[Congressional Bills 108th Congress]
[From the U.S. Government Publishing Office]
[S. 2145 Reported in Senate (RS)]






                                                       Calendar No. 811
108th CONGRESS
  2d Session
                                S. 2145

  To regulate the unauthorized installation of computer software, to 
require clear disclosure to computer users of certain computer software 
    features that may pose a threat to user privacy, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           February 27, 2004

   Mr. Burns (for himself, Mr. Wyden, Mrs. Boxer, and Mrs. Clinton) 
introduced the following bill; which was read twice and referred to the 
           Committee on Commerce, Science, and Transportation

                           November 19, 2004

               Reported by Mr. McCain, with an amendment
 [Strike all after the enacting clause and insert the part printed in 
                                italic]

_______________________________________________________________________

                                 A BILL


 
  To regulate the unauthorized installation of computer software, to 
require clear disclosure to computer users of certain computer software 
    features that may pose a threat to user privacy, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Software Principles 
Yielding Better Levels of Consumer Knowledge Act'' or the ``SPY BLOCK 
Act''.</DELETED>

<DELETED>SEC. 2. UNAUTHORIZED INSTALLATION OF COMPUTER 
              SOFTWARE.</DELETED>

<DELETED>    (a) Notice, Choice, and Uninstall Procedures.--It is 
unlawful for any person who is not the user of a protected computer to 
install computer software on that computer, or to authorize, permit, or 
cause the installation of computer software on that computer, unless--
</DELETED>
        <DELETED>    (1) the user of the computer has received notice 
        that satisfies the requirements of section 3;</DELETED>
        <DELETED>    (2) the user of the computer has granted consent 
        that satisfies the requirements of section 3; and</DELETED>
        <DELETED>    (3) the computer software's uninstall procedures 
        satisfy the requirements of section 3.</DELETED>
<DELETED>    (b) Red Herring Prohibition.--It is unlawful for any 
person who is not the user of a protected computer to install computer 
software on that computer, or to authorize, permit, or cause the 
installation of computer software on that computer, if the design or 
operation of the computer software is intended, or may reasonably be 
expected, to confuse or mislead the user of the computer concerning the 
identity of the person or service responsible for the functions 
performed or content displayed by such computer software.</DELETED>

<DELETED>SEC. 3. NOTICE, CONSENT, AND UNINSTALL REQUIREMENTS.</DELETED>

<DELETED>    (a) Notice.--For purposes of section 2(a)(1), notice to 
the user of a computer shall--</DELETED>
        <DELETED>    (1) include a clear notification, displayed on the 
        screen until the user either grants or denies consent to 
        installation, of the name and general nature of the computer 
        software that will be installed if the user grants consent; 
        and</DELETED>
        <DELETED>    (2) include a separate disclosure, with respect to 
        each information collection, advertising, distributed 
        computing, and settings modification feature contained in the 
        computer software, that--</DELETED>
                <DELETED>    (A) remains displayed on the screen until 
                the user either grants or denies consent to that 
                feature;</DELETED>
                <DELETED>    (B) in the case of an information 
                collection feature, provides a clear description of--
                </DELETED>
                        <DELETED>    (i) the type of personal or 
                        network information to be collected and 
                        transmitted by the computer software; 
                        and</DELETED>
                        <DELETED>    (ii) the purpose for which the 
                        personal or network information is to be 
                        collected, transmitted, and used;</DELETED>
                <DELETED>    (C) in the case of an advertising feature, 
                provides--</DELETED>
                        <DELETED>    (i) a representative example of 
                        the type of advertisement that may be delivered 
                        by the computer software;</DELETED>
                        <DELETED>    (ii) a clear description of--
                        </DELETED>
                                <DELETED>    (I) the estimated 
                                frequency with which each type of 
                                advertisement may be delivered; 
                                or</DELETED>
                                <DELETED>    (II) the factors on which 
                                the frequency will depend; 
                                and</DELETED>
                        <DELETED>    (iii) a clear description of how 
                        the user can distinguish each type of 
                        advertisement that the computer software 
                        delivers from advertisements generated by other 
                        software, Internet website operators, or 
                        services;</DELETED>
                <DELETED>    (D) in the case of a distributed computing 
                feature, provides a clear description of--</DELETED>
                        <DELETED>    (i) the types of information or 
                        messages the computer software will cause the 
                        computer to transmit;</DELETED>
                        <DELETED>    (ii)(I) the estimated frequency 
                        with which the computer software will cause the 
                        computer to transmit such messages or 
                        information; or</DELETED>
                        <DELETED>    (II) the factors on which the 
                        frequency will depend;</DELETED>
                        <DELETED>    (iii) the estimated volume of such 
                        information or messages, and the likely impact, 
                        if any, on the processing or communications 
                        capacity of the user's computer; and</DELETED>
                        <DELETED>    (iv) the nature, volume, and 
                        likely impact on the computer's processing 
                        capacity of any computational or processing 
                        tasks the computer software will cause the 
                        computer to perform in order to generate the 
                        information or messages the computer software 
                        will cause the computer to transmit;</DELETED>
                <DELETED>    (E) in the case of a settings modification 
                feature, provides a clear description of the nature of 
                the modification, its function, and any collateral 
                effects the modification may produce; and</DELETED>
                <DELETED>    (F) provides a clear description of 
                procedures the user may follow to turn off such feature 
                or uninstall the computer software.</DELETED>
<DELETED>    (b) Consent.--For purposes of section 2(a)(2), consent 
requires--</DELETED>
        <DELETED>    (1) consent by the user of the computer to the 
        installation of the computer software; and</DELETED>
        <DELETED>    (2) separate affirmative consent by the user of 
        the computer to each information collection feature, 
        advertising feature, distributed computing feature, and 
        settings modification feature contained in the computer 
        software.</DELETED>
<DELETED>    (c) Uninstall Procedures.--For purposes of section 
2(a)(3), computer software shall--</DELETED>
        <DELETED>    (1) appear in the ``Add/Remove Programs'' menu or 
        any similar feature, if any, provided by each operating system 
        with which the computer software functions;</DELETED>
        <DELETED>    (2) be capable of being removed completely using 
        the normal procedures provided by each operating system with 
        which the computer software functions for removing computer 
        software; and</DELETED>
        <DELETED>    (3) in the case of computer software with an 
        advertising feature, include an easily identifiable link 
        clearly associated with each advertisement that the software 
        causes to be displayed, such that selection of the link by the 
        user of the computer generates an on-screen window that informs 
        the user about how to turn off the advertising feature or 
        uninstall the computer software.</DELETED>

