature of the software installation makes it very difficult for a user to detect the presence of the software. In fact, when the software begins to degrade the function of the computer, consumers often confuse the true source of the spyware with the browser they are using or the particular application they are running. Some of the same programs prevent a user from properly or completely uninstalling or disabling the software program.
Spyware presents privacy, security, and functionality concerns for consumers. The Federal Trade Commission (FTC) has described `spyware' as software `that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer's consent, or asserts control over a computer without the consumer's knowledge.' The Committee received testimony that spyware represents a range of software programs on a broad continuum from the most pernicious criminal activities on one end to the less threatening but still intrusive on the opposite end of the spectrum.
The most serious privacy and security concerns pertain to those programs that are intended to capture a user's personal information without knowledge and consent. The Committee received testimony demonstrating the software technology and tactics of some of these programs. They include keystroke logging software that captures a user's information (passwords, social security numbers, account numbers, etc.) and can lead to identity theft, and monitoring software that tracks a user's online activity, such as websites visited. Such information could be used for profiling. Other monitoring software can include audio or video capturing programs that use one's own computer video camera or microphone to watch or listen to whatever is happening around the Internet-connected computer. Furthermore, security experts and law enforcement officers report growing cooperation among spammers, virus writers, and con artists to steal financial assets from consumers through a device called `phishing' which captures passwords and other private financial data from consumers. Software can also impact the functioning of a computer by redirecting the user to websites the user does not intend to visit, preventing a user from altering settings on the computer, or using the computer to send unsolicited commercial electronic mail. The Committee is concerned that such attacks could erode the trust that makes electronic commerce and online banking possible.
Techniques for deceiving consumers into downloading spyware vary. Deceptive tactics include using pop-under windows that disguise the identity of the program distributor, offering misleading or deceptive end user licensing agreements, and failing to disclose the functionality of a program. More nefarious tactics include exploitation of security patches in a computer's operating system. Additionally, consumers who leave browser security settings on `low' open their systems to automatic `drive-by' downloads in which spyware programs are automatically downloaded when visiting certain websites.
Other software, known as adware, may not have the security risks associated with spyware but may raise significant privacy concerns. Adware is advertising software that can monitor online behavior and websites visited. Adware is often bundled, many times as a consideration, with other software a consumer voluntarily downloads. The adware usually directs targeted advertisements to the user's computer based on information gathered about the user's online activity. However, some adware has been used to push directed advertisements of material unrelated to online activity that a user may find objectionable. The Committee does not find adware per se objectionable, so long as a consumer has given informed consent to the software installation or execution.
The Committee recognizes that many of the technologies that are used for malicious and deceptive practices can also be used for beneficial and legitimate purposes. For example, parents utilizing software to monitor the online behavior of their children may find it to be an appropriate tool to protect their children. Similarly, software companies, Internet Service Providers, and other intermediaries may have legitimate business reasons to monitor and track activity. Examples include system performance, network efficiency, and automatic updates of anti-virus software. The Committee does not view the technology employed by spyware and adware as the source of the problem and therefore, does not seek to regulate the software. Rather, it is the misuse of this technology that has created significant policy concerns the Committee intends to address through this legislation and ongoing oversight.
SECTION BY SECTION ANALYSIS OF THE BILL
Section 1. Short title
Section 1 establishes the short title of the Act as the `Securely Protect Yourself Against Cyber Trespass Act,' or the `SPY ACT.'
