

	

		II

		109th CONGRESS

		1st Session

		S. 1004

		IN THE SENATE OF THE UNITED STATES

		

			May 11, 2005

			Mr. Allen (for himself,

			 Mr. Smith, and Mr. Ensign) introduced the following bill; which was

			 read twice and referred to the Committee

			 on Commerce, Science, and Transportation

		

		A BILL

		To provide the Federal Trade Commission

		  with the resources necessary to protect users of the Internet from the unfair

		  and deceptive acts and practices associated with spyware, and for other

		  purposes.

	

	

		1.Short titleThis Act may be cited as the

			 Enhanced Consumer Protection Against

			 Spyware Act of 2005.

		2.Congressional

			 findingsCongress finds the

			 following:

			(1)Software commonly known as

			 spyware can cause significant harm to consumers by, among other

			 things, deceptively or unfairly causing a computer to malfunction, slow down,

			 lose data, cease working properly, or share personal information without a

			 consumer’s knowledge.

			(2)The unfair and deceptive practices

			 associated with the distribution of spyware threaten the confidence of millions

			 of Americans who use the Internet as a valuable medium for commerce and

			 communications.

			(3)The Federal Trade Commission’s legal

			 actions have clearly established the Commission's authority to combat unfair or

			 deceptive acts or practices involving the Internet and consumers'

			 computers.

			(4)According to the Commission's statements to

			 Congress, the vast majority of unfair or deceptive acts or practices involving

			 spyware, such as deceptively asserting control over a consumer’s computer and

			 capturing keystroke information, are already unlawful under the Federal Trade

			 Commission Act.

			(5)The Commission has already taken legal

			 action against spyware purveyors. For example, in FTC v. Seismic Entertainment,

			 the Commission requested that a district court of the United States shut down a

			 spyware operation that hijacks personal computers, secretly changes computer

			 settings, barrages them with pop-up ads, and installs software programs that

			 spy on consumers’ web surfing.

			(6)Because the fraudulent, deceptive, or

			 unfair installation of spyware is already a violation of Federal law, Congress

			 must focus on providing adequate resources to combat spyware. For example,

			 because a large percentage of the purveyors of spyware are located outside of

			 the United States, legislation that increases the Commission’s authority to

			 combat deceptive or unfair acts or practices that occur overseas would promote

			 enforcement actions against spyware purveyors.

			(7)Because spyware affects interstate commerce

			 and over 20 States are considering legislation on spyware and 2 States have

			 already enacted laws on spyware, Congress must establish a Federal regulatory

			 and enforcement standard to protect against the growing patchwork of State laws

			 that unnecessarily confuses and burdens consumers and legitimate software

			 providers.

			3.Sense of

			 CongressOn the basis of the

			 findings in section 2, it is the sense of the Congress that—

			(1)combating spyware should be established as

			 a matter of high priority for Federal Trade Commission action; and

			(2)the resources and tools available to the

			 Commission should be enhanced and expanded to increase the breadth and strength

			 of the Commission's spyware enforcement efforts.

			4.DefinitionsAs used in this Act:

			(1)Cable

			 operatorThe term

			 cable operator has the meaning given such term in section 602 of

			 the Communications Act of 1934 (47 U.S.C. 522).

			(2)Computer;

			 protected computerThe terms

			 computer or protected computer have the meanings

			 given such terms in section 1030(e) of the title 18, United States Code.

			(3)CommissionThe term Commission means

			 the Federal Trade Commission.

			(4)Information

			 serviceThe term

			 information service has the meaning given such term in section 3

			 of the Communications Act of 1934 (47 U.S.C. 153).

			(5)Interactive

			 computer serviceThe term

			 interactive computer service has the meaning given such term in

			 section 230(f) of the Communications Act of 1934 (47 U.S.C. 230(f)).

			(6)Owner or

			 authorized userThe term

			 owner or authorized user means—

				(A)a natural person who owns a computer for

			 commercial, family, household, or educational purposes; or

				(B)an individual who operates a computer with

			 the authorization of a natural person who owns the computer for commercial,

			 personal, family, household, or educational purposes.