<DELETED>SEC. 4. UNAUTHORIZED USE OF CERTAIN COMPUTER 
              SOFTWARE.</DELETED>

<DELETED>    It is unlawful for any person who is not the user of a 
protected computer to use an information collection, advertising, 
distributed computing, or settings modification feature of computer 
software installed on that computer, if--</DELETED>
        <DELETED>    (1) the computer software was installed in 
        violation of section 2;</DELETED>
        <DELETED>    (2) the use in question falls outside the scope of 
        what was described to the user of the computer in the notice 
        provided pursuant to section 3(a); or</DELETED>
        <DELETED>    (3) in the case of an information collection 
        feature, the person using the feature fails to establish and 
        maintain reasonable procedures to protect the security and 
        integrity of personal information so collected.</DELETED>

<DELETED>SEC. 5. EXCEPTIONS.</DELETED>

<DELETED>    (a) Preinstalled Software.--A person who installs, or 
authorizes, permits, or causes the installation of, computer software 
on a protected computer before the first retail sale of the computer 
shall be deemed to be in compliance with this Act if the user of the 
computer receives notice that would satisfy section 3(a)(2) and grants 
consent that would satisfy section 3(b)(2) prior to--</DELETED>
        <DELETED>    (1) the initial collection of personal or network 
        information, in the case of any information collection feature 
        contained in the computer software;</DELETED>
        <DELETED>    (2) the initial generation of an advertisement on 
        the computer, in the case of any advertising feature contained 
        in the computer software;</DELETED>
        <DELETED>    (3) the initial transmission of information or 
        messages, in the case of any distributed computing feature 
        contained in the computer software; and</DELETED>
        <DELETED>    (4) the initial modification of user settings, in 
        the case of any settings modification feature.</DELETED>
<DELETED>    (b) Other Exceptions.--Sections 3(a)(2), 3(b)(2), and 4 do 
not apply to any feature of computer software that is reasonably needed 
to--</DELETED>
        <DELETED>    (1) provide capability for general purpose online 
        browsing, electronic mail, or instant messaging, or for any 
        optional function that is directly related to such capability 
        and that the user knowingly chooses to use;</DELETED>
        <DELETED>    (2) determine whether or not the user of the 
        computer is licensed or authorized to use the computer 
        software; and</DELETED>
        <DELETED>    (3) provide technical support for the use of the 
        computer software by the user of the computer.</DELETED>
<DELETED>    (c) Passive Transmission, Hosting, or Link.--For purposes 
of this Act, a person shall not be deemed to have installed computer 
software, or authorized, permitted, or caused the installation of 
computer software, on a computer solely because that person provided--
</DELETED>
        <DELETED>    (1) the Internet connection or other transmission 
        capability through which the software was delivered to the 
        computer for installation;</DELETED>
        <DELETED>    (2) the storage or hosting, at the direction of 
        another person and without selecting the content to be stored 
        or hosted, of the software or of an Internet website through 
        which the software was made available for installation; 
        or</DELETED>
        <DELETED>    (3) a link or reference to an Internet website the 
        content of which was selected and controlled by another person, 
        and through which the computer software was made available for 
        installation.</DELETED>
<DELETED>    (d) Software Resident in Temporary Memory.--In the case of 
an installation of computer software that falls within the meaning of 
section 7(10)(B) but not within the meaning of section 7(10)(A), the 
requirements set forth in subsections (a)(1), (b)(1), and (c) of 
section 3 shall not apply.</DELETED>
<DELETED>    (e) Features Activated by User Options.--In the case of an 
information collection, advertising, distributed computing, or settings 
modification feature that remains inactive or turned off unless the 
user of the computer subsequently selects certain optional settings or 
functions provided by the computer software, the requirements of 
subsections (a)(2) and (b)(2) of section 3 may be satisfied by 
providing the applicable disclosure and obtaining the applicable 
consent at the time the user selects the option that activates the 
feature, rather than at the time of initial installation.</DELETED>

