[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[S. 1625 Introduced in Senate (IS)]

  1st Session
                                S. 1625

To protect against the unauthorized installation of computer software, 
   to require clear disclosure to computer users of certain computer 
software features that may pose a threat to user privacy, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 14, 2007

    Mr. Pryor (for himself, Mr. Nelson of Florida, and Mrs. Boxer) 
introduced the following bill; which was read twice and referred to the 
           Committee on Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the "Counter Spy Act".
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Federal Trade Commission authority to combat deceptive acts or 
                            practices relating to spyware.
Sec. 3. Prohibited behaviors.
Sec. 4. Installing personal information collection features on a user's 
                            computer.
Sec. 5. Adware that conceals its operation.
Sec. 6. Limitations on liability.
Sec. 7. FTC administration and enforcement.
Sec. 8. Enforcement by other agencies.
Sec. 9. State enforcement.
Sec. 10. Other enforcement.
Sec. 11. Effect on other laws.
Sec. 12. Definitions.
Sec. 13. Criminal penalties for certain unauthorized activities 
                            relating to computers.
Sec. 14. Effective date.

SEC. 2. FEDERAL TRADE COMMISSION AUTHORITY TO COMBAT DECEPTIVE ACTS OR 
              PRACTICES RELATING TO SPYWARE.

    (a) In General.--It is a violation of section 5 of the Federal 
Trade Commission Act (15 U.S.C. 45) to install through unfair or 
deceptive acts or practices software on protected computers.
    (b) Rule of Construction.--This Act shall not be construed to limit 
in any way what is an unfair or deceptive act or practice under the 
Federal Trade Commission Act (15 U.S.C. 41 et seq.).

SEC. 3. PROHIBITED BEHAVIORS.

    It is unlawful for a person who is not an authorized user of a 
protected computer to cause the installation on that computer of 
software that--
            (1) takes control of the protected computer by--
                    (A) Zombies.--Transmitting or relaying commercial 
                electronic mail or a computer virus from a protected 
                computer if the transmission or relaying is initiated 
                by a person other than an authorized user and without 
                the authorization of an authorized user;
                    (B) Modem hijacking.--Accessing or using the modem 
                or Internet service of an authorized user of a 
                protected computer for the purpose of--
                            (i) causing damage to the protected 
                        computer; or
                            (ii) causing the authorized user to incur 
                        financial charges for a service that is not 
                        authorized by that authorized user;
                    (C) Denial of service attacks.--Using a protected 
                computer as part of an activity performed by a group of 
                computers for the purpose of causing damage, including 
                launching a denial of service attack; or
                    (D) Endless loop pop-up advertisements.--Opening 
                multiple, sequential, stand-alone advertisements in an 
                authorized user's protected computer without the 
                authorization of that user and with knowledge that a 
                reasonable computer user cannot close the 
                advertisements without turning off the computer or 
                forcing an application to close using means other than 
                the ordinary means for closing the application, except 
                that this subparagraph does not apply to 
                communications--
                            (i) originated by the computer's operating 
                        system;
                            (ii) originated by software that the user 
                        knowingly chooses to activate;
                            (iii) originated by a service provider that 
                        the user chooses to use; or
                            (iv) presented for any of the purposes 
                        described in section 6;
            (2) modifies--
                    (A) Enabling identity theft.--An authorized user's 
                security or other settings related to access to, or use 
                of, the Internet on a protected computer that protect 
                information about the authorized user for the purpose 
                of stealing the authorized user's sensitive personal 
                information; or
                    (B) Disabling security.--The security settings of a 
                protected computer for the purpose of causing damage to 
                that computer or another computer; or
                    (C) Browser settings.--Through unfair or deceptive 
                means--
                            (i) the page that appears when an 
                        authorized user launches an Internet browser or 
                        similar software program used to access and 
                        navigate the Internet;
                            (ii) the default provider or Web proxy the 
                        authorized user uses to access or search the 
                        Internet;
                            (iii) the authorized user's list of 
                        bookmarks used to access Web pages; or
                            (iv) the toolbars, buttons, and other 
                        functions on a user's Internet browser or 
                        software used to access and navigate the 
                        Internet;
            (3) prevents, without authorization from the authorized 
        user, that user's reasonable efforts to block the installation 
        of, to disable, or to uninstall software by unfair or deceptive 
        means, including--
                    (A) Falsifying option to decline installs.--
                Presenting the authorized user with an option to 
                decline installation of software with knowledge that, 
                when the option is selected by the authorized user, the 
                installation nevertheless proceeds; or
                    (B) Evading uninstalls by unfair or deceptive 
                means.--
                            (i) falsely representing that the software 
                        has been disabled;
                            (ii) requiring in an unfair or deceptive 
                        manner the user to access the Internet to 
                        remove the software with knowledge or reckless 
                        disregard of the fact that the software 
                        frequently operates in a manner that prevents 
                        the user from accessing the Internet;
                            (iii) changing the name, location or other 
                        designation information of the software for the 
                        purpose of preventing an authorized user from 
                        locating the software to remove it;
                            (iv) using randomized or intentionally 
                        deceptive filenames, directory folders, 
                        formats, or registry entries for the purpose of 
                        avoiding detection and removal of the software 
                        by an authorized user;
                            (v) causing the installation of software in 
                        a particular computer directory or computer 
                        memory for the purpose of evading authorized 
                        users' attempts to remove the software from the 
                        computer; or
                            (vi) requiring, without the authority of 
                        the owner of the computer, that an authorized 
                        user obtain a special code or download software 
                        from a third party to uninstall the software.

