[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 1004 Introduced in Senate (IS)]







109th CONGRESS
  1st Session
                                S. 1004

To provide the Federal Trade Commission with the resources necessary to 
 protect users of the Internet from the unfair and deceptive acts and 
       practices associated with spyware, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 11, 2005

   Mr. Allen (for himself, Mr. Smith, and Mr. Ensign) introduced the 
 following bill; which was read twice and referred to the Committee on 
                 Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
To provide the Federal Trade Commission with the resources necessary to 
 protect users of the Internet from the unfair and deceptive acts and 
       practices associated with spyware, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Enhanced Consumer Protection Against 
Spyware Act of 2005''.

SEC. 2. CONGRESSIONAL FINDINGS.

    Congress finds the following:
            (1) Software commonly known as ``spyware'' can cause 
        significant harm to consumers by, among other things, 
        deceptively or unfairly causing a computer to malfunction, slow 
        down, lose data, cease working properly, or share personal 
        information without a consumer's knowledge.
            (2) The unfair and deceptive practices associated with the 
        distribution of spyware threaten the confidence of millions of 
        Americans who use the Internet as a valuable medium for 
        commerce and communications.
            (3) The Federal Trade Commission's legal actions have 
        clearly established the Commission's authority to combat unfair 
        or deceptive acts or practices involving the Internet and 
        consumers' computers.
            (4) According to the Commission's statements to Congress, 
        the vast majority of unfair or deceptive acts or practices 
        involving spyware, such as deceptively asserting control over a 
        consumer's computer and capturing keystroke information, are 
        already unlawful under the Federal Trade Commission Act.
            (5) The Commission has already taken legal action against 
        spyware purveyors. For example, in FTC v. Seismic 
        Entertainment, the Commission requested that a district court 
        of the United States shut down a spyware operation that hijacks 
        personal computers, secretly changes computer settings, 
        barrages them with pop-up ads, and installs software programs 
        that ``spy'' on consumers' web surfing.
            (6) Because the fraudulent, deceptive, or unfair 
        installation of spyware is already a violation of Federal law, 
        Congress must focus on providing adequate resources to combat 
        spyware. For example, because a large percentage of the 
        purveyors of spyware are located outside of the United States, 
        legislation that increases the Commission's authority to combat 
        deceptive or unfair acts or practices that occur overseas would 
        promote enforcement actions against spyware purveyors.
            (7) Because spyware affects interstate commerce and over 20 
        States are considering legislation on spyware and 2 States have 
        already enacted laws on spyware, Congress must establish a 
        Federal regulatory and enforcement standard to protect against 
        the growing patchwork of State laws that unnecessarily confuses 
        and burdens consumers and legitimate software providers.

SEC. 3. SENSE OF CONGRESS.

    On the basis of the findings in section 2, it is the sense of the 
Congress that--
            (1) combating spyware should be established as a matter of 
        high priority for Federal Trade Commission action; and
            (2) the resources and tools available to the Commission 
        should be enhanced and expanded to increase the breadth and 
        strength of the Commission's spyware enforcement efforts.

SEC. 4. DEFINITIONS.

    As used in this Act:
            (1) Cable operator.--The term ``cable operator'' has the 
        meaning given such term in section 602 of the Communications 
        Act of 1934 (47 U.S.C. 522).
            (2) Computer; protected computer.--The terms ``computer'' 
        or ``protected computer'' have the meanings given such terms in 
        section 1030(e) of the title 18, United States Code.
            (3) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (4) Information service.--The term ``information service'' 
        has the meaning given such term in section 3 of the 
        Communications Act of 1934 (47 U.S.C. 153).
            (5) Interactive computer service.--The term ``interactive 
        computer service'' has the meaning given such term in section 
        230(f) of the Communications Act of 1934 (47 U.S.C. 230(f)).
            (6) Owner or authorized user.--The term ``owner or 
        authorized user'' means--
                    (A) a natural person who owns a computer for 
                commercial, family, household, or educational purposes; 
                or
                    (B) an individual who operates a computer with the 
                authorization of a natural person who owns the computer 
                for commercial, personal, family, household, or 
                educational purposes.
            (7) Telecommunications carrier.--The term 
        ``telecommunications carrier'' has the meaning given such term 
        in section 3 of the Communications Act of 1934 (47 U.S.C. 153).

SEC. 5. FEDERAL TRADE COMMISSION AUTHORITY TO COMBAT DECEPTIVE ACTS OR 
              PRACTICES RELATING TO SPYWARE.

