[Congressional Record Volume 150, Number 22 (Thursday, February 26, 2004)]
[Senate]
[Pages S1684-S1688]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. BURNS (for himself, Mr. Wyden, and Mrs. Boxer):
  S. 2131. A bill to regulate the unauthorized installation of computer 
software, to require clear disclosure to computer users of certain 
computer software features that may pose a threat to user privacy, and 
for other purposes; to the Committee on Commerce, Science, and 
Transportation.
  Mr. WYDEN. Mr. President, my good friend Senator Burns and I have 
pioneered a number of legislative efforts aimed at protecting ordinary 
computer users from the tricks and schemes of those who would abuse the 
open and interconnected nature of the Internet. From online privacy to 
spam, we have sought to establish some basic, commonsense rules to 
address sleazy, intrusive, and anti-consumer practices that have arisen 
in the new world of the Internet. In each case, our goal has not been 
to stifle or restrict legitimate and innovative modes of e-commerce, 
but rather to promote them by reining in unfair and annoying behavior 
that undermines consumer confidence and use of the Internet.
  Today, we continue on that path by introducing the ``SPY BLOCK'' Act, 
together with our colleague Senator Boxer.
  This legislation will put the brakes on the growing problem of 
software being installed secretly on people's computers, for purposes 
they might object to if given the chance. Sometimes, the problem is a 
``drive-by download,'' where the consumer's mere visit to a website or 
decision to click on an advertisement secretly triggers the downloading 
of software onto the consumer's machine. Or, it can be a ``double 
whammy download,'' where the consumer's voluntary download of one 
software program also triggers the inadvertent download of a second 
software program which, although it may serve a very different purpose, 
has been bundled together with the first one.
  Once installed, the unwanted software operates in the background, 
performing functions that ordinary computer users cannot detect. As a 
result, the computer user may never even know the software is there, 
let alone what it is doing. And to add insult to injury, software that 
spreads in this fashion often is designed to be nearly impossible to 
uninstall.
  What might such software do, once it is installed? The legislation we 
are introducing today identifies several possible functions that pose 
concerns. First, some software, often referred to as ``spyware,'' 
collects information about the computer user and transmits that 
information over the Internet to the spyware's author. Second, software 
sometimes referred to as ``adware'' causes pop-up ads to appear on the 
user's computer, perhaps based on the user's apparent interests or on 
the websites he or she visits. Third, some software essentially hijacks 
the computer's processing and communications capability to forward 
spam, viruses, or other messages, all without the user's knowledge. 
Finally, some software changes user settings--for example, overriding 
the user's intended choice of homepage.
  If a computer user truly understands what the software is going to do 
and knowingly consents to it, that's fine. The issue really comes down 
to user knowledge and control. Too often, software like this allows a 
third party to wrest control of some of the computer's functions and 
commandeer

[[Page S1685]]

