[Congressional Record (Bound Edition), Volume 146 (2000), Part 15]
[Senate]
[Pages 21277-21279]
[From the U.S. Government Publishing Office, www.gpo.gov]



             THE SPYWARE CONTROL AND PRIVACY PROTECTION ACT

  Mr. EDWARDS. Mr. President, how would you feel if someone was 
eavesdropping on your private phone conversations without your 
knowledge? Well, if it happened to me, I would be very disturbed. And I 
think that most Americans would be very disturbed to know that 
something similar may be happening every time they use their computers.
  The shocking fact is that many software programs contain something 
called spyware. Spyware is computer code that surreptitiously uses our 
Internet connection to transmit information about things like our 
purchasing patterns and our health and financial status. This 
information is collected without our knowledge or explicit permission 
and the spyware programs run undetected while you surf the Internet.
  Spyware has been found in Quicken software, which is manufactured by 
Intuit, Inc. So let me use this as an example. Imagine you purchase 
Quicken software or download it from the Internet. You install it on 
your computer to help you with your finances. However, unbeknownst to 
you, Quicken does more than install financial planning tools on your 
computer. It also installs a little piece of spyware. The spyware lies 
dormant until one day when you get on the Internet.
  As you start surfing the Internet, the spyware sends back information 
to Intuit about what you buy and what you are interested in. And all of 
this happens without your knowledge. You could be on Amazon.com or 
researching health issues and at the very same time Intuit spyware is 
using your Internet connection, transmitting some of your most private 
data to someone you never heard of.
  In the months since it was reported that Quicken contained spyware, 
the folks at Intuit may have decided to remove the spyware from 
Quicken. However, Quicken is not the only software program that may 
contain spyware. One computer expert recently found spyware programs in 
popular children's software that is designed to help them learn, such 
as Mattel Interactive's Reader Rabbit and Arthur's Thinking Games. And, 
according to another expert's assessment, spyware is present in four 
hundred software programs, including commonly used software such as 
RealNetworks RealDownload, Netscape/AOL Smart Download, and NetZip 
Download Demon. Spyware in these software programs can transmit 
information about every file you download from the Internet.
  I rise today to introduce the Spyware Control and Privacy Protection 
Act of 2000. I believe that this legislation will help Americans regain 
some control over their personal information and will help stop the 
loss of their privacy and the privacy of their families.
  My proposal is common-sense and simple. It incorporates all four fair 
information practices of notice, choice, access and security--practices 
that I believe are essential to effective computer privacy legislation.
  First, the Act requires that any software that contains spyware must 
provide consumers with clear and conspicuous notice--at the time the 
software is installed--that the software contains spyware. The notice 
must also describe the information that the spyware will collect and 
indicate to whom it will be transmitted.
  Another critical provision of my bill requires that software users 
must first give their affirmative consent before the spyware is enabled 
and allowed to start obtaining and sharing users' personal information 
with third parties. In other words, software users must ``opt-in'' to 
the collection and transmission of their information. My bill gives 
software users a choice whether they will allow the spyware to collect 
and share their information.
  The Spyware Control and Privacy Protection Act allows for some 
common-sense exceptions to the notice and opt-in requirements. Under my 
proposal, software users would not have to receive notice and give 
their permission to enable the spyware if the software user's 
information is gathered in order to provide technical support for use 
of the software. In addition, users' information may be collected if it 
is necessary to determine if they are licensed users of the software. 
And finally, the legislation would not apply to situations where 
employers are using spyware to monitor Internet usage by their 
employees. I believe that this last issue is a serious one and deserves 
to be addressed in separate legislation.
  Another important aspect of the Spyware Control and Privacy 
Protection Act is that it would incorporate the fair information 
practice known as ``access.'' What this means is that an individual 
software user would have the ability to find out what information has 
been collected about them, and would be given a reasonable chance to 
correct any errors.
  And finally, the fourth fair information practice guaranteed by my 
bill is ``security.'' Anyone that uses spyware to collect information 
about software users must establish procedures to keep that information 
confidential and safe from hackers.
  Spyware is a modern day Trojan horse. You install software on your 
computer thinking it's designed to help you, and it turns out that 
something else is hidden inside that may be quite harmful.
  I have been closely following the privacy debate for some time now. 
And I am struck by how often I discover new ways in which our privacy 
is being eroded. Spyware is among the more startling examples of how 
this erosion is occurring.
  Most people would agree that modern technology has been 
extraordinarily beneficial. It has enabled us to obtain information 
more quickly and easily than ever before. And companies have 
streamlined their processes for providing goods and services.
  But these remarkable developments can have a startling downside. They 
have made it easier to track personal information such as medical and 
financial records, and buying habits. In turn, our ability to keep our 
personal information private is being eroded.
  Even sophisticated computer software users are unlikely to be aware 
that information is being collected about their Internet surfing habits 
and is likely being fed into a growing personal profile maintained at a 
data warehouse. They don't know that companies can and do extract the 
information from the warehouse to create a so-called cyber-profile of 
what they are likely to buy, what the status of their health may be, 
what their family is like, and what their financial situation may be.
  I believe that in the absence of government regulation, it is 
difficult, if not impossible for people to control the use of their own 
personal information. Consumers are not properly informed, and 
businesses are under no legal obligation to protect consumers' privacy.
  I believe that the Spyware Control and Privacy Protection Act is a 
reasonable way to help Americans regain

