[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 687 Reported in Senate (RS)]


                                                       Calendar No. 467
109th CONGRESS
  2d Session
                                 S. 687

                          [Report No. 109-262]

  To regulate the unauthorized installation of computer software, to 
require clear disclosure to computer users of certain computer software 
    features that may pose a threat to user privacy, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 20, 2005

 Mr. Burns (for himself, Mr. Wyden, Mrs. Boxer, Mr. Nelson of Florida, 
and Ms. Snowe) introduced the following bill; which was read twice and 
   referred to the Committee on Commerce, Science, and Transportation

                             June 12, 2006

               Reported by Mr. Stevens, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
  To regulate the unauthorized installation of computer software, to 
require clear disclosure to computer users of certain computer software 
    features that may pose a threat to user privacy, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE; TABLE OF CONTENTS.</DELETED>

<DELETED>    (a) Short Title.--This Act may be cited as the ``Software 
Principles Yielding Better Levels of Consumer Knowledge Act'' or the 
``SPY BLOCK Act''.</DELETED>
<DELETED>    (b) Table of Contents.--The table of contents for this Act 
is as follows:</DELETED>

<DELETED>Sec. 1. Short title.
<DELETED>Sec. 2. Prohibited practices related to software installation 
                            in general.
<DELETED>Sec. 3. Installing surreptitious information collection 
                            features on a user's computer.
<DELETED>Sec. 4. Adware that conceals its operation.
<DELETED>Sec. 5. Other practices that thwart user control of computer.
<DELETED>Sec. 6. Limitations on liability.
<DELETED>Sec. 7. FTC rulemaking authority.
<DELETED>Sec. 8. Administration and enforcement.
<DELETED>Sec. 9. Actions by States.
<DELETED>Sec. 10. Effect on other laws.
<DELETED>Sec. 11. Liability protections for anti-spyware software or 
                            services.
<DELETED>Sec. 12. Penalties for certain unauthorized activities 
                            relating to computers. 
<DELETED>Sec. 13. Definitions.
<DELETED>Sec. 14. Effective date.

<DELETED>SEC. 2. PROHIBITED PRACTICES RELATED TO SOFTWARE INSTALLATION 
              IN GENERAL.</DELETED>

<DELETED>    (a) Surreptitious Installation.--</DELETED>
        <DELETED>    (1) In general.--It is unlawful for a person who 
        is not an authorized user of a protected computer to cause the 
        installation of software on the computer in a manner that--
        </DELETED>
                <DELETED>    (A) conceals from the user of the computer 
                the fact that the software is being installed; 
                or</DELETED>
                <DELETED>    (B) prevents the user of the computer from 
                having an opportunity to knowingly grant or withhold 
                consent to the installation.</DELETED>
        <DELETED>    (2) Exception.--This subsection does not apply 
        to--</DELETED>
                <DELETED>    (A) the installation of software that 
                falls within the scope of a previous grant of 
                authorization by an authorized user;</DELETED>
                <DELETED>    (B) the installation of an upgrade to a 
                software program that has already been installed on the 
                computer with the authorization of an authorized 
                user;</DELETED>
                <DELETED>    (C) the installation of software before 
                the first retail sale and delivery of the computer; 
                or</DELETED>
                <DELETED>    (D) the installation of software that 
                ceases to operate when the user of the computer exits 
                the software or service through which the user accesses 
                the Internet, if the software so installed does not 
                begin to operate again when the user accesses the 
                Internet via that computer in the future.</DELETED>
<DELETED>    (b) Misleading Inducements To Install.--It is unlawful for 
a person who is not an authorized user of a protected computer to 
induce an authorized user of the computer to consent to the 
installation of software on the computer by means of a materially false 
or misleading representation concerning--</DELETED>
        <DELETED>    (1) the identity of an operator of an Internet 
        website or online service at which the software is made 
        available for download from the Internet;</DELETED>
        <DELETED>    (2) the identity of the author, publisher, or 
        authorized distributor of the software;</DELETED>
        <DELETED>    (3) the nature or function of the software; 
        or</DELETED>
        <DELETED>    (4) the consequences of not installing the 
        software.</DELETED>
<DELETED>    (c) Preventing Reasonable Efforts To Uninstall.--
</DELETED>
        <DELETED>    (1) In general.--It is unlawful for a person who 
        is not an authorized user of a protected computer to cause the 
        installation of software on the computer if the software cannot 
        subsequently be uninstalled or disabled by an authorized user 
        through a program removal function that is usual and customary 
        with the user's operating system, or otherwise as clearly and 
        conspicuously disclosed to the user.</DELETED>
        <DELETED>    (2) Limitations.--</DELETED>
                <DELETED>    (A) Authority to uninstall.--Software that 
                enables an authorized user of a computer, such as a 
                parent, employer, or system administrator, to choose to 
                prevent another user of the same computer from 
                uninstalling or disabling the software shall not be 
                considered to prevent reasonable efforts to uninstall 
                or disable the software within the meaning of this 
                subsection if at least 1 authorized user retains the 
                ability to uninstall or disable the software.</DELETED>
                <DELETED>    (B) Construction.--This subsection shall 
                not be construed to require individual features or 
                functions of a software program, upgrades to a 
                previously installed software program, or software 
                programs that were installed on a bundled basis with 
                other software or with hardware to be capable of being 
                uninstalled or disabled separately from such software 
                or hardware.</DELETED>

<DELETED>SEC. 3. INSTALLING SURREPTITIOUS INFORMATION COLLECTION 
              FEATURES ON A USER'S COMPUTER.</DELETED>

<DELETED>    (a) In General.--It is unlawful for a person who is not an 
authorized user of a protected computer to--</DELETED>
        <DELETED>    (1) cause the installation on that computer of 
        software that includes a surreptitious information collection 
        feature; or</DELETED>
        <DELETED>    (2) use software installed in violation of 
        paragraph (1) to collect information about a user of the 
        computer or the use of a protected computer by that 
        user.</DELETED>
<DELETED>    (b) Authorization Status.--This section shall not be 
interpreted to prohibit a person from causing the installation of 
software that collects and transmits only information that is 
reasonably needed to determine whether or not the user of a protected 
computer is licensed or authorized to use the software.</DELETED>
<DELETED>    (c) Surreptitious Information Collection Feature 
Defined.--For purposes of this section, the term ``surreptitious 
information collection feature'' means a feature of software that--
</DELETED>
        <DELETED>    (1) collects information about a user of a 
        protected computer or the use of a protected computer by that 
        user, and transmits such information to any other person or 
        computer--</DELETED>
                <DELETED>    (A) on an automatic basis or at the 
                direction of person other than an authorized user of 
                the computer, such that no authorized user knowingly 
                triggers or controls the collection and 
                transmission;</DELETED>
                <DELETED>    (B) in a manner that is not transparent to 
                an authorized user at or near the time of the 
                collection and transmission, such that no authorized 
                user is likely to be aware of it when information 
                collection and transmission are occurring; 
                and</DELETED>
                <DELETED>    (C) for purposes other than--</DELETED>
                        <DELETED>    (i) facilitating the proper 
                        technical functioning of a capability, 
                        function, or service that an authorized user of 
                        the computer has knowingly used, executed, or 
                        enabled; or</DELETED>
                        <DELETED>    (ii) enabling the provider of an 
                        online service knowingly used or subscribed to 
                        by an authorized user of the computer to 
                        monitor or record the user's usage of the 
                        service, or to customize or otherwise affect 
                        the provision of the service to the user based 
                        on such usage; and</DELETED>
        <DELETED>    (2) begins to collect and transmit such 
        information without prior notification that--</DELETED>
                <DELETED>    (A) clearly and conspicuously discloses to 
                an authorized user of the computer the type of 
                information the software will collect and the types of 
                ways the information may be used and distributed; 
                and</DELETED>
                <DELETED>    (B) is provided at a time and in a manner 
                such that an authorized user of the computer has an 
                opportunity, after reviewing the information contained 
                in the notice, to prevent either--</DELETED>
                        <DELETED>    (i) the installation of the 
                        software; or</DELETED>
                        <DELETED>    (ii) the beginning of the 
                        operation of the information collection and 
                        transmission capability described in paragraph 
                        (1).</DELETED>

