[Congressional Record Volume 151, Number 35 (Sunday, March 20, 2005)]
[Senate]
[Pages S3105-S3109]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. BURNS (for himself, Mr. Wyden, Mrs. Boxer, and Mr. Nelson 
        of Florida):
  S. 687. A bill to regulate the unauthorized installation of computer 
software, to require clear disclosure to

[[Page S3106]]

computer users of certain computer software features that may pose a 
threat to user privacy, and for other purposes; to the Committee on 
Commerce, Science, and Transportation.
  Mr. BURNS. Mr. President, I rise today to introduce the SPYBLOCK 
bill, along with my good friend Senator Wyden of Oregon.
  The SPYBLOCK bill will help reduce one of the most damaging practices 
in the online world today--spyware, or computer software downloaded 
onto a computer without the user's permission or awareness--that then 
is often used to illicitly gather personal information, assist in 
identity theft, track a user's keystrokes or monitor browsing behavior.
  It is hard to overstate the potential damage that Spyware can do in 
cyberspace if it is allowed to grow unchecked. It could cripple e-
commerce, because consumers would be afraid to make their financial or 
other personal data available on-line. It could damage the activities 
of businesses large and small, by making their data or computer systems 
vulnerable to attack and abuse. It could fuel the growth of whole new 
categories of cybercriminals. The recent data theft incidents at 
ChoicePoint, Bank of America, and others only underscore the need for a 
much more proactive policing of cyberspace.
  The SPYBLOCK bill will give Federal enforcement authorities 
additional tools to curb spyware. It also bans adware programs that 
conceal their operation or purpose from users, because every consumer 
should have a reasonable opportunity to consent to the installation of 
software that generates pop-up ads on his or her computer.
  We have worked hard on this bill, and consulted extensively with 
industry and consumer groups to ensure all perspectives on this growing 
problem were heard. The issues are not new to the members of the 
Commerce Committee either, as this bill is very similiar to one we 
marked up toward the end of the last Congress.
  I look forward to working with my colleagues in the Commerce 
Committee and the full Senate to ensure prompt passage of this 
important measure. I thank my colleague Senator Wyden again for his 
work on this bill, and I yield back the balance of my time.
  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                 S. 687

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Software 
     Principles Yielding Better Levels of Consumer Knowledge Act'' 
     or the ``SPY BLOCK Act''.
       (b) Table of Contents.--The table of contents for this Act 
     is as follows:

Sec. 1. Short title.
Sec. 2. Prohibited practices related to software installation in 
              general.
Sec. 3. Installing surreptitious information collection features on a 
              user's computer.
Sec. 4. Adware that conceals its operation.
Sec. 5. Other practices that thwart user control of computer.
Sec. 6. Limitations on liability.
Sec. 7. FTC rulemaking authority.
Sec. 8. Administration and enforcement.
Sec. 9. Actions by States.
Sec. 10. Effect on other laws.
Sec. 11. Liability protections for anti-spyware software or services.
Sec. 12. Penalties for certain unauthorized activities relating to 
              computers. 
Sec. 13. Definitions.
Sec. 14. Effective date.

     SEC. 2. PROHIBITED PRACTICES RELATED TO SOFTWARE INSTALLATION 
                   IN GENERAL.