<DELETED>SEC. 6. ADMINISTRATION AND ENFORCEMENT.</DELETED>

<DELETED>    (a) In General.--Except as provided in subsection (b), 
this Act shall be enforced by the Commission as if the violation of 
this Act were an unfair or deceptive act or practice proscribed under 
section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).</DELETED>
<DELETED>    (b) Enforcement by Certain Other Agencies.--Compliance 
with this Act shall be enforced under--</DELETED>
        <DELETED>    (1) section 8 of the Federal Deposit Insurance Act 
        (12 U.S.C. 1818), in the case of--</DELETED>
                <DELETED>    (A) national banks, and Federal branches 
                and Federal agencies of foreign banks, by the Office of 
                the Comptroller of the Currency;</DELETED>
                <DELETED>    (B) member banks of the Federal Reserve 
                System (other than national banks), branches and 
                agencies of foreign banks (other than Federal 
                branches, Federal agencies, and insured State branches 
                of foreign banks), commercial lending companies owned 
                or controlled by foreign banks, and organizations 
                operating under section 25 or 25A of the Federal 
                Reserve Act (12 U.S.C. 601 and 611), by the Board; 
                and</DELETED>
                <DELETED>    (C) banks insured by the Federal Deposit 
                Insurance Corporation (other than members of the 
                Federal Reserve System) and insured State branches of 
                foreign banks, by the Board of Directors of the Federal 
                Deposit Insurance Corporation;</DELETED>
        <DELETED>    (2) section 8 of the Federal Deposit Insurance Act 
        (12 U.S.C. 1818), by the Director of the Office of Thrift 
        Supervision, in the case of a savings association the deposits 
        of which are insured by the Federal Deposit Insurance 
        Corporation;</DELETED>
        <DELETED>    (3) the Federal Credit Union Act (12 U.S.C. 1751 
        et seq.) by the National Credit Union Administration Board with 
        respect to any Federal credit union;</DELETED>
        <DELETED>    (4) part A of subtitle VII of title 49, United 
        States Code, by the Secretary of Transportation with respect to 
        any air carrier or foreign air carrier subject to that 
        part;</DELETED>
        <DELETED>    (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 
        181 et seq.) (except as provided in section 406 of that Act (7 
        U.S.C. 226, 227)), by the Secretary of Agriculture with respect 
        to any activities subject to that Act; and</DELETED>
        <DELETED>    (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et 
        seq.) by the Farm Credit Administration with respect to any 
        Federal land bank, Federal land bank association, Federal 
        intermediate credit bank, or production credit 
        association.</DELETED>
<DELETED>    (c) Exercise of Certain Powers.--For the purpose of the 
exercise by any agency referred to in subsection (b) of its powers 
under any Act referred to in that subsection, a violation of this Act 
is deemed to be a violation of a requirement imposed under that Act. In 
addition to its powers under any provision of law specifically referred 
to in subsection (b), each of the agencies referred to in that 
subsection may exercise, for the purpose of enforcing compliance with 
any requirement imposed under this Act, any other authority conferred 
on it by law.</DELETED>
<DELETED>    (d) Actions by the Commission.--The Commission shall 
prevent any person from violating this Act in the same manner, by the 
same means, and with the same jurisdiction, powers, and duties as 
though all applicable terms and provisions of the Federal Trade 
Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a 
part of this Act. Any entity that violates any provision of that 
section is subject to the penalties and entitled to the privileges and 
immunities provided in the Federal Trade Commission Act in the same 
manner, by the same means, and with the same jurisdiction, power, and 
duties as though all applicable terms and provisions of the Federal 
Trade Commission Act were incorporated into and made a part of that 
section.</DELETED>
<DELETED>    (e) Preservation of Commission Authority.--Nothing 
contained in this section shall be construed to limit the authority of 
the Commission under any other provision of law.</DELETED>