SEC. 4. INSTALLING PERSONAL INFORMATION COLLECTION FEATURES ON A USER'S 
              COMPUTER.

    (a) In General.--It is unlawful for a person who is not an 
authorized user of a protected computer to cause the installation on 
that computer of software that collects sensitive personal information 
from an authorized user, unless that person provides a clear and 
conspicuous disclosure of such collection and obtains the authorized 
user's consent prior to any such collection of information in any case 
in which the software extracts from the hard drive or other storage 
medium of the protected computer the authorized user's--
            (1) Social Security number;
            (2) tax identification number;
            (3) driver's license number;
            (4) passport number;
            (5) any other government-issued identification number;
            (6) financial account, credit card, or debit card numbers;
            (7) account balances, or overdraft history; or
            (8) other sensitive personal information.
    (b) Other Personally Identifying Information.--It is unlawful for a 
person who is not an authorized user of a protected computer to cause 
the installation on that computer of software that engages in any of 
the following practices without a prior disclosure that is clearly and 
conspicuously available to, or with the knowledge of, the authorized 
user, and for a purpose unrelated to any of the purposes of the 
software or service described to an authorized user:
            (1) The use of a keystroke-logging function that records 
        all or substantially all keystrokes made by an owner or 
        operator of a computer and transfers that information from the 
        computer to another person.
            (2) Collection in a manner that correlates personally 
        identifying information with a history of all or substantially 
        all of the Web sites visited by an owner or operator, other 
        than Web sites operated by the person providing such software.
            (3) Extracting from the hard drive or other storage medium 
        of the computer--
                    (A) the substantive contents of files, data, 
                software, or other information knowingly saved or 
                installed by the authorized user of a protected 
                computer, exclusive of data that provide a purely 
                technical function; or
                    (B) the substantive contents of communications sent 
                by a user of a protected computer from that computer to 
                any other computer.
    (c) Exception.--This section shall not be interpreted to restrict a 
person from causing the installation of software that collects 
information for the provider of an online service or website knowingly 
used or subscribed to by an authorized user if the information 
collected is used only to affect the user's experience while using the 
online service or website.
    (d) Uninstall Functionality.--
            (1) In general.--It is unlawful for a person who is not an 
        authorized user of a protected computer to cause the 
        installation of software that performs any function described 
        in subsection (a) or (b) if the software cannot subsequently be 
        uninstalled or disabled by an authorized user through a program 
        removal function that is usual and customary with the 
        computer's operating system or otherwise as clearly and 
        conspicuously disclosed to the user.
            (2) Construction.--
                    (A) Authority to uninstall.--Software that enables 
                an authorized user of a protected computer, such as a 
                parent, employer, or system administrator, to choose to 
                prevent another user of the same computer from 
                uninstalling or disabling the software shall not be 
                considered to prevent reasonable efforts to uninstall 
                or disable the software within the meaning of paragraph 
                (1) if at least 1 authorized user retains the ability 
                to uninstall or disable the software.
                    (B) Rule of construction.--This subsection shall 
                not be construed to require individual features or 
                functions of a software program, upgrades to a 
                previously installed software program, or software 
                programs that were installed on a bundled basis with 
                other software or with hardware to be capable of being 
                uninstalled or disabled separately from such software 
                or hardware.