       (a) Surreptitious Installation.--
       (1) In general.--It is unlawful for a person who is not an 
     authorized user of a protected computer to cause the 
     installation of software on the computer in a manner that--
       (A) conceals from the user of the computer the fact that 
     the software is being installed; or
       (B) prevents the user of the computer from having an 
     opportunity to knowingly grant or withhold consent to the 
     installation.
       (2) Exception.--This subsection does not apply to--
       (A) the installation of software that falls within the 
     scope of a previous grant of authorization by an authorized 
     user;
       (B) the installation of an upgrade to a software program 
     that has already been installed on the computer with the 
     authorization of an authorized user;
       (C) the installation of software before the first retail 
     sale and delivery of the computer; or
       (D) the installation of software that ceases to operate 
     when the user of the computer exits the software or service 
     through which the user accesses the Internet, if the software 
     so installed does not begin to operate again when the user 
     accesses the Internet via that computer in the future.
       (b) Misleading Inducements To Install.--It is unlawful for 
     a person who is not an authorized user of a protected 
     computer to induce an authorized user of the computer to 
     consent to the installation of software on the computer by 
     means of a materially false or misleading representation 
     concerning--
       (1) the identity of an operator of an Internet website or 
     online service at which the software is made available for 
     download from the Internet;
       (2) the identity of the author, publisher, or authorized 
     distributor of the software;
       (3) the nature or function of the software; or
       (4) the consequences of not installing the software.
       (c) Preventing Reasonable Efforts To Uninstall.--
       (1) In general.--It is unlawful for a person who is not an 
     authorized user of a protected computer to cause the 
     installation of software on the computer if the software 
     cannot subsequently be uninstalled or disabled by an 
     authorized user through a program removal function that is 
     usual and customary with the user's operating system, or 
     otherwise as clearly and conspicuously disclosed to the user.
       (2) Limitations.--
       (A) Authority to uninstall.--Software that enables an 
     authorized user of a computer, such as a parent, employer, or 
     system administrator, to choose to prevent another user of 
     the same computer from uninstalling or disabling the software 
     shall not be considered to prevent reasonable efforts to 
     uninstall or disable the software within the meaning of this 
     subsection if at least 1 authorized user retains the ability 
     to uninstall or disable the software.
       (B) Construction.--This subsection shall not be construed 
     to require individual features or functions of a software 
     program, upgrades to a previously installed software program, 
     or software programs that were installed on a bundled basis 
     with other software or with hardware to be capable of being 
     uninstalled or disabled separately from such software or 
     hardware.

     SEC. 3. INSTALLING SURREPTITIOUS INFORMATION COLLECTION 
                   FEATURES ON A USER'S COMPUTER.

       (a) In General.--It is unlawful for a person who is not an 
     authorized user of a protected computer to--
       (1) cause the installation on that computer of software 
     that includes a surreptitious information collection feature; 
     or
       (2) use software installed in violation of paragraph (1) to 
     collect information about a user of the computer or the use 
     of a protected computer by that user.
       (b) Authorization Status.--This section shall not be 
     interpreted to prohibit a person from causing the 
     installation of software that collects and transmits only 
     information that is reasonably needed to determine whether or 
     not the user of a protected computer is licensed or 
     authorized to use the software.
       (c) Surreptitious Information Collection Feature Defined.--
     For purposes of this section, the term ``surreptitious 
     information collection feature'' means a feature of software 
     that--
       (1) collects information about a user of a protected 
     computer or the use of a protected computer by that user, and 
     transmits such information to any other person or computer--
       (A) on an automatic basis or at the direction of person 
     other than an authorized user of the computer, such that no 
     authorized user knowingly triggers or controls the collection 
     and transmission;
       (B) in a manner that is not transparent to an authorized 
     user at or near the time of the collection and transmission, 
     such that no authorized user is likely to be aware of it when 
     information collection and transmission are occurring; and
       (C) for purposes other than--
       (i) facilitating the proper technical functioning of a 
     capability, function, or service that an authorized user of 
     the computer has knowingly used, executed, or enabled; or
       (ii) enabling the provider of an online service knowingly 
     used or subscribed to by an authorized user of the computer 
     to monitor or record the user's usage of the service, or to 
     customize or otherwise affect the provision of the service to 
     the user based on such usage; and
       (2) begins to collect and transmit such information without 
     prior notification that--
       (A) clearly and conspicuously discloses to an authorized 
     user of the computer the type of information the software 
     will collect and the types of ways the information may be 
     used and distributed; and
       (B) is provided at a time and in a manner such that an 
     authorized user of the computer has an opportunity, after 
     reviewing the information contained in the notice, to prevent 
     either--
       (i) the installation of the software; or
       (ii) the beginning of the operation of the information 
     collection and transmission capability described in paragraph 
     (1).