them for the third party's own purposes. The software is essentially a 
parasite--it attaches itself without consent to the host computer and 
taps into the host's resources, making use of them for its own selfish 
purposes. Our bill would make such unauthorized practices clearly 
unlawful.
  How common is all this? There is little hard data, but one report 
last year estimated that 20 million people have downloaded software 
that serves them targeted advertising. I have to suspect that many of 
these downloads did not involve informed consent. It has also been 
widely reported that many of the most popular peer-to-peer file sharing 
software programs come packaged with other software that is not clearly 
disclosed to the user. So the number of affected users is likely very 
high.
  The bill we are introducing today would, for the first time, 
establish a clear legal principle that you cannot cause software to be 
installed on somebody else's computer without that person's knowledge 
and consent. This general notice and consent requirement could be 
satisfied by something as simple as an on-screen dialogue box telling 
the user that clicking ``ok'' will trigger the download of, say, a 
particular game program. In addition, the bill says that software must 
be capable of being uninstalled without resorting to extraordinary and 
highly technical procedures.
  Beyond these general requirements, the legislation calls for certain 
types of software features--those performing the four functions I 
discussed a moment ago--to be specifically and separately brought to 
the user's attention prior to installation. For example, if a software 
program has a spyware feature designed to collect and transmit 
information about the user, the user would need to be provided with 
sufficient notice based on criteria set forth in the bill. That notice 
would need to explain the types of information that would be collected 
and the purposes for which the information would be used. Following 
this notice, the user would have the option of granting or withholding 
consent. In the absence of such notice and consent, it would be 
unlawful to download the software onto the user's computer, or 
subsequently to use the software to gather information about that user.
  The bill contains some exceptions, for example, for pre-installed 
software and software features that are necessary to make basic 
features like e-mail or Internet browsing function properly. 
Enforcement under the bill would be by the Federal Trade Commission and 
state Attorneys General.
  I recognize that the bill we introduce today may benefit from further 
attention and input on the particular wording of the definitions, on 
the types of software or software features that should be listed in the 
exceptions, and so forth. Senator Burns, Senator Boxer, and I are open 
to further discussion about fine tuning the scope of the bill, so that 
we don't create a regime that ends up being impractical or imposing 
undue burdens on legitimate and useful software. This is the starting 
point, not the end point.
  It is important, however, to get this process moving. I believe it's 
time to send a clear message that unauthorized and privacy-compromising 
spyware, adware, and other software are unlawful and punishable. I urge 
my colleagues to join Senators Burns, Boxer, and myself in supporting 
this bill.
  Mr. BURNS. Mr. President, I rise in support of a measure that I 
introduce today, with the support of my colleague, Senator Wyden. We 
worked closely on the CAN SPAM bill together, and after four years of 
effort finally saw its successful passage last year. I am pleased to 
work with Senator Wyden again on another critical issue which is 
potentially of even greater concern than junk email given its invasive 
nature--that of spyware. I also appreciate the support of another of my 
colleagues on the Senate Commerce Committee, Senator Boxer. Together, 
we have crafted legislation aimed at ending the insidious operation of 
spyware, the SPYBLOCK Act of 2004. By introducing this legislation 
today, we take the first step in giving consumers the control to stop 
this deceitful practice.
  Spyware refers to software that is downloaded onto users' computers 
without their knowledge or consent. This sneaky software is then often 
used to track the movements of consumers online or even to steal 
passwords. The porous gaps spyware creates in a computer's security may 
be difficult to close. For example, one popular peer-to-peer file 
sharing network routinely installs spyware to track users' information 
and retrieves targeted banner ads and popups. As noted by a recent 
article in PC Magazine these file-sharing networks may be free, but at 
the cost of privacy, not money. Of the 60 million users, few know they 
are being watched. Of those who do discover spyware, uninstalling it 
may prove more difficult than other software programs. Some spyware 
includes tricklers, which reinstall the files as you delete them. Users 
may think they are getting rid of the problem, but the reality of the 
situation is far different.
  The creators of spyware have engineered the technology so that once 
it is installed on a computer, it is difficult and sometimes impossible 
to remove and in some cases requires the entire hard drive to be erased 
to get rid of this poisonous product. Such drastic measures must be 
taken, because often spyware tells the installer what websites a user 
visits, steals passwords or other sensitive documents on a personal 
computer, and also redirects Internet traffic through certain web 
sites.
  One of the most disturbing aspects about the spyware problem is that 
so few consumers are even aware of it. Bearing this factor in mind, the 
SPYBLOCK bill relies on a commonsense approach which prohibits the 
installation of software on consumers' computers without notice, 
consent and reasonable ``uninstall'' procedures.
  The notice and consent approach which SPYBLOCK takes would end the 
practice of so-called ``drive-by downloads'' which some bad actors use 
to secretly download programs onto users' computers without their 
knowledge. Under SPYBLOCK, software providers must give consumers clear 
and conspicuous notice that a software program will be downloaded to 
their computers and requires user consent. This simple provision could 
be fulfilled by clicking ``yes'' on a dialog box, for example.
  SPYBLOCK also requires notice and consent for other types of 
software. In the case of ``Adware,'' providers are required to tell 
consumers what types of ads will pop up on users' screens and with what 
frequency. Consent is required for software that modifies user settings 
or uses ``distributed computing'' methods to utilize the processing 
power of individual computers to create larger networks. Finally, 
software providers must allow for their programs to be easily 
``uninstalled'' by users after they are downloaded. As with the CAN-
SPAM law, enforcement authority would be given to the Federal Trade 
Commission. States attorneys general could take action against the 
purveyors of spyware.
  Clearly, it is time to call the bad actors to account. It is 
impossible to understand how any of the individuals or companies using 
spyware believe tracking Internet usage, stealing passwords, and 
hijacking the processors of someone else's computer, all without their 
knowledge, is justifiable.
  Working closely with my colleagues Senator Wyden and Senator Boxer, I 
am confident we can make major progress on this critical legislation, 
before spyware infects a critical mass of computers and renders them 
useless. Just trying to keep up with the latest anti-spyware software 
poses a tremendous cost to businesses, let alone individuals who have 
to spend their time online worried about the next spyware infestation. 
Again, I would like to thank Senators Wyden and Boxer for their hard 
work on this vital issue, and I urge my colleagues to support this 
measure. I ask unanimous consent that the text of the bill be printed 
in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 2131

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Controlling Invasive and 
     Unauthorized Software Act''.