Section 2. Prohibition of deceptive acts or practices relating to spyware
Section 2(a) prohibits any person who is not an owner or authorized user of a protected computer from engaging in deceptive acts or practices in connection with spyware. Specifically, it prohibits by means of deception: (1) taking control of a protected computer; (2) modifying settings related to the use of a computer or to the computer's access to or use of the Internet by altering certain information; (3) collecting personally identifiable information through the use of a keystroke logging function; (4) inducing the owner or authorized user to disclose personally identifiable information using a fraudulent Web page; (5) inducing the owner or authorized user to install a component of computer software onto the computer or preventing reasonable efforts to block the installation or execution of, or to disable, a component of computer software; (6) misrepresenting that installing a separate component of computer software or providing log-in and password information is necessary for security or privacy reasons, or that installing a separate component of computer software is necessary to open, view, or play a particular type of content; (7) inducing the owner or authorized user to install or execute computer software by misrepresenting the identity or authority of the person or entity providing the computer software; (8) inducing the owner or authorized user to provide personally identifiable information to another person by misrepresenting the identity of the person seeking the information, or without the authority of the intended recipient of the information; or (9) removing, disabling, or rendering inoperative a security, anti-spyware, or anti-virus technology installed on the computer, or installing or executing on the computer one or more additional components of computer software with the intent of causing a person to use such components in a way that violates any other provision of section 2.
This bill addresses software practices that affect end user computers, whether those of consumers or of businesses, connected to the Internet or similar public networks. Routers and other computers on the Internet interact with one another and give each other instructions regularly as part of the routine operation of the Internet. The Committee does not intend that these and other activities that occur in the network itself, rather than on the edge of the network, be covered by the bill's definitions of `computer' or `protected computer,' within the meaning of section 10(3), or that they be considered `taking control' of a computer within the meaning of section 2(a)(1).
Section 2(a)(4) provides the FTC with enforcement authority against `evil-twin attacks' and web-based phishing. It is not intended to apply in instances of legitimate trademark dispute.
Many software installations of updated security, anti-spyware, or anti-virus technologies requested by a computer user will disable or render inoperable a prior version of that software upon installation of the updated version. Section 2(a)(8) is not intended to apply to these circumstances.
Section 2(b) directs the FTC to use its authority to issue advisory opinions, policy statements, and guidance to advise companies on the parameters of this section. For example, the FTC should issue guidance on required disclosures or material omissions that would trigger liability under section 2. Section 2(b) also provides that this subsection will take effect upon the date of enactment of the Act.
Section 2(c) provides that, except as provided in subsection (b), section 2 shall take effect upon the expiration of the 6-month period that begins on the date of enactment of the Act.
Section 3. Prohibition of collection of certain information without notice and consent
Section 3(a) prohibits the transmission of an information collection program to a protected computer unless the program provides for notice and consent, as set forth in section 3(c), before the first execution of the information collection program and contains the functions set forth in section 3(d). It also prohibits the execution of any information collection program on a protected computer without meeting the requirements in 3(c) and 3(d).
This section contemplates a single notice at the first execution of the software. If the same information collection program executes more than one time on the same protected computer, notice is required only at the initial execution. Subsequent notice is only required if the information collection program will collect or send information that is materially different from, and outside the scope of, the type or purpose set forth in the initial or, in the case of prior subsequent notice, previous notice.
Section 3(b)(1) provides a definition for information collection program. An information collection program is computer software that (a) collects personally identifiable information and either (1) sends such information to a person other than the owner or authorized user of the computer or (2) uses such information to deliver advertising to or display advertising on the computer; or (b) collects information regarding web pages accessed using the computer and uses the information to deliver advertising to or display advertising on the computer. The reference to `a person other than the owner or authorized user of the computer' in section 3(b)(1)(A)(ii)(I) is intended to include the entity that transmitted or executed the information collection program.
Section 3(b)(2) provides an exception to the definition of information collection program. Computer software that otherwise would be considered an information collection program under section 3(b)(1)(B) shall not be considered such a program if: (1) the only information collected regarding Web pages accessed using the computer is information about web pages within a particular Web site; (2) such information is not sent to anyone other than the provider of the Web site accessed, or a party authorized to facilitate the display or functionality of Web pages within the Web site accessed; and, (3) the only advertising delivered to or displayed on the computer using such information is advertising on the Web pages within the Web site. This section is intended to exempt from the requirements of section 3 HTML, Java, Java Script, Web beacons, and other similar tools used in the everyday functioning of the Internet to the extent that they facilitate the ordinary construction of Web pages and do not collect personally identifiable information. The Committee does not intend to interfere with the benign functioning of the Internet. This exception also allows Web site providers, or their agents, to monitor activity on their Web site, and to direct advertising on their Web site based on that monitoring, without being subject to the requirements of section 3. The Committee understands that Web site owners often use internal navigation tracking for rights management, security, site management, and similar purposes not associated with malicious spyware and adware, in order to facilitate positive interactions with consumers.
