SPYWARE: CIVIL REMEDIES S.B. 151: COMMITTEE SUMMARY




Senate Bill 151 (as introduced 2-2-05)
Sponsor: Senator Cameron S. Brown
Committee: Technology and Energy


Date Completed: 2-16-05

CONTENT The bill would create the "Spyware Control Act" to do the following:

-- Prohibit a person from installing spyware on another person's computer, or causing spyware to be installed on another person's computer.
-- Prohibit a person from using a context-based triggering mechanism to display an advertisement that covered content on a website in a way that interfered with a user's ability to view the internet.
-- Allow an adversely affected person to bring an action against a person for violating the proposed Act.
-- Require the Department of Labor and Economic Growth (DLEG) to establish procedures for reporting a violation of the proposed Act.
-- Require DLEG to review the proposed Act on an annual basis and recommend to the Legislature amendments it considered appropriate.

Prohibited Activity; Definitions


The bill would prohibit a person from installing spyware on another person's computer or causing spyware to be installed on another person's computer. The bill also would prohibit a person from using a context-based triggering mechanism to display an advertisement that wholly or partially covered or obscured paid advertising or other internet website content in a way that interfered with a user's ability to view the internet.


The bill would define "Spyware" as software residing on a computer that collected protected information and sent the information to a remote computer or server, and/or displayed or caused to be displayed in response to protected information an advertisement to which any of the following applied:

-- The advertisement did not identify clearly the full legal name of the entity responsible for delivering it.
-- The advertisement used a Federally registered trademark as a trigger for its display by a person other than the trademark owner or the owner's authorized agent or licensee, or a recognized internet search engine.
-- The advertisement used a triggering mechanism to display the advertisement based on the internet websites the computer accessed.
-- The advertisement was displayed using a context-based triggering mechanism and partially or wholly covered or obscured paid advertising or other content on a website in a manner that interfered with the computer user's ability to view the website.

"Context-based triggering mechanism" would mean a software-based trigger or program residing on a computer that displayed an advertisement based on either the internet website to which the computer gained access, or the website's contents or characteristic.

"User" would mean a computer owner or a person who gained access to an internet website.
"Protected information" would mean the internet websites accessed with the computer; the contents or characteristics of the websites; and/or personal information entered or revealed during the computer's operation, including all of the following:

-- An individual's first and last name, whether given at birth or adoption, assumed, or legally changed.
-- An individual's street name, city or town, zip code, or physical address.
-- An e-mail address.
-- A telephone number.
-- A social security, personal identification, or credit card number, or access code associated with a credit card.
-- A date or place of birth or birth certificate number.
-- A password or access code.


Additionally, "protected information" would include information submitted via forms on an internet website.


The bill specifies that the term "spyware" would not include software designed and installed solely to diagnose or resolve technical difficulties. The term also would exclude software or data that reported to an internet website information previously stored by the website on the computer, including cookies, HTML code, Java scripts, and a computer operating system.


The term "spyware" would not include software for which all of the following were obtained:

-- A license agreement for the software that was presented in full and written in plain English.
-- A notice of the collection of each specific type of information to be transmitted as a result of the software installation.
-- A clear and representative full-sized example of each type of advertisement that could be delivered as a result of the software installation.
-- A truthful statement of the frequency with which each type of advertisement could be delivered as a result of the software installation.
-- For each type of advertisement delivered as a result of the software installation, a clear description of a method by which a user could distinguish the advertisement by its appearance from an advertisement generated by other software services.
-- A method by which the computer user quickly and easily, using obvious, standard, usual, and ordinary methods, could disable and remove the software with no other effect on the nonaffiliated parts of the computer.


Legal Action


Any of the following who was adversely affected by a violation of the proposed Act could bring an action against a person for the violation: a user, an internet website owner or registrant, a trademark or copyright owner, or an authorized advertiser on an internet website. In an action, a person could obtain an injunction to prohibit further violations, and/or actual damages or $10,000 per violation, whichever was greater. For a knowing violation, a person could obtain the greater of three times the amount of actual damages, or $30,000 per violation, in addition to an injunction.


The bill specifies that each instance of obtaining access to user information and each display of an advertisement would be a separate violation of the proposed Act. It would not be a defense to an action that a user could remove or hide spyware or an advertisement.


The bill provides that it would not authorize a person to file an action against an internet service provider (ISP) for the routine transmission of security information, or information that contained an advertisement in violation of the proposed Act. Also, a person could not file a class action under the proposed Act.


DLEG Requirements


The bill would require DLEG to establish procedures by which a person could report a violation of the proposed Act to the Department either by an internet website the Department maintained, or by a toll-free telephone number.


The Department also would have to review the proposed Act annually and recommend in writing to the committees of the Senate and House of Representatives with primary jurisdiction over technology issues any amendments it considered appropriate based on the review.

BACKGROUND

According to webroot.com, Spyware is any application that may track an individual's online and offline computer activity and is capable of saving that information locally or transmitting it to third parties, often without the user's consent or knowledge.


Spyware can be installed on a person's computer through a pop-up window or advertisement, via an instant messenger service, through a file-sharing program, or through spam e-mail or an attachment in an e-mail.


Some spyware programs enable online companies to track a person's activities on a website and tailor pop-up advertising to the person's choices. Other programs are capable of monitoring the person's keystrokes and online screenshots, and revealing personal information such as login names, passwords, and social security, credit card, and bank account numbers.


Legislative Analyst: Julie Koval

FISCAL IMPACT
The bill would increase the administrative costs of the Department of Labor and Economic Growth by an unknown amount due to the responsibility to receive reports of violations from individual computer users. The bill would have no impact on local government.

Fiscal Analyst: Elizabeth Pratt

Analysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent. sb151/0506