     SEC. 2. UNAUTHORIZED INSTALLATION OF COMPUTER SOFTWARE.

       (a) Notice, Choice, and Uninstall Procedures.--It is 
     unlawful for any person who is

[[Page S1686]]

     not the user of a protected computer to install computer 
     software on that computer, or to authorize, permit, or cause 
     the installation of computer software on that computer, 
     unless--
       (1) the user of the computer has received notice that 
     satisfies the requirements of section 3;
       (2) the user of the computer has granted consent that 
     satisfies the requirements of section 3; and
       (3) the computer software's uninstall procedures satisfy 
     the requirements of section 3.
       (b) Red Herring Prohibition.--It is unlawful for any person 
     who is not the user of a protected computer to install 
     computer software on that computer, or to authorize, permit, 
     or cause the installation of computer software on that 
     computer, if the design or operation of the computer software 
     is intended, or may reasonably be expected, to confuse or 
     mislead the user of the computer concerning the identity of 
     the person or service responsible for the functions performed 
     or content displayed by such computer software.

     SEC. 3. NOTICE, CONSENT, AND UNINSTALL REQUIREMENTS.

       (a) Notice.--For purposes of section 2(a)(1), notice to the 
     user of a computer shall--
       (1) include a clear notification, displayed on the screen 
     until the user either grants or denies consent to 
     installation, of the name and general nature of the computer 
     software that will be installed if the user grants consent; 
     and
       (2) include a separate disclosure, with respect to each 
     information collection, advertising, distributed computing, 
     and settings modification feature contained in the computer 
     software, that--
       (A) remains displayed on the screen until the user either 
     grants or denies consent to that feature;
       (B) in the case of an information collection feature, 
     provides a clear description of--
       (i) the type of personal or network information to be 
     collected and transmitted by the computer software; and
       (ii) the purpose for which the personal or network 
     information is to be collected, transmitted, and used;
       (C) in the case of an advertising feature, provides--
       (i) a representative full-size example of each type of 
     advertisement that may be delivered by the computer software;
       (ii) a clear description of the estimated frequency with 
     which each type of advertisement may be delivered; and
       (iii) a clear description of how the user can distinguish 
     each type of advertisement that the computer software 
     delivers from advertisements generated by other software, 
     Internet website operators, or services;
       (D) in the case of a distributed computing feature, 
     provides a clear description of--
       (i) the types of information or messages the computer 
     software will cause the computer to transmit;
       (ii) the estimated frequency with which the computer 
     software will cause the computer to transmit such messages or 
     information;
       (iii) the estimated volume of such information or messages, 
     and the likely impact, if any, on the processing or 
     communications capacity of the user's computer; and
       (iv) the nature, volume, and likely impact on the 
     computer's processing capacity of any computational or 
     processing tasks the computer software will cause the 
     computer to perform in order to generate the information or 
     messages the computer software will cause the computer to 
     transmit;
       (E) in the case of a settings modification feature, 
     provides a clear description of the nature of the 
     modification, its function, and any collateral effects the 
     modification may produce; and
       (F) provides a clear description of procedures the user may 
     follow to turn off such feature or uninstall the computer 
     software.
       (b) Consent.--For purposes of section 2(a)(2), consent 
     requires--
       (1) consent by the user of the computer to the installation 
     of the computer software; and
       (2) separate affirmative consent by the user of the 
     computer to each information collection feature, advertising 
     feature, distributed computing feature, and settings 
     modification feature contained in the computer software.
       (c) Uninstall Procedures.--For purposes of section 2(a)(3), 
     computer software shall--
       (1) appear in the ``Add/Remove Programs'' menu or any 
     similar feature, if any, provided by each operating system 
     with which the computer software functions;
       (2) be capable of being removed completely using the normal 
     procedures provided by each operating system with which the 
     computer software functions for removing computer software; 
     and
       (3) in the case of computer software with an advertising 
     feature, include an easily identifiable link clearly 
     associated with each advertisement that the software causes 
     to be displayed, such that selection of the link by the user 
     of the computer generates an on-screen window that informs 
     the user about how to turn off the advertising feature or 
     uninstall the computer software.