<DELETED>SEC. 7. ACTIONS BY STATES.</DELETED>

<DELETED>    (a) In General.--</DELETED>
        <DELETED>    (1) Civil actions.--In any case in which the 
        attorney general of a State has reason to believe that an 
        interest of the residents of that State has been or is 
        threatened or adversely affected by the engagement of any 
        person in a practice that this Act prohibits, the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of the State in a district court of the United States 
        of appropriate jurisdiction--</DELETED>
                <DELETED>    (A) to enjoin that practice;</DELETED>
                <DELETED>    (B) to enforce compliance with the 
                rule;</DELETED>
                <DELETED>    (C) to obtain damage, restitution, or 
                other compensation on behalf of residents of the State; 
                or</DELETED>
                <DELETED>    (D) to obtain such other relief as the 
                court may consider to be appropriate.</DELETED>
        <DELETED>    (2) Notice.--</DELETED>
                <DELETED>    (A) In general.--Before filing an action 
                under paragraph (1), the attorney general of the State 
                involved shall provide to the Commission--</DELETED>
                        <DELETED>    (i) written notice of that action; 
                        and</DELETED>
                        <DELETED>    (ii) a copy of the complaint for 
                        that action.</DELETED>
                <DELETED>    (B) Exemption.--</DELETED>
                        <DELETED>    (i) In general.--Subparagraph (A) 
                        shall not apply with respect to the filing of 
                        an action by an attorney general of a State 
                        under this subsection, if the attorney general 
                        determines that it is not feasible to provide 
                        the notice described in that subparagraph 
                        before the filing of the action.</DELETED>
                        <DELETED>    (ii) Notification.--In an action 
                        described in clause (i), the attorney general 
                        of a State shall provide notice and a copy of 
                        the complaint to the Commission at the same 
                        time as the attorney general files the 
                        action.</DELETED>
<DELETED>    (b) Intervention.--</DELETED>
        <DELETED>    (1) In general.--On receiving notice under 
        subsection (a)(2), the Commission shall have the right to 
        intervene in the action that is the subject of the 
        notice.</DELETED>
        <DELETED>    (2) Effect of intervention.--If the Commission 
        intervenes in an action under subsection (a), it shall have the 
        right--</DELETED>
                <DELETED>    (A) to be heard with respect to any matter 
                that arises in that action; and</DELETED>
                <DELETED>    (B) to file a petition for 
                appeal.</DELETED>
<DELETED>    (c) Construction.--For purposes of bringing any civil 
action under subsection (a), nothing in this subtitle shall be 
construed to prevent an attorney general of a State from exercising the 
powers conferred on the attorney general by the laws of that State to--
</DELETED>
        <DELETED>    (1) conduct investigations;</DELETED>
        <DELETED>    (2) administer oaths or affirmations; or</DELETED>
        <DELETED>    (3) compel the attendance of witnesses or the 
        production of documentary and other evidence.</DELETED>
<DELETED>    (d) Actions by the Commission.--In any case in which an 
action is instituted by or on behalf of the Commission for violation of 
section 2 of this Act, no State may, during the pendency of that 
action, institute an action under subsection (a) against any defendant 
named in the complaint in that action for violation of that 
section.</DELETED>
<DELETED>    (e) Venue; Service of Process.--</DELETED>
        <DELETED>    (1) Venue.--Any action brought under subsection 
        (a) may be brought in the district court of the United States 
        that meets applicable requirements relating to venue under 
        section 1391 of title 28, United States Code.</DELETED>
        <DELETED>    (2) Service of process.--In an action brought 
        under subsection (a), process may be served in any district in 
        which the defendant--</DELETED>
                <DELETED>    (A) is an inhabitant; or</DELETED>
                <DELETED>    (B) may be found.</DELETED>