SEC. 5. ADWARE THAT CONCEALS ITS OPERATION.

    (a) In General.--It is unlawful for a person who is not an 
authorized user of a protected computer to cause the installation on 
that computer of software that causes advertising windows to appear on 
the protected computer regardless of whether any other non-advertising-
related functionality of the software or of other software installed as 
part of a bundle with such software is--
            (1) activated by the authorized user; or
            (2) conspicuously active on the protected computer unless 
        the software complies with subsection (b).
    (b) Label Required for Certain Advertisements.--Subsection (a) does 
not apply if--
            (1) the software displays to the user, each time the 
        software causes an advertisement to appear, a clear and 
        conspicuous label or other reasonable means of identifying to 
        the user of the computer the identity or name of the software 
        that caused the advertisement to appear;
            (2) the software was installed as part of a bundle of 
        software, and the software displays to the user the name of a 
        program in such bundle that the authorized user is likely to 
        identify as the main component of the software bundle; and
            (3) a clear and conspicuous hypertext link to instructions 
        concerning how the user may uninstall the software causing the 
        advertisement to appear through usual and customary means 
        within the computer's operating system.
    (c) Exception.--Software that causes advertisements to be displayed 
without a clear and conspicuous label or other reasonable means of 
identification shall not give rise to liability under subsection (a) if 
those advertisements are displayed to a user of the computer only when 
a user is accessing or using an Internet website or online service--
            (1) owned or operated by the author or publisher of the 
        software; or
            (2) the owner or operator of which has authorized the 
        author or publisher of the software to display such 
        advertisements to users of that website or service.

SEC. 6. LIMITATIONS ON LIABILITY.

    (a) In General.--The restrictions imposed by section 3, 4, and 5 of 
this Act do not apply to any monitoring of, or interaction with, a 
subscriber's Internet or other network connection or service, or a 
protected computer, by or at the direction of a telecommunications 
carrier, cable operator, computer hardware or software provider, 
financial institution or provider of information services or 
interactive computer service for--
            (1) network or computer security purposes;
            (2) diagnostics;
            (3) technical support;
            (4) repair;
            (5) network management;
            (6) authorized updates of software or system firmware;
            (7) authorized remote system management;
            (8) authorized provision of protection for users of the 
        computer from objectionable content;
            (9) authorized scanning for computer software used in 
        violation of sections 3, 4, or 5 for removal by an authorized 
        user; or
            (10) detection or prevention of the unauthorized use of 
        software fraudulent or other illegal activities.
    (b) Manufacturer's Liability for Third-Party Software.--A 
manufacturer or retailer of a computer shall not be liable under any 
provision of this Act for causing the installation on the computer, 
prior to the first retail sale and delivery of the computer, of third-
party branded software, unless the manufacturer or retailer--
            (1) uses the software to collect information about a user 
        of the computer or the use of a protected computer by that 
        user; or
            (2) knows that the software will cause advertisements for 
        the manufacturer or retailer to be displayed to a user of the 
        computer, or derives a financial benefit from other 
        advertisements displayed on the computer.
    (c) Exception for Authorized Investigative Agencies.--Nothing in 
this Act prohibits any lawfully authorized investigative, protective, 
or intelligence activity of a law enforcement agency of the United 
States, a State, or a political subdivision of a State, or of an 
intelligence agency of the United States.
    (d) Services Provided Over MVPD Systems.--It is not a violation of 
this Act for a multichannel video programming distributor (as defined 
in section 602(13) of the Communications Act of 1934 (47 U.S.C. 
522(13))) to utilize a navigation device, or interact with such a 
device, or to install or use software on such a device, in connection 
with the provision of multichannel video programming or other services 
offered over a multichannel video programming system or the collection 
or disclosure of subscriber information, if the provision of such 
service or the collection or disclosure of such information is subject 
to section 338(i) or section 631 of the Communications Act of 1934 (47 
U.S.C. 338(i); 551).