<DELETED>SEC. 4. ADWARE THAT CONCEALS ITS OPERATION.</DELETED>

<DELETED>    (a) In General.--It is unlawful for a person who is not an 
authorized user of a protected computer to cause the installation on 
that computer of software that causes advertisements to be displayed to 
the user without a label or other reasonable means of identifying to 
the user of the computer, each time such an advertisement is displayed, 
which software caused the advertisement's delivery.</DELETED>
<DELETED>    (b) Exception.--Software that causes advertisements to be 
displayed without a label or other reasonable means of identification 
shall not give rise to liability under subsection (a) if those 
advertisements are displayed to a user of the computer--</DELETED>
        <DELETED>    (1) only when a user is accessing an Internet 
        website or online service--</DELETED>
                <DELETED>    (A) operated by the publisher of the 
                software; or</DELETED>
                <DELETED>    (B) the operator of which has provided 
                express consent to the display of such advertisements 
                to users of the website or service; or</DELETED>
        <DELETED>    (2) only in a manner or at a time such that a 
        reasonable user would understand which software caused the 
        delivery of the advertisements.</DELETED>

<DELETED>SEC. 5. OTHER PRACTICES THAT THWART USER CONTROL OF 
              COMPUTER.</DELETED>

<DELETED>    It is unlawful for a person who is not an authorized user 
of a protected computer to engage in an unfair or deceptive act or 
practice that involves--</DELETED>
        <DELETED>    (1) utilizing the computer to send unsolicited 
        information or material from the user's computer to other 
        computers;</DELETED>
        <DELETED>    (2) diverting an authorized user's Internet 
        browser away from the Internet website the user intended to 
        view to 1 or more other websites, unless such diversion has 
        been authorized by the website the user intended to 
        view;</DELETED>
        <DELETED>    (3) displaying an advertisement, series of 
        advertisements, or other content on the computer through 
        windows in an Internet browser, in such a manner that the user 
        of the computer cannot end the display of such advertisements 
        or content without turning off the computer or terminating all 
        sessions of the Internet browser (except that this paragraph 
        shall not apply to the display of content related to the 
        functionality or identity of the Internet browser);</DELETED>
        <DELETED>    (4) modifying settings relating to the use of the 
        computer or to the computer's access to or use of the Internet, 
        including--</DELETED>
                <DELETED>    (A) altering the default Web page that 
                initially appears when a user of the computer launches 
                an Internet browser;</DELETED>
                <DELETED>    (B) altering the default provider or Web 
                proxy used to access or search the Internet;</DELETED>
                <DELETED>    (C) altering bookmarks used to store 
                favorite Internet website addresses; or</DELETED>
                <DELETED>    (D) altering settings relating to security 
                measures that protect the computer and the information 
                stored on the computer against unauthorized access or 
                use; or</DELETED>
        <DELETED>    (5) removing, disabling, or rendering inoperative 
        a security or privacy protection technology installed on the 
        computer.</DELETED>

<DELETED>SEC. 6. LIMITATIONS ON LIABILITY.</DELETED>

<DELETED>    (a) Passive Transmission, Hosting, or Linking.--A person 
shall not be deemed to have violated any provision of this Act solely 
because the person provided--</DELETED>
        <DELETED>    (1) the Internet connection, telephone connection, 
        or other transmission or routing function through which 
        software was delivered to a protected computer for 
        installation;</DELETED>
        <DELETED>    (2) the storage or hosting of software or of an 
        Internet website through which software was made available for 
        installation to a protected computer; or</DELETED>
        <DELETED>    (3) an information location tool, such as a 
        directory, index, reference, pointer, or hypertext link, 
        through which a user of a protected computer located software 
        available for installation.</DELETED>
<DELETED>    (b) Network Security.--It is not a violation of section 2, 
3, or 5 for a provider of a network or online service used by an 
authorized user of a protected computer, or to which any authorized 
user of a protected computer subscribes, to monitor, interact with, or 
install software for the purpose of--</DELETED>
        <DELETED>    (1) protecting the security of the network, 
        service, or computer;</DELETED>
        <DELETED>    (2) facilitating diagnostics, technical support, 
        maintenance, network management, or repair; or</DELETED>
        <DELETED>    (3) preventing or detecting unauthorized, 
        fraudulent, or otherwise unlawful uses of the network or 
        service.</DELETED>
<DELETED>    (c) Manufacturer's Liability for Third-Party Software.--A 
manufacturer or retailer of a protected computer shall not be liable 
under any provision of this Act for causing the installation on the 
computer, prior to the first retail sale and delivery of the computer, 
of third-party branded software, unless the manufacturer or retailer--
</DELETED>
        <DELETED>    (1) uses a surreptitious information collection 
        feature included in the software to collect information about a 
        user of the computer or the use of a protected computer by that 
        user; or</DELETED>
        <DELETED>    (2) knows that the software will cause 
        advertisements for the manufacturer or retailer to be displayed 
        to a user of the computer.</DELETED>
<DELETED>    (d) Investigational Exception.--Nothing in this Act 
prohibits any lawfully authorized investigative, protective, or 
intelligence activity of a law enforcement agency of the United States, 
a State, or a political subdivision of a State, or of an intelligence 
agency of the United States.</DELETED>
<DELETED>    (e) Services Provided Over MVPD Systems.--It is not a 
violation of this Act for a multichannel video programming distributor 
(as defined in section 602(13) of the Communications Act of 1934 (47 
U.S.C. 522(13)) to utilize a navigation device, or interact with such a 
device, or to install or use software on such a device, in connection 
with the provision of multichannel video programming or other services 
offered over a multichannel video programming system or the collection 
or disclosure of subscriber information, if the provision of such 
service or the collection or disclosure of such information is subject 
to section 338(i) or section 631 of the Communications Act of 1934 (47 
U.S.C. 338(i) or 551).</DELETED>

<DELETED>SEC. 7. FTC RULEMAKING AUTHORITY.</DELETED>

<DELETED>    (a) In General.--Subject to the limitations of subsection 
(b), the Commission may issue such rules in accordance with section 553 
of title 5, United States Code, as may be necessary to implement or 
clarify the provisions of this Act.</DELETED>
<DELETED>    (b) Safe Harbors.--</DELETED>
        <DELETED>    (1) In general.--The Commission may issue 
        regulations establishing specific wordings or formats for--
        </DELETED>
                <DELETED>    (A) notification that is sufficient under 
                section 3(c)(2) to prevent a software feature from 
                being a surreptitious information collection feature 
                (as defined in section 3(c)); or</DELETED>
                <DELETED>    (B) labels or other means of 
                identification that are sufficient to avoid violation 
                of section 4(a).</DELETED>
        <DELETED>    (2) Function of commission's suggested wordings or 
        formats.--</DELETED>
                <DELETED>    (A) Usage is voluntary.--The Commission 
                may not require the use of any specific wording or 
                format prescribed under paragraph (1) to meet the 
                requirements of section 3 or 4.</DELETED>
                <DELETED>    (B) Other means of compliance.--The use of 
                a specific wording or format prescribed under paragraph 
                (1) shall not be the exclusive means of providing 
                notification, labels, or other identification that meet 
                the requirements of sections 3 and 4.</DELETED>
<DELETED>    (c) Limitations on Liability.--In addition to the 
limitations on liability specified in section 6, the Commission may by 
regulation establish additional limitations or exceptions upon a 
finding that such limitations or exceptions are reasonably necessary to 
promote the public interest and are consistent with the purposes of 
this Act. No such additional limitation of liability may be made 
contingent upon the adoption of any specific wording or format 
specified in regulations under subsection (b)(1).</DELETED>