[[Page S3107]]

     SEC. 4. ADWARE THAT CONCEALS ITS OPERATION.

       (a) In General.--It is unlawful for a person who is not an 
     authorized user of a protected computer to cause the 
     installation on that computer of software that causes 
     advertisements to be displayed to the user without a label or 
     other reasonable means of identifying to the user of the 
     computer, each time such an advertisement is displayed, which 
     software caused the advertisement's delivery.
       (b) Exception.--Software that causes advertisements to be 
     displayed without a label or other reasonable means of 
     identification shall not give rise to liability under 
     subsection (a) if those advertisements are displayed to a 
     user of the computer--
       (1) only when a user is accessing an Internet website or 
     online service--
       (A) operated by the publisher of the software; or
       (B) the operator of which has provided express consent to 
     the display of such advertisements to users of the website or 
     service; or
       (2) only in a manner or at a time such that a reasonable 
     user would understand which software caused the delivery of 
     the advertisements.

     SEC. 5. OTHER PRACTICES THAT THWART USER CONTROL OF COMPUTER.

       It is unlawful for a person who is not an authorized user 
     of a protected computer to engage in an unfair or deceptive 
     act or practice that involves--
       (1) utilizing the computer to send unsolicited information 
     or material from the user's computer to other computers;
       (2) diverting an authorized user's Internet browser away 
     from the Internet website the user intended to view to 1 or 
     more other websites, unless such diversion has been 
     authorized by the website the user intended to view;
       (3) displaying an advertisement, series of advertisements, 
     or other content on the computer through windows in an 
     Internet browser, in such a manner that the user of the 
     computer cannot end the display of such advertisements or 
     content without turning off the computer or terminating all 
     sessions of the Internet browser (except that this paragraph 
     shall not apply to the display of content related to the 
     functionality or identity of the Internet browser);
       (4) modifying settings relating to the use of the computer 
     or to the computer's access to or use of the Internet, 
     including--
       (A) altering the default Web page that initially appears 
     when a user of the computer launches an Internet browser;
       (B) altering the default provider or Web proxy used to 
     access or search the Internet;
       (C) altering bookmarks used to store favorite Internet 
     website addresses; or
       (D) altering settings relating to security measures that 
     protect the computer and the information stored on the 
     computer against unauthorized access or use; or
       (5) removing, disabling, or rendering inoperative a 
     security or privacy protection technology installed on the 
     computer.

     SEC. 6. LIMITATIONS ON LIABILITY.

       (a) Passive Transmission, Hosting, or Linking.--A person 
     shall not be deemed to have violated any provision of this 
     Act solely because the person provided--
       (1) the Internet connection, telephone connection, or other 
     transmission or routing function through which software was 
     delivered to a protected computer for installation;
       (2) the storage or hosting of software or of an Internet 
     website through which software was made available for 
     installation to a protected computer; or
       (3) an information location tool, such as a directory, 
     index, reference, pointer, or hypertext link, through which a 
     user of a protected computer located software available for 
     installation.
       (b) Network Security.--It is not a violation of section 2, 
     3, or 5 for a provider of a network or online service used by 
     an authorized user of a protected computer, or to which any 
     authorized user of a protected computer subscribes, to 
     monitor, interact with, or install software for the purpose 
     of--
       (1) protecting the security of the network, service, or 
     computer;
       (2) facilitating diagnostics, technical support, 
     maintenance, network management, or repair; or
       (3) preventing or detecting unauthorized, fraudulent, or 
     otherwise unlawful uses of the network or service.
       (c) Manufacturer's Liability for Third-Party Software.--A 
     manufacturer or retailer of a protected computer shall not be 
     liable under any provision of this Act for causing the 
     installation on the computer, prior to the first retail sale 
     and delivery of the computer, of third-party branded 
     software, unless the manufacturer or retailer--
       (1) uses a surreptitious information collection feature 
     included in the software to collect information about a user 
     of the computer or the use of a protected computer by that 
     user; or
       (2) knows that the software will cause advertisements for 
     the manufacturer or retailer to be displayed to a user of the 
     computer.
       (d) Investigational Exception.--Nothing in this Act 
     prohibits any lawfully authorized investigative, protective, 
     or intelligence activity of a law enforcement agency of the 
     United States, a State, or a political subdivision of a 
     State, or of an intelligence agency of the United States.
       (e) Services Provided over MVPD Systems.--It is not a 
     violation of this Act for a multichannel video programming 
     distributor (as defined in section 602(13) of the 
     Communications Act of 1934 (47 U.S.C. 522(13)) to utilize a 
     navigation device, or interact with such a device, or to 
     install or use software on such a device, in connection with 
     the provision of multichannel video programming or other 
     services offered over a multichannel video programming system 
     or the collection or disclosure of subscriber information, if 
     the provision of such service or the collection or disclosure 
     of such information is subject to section 338(i) or section 
     631 of the Communications Act of 1934 (47 U.S.C. 338(i) or 
     551).