Section 3(c) sets out the requirements for notice and consent with respect to information collection programs. The notice must be clear and conspicuous in plain language and clearly distinguished from any other information contemporaneously displayed. The Committee expects the notice to be simple and clear so that consumers can easily understand that software collects information about them. Section 3(c)(1)(A) is not intended to impose specific design mandates on hardware manufacturers or software developers. The intent of the provision is to require a clearly distinct notice to the extent practicable in light of the technical and functional limitations of the information collection program or the device on which it is installed and executed. The notice must also contain a statement identifying whether the information collection program collects personally identifiable information or web pages accessed, or both. The provider of the information collection program may use the provided language or a substantially similar statement. The language `or a substantially similar statement' has been added to section 3(c)(1)(B) to ensure that vendors of information collection programs have adequate flexibility to tailor section 3 notices to the user experience and in light of evolving technologies and consumer expectations. The notice must provide for the user to grant or deny consent, or to simply abandon or cancel the transaction without granting or denying consent. The notice must also provide for the user to access, before granting or denying consent, a clear description of the types of information being collected, the purpose for which the information is being collected and sent, and in the case of bundled software, the identity of the programs that qualify as information collection programs under the Act. The software provider may provide access to the information required under section 3(c)(1)(D) by a link or some other web-based mechanism. 
A single notice is sufficient for bundled software programs so long as it meets the requirements under section 3(c)(1)(D)(iii). Section 3(c)(1)(E) requires concurrent display of the specified information in sections 3(c)(1)(B), (C), and (D) to the extent reasonably practicable. Section 3(c)(4) grants the FTC authority to issue regulations to carry out the subsection.
Section 3(d) provides that an information collection program must contain a disable function and, if applicable, an identity function. The disable function must allow a user of the program to remove or disable operation of the program by a mechanism that is easily identifiable to the user and can be performed without undue effort or knowledge by the user of the protected computer. The Committee has included this provision because of evidence that purveyors of spyware have infected consumers' computers with software that cannot be removed or disabled absent destruction of the computer hard drive. The Committee expects that the FTC will take action to educate consumers on the dangers of uninstallable software that may already be residing on consumers' computers without their knowledge. Section 3(d)(1) does not require information collection programs to provide users with both a remove and a disable option. Developers of information collection programs will satisfy the requirements of section 3(d)(1) so long as the program includes at least one of these options. The identity function must provide that display of an advertisement generated by information collected through the program must be accompanied by the name of the information collection program, a logogram or trademark used for the exclusive purpose of identifying the program, or a statement or other information sufficient to clearly identify the program. Section 3(d)(2)(B) directs the FTC to promulgate rules exempting from this required function the embedded display of any advertisement on a Web page that contemporaneously displays other information. Section 3(d)(3) gives the FTC authority to issue regulations to carry out the subsection.
Section 3(e) provides that a telecommunications carrier, provider of information or interactive computer service, cable operator, or a provider of transmission capability shall not be liable under section 3 to the extent that it transmits, routes, hosts, stores, or provides connections for an information collection program or provides an information location tool through which the owner or authorized user of a protected computer locates an information collection program.
For purposes of commercial computing networks, the `authorized user' of computer software will be the corporate licensee of the software. As a practical matter, for purposes of sections 2 and 3, the Committee understands in many instances that system administrators are the `authorized users' in the context of commercial computing networks.
