[Congressional Bills 108th Congress]
[From the U.S. Government Publishing Office]
[S. 2145 Introduced in Senate (IS)]







108th CONGRESS
  2d Session
                                S. 2145

  To regulate the unauthorized installation of computer software, to 
require clear disclosure to computer users of certain computer software 
    features that may pose a threat to user privacy, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           February 27, 2004

   Mr. Burns (for himself, Mr. Wyden, and Mrs. Boxer) introduced the 
 following bill; which was read twice and referred to the Committee on 
                 Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
  To regulate the unauthorized installation of computer software, to 
require clear disclosure to computer users of certain computer software 
    features that may pose a threat to user privacy, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Software Principles Yielding Better 
Levels of Consumer Knowledge Act'' or the ``SPY BLOCK Act''.

SEC. 2. UNAUTHORIZED INSTALLATION OF COMPUTER SOFTWARE.

    (a) Notice, Choice, and Uninstall Procedures.--It is unlawful for 
any person who is not the user of a protected computer to install 
computer software on that computer, or to authorize, permit, or cause 
the installation of computer software on that computer, unless--
            (1) the user of the computer has received notice that 
        satisfies the requirements of section 3;
            (2) the user of the computer has granted consent that 
        satisfies the requirements of section 3; and
            (3) the computer software's uninstall procedures satisfy 
        the requirements of section 3.
    (b) Red Herring Prohibition.--It is unlawful for any person who is 
not the user of a protected computer to install computer software on 
that computer, or to authorize, permit, or cause the installation of 
computer software on that computer, if the design or operation of the 
computer software is intended, or may reasonably be expected, to 
confuse or mislead the user of the computer concerning the identity of 
the person or service responsible for the functions performed or 
content displayed by such computer software.

SEC. 3. NOTICE, CONSENT, AND UNINSTALL REQUIREMENTS.

    (a) Notice.--For purposes of section 2(a)(1), notice to the user of 
a computer shall--
            (1) include a clear notification, displayed on the screen 
        until the user either grants or denies consent to installation, 
        of the name and general nature of the computer software that 
        will be installed if the user grants consent; and
            (2) include a separate disclosure, with respect to each 
        information collection, advertising, distributed computing, and 
        settings modification feature contained in the computer 
        software, that--
                    (A) remains displayed on the screen until the user 
                either grants or denies consent to that feature;
                    (B) in the case of an information collection 
                feature, provides a clear description of--
                            (i) the type of personal or network 
                        information to be collected and transmitted by 
                        the computer software; and
                            (ii) the purpose for which the personal or 
                        network information is to be collected, 
                        transmitted, and used;
                    (C) in the case of an advertising feature, 
                provides--
                            (i) a representative example of the type of 
                        advertisement that may be delivered by the 
                        computer software;
                            (ii) a clear description of--
                                    (I) the estimated frequency with 
                                which each type of advertisement may be 
                                delivered; or
                                    (II) the factors on which the 
                                frequency will depend; and
                            (iii) a clear description of how the user 
                        can distinguish each type of advertisement that 
                        the computer software delivers from 
                        advertisements generated by other software, 
                        Internet website operators, or services;
                    (D) in the case of a distributed computing feature, 
                provides a clear description of--
                            (i) the types of information or messages 
                        the computer software will cause the computer 
                        to transmit;
                            (ii)(I) the estimated frequency with which 
                        the computer software will cause the computer 
                        to transmit such messages or information; or
                            (II) the factors on which the frequency 
                        will depend;
                            (iii) the estimated volume of such 
                        information or messages, and the likely impact, 
                        if any, on the processing or communications 
                        capacity of the user's computer; and
                            (iv) the nature, volume, and likely impact 
                        on the computer's processing capacity of any 
                        computational or processing tasks the computer 
                        software will cause the computer to perform in 
                        order to generate the information or messages 
                        the computer software will cause the computer 
                        to transmit;
                    (E) in the case of a settings modification feature, 
                provides a clear description of the nature of the 
                modification, its function, and any collateral effects 
                the modification may produce; and
                    (F) provides a clear description of procedures the 
                user may follow to turn off such feature or uninstall 
                the computer software.
    (b) Consent.--For purposes of section 2(a)(2), consent requires--
            (1) consent by the user of the computer to the installation 
        of the computer software; and
            (2) separate affirmative consent by the user of the 
        computer to each information collection feature, advertising 
        feature, distributed computing feature, and settings 
        modification feature contained in the computer software.
    (c) Uninstall Procedures.--For purposes of section 2(a)(3), 
computer software shall--
            (1) appear in the ``Add/Remove Programs'' menu or any 
        similar feature, if any, provided by each operating system with 
        which the computer software functions;
            (2) be capable of being removed completely using the normal 
        procedures provided by each operating system with which the 
        computer software functions for removing computer software; and
            (3) in the case of computer software with an advertising 
        feature, include an easily identifiable link clearly associated 
        with each advertisement that the software causes to be 
        displayed, such that selection of the link by the user of the 
        computer generates an on-screen window that informs the user 
        about how to turn off the advertising feature or uninstall the 
        computer software.