SEC. 7. FTC ADMINISTRATION AND ENFORCEMENT.

    (a) In General.--Except as provided in sections 8, 9, and 10, this 
Act shall be enforced by the Commission as if a violation of this Act 
or of any regulation promulgated by the Commission under this Act were 
an unfair or deceptive act or practice proscribed under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).
    (b) Penalties.--
            (1) Treble fine.--The penalty for a violation of this Act 
        or of any regulation promulgated by the Commission under this 
        Act may be increased by the Commission to threefold the amount 
        of penalty otherwise applicable under section 5 of the Federal 
        Trade Commission Act (15 U.S.C. 45).
            (2) Penalty for pattern or practice of violations.--
                    (A) In general.--If the Commission determines that 
                a person has engaged in a pattern or practice of 
                activity that violates the provisions of this Act, the 
                Commission may, in its discretion, seek a civil penalty 
                for such pattern or practice of violations in an 
                amount, as determined by the Commission, of not more 
                than $3,000,000 for each such violation of this Act.
                    (B) Treatment of single action or conduct.--For 
                purposes of subparagraph (A), any single action or 
                conduct that violates this Act with respect to multiple 
                protected computers shall be treated as a single 
                violation.
    (c) Seizure and Forfeiture of Tainted Assets of Violator.--In an 
enforcement action brought for a violation of this Act under section 
19(b) of the Federal Trade Commission Act (15 U.S.C. 57b(b)), the 
Commission may petition the court to order the seizure and forfeiture 
of any assets of the violator attributable to violation of this Act.
    (d) Ill-Gotten Gains.--The Commission may require any person who 
violates this Act to disgorge any ill-gotten gains procured through 
unfair or deceptive acts or practices in violation of this Act and 
shall seize any such gains it has required to be disgorged.
    (e) Actions by the Commission.--
            (1) In general.--The Commission shall prevent any person 
        from violating this Act in the same manner, by the same means, 
        and with the same jurisdiction, powers, and duties as though 
        all applicable terms and provisions of the Federal Trade 
        Commission Act (15 U.S.C. 41 et seq.) were incorporated into 
        and made a part of this Act. Any entity that violates any 
        provision of this Act is subject to the penalties and entitled 
        to the privileges and immunities provided in the Federal Trade 
        Commission Act in the same manner, by the same means, and with 
        the same jurisdiction, power, and duties as though all 
        applicable terms and provisions of the Federal Trade Commission 
        Act were incorporated into and made a part of this Act.
            (2) Other authority not affected.--Nothing in this Act 
        shall be construed to limit or affect in any way the 
        Commission's authority to bring enforcement actions or take any 
        other measure under the Federal Trade Commission Act (15 U.S.C. 
        41 et seq.) or any other provision of law.

SEC. 8. ENFORCEMENT BY OTHER AGENCIES.

    (a) In General.--Compliance with this Act shall be enforced 
exclusively under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks, and any subsidiaries 
                of such entities (except brokers, dealers, persons 
                providing insurance, investment companies, and 
                investment advisers), by the Office of the Comptroller 
                of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, organizations operating under section 25 
                or 25A of the Federal Reserve Act (12 U.S.C. 601 and 
                611), and bank holding companies and their nonbank 
                subsidiaries or affiliates (except brokers, dealers, 
                persons providing insurance, investment companies and 
                investment advisers), by the Board of Governors of the 
                Federal Reserve System;
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System), insured State branches of foreign banks, and 
                any subsidiaries of such entities (except brokers, 
                dealers, persons providing insurance, investment 
                companies and investment advisers), by the Board of 
                Directors of the Federal Deposit Insurance Corporation; 
                and
                    (D) savings associations the deposits of which are 
                insured by the Federal Deposit Insurance Corporation, 
                and any subsidiaries of such savings associations 
                (except brokers, dealers, persons providing insurance, 
                investment companies and investment advisers), by the 
                Director of the Office of Thrift Supervision;
            (2) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
        by the Board of the National Credit Union Administration Board 
        with respect to any Federal credit union and any subsidiaries 
        of such a credit union;
            (3) the Securities and Exchange Act of 1934 (15 U.S.C. 78a 
        et seq.) by the Securities and Exchange Commission with respect 
        to--
                    (A) a broker or dealer subject to that Act;
                    (B) an investment company subject to the Investment 
                Company Act of 1940 (15 U.S.C. 80a-1 et seq.); and
                    (C) an investment advisor subject to the Investment 
                Advisers Act of 1940 (15 U.S.C. 80b-1 et seq.);
            (4) the Communications Act of 1934 (47 U.S.C. 151 et seq.) 
        by the Federal Communications Commission with respect to any 
        person subject to the provisions of that Act;
            (5) part A of subtitle VII of title 49, United States Code, 
        by the Secretary of Transportation with respect to any air 
        carrier or foreign air carrier subject to that part; and
            (6) State insurance law, in the case of any person engaged 
        in providing insurance, by the applicable State insurance 
        authority of the State in which the person is domiciled.
    (b) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (a) of its powers under any Act 
referred to in that subsection, a violation of this Act is deemed to be 
a violation of a requirement imposed under that Act. In addition to its 
powers under any provision of law specifically referred to in 
subsection (a), each of the agencies referred to in that subsection may 
exercise, for the purpose of enforcing compliance with any requirement 
imposed under this Act, any other authority conferred on it by law.