[[Page 21278]]

some of their privacy. My legislation does not prevent software 
manufacturers from using their software to collect a consumer's online 
information. However, it gives back some control to the consumer by 
allowing him or her to decide whether their information may be 
gathered.
  My bill protects consumer privacy, while enabling software companies 
and marketing firms to continue obtaining consumers' information if the 
consumer so chooses. Confidence in these companies will be enhanced if 
they are able to assure their customers that they will not collect 
their personal information without their permission.
  Privacy protections should not stop with computer software. I am also 
proud to be a cosponsor of the Consumer Privacy Protection Act, a much-
needed measure that would prevent Internet service providers, 
individual web sites, network advertisers, and other third parties from 
gathering information about our online surfing habits without our 
permission.
  And last fall, I introduced the Telephone Call Privacy Act in order 
to prevent phone companies from disclosing consumers' private phone 
records without their permission. Although there are only a few weeks 
left in this congressional session, it is my hope that Congress will 
pass meaningful privacy legislation soon.
  Increasingly, technology is impacting our lives and the lives of our 
families. I believe that while it is important to encourage 
technological growth, we must also balance new developments with our 
fundamental right to privacy. Otherwise, we may wake up one day and 
realize that our privacy has been so thoroughly eroded that it is 
impossible to recover.
  I urge my colleagues to support the Spyware Control and Privacy 
Protection Act.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 3180

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Spyware Control and Privacy 
     Protection Act of 2000''.

     SEC. 2. COLLECTION OF INFORMATION BY COMPUTER SOFTWARE.