SEC. 4. UNAUTHORIZED USE OF CERTAIN COMPUTER SOFTWARE.

    It is unlawful for any person who is not the user of a protected 
computer to use an information collection, advertising, distributed 
computing, or settings modification feature of computer software 
installed on that computer, if--
            (1) the computer software was installed in violation of 
        section 2;
            (2) the use in question falls outside the scope of what was 
        described to the user of the computer in the notice provided 
        pursuant to section 3(a); or
            (3) in the case of an information collection feature, the 
        person using the feature fails to establish and maintain 
        reasonable procedures to protect the security and integrity of 
        personal information so collected.

SEC. 5. EXCEPTIONS.

    (a) Preinstalled Software.--A person who installs, or authorizes, 
permits, or causes the installation of, computer software on a 
protected computer before the first retail sale of the computer shall 
be deemed to be in compliance with this Act if the user of the computer 
receives notice that would satisfy section 3(a)(2) and grants consent 
that would satisfy section 3(b)(2) prior to--
            (1) the initial collection of personal or network 
        information, in the case of any information collection feature 
        contained in the computer software;
            (2) the initial generation of an advertisement on the 
        computer, in the case of any advertising feature contained in 
        the computer software;
            (3) the initial transmission of information or messages, in 
        the case of any distributed computing feature contained in the 
        computer software; and
            (4) the initial modification of user settings, in the case 
        of any settings modification feature.
    (b) Other Exceptions.--Sections 3(a)(2), 3(b)(2), and 4 do not 
apply to any feature of computer software that is reasonably needed 
to--
            (1) provide capability for general purpose online browsing, 
        electronic mail, or instant messaging, or for any optional 
        function that is directly related to such capability and that 
        the user knowingly chooses to use;
            (2) determine whether or not the user of the computer is 
        licensed or authorized to use the computer software; and
            (3) provide technical support for the use of the computer 
        software by the user of the computer.
    (c) Passive Transmission, Hosting, or Link.--For purposes of this 
Act, a person shall not be deemed to have installed computer software, 
or authorized, permitted, or caused the installation of computer 
software, on a computer solely because that person provided--
            (1) the Internet connection or other transmission 
        capability through which the software was delivered to the 
        computer for installation;
            (2) the storage or hosting, at the direction of another 
        person and without selecting the content to be stored or 
        hosted, of the software or of an Internet website through which 
        the software was made available for installation; or
            (3) a link or reference to an Internet website the content 
        of which was selected and controlled by another person, and 
        through which the computer software was made available for 
        installation.
    (d) Software Resident in Temporary Memory.--In the case of an 
installation of computer software that falls within the meaning of 
section 7(10)(B) but not within the meaning of section 7(10)(A), the 
requirements set forth in subsections (a)(1), (b)(1), and (c) of 
section 3 shall not apply.
    (e) Features Activated by User Options.--In the case of an 
information collection, advertising, distributed computing, or settings 
modification feature that remains inactive or turned off unless the 
user of the computer subsequently selects certain optional settings or 
functions provided by the computer software, the requirements of 
subsections (a)(2) and (b)(2) of section 3 may be satisfied by 
providing the applicable disclosure and obtaining the applicable 
consent at the time the user selects the option that activates the 
feature, rather than at the time of initial installation.

SEC. 6. ADMINISTRATION AND ENFORCEMENT.

