[Congressional Bills 108th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2929 Reported in House (RH)]

                                                 Union Calendar No. 374
108th CONGRESS
  2d Session
                                H. R. 2929

                          [Report No. 108-619]

 To protect users of the Internet from unknowing transmission of their 
 personally identifiable information through spyware programs, and for 
                            other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 25, 2003

 Mrs. Bono (for herself and Mr. Towns) introduced the following bill; 
       which was referred to the Committee on Energy and Commerce

                             July 20, 2004

Additional sponsors: Mr. Shimkus, Mrs. Cubin, Mr. Ehlers, Mr. Calvert, 
  Mr. Buyer, Mr. Radanovich, Mr. Pickering, Mr. Wynn, Mr. Engel, Mr. 
  Rush, Mr. Boucher, Mr. Stupak, Mr. Green of Texas, Mr. Gordon, Mr. 
Deutsch, Ms. McCarthy of Missouri, Mr. Gillmor, Mr. Hall, Mr. Shadegg, 
    Mr. Bass, Mr. Greenwood, Mr. Gonzalez, Mr. Wamp, Mr. Otter, Mr. 
Doolittle, Mr. Upton, Mr. Burns, Mr. Israel, Mr. Sam Johnson of Texas, 
                    and Mr. Bradley of New Hampshire

                             July 20, 2004

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
 [For text of introduced bill, see copy of bill as introduced on July 
                               25, 2003]

_______________________________________________________________________

                                 A BILL


 
 To protect users of the Internet from unknowing transmission of their 
 personally identifiable information through spyware programs, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Securely Protect Yourself Against 
Cyber Trespass Act'' or the ``SPY ACT''.

SEC. 2. PROHIBITION OF DECEPTIVE ACTS OR PRACTICES RELATING TO SPYWARE.

    (a) Prohibition.--It is unlawful for any person, who is not the 
owner or authorized user of a protected computer, to engage in 
deceptive acts or practices in connection with any of the following 
conduct with respect to the protected computer:
            (1) Taking control of the computer by--
                    (A) utilizing such computer to send unsolicited 
                information or material from the protected computer to 
                others;
                    (B) diverting the Internet browser of the computer, 
                or similar program of the computer used to access and 
                navigate the Internet, away from the site the user 
                intended to view, to one or more other Web pages, such 
                that the user is prevented from viewing the content at 
                the intended Web page;
                    (C) accessing or using the modem, or Internet 
                connection or service, for the computer and thereby 
                causing damage to the computer or causing the owner or 
                authorized user to incur unauthorized financial 
                charges;
                    (D) using the computer as part of an activity 
                performed by a group of computers that causes damage to 
                another computer; or
                    (E) delivering advertisements that a user of the 
                computer cannot close without turning off the computer 
                or closing all sessions of the Internet browser for the 
                computer.
            (2) Modifying settings related to use of the computer or to 
        the computer's access to or use of the Internet by altering--
                    (A) the Web page that appears when the owner or 
                authorized user launches an Internet browser or similar 
                program used to access and navigate the Internet;
                    (B) the default provider used to access or search 
                the Internet, or other existing Internet connections 
                settings;
                    (C) a list of bookmarks used by the computer to 
                access Web pages; or
                    (D) security or other settings of the computer that 
                protect information about the owner or authorized user.
            (3) Collecting personally identifiable information through 
        the use of a keystroke logging function or similar function.
            (4) Inducing the owner or authorized user to install a 
        computer software component onto the computer, or preventing 
        reasonable efforts to block the installation or execution of, 
        or to disable, a computer software component by--
                    (A) presenting the owner or authorized user with an 
                option to decline installation of a software component 
                such that, when the option is selected by the owner or 
                authorized user, the installation nevertheless 
                proceeds; or
                    (B) causing a computer software component that the 
                owner or authorized user has properly removed or 
                disabled to automatically reinstall or reactivate on 
                the computer.
            (5) Misrepresenting that installing a separate software 
        component or providing log-in and password information is 
        necessary for security or privacy reasons, or that installing a 
        separate software component is necessary to open, view, or play 
        a particular type of content.
            (6) Inducing the owner or authorized user to install or 
        execute computer software by misrepresenting the identity or 
        authority of the person or entity providing the computer 
        software to the owner or user.
            (7) Inducing the owner or authorized user to provide 
        personally identifiable information to another person by 
        misrepresenting the identity or authority of the person seeking 
        the information.
            (8) Removing, disabling, or rendering inoperative a 
        security, anti-spyware, or anti-virus technology installed on 
        the computer.
            (9) Installing or executing on the computer one or more 
        additional computer software components with the intent of 
        causing a person to use such components in a way that violates 
        any other provision of this section.
    (b) Effective Date.--This section shall take effect on the date of 
the enactment of this Act.