SEC. 9. STATE ENFORCEMENT.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that is prohibited under this section, the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of that State in a district court of the United 
        States of appropriate jurisdiction, or any other court of 
        competent jurisdiction--
                    (A) to enjoin that practice;
                    (B) to enforce compliance with this Act;
                    (C) to obtain damage, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) to obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of a State shall 
                provide to the Commission--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the attorney general of a State 
                        determines that it is not feasible to provide 
                        the notice described in that subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Commission at the same time as 
                        the attorney general files the action.
    (b) Intervention.--
            (1) In general.--On receiving notice under subsection 
        (a)(2), the Commission shall have the right to intervene in the 
        action that is the subject of the notice.
            (2) Effect of intervention.--If the Commission intervenes 
        in an action under subsection (a), it shall have the right--
                    (A) to be heard with respect to any matter that 
                arises in that action; and
                    (B) to file a petition for appeal.
    (c) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this Act shall be construed to prevent an 
attorney general of a State from exercising the powers conferred on the 
attorney general by the laws of that State--
            (1) to conduct investigations;
            (2) to administer oaths or affirmations; or
            (3) to compel the attendance of witnesses or the production 
        of documentary and other evidence.
    (d) Action by the Commission May Preclude State Action.--In any 
case in which an action is instituted by or on behalf of the Commission 
for violation of this Act, no State may, during the pendency of that 
action, institute an action under subsection (a) against any defendant 
named in the complaint in that action for violation of that section.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 10. OTHER ENFORCEMENT.

    In the case of a violation of section 3(1)(B)(ii) that causes a 
telecommunications carrier to incur costs for the origination, 
transport, or termination of a call triggered using the modem of a 
customer of such telecommunications carrier as a result of such 
violation, the telecommunications carrier may bring a civil action 
against the violator--
            (1) to recover--
                    (A) the charges such carrier is obligated to pay to 
                another carrier or to an information service provider 
                as a result of the violation, including but not limited 
                to charges for the origination, transport, or 
                termination of the call;
                    (B) the costs of handling customer inquiries or 
                complaints with respect to amounts billed for such 
                calls; and
                    (C) other related costs and reasonable attorneys 
                fees; and
            (2) to obtain an order to enjoin the violation.

SEC. 11. EFFECT ON OTHER LAWS.

    (a) Federal Law.--Nothing in this Act shall be construed to limit 
or affect in any way the Commission's authority to bring enforcement 
actions or take any other measures under the Federal Trade Commission 
Act or any other provision of law.
    (b) Preemption of State or Local Law.--Except as provided in 
subsection (c), this Act supersedes any provision of a statute, 
regulation, or rule, and any requirement, prohibition, or remedy under 
the law of any State or political subdivision thereof that relates to, 
or confers a remedy for--
            (1) the installation or use of software to deliver 
        advertisements to a protected computer;
            (2) the installation or use of software to collect 
        information about a user of a protected computer or the user's 
        use of that computer;
            (3) the installation or use of software to allow a person 
        other than an authorized user of the computer to direct or 
        control a protected computer; or
            (4) the method or manner of uninstalling or disabling 
        software that performs any of the functions described in 
        paragraphs (1) through (3).
    (c) State Law Not Specific to Software.--This Act shall not be 
construed to preempt actions or remedies based upon--
            (1) a State's generally applicable common law; or
            (2) any provision of generally applicable State consumer 
        protection law.