    (a) In General.--Except as provided in subsection (b), this Act 
shall be enforced by the Commission as if the violation of this Act 
were an unfair or deceptive act or practice proscribed under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).
    (b) Enforcement by Certain Other Agencies.--Compliance with this 
Act shall be enforced under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks, by the Office of the 
                Comptroller of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
foreign banks (other than Federal branches, Federal agencies, and 
insured State branches of foreign banks), commercial lending companies 
owned or controlled by foreign banks, and organizations operating under 
section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 and 611), 
by the Board; and
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System) and insured State branches of foreign banks, by 
                the Board of Directors of the Federal Deposit Insurance 
                Corporation;
            (2) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), by the Director of the Office of Thrift 
        Supervision, in the case of a savings association the deposits 
        of which are insured by the Federal Deposit Insurance 
        Corporation;
            (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
        by the National Credit Union Administration Board with respect 
        to any Federal credit union;
            (4) part A of subtitle VII of title 49, United States Code, 
        by the Secretary of Transportation with respect to any air 
        carrier or foreign air carrier subject to that part;
            (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et 
        seq.) (except as provided in section 406 of that Act (7 U.S.C. 
        226, 227)), by the Secretary of Agriculture with respect to any 
        activities subject to that Act; and
            (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by 
        the Farm Credit Administration with respect to any Federal land 
        bank, Federal land bank association, Federal intermediate 
        credit bank, or production credit association.
    (c) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (b) of its powers under any Act 
referred to in that subsection, a violation of this Act is deemed to be 
a violation of a requirement imposed under that Act. In addition to its 
powers under any provision of law specifically referred to in 
subsection (b), each of the agencies referred to in that subsection may 
exercise, for the purpose of enforcing compliance with any requirement 
imposed under this Act, any other authority conferred on it by law.
    (d) Actions by the Commission.--The Commission shall prevent any 
person from violating this Act in the same manner, by the same means, 
and with the same jurisdiction, powers, and duties as though all 
applicable terms and provisions of the Federal Trade Commission Act (15 
U.S.C. 41 et seq.) were incorporated into and made a part of this Act. 
Any entity that violates any provision of that section is subject to 
the penalties and entitled to the privileges and immunities provided in 
the Federal Trade Commission Act in the same manner, by the same means, 
and with the same jurisdiction, power, and duties as though all 
applicable terms and provisions of the Federal Trade Commission Act 
were incorporated into and made a part of that section.
    (e) Preservation of Commission Authority.--Nothing contained in 
this section shall be construed to limit the authority of the 
Commission under any other provision of law.

SEC. 7. ACTIONS BY STATES.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that this Act prohibits, the State, as parens patriae, 
        may bring a civil action on behalf of the residents of the 
        State in a district court of the United States of appropriate 
        jurisdiction--
                    (A) to enjoin that practice;
                    (B) to enforce compliance with the rule;
                    (C) to obtain damage, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) to obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Commission--
                            (i) written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the attorney general determines 
                        that it is not feasible to provide the notice 
                        described in that subparagraph before the 
                        filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Commission at the same time as 
                        the attorney general files the action.
    (b) Intervention.--
            (1) In general.--On receiving notice under subsection 
        (a)(2), the Commission shall have the right to intervene in the 
        action that is the subject of the notice.
            (2) Effect of intervention.--If the Commission intervenes 
        in an action under subsection (a), it shall have the right--
                    (A) to be heard with respect to any matter that 
                arises in that action; and
                    (B) to file a petition for appeal.
    (c) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this subtitle shall be construed to prevent 
an attorney general of a State from exercising the powers conferred on 
the attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (d) Actions by the Commission.--In any case in which an action is 
instituted by or on behalf of the Commission for violation of section 2 
of this Act, no State may, during the pendency of that action, 
institute an action under subsection (a) against any defendant named in 
the complaint in that action for violation of that section.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 8. DEFINITIONS.