<DELETED>SEC. 8. ADMINISTRATION AND ENFORCEMENT.</DELETED>

<DELETED>    (a) In General.--Except as provided in subsection (b), 
this Act shall be enforced by the Commission as if a violation of this 
Act or of any regulation promulgated by the Commission under this Act 
were an unfair or deceptive act or practice proscribed under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).</DELETED>
<DELETED>    (b) Enforcement by Certain Other Agencies.--Compliance 
with this Act shall be enforced under--</DELETED>
        <DELETED>    (1) section 8 of the Federal Deposit Insurance Act 
        (12 U.S.C. 1818), in the case of--</DELETED>
                <DELETED>    (A) national banks, and Federal branches 
                and Federal agencies of foreign banks, by the Office of 
                the Comptroller of the Currency;</DELETED>
                <DELETED>    (B) member banks of the Federal Reserve 
                System (other than national banks), branches and 
                agencies of foreign banks (other than Federal branches, 
                Federal agencies, and insured State branches of foreign 
                banks), commercial lending companies owned or 
                controlled by foreign banks, and organizations 
                operating under section 25 or 25A of the Federal 
                Reserve Act (12 U.S.C. 601 and 611), by the Board; 
                and</DELETED>
                <DELETED>    (C) banks insured by the Federal Deposit 
                Insurance Corporation (other than members of the 
                Federal Reserve System) and insured State branches of 
                foreign banks, by the Board of Directors of the Federal 
                Deposit Insurance Corporation;</DELETED>
        <DELETED>    (2) section 8 of the Federal Deposit Insurance Act 
        (12 U.S.C. 1818), by the Director of the Office of Thrift 
Supervision, in the case of a savings association the deposits of which 
are insured by the Federal Deposit Insurance Corporation;</DELETED>
        <DELETED>    (3) the Federal Credit Union Act (12 U.S.C. 1751 
        et seq.) by the National Credit Union Administration Board with 
        respect to any Federal credit union;</DELETED>
        <DELETED>    (4) part A of subtitle VII of title 49, United 
        States Code, by the Secretary of Transportation with respect to 
        any air carrier or foreign air carrier subject to that 
        part;</DELETED>
        <DELETED>    (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 
        181 et seq.) (except as provided in section 406 of that Act (7 
        U.S.C. 226, 227)), by the Secretary of Agriculture with respect 
        to any activities subject to that Act; and</DELETED>
        <DELETED>    (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et 
        seq.) by the Farm Credit Administration with respect to any 
        Federal land bank, Federal land bank association, Federal 
        intermediate credit bank, or production credit 
        association.</DELETED>
<DELETED>    (c) Exercise of Certain Powers.--For the purpose of the 
exercise by any agency referred to in subsection (b) of its powers 
under any Act referred to in that subsection, a violation of this Act 
is deemed to be a violation of a requirement imposed under that Act. In 
addition to its powers under any provision of law specifically referred 
to in subsection (b), each of the agencies referred to in that 
subsection may exercise, for the purpose of enforcing compliance with 
any requirement imposed under this Act, any other authority conferred 
on it by law.</DELETED>
<DELETED>    (d) Actions by the Commission.--The Commission shall 
prevent any person from violating this Act in the same manner, by the 
same means, and with the same jurisdiction, powers, and duties as 
though all applicable terms and provisions of the Federal Trade 
Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a 
part of this Act. Any entity that violates any provision of that 
section is subject to the penalties and entitled to the privileges and 
immunities provided in the Federal Trade Commission Act in the same 
manner, by the same means, and with the same jurisdiction, power, and 
duties as though all applicable terms and provisions of the Federal 
Trade Commission Act were incorporated into and made a part of that 
section.</DELETED>

<DELETED>SEC. 9. ACTIONS BY STATES.</DELETED>

<DELETED>    (a) In General.--</DELETED>
        <DELETED>    (1) Civil actions.--In any case in which the 
        attorney general of a State has reason to believe that an 
        interest of the residents of that State has been or is 
        threatened or adversely affected by the engagement of any 
        person in a practice that this Act prohibits, the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of the State in a district court of the United States 
        of appropriate jurisdiction--</DELETED>
                <DELETED>    (A) to enjoin that practice;</DELETED>
                <DELETED>    (B) to enforce compliance with the 
                rule;</DELETED>
                <DELETED>    (C) to obtain damage, restitution, or 
                other compensation on behalf of residents of the State; 
                or</DELETED>
                <DELETED>    (D) to obtain such other relief as the 
                court may consider to be appropriate.</DELETED>
        <DELETED>    (2) Notice.--</DELETED>
                <DELETED>    (A) In general.--Before filing an action 
                under paragraph (1), the attorney general of the State 
                involved shall provide to the Commission--</DELETED>
                        <DELETED>    (i) written notice of that action; 
                        and</DELETED>
                        <DELETED>    (ii) a copy of the complaint for 
                        that action.</DELETED>
                <DELETED>    (B) Exemption.--</DELETED>
                        <DELETED>    (i) In general.--Subparagraph (A) 
                        shall not apply with respect to the filing of 
                        an action by an attorney general of a State 
                        under this subsection, if the attorney general 
                        determines that it is not feasible to provide 
                        the notice described in that subparagraph 
                        before the filing of the action.</DELETED>
                        <DELETED>    (ii) Notification.--In an action 
                        described in clause (i), the attorney general 
                        of a State shall provide notice and a copy of 
                        the complaint to the Commission at the same 
                        time as the attorney general files the 
                        action.</DELETED>
<DELETED>    (b) Intervention.--</DELETED>
        <DELETED>    (1) In general.--On receiving notice under 
        subsection (a)(2), the Commission shall have the right to 
        intervene in the action that is the subject of the 
        notice.</DELETED>
        <DELETED>    (2) Effect of intervention.--If the Commission 
        intervenes in an action under subsection (a), it shall have the 
        right--</DELETED>
                <DELETED>    (A) to be heard with respect to any matter 
                that arises in that action; and</DELETED>
                <DELETED>    (B) to file a petition for 
                appeal.</DELETED>
<DELETED>    (c) Construction.--For purposes of bringing any civil 
action under subsection (a), nothing in this subtitle shall be 
construed to prevent an attorney general of a State from exercising the 
powers conferred on the attorney general by the laws of that State to--
</DELETED>
        <DELETED>    (1) conduct investigations;</DELETED>
        <DELETED>    (2) administer oaths or affirmations; or</DELETED>
        <DELETED>    (3) compel the attendance of witnesses or the 
        production of documentary and other evidence.</DELETED>
<DELETED>    (d) Actions by the Commission.--In any case in which an 
action is instituted by or on behalf of the Commission for violation of 
this Act, no State may, during the pendency of that action, institute 
an action under subsection (a) against any defendant named in the 
complaint in that action for violation of that section.</DELETED>
<DELETED>    (e) Venue; Service of Process.--</DELETED>
        <DELETED>    (1) Venue.--Any action brought under subsection 
        (a) may be brought in the district court of the United States 
        that meets applicable requirements relating to venue under 
        section 1391 of title 28, United States Code.</DELETED>
        <DELETED>    (2) Service of process.--In an action brought 
        under subsection (a), process may be served in any district in 
        which the defendant--</DELETED>
                <DELETED>    (A) is an inhabitant; or</DELETED>
                <DELETED>    (B) may be found.</DELETED>

<DELETED>SEC. 10. EFFECT ON OTHER LAWS.</DELETED>

<DELETED>    (a) Federal Law.--Nothing in this Act shall be construed 
to limit or affect in any way the Commission's authority to bring 
enforcement actions or take any other measures under the Federal Trade 
Commission Act or any other provision of law.</DELETED>
<DELETED>    (b) State Law.--</DELETED>
        <DELETED>    (1) State law concerning information collection 
        software or adware.--This Act supersedes any statute, 
        regulation, or rule of a State or political subdivision of a 
        State that expressly limits or restricts the installation or 
        use of software on a protected computer to--</DELETED>
                <DELETED>    (A) collect information about the user of 
                the computer or the user's Internet browsing behavior 
                or other use of the computer; or</DELETED>
                <DELETED>    (B) cause advertisements to be delivered 
                to the user of the computer,</DELETED>
        <DELETED>except to the extent that any such statute, 
        regulation, or rule prohibits deception in connection with the 
        installation or use of such software.</DELETED>
        <DELETED>    (2) State law concerning notice of software 
        installation.--This Act supersedes any statute, regulation, or 
        rule of a State or political subdivision of a State that 
        prescribes specific methods for providing notification before 
        the installation of software on a computer.</DELETED>
        <DELETED>    (3) State law not specific to software.--This Act 
        shall not be construed to preempt the applicability of State 
        criminal, trespass, contract, tort, or anti-fraud 
        law.</DELETED>