SEC. 12. DEFINITIONS.

    In this Act:
            (1) Advertising window.--The term ``advertising window'' 
        means a window--
                    (A) that is displayed separately from other windows 
                displayed to the authorized user (at the time a 
                software program is activated) by any other active 
                program; and
                    (B) the content of which is entirely or in 
                substantial part related to advertising.
            (2) Authorized user.--The term ``authorized user'', when 
        used with respect to a computer, means the owner or lessee of a 
        computer, or someone using or accessing a computer with the 
        authorization of the owner or lessee.
            (3) Bundle.--With respect to software, the term ``bundle'' 
        means a set of executable software programs that are installed 
        together.
            (4) Cause the installation.--
                    (A) In general.--The term ``cause the 
                installation'' when used with respect to particular 
                software, means (with knowledge or conscious avoidance 
                of actual knowledge that software performs a function 
                described in section 3, 4, or 5)--
                            (i) knowingly to provide the technical 
                        means by which the software is installed; or
                            (ii) knowingly to pay or provide other 
                        consideration to, or knowingly to induce or 
                        authorize, another person to provide the 
                        technical means by which the software is 
                        installed.
                    (B) Exceptions.--The term ``cause the 
                installation'' does not include providing--
                            (i) the Internet connection, telephone 
                        connection, or other transmission or routing 
                        function through which software was delivered 
                        to a protected computer for installation;
                            (ii) the storage or hosting of software or 
                        of an Internet website through which the 
                        software was made available by a third party 
                        for installation to the protected computer; or
                            (iii) an information location tool, such as 
                        a directory, index, reference, pointer, or 
                        hypertext link, through which a user of a 
                        protected computer located software available 
                        for installation.
            (5) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (6) Cookie.--The term ``cookie'' means a text file--
                    (A) that is placed on a computer by, or on behalf 
                of, an Internet service provider, interactive computer 
                service, or Internet website; and
                    (B) the sole function of which is to record 
                information that can be read or recognized when the 
                user of the computer subsequently accesses particular 
                websites or online locations or services.
            (7) Damage.--The term ``damage'' has the meaning given that 
        term in section 1030(e)(8) of title 18, United States Code.
            (8) Install.--
                    (A) In general.--The term ``install'' means--
                            (i) to write computer software to a 
                        computer's persistent storage medium, such as 
                        the computer's hard disk, in such a way that 
                        the computer software is retained on the 
                        computer after the computer is turned off and 
                        subsequently restarted; or
                            (ii) to write computer software to a 
                        computer's temporary memory, such as random 
                        access memory, in such a way that the software 
                        is retained and continues to operate after the 
                        user of the computer turns off or exits the 
                        Internet service, interactive computer service, 
                        or Internet website from which the computer 
                        software was obtained.
                    (B) Exception for temporary cache.--The term 
                ``install'' does not include the writing of software to 
                an area of the persistent storage medium that is 
                expressly reserved for the temporary retention of 
                recently accessed or input data or information, if the 
                software retained in that area remains inoperative 
                unless a user of the computer chooses to access that 
                temporary retention area.
            (9) Loss.--The term ``loss'' has the meaning given that 
        term in section 1030(e)(11) of title 18, United States Code.
            (10) Person.--The term ``person'' has the meaning given 
        that term in section 3(32) of the Communications Act of 1934 
        (47 U.S.C. 153(32)).
            (11) Protected computer.--The term ``protected computer'' 
        has the meaning given that term in section 1030(e)(2)(B) of 
        title 18, United States Code.
            (12) Personally identifying information.--The term 
        ``personally identifying information'' means, with respect to a 
        protected computer--
                    (A) the authorized user's last name, combined with 
                the user's first initial or first name;
                    (B) the authorized user's home address;
                    (C) the authorized user's telephone number; or
                    (D) or other information that is sufficient to 
                identify an authorized user by name.
            (13) Sensitive personal information.--The term ``sensitive 
        personal information'' means an individ