				(7)Telecommunications

			 carrierThe term

			 telecommunications carrier has the meaning given such term in

			 section 3 of the Communications Act of 1934 (47 U.S.C. 153).

			5.Federal trade

			 commission authority to combat deceptive acts or practices relating to

			 spyware

			(a)Restatement of

			 authority

				(1)ViolationIt is a violation of section 18 of the

			 Federal Trade Commission Act (15 U.S.C. 57a) to install through deceptive acts

			 or practices software on protected computers.

				(2)EnforcementAny violation of this Act or of any rules

			 implementing this Act, shall be enforced by the Commission as if it were an

			 unfair or deceptive act or practice proscribed under section 18(a)(1)(B) of the

			 Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

				(b)Increased

			 finesFor any violation

			 described in subsection (a), the Commission may, in its discretion, penalize

			 such deceptive acts or practices by tripling the amounts prescribed in the

			 Federal Trade Commission Act (15 U.S.C. 41 et seq.).

			(c)Penalty for

			 pattern or practice violations

				(1)In

			 generalNotwithstanding the

			 Federal Trade Commission Act (15 U.S.C. 41 et seq.), in the case of a person

			 who engages in a pattern or practice that violates subsection (a), the

			 Commission may, in its discretion, seek a civil penalty for such pattern or

			 practice of violations in an amount, as determined by the Commission, of not

			 more than $3,000,000 for each violation of subsection (a).

				(2)Treatment of

			 single action or conductFor

			 the purpose of enforcing paragraph (1), any single action or conduct that

			 violates subsection (a) with respect to multiple protected computers shall be

			 treated as a single violation.

				(d)Ill-Gotten

			 gainsFor any violation

			 described in subsection (a), the Commission shall have authority to disgorge

			 and seize any ill-gotten gains procured through such deceptive acts or

			 practices.

			(e)Preemption of

			 State or local lawThis

			 section supersedes any provision of a statute, regulation, or rule, and any

			 other requirement, prohibition or remedy under State law or the law of a

			 political subdivision of a State that relates to or affects installation of

			 software through deceptive acts or practices or the use of computer software

			 installed by means of the Internet.

			(f)Private right

			 of action

				(1)In

			 generalThis Act may not be

			 considered or construed to provide any private cause of action, including a

			 class action.

				(2)Civil

			 actionNo private civil

			 action relating to any act or practice governed under this Act may be commenced

			 or maintained in any State court or under State law, including a pendent State

			 claim to an action under Federal law.

				(g)Enforcement by

			 state attorney generals

				(1)Civil

			 actionsIn any case in which

			 the attorney general of a State has reason to believe that an interest of the

			 residents of that State has been or is threatened or adversely affected by the

			 engagement of any person in a practice that is prohibited under this section,

			 the State, as parens patriae, may bring a civil action on behalf of the

			 residents of that State in a Federal district court of the United States of

			 appropriate jurisdiction, or any other court of competent jurisdiction,

			 to—

					(A)enjoin that practice;

					(B)enforce compliance with this

			 section;

					(C)obtain actual damage and restitution on

			 behalf of residents of the State; or

					(D)obtain such other relief as the court may

			 consider to be appropriate.

					(2)Notice

					(A)In

			 generalBefore filing an

			 action under paragraph (1), the attorney general of a State shall provide to

			 the Commission and the Attorney General—

						(i)written notice of the action; and

						(ii)a copy of the complaint for the

			 action.

						(B)Exemption

						(i)In

			 generalSubparagraph (A)

			 shall not apply with respect to the filing of an action by an attorney general

			 of a State under this subsection, if the attorney general of a State determines

			 that it is not feasible to provide the notice described in such subparagraph

			 before the filing of the action.

						(ii)NotificationIn an action described in clause (i), the

			 attorney general of a State shall provide notice and a copy of the complaint to

			 the Commission and the Attorney General at the time the attorney general of a

			 State files the action.