<DELETED>SEC. 8. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Advertisement.--The term ``advertisement'' 
        means a commercial promotion for a product or service, but does 
        not include promotions for products or services that appear on 
        computer software help or support pages that are displayed in 
        response to a request by the user.</DELETED>
        <DELETED>    (2) Advertising feature.--The term ``advertising 
        feature'' means a function of computer software that, when 
        installed on a computer, delivers advertisements to the user of 
        that computer.</DELETED>
        <DELETED>    (3) Affirmative consent.--The term ``affirmative 
        consent'' means consent expressed through action by the user of 
        a computer other than default action specified by the 
        installation sequence and independent from any other consent 
        solicited from the user during the installation 
        process.</DELETED>
        <DELETED>    (4) Clear description.--The term ``clear 
        description'' means a description that is clear, conspicuous, 
        concise, and in a font size that is at least as large as the 
        largest default font displayed to the user by the 
        software.</DELETED>
        <DELETED>    (5) Computer software.--The term ``computer 
        software''--</DELETED>
                <DELETED>    (A) means any program designed to cause a 
                computer to perform a desired function or functions; 
                and</DELETED>
                <DELETED>    (B) does not include any cookie.</DELETED>
        <DELETED>    (6) Cookie.--The term ``cookie'' means a text 
        file--</DELETED>
                <DELETED>    (A) that is placed on a computer by an 
                Internet service provider, interactive computer 
                service, or Internet website; and</DELETED>
                <DELETED>    (B) the sole function of which is to 
                record information that can be read or recognized by an 
                Internet service provider, interactive computer 
                service, or Internet website when the user of the 
                computer uses or accesses such provider, service, or 
                website.</DELETED>
        <DELETED>    (7) Distributed computing feature.--The term 
        ``distributed computing feature'' means a function of computer 
        software that, when installed on a computer, transmits 
        information or messages, other than personal or network 
        information about the user of the computer, to any other 
        computer without the knowledge or direction of the user and for 
        purposes unrelated to the tasks or functions the user 
        intentionally performs using the computer.</DELETED>
        <DELETED>    (8) First retail sale.--The term ``first retail 
        sale'' means the first sale of a computer, for a purpose other 
        than resale, after the manufacture, production, or importation 
        of the computer. For purposes of this paragraph, the lease of a 
        computer shall be considered a sale of the computer at 
        retail.</DELETED>
        <DELETED>    (9) Information collection feature.--The term 
        ``information collection feature'' means a function of computer 
        software that, when installed on a computer, collects personal 
        or network information about the user of the computer and 
        transmits such information to any other party on an automatic 
        basis or at the direction of a party other than the user of the 
        computer.</DELETED>
        <DELETED>    (10) Install.--The term ``install'' means--
        </DELETED>
                <DELETED>    (A) to write computer software to a 
                computer's persistent storage medium, such as the 
                computer's hard disk, in such a way that the computer 
                software is retained on the computer after the computer 
                is turned off and subsequently restarted; or</DELETED>
                <DELETED>    (B) to write computer software to a 
                computer's temporary memory, such as random access 
                memory, in such a way that the software is retained and 
                continues to operate after the user of the computer 
                turns off or exits the Internet service, interactive 
                computer service, or Internet website from which the 
                computer software was obtained.</DELETED>
        <DELETED>    (11) Network Information.--The term ``network 
        information'' means--</DELETED>
                <DELETED>    (A) an Internet protocol address or domain 
                name of a user's computer; or</DELETED>
                <DELETED>    (B) a Uniform Resource Locator or other 
                information that identifies Internet web sites or other 
                online resources accessed by a user of a 
                computer.</DELETED>
        <DELETED>    (12) Personal information.--The term ``personal 
        information'' means--</DELETED>
                <DELETED>    (A) a first and last name, whether given 
                at birth or adoption, assumed, or legally 
                changed;</DELETED>
                <DELETED>    (B) a home or other physical address 
                including street name, name of a city or town, and zip 
                code;</DELETED>
                <DELETED>    (C) an electronic mail address or online 
                username;</DELETED>
                <DELETED>    (D) a telephone number;</DELETED>
                <DELETED>    (E) a social security number;</DELETED>
                <DELETED>    (F) any personal identification 
                number;</DELETED>
                <DELETED>    (G) a credit card number, any access code 
                associated with the credit card, or both;</DELETED>
                <DELETED>    (H) a birth date, birth certificate 
                number, or place of birth; or</DELETED>
                <DELETED>    (I) any password or access code.</DELETED>
        <DELETED>    (13) Person.--The term ``person'' has the meaning 
        given that term in section 3(32) of the Communications Act of 
        1934 (47 U.S.C. 153(32)).</DELETED>
        <DELETED>    (14) Protected computer.--The term ``protected 
        computer'' has the meaning given that term in section 
        1030(e)(2)(B) of title 18, United States Code.</DELETED>
        <DELETED>    (15) Settings modification feature.--The term 
        ``settings modification feature'' means a function of computer 
        software that, when installed on a computer--</DELETED>
                <DELETED>    (A) modifies an existing user setting, 
                without direction from the user of the computer, with 
                respect to another computer software application 
                previously installed on that computer; or</DELETED>
                <DELETED>    (B) enables a user setting with respect to 
                another computer software application previously 
                installed on that computer to be modified in the future 
                without advance notification to and consent from the 
                user of the computer.</DELETED>
        <DELETED>    (16) User of a computer.--The term ``user of a 
        computer'' means a computer's lawful owner or an individual who 
        operates a computer with the authorization of the computer's 
        lawful owner.</DELETED>

<DELETED>SEC. 9. EFFECTIVE DATE.</DELETED>

<DELETED>    This Act shall take effect 180 days after the date of 
enactment of this Act.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Software Principles Yielding Better 
Levels of Consumer Knowledge Act'' or the ``SPY BLOCK Act''.

SEC. 2. PROHIBITED PRACTICES IN RELATION TO SOFTWARE INSTALLATION IN 
              GENERAL.

    (a) Surreptitious Installation.--
            (1) In general.--It shall be unlawful for a person who is 
        not an authorized user of a protected computer to cause the 
        installation of software on the computer in a manner designed 
        to--
                    (A) conceal from the user of the computer the fact 
                that the software is being installed; or
                    (B) prevent the user of the computer from having an 
                opportunity to knowingly grant or withhold consent to 
                the installation.
            (2) Exception.--This subsection shall not apply to--
                    (A) the installation of software that falls within 
                the scope of a previous grant of authorization by an 
                authorized user;
                    (B) the installation of an upgrade to a software 
                program that has already been installed on the computer 
                with the authorization of an authorized user; or
                    (C) the installation of software before the first 
                retail sale of the computer.
    (b) Misleading Inducements To Install.--It shall be unlawful for a 
person who is not an authorized user of a protected computer to induce 
an authorized user of the computer to consent to the installation of 
software on the computer by means of a materially false or misleading 
representation concerning--
            (1) the identity of an operator of an Internet website or 
        online service at which the software is made available for 
        download from the Internet;
            (2) the identity of the author or publisher of the 
        software;
            (3) the nature or function of the software; or
            (4) the consequences of not installing the software.
    (c) Preventing Reasonable Efforts To Uninstall.--
            (1) In general.--It shall be unlawful for a person who is 
        not an authorized user of a protected computer to authorize or 
        cause the installation of software on the computer if the 
        software is designed to prevent reasonable efforts by an 
        authorized user of the computer to uninstall or disable the 
        software once it has been installed.
            (2) Limitations.--
                    (A) Authority to uninstall.--Software that enables 
                1 authorized user of a computer, such as a parent or 
                system administrator, to choose to prevent another user 
                of the same computer from uninstalling or disabling the 
                software shall not be considered to prevent reasonable 
                efforts to uninstall or disable the software within the 
                meaning of this subsection, provided that at least 1 
                authorized user retains the ability to uninstall or 
                disable the software.
                    (B) Construction.--This subsection shall not be 
                construed to require individual features or functions 
                of a software program, updates to a previously 
                installed software program, or software programs that 
                were installed on a bundled basis to be capable of 
                being uninstalled or disabled on an individual basis.