     SEC. 7. FTC RULEMAKING AUTHORITY.

       (a) In General.--Subject to the limitations of subsection 
     (b), the Commission may issue such rules in accordance with 
     section 553 of title 5, United States Code, as may be 
     necessary to implement or clarify the provisions of this Act.
       (b) Safe Harbors.--
       (1) In general.--The Commission may issue regulations 
     establishing specific wordings or formats for--
       (A) notification that is sufficient under section 3(c)(2) 
     to prevent a software feature from being a surreptitious 
     information collection feature (as defined in section 3(c)); 
     or
       (B) labels or other means of identification that are 
     sufficient to avoid violation of section 4(a).
       (2) Function of commission's suggested wordings or 
     formats.--
       (A) Usage is voluntary.--The Commission may not require the 
     use of any specific wording or format prescribed under 
     paragraph (1) to meet the requirements of section 3 or 4.
       (B) Other means of compliance.--The use of a specific 
     wording or format prescribed under paragraph (1) shall not be 
     the exclusive means of providing notification, labels, or 
     other identification that meet the requirements of sections 3 
     and 4.
       (c) Limitations on Liability.--In addition to the 
     limitations on liability specified in section 6, the 
     Commission may by regulation establish additional limitations 
     or exceptions upon a finding that such limitations or 
     exceptions are reasonably necessary to promote the public 
     interest and are consistent with the purposes of this Act. No 
     such additional limitation of liability may be made 
     contingent upon the adoption of any specific wording or 
     format specified in regulations under subsection (b)(1).

     SEC. 8. ADMINISTRATION AND ENFORCEMENT.