						(C)Attorney

			 general's right to interveneAfter having been notified, as provided in

			 subparagraph (A), the United States Attorney General shall have the

			 right—

						(i)to file an action;

						(ii)to intervene in the action;

						(iii)upon so intervening, to be heard on all

			 matters arising in that action;

						(iv)to remove the action to the appropriate

			 district court of the United States; and

						(v)to file petitions for appeal.

						(D)Prohibition on

			 State attorney generals if Attorney General actsIf the Attorney General institutes an

			 action under this Act, no attorney general of a State or official or agency of

			 a State may bring an action under this subsection for any violation of

			 subsection (a) alleged in the complaint.

					(E)Prohibition on

			 State attorney generals if Commission actsIf the Commission institutes an action

			 under this subsection, no attorney general of a State or official or agency of

			 a State may bring an action under this subsection for any violation of this

			 section alleged in the complaint.

					(h)Rule of

			 constructionFor purposes of

			 bringing any civil action under this section, nothing in this Act shall be

			 construed to prevent an attorney general of a State from exercising the powers

			 conferred on such attorney general by the laws of that State to—

				(1)conduct investigations;

				(2)administer oaths or affirmations; or

				(3)compel the attendance of witnesses or the

			 production of documentary and other evidence.

				(i)Venue; service

			 of process

				(1)VenueAny action brought under subsection (g) may

			 be brought in the district court of the United States that meets applicable

			 requirements relating to venue under section 1391 of title 28, United States

			 Code.

				(2)Service of

			 processIn an action brought

			 under subsection (g), process may be served in any district in which the

			 defendant—

					(A)is an inhabitant; or

					(B)may be found.

					6.Limitations on

			 liability

			(a)Law enforcement

			 authoritySection 5 shall not

			 apply to the transmission, installation, or execution of a computer program in

			 compliance with a law enforcement, investigatory, national security, or

			 regulatory agency or department of the United States, or any State in response

			 to a request or demand made under authority granted to that agency or

			 department, including—

				(1)a warrant issued under the Federal Rules of

			 Criminal Procedure;

				(2)an equivalent State warrant; or

				(3)a court order or other lawful

			 process.

				(b)Passive

			 transmission, hosting, or linkingA person shall not be deemed to have

			 violated any provision of this Act solely because the person provided—

				(1)the Internet connection, telephone

			 connection, or other transmission or routing function through which software

			 was delivered to a protected computer for installation;

				(2)the storage or hosting of software or of an

			 Internet website through which software was made available for installation to

			 a protected computer; or

				(3)an information location tool, such as a

			 directory, index, reference, pointer, or hypertext link, through which a user

			 of a protected computer located software available for installation.

				(c)Exception

			 relating to securityNothing

			 in this Act shall apply to—

				(1)any monitoring of, or interaction with, a

			 consumer’s Internet or other network connection or service, or a protected

			 computer, by a telecommunications carrier, cable operator, computer hardware or

			 software provider, or provider of information service or interactive computer

			 service, to the extent that such monitoring or interaction is for network or

			 computer security purposes, network management, maintenance, diagnostics,

			 technical support or repair, or for the detection or prevention of fraudulent

			 activities; or

				(2)a discrete interaction with a protected

			 computer by a provider of computer software solely to determine whether the

			 user of the computer is authorized to use such software, that occurs

			 upon—

					(A)initialization of the software; or

					(B)an affirmative request by the owner or

			 authorized user for an update of, addition to, or technical service for, the

			 software.

					(d)Limitation on

			 liabilityA manufacturer or

			 retailer of computer equipment shall not be liable under this Act to the extent

			 that the manufacturer or retailer is providing third party branded software

			 that is installed on the equipment the manufacturer or retailer is

			 manufacturing or selling.

			(e)Compliance with

			 lawNo person shall be liable

			 under this Act for engaging in any activity that is expressly permissible under

			 any other provision of Federal law.