       (a) Notice and Choice Required.--
       (1) In general.--Any computer software made available to 
     the public, whether by sale or without charge, that includes 
     a capability to collect information about the user of such 
     computer software, the hardware on which such computer 
     software is used, or the manner in which such computer 
     software is used, and to disclose to such information to any 
     person other than the user of such computer software, shall 
     include--
       (A) a clear and conspicuous written notice, on the first 
     electronic page of the instructions for the installation of 
     such computer software, that such computer software includes 
     such capability;
       (B) a description of the information subject to collection 
     and the name and address of each person to whom such computer 
     software will transmit or otherwise communicate such 
     information; and
       (C) a clear and conspicuous written electronic notice, in a 
     manner reasonably calculated to provide the user of such 
     computer software with easily understood instructions on how 
     to disable such capability without affecting the performance 
     or operation of such computer software for the purposes for 
     which such computer software was intended.
       (2) Enablement of capability.--A capability of computer 
     software described in paragraph (1) may not be enabled unless 
     the user of such computer software provides affirmative 
     consent, in advance, to the enablement of the capability.
       (3) Exception.--The requirements in paragraphs (1) and (2) 
     shall not apply to any capability of computer software that 
     is reasonably needed to--
       (A) determine whether or not the user is a licensed or 
     authorized user of such computer software;
       (B) provide, upon request of the user, technical support of 
     the use of such computer software by the user; or
       (C) enable an employer to monitor computer usage by its 
     employees while such employees are within the scope of 
     employment as authorized by applicable Federal, State, or 
     local law.
       (4) Use of information collected through excepted 
     capability.--Any information collected through a capability 
     described in paragraph (1) for a purpose referred to in 
     paragraph (3) may be utilized only for the purpose for which 
     such information is collected under paragraph (3).
       (5) Access to information collected through excepted 
     capability.--Any person collecting information about a user 
     of computer software through a capability described in 
     paragraph (1) shall--
       (A) upon request of the user, provide reasonable access by 
     user to information so collected;
       (B) provide a reasonable opportunity for the user to 
     correct, delete, or supplement such information; and
       (C) make the correction or supplementary information a part 
     of the information about the user for purposes of any future 
     use of such information under this subsection.
       (6) Security of information collected through excepted 
     capability.--Any person collecting information through a 
     capability described in paragraph (1) shall establish and 
     maintain reasonable procedures necessary to protect the 
     security, confidentiality, and integrity of such information.
       (b) Preinstallation.--In the case of computer software 
     described in subsection (a)(1) that is installed on a 
     computer by someone other than the user of such computer 
     software, whether through preinstallation by the provider of 
     such computer or computer software, by installation by 
     someone before delivery of such computer to the user, or 
     otherwise, the notice and instructions under that subsection 
     shall be provided in electronic form to the user before the 
     first use of such computer software by the user.
       (c) Violations.--A violation of subsection (a) or (b) shall 
     be treated as an unfair or deceptive act or practice 
     proscribed by section 18(a)(1)(B) of the Federal Trade 
     Commission Act (15 U.S.C. 57a(a)(1)(B)).
       (d) Disclosure to Law Enforcement or Under Court Order.--
       (1) In general.--Notwithstanding any other provision of 
     this section, a computer software provider that collects 
     information about users of the computer software may disclose 
     information about a user of the computer software--
       (A) to a law enforcement agency in response to a warrant 
     issued under the Federal Rules of Criminal Procedure, an 
     equivalent State warrant, or a court order issued in 
     accordance with paragraph (3); or
       (B) in response to a court order in a civil proceeding 
     granted upon a showing of compelling need for the information 
     that cannot be accommodated by any other means if--
       (i) the user to whom the information relates is given 
     reasonable notice by the person seeking the information of 
     the court proceeding at which the order is requested; and
       (ii) the user is afforded a reasonable opportunity to 
     appear and contest the issuance of the requested order or to 
     narrow its scope.
       (2) Safeguards against further disclosure.--A court that 
     issues an order described in paragraph (1) shall impose 
     appropriate safeguards on the use of the information to 
     protect against its unauthorized disclosure.
       (3) Court orders.--A court order authorizing disclosure 
     under paragraph (1)(A) may issue only with prior notice to 
     the user and only if the law enforcement agency shows that 
     there is probable cause to believe that the user has engaged, 
     is engaging, or is about to engage in criminal activity and 
     that the records or other information sought are material to 
     the investigation of such activity. In the case of a State 
     government authority, such a court order shall not issue if 
     prohibited by the law of such State. A court issuing an order 
     pursuant to this paragraph, on a motion made promptly by the 
     computer software provider may quash or modify such order if 
     the information or records requested are unreasonably 
     voluminous in nature or if compliance with such order 
     otherwise would cause an unreasonable burden on the provider.
       (e) Private Right of Action.--
       (1) Actions Authorized.--A person may, if otherwise 
     permitted by the laws or rules of court of a State, bring in 
     an appropriate Federal court, if such laws or rules prohibit 
     such actions, either or both of the actions as follows:
       (A) An action based on a violation of subsection (a) or (b) 
     to enjoin such violation.
       (B) An action to recover actual monetary loss for a 
     violation of subsection (a) or (b) in an amount equal to the 
     greater of--
       (i) the amount of such actual monetary loss; or
       (ii) $2,500 for such violation, not to exceed a total 
     amount of $500,000.
       (2) Additional remedy.--If the court in an action under 
     paragraph (1) finds that the defendant willfully, knowingly, 
     or repeatedly violated subsection (a) or (b), the court may, 
     in its discretion, increase the amount of the award under 
     paragraph (1)(B) to an amount not greater than three times 
     the amount available under paragraph (1)(B)(ii).
       (3) Litigation costs and attorney fees.--In any action 
     under paragraph (1), the court may, in its discretion, 
     require an undertaking for the payment of the costs of such 
     action and assess reasonable costs, including reasonable 
     attorney fees, against the defendant.
       (4) Venue.--In addition to any contractual provision 
     otherwise, venue for an action under paragraph (1) shall lie 
     where the computer software concerned was installed or used 
     or where the person alleged to have committed the violation 
     concerned is found.