       (a) In General.--Except as provided in subsection (b), this 
     Act shall be enforced by the Commission as if a violation of 
     this Act or of any regulation promulgated by the Commission 
     under this Act were an unfair or deceptive act or practice 
     proscribed under section 18(a)(1)(B) of the Federal Trade 
     Commission Act (15 U.S.C. 57a(a)(1)(B)).
       (b) Enforcement by Certain Other Agencies.--Compliance with 
     this Act shall be enforced under--
       (1) section 8 of the Federal Deposit Insurance Act (12 
     U.S.C. 1818), in the case of--
       (A) national banks, and Federal branches and Federal 
     agencies of foreign banks, by the Office of the Comptroller 
     of the Currency;
       (B) member banks of the Federal Reserve System (other than 
     national banks), branches and agencies of foreign banks 
     (other than Federal branches, Federal agencies, and insured 
     State branches of foreign banks), commercial lending 
     companies owned or controlled by foreign banks, and 
     organizations operating under section 25 or 25A of the 
     Federal Reserve Act (12 U.S.C. 601 and 611), by the Board; 
     and
       (C) banks insured by the Federal Deposit Insurance 
     Corporation (other than members of the Federal Reserve 
     System) and insured State branches of foreign banks, by the 
     Board of Directors of the Federal Deposit Insurance 
     Corporation;
       (2) section 8 of the Federal Deposit Insurance Act (12 
     U.S.C. 1818), by the Director of the Office of Thrift 
     Supervision, in the case of a savings association the 
     deposits of which are insured by the Federal Deposit 
     Insurance Corporation;
       (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
     by the National Credit Union Administration Board with 
     respect to any Federal credit union;
       (4) part A of subtitle VII of title 49, United States Code, 
     by the Secretary of Transportation with respect to any air 
     carrier or foreign air carrier subject to that part;
       (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et 
     seq.) (except as provided in section 406 of that Act (7 
     U.S.C. 226, 227)), by the Secretary of Agriculture with 
     respect to any activities subject to that Act; and
       (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by 
     the Farm Credit Administration with respect to any Federal 
     land bank, Federal land bank association, Federal 
     intermediate credit bank, or production credit association.
       (c) Exercise of Certain Powers.--For the purpose of the 
     exercise by any agency referred to in subsection (b) of its 
     powers under any Act referred to in that subsection, a 
     violation of this Act is deemed to be a violation of a 
     requirement imposed under that Act. In addition to its powers 
     under any provision of law specifically referred to in 
     subsection (b), each of the agencies referred to in that 
     subsection may exercise, for the purpose of enforcing 
     compliance with any requirement imposed under this Act, any 
     other authority conferred on it by law.

[[Page S3108]]

       (d) Actions by the Commission.--The Commission shall 
     prevent any person from violating this Act in the same 
     manner, by the same means, and with the same jurisdiction, 
     powers, and duties as though all applicable terms and 
     provisions of the Federal Trade Commission Act (15 U.S.C. 41 
     et seq.) were incorporated into and made a part of this Act. 
     Any entity that violates any provision of that section is 
     subject to the penalties and entitled to the privileges and 
     immunities provided in the Federal Trade Commission Act in 
     the same manner, by the same means, and with the same 
     jurisdiction, power, and duties as though all applicable 
     terms and provisions of the Federal Trade Commission Act were 
     incorporated into and made a part of that section.

     SEC. 9. ACTIONS BY STATES.

       (a) In General.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by the engagement of any person in a 
     practice that this Act prohibits, the State, as parens 
     patriae, may bring a civil action on behalf of the residents 
     of the State in a district court of the United States of 
     appropriate jurisdiction--
       (A) to enjoin that practice;
       (B) to enforce compliance with the rule;
       (C) to obtain damage, restitution, or other compensation on 
     behalf of residents of the State; or
       (D) to obtain such other relief as the court may consider 
     to be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Commission--
       (i) written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exemption.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general 
     determines that it is not feasible to provide the notice 
     described in that subparagraph before the filing of the 
     action.
       (ii) Notification.--In an action described in clause (i), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Commission at the same time as 
     the attorney general files the action.
       (b) Intervention.--
       (1) In general.--On receiving notice under subsection 
     (a)(2), the Commission shall have the right to intervene in 
     the action that is the subject of the notice.
       (2) Effect of intervention.--If the Commission intervenes 
     in an action under subsection (a), it shall have the right--
       (A) to be heard with respect to any matter that arises in 
     that action; and
       (B) to file a petition for appeal.
       (c) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this subtitle shall 
     be construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--
       (1) conduct investigations;
       (2) administer oaths or affirmations; or
       (3) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (d) Actions by the Commission.--In any case in which an 
     action is instituted by or on behalf of the Commission for 
     violation of this Act, no State may, during the pendency of 
     that action, institute an action under subsection (a) against 
     any defendant named in the complaint in that action for 
     violation of that section.
       (e) Venue; Service of Process.--
       (1) Venue.--Any action brought under subsection (a) may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (2) Service of process.--In an action brought under 
     subsection (a), process may be served in any district in 
     which the defendant--
       (A) is an inhabitant; or
       (B) may be found.