SEC. 3. PROHIBITION OF COLLECTION OF CERTAIN INFORMATION WITHOUT NOTICE 
              AND CONSENT.

    (a) Opt-In Requirement.--Except as provided in subsection (e), it 
is unlawful for any person--
            (1) to transmit to a protected computer, which is not owned 
        by such person and for which such person is not an authorized 
        user, any information collection program, or
            (2) to execute any information collection program installed 
        on such a protected computer,
unless, before the first execution of any of the information collection 
functions of the program, the owner or an authorized user of the 
protected computer has consented to such execution pursuant to notice 
in accordance with subsection (c) and such information collection 
program includes the functions required under subsection (d).
    (b) Information Collection Program.--For purposes of this section, 
the term ``information collection program'' means computer software 
that--
            (1)(A) collects personally identifiable information; and
            (B)(i) sends such information to a person other than the 
        owner or authorized user of the computer, or
            (ii) uses such information to deliver advertising to, or 
        display advertising, on the computer; or
            (2)(A) collects information regarding the Web pages 
        accessed using the computer; and
            (B) uses such information to deliver advertising to, or 
        display advertising on, the computer.
    (c) Notice and Consent.--
            (1) In general.--Notice in accordance with this subsection 
        with respect to an information collection program is clear and 
        conspicuous notice in plain language, set forth in a form and 
        manner as the Commission shall provide, that meets all of the 
        following requirements:
                    (A) The notice clearly distinguishes such notice 
                from any other information visually presented 
                contemporaneously on the protected computer.
                    (B) The notice contains one of the following 
                statements, as applicable, or substantially similar 
                language:
                            (i) With respect to an information 
                        collection program described in subsection 
                        (b)(1): ``This program will collect and 
                        transmit information about you. Do you 
                        accept?''.
                            (ii) With respect to an information 
                        collection program described in subsection 
                        (b)(2): ``This program will collect information 
                        about Web pages you access and will use that 
                        information to display advertising on your 
                        computer. Do you accept?''.
                            (iii) With respect to an information 
                        collection program that performs the actions 
                        described in both paragraphs (1) and (2) of 
                        subsection (b): ``This program will collect and 
                        transmit information about you and your 
                        computer use and will collect information about 
                        Web pages you access and use that information 
                        to display advertising on your computer. Do you 
                        accept?''.
                    (C) The notice provides for the user to grant or 
                deny consent referred to in subsection (a) by selecting 
                an option to grant or deny such consent.
                    (D) The notice provides an option for the user to 
                select to display on the computer, before granting or 
                denying consent using the option required under 
                subparagraph (C), a clear description of--
                            (i) the types of information to be 
                        collected and sent (if any) by the information 
                        collection program;
                            (ii) the purpose for which such information 
                        is to be collected and sent; and
                            (iii) in the case of an information 
                        collection program that first executes any of 
                        the information collection functions of the 
                        program together with the first execution of 
                        other computer software, the identity of any 
                        such software that is an information collection 
                        program.
                    (E) The notice provides for concurrent display of 
                the information required under subparagraphs (B) and 
                (C) and the option required under subparagraph (D) 
                until the user grants or denies consent using the 
                option required under subparagraph (C) (or selects the 
                option required under subparagraph (D)).
            (2) Single notice.--The Commission shall provide that, in 
        the case in which multiple information collection programs 
        first execute any of the information collection functions of 
        the programs together, notice in accordance with paragraph (1) 
        may be provided through a single notice that applies to all 
        such information collection programs, except that such notice 
        shall provide the option under subparagraph (D) of paragraph 
        (1) with respect to each such information collection program.
            (3) Change in information collected.--After an owner or 
        authorized user has granted consent to execution of an 
        information collection program pursuant to a notice in 
        accordance with this subsection, the person who transmitted the 
        program shall provide another notice in accordance with this 
        subsection and obtain consent before such program may be used 
        to collect or send information of any type or for any purpose 
        that is materially different from, and outside the scope of, 
        the type or purpose set forth in the initial or any previous 
        notice.
            (4) Regulations.--The Commission shall issue regulations to 
        carry out this subsection.
    (d) Required Functions.--The functions required under this 
subsection to be included in an information collection program that 
first executes any information collection functions with respect to a 
protected computer are as follows:
            (1) Disabling function.--With respect to any information 
        collection program, a function of the program that allows a 
        user of the program to remove the program or disable operation 
        of the program with respect to such protected computer by a 
        function that--
                    (A) is easily identifiable to a user of the 
                computer; and
                    (B) can be performed without undue effort or 
                knowledge by the user of the protected computer.
        The Commission may issue regulations to carry out this 
        paragraph.
            (2) Identity function.--With respect only to an information 
        collection program that uses information collected in the 
        manner described in paragraph (1)(B)(ii) or (2)(B) of 
        subsection (b), a function of the program that provides that 
        each display of an advertisement directed or displayed using 
        such information is accompanied by a statement that clearly 
        identifies the information collection program.
    (e) Limitation on Liability.--A telecommunications carrier, a 
provider of information service or interactive computer service, a 
cable operator, or a provider of transmission capability shall not be 
liable under this section to the extent that the carrier, operator, or 
provider--
            (1) transmits, routes, hosts, stores, or provides 
        connections for an information collection program through a 
        system or network controlled or operated by or for the carrier, 
        operator, or provider; or
            (2) provides an information location tool, such as a 
        directory, index, reference, pointer, or hypertext link, 
        through which the owner or user of a protected computer locates 
        an information collection program.