    (a) Restatement of Authority.--
            (1) Violation.--It is a violation of section 18 of the 
        Federal Trade Commission Act (15 U.S.C. 57a) to install through 
        deceptive acts or practices software on protected computers.
            (2) Enforcement.--Any violation of this Act or of any rules 
        implementing this Act, shall be enforced by the Commission as 
        if it were an unfair or deceptive act or practice proscribed 
        under section 18(a)(1)(B) of the Federal Trade Commission Act 
        (15 U.S.C. 57a(a)(1)(B)).
    (b) Increased Fines.--For any violation described in subsection 
(a), the Commission may, in its discretion, penalize such deceptive 
acts or practices by tripling the amounts prescribed in the Federal 
Trade Commission Act (15 U.S.C. 41 et seq.).
    (c) Penalty for Pattern or Practice Violations.--
            (1) In general.--Notwithstanding the Federal Trade 
        Commission Act (15 U.S.C. 41 et seq.), in the case of a person 
        who engages in a pattern or practice that violates subsection 
        (a), the Commission may, in its discretion, seek a civil 
        penalty for such pattern or practice of violations in an 
        amount, as determined by the Commission, of not more than 
        $3,000,000 for each violation of subsection (a).
            (2) Treatment of single action or conduct.--For the purpose 
        of enforcing paragraph (1), any single action or conduct that 
        violates subsection (a) with respect to multiple protected 
        computers shall be treated as a single violation.
    (d) Ill-Gotten Gains.--For any violation described in subsection 
(a), the Commission shall have authority to disgorge and seize any ill-
gotten gains procured through such deceptive acts or practices.
    (e) Preemption of State or Local Law.--This section supersedes any 
provision of a statute, regulation, or rule, and any other requirement, 
prohibition or remedy under State law or the law of a political 
subdivision of a State that relates to or affects installation of 
software through deceptive acts or practices or the use of computer 
software installed by means of the Internet.
    (f) Private Right of Action.--
            (1) In general.--This Act may not be considered or 
        construed to provide any private cause of action, including a 
        class action.
            (2) Civil action.--No private civil action relating to any 
        act or practice governed under this Act may be commenced or 
        maintained in any State court or under State law, including a 
        pendent State claim to an action under Federal law.
    (g) Enforcement by State Attorney Generals.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that is prohibited under this section, the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of that State in a Federal district court of the 
        United States of appropriate jurisdiction, or any other court 
        of competent jurisdiction, to--
                    (A) enjoin that practice;
                    (B) enforce compliance with this section;
                    (C) obtain actual damage and restitution on behalf 
                of residents of the State; or
                    (D) obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of a State shall 
                provide to the Commission and the Attorney General--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the attorney general of a State 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Commission and the Attorney 
                        General at the time the attorney general of a 
                        State files the action.
                    (C) Attorney general's right to intervene.--After 
                having been notified, as provided in subparagraph (A), 
                the United States Attorney General shall have the 
                right--
                            (i) to file an action;
                            (ii) to intervene in the action;
                            (iii) upon so intervening, to be heard on 
                        all matters arising in that action;
                            (iv) to remove the action to the 
                        appropriate district court of the United 
                        States; and
                            (v) to file petitions for appeal.
                    (D) Prohibition on state attorney generals if 
                attorney general acts.--If the Attorney General 
                institutes an action under this Act, no attorney 
                general of a State or official or agency of a State may 
                bring an action under this subsection for any violation 
                of subsection (a) alleged in the complaint.
                    (E) Prohibition on state attorney generals if 
                commission acts.--If the Commission institutes an 
                action under this subsection, no attorney general of a 
                State or official or agency of a State may bring an 
                action under this subsection for any violation of this 
                section alleged in the complaint.
    (h) Rule of Construction.--For purposes of bringing any civil 
action under this section, nothing in this Act shall be construed to 
prevent an attorney general of a State from exercising the powers 
conferred on such attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (i) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (g) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (g), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 6. LIMITATIONS ON LIABILITY.

    (a) Law Enforcement Authority.--Section 5 shall not apply to the 
transmission, installation, or execution of a computer program in 
compliance with a law enforcement, investigatory, national security, or 
regulatory agency or department of the United States, or any State in 
response to a request or demand made under authority granted to that 
agency or department, including--
            (1) a warrant issued under the Federal Rules of Criminal 
        Procedure;
            (2) an equivalent State warrant; or
            (3) a court order or other lawful process.
    (b) Passive Transmission, Hosting, or Linking.--A person shall not 
be deemed to have violated any provision of this Act solely because the 
person provided--
            (1) the Internet connection, telephone connection, or other 
        transmission or routing function through which software was 
        delivered to a protected computer for installation;
            (2) the storage or hosting of software or of an Internet 
        website through which software was made available for 
        installation to a protected computer; or
            (3) an information location tool, such as a directory, 
        index, reference, pointer, or hypertext link, through which a 
        user of a protected computer located software available for 
        installation.
    (c) Exception Relating to Security.--Nothing in this Act shall 
apply to--
            (1) any monitoring of, or interaction with, a consumer's 
        Internet or other network connection or service, or a protected 
        computer, by a telecommunications carrier, cable operator, 
        computer hardware or software provider, or provider of 
        information service or interactive computer service, to the 
        extent that such monitoring or interaction is for network or 
        computer security purposes, network management, maintenance, 
        diagnostics, technical support or repair, or for the detection 
        or prevention of fraudulent activities; or
            (2) a discrete interaction with a protected computer by a 
        provider of computer software solely to determine whether the 
        user of the computer is authorized to use such software, that 
        occurs upon--
                    (A) initialization of the software; or
                    (B) an affirmative request by the owner or 
                authorized user for an update of, addition to, or 
                technical service for, the software.
    (d) Limitation on Liability.--A manufacturer or retailer of 
computer equipment shall not be liable under this Act to the extent 
that the manufacturer or retailer is providing third party branded 
software that is installed on the equipment the manufacturer or 
retailer is manufacturing or selling.
    (e) Compliance With Law.--No person shall be liable under this Act 
for engaging in any activity that is expressly permissible under any 
other provision of Federal law.
    (f) Commission Authority.--In addition to the limitation of 
liability specified in this section, the Commission may by regulation 
establish additional limitations or exceptions upon the finding that 
such limitations or exceptions are reasonably necessary to promote the 
public interest.