    In this Act:
            (1) Advertisement.--The term ``advertisement'' means a 
        commercial promotion for a product or service, but does not 
        include promotions for products or services that appear on 
        computer software help or support pages that are displayed in 
        response to a request by the user.
            (2) Advertising feature.--The term ``advertising feature'' 
        means a function of computer software that, when installed on a 
        computer, delivers advertisements to the user of that computer.
            (3) Affirmative consent.--The term ``affirmative consent'' 
        means consent expressed through action by the user of a 
        computer other than default action specified by the 
        installation sequence and independent from any other consent 
        solicited from the user during the installation process.
            (4) Clear description.--The term ``clear description'' 
        means a description that is clear, conspicuous, concise, and in 
        a font size that is at least as large as the largest default 
        font displayed to the user by the software.
            (5) Computer software.--The term ``computer software''--
                    (A) means any program designed to cause a computer 
                to perform a desired function or functions; and
                    (B) does not include any cookie.
            (6) Cookie.--The term ``cookie'' means a text file--
                    (A) that is placed on a computer by an Internet 
                service provider, interactive computer service, or 
                Internet website; and
                    (B) the sole function of which is to record 
                information that can be read or recognized by an 
                Internet service provider, interactive computer 
                service, or Internet website when the user of the 
                computer uses or accesses such provider, service, or 
                website.
            (7) Distributed computing feature.--The term ``distributed 
        computing feature'' means a function of computer software that, 
        when installed on a computer, transmits information or 
        messages, other than personal or network information about the 
        user of the computer, to any other computer without the 
        knowledge or direction of the user and for purposes unrelated 
        to the tasks or functions the user intentionally performs using 
        the computer.
            (8) First retail sale.--The term ``first retail sale'' 
        means the first sale of a computer, for a purpose other than 
        resale, after the manufacture, production, or importation of 
        the computer. For purposes of this paragraph, the lease of a 
        computer shall be considered a sale of the computer at retail.
            (9) Information collection feature.--The term ``information 
        collection feature'' means a function of computer software 
        that, when installed on a computer, collects personal or 
        network information about the user of the computer and 
        transmits such information to any other party on an automatic 
        basis or at the direction of a party other than the user of the 
        computer.
            (10) Install.--The term ``install'' means--
                    (A) to write computer software to a computer's 
                persistent storage medium, such as the computer's hard 
                disk, in such a way that the computer software is 
                retained on the computer after the computer is turned 
                off and subsequently restarted; or
                    (B) to write computer software to a computer's 
                temporary memory, such as random access memory, in such 
                a way that the software is retained and continues to 
                operate after the user of the computer turns off or 
                exits the Internet service, interactive computer 
                service, or Internet website from which the computer 
                software was obtained.
            (11) Network Information.--The term ``network information'' 
        means--
                    (A) an Internet protocol address or domain name of 
                a user's computer; or
                    (B) a Uniform Resource Locator or other information 
                that identifies Internet web sites or other online 
                resources accessed by a user of a computer.
            (12) Personal information.--The term ``personal 
        information'' means--
                    (A) a first and last name, whether given at birth 
                or adoption, assumed, or legally changed;
                    (B) a home or other physical address including 
                street name, name of a city or town, and zip code;
                    (C) an electronic mail address or online username;
                    (D) a telephone number;
                    (E) a social security number;
                    (F) any personal identification number;
                    (G) a credit card number, any access code 
                associated with the credit card, or both;
                    (H) a birth date, birth certificate number, or 
                place of birth; or
                    (I) any password or access code.
            (13) Person.--The term ``person'' has the meaning given 
        that term in section 3(32) of the Communications Act of 1934 
        (47 U.S.C. 153(32)).
            (14) Protected computer.--The term ``protected computer'' 
        has the meaning given that term in section 1030(e)(2)(B) of 
        title 18, United States Code.
            (15) Settings modification feature.--The term ``settings 
        modification feature'' means a function of computer software 
        that, when installed on a computer--
                    (A) modifies an existing user setting, without 
                direction from the user of the computer, with respect 
                to another computer software application previously 
                installed on that computer; or
                    (B) enables a user setting with respect to another 
                computer software application previously installed on 
                that computer to be modified in the future without 
                advance notification to and consent from the user of 
                the computer.
            (16) User of a computer.--The term ``user of a computer'' 
        means a computer's lawful owner or an individual who operates a 
        computer with the authorization of the computer's lawful owner.

SEC. 9. EFFECTIVE DATE.

    This Act shall take effect 180 days after the date of enactment of 
this Act.
                                 <all>