<DELETED>SEC. 11. LIABILITY PROTECTIONS FOR ANTI-SPYWARE SOFTWARE OR 
              SERVICES.</DELETED>

<DELETED>    No provider of computer software or of an interactive 
computer service may be held liable under this Act or any other 
provision of law for identifying, naming, removing, disabling, or 
otherwise affecting the operation or potential operation on a computer 
of computer software published by a third party, if--</DELETED>
        <DELETED>    (1) the provider's software or interactive 
        computer service is intended to identify, prevent the 
        installation or execution of, remove, or disable computer 
        software that is or was installed in violation of section 2, 3, 
        or 4 of this Act or used to violate section 5 of this 
        Act;</DELETED>
        <DELETED>    (2) an authorized user of the computer has 
        consented to the use of the provider's computer software or 
        interactive computer service on the computer;</DELETED>
        <DELETED>    (3) the provider believes in good faith that the 
        installation or operation of the third-party computer software 
        involved or involves a violation of section 2, 3, 4, or 5 of 
        this Act; and</DELETED>
        <DELETED>    (4) the provider either notifies and obtains the 
        consent of an authorized user of the computer before taking any 
        action to remove, disable, or otherwise affect the operation or 
        potential operation of the third-party software on the 
        computer, or has obtained prior authorization from an 
        authorized user to take such action without providing such 
        notice and consent.</DELETED>

<DELETED>SEC. 12. PENALTIES FOR CERTAIN UNAUTHORIZED ACTIVITIES 
              RELATING TO COMPUTERS.</DELETED>

<DELETED>    (a) In General.--Chapter 47 of title 18, United States 
Code, is amended by inserting after section 1030 the 
following:</DELETED>
<DELETED>``Sec. 1030A. Illicit indirect use of protected 
              computers</DELETED>
<DELETED>    ``(a) Whoever intentionally accesses a protected computer 
without authorization, or exceeds authorized access to a protected 
computer, by causing a computer program or code to be copied onto the 
protected computer, and intentionally uses that program or code in 
furtherance of another Federal criminal offense shall be fined under 
this title or imprisoned 5 years, or both.</DELETED>
<DELETED>    ``(b) Whoever intentionally accesses a protected computer 
without authorization, or exceeds authorized access to a protected 
computer, by causing a computer program or code to be copied onto the 
protected computer, and by means of that program or code intentionally 
impairs the security protection of the protected computer shall be 
fined under this title or imprisoned not more than 2 years, or 
both.</DELETED>
<DELETED>    ``(c) A person shall not violate this section who solely 
provides--</DELETED>
        <DELETED>    ``(1) an Internet connection, telephone 
        connection, or other transmission or routing function through 
        which software is delivered to a protected computer for 
        installation;</DELETED>
        <DELETED>    ``(2) the storage or hosting of software, or of an 
        Internet website, through which software is made available for 
        installation to a protected computer; or</DELETED>
        <DELETED>    ``(3) an information location tool, such as a 
        directory, index, reference, pointer, or hypertext link, 
        through which a user of a protected computer locates software 
        available for installation.</DELETED>
<DELETED>    ``(d) A provider of a network or online service that an 
authorized user of a protected computer uses or subscribes to shall not 
violate this section by any monitoring of, interaction with, or 
installation of software for the purpose of--</DELETED>
        <DELETED>    ``(1) protecting the security of the network, 
        service, or computer;</DELETED>
        <DELETED>    ``(2) facilitating diagnostics, technical support, 
        maintenance, network management, or repair; or</DELETED>
        <DELETED>    ``(3) preventing or detecting unauthorized, 
        fraudulent, or otherwise unlawful uses of the network or 
        service.</DELETED>
<DELETED>    ``(e) No person may bring a civil action under the law of 
any State if such action is premised in whole or in part upon the 
defendant's violating this section. For the purposes of this 
subsection, the term `State' includes the District of Columbia, Puerto 
Rico, and any other territory or possession of the United 
States.''.</DELETED>
<DELETED>    (b) Conforming Amendment.--The table of sections at the 
beginning of chapter 47 of title 18, United States Code, is amended by 
inserting after the item relating to section 1030 the following new 
item:</DELETED>

<DELETED>``1030A. Illicit indirect use of protected computers.''.

<DELETED>SEC. 13. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Authorized user.--The term ``authorized 
        user'', when used with respect to a computer, means the owner 
        or lessee of a computer, or someone using or accessing a 
computer with the actual or apparent authorization of the owner or 
lessee.</DELETED>
        <DELETED>    (2) Cause the installation.--The term ``cause the 
        installation'' when used with respect to particular software, 
        means to knowingly provide the technical means by which the 
        software is installed, or to knowingly pay or provide other 
        consideration to, or to knowingly induce or authorize, another 
        person to do so.</DELETED>
        <DELETED>    (3) Commission.--The term ``Commission'' means the 
        Federal Trade Commission.</DELETED>
        <DELETED>    (4) Cookie.--The term ``cookie'' means a text 
        file--</DELETED>
                <DELETED>    (A) that is placed on a computer by, or on 
                behalf of, an Internet service provider, interactive 
                computer service, or Internet website; and</DELETED>
                <DELETED>    (B) the sole function of which is to 
                record information that can be read or recognized when 
                the user of the computer subsequently accesses 
                particular websites or online locations or 
                services.</DELETED>
        <DELETED>    (5) First retail sale and delivery.--The term 
        ``first retail sale and delivery'' means the first sale, for a 
        purpose other than resale, of a protected computer and the 
        delivery of that computer to the purchaser or a recipient 
        designated by the purchaser at the time of such first sale. For 
        purposes of this paragraph, the lease of a computer shall be 
        considered a sale of the computer for a purpose other than 
        resale.</DELETED>
        <DELETED>    (6) Install.--</DELETED>
                <DELETED>    (A) In general.--The term ``install'' 
                means--</DELETED>
                        <DELETED>    (i) to write computer software to 
                        a computer's persistent storage medium, such as 
                        the computer's hard disk, in such a way that 
                        the computer software is retained on the 
                        computer after the computer is turned off and 
                        subsequently restarted; or</DELETED>
                        <DELETED>    (ii) to write computer software to 
                        a computer's temporary memory, such as random 
                        access memory, in such a way that the software 
                        is retained and continues to operate after the 
                        user of the computer turns off or exits the 
                        Internet service, interactive computer service, 
                        or Internet website from which the computer 
                        software was obtained.</DELETED>
                <DELETED>    (B) Exception for temporary cache.--The 
                term ``install'' does not include the writing of 
                software to an area of the persistent storage medium 
                that is expressly reserved for the temporary retention 
                of recently accessed or input data or information if 
                the software retained in that area remains inoperative 
                unless a user of the computer chooses to access that 
                temporary retention area.</DELETED>
        <DELETED>    (7) Person.--The term ``person'' has the meaning 
        given that term in section 3(32) of the Communications Act of 
        1934 (47 U.S.C. 153(32)).</DELETED>
        <DELETED>    (8) Protected computer.--The term ``protected 
        computer'' has the meaning given that term in section 
        1030(e)(2)(B) of title 18, United States Code.</DELETED>
        <DELETED>    (9) Software.--The term ``software'' means any 
        program designed to cause a computer to perform a desired 
        function or functions. Such term does not include any 
        cookie.</DELETED>
        <DELETED>    (10) Unfair or deceptive act or practice.--The 
        term ``unfair or deceptive act or practice'' has the same 
        meaning as when used in section 5 of the Federal Trade 
        Commission Act (15 U.S.C. 45).</DELETED>
        <DELETED>    (11) Upgrade.--The term ``upgrade'', when used 
        with respect to a previously installed software program, means 
        additional software that is issued by, or with the 
        authorization of, the publisher or any successor to the 
        publisher of the software program to improve, correct, repair, 
        enhance, supplement, or otherwise modify the software 
        program.</DELETED>

<DELETED>SEC. 14. EFFECTIVE DATE.</DELETED>

<DELETED>    This Act shall take effect 180 days after the date of 
enactment of this Act.</DELETED>

SECTION 1. TABLE OF CONTENTS.