SEC. 3. INSTALLING SURREPTITIOUS INFORMATION COLLECTION FEATURES ON A 
              USER'S COMPUTER.

    (a) In General.--It shall be unlawful for a person who is not an 
authorized user of a protected computer to authorize or cause the 
installation on that computer of software that collects information 
about the user of the computer or about the user's Internet browsing 
behavior or other use of the computer and transmits such information to 
any other person on an automatic basis or at the direction of a person 
other than an authorized user of the computer, if--
            (1) the software's collection and transmission of such 
        information is not functionally related to or in support of a 
        software capability or function that an authorized user of the 
        computer has chosen or consented to execute or enable; and
            (2) either--
                    (A) there has been no notification to an authorized 
                user of the computer, prior to the software beginning 
                to collect and transmit such information, explaining 
                the type of information the software will collect and 
                transmit and the types of ways the information may be 
                used and distributed;
                    (B) notification pursuant to subparagraph (A) was 
                not provided in a manner reasonably calculated to 
                provide actual notice to an authorized user of the 
                computer; or
                    (C) notification pursuant to subparagraph (A) 
                occurred at a time or in a manner that did not enable 
                an authorized user of the computer to consider the 
                information contained in the notification before 
                choosing whether to permit the collection or 
                transmission of information.
    (b) Authorization Status.--This section shall not be interpreted to 
prohibit a person from authorizing or causing the installation of 
software that collects and transmits information that is reasonably 
needed to determine whether or not the user of a protected computer is 
licensed or authorized to use the software.
    (c) Intentional Transmission of Information by User.--Information 
shall not be construed to have been collected and transmitted on an 
automatic basis or at the direction of a person other than a user of 
the protected computer, within the meaning of this section, if the 
collection or transmission of the information is intentionally 
initiated by an authorized user for the purpose of allowing the direct 
or indirect access to the information by an intended recipient.

SEC. 4. ADWARE THAT CONCEALS ITS OPERATION.

    It shall be unlawful for a person who is not an authorized user of 
a protected computer to authorize or cause the installation on that 
computer of software if--
            (1) the software causes advertisements to be displayed to 
        the user--
                    (A) at a time when the user is not accessing an 
                Internet website or online service operated by the 
                publisher of the software; and
                    (B) in a manner or at a time such that a reasonable 
                user would not understand that the software is 
                responsible for delivering the advertisements; and
            (2) the advertisements referred to in paragraph (1) do not 
        contain a label or other reasonable means of identifying to the 
        user of the computer, each time such an advertisement is 
        displayed, which software is responsible for the 
        advertisements' delivery.

SEC. 5. OTHER PRACTICES THAT THWART USER CONTROL OF COMPUTER.

    It shall be unlawful for a person who is not an authorized user of 
a protected computer to knowingly and without authorization of an 
authorized user of the computer--
            (1) utilize the computer to send unsolicited information or 
        material from the user's computer to other computers;
            (2) divert an authorized user's Internet browser away from 
        the Internet website the user intended to view to 1 or more 
        other websites, unless such diversion has been authorized by 
        the website the user intended to view;
            (3) display an advertisement, series of advertisements, or 
        other content on the computer through windows in an Internet 
        browser, in such a manner that the user of the computer cannot 
        end the display of such advertisements or content without 
        turning off the computer or terminating all sessions of the 
        Internet browser, provided that this paragraph shall not apply 
        to the display of content related to the functionality or 
        identity of the Internet browser;
            (4) covertly modify settings relating to the use of the 
        computer or to the computer's access to or use of the Internet, 
        including--
                    (A) altering the default Web page that initially 
                appears when a user of the computer launches an 
                Internet browser;
                    (B) altering the default provider or Web proxy used 
                to access or search the Internet;
                    (C) altering bookmarks used to store favorite 
                Internet website addresses; or
                    (D) altering settings relating to security measures 
                that protect the computer and the information stored on 
                the computer against unauthorized access or use;
        provided that this paragraph shall not apply to any 
        modification that restores settings previously changed without 
        user consent;
            (5) use software installed in violation of section 3 to 
        collect information about the user or the user's Internet 
        browsing behavior; or
            (6) remove, disable, or render inoperative a security or 
        privacy protection technology installed on the computer.

SEC. 6. LIMITATIONS ON LIABILITY.