			(f)Commission

			 authorityIn addition to the

			 limitation of liability specified in this section, the Commission may by

			 regulation establish additional limitations or exceptions upon the finding that

			 such limitations or exceptions are reasonably necessary to promote the public

			 interest.

			7.International consumer

			 protection authority

			(a)Availability of

			 remediesSection 5(a) of the

			 Federal Trade Commission Act (15 U.S.C. 45(a)) is amended by adding at the end

			 the following:

				

					(4)(A)For purposes of this subsection, the term

				unfair or deceptive acts or practices includes unfair or

				deceptive acts or practices involving foreign commerce that—

							(i)cause or are likely to cause reasonable

				foreseeable injury within the United States; or

							(ii)involve material conduct occurring within

				the United States.

							(B)All remedies available to the Commission

				with respect to unfair and deceptive acts or practices shall be available for

				acts and practices described in this paragraph, including restitution to

				domestic or foreign

				victims.

						.

			8.Penalties for certain

			 unauthorized activities relating to computers

			(a)In

			 generalChapter 47 of title

			 18, United States Code, is amended by inserting after section 1030 the

			 following:

				

					1030A.Illicit indirect

				use of protected computers

						(a)Furtherance of

				criminal offenseWhoever

				intentionally accesses a protected computer without authorization, or exceeds

				authorized access to a protected computer, by causing a computer program or

				code to be copied onto the protected computer, and intentionally uses that

				program or code in furtherance of another Federal criminal offense shall be

				fined under this title or imprisoned not more than 5 years, or both.

						(b)Security

				protectionWhoever

				intentionally accesses a protected computer without authorization, or exceeds

				authorized access to a protected computer, by causing a computer program or

				code to be copied onto the protected computer, and by means of that program or

				code intentionally impairs the security protection of the protected computer

				shall be fined under this title or imprisoned not more than 2 years, or

				both.

						(c)Individual

				exemptionA person shall not

				violate this section who solely provides—

							(1)an Internet connection, telephone

				connection, or other transmission or routing function through which software is

				delivered to a protected computer for installation;

							(2)the storage or hosting of software, or of

				an Internet website, through which software is made available for installation

				to a protected computer; or

							(3)an information location tool, such as a

				directory, index, reference, pointer, or hypertext link, through which a user

				of a protected computer locates software available for installation.

							(d)Network

				exemptionA provider of a

				network or online service that an authorized user of a protected computer uses

				or subscribes to shall not violate this section by any monitoring or,

				interaction with, or installation of software for the purpose of—

							(1)protecting the security of the network,

				service, or computer;

							(2)facilitating diagnostics, technical

				support, maintenance, network management, or repair; or

							(3)preventing or detecting unauthorized,

				fraudulent, or otherwise unlawful uses of the network or service.

							(e)Exclusive

				jurisdictionNo person may

				bring a civil action under the law of any State if such action is premised in

				whole or in part upon the defendant’s violation of this section.

						(f)DefinitionsAs used in this section:

							(1)Computer;

				protected computerThe terms

				computer or protected computer have the meanings

				given such terms in section 1030(e) of this title.

							(2)StateThe term State includes each

				of the several States, the District of Columbia, Puerto Rico, and any other

				territory or possession of the United

				States.

							.

			(b)Conforming

			 amendmentThe table of

			 sections at the beginning of chapter 47 of title 18, United States Code, is

			 amended by inserting after the item relating to section 1030 the following new

			 item:

				

					1030A. Illicit indirect

				use of protected computers.. 

				

			9.Preservation of

			 federal trade commission authorityNothing in this Act may be construed in any

			 way to limit or affect the Commission’s authority under any other provision of

			 law, including the authority to issue advisory opinions, policy statements, or

			 guidance regarding this Act.

		10.Authorization of

			 appropriationsThere is

			 authorized to be appropriated, to the Commission for the purposes of enforcing

			 violations relating to the unfair and deceptive practices associated with

			 computer and Internet related crimes, not more than $10,000,000 for each fiscal

			 year beginning with fiscal year 2006.

		