    The table of contents for this Act is as follows:

Sec. 1. Table of contents.

                            TITLE I--SPYWARE

Sec. 101. Short title.
Sec. 102. Federal Trade Commission authority to combat deceptive acts 
                            or practices relating to spyware.
Sec. 103. Prohibited behaviors.
Sec. 104. Installing personal information collection features on a 
                            user's computer.
Sec. 105. Adware that conceals its operation.
Sec. 106. Limitations on liability.
Sec. 107. FTC administration and enforcement.
Sec. 108. Enforcement by other agencies.
Sec. 109. State enforcement.
Sec. 110. Other enforcement.
Sec. 111. Effect on other laws.
Sec. 112. Definitions.
Sec. 113. Criminal penalties for certain unauthorized activities 
                            relating to computers.
Sec. 114. Effective date.

                TITLE II--INCREASE IN CERTAIN PENALTIES

Sec. 201. Increase in penalties for unfair or deceptive acts or 
                            practices exploiting reaction to certain 
                            emergencies and major disasters.

                            TITLE I--SPYWARE

SEC. 101. SHORT TITLE.

    This title may be cited as the ``Software Principles Yielding 
Better Levels of Consumer Knowledge Act'' or the ``SPY BLOCK Act''.

SEC. 102. FEDERAL TRADE COMMISSION AUTHORITY TO COMBAT DECEPTIVE ACTS 
              OR PRACTICES RELATING TO SPYWARE.

    (a) In General.--It is a violation of section 5 of the Federal 
Trade Commission Act (15 U.S.C. 45) to install through unfair or 
deceptive acts or practices software on protected computers.
    (b) Rule of Construction.--This title shall not be construed to 
limit in any way what is an unfair or deceptive act or practice under 
the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

SEC. 103. PROHIBITED BEHAVIORS.

    It is unlawful for a person who is not an authorized user of a 
protected computer to cause the installation on that computer of 
software that--
            (1) takes control of the protected computer by--
                    (A) Zombies.--transmitting or relaying commercial 
                electronic mail or a computer virus from a protected 
                computer if the transmission or relaying is initiated 
                by a person other than an authorized user and without 
                the authorization of an authorized user;
                    (B) Modem hijacking.--accessing or using the modem 
                or Internet service of an authorized user of a 
                protected computer for the purpose of--
                            (i) causing damage to the protected 
                        computer; or
                            (ii) causing the authorized user to incur 
                        financial charges for a service that is not 
                        authorized by that authorized user;
                    (C) Denial of service attacks.--using a protected 
                computer as part of an activity performed by a group of 
                computers for the purpose of causing damage, including 
                launching a denial of service attack; or
                    (D) Endless loop pop-up advertisements.--opening 
                multiple, sequential, stand-alone advertisements in an 
                authorized user's protected computer without the 
                authorization of that user and with knowledge that a 
                reasonable computer user cannot close the 
                advertisements without turning off the computer or 
                forcing an application to close using means other than 
                the ordinary means for closing the application, except 
                that this subparagraph does not apply to 
                communications--
                            (i) originated by the computer's operating 
                        system;
                            (ii) originated by software that the user 
                        knowingly chooses to activate;
                            (iii) originated by a service provider that 
                        the user chooses to use; or
                            (iv) presented for any of the purposes 
                        described in section 106;
            (2) modifies--
                    (A) Enabling identity theft.--an authorized user's 
                security or other settings related to access to, or use 
                of, the Internet on a protected computer that protect 
                information about the authorized user for the purpose 
                of stealing the authorized user's sensitive personal 
                information; or
                    (B) Disabling security.--the security settings of a 
                protected computer for the purpose of causing damage to 
                that computer or another computer; or
                    (C) Browser settings.--through unfair or deceptive 
                means--
                            (i) the page that appears when an 
                        authorized user launches an Internet browser or 
                        similar software program used to access and 
                        navigate the Internet;
                            (ii) the default provider or Web proxy the 
                        authorized user uses to access or search the 
                        Internet; or
                            (iii) the authorized user's list of 
                        bookmarks used to access Web pages; or
            (3) prevents, without authorization from the authorized 
        user, that user's reasonable efforts to block the installation 
        of, to disable, or to uninstall software by unfair or deceptive 
        means, including--
                    (A) Falsifying option to decline installs.--
                presenting the authorized user with an option to 
                decline installation of software with knowledge that, 
                when the option is selected by the authorized user, the 
                installation nevertheless proceeds; or
                    (B) evading uninstalls by unfair or deceptive 
                means.--
                            (i) falsely representing that the software 
                        has been disabled;
                            (ii) requiring in an unfair or deceptive 
                        manner the user to access the Internet to 
                        remove the software with knowledge or reckless 
                        disregard of the fact that the software 
                        frequently operates in a manner that prevents 
                        the user from accessing the Internet;
                            (iii) changing the name, location or other 
                        designation information of the software for the 
                        purpose of preventing an authorized user from 
                        locating the software to remove it;
                            (iv) using randomized or intentionally 
                        deceptive filenames, directory folders, 
                        formats, or registry entries for the purpose of 
                        avoiding detection and removal of the software 
                        by an authorized user;
                            (v) causing the installation of software in 
                        a particular computer directory or computer 
                        memory for the purpose of evading authorized 
                        users' attempts to remove the software from the 
                        computer; or
                            (vi) requiring, without the authority of 
                        the owner of the computer, that an authorized 
                        user obtain a special code or download software 
                        from a third party to uninstall the software.

SEC. 104. INSTALLING PERSONAL INFORMATION COLLECTION FEATURES ON A 
              USER'S COMPUTER.

    (a) In General.--It is unlawful for a person who is not an 
authorized user of a protected computer to cause the installation on 
that computer of software that collects sensitive personal information 
from an authorized user, unless that person provides a clear and 
conspicuous disclosure of such collection and obtains the authorized 
user's consent prior to any such collection of information in any case 
in which the software extracts from the hard drive or other storage 
medium of the protected computer the authorized user's--
            (1) Social Security number;
            (2) tax identification number;
            (3) driver's license number;
            (4) passport number;
            (5) any other government-issued identification number;
            (6) financial account, credit card, or debit card numbers;
            (7) account balances, or overdraft history; or
            (8) other sensitive personal information.
    (b) Other Personally Identifying Information.--It is unlawful for a 
person who is not an authorized user of a protected computer to cause 
the installation on that computer of software that engages in any of 
the following practices without a prior disclosure that is clearly and 
conspicuously available to, or with the knowledge of, the authorized 
user, and for a purpose unrelated to any of the purposes of the 
software or service described to an authorized user:
            (1) The use of a keystroke-logging function that records 
        all or substantially all keystrokes made by an owner or 
        operator of a computer and transfers that information from the 
        computer to another person.
            (2) Collection in a manner that correlates personally 
        identifying information with a history of all or substantially 
        all of the Web sites visited by an owner or operator, other 
        than Web sites operated by the person providing such software, 
        if the computer software was installed in a manner designed to 
        conceal from all authorized users of the computer the fact that 
        the software is being installed and would perform such a 
        function.
            (3) Extracting from the hard drive or other storage medium 
        of the computer--
                    (A) the substantive contents of files, data, 
                software, or other information knowingly saved or 
                installed by the authorized user of a protected 
                computer, exclusive of data that provide a purely 
                technical function; or
                    (B) the substantive contents of communications sent 
                by a user of a protected computer from that computer to 
                any other computer.
    (c) Exception.--This section shall not be interpreted to restrict a 
person from causing the installation of software that collects 
information for the provider of an online service or website knowingly 
used or subscribed to by an authorized user if the information 
collected is used only to affect the user's experience while using the 
online service or website.
    (d) Uninstall Functionality.--
            (1) In general.--It is unlawful for a person who is not an 
        authorized user of a protected computer to cause the 
        installation of software that performs any function described 
        in subsection (a) or (b) if the software cannot subsequently be 
        uninstalled or disabled by an authorized user through a program 
        removal function that is usual and customary with the 
        computer's operating system or otherwise as clearly and 
        conspicuously disclosed to the user.
            (2) Construction.--
                    (A) Authority to uninstall.--Software that enables 
                an authorized user of a protected computer, such as a 
                parent, employer, or system administrator, to choose to 
                prevent another user of the same computer from 
                uninstalling or disabling the software shall not be 
                considered to prevent reasonable efforts to uninstall 
                or disable the software within the meaning of paragraph 
                (1) if at least 1 authorized user retains the ability 
                to uninstall or disable the software.
                    (B) Rule of construction.--This subsection shall 
                not be construed to require individual features or 
                functions of a software program, upgrades to a 
                previously installed software program, or software 
                programs that were installed on a bundled basis with 
                other software or with hardware to be capable of being 
                uninstalled or disabled separately from such software 
                or hardware.