    (a) Passive Transmission, Hosting, or Linking.--A person shall not 
be deemed to have violated any provision of this Act solely because the 
person provided--
            (1) the Internet connection, telephone connection, or other 
        transmission or routing function through which software was 
        delivered to a protected computer for installation;
            (2) the storage or hosting of software or of an Internet 
        website through which software was made available for 
        installation to a protected computer; or
            (3) an information location tool, such as a directory, 
        index, reference, pointer, or hypertext link, through which a 
        user of a protected computer located software available for 
        installation.
    (b) Network Security.--A provider of a network or online service 
that an authorized user of a protected computer uses or subscribes to 
shall not be deemed to have violated section 3 or 5 for any monitoring 
of, interaction with, or installation of software for the purposes of--
            (1) protecting the security of the network, service, or 
        computer;
            (2) facilitating diagnostics, technical support, 
        maintenance, network management, or repair; or
            (3) preventing or detecting unauthorized, fraudulent, or 
        otherwise unlawful uses of the network or service.

SEC. 7. ADMINISTRATION AND ENFORCEMENT.

    (a) In General.--Except as provided in subsection (b), this Act 
shall be enforced by the Commission as if the violation of this Act 
were an unfair or deceptive act or practice proscribed under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).
    (b) Enforcement by Certain Other Agencies.--Compliance with this 
Act shall be enforced under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks, by the Office of the 
                Comptroller of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, and organizations operating under 
                section 25 or 25A of the Federal Reserve Act (12 U.S.C. 
                601 and 611), by the Board; and
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System) and insured State branches of foreign banks, by 
                the Board of Directors of the Federal Deposit Insurance 
                Corporation;
            (2) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), by the Director of the Office of Thrift 
        Supervision, in the case of a savings association the deposits 
        of which are insured by the Federal Deposit Insurance 
        Corporation;
            (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
        by the National Credit Union Administration Board with respect 
        to any Federal credit union;
            (4) part A of subtitle VII of title 49, United States Code, 
        by the Secretary of Transportation with respect to any air 
        carrier or foreign air carrier subject to that part;
            (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et 
        seq.) (except as provided in section 406 of that Act (7 U.S.C. 
        226, 227)), by the Secretary of Agriculture with respect to any 
        activities subject to that Act; and
            (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by 
        the Farm Credit Administration with respect to any Federal land 
        bank, Federal land bank association, Federal intermediate 
        credit bank, or production credit association.
    (c) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (b) of its powers under any Act 
referred to in that subsection, a violation of this Act is deemed to be 
a violation of a requirement imposed under that Act. In addition to its 
powers under any provision of law specifically referred to in 
subsection (b), each of the agencies referred to in that subsection may 
exercise, for the purpose of enforcing compliance with any requirement 
imposed under this Act, any other authority conferred on it by law.
    (d) Actions by the Commission.--The Commission shall prevent any 
person from violating this Act in the same manner, by the same means, 
and with the same jurisdiction, powers, and duties as though all 
applicable terms and provisions of the Federal Trade Commission Act (15 
U.S.C. 41 et seq.) were incorporated into and made a part of this Act. 
Any entity that violates any provision of that section is subject to 
the penalties and entitled to the privileges and immunities provided in 
the Federal Trade Commission Act in the same manner, by the same means, 
and with the same jurisdiction, power, and duties as though all 
applicable terms and provisions of the Federal Trade Commission Act 
were incorporated into and made a part of that section.

SEC. 8. ACTIONS BY STATES.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that this Act prohibits, the State, as parens patriae, 
        may bring a civil action on behalf of the residents of the 
        State in a district court of the United States of appropriate 
        jurisdiction--
                    (A) to enjoin that practice;
                    (B) to enforce compliance with the rule;
                    (C) to obtain damage, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) to obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Commission--
                            (i) written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the attorney general determines 
                        that it is not feasible to provide the notice 
                        described in that subparagraph before the 
                        filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Commission at the same time as 
                        the attorney general files the action.
    (b) Intervention.--
            (1) In general.--On receiving notice under subsection 
        (a)(2), the Commission shall have the right to intervene in the 
        action that is the subject of the notice.
            (2) Effect of intervention.--If the Commission intervenes 
        in an action under subsection (a), it shall have the right--
                    (A) to be heard with respect to any matter that 
                arises in that action; and
                    (B) to file a petition for appeal.
    (c) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this subtitle shall be construed to prevent 
an attorney general of a State from exercising the powers conferred on 
the attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (d) Actions by the Commission.--In any case in which an action is 
instituted by or on behalf of the Commission for violation of section 
2, no State may, during the pendency of that action, institute an 
action under subsection (a) against any defendant named in the 
complaint in that action for violation of that section.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 9. EFFECT ON OTHER LAWS.

    (a) Federal Law.--Nothing in this Act shall be construed to limit 
or affect in any way the Commission's authority to bring enforcement 
actions or take any other measures under the Federal Trade Commission 
Act or any other provision of law.
    (b) State Law.--
            (1) State law concerning information collection software or 
        adware.--This Act supersedes any statute, regulation, or rule 
        of a State or political subdivision of a State that expressly 
        limits or restricts the installation or use of software on a 
        protected computer to--
                    (A) collect information about the user of the 
                computer or the user's Internet browsing behavior or 
                other use of the computer; or
                    (B) cause advertisements to be delivered to the 
                user of the computer,
        except to the extent that any such statute, regulation, or rule 
        prohibits deception in connection with the installation or use 
        of such software.
            (2) State law not specific to software.--This Act shall not 
        be construed to preempt the applicability of State trespass, 
        contract, tort, or anti-fraud law.