     SEC. 4. UNAUTHORIZED USE OF CERTAIN COMPUTER SOFTWARE.

       It is unlawful for any person who is not the user of a 
     protected computer to use an information collection, 
     advertising, distributed computing, or settings modification 
     feature of computer software installed on that computer, if--
       (1) the computer software was installed in violation of 
     section 2;
       (2) the use in question falls outside the scope of what was 
     described to the user of the computer in the notice provided 
     pursuant to section 3(a); or
       (3) in the case of an information collection feature, the 
     person using the feature fails to establish and maintain 
     reasonable procedures to protect the security and integrity 
     of personal information so collected.

     SEC. 5. EXCEPTIONS.

       (a) Preinstalled Software.--A person who installs, or 
     authorizes, permits, or causes the installation of, computer 
     software on a protected computer before the first retail sale 
     of the computer shall be deemed to be in compliance with this 
     Act if the user of the computer receives notice that would 
     satisfy section 3(a)(2) and grants consent that would satisfy 
     section 3(b)(2) prior to--
       (1) the initial collection of personal or network 
     information, in the case of any information collection 
     feature contained in the computer software;
       (2) the initial generation of an advertisement on the 
     computer, in the case of any advertising feature contained in 
     the computer software;
       (3) the initial transmission of information or messages, in 
     the case of any distributed computing feature contained in 
     the computer software; and
       (4) the initial modification of user settings, in the case 
     of any settings modification feature.
       (b) Other Exceptions.--Sections 3(a)(2), 3(b)(2), and 4 do 
     not apply to any feature of computer software that is 
     reasonably needed to--
       (1) provide capability for general purpose online browsing, 
     electronic mail, or instant messaging, or for any optional 
     function that is directly related to such capability and that 
     the user knowingly chooses to use;
       (2) determine whether or not the user of the computer is 
     licensed or authorized to use the computer software; and
       (3) provide technical support for the use of the computer 
     software by the user of the computer.
       (c) Passive Transmission, Hosting, or Link.--For purposes 
     of this Act, a person shall not be deemed to have installed 
     computer software, or authorized, permitted, or caused the 
     installation of computer software, on a computer solely 
     because that person provided--
       (1) the Internet connection or other transmission 
     capability through which the software was delivered to the 
     computer for installation;
       (2) the storage or hosting, at the direction of another 
     person and without selecting the content to be stored or 
     hosted, of the software or of an Internet website through 
     which the software was made available for installation; or
       (3) a link or reference to an Internet website the content 
     of which was selected and controlled by another person, and 
     through which the computer software was made available for 
     installation.
       (d) Software Resident in Temporary Memory.--In the case of 
     an installation of computer software that falls within the 
     meaning of section 7(10)(B) but not within the meaning of 
     section 7(10)(A), the requirements set forth in subsections 
     (a)(1), (b)(1), and (c) of section 3 shall not apply.
       (e) Features Activated by User Options.--In the case of an 
     information collection, advertising, distributed computing, 
     or settings modification feature that remains inactive or 
     turned off unless the user of the computer subsequently 
     selects certain optional settings or functions provided by 
     the computer software, the requirements of subsections (a)(2) 
     and (b)(2) of section 3 may be satisfied by providing the 
     applicable disclosure and obtaining the applicable consent at 
     the time the user selects the option that activates the 
     feature, rather than at the time of initial installation.

     SEC. 6. ADMINISTRATION AND ENFORCEMENT.

       (a) In General.--Except as provided in subsection (b), this 
     Act shall be enforced by the Commission as if the violation 
     of this Act were an unfair or deceptive act or practice 
     proscribed under section 18(a)(1)(B) of the Federal Trade 
     Commission Act (15 U.S.C. 57a(a)(1)(B)).
       (b) Enforcement by Certain Other Agencies.--Compliance with 
     this Act shall be enforced under--
       (1) section 8 of the Federal Deposit Insurance Act (12 
     U.S.C. 1818), in the case of--
       (A) national banks, and Federal branches and Federal 
     agencies of foreign banks, by the Office of the Comptroller 
     of the Currency;
       (B) member banks of the Federal Reserve System (other than 
     national banks), branches and agencies of foreign banks 
     (other than Federal branches, Federal agencies, and insured 
     State branches of foreign banks), commercial lending 
     companies owned or controlled by foreign banks, and 
     organizations operating under section 25 or 25A of the 
     Federal Reserve Act (12 U.S.C. 601 and 611), by the Board; 
     and
       (C) banks insured by the Federal Deposit Insurance 
     Corporation (other than members of the Federal Reserve 
     System) and insured State branches of foreign banks, by the 
     Board of Directors of the Federal Deposit Insurance 
     Corporation;
       (2) section 8 of the Federal Deposit Insurance Act (12 
     U.S.C. 1818), by the Director of the Office of Thrift 
     Supervision, in the case of a savings association the 
     deposits of which