     SEC. 10. EFFECT ON OTHER LAWS.

       (a) Federal Law.--Nothing in this Act shall be construed to 
     limit or affect in any way the Commission's authority to 
     bring enforcement actions or take any other measures under 
     the Federal Trade Commission Act or any other provision of 
     law.
       (b) State Law.--
       (1) State law concerning information collection software or 
     adware.--This Act supersedes any statute, regulation, or rule 
     of a State or political subdivision of a State that expressly 
     limits or restricts the installation or use of software on a 
     protected computer to--
       (A) collect information about the user of the computer or 
     the user's Internet browsing behavior or other use of the 
     computer; or
       (B) cause advertisements to be delivered to the user of the 
     computer,

     except to the extent that any such statute, regulation, or 
     rule prohibits deception in connection with the installation 
     or use of such software.
       (2) State law concerning notice of software installation.--
     This Act supersedes any statute, regulation, or rule of a 
     State or political subdivision of a State that prescribes 
     specific methods for providing notification before the 
     installation of software on a computer.
       (3) State law not specific to software.--This Act shall not 
     be construed to preempt the applicability of State criminal, 
     trespass, contract, tort, or anti-fraud law.

     SEC. 11. LIABILITY PROTECTIONS FOR ANTI-SPYWARE SOFTWARE OR 
                   SERVICES.

       No provider of computer software or of an interactive 
     computer service may be held liable under this Act or any 
     other provision of law for identifying, naming, removing, 
     disabling, or otherwise affecting the operation or potential 
     operation on a computer of computer software published by a 
     third party, if--
       (1) the provider's software or interactive computer service 
     is intended to identify, prevent the installation or 
     execution of, remove, or disable computer software that is or 
     was installed in violation of section 2, 3, or 4 of this Act 
     or used to violate section 5 of this Act;
       (2) an authorized user of the computer has consented to the 
     use of the provider's computer software or interactive 
     computer service on the computer;
       (3) the provider believes in good faith that the 
     installation or operation of the third-party computer 
     software involved or involves a violation of section 2, 3, 4, 
     or 5 of this Act; and
       (4) the provider either notifies and obtains the consent of 
     an authorized user of the computer before taking any action 
     to remove, disable, or otherwise affect the operation or 
     potential operation of the third-party software on the 
     computer, or has obtained prior authorization from an 
     authorized user to take such action without providing such 
     notice and consent.

     SEC. 12. PENALTIES FOR CERTAIN UNAUTHORIZED ACTIVITIES 
                   RELATING TO COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``Sec. 1030A. Illicit indirect use of protected computers

       ``(a) Whoever intentionally accesses a protected computer 
     without authorization, or exceeds authorized access to a 
     protected computer, by causing a computer program or code to 
     be copied onto the protected computer, and intentionally uses 
     that program or code in furtherance of another Federal 
     criminal offense shall be fined under this title or 
     imprisoned 5 years, or both.
       ``(b) Whoever intentionally accesses a protected computer 
     without authorization, or exceeds authorized access to a 
     protected computer, by causing a computer program or code to 
     be copied onto the protected computer, and by means of that 
     program or code intentionally impairs the security protection 
     of the protected computer shall be fined under this title or 
     imprisoned not more than 2 years, or both.
       ``(c) A person shall not violate this section who solely 
     provides--
       ``(1) an Internet connection, telephone connection, or 
     other transmission or routing function through which software 
     is delivered to a protected computer for installation;
       ``(2) the storage or hosting of software, or of an Internet 
     website, through which software is made available for 
     installation to a protected computer; or
       ``(3) an information location tool, such as a directory, 
     index, reference, pointer, or hypertext link, through which a 
     user of a protected computer locates software available for 
     installation.
       ``(d) A provider of a network or online service that an 
     authorized user of a protected computer uses or subscribes to 
     shall not violate this section by any monitoring of, 
     interaction with, or installation of software for the purpose 
     of--
       ``(1) protecting the security of the network, service, or 
     computer;
       ``(2) facilitating diagnostics, technical support, 
     maintenance, network management, or repair; or
       ``(3) preventing or detecting unauthorized, fraudulent, or 
     otherwise unlawful uses of the network or service.
       ``(e) No person may bring a civil action under the law of 
     any State if such action is premised in whole or in part upon 
     the defendant's violating this section. For the purposes of 
     this subsection, the term `State' includes the District of 
     Columbia, Puerto Rico, and any other territory or possession 
     of the United States.''.
       (b) Conforming Amendment.--The table of sections at the 
     beginning of chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following new item:

``1030A. Illicit indirect use of protected computers''

     SEC. 13. DEFINITIONS.

       In this Act:
       (1) Authorized user.--The term ``authorized user'', when 
     used with respect to a computer, means the owner or lessee of 
     a computer, or someone using or accessing a computer with the 
     actual or apparent authorization of the owner or lessee.
       (2) Cause the installation.--The term ``cause the 
     installation'' when used with respect to particular software, 
     means to knowingly provide the technical means by which the 
     software is installed, or to knowingly pay or provide other 
     consideration to, or to knowingly induce or authorize, 
     another person to do so.
       (3) Commission.--The term ``Commission'' means the Federal 
     Trade Commission.
       (4) Cookie.--The term ``cookie'' means a text file--

[[Page S3109]]

       (A) that is placed on a computer by, or on behalf of, an 
     Internet service provider, interactive computer service, or 
     Internet website; and
       (B) the sole function of which is to record information 
     that can be read or recognized when the user of the computer 
     subsequently accesses particular websites or online locations 
     or services.
       (5) First retail sale and delivery.--The term ``first 
     retail sale and delivery'' means the first sale, for a 
     purpose other than resale, of a protected computer and the 
     delivery of that computer to the purchaser or a recipient 
     designated by the purchaser at the time of such first sale. 
     For purposes of this paragraph, the lease of a computer shall 
     be considered a sale of the computer for a purpose other than 
     resale.
       (6) Install.--
       (A) In general.--The term ``install'' means--
       (i) to write computer software to a computer's persistent 
     storage medium, such as the computer's hard disk, in such a 
     way that the computer software is retained on the computer 
     after the computer is turned off and subsequently restarted; 
     or
       (ii) to write computer software to a computer's temporary 
     memory, such as random access memory, in such a way that the 
     software is retained and continues to operate after the user 
     of the computer turns off or exits the Internet service, 
     interactive computer service, or Internet website from which 
     the computer software was obtained.
       (B) Exception for temporary cache.--The term ``install'' 
     does not include the writing of software to an area of the 
     persistent storage medium that is expressly reserved for the 
     temporary retention of recently accessed or input data or 
     information if the software retained in that area remains 
     inoperative unless a user of the computer chooses to access 
     that temporary retention area.
       (7) Person.--The term ``person'' has the meaning given that 
     term in section 3(32) of the Communications Act of 1934 (47 
     U.S.C. 153(32)).
       (8) Protected computer.--The term ``protected computer'' 
     has the meaning given that term in section 1030(e)(2)(B) of 
     title 18, United States Code.
       (9) Software.--The term ``software'' means any program 
     designed to cause a computer to perform a desired function or 
     functions. Such term does not include any cookie.
       (10) Unfair or deceptive act or practice.--The term 
     ``unfair or deceptive act or practice'' has the same meaning 
     as when used in section 5 of the Federal Trade Commission Act 
     (15 U.S.C. 45).
       (11) Upgrade.--The term ``upgrade'', when used with respect 
     to a previously installed software program, means additional 
     software that is issued by, or with the authorization of, the 
     publisher or any successor to the publisher of the software 
     program to improve, correct, repair, enhance, supplement, or 
     otherwise modify the software program.

     SEC. 14. EFFECTIVE DATE.

       This Act shall take effect 180 days after the date of 
     enactment of this Act.

                          ____________________