SEC. 7. INTERNATIONAL CONSUMER PROTECTION AUTHORITY.

    (a) Availability of Remedies.--Section 5(a) of the Federal Trade 
Commission Act (15 U.S.C. 45(a)) is amended by adding at the end the 
following:
    ``(4)(A) For purposes of this subsection, the term `unfair or 
deceptive acts or practices' includes unfair or deceptive acts or 
practices involving foreign commerce that--
            ``(i) cause or are likely to cause reasonable foreseeable 
        injury within the United States; or
            ``(ii) involve material conduct occurring within the United 
        States.
    ``(B) All remedies available to the Commission with respect to 
unfair and deceptive acts or practices shall be available for acts and 
practices described in this paragraph, including restitution to 
domestic or foreign victims.''.

SEC. 8. PENALTIES FOR CERTAIN UNAUTHORIZED ACTIVITIES RELATING TO 
              COMPUTERS.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by inserting after section 1030 the following:
``Sec. 1030A. Illicit indirect use of protected computers
    ``(a) Furtherance of Criminal Offense.--Whoever intentionally 
accesses a protected computer without authorization, or exceeds 
authorized access to a protected computer, by causing a computer 
program or code to be copied onto the protected computer, and 
intentionally uses that program or code in furtherance of another 
Federal criminal offense shall be fined under this title or imprisoned 
not more than 5 years, or both.
    ``(b) Security Protection.--Whoever intentionally accesses a 
protected computer without authorization, or exceeds authorized access 
to a protected computer, by causing a computer program or code to be 
copied onto the protected computer, and by means of that program or 
code intentionally impairs the security protection of the protected 
computer shall be fined under this title or imprisoned not more than 2 
years, or both.
    ``(c) Individual Exemption.--A person shall not violate this 
section who solely provides--
            ``(1) an Internet connection, telephone connection, or 
        other transmission or routing function through which software 
        is delivered to a protected computer for installation;
            ``(2) the storage or hosting of software, or of an Internet 
        website, through which software is made available for 
        installation to a protected computer; or
            ``(3) an information location tool, such as a directory, 
        index, reference, pointer, or hypertext link, through which a 
        user of a protected computer locates software available for 
        installation.
    ``(d) Network Exemption.--A provider of a network or online service 
that an authorized user of a protected computer uses or subscribes to 
shall not violate this section by any monitoring or, interaction with, 
or installation of software for the purpose of--
            ``(1) protecting the security of the network, service, or 
        computer;
            ``(2) facilitating diagnostics, technical support, 
        maintenance, network management, or repair; or
            ``(3) preventing or detecting unauthorized, fraudulent, or 
        otherwise unlawful uses of the network or service.
    ``(e) Exclusive Jurisdiction.--No person may bring a civil action 
under the law of any State if such action is premised in whole or in 
part upon the defendant's violation of this section.
    ``(f) Definitions.--As used in this section:
            ``(1) Computer; protected computer.--The terms `computer' 
        or `protected computer' have the meanings given such terms in 
        section 1030(e) of this title.
            ``(2) State.--The term `State' includes each of the several 
        States, the District of Columbia, Puerto Rico, and any other 
        territory or possession of the United States.''.
    (b) Conforming Amendment.--The table of sections at the beginning 
of chapter 47 of title 18, United States Code, is amended by inserting 
after the item relating to section 1030 the following new item:

``1030A. Illicit indirect use of protected computers.''.

SEC. 9. PRESERVATION OF FEDERAL TRADE COMMISSION AUTHORITY.

    Nothing in this Act may be construed in any way to limit or affect 
the Commission's authority under any other provision of law, including 
the authority to issue advisory opinions, policy statements, or 
guidance regarding this Act.

SEC. 10. AUTHORIZATION OF APPROPRIATIONS.

    There is authorized to be appropriated, to the Commission for the 
purposes of enforcing violations relating to the unfair and deceptive 
practices associated with computer and Internet related crimes, not 
more than $10,000,000 for each fiscal year beginning with fiscal year 
2006.
                                 <all>