[[Page S1687]]

     are insured by the Federal Deposit Insurance Corporation;
       (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
     by the National Credit Union Administration Board with 
     respect to any Federal credit union;
       (4) part A of subtitle VII of title 49, United States Code, 
     by the Secretary of Transportation with respect to any air 
     carrier or foreign air carrier subject to that part;
       (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et 
     seq.) (except as provided in section 406 of that Act (7 
     U.S.C. 226, 227)), by the Secretary of Agriculture with 
     respect to any activities subject to that Act; and
       (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by 
     the Farm Credit Administration with respect to any Federal 
     land bank, Federal land bank association, Federal 
     intermediate credit bank, or production credit association.
       (c) Exercise of Certain Powers.--For the purpose of the 
     exercise by any agency referred to in subsection (b) of its 
     powers under any Act referred to in that subsection, a 
     violation of this Act is deemed to be a violation of a 
     requirement imposed under that Act. In addition to its powers 
     under any provision of law specifically referred to in 
     subsection (b), each of the agencies referred to in that 
     subsection may exercise, for the purpose of enforcing 
     compliance with any requirement imposed under this Act, any 
     other authority conferred on it by law.
       (d) Actions by the Commission.--The Commission shall 
     prevent any person from violating this Act in the same 
     manner, by the same means, and with the same jurisdiction, 
     powers, and duties as though all applicable terms and 
     provisions of the Federal Trade Commission Act (15 U.S.C. 41 
     et seq.) were incorporated into and made a part of this Act. 
     Any entity that violates any provision of that section is 
     subject to the penalties and entitled to the privileges and 
     immunities provided in the Federal Trade Commission Act in 
     the same manner, by the same means, and with the same 
     jurisdiction, power, and duties as though all applicable 
     terms and provisions of the Federal Trade Commission Act were 
     incorporated into and made a part of that section.
       (e) Preservation of Commission Authority.--Nothing 
     contained in this section shall be construed to 8 limit the 
     authority of the Commission under any other provision of law.

     SEC. 7. ACTIONS BY STATES.

       (a) In General.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by the engagement of any person in a 
     practice that this Act prohibits, the State, as parens 
     patriae, may bring a civil action on behalf of the residents 
     of the State in a district court of the United States of 
     appropriate jurisdiction--
       (A) to enjoin that practice;
       (B) to enforce compliance with the rule;
       (C) to obtain damage, restitution, or other compensation on 
     behalf of residents of the State; or
       (D) to obtain such other relief as the court may consider 
     to be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Commission--
       (i) written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exemption.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general 
     determines that it is not feasible to provide the notice 
     described in that subparagraph before the filing of the 
     action.
       (ii) Notification.--In an action described in clause (i), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Commission at the same time as 
     the attorney general files the action.
       (b) Intervention.--
       (1) In general.--On receiving notice under subsection 
     (a)(2), the Commission shall have the right to intervene in 
     the action that is the subject of the notice.
       (2) Effect of intervention.--If the Commission intervenes 
     in an action under subsection (a), it shall have the right--
       (A) to be heard with respect to any matter that arises in 
     that action; and
       (B) to file a petition for appeal.
       (c) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this subtitle shall 
     be construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--
       (1) conduct investigations;
       (2) administer oaths or affirmations; or
       (3) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (d) Actions by the Commission.--In any case in which an 
     action is instituted by or on behalf of the Commission for 
     violation of section 2 of this Act, no State may, during the 
     pendency of that action, institute an action under subsection 
     (a) against any defendant named in the complaint in that 
     action for violation of that section.
       (e) Venue; Service of Process.--
       (1) Venue.--Any action brought under subsection (a) may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (2) Service of process.--In an action brought under 
     subsection (a), process may be served in any district in 
     which the defendant--
       (A) is an inhabitant; or
       (B) may be found.

     SEC. 8. DEFINITIONS.