SEC. 4. ENFORCEMENT.

    (a) Unfair or Deceptive Act or Practice.--This Act shall be 
enforced by the Commission under the Federal Trade Commission Act (15 
U.S.C. 41 et seq.). A violation of any provision of this Act or of a 
regulation issued under this Act shall be treated as an unfair or 
deceptive act or practice violating a rule promulgated under section 18 
of the Federal Trade Commission Act (15 U.S.C. 57a), except that the 
maximum civil penalty for a violation of this Act shall be one of the 
following amounts, as the Commission, in its discretion, seeks for such 
a violation:
            (1) Treatment of conduct affecting multiple computers as 
        separate violations.--$33,000 for each violation of section 2, 
        and $11,000 for each violation of section 3, except that in 
        applying this paragraph each separate protected computer with 
        respect to which a violation of such section occurs as a result 
        of a single action or conduct that violates section 2 or 3 
        shall be treated as a separate violation.
            (2) Treatment of conduct affecting multiple computers as a 
        single violation.--$3,000,000 for each violation of section 2, 
        and $1,000,000 for each violation of section 3, except that in 
        applying this paragraph--
                    (A) any single action or conduct that violates such 
                section with respect to multiple protected computers 
                shall be treated as a single violation; and
                    (B) any single action or conduct that violates more 
                than one paragraph of section 2(a) shall be considered 
                multiple violations, based on the number of such 
                paragraphs violated.
    (b) Exclusiveness of Remedies.--The remedies in this section 
(including remedies available under the Federal Trade Commission Act) 
are the exclusive remedies for violations of this Act.
    (c) Effective Date.--This section shall take effect on the date of 
the enactment of this Act, but only to the extent that this section 
applies to violations of section 2(a).

SEC. 5. LIMITATIONS.