[[Page 21279]]

       (5) Protection of trade secrets.--At the request of any 
     party to an action under paragraph (1), or any other 
     participant in such action, the court may, in its discretion, 
     issue a protective order and conduct proceedings in such 
     action so as to protect the secrecy and security of the 
     computer, computer network, computer data, computer program, 
     and computer software involved in order to--
       (A) prevent possible recurrence of the same or a similar 
     act by another person; or
       (B) protect any trade secrets of such party or participant.
       (f) Definitions.--In this section:
       (1) Collect.--The term ``collect'' means the gathering of 
     information about a computer or a user of computer software 
     by any means, whether direct or indirect and whether active 
     or passive.
       (2) Computer.--The term ``computer'' means a programmable 
     electronic device that can store, retrieve, and process data.
       (3) Computer software.--(A) Except as provided in 
     subparagraph (B), the term ``computer software'' means any 
     program designed to cause a computer to perform a desired 
     function or functions.
       (B) The term does not include a text file, or cookie, 
     placed on a person's computer system by an Internet service 
     provider, interactive computer service, or commercial 
     Internet website to return information to the Internet 
     service provider, interactive computer service, commercial 
     Internet website, or third party if the person subsequently 
     uses the Internet service provider or interactive computer 
     service, or accesses the commercial Internet website.
       (4) Information.--The term ``information'' means 
     information that personally identifies a user of computer 
     software, including the following:
       (A) A first and last name, whether given at birth or 
     adoption, assumed, or legally changed.
       (B) A home or other physical address including street name 
     and name of a city or town.
       (C) An electronic mail address.
       (D) A telephone number.
       (E) A social security number.
       (F) A credit card number, any access code associated with 
     the credit card, or both.
       (G) A birth date, birth certificate number, or place of 
     birth.
       (H) Any other unique information identifying an individual 
     that a computer software provider, Internet service provider, 
     interactive computer service, or operator of a commercial 
     Internet website collects and combines with information 
     described in subparagraphs (A) through (G) of this paragraph.
       (5) Person.--The term ``person'' has the meaning given that 
     term in section 3(32) of the Communications Act of 1934 (47 
     U.S.C. 153(32)).
       (6) User.--The term ``user'' means an individual who 
     acquires, through purchase or otherwise, computer software 
     for purposes other than resale.
       (g) Effective Date.--This section shall take effect 180 
     days after the date of the enactment of this Act.

                          ____________________