       In this Act:
       (1) Advertisement.--The term ``advertisement'' means a 
     commercial promotion for a product or service, but does not 
     include promotions for products or services that appear on 
     computer software help or support pages that are displayed in 
     response to a request by the user.
       (2) Advertising feature.--The term ``advertising feature'' 
     means a function of computer software that, when installed on 
     a computer, delivers advertisements to the user of that 
     computer.
       (3) Affirmative consent.--The term ``affirmative consent'' 
     means consent expressed through action by the user of a 
     computer other than default action specified by the 
     installation sequence and independent from any other consent 
     solicited from the user during the installation process.
       (4) Clear description.--The term ``clear description'' 
     means a description that is clear, conspicuous, concise, and 
     in a font size that is at least as large as the largest 
     default font displayed to the user by the software.
       (5) Computer software.--The term ``computer software''--
       (A) means any program designed to cause a computer to 
     perform a desired function or functions; and
       (B) does not include any cookie.
       (6) Cookie.--The term ``cookie'' means a text file--
       (A) that is placed on a computer by an Internet service 
     provider, interactive computer service, or Internet website; 
     and
       (B) the sole function of which is to record information 
     that can be read or recognized by an Internet service 
     provider, interactive computer service, or Internet website 
     when the user of the computer uses or accesses such provider, 
     service, or website.
       (7) Distributed computing feature.--The term ``distributed 
     computing feature'' means a function of computer software 
     that, when installed on a computer, transmits information or 
     messages, other than personal or network information about 
     the user of the computer, to any other computer without the 
     knowledge or direction of the user and for purposes unrelated 
     to the tasks or functions the user intentionally performs 
     using the computer.
       (8) First retail sale.--The term ``first retail sale'' 
     means the first sale of a computer, for a purpose other than 
     resale, after the manufacture, production, or importation of 
     the computer. For purposes of this paragraph, the lease of a 
     computer shall be considered a sale of the computer at 
     retail.
       (9) Information collection feature.--The term ``information 
     collection feature'' means a function of computer software 
     that, when installed on a computer, collects personal or 
     network information about the user of the computer and 
     transmits such information to any other party on an automatic 
     basis or at the direction of a party other than the user of 
     the computer.
       (10) Install.--The term ``install'' means--
       (A) to write computer software to a computer's persistent 
     storage medium, such as the computer's hard disk, in such a 
     way that the computer software is retained on the computer 
     after the computer is turned off and subsequently restarted; 
     or
       (B) to write computer software to a computer's temporary 
     memory, such as random access memory, in such a way that the 
     software is retained and continues to operate after the user 
     of the computer turns off or exits the Internet service, 
     interactive computer service, or Internet website from which 
     the computer software was obtained.
       (11) Network Information.--The term ``network information'' 
     means--
       (A) an Internet protocol address or domain name of a user's 
     computer;
       (B) a cookie or other unique identifier of a computer user 
     or a computer user's computer; or
       (C) a Uniform Resource Locator or other information that 
     identifies Internet web sites or other online resources 
     accessed by a user of a computer.
       (12) Personal information.--The term ``personal 
     information'' means--
       (A) a first and last name, whether given at birth or 
     adoption, assumed, or legally changed;
       (B) a home or other physical address including street name, 
     name of a city or town, and zip code;
       (C) an electronic mail address or online username;
       (D) a telephone number;
       (E) a social security number;
       (F) any personal identification number;
       (G) a credit card number, any access code associated with 
     the credit card, or both;
       (H) a birth date, birth certificate number, or place of 
     birth; or
       (I) any password or access code.
       (13) Person.--The term ``person'' has the meaning given 
     that term in section 3(32) of the Communications Act of 1934 
     (47 U.S.C. 153(32)).
       (14) Protected computer.--The term ``protected computer'' 
     has the meaning given that term in section 1030(e)(2)(B) of 
     title 18, United States Code.
       (15) Settings modification feature.--The term ``settings 
     modification feature'' means

[[Page S1688]]

     a function of computer software that, when installed on a 
     computer--
       (A) modifies an existing user setting, without direction 
     from the user of the computer, with respect to another 
     computer software application previously installed on that 
     computer; or
       (B) enables a user setting with respect to another computer 
     software application previously installed on that computer to 
     be modified in the future without advance notification to and 
     consent from the user of the computer.
       (16) User of a computer.--The term ``user of a computer'' 
     means an individual who operates a computer with the 
     authorization of the computer's lawful owner.

     SEC. 9. EFFECTIVE DATE.

       This Act shall take effect 180 days after the date of 
     enactment of this Act.
                                 ______