    (a) Law Enforcement Authority.--Sections 2 and 3 of this Act shall 
not apply to--
            (1) any act taken by a law enforcement agent in the 
        performance of official duties; or
            (2) the transmission or execution of an information 
        collection program in compliance with a law enforcement, 
        investigatory, national security, or regulatory agency or 
        department of the United States in response to a request or 
        demand made under authority granted to that agency or 
        department, including a warrant issued under the Federal Rules 
        of Criminal Procedure, an equivalent State warrant, a court 
        order, or other lawful process.
    (b) Exception Relating to Network Security.--Nothing in this Act 
shall apply to any monitoring of, or interaction with, a subscriber's 
Internet or other network connection or service by a telecommunications 
carrier, cable operator, or provider of information service or 
interactive computer service for network security purposes, diagnostics 
or repair in connection with a network or service, or detection or 
prevention of fraudulent activities in connection with a service or 
user agreement.
    (c) Good Samaritan Protection.--No provider of computer software or 
of interactive computer service may be held liable under this Act on 
account of any action voluntarily taken, or service provided, in good 
faith to remove or disable a program used to violate section 2 or 3 
that is installed on a computer of a customer of such provider, if such 
provider notifies the customer and obtains the consent of the customer 
before undertaking such action or providing such service.

SEC. 6. EFFECT ON OTHER LAWS.

    (a) Preemption of State Law.--
            (1) Preemption.--This Act supersedes any provision of a 
        statute, regulation, or rule of a State or political 
        subdivision of a State that expressly regulates--
                    (A) deceptive conduct with respect to computers 
                similar to that described in section 2(a);
                    (B) the transmission or execution of a computer 
                program similar to that described in section 3; or
                    (C) the use of context-based triggering mechanisms 
                or similar means to display an advertisement that 
                partially or wholly covers or obscures content on a Web 
                page in a way that interferes with the ability of the 
                user of a computer to view the Web page.
            (2) Protection of certain state laws.--This Act shall not 
        be construed to preempt the applicability of--
                    (A) State trespass, contract, or tort law; or
                    (B) other State laws to the extent that those laws 
                relate to acts of fraud.
    (b) Preservation of FTC Authority.--Nothing in this Act may be 
construed in any way to limit or affect the Commission's authority 
under any other provision of law, including the authority to issue 
advisory opinions (under Part 1 of Volume 16 of the Code of Federal 
Regulations), policy statements, or guidance regarding this Act.

SEC. 7. ANNUAL FTC REPORT.

    For the 12-month period that begins upon the effective date under 
section 10(a) and for each 12-month period thereafter, the Commission 
shall submit a report to the Congress that--
            (1) specifies the number and types of actions taken during 
        such period to enforce sections 2(a) and 3, the disposition of 
        each such action, any penalties levied in connection with such 
        actions, and any penalties collected in connection with such 
        actions; and
            (2) describes the administrative structure and personnel 
        and other resources committed by the Commission for enforcement 
        of this Act during such period.
Each report under this subsection for a 12-month period shall be 
submitted not later than 90 days after the expiration of such period.

SEC. 8. REGULATIONS.

    The Commission shall issue the regulations required by this Act not 
later than the expiration of the 6-month period beginning on the date 
of the enactment of this Act. Any regulations issued pursuant to this 
Act shall be issued in accordance with section 553 of title 5, United 
States Code.

SEC. 9. DEFINITIONS.