Section 4. Enforcement
Section 4(a) provides that the Act shall be enforced by the FTC under the Federal Trade Commission Act and that a violation of the Act shall be treated as an unfair or deceptive act or practice violating a rule promulgated under section 18 of the Federal Trade Commission Act. Section 4 gives the FTC the discretion to seek civil penalties for violations of the Act in one of two ways: (1) seeking civil penalties of up to $11,000 per violation under section 5(m)(1)(A) of the FTC Act; or, (2) seeking civil penalties under section 4(b) of this Act. Section 4(b) establishes an alternative enforcement mechanism for pattern or practice violations of the Act. It provides for significantly higher penalties for those whom the FTC has determined engaged in a pattern or practice of violating the Act, but also directs the FTC to treat as a single violation a single action that violates the Act but affects multiple computers. It also directs that any single action or conduct that violates more than one section of 2(a) shall be considered multiple violations. The higher damages for a pattern or practice of violation may be up to $3,000,000 for each violation of section 2 and $1,000,000 for each violation of section 3.
Furthermore, section 4(c) provides that civil penalties sought under the Act may not be granted by the FTC or any court unless the FTC or the court, respectively, establishes that the conduct was committed with actual knowledge or knowledge fairly implied on the basis of objective circumstances that such conduct is unfair and deceptive and is prohibited by this Act. This is the existing scienter requirement under the FTC Act. Section 4(d) directs the FTC and the court, in determining the amount of any such civil penalty, to take into account the degree of culpability, any prior history of such conduct, ability to pay, effect on ability to continue to do business, and such other matters as justice may require. The Committee expects the FTC to enforce the law to protect consumers from unfair or deceptive acts or practices involving spyware vigorously. It also expects the agency to act reasonably to avoid seeking damages out of proportion to the harm caused by the offending conduct.
Section 4(e) provides that remedies available under this section and remedies available under the Federal Trade Commission Act are the exclusive remedies for violation of the Act.
Section 4(f) provides that the section shall take effect upon the expiration of the 6-month period that begins on the date of enactment of the Act to the extent that the section applies to violations of section 2(a).
Section 5. Limitations
Section 5(a) provides that sections 2 and 3 of the Act shall not apply to any act taken by a law enforcement agent in performance of official duties or the transmission or execution of an information collection program in compliance with a law enforcement, investigatory, national security, regulatory, agency or department of the United States, or any State in response to a request or demand made under authority granted to that agency or department. The Committee intends that this section shall be interpreted to exclude from sections 2 and 3 of the Act intelligence agencies and bona fide intelligence gathering.
Section 5(b) provides that nothing in the Act shall apply to any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service to the extent that such monitoring or interaction is for network or computer security purposes, diagnostics, technical support, or repair, or for the detection or prevention of fraudulent activities. The section also provides that the Act shall not apply to a discrete interaction with a protected computer by a provider of computer software solely to determine whether the user of the computer is authorized to use such software, that occurs upon initialization of the software or an affirmative request by that user for an update of, addition to, or technical service for, the software. The intent of this provision is to allow software providers to verify that requests for technical support are coming from licensed users of software.
Section 5(c) provides that no provider of an interactive computer service may be held liable under the Act on account of any action voluntarily taken, or service provided, in good faith to remove or disable a program used to violate section 2 or 3 that is installed on a customer's computer, if the provider notifies the customer and obtains consent before undertaking such action.
Section 5(d) provides that a manufacturer or retailer of computer equipment shall not be liable under this Act to the extent that that manufacturer or retailer is providing third party branded computer software that is installed on the equipment the manufacturer or retailer is manufacturing or selling. This provision does not excuse from liability a manufacturer that includes its own software on computers it manufactures.