SEC. 105. ADWARE THAT CONCEALS ITS OPERATION.

    (a) In General.--It is unlawful for a person who is not an 
authorized user of a protected computer to cause the installation on 
that computer of software that causes advertising windows to appear on 
the protected computer regardless of whether any other non-advertising-
related functionality of the software or of other software installed as 
part of bundle with such software is--
            (1) activated by the authorized user; or
            (2) conspicuously active on the protected computer unless 
        the software complies with subsection (b).
    (b) Label Required for Certain Advertisements.--Subsection (a) does 
not apply if--
            (1) the software displays to the user, each time the 
        software causes an advertisement to appear, a clear and 
        conspicuous label or other reasonable means of identifying to 
        the user of the computer the identity or name of the software 
        that caused the advertisement to appear;
            (2) the software was installed as part of a bundle of 
        software, the name of a program in such bundle that the 
        authorized user is likely to identify as the main component of 
        the software bundle; and
            (3) a clear and conspicuous hypertext link to instructions 
        concerning how the user may uninstall the software causing the 
        advertisement to appear through usual and customary means 
        within the computer's operating system.
    (c) Exception.--Software that causes advertisements to be displayed 
without a clear and conspicuous label or other reasonable means of 
identification shall not give rise to liability under subsection (a) if 
those advertisements are displayed to a user of the computer only when 
a user is accessing or using an Internet website or online service--
            (1) owned or operated by the author or publisher of the 
        software; or
            (2) the owner or operator of which has authorized the 
        author or publisher of the software to display such 
        advertisements to users of that website or service.

SEC. 106. LIMITATIONS ON LIABILITY.

    (a) In General.--The restrictions imposed by sections 103, 104, and 
105 of this title do not apply to any monitoring of, or interaction 
with, a subscriber's Internet or other network connection or service, 
or a protected computer, by or at the direction of a telecommunications 
carrier, cable operator, computer hardware or software provider, 
financial institution or provider of information services or 
interactive computer service for--
            (1) network or computer security purposes;
            (2) diagnostics;
            (3) technical support;
            (4) repair;
            (5) network management;
            (6) authorized updates of software or system firmware;
            (7) authorized remote system management;
            (8) authorized provision of protection for users of the 
        computer from objectionable content;
            (9) authorized scanning for computer software used in 
        violation of sections 103, 104, or 105 for removal by an 
        authorized user; or
            (10) detection or prevention of the unauthorized use of 
        software fraudulent or other illegal activities.
    (b) Manufacturer's Liability for Third-Party Software.--A 
manufacturer or retailer of a computer shall not be liable under any 
provision of this title for causing the installation on the computer, 
prior to the first retail sale and delivery of the computer, of third-
party branded software, unless the manufacturer or retailer--
            (1) uses the software to collect information about a user 
        of the computer or the use of a protected computer by that 
        user; or
            (2) knows that the software will cause advertisements for 
        the manufacturer or retailer to be displayed to a user of the 
        computer, or derives a direct financial benefit from other 
        advertisements displayed on the computer.
    (c) Exception for Authorized Investigative Agencies.--Nothing in 
this title prohibits any lawfully authorized investigative, protective, 
or intelligence activity of a law enforcement agency of the United 
States, a State, or a political subdivision of a State, or of an 
intelligence agency of the United States.
    (d) Services Provided Over MVPD Systems.--It is not a violation of 
this title for a multichannel video programming distributor (as defined 
in section 602(13) of the Communications Act of 1934 (47 U.S.C. 
522(13))) to utilize a navigation device, or interact with such a 
device, or to install or use software on such a device, in connection 
with the provision of multichannel video programming or other services 
offered over a multichannel video programming system or the collection 
or disclosure of subscriber information, if the provision of such 
service or the collection or disclosure of such information is subject 
to section 338(i) or section 631 of the Communications Act of 1934 (47 
U.S.C. 338(i); 551).

SEC. 107. FTC ADMINISTRATION AND ENFORCEMENT.

    (a) In General.--Except as provided in section 108, 109, and 110, 
this title shall be enforced by the Commission as if a violation of 
this title or of any regulation promulgated by the Commission under 
this title were an unfair or deceptive act or practice proscribed under 
section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).
    (b) Penalties.--
            (1) Treble fine.--The penalty for a violation of this title 
        or of any regulation promulgated by the Commission under this 
        title may be increased by the Commission to threefold the 
        amount of penalty otherwise applicable under section 5 of the 
        Federal Trade Commission Act (15 U.S.C. 45).
            (2) Penalty for Pattern or Practice of Violations.--
                    (A) In general.--If the Commission determines that 
                a person has engaged in a pattern or practice of 
                activity that violates the provisions of this title, 
                the Commission may, in its discretion, seek a civil 
                penalty for such pattern or practice of violations in 
                an amount, as determined by the Commission, of not more 
                than $3,000,000 for each such violation of this title.
                    (B) Treatment of single action or conduct.--For 
                purposes of subparagraph (A), any single action or 
                conduct that violates this title with respect to 
                multiple protected computers shall be treated as a 
                single violation.
    (c) Seizure and Forfeiture of Tainted Assets of Violator.--In an 
enforcement action brought for a violation of this title under section 
19(b) of the Federal Trade Commission Act (15 U.S.C. 57b(b)), the 
Commission may petition the court to order the seizure and forfeiture 
of any assets of the violator attributable to violation of this title.
    (d) Ill-Gotten Gains.--The Commission may require any person who 
violates this title to disgorge any ill-gotten gains procured through 
unfair or deceptive acts or practices in violation of this title and 
shall seize any such gains it has required to be disgorged.
    (e) Actions by the Commission.--
            (1) In general.--The Commission shall prevent any person 
        from violating this title in the same manner, by the same 
        means, and with the same jurisdiction, powers, and duties as 
        though all applicable terms and provisions of the Federal Trade 
        Commission Act (15 U.S.C. 41 et seq.) were incorporated into 
        and made a part of this title. Any entity that violates any 
        provision of this title is subject to the penalties and 
        entitled to the privileges and immunities provided in the 
        Federal Trade Commission Act in the same manner, by the same 
        means, and with the same jurisdiction, power, and duties as 
        though all applicable terms and provisions of the Federal Trade 
        Commission Act were incorporated into and made a part of this 
        title.
            (2) Other authority not affected.--Nothing in this title 
        shall be construed to limit or affect in any way the 
        Commission's authority to bring enforcement actions or take any 
        other measure under the Federal Trade Commission Act (15 U.S.C. 
        41 et seq.) or any other provision of law.

SEC. 108. ENFORCEMENT BY OTHER AGENCIES.