    For purposes of this Act:
            (1) Cable operator.--The term ``cable operator'' has the 
        meaning given such term in section 602 of the Communications 
        Act of 1934 (47 U.S.C. 522).
            (2) Collect.--The term ``collect'' means, with respect to 
        information and for purposes only of section 3, to obtain in a 
        manner other than by transfer by an owner or authorized user of 
        a protected computer to the party intended as recipient of the 
        transferred information.
            (3) Computer; protected computer.--The terms ``computer'' 
        and ``protected computer'' have the meanings given such terms 
        in section 1030(e) of title 18, United States Code.
            (4) Computer software.--
                    (A) In general.--Except as provided in subparagraph 
                (B), the term ``computer software'' means a set of 
                statements or instructions that can be installed and 
                executed on a computer for the purpose of bringing 
                about a certain result.
                    (B) Exception for cookies.--Such term does not 
                include a cookie or other text file, data, or computer 
                software, that is placed on the computer system of a 
                user by an Internet service provider, interactive 
                computer service, or Internet website to return 
                information to such provider, service, or website 
                solely to enable the user subsequently to use such 
                provider or service or to access such website.
            (5) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (6) Damage.--The term ``damage'' has the meaning given such 
        term in section 1030(e) of title 18, United States Code.
            (7) Deceptive acts or practices.--The term ``deceptive acts 
        or practices'' has the meaning applicable to such term for 
        purposes of section 5 of the Federal Trade Commission Act (15 
        U.S.C. 45).
            (8) Disable.--The term ``disable'' means, with respect to 
        an information collection program, to permanently prevent such 
        program from executing any of the functions described in 
        section 3(b) that such program is otherwise capable of 
        executing (including by removing, deleting, or disabling the 
        program), unless the owner or operator of a protected computer 
        takes a subsequent affirmative action to enable the execution 
        of such functions.
            (9) Information collection functions.--The term 
        ``information collection functions'' means, with respect to an 
        information collection program, the functions of the program 
        described in subsection (b) of section 3.
            (10) Information service.--The term ``information service'' 
        has the meaning given such term in section 3 of the 
        Communications Act of 1934 (47 U.S.C. 153).
            (11) Interactive computer service.--The term ``interactive 
        computer service'' has the meaning given such term in section 
        230(f) of the Communications Act of 1934 (47 U.S.C. 230(f)).
            (12) Internet.--The term ``Internet'' means collectively 
        the myriad of computer and telecommunications facilities, 
        including equipment and operating software, which comprise the 
        interconnected world-wide network of networks that employ the 
        Transmission Control Protocol/Internet Protocol, or any 
        predecessor or successor protocols to such protocol, to 
        communicate information of all kinds by wire or radio.
            (13) Personally identifiable information.--
                    (A) In general.--The term ``personally identifiable 
                information'' means the following information, to the 
                extent only that such information allows a living 
                individual to be identified from that information:
                            (i) First and last name of an individual.
                            (ii) A home or other physical address of an 
                        individual, including street name, name of a 
                        city or town, and zip code.
                            (iii) An electronic mail address.
                            (iv) A telephone number.
                            (v) A social security number, tax 
                        identification number, passport number, 
                        driver's license number, or any other 
                        government-issued identification number.
                            (vi) A credit card number.
                            (vii) An account number.
                            (viii) Any access code or password, other 
                        than an access code or password transmitted by 
                        an owner or authorized user of a protected 
                        computer to register for, or log onto, a Web 
                        page or other Internet service that is 
                        protected by an access code or password.
                            (ix) Date of birth, birth certificate 
                        number, or place of birth of an individual, 
                        except in the case of a date of birth required 
                        by law to be transmitted or collected.
                    (B) Rulemaking.--The Commission may, by regulation, 
                add to the types of information specified under 
                paragraph (1) that shall be considered personally 
                identifiable information for purposes of this Act, 
                except that such information may not include any record 
                of aggregate data that does not identify particular 
                persons, particular computers, particular users of 
                computers, or particular email addresses or other 
                locations of computers with respect to the Internet.
            (14) Telecommunications carrier.--The term 
        ``telecommunications carrier'' has the meaning given such term 
        in section 3 of the Communications Act of 1934 (47 U.S.C. 153).
            (15) Transmit.--The term ``transmit'' means, with respect 
        to an information collection program, transmission by any 
        means.
            (16) Web page.--The term ``Web page'' means a location, 
        with respect to the World Wide Web, that has a single Uniform 
        Resource Locator or another single location with respect to the 
        Internet, as the Federal Trade Commission may prescribe.

SEC. 10. APPLICABILITY AND SUNSET.

    (a) Effective Date.--Except as specifically provided otherwise in 
this Act, this Act shall take effect upon the expiration of the 
12-month period that begins on the date of the enactment of this Act.
    (b) Applicability.--Section 3 shall not apply to an information 
collection program installed on a protected computer before the 
effective date under subsection (a) of this section.
    (c) Sunset.--This Act shall not apply after December 31, 2009.