Section 6. Effect on other laws
Section 6(a) provides that the Act supersedes any provision of a statute, regulation, or rule of a state or political subdivision that expressly regulates deceptive conduct with respect to computers similar to that of section 2(a), the transmission or execution of a computer program similar to that in section 3, and the use of computer software that displays advertising content based on the Web pages accessed using a computer. The section also prohibits any person other than the Attorney General of a State from bringing a civil action under the law of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act, but makes clear that this prohibition shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State. The section specifically preserves state trespass, contract, and tort law, and other state laws to the extent those acts relate to acts of general consumer fraud. The Committee intends to preserve the ability of State Attorneys General to enforce these laws as an important backstop to FTC enforcement. However, the Committee intends to preempt state legislation that makes illegal an information collection program or other computer software that displays advertising in a way that complies with this Act by simply calling it a trespass, tort, or other statute in an effort to avoid preemption. The Committee specifically intends to preempt the Utah Spyware Control Act, section 13-39-101, Utah Code Annotated 1953.
Section 6(b) preserves the Federal Trade Commission's authority under any other provision of law, including the authority to issue advisory opinions, policy statements, or guidance regarding the Act.
Section 7. Annual FTC report
Section 7 requires the Federal Trade Commission to submit annual reports to Congress. The report must detail the actions taken to enforce sections 2(a) and 3 and describe administrative structure and personnel and other resources committed to enforcement of the Act. The Committee expects the Commission to include in its long range planning an assessment of the adequacy of its enforcement resources and its technology expertise.
Section 8. FTC report on cookies
Section 8 requires that, not later than the expiration of the 6-month period that begins on the date of the enactment of this Act, the FTC submit a report to the Congress regarding the use of cookies, including tracking cookies, in the delivery or display of advertising to the owners and users of computers. The report shall compare the use of cookies with the use of information collection programs to determine the extent to which such uses are similar or different. Section 8(b) defines `tracking cookie' for the purposes of this section. This Act contains a rule of construction in section 10(4)(C) clarifying that cookies are not subject to the requirements of section 3 because they are not `computer software.' The Committee understands that traditional cookies are innocuous and a part of the basic functioning of most Web sites. On the other hand, the Committee has received information about so-called `tracking' or `persistent' cookies that collect identifying information and increasingly act as spyware and adware. The Committee intends for the Commission to look into these and other functionally similar information collection programs to determine whether, and if so how, they use and transmit consumer information.
Section 8(c) provides that the section shall take effect on the date of enactment of the Act.
Section 9. Regulations
Section 9(a) provides that any regulations issued under the Act shall be issued not later than the expiration of the 6-month period beginning on the date of enactment of this Act, and in accordance with section 553 of title 5, United States Code. The subsection also provides a public interest standard to guide the FTC rulemaking under the Act.
Section 9(b) provides that the section shall take effect on the date of enactment of the Act.
Section 10. Definitions
Section 10 provides definitions for terms in the Act including `computer software,' `deceptive acts or practices,' `disable,' `personally identifiable information,' `transmit,' `Web page,' and `Web site.'
The definition of `collect' makes clear that personally identifiable information that is input by the user of a protected computer and transferred to the intended recipient, or stored on the protected computer in a manner so that it is accessible by such intended recipient, is outside the scope of section 3 of the Act. This is intended to facilitate ease of use for consumers and providers of Internet services or websites. The Committee intends the exclusion from `collect' to be based on active conduct on the part of the computer user. The mere acceptance of an end user license agreement by a computer user would not be sufficient to meet this test of active conduct.
The definition of `computer software' makes clear that such term does not include: (1) software placed on the computer system of a user by an Internet service provider, interactive computer service, or Internet Web site solely to enable the user subsequently to use such provider or service or to access such Web site; (2) cookies; and, (3) any other type of text or data file that solely may be read or transferred by a computer.
The Committee does not intend to include in the definition of `computer' and `protected computer' consumer devices to the extent utilized by a multichannel video programming distributor or video programmer to provide multichannel video programming services or to collect or disclose subscriber information, to the extent covered under 47 U.S.C. Sec. 338(i) and 47 U.S.C. 551.
Section 11. Applicability and sunset
Section 11 provides that, except as otherwise provided in the Act, the Act shall take effect 12 months after the date of enactment. Section 10 also provides for a sunset of the bill on December 31, 2010.