    (a) In General.--Compliance with this title shall be enforced 
exclusively under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks, and any subsidiaries 
                of such entities (except brokers, dealers, persons 
                providing insurance, investment companies, and 
                investment advisers), by the Office of the Comptroller 
                of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, organizations operating under section 25 
                or 25A of the Federal Reserve Act (12 U.S.C. 601 and 
                611), and bank holding companies and their nonbank 
                subsidiaries or affiliates (except brokers, dealers, 
                persons providing insurance, investment companies and 
                investment advisers), by the Board of Governors of the 
                Federal Reserve System;
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System), insured State branches of foreign banks, and 
                any subsidiaries of such entities (except brokers, 
                dealers, persons providing insurance, investment 
                companies and investment advisers), by the Board of 
                Directors of the Federal Deposit Insurance Corporation; 
                and
                    (D) savings associations the deposits of which are 
                insured by the Federal Deposit Insurance Corporation, 
                and any subsidiaries of such savings associations 
                (except brokers, dealers, persons providing insurance, 
                investment companies and investment advisers), by the 
                Director of the Office of Thrift Supervision;
            (2) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
        by the Board of the National Credit Union Administration Board 
        with respect to any Federal credit union and any subsidiaries 
        of such a credit union;
            (3) the Securities and Exchange Act of 1934 (15 U.S.C. 78a 
        et seq.) by the Securities and Exchange Commission with respect 
        to--
                    (A) a broker or dealer subject to that Act;
                    (B) an investment company subject to the Investment 
                Company Act of 1940 (15 U.S.C. 80a-1 et seq.); and
                    (C) an investment advisor subject to the Investment 
                Advisers Act of 1940 (15 U.S.C. 80b-1 et seq.);
            (4) the Communications Act of 1934 (47 U.S.C. 151 et seq.) 
        by the Federal Communications Commission with respect to any 
        person subject to the provisions of that Act;
            (5) part A of subtitle VII of title 49, United States Code, 
        by the Secretary of Transportation with respect to any air 
        carrier or foreign air carrier subject to that part; and
            (6) State insurance law, in the case of any person engaged 
        in providing insurance, by the applicable State insurance 
        authority of the State in which the person is domiciled.
    (b) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (a) of its powers under any Act 
referred to in that subsection, a violation of this title is deemed to 
be a violation of a requirement imposed under that Act. In addition to 
its powers under any provision of law specifically referred to in 
subsection (a), each of the agencies referred to in that subsection may 
exercise, for the purpose of enforcing compliance with any requirement 
imposed under this title, any other authority conferred on it by law.

SEC. 109. STATE ENFORCEMENT.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that is prohibited under this section, the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of that State in a district court of the United 
        States of appropriate jurisdiction, or any other court of 
        competent jurisdiction--
                    (A) to enjoin that practice;
                    (B) to enforce compliance with this title;
                    (C) to obtain damage, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) to obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of a State shall 
                provide to the Commission--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the attorney general of a State 
                        determines that it is not feasible to provide 
                        the notice described in that subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Commission at the same time as 
                        the attorney general files the action.
    (b) Intervention.--
            (1) In general.--On receiving notice under subsection 
        (a)(2), the Commission shall have the right to intervene in the 
        action that is the subject of the notice.
            (2) Effect of intervention.--If the Commission intervenes 
        in an action under subsection (a), it shall have the right--
                    (A) to be heard with respect to any matter that 
                arises in that action; and
                    (B) to file a petition for appeal.
    (c) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this title shall be construed to prevent an 
attorney general of a State from exercising the powers conferred on the 
attorney general by the laws of that State--
            (1) to conduct investigations;
            (2) to administer oaths or affirmations; or
            (3) to compel the attendance of witnesses or the production 
        of documentary and other evidence.
    (d) Action by the Commission May Preclude State Action.--In any 
case in which an action is instituted by or on behalf of the Commission 
for violation of this title, no State may, during the pendency of that 
action, institute an action under subsection (a) against any defendant 
named in the complaint in that action for violation of that section.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 110. OTHER ENFORCEMENT.

    (a) Additional Enforcement of Modem Hijacking Violations.--In the 
case of a violation of section 103(1)(B)(ii) that causes a 
telecommunications carrier to incur costs for the origination, 
transport, or termination of a call triggered using the modem of a 
customer of such telecommunications carrier as a result of such 
violation, the telecommunications carrier may bring a civil action 
against the violator--
            (1) to recover--
                    (A) the charges such carrier is obligated to pay to 
                another carrier or to an information service provider 
                as a result of the violation, including but not limited 
                to charges for the origination, transport, or 
                termination of the call;
                    (B) the costs of handling customer inquiries or 
                complaints with respect to amounts billed for such 
                calls; and
                    (C) other related costs and reasonable attorneys 
                fees; and
            (2) to obtain an order to enjoin the violation.
    (b) State Action Premised on a Violation of This Title.--No person 
may bring a civil action under the law of any State to the extent that 
such action is premised in whole or in part upon the defendant's 
violation of any provision of this title.

SEC. 111. EFFECT ON OTHER LAWS.

    (a) Federal Law.--Nothing in this title shall be construed to limit 
or affect in any way the Commission's authority to bring enforcement 
actions or take any other measures under the Federal Trade Commission 
Act or any other provision of law.
    (b) Preemption of State or Local Law.--This title supersedes any 
provision of a statute, regulation, or rule, and any requirement, 
prohibition, or remedy under the law of any State or political 
subdivision thereof that relates to, or confers a remedy for--
            (1) the installation or use of software to deliver 
        advertisements to a protected computer;
            (2) the installation or use of software to collect 
        information about a user of a protected computer or the user's 
        use of that computer;
            (3) the installation or use of software to allow a person 
        other than an authorized user of the computer to direct or 
        control a protected computer; or
            (4) the method or manner of uninstalling or disabling 
        software that performs any of the functions described in 
        paragraphs (1) through (3).
    (c) State Law Not Specific to Software.--This title shall not be 
construed to preempt actions or remedies based upon--
            (1) a State's generally applicable common law; or
            (2) any provision of generally applicable State consumer 
        protection law.

SEC. 112. DEFINITIONS.

    In this title:
            (1) Advertising window.--The term ``advertising window'' 
        means a window--
                    (A) that is displayed separately from other windows 
                displayed to the authorized user (at the time a 
                software program is activated) by any other active 
                program; and
                    (B) the content of which is entirely or in 
                substantial part related to advertising.
            (2) Authorized user.--The term ``authorized user'', when 
        used with respect to a computer, means the owner or lessee of a 
        computer, or someone using or accessing a computer with the 
        authorization of the owner or lessee.
            (3) Bundle.--With respect to software, the term ``bundle'' 
        means a set of executable software programs that are installed 
        together.
            (4) Cause the installation.--
                    (A) In general.--The term ``cause the 
                installation'' when used with respect to particular 
                software, means (with knowledge or conscious avoidance 
                of actual knowledge that software performs a function 
                described in section 103, 104, or 105)--
                            (i) knowingly to provide the technical 
                        means by which the software is installed; or
                            (ii) knowingly to pay or provide other 
                        consideration to, or knowingly to induce or 
                        authorize, another person to provide the 
                        technical means by which the software is 
                        installed.
                    (B) Exceptions.--The term ``cause the 
                installation'' does not include providing--
                            (i) the Internet connection, telephone 
                        connection, or other transmission or routing 
                        function through which software was delivered 
                        to a protected computer for installation;
                            (ii) the storage or hosting of software or 
                        of an Internet website through which the 
                        software was made available by a third party 
                        for installation to the protected computer; or
                            (iii) an information location tool, such as 
                        a directory, index, reference, pointer, or 
                        hypertext link, through which a user of a 
                        protected computer located software available 
                        for installation.
            (5) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (6) Cookie.--The term ``cookie'' means a text file--
                    (A) that is placed on a computer by, or on behalf 
                of, an Internet service provider, interactive computer 
                service, or Internet website; and
                    (B) the sole function of which is to record 
                information that can be read or recognized when the 
                user of the computer subsequently accesses particular 
                websites or online locations or services.
            (7) Damage.--The term ``damage'' has the meaning given that 
        term in section 1030(e)(8) of title 18, United States Code.
            (8) Install.--
                    (A) In general.--The term ``install'' means--
                            (i) to write computer software to a 
                        computer's persistent storage medium, such as 
                        the computer's hard disk, in such a way that 
                        the computer software is retained on the 
                        computer after the computer is turned off and 
                        subsequently restarted; or
                            (ii) to write computer software to a 
                        computer's temporary memory, such as random 
                        access memory, in such a way that the software 
                        is retained and continues to operate after the 
                        user of the computer turns off or exits the 
                        Internet service, interactive computer service, 
                        or Internet website from which the computer 
                        software was obtained.
                    (B) Exception for temporary cache.--The term 
                ``install'' does not include the writing of software to 
                an area of the persistent storage medium that is 
                expressly reserved for the temporary retention of 
                recently accessed or input data or information, if the 
                software retained in that area remains inoperative 
                unless a user of the computer chooses to access that 
                temporary retention area.
    (9) Loss.--The term ``loss'' has the meaning given that term in 
section 1030(e)(11) of title 18, United States Code.
            (10) Person.--The term ``person'' has the meaning given 
        that term in section 3(32) of the Communications Act of 1934 
        (47 U.S.C. 153(32)).
            (11) Protected computer.--The term ``protected computer'' 
        has the meaning given that term in section 1030(e)(2)(B) of 
        title 18, United States Code.
            (12) Personally identifying information.--The term 
        ``personally identifying information'' means, with respect to a 
        protected computer--
                    (A) the authorized user's last name, combined with 
                the user's first initial or first name;
                    (B) the authorized user's home address;
                    (C) the authorized user's telephone number; or
                    (D) or other information that is sufficient to 
                identify an authorized user by name.
            (13) Sensitive personal information.--The term ``sensitive 
        personal information'' means an individual's name, address, or 
        telephone number, when combined with that individual's--
                    (A) Social Security number, taxpayer identification 
                number, or an employer identification number that is 
                the same as or is derived from the Social Security 
                number;
                    (B) financial account number, or credit card or 
                debit card number, combined with any required security 
                code, access code, or password that would permit access 
                to such individual's account; or
                    (C) driver's license identification number or State 
                resident identification number.
            (14) Software.--The term ``software'' means any program 
        designed to cause a computer to perform a function or 
        functions, but does not include a cookie.
            (15) Unfair or deceptive act or practice.--The term 
        ``unfair or deceptive act or practice'' has the same meaning as 
        when used in section 5 of the Federal Trade Commission Act (15 
        U.S.C. 45).