SEC. 10. PENALTIES FOR CERTAIN UNAUTHORIZED ACTIVITIES RELATING TO 
              COMPUTERS.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by inserting after section 1030 the following:
``Sec. 1030A. Illicit indirect use of protected computers
    ``(a) Whoever intentionally accesses a protected computer without 
authorization, or exceeds authorized access to a protected computer, by 
causing a computer program or code to be copied onto the protected 
computer, and intentionally uses that program or code in furtherance of 
another Federal criminal offense shall be fined under this title or 
imprisoned 5 years, or both.
    ``(b) Whoever intentionally accesses a protected computer without 
authorization, or exceeds authorized access to a protected computer, by 
causing a computer program or code to be copied onto the protected 
computer, and by means of that program or code intentionally impairs 
the security protection of the protected computer shall be fined under 
this title or imprisoned not more than 2 years, or both.
    ``(c) A person shall not violate this section who solely provides--
            ``(1) an Internet connection, telephone connection, or 
        other transmission or routing function through which software 
        is delivered to a protected computer for installation;
            ``(2) the storage or hosting of software, or of an Internet 
        website, through which software is made available for 
        installation to a protected computer; or
            ``(3) an information location tool, such as a directory, 
        index, reference, pointer, or hypertext link, through which a 
        user of a protected computer locates software available for 
        installation.
    ``(d) A provider of a network or online service that an authorized 
user of a protected computer uses or subscribes to shall not violate 
this section by any monitoring of, interaction with, or installation of 
software for the purpose of--
            ``(1) protecting the security of the network, service, or 
        computer;
            ``(2) facilitating diagnostics, technical support, 
        maintenance, network management, or repair; or
            ``(3) preventing or detecting unauthorized, fraudulent, or 
        otherwise unlawful uses of the network or service.
    ``(e) No person may bring a civil action under the law of any State 
if such action is premised in whole or in part upon the defendant's 
violating this section. For the purposes of this subsection, the term 
`State' includes the District of Columbia, Puerto Rico, and any other 
territory or possession of the United States.''.
    (b) Conforming Amendment.--The table of sections at the beginning 
of chapter 47 of title 18, United States Code, is amended by inserting 
after the item relating to section 1030 the following new item:

``1030A. Illicit indirect use of protected computers''

SEC. 11. DEFINITIONS.

    In this Act:
            (1) Authorized user.--The term ``authorized user'', when 
        used with respect to a computer, means the owner or lessee of a 
        computer, or someone using or accessing a computer with the 
        actual or apparent authorization of the owner or lessee.
            (2) Cause the installation.--The term ``cause the 
        installation'' when used with respect to particular software, 
        means to knowingly provide the technical means by which the 
        software is installed, or to knowingly pay or provide other 
        consideration to, or induce, another person to do so.
            (3) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (4) Cookie.--The term ``cookie'' means a text file--
                    (A) that is placed on a computer by an Internet 
                service provider, interactive computer service, or 
                Internet website; and
                    (B) the sole function of which is to record 
                information that can be read or recognized when the 
                user of the computer subsequently accesses particular 
                websites or online locations or services.
            (5) First retail sale.--The term ``first retail sale'' 
        means the first sale of a computer, for a purpose other than 
        resale, after the manufacture, production, or importation of 
        the computer. For purposes of this paragraph, the lease of a 
        computer shall be considered a sale of the computer at retail.
            (6) Install.--The term ``install'' means--
                    (A) to write computer software to a computer's 
                persistent storage medium, such as the computer's hard 
                disk, in such a way that the computer software is 
                retained on the computer after the computer is turned 
                off and subsequently restarted; or
                    (B) to write computer software to a computer's 
                temporary memory, such as random access memory, in such 
                a way that the software is retained and continues to 
                operate after the user of the computer turns off or 
                exits the Internet service, interactive computer 
                service, or Internet website from which the computer 
                software was obtained.
            (7) Person.--The term ``person'' has the meaning given that 
        term in section 3(32) of the Communications Act of 1934 (47 
        U.S.C. 153(32)).
            (8) Protected computer.--The term ``protected computer'' 
        has the meaning given that term in section 1030(e)(2)(B) of 
        title 18, United States Code.
            (9) Software.--The term ``software'' means any program 
        designed to cause a computer to perform a desired function or 
        functions. Such term does not include any cookie.
            (10) Upgrade.--The term ``upgrade'', when used with respect 
        to a previously installed software program, means additional 
        software that is issued by the publisher or any successor to 
        the publisher of the software program to improve, correct, 
        repair, enhance, supplement, or otherwise modify the software 
        program.

SEC. 12. EFFECTIVE DATE.

    This Act shall take effect 180 days after the date of enactment of 
this Act.
_______________________________________________________________________

                           November 19, 2004

                       Reported with an amendment