SEC. 113. CRIMINAL PENALTIES FOR CERTAIN UNAUTHORIZED ACTIVITIES 
              RELATING TO COMPUTERS.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by inserting after section 1030 the following:
``Sec. 1030A. Illicit indirect use of protected computers
    ``(a) Furtherance of Criminal Offense.--Whoever intentionally 
accesses a protected computer without authorization, or exceeds 
authorized access to a protected computer, by causing a computer 
program or code to be copied onto the protected computer, and 
intentionally uses that program or code in furtherance of another 
Federal criminal offense shall be fined under this title or imprisoned 
not more than 5 years, or both.
    ``(b) Security Protection.--Whoever intentionally accesses a 
protected computer without authorization, or exceeds authorized access 
to a protected computer, by causing a computer program or code to be 
copied onto the protected computer, and by means of that program or 
code intentionally impairs the security protection of the protected 
computer shall be fined under this title or imprisoned not more than 2 
years, or both.
    ``(c) Individual Exemption.--A person shall not violate this 
section who solely provides--
            ``(1) an Internet connection, telephone connection, or 
        other transmission or routing function through which software 
        is delivered to a protected computer for installation;
            ``(2) the storage or hosting of software, or of an Internet 
        website, through which software is made available for 
        installation to a protected computer; or
            ``(3) an information location tool, such as a directory, 
        index, reference, pointer, or hypertext link, through which a 
        user of a protected computer locates software available for 
        installation.
    ``(d) Network Exemption.--A provider of a network or online service 
that an authorized user of a protected computer uses or subscribes to 
shall not violate this section by any monitoring or, interaction with, 
or installation of software for the purpose of--
            ``(1) protecting the security of the network, service, or 
        computer;
            ``(2) facilitating diagnostics, technical support, 
        maintenance, network management, or repair; or
            ``(3) preventing or detecting unauthorized, fraudulent, or 
        otherwise unlawful uses of the network or service.
    ``(e) Definitions.--In this section:
            ``(1) Computer; protected computer.--The terms `computer' 
        and `protected computer' have the meanings given such terms in 
        section 1030(e) of this title.
            ``(2) State.--The term `State' includes each of the several 
        States, the District of Columbia, Puerto Rico, and any other 
        territory or possession of the United States.''.
    (b) Conforming Amendment.--The table of sections at the beginning 
of chapter 47 of title 18, United States Code, is amended by inserting 
after the item relating to section 1030 the following new item:

``1030A. Illicit indirect use of protected computers.''.

SEC. 114. EFFECTIVE DATE.

    This title shall take effect 180 days after the date of enactment 
of this Act.

                TITLE II--INCREASE IN CERTAIN PENALTIES

SEC. 201. INCREASE IN PENALTIES FOR UNFAIR OR DECEPTIVE ACTS OR 
              PRACTICES EXPLOITING REACTION TO CERTAIN EMERGENCIES AND 
              MAJOR DISASTERS.

    (a) Violations of Prohibition Against Unfair or Deceptive Acts or 
Practices.--Section 5(m)(1) of the Federal Trade Commission Act (15 
U.S.C. 45(m)(1)) is amended by adding at the end the following:
    ``(D) In the case of a violation involving an unfair or deceptive 
act or practice in a national emergency period or disaster period, or 
relating to an international disaster, the amount of the civil penalty 
under this paragraph shall be double the amount otherwise provided in 
this paragraph, if the act or practice exploits popular reaction to the 
national emergency or major disaster that is the basis for such period, 
or to the international disaster.
    ``(E) In this paragraph:
            ``(i) The term `national emergency period' means the period 
        that--
                    ``(I) begins on the date the President declares a 
                national emergency under the National Emergencies Act 
                (50 U.S.C. 1601 et seq.); and
                    ``(II) ends on the expiration of the 1-year period 
                beginning on the date of the termination of the 
                national emergency.
            ``(ii) The term `disaster period' means the 1-year period 
        beginning on the date the President declares an emergency or 
        major disaster under the Robert T. Stafford Disaster Relief and 
        Emergency Assistance Act (42 U.S.C. 5121 et seq.).
            ``(iii) The term `international disaster' means any natural 
        or man-made disaster in response to which the President 
        furnishes assistance to any foreign country, international 
        organization, or private voluntary organization pursuant to 
        section 491 of the Foreign Assistance Act (22 U.S.C. 
        2292(b)).''.
    (b) Violations of Other Laws Enforced by the Federal Trade 
Commission.--Section 13 of the Federal Trade Commission Act (15 U.S.C. 
53) is amended by adding at the end the following:
    ``(e) National Emergency or Disaster Period.--
            ``(1) In general.--If a person, partnership, or corporation 
        is found, in an action under subsection (b), to have committed 
        a violation involving an unfair or deceptive act or practice in 
        a national emergency period or a disaster period, or relating 
        to an international disaster, and if the act or practice 
        exploits popular reaction to the national emergency or major 
        disaster that is the basis for such period, or to the 
        international disaster, the court, after awarding equitable 
        relief (if any) under any other authority of the court, shall 
        hold the person, partnership, or corporation liable for a civil 
        penalty of not more than $22,000 for each such violation.
            ``(2) Definitions.--In this subsection:
                    ``(A) National emergency period.--The term 
                `national emergency period' means the period that--
                            ``(i) begins on the date the President 
                        declares a national emergency under the 
                        National Emergencies Act (50 U.S.C. 1601 et 
                        seq.); and
                            ``(ii) ends on the expiration of the 1-year 
                        period beginning on the date of the termination 
                        of the national emergency.
                    ``(B) Disaster period.--The term `disaster period' 
                means the 1-year period beginning on the date the 
                President declares an emergency or major disaster under 
                the Robert T. Stafford Disaster Relief and Emergency 
                Assistance Act (42 U.S.C. 5121 et seq.).
                    ``(C) International disaster.--The term 
                `international disaster' means any natural or man-made 
                disaster in response to which the President furnishes 
                assistance to any foreign country, international 
                organization, or private voluntary organization 
                pursuant to section 491 of the Foreign Assistance Act 
                (22 U.S.C. 2292(b)).''.
                                                       Calendar No. 467

109th CONGRESS

  2d Session

                                 S. 687

                          [Report No. 109-262]

_______________________________________________________________________

                                 A BILL

  To regulate the unauthorized installation of computer software, to 
require clear disclosure to computer users of certain computer software 
    features that may pose a threat to user privacy, and for other 
                               purposes.

_______________________________________________________________________

                             June 12, 2006

                       Reported with an amendment