[Senate Report 108-424]
[From the U.S. Government Publishing Office]
108th Congress Report
SENATE
2d Session 108-424
_______________________________________________________________________
Calendar No. 811
THE SPY BLOCK ACT
__________
R E P O R T
OF THE
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
on
S. 2145
December 7, 2004.--Ordered to be printed
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
One Hundred Eighth Congress
Second Session
JOHN McCAIN, Arizona, Chairman
TED STEVENS, Alaska
CONRAD BURNS, Montana
TRENT LOTT, Mississippi
KAY BAILEY HUTCHISON, Texas
OLYMPIA J. SNOWE, Maine
SAM BROWNBACK, Kansas
GORDON SMITH, Oregon
PETER G. FITZGERALD, Illinois
JOHN ENSIGN, Nevada
GEORGE ALLEN, Virginia
JOHN E. SUNUNU, New Hampshire
ERNEST F. HOLLINGS, South Carolina
DANIEL K. INOUYE, Hawaii
JOHN D. ROCKEFELLER IV, West Virginia
JOHN F. KERRY, Massachusetts
JOHN B. BREAUX, Louisiana
BYRON L. DORGAN, North Dakota
RON WYDEN, Oregon
BARBARA BOXER, California
BILL NELSON, Florida
MARIA CANTWELL, Washington
FRANK LAUTENBERG, New Jersey
Jeanne Bumpus, Staff Director and General Counsel
Rob Freeman, Deputy Staff Director
Samuel Whitehorn, Democratic Staff Director and Chief Counsel
Margaret Spring, Democratic Senior Counsel
Mr. McCain, from the Committee on Commerce, Science, and
Transportation, submitted the following
R E P O R T
[To accompany S. 2145]
The Committee on Commerce, Science, and Transportation, to
which was referred the bill (S. 2145) to regulate the
unauthorized installation of computer software, to require
clear disclosure to computer users of certain computer software
features that may pose a threat to user privacy, and for other
purposes, having considered the same, reports favorably thereon
with an amendment (in the nature of a substitute) and
recommends that the bill (as amended) do pass.
Purpose of the Bill
The purpose of this legislation is to prohibit a variety of
deceptive software and online practices that may result in
spyware or other unwanted software being placed on consumers'
computers. Specifically, the legislation would prohibit (1)
deceptive software installation and removal practices; (2)
software that collects information about consumers or their
computer usage and transmits it to others automatically without
consent or notice of such features to consumers prior to the
collection of the information; (3) software delivering
advertisements on consumers' computers without identifying
itself as the source of the ads; and (4) various other
practices that may frustrate a consumer's control of his or her
computer.
Background and Needs
The term ``spyware'' commonly refers to software that
secretly monitors a computer user's activities, or collects his
or her personal information, and shares it with others via the
Internet without that user's knowledge or consent. Spyware may
be downloaded onto a consumer's computer in several different
forms: as self-executing programs contained in unsolicited e-
mail messages (spam); as advertisement-serving software
(adware); as keystroke-logging software (key-loggers); or as
what appears to be a harmless program or data file a user
downloads from a website or obtains through a file-sharing
program that actually contains malicious, self-executing
software code much like a virus (Trojan horses). \1\ Spyware
may be used for many criminal, deceptive, and privacy-intrusive
purposes, including: to record a user's keystroke data and
transmit to others his or her captured log-in account names,
passwords and e-mail addresses; to steal a user's financial and
other personally identifiable information (PII); to barrage
users with pop-up advertisements; to change a computer's dial-
up connection to dial a ``900 number'' pay-per-minute call
instead of the user's Internet service provider; and to
redirect browser home pages to promotional or pornographic
sites. According to a 2004 online safety study of home computer
users conducted jointly by the National Cyber Security Alliance
and America Online, Inc., eighty percent of those surveyed had
spyware or adware programs on their home computer. \2\
---------------------------------------------------------------------------
\1\ Internet industry experts differ in how they define the term
``spyware.'' For some, the terms ``spyware'', ``adware'',
``sneakware'', and ``malware'' are all used interchangeably. For
others, especially Internet advertising companies, there are
significant differences between spyware and adware, which will be
further discussed below.
\2\ Press Release, National Cyber Security Alliance, October 25,
2004 (see www.staysafeonline.info).
---------------------------------------------------------------------------
As further discussed below, the legislation addresses
deceptive practices and information collection with respect to
two types of software: ``spyware'' and ``adware''.
SPYWARE
The term spyware could be applied to software that does any
number of monitoring activities without a consumer's knowledge
or consent. However, most proponents of spyware legislation
agree that certain practices are clearly anti-consumer
practices that should be either prohibited because of privacy
concerns (i.e., spyware) or regulated for other consumer
protection purposes (i.e., deceptive trade practices). Taken
together, these illegal or, at the very least, unacceptable
practices typically are based on three types of problems: (1)
threats to the privacy and security of a user's computer
without his or her knowledge or consent; (2) the transparency
of the process used in distributing the programs, including
downloading and installing software on a consumer's computer;
and (3) the availability of easy-to-understand user controls to
remove any unwanted software. For example, most distributors of
legitimate software would agree that the following practices
should be, or are already, prohibited by law: reconfiguring a
consumer's operating system or other software on the computer
without the consumer's knowledge or consent; installing
software on a consumer's computer without permission, through
deceptive means, or by coercion; and preventing a consumer--by
either software design or by artificially creating an
unnecessarily complicated procedure--from easily removing
unwanted software from his or her computer.
In the prototypical case of spyware, a computer user is
unaware that a software program has been installed on his or
her computer, and if the user does become aware of it, he or
she often has a difficult time uninstalling it. In some cases,
spyware programs piggyback on other applications or trick users
into authorizing their download and installation through
deceptive ``pop-up'' ads. Additionally, some forms of spyware
spread themselves by exploiting security vulnerabilities in e-
mail attachments or browsers. Most often, consumers unknowingly
get spyware on their computer while downloading free
applications such as screensavers, games, basic utility
programs (e.g., calendars or calculators), or peer-to-peer
(P2P) file-sharing programs. Even if some actual notice of the
software's purpose is provided at the time of download, it is
often buried in the complexities of an End User License
Agreement (EULA) that obfuscates the warning. The usual result
is that consumers typically do not know that spyware is being
downloaded on their computer nor appreciate the level of
permission that they are unwittingly giving others to access
their computers, obtain their PII, or monitor their Internet
browsing habits.
By unintentionally allowing access to their computers,
consumers run the risk, among other things, of having their
credit card numbers and account passwords stolen, which may
ultimately result in the crime of identity theft being
perpetrated against them. Additionally, if a consumer gets
enough spyware on his or her computer, important resources such
as virtual memory and processing power may become over-
burdened, hindering the normal operation of the computer and
preventing the consumer from doing other tasks. Disturbingly, a
consumer in such situations normally experiences increasingly
sluggish computer performance, and in some cases inoperability,
without any clear indication to him or her of either the nature
of the problem, the responsible software, or the solution by
which to remedy it.
These performance issues are compounded by the inherent
characteristic of most spyware programs to not only be
difficult to find, but also difficult to remove. Often a user
will not be aware, even after the fact, that spyware has been
installed and is running because the software automatically
operates in the background. Additionally, most spyware programs
will not list themselves in the operating system's installed
program list, which is the most common way consumers would find
software that they wanted to remove from their computer.
Instead, the software code that runs spyware is often
intentionally dispersed into many separate file folders
throughout the computer, which usually makes it difficult for
even professional computer technicians to remove it completely
once installed. Some spyware programs also use separate stand-
alone features, such as a ``tickler'', which can reinstall the
program after a user has attempted to remove it. Other spyware
programs, dubbed ``burrower'' programs, implant themselves so
deeply into a computer's operating system that they cannot be
found because they effectively hide behind standard operating
system filenames.
ADWARE
One type of software program that some may refer to as
spyware is more accurately described as ``adware''. Adware is
software that resides on consumers' computers and serves
advertisements to them based upon their Internet browsing
habits. The ads are usually displayed in the form of pop-up
graphical message boxes (or ``windows'') separate from the web
browser.\3\ Advertising executives typically refer to this more
targeted means of advertising as ``contextual advertising'' because it
is based on an individual consumer's preferences derived from the
context of the webpages he or she actually views. For example, when a
computer user types a search term into a browser or clicks on a link
indicating some interest in a type of commercial activity, an adware
program will typically cause a pop-up window--containing an
advertisement, coupon, or both--to be displayed on the user's screen
until he or she either acts on it (i.e., by clicking on a link in the
ad) or otherwise closes the pop-up window (if possible). Like
telemarketing, this type of advertising and the methods companies
employ to deliver it have raised privacy concerns for consumers who do
not wish to receive the ads.
---------------------------------------------------------------------------
\3\ These windows may appear on top of the current webpage a user
is viewing (``pop-over'' ads), or underneath a webpage being viewed so
that the user will not see them until they close their browser window
(``pop-under'' ads).
---------------------------------------------------------------------------
Adware is normally bundled with free software that a
consumer downloads to his or her computer. Adware distributors
often describe the adware as pop-up ad or coupon programs that
make the free distribution of the other software economically
viable in the first place. Adware company executives also argue
that their companies do not distribute ``spyware'' because they
provide consumers with clear and concise notices about the
nature of their software and require a consumer's affirmative
consent (i.e., opt-in consent) before any adware programs are
downloaded or installed. Additionally, some adware companies
have provided testimony to the Committee explaining that their
programs do not collect PII nor share any information about a
user's computer with third parties. Rather, they testified, the
ad-serving software resident on a computer is used only to
monitor that user's web-browsing patterns in order to request a
highly contextual ad to be served to the computer that is
targeted to that user's known preferences.\4\
---------------------------------------------------------------------------
\4\ Additionally, other kinds of advertisement-serving software may
operate in real time and have no need to store or transmit PII that
might be ephemerally collected in the process of serving an
advertisement to a computer.
---------------------------------------------------------------------------
Adware companies maintain that these advertising practices
are not only legal and consistent with good software practices,
but that they are also consistent with traditional advertising
practices in other mediums as well. For example, adware
companies point out that this business model of receiving
advertisements in return for free content is similar to many
other legal, advertising-supported business models such as free
over-the-air television supported by TV commercials, free
Internet services like online e-mail supported by banner ads,
and free Internet access provided by ISPs that serve
advertisements through a proprietary browser that the user is
required to use to obtain Internet access. In each of these
other models, adware companies claim that consumers have no
control over the content, frequency, or length of time they are
forced to view ads. In addition, they argue that in each of
these other models, consumers face a stark choice: either
receive the free content with the ads, or not at all. Adware
companies therefore defend their model as no different than the
others--you may remove the adware, but when you do, the free
software with which it was bundled will also be removed. For
these reasons, adware companies argue that software operating
as their programs do should not be prohibited or regulated like
spyware.
Consumer advocacy groups and privacy experts argue in
response, however, that the other forms of advertising are mass
market advertising, and traditionally do not involve the
collection of PII or the monitoring of users' off-site viewing
habits in order to serve ads.\5\ Furthermore, these observers
argue that adware practices raise privacy concerns that are not
raised by traditional one-way, mass market advertising
practices, a key difference which justifies closer scrutiny and
regulation by the government. Finally, some commercial websites
contend that adware programs have enabled their competitors'
pop-over ads to be displayed on top of their webpages' content,
raising concerns of unfair trade practices, consumer deception,
and trademark infringement. Companies concerned about the
competitive fairness of contextual advertising claim that
customers are being confused by the pop-up ads, and that the
adware distributors are unjustly enriching themselves by
selling advertising space to companies on their competitors'
websites without authorization. Industry observers who support
adware-based business models counter that these issues of
competitive fairness should be addressed in traditional forums,
such as the courts, the Federal Trade Commission and the
Department of Justice, and that these developing business
models should not be prohibited preemptively by legislation.
---------------------------------------------------------------------------
\5\ For example, when browsing a financial website, you may see ads
for mortgage loans. However, the financial website typically will not
serve you ads for herbal medicines (even if you normally browse medical
sites) because the website typically does not track your viewing habits
on webpages not hosted by that financial website.
---------------------------------------------------------------------------
CURRENT EFFORTS TO ADDRESS CONSUMER CONCERNS
Anti-spyware Software. In response to the growing
proliferation of spyware and adware, manufacturers of privacy
and security software are now offering anti-spyware software to
consumers. Some of these companies have extensive previous
experience creating firewall, anti-virus, or anti-spam
software, and have begun including new anti-spyware features in
their existing titles as they release the latest versions.
Other companies have launched targeted anti-spyware programs
specifically designed to address the more complex tasks
associated with spyware. These programs may include features
such as detecting, removing, and preventing users from
unwittingly downloading spyware and other unknown malicious
software that may threaten the user's privacy, or the security
or operational integrity of the user's computer system.
Operationally, anti-spyware applications act much like
anti-virus software in that these programs are only able to
find and remove spyware and other programs that have been
identified by their programmers. The increasing proliferation
of malicious programs, however, creates an overwhelming problem
for anti-spyware programmers who have a difficult time keeping
up with the onslaught of new variations of spyware. For
example, PestPatrol, a leading anti-spyware program, only
recognized six types of spyware programs at the beginning of
2003, but within six months the company had identified over
forty different types of spyware.\6\ These anti-spyware
companies are facing an uphill battle very similar to the one fought by
spam-filtering companies in their fight to keep spam out of users' e-
mail inboxes. As more investment dollars flow to privacy and security
software developers, consumers can expect the release of many more
titles of anti-spyware software that employ the latest technological
means to combat spyware creators' ever-evolving techniques.
---------------------------------------------------------------------------
\6\ PC Magazine, ``Special Report: Spyware and Identity Theft,''
March 2, 2004.
---------------------------------------------------------------------------
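The paragraph above states that anti-spyware tools, like anti-virus software, can only find what their programmers have already identified. The following is an added illustration of that limitation, written for this page and not taken from the report or from any product it names. It models a scanner with two kinds of signatures over a handful of constructed byte strings that stand in for files on disk; every sample, hash and byte pattern is made up for the illustration, and the family names are hypothetical.

```python
"""Toy signature scanner: why signature-based anti-spyware lags new variants.

Added example for illustration only; not code from the report or from any
vendor it mentions. All samples, hashes and patterns below are constructed.
"""
import hashlib
from typing import Dict, List, Optional

# Constructed "known bad" samples, as a vendor's analysts might have collected.
KNOWN_SAMPLES = [
    b"TRACKER v1.0 config=http://ads.example/",    # hypothetical adware family
    b"KEYLOG build 7 upload=ftp://drop.example/",  # hypothetical key-logger
]

# Signature type 1: exact SHA-256 of each analysed file. Cheap and precise,
# but any single-byte change to the file defeats it.
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(sample).hexdigest(): "known-sample" for sample in KNOWN_SAMPLES
}

# Signature type 2: a byte pattern shared by several builds of one family.
# Broader than a hash, but it still has to be written by an analyst after the
# family has been seen; a rewritten family needs a brand-new pattern.
PATTERN_SIGNATURES: Dict[bytes, str] = {
    b"TRACKER v1.": "tracker-family",
}


def scan(blob: bytes) -> Optional[str]:
    """Return the name of the first matching signature, or None.

    Exact-hash signatures are tried first (no false positives), then the
    byte-pattern signatures (catch minor variants of a known family).
    """
    digest = hashlib.sha256(blob).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in blob:
            return name
    return None


# Constructed corpus: what the scanner might meet on a consumer's computer.
SAMPLE_CORPUS: Dict[str, bytes] = {
    "original_tracker": b"TRACKER v1.0 config=http://ads.example/",
    "minor_variant":    b"TRACKER v1.1 config=http://ads.example/",  # hash changes, pattern survives
    "rewritten_family": b"TRACKER v2.0 cfg=http://ads.example/",     # neither signature fits yet
    "known_keylogger":  b"KEYLOG build 7 upload=ftp://drop.example/",
    "benign_calendar":  b"CALENDAR 3.2 free edition",
}


def scan_corpus(corpus: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Scan every sample and report which signature (if any) matched."""
    return {label: scan(blob) for label, blob in corpus.items()}


def undetected(corpus: Dict[str, bytes]) -> List[str]:
    """Labels the signature database says nothing about, sorted for stable output.

    A benign file belongs here; so does any spyware the analysts have not yet
    catalogued, which is exactly the gap the report describes.
    """
    return sorted(label for label, hit in scan_corpus(corpus).items() if hit is None)


if __name__ == "__main__":
    for label, hit in scan_corpus(SAMPLE_CORPUS).items():
        print(f"{label:18s} -> {hit or 'no signature match'}")
    print("needs analyst attention or is benign:", undetected(SAMPLE_CORPUS))
```

Running it shows the original sample and the key-logger caught by exact hash, the minor variant caught only by the family pattern, and the rewritten build passing unseen alongside the benign file. Closing that last gap requires an analyst to write a new signature, which is the lag the report attributes to the "onslaught of new variations of spyware".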
Operating System and Internet Browser Upgrades. Microsoft
recently released an operating system upgrade to its popular
Windows XP system that contains the code for an enhanced-
security Windows Internet browser. This latest release, Service
Pack 2 (or SP2), has been widely reported as a significant step
in resolving numerous security issues found with previous
versions of XP. It is expected that a number of the new
features contained in SP2 will alleviate some of the problems
experienced by consumers that have been attributable to
spyware. In particular, SP2 provides a new firewall program for
users. Unlike XP's earlier firewall, this one is automatically
enabled as a default and protects every connection on a
computer, even if a user already has third-party software
firewalls running on the computer. The new system also monitors
the activities of all computer programs that are running--if
one of them attempts to open up a new channel of communication
with the Internet, the user is prompted to first approve the
action. This latter feature may help prevent the type of
spyware that collects personal information and, unbeknownst to
the user, surreptitiously transmits it through an open Internet
connection to a destination where it may be stored. In addition
to Microsoft's efforts, other developers of operating systems
and Internet browsers are working to update their systems to
provide better security from all Internet threats including
spyware.
Consumer Awareness of Safe Browsing Practices. Many public
interest organizations and consumer advocacy groups that
monitor Internet practices have begun initiatives to educate
consumers about the proliferation and harmfulness of spyware.
The Center for Democracy and Technology (CD&T), in particular,
released a report in November 2003 entitled Ghosts in Our
Machines: Background and Policy Proposals on the ``Spyware''
Problem.\7\ Much of the information on the spyware practices
reported by CD&T has been previously summarized in the
background section above, but the report also provides tips for
computer users about what steps they can take today to protect
their personal information and programs from spyware. For
example, in addition to running spyware detection and removal
utilities, CD&T recommends that consumers avoid installing
free, ad-supported applications unless they are from a trusted
party, particularly if the advertising component is provided by
an unknown third party. CD&T also advises consumers to
diligently monitor their Internet browsing, being mindful of
webpages or pop-up ads with automated download procedures that
may start running without their consent or active input. As
suggested by the report, Internet users who wish to prevent
spyware on their computers should raise the security level of
their Internet browsers so that automated, self-executing
downloads are prohibited.\8\
---------------------------------------------------------------------------
\7\ Copies of this report may be obtained at http://www.cdt.org/privacy/spyware.
\8\ Using a browser's highest security setting, however, may cause
the loss of some functionality, particularly on webpages that contain
significant amounts of graphic or video content, or interactive
features.
---------------------------------------------------------------------------
In addition to consumer advocacy groups, government
officials at the Federal Trade Commission and the Organization
for Economic Co-operation and Development (OECD) have
spearheaded efforts at both organizations to develop a set of
understandable Internet security principles that should be
publicly promoted and voluntarily adopted in order to keep
consumers safe online.\9\ The spread of spyware and the
proliferation of computer viruses are greatly aided by computer
users' lack of awareness of the risks of such harmful programs.
Through government and private efforts to strengthen consumer
awareness of the potential risks arising from indiscriminately
downloading unfamiliar software, the spread of spyware and
malicious programs could potentially be reduced.
---------------------------------------------------------------------------
\9\ The Federal Trade Commission's ``Stay Safe Online'' initiative
and related resources can be viewed at http://www.ftc.gov/infosecurity.
---------------------------------------------------------------------------
Software Industry Efforts. One of the concerns raised by
business software companies with respect to proposed spyware
legislation is that the definition of spyware must be narrowly
tailored. If not, they explain, important business software
relied on by corporate America will be unintentionally pulled
into a web of burdensome regulatory practices that may not only
prevent the software's most efficient use, but also limit its
future innovation and development. Software industry efforts
have therefore focused on identifying a set of industry best
practices for the download, installation, and removal of
software programs on consumers' computers in order to define
legitimate practices that should remain free of regulation.
Likewise, the industry's help in identifying ``unacceptable''
or deliberately criminal or deceptive trade practices will not
only aid policymakers, but also will help consumer advocacy
groups shape the message to consumers as to the type of
suspicious software practices they should be mindful of while
using a computer. Many spyware experts suggest that
policymakers, consumer groups, and software developers should
work cooperatively together to identify areas ripe for
legislation, to improve consumer awareness of spyware-related
problems, and to encourage safe online browsing and downloading
practices.
State Legislation. In 2004, several State legislatures
considered, and in some cases passed, spyware legislation to
address many of the deceptive practices outlined above.
Industry representatives opposed to State legislation have
argued that many of these spyware practices already violate
existing Federal and State civil laws and regulations governing
computer fraud and abuse, electronic privacy, and consumer
protection, as well as criminal fraud laws. Industry observers
supporting Federal legislation, however, contend that one
uniform national law regulating spyware is necessary to preempt
States from enacting 50 different laws in the future that may
create uncertainty for business models or unintentionally
capture legitimate software practices within the scope of their
regulations.
Legislative History
On February 27, 2004, Senator Burns introduced S. 2145, the
``SPY BLOCK Act of 2004,'' which was referred to the Committee
on Commerce, Science, and Transportation for consideration. The
bill was originally cosponsored by Senators Wyden and Boxer,
and is also cosponsored by Senator Clinton. Additionally,
spyware legislation was introduced in the House of
Representatives by Rep. Bono on July 25, 2003 (H.R. 2929), and
by Rep. Goodlatte on June 23, 2004 (H.R. 4661).
On March 23, 2004, the Committee's Communications
Subcommittee held a hearing on S. 2145 at which Subcommittee
Chairman Burns presided. Witnesses at the hearing included a
diverse group of representatives from a company, an industry
association, a public interest group, and a private party, each
of whom had expertise on spyware, adware, and other Internet
matters raising consumer protection concerns.
On September 22, 2004, the Committee met in open executive
session to consider an amendment in the nature of a substitute
to S. 2145 offered by Senator Burns that made several
substantive changes to the bill's provisions as introduced.
Additionally, Senator Allen offered an amendment to add
criminal penalties for using unauthorized software
installations on a computer to engage in federal criminal
activities or impair the computer's security protections. The
amendments were adopted by voice vote and the bill, as amended,
was ordered to be reported.
Estimated Costs
In accordance with paragraph 11(a) of rule XXVI of the
Standing Rules of the Senate and section 403 of the
Congressional Budget Act of 1974, the Committee provides the
following cost estimate, prepared by the Congressional Budget
Office:
U.S. Congress,
Congressional Budget Office,
Washington, DC, October 5, 2004.
Hon. John McCain,
Chairman, Committee on Commerce, Science, and Transportation,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 2145, the SPY BLOCK
Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contacts are Susanne S.
Mehlman (for federal costs), and Sarah Puro (for the impact on
state, local, and tribal governments).
Sincerely,
Elizabeth Robinson,
(For Douglas Holtz-Eakin, Director).
Enclosure.
S. 2145--SPY BLOCK Act
Summary: S. 2145 would prohibit the use of computer
software (known as spyware) to collect personal information and
to monitor the behavior of computer users without permission.
Enacting S. 2145 could affect direct spending and receipts
because those individuals who violate the provisions under this
legislation could be subject to civil and criminal penalties.
Based on information provided by the Federal Trade Commission
(FTC), CBO estimates that implementing S. 2145 would not have a
significant effect on revenues, direct spending, or spending
subject to appropriation.
S. 2145 contains intergovernmental mandates as defined in
the Unfunded Mandates Reform Act (UMRA), but CBO estimates that
the resulting costs for state, local, and tribal governments
would be minimal and would not exceed the threshold established
in UMRA ($60 million in 2004, adjusted annually for inflation).
The bill would impose mandates on the private sector. CBO's
analysis of the cost of those mandates will be provided later
in a separate report.
Estimated cost to the Federal Government: Enacting S. 2145
could increase federal direct spending and revenues from the
criminal and civil penalties assessed for violations under the
bill's provisions, but CBO estimates that any new collections
and subsequent spending would be less than $500,000 a year.
Implementing the bill also could increase spending by the
FTC and other federal agencies for law enforcement, subject to
the availability of appropriated funds. However, due to the
relatively small number of cases likely to be involved, CBO
expects that any such increase would be insignificant.
Estimated impact on state, local, and tribal governments:
Section 8 would require the Attorney General of a state who
files a civil suit against a person engaging in activities
prohibited by this bill to notify the FTC and would grant the
FTC the right to intervene in such a suit. This requirement on
the officers of a state constitutes a mandate as defined in
UMRA.
Section 9(b) would preempt state laws that prohibit the use
of certain types of computer software and would establish
penalties for violators. Section 1030A would prohibit states
from creating civil penalties that specifically reference the
provisions of this bill. Those preemptions and prohibitions are
mandates as defined in UMRA but would specifically preserve
state authority to pursue fraud, trespass, contract, and tort
cases under state law. They also would not prohibit states from
enacting similar criminal and civil statutes.
CBO estimates that any costs to state, local, or tribal
governments would be insignificant and would fall significantly
below the threshold established in UMRA ($60 million in 2004,
adjusted annually for inflation).
Estimated impact on the private sector: The bill would
impose mandates on the private sector. CBO's analysis of the
cost of those mandates will be provided later in a separate
report.
Previous CBO estimates: On July 8, 2004, CBO transmitted a
cost estimate for H.R. 2929, the Securely Protect Yourself
Against Cyber Trespass Act, as ordered reported by the House
Committee on Energy and Commerce on June 24, 2004. In addition,
on September 28, 2004, CBO transmitted a cost estimate for H.R.
4661, the Internet Spyware (I-SPY) Prevention Act of 2004, as
ordered reported by the House Committee on the Judiciary on
September 8, 2004. All three pieces of legislation are similar,
although H.R. 4661 would authorize the appropriation of funds
to enforce its provisions. The intergovernmental mandates in S.
2145 also were contained in H.R. 2929 and H.R. 4661.
Estimate prepared by: Federal Costs: Susanne S. Mehlman.
Impact on State, Local, and Tribal Governments: Sarah Puro.
Estimate approved by: Robert A. Sunshine, Assistant
Director for Budget Analysis.
Regulatory Impact Statement
In accordance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee provides the
following evaluation of the regulatory impact of the
legislation, as reported:
NUMBER OF PERSONS COVERED
S. 2145 would establish Federal regulations for certain
practices that may result in spyware or other unwanted software
being placed on consumers' computers without their consent. The
bill would therefore cover every person or entity that causes
the installation of software or the delivery of advertisements
in a proscribed manner on consumers' computers, subject to
certain limitations set forth in the legislation.
ECONOMIC IMPACT
S. 2145 would require software distributors, websites,
Internet service providers, and other online entities involved
in the distribution, download, installation, operation, or
removal of software, or in the delivery of advertisements in a
certain manner, to comply with notice, consent, and removal
requirements when causing the installation of software or
delivery of advertisements in such manner on consumers'
computers. Although such entities may already voluntarily
provide notice, consent, and other protections for consumers,
the legislation could nonetheless create compliance costs on
such providers in the form of equipment upgrades or personnel
additions in order to ensure that their practices satisfy the
new federal requirements. Such expenditures may have an
economic impact on such businesses and the software
distribution or online advertising industries in general, and
the costs may be passed on to Internet users through increased
costs of software, Internet access, website premium fees, or
other charges.
PRIVACY
S. 2145 would likely increase consumer privacy by imposing
limitations on the installation of software that may collect
and transmit information about a user, a user's web-browsing
habits, or other use of a computer without the user's consent
or prior notice. Such restrictions should result in a reduced
likelihood of Internet users having unwanted software installed
on their computer and personal information shared without their
consent. In this regard, the legislation is similar to online
privacy legislation which the Committee has previously
considered.
PAPERWORK
S. 2145 is expected to have minimal or no impact on current
paperwork levels.
Section-by-Section Analysis
Section 1. Short title
Section 1 would set forth the short title of the
legislation as the ``Software Principles Yielding Better Levels
of Consumer Knowledge Act'' or the ``SPY BLOCK Act''.
Section 2. Prohibited practices in relation to software installation in general
Section 2 would prohibit certain installation and removal
practices for computer software. Subsection (a) would prohibit
the surreptitious installation of software by persons other
than the authorized user of a computer. For purposes of this
subsection, surreptitious installation would mean the
installation of software in a manner that is designed either to
conceal from the computer user the fact that the software is
being installed or to prevent the user from having an
opportunity to knowingly grant or withhold his or her consent
to the installation.
Subsection (b) would prohibit third parties wishing to
install software on users' computers from using misleading
inducements to achieve that result. For purposes of this
subsection, misleading inducements to install would be inducing
an authorized user of a computer to consent to the installation
of software by making false representations about any of the
following: the identity of an operator of an Internet website
or online service at which the software is made available for
download from the Internet; the identity of the author or
publisher of the software; the nature or function of the
software; or the consequences of not installing the software.
Subsection (c) would prohibit the installation of software
on a computer if such software could not be uninstalled or
disabled by the reasonable efforts of the user. This
prohibition would not, however, require that individual
features or functions of a software program, updates to a
previously installed software program, or software programs
that were installed on a bundled basis be separately capable of
being uninstalled or disabled on an individual basis.
Section 3. Installing surreptitious information collection features on a user's computer
Section 3 would prohibit software having surreptitious
information collection features from being installed on a
user's computer without first informing and obtaining the
consent of the user.
Specifically, this section would prohibit a person who is
not an authorized user of a computer to cause the installation
of software on that computer that collects and transmits
information about an authorized user of the computer, or an
authorized user's Internet browsing behavior or other use of
the computer, to any other person, on an automatic basis or at
the direction of a person other than the authorized user of the
computer, if--
(1) the software's collection and transmission of
such information is not functionally related to or in
support of a software capability or function that an
authorized user of the computer has chosen or consented
to execute or enable, and
(2) either--
(A) there has been no notification to an
authorized user of the computer, prior to the
collection of such information, explaining the
type or manner of information collection, or
(B) if notice has been provided--
(i) it was not provided in a manner
reasonably calculated to provide actual
notice to an authorized user of the
computer, or
(ii) it occurred at a time or in a
manner that did not enable an
authorized user of the computer to
consider the information contained in
the notification before choosing
whether to permit the collection or
transmission of information.
This section also provides an exception to these
requirements for software that is reasonably necessary to
determine whether a user of a computer is licensed or
authorized to use the software.
Section 4. Adware that conceals its operation
Section 4 would prohibit adware that conceals its operation
by delivering ads to a computer at a time or in a manner such
that a reasonable user of the computer may not understand that
the software is responsible for delivering the advertisements,
and the ads do not contain a label or other reasonable means of
identifying which software is responsible for its delivery.
Section 5. Other practices that thwart user control of computer
Section 5 would prohibit certain practices that thwart user
control of a computer. Under the provisions of this section, it
would be unlawful for any person who is not the authorized user
of a computer knowingly and without authorization--
to utilize the computer to send unsolicited
information or material from the computer to other
computers;
to divert the Internet browser of the
computer away from the website the user intended to
view to one or more other websites, unless such
diversion has been authorized by the website the user
intended to view;
to display an advertisement, series of
advertisements, or other content through windows in the
computer's Internet browser in such a manner that the
user of the computer cannot end the display of such
advertisements or content without turning off the
computer or closing the Internet browser;
to covertly modify settings relating to the
use of the computer or to the computer's access to or
use of the Internet, including--
altering the default webpage that
initially appears when a user of the computer
launches an Internet browser;
altering the default provider or web
proxy used to access or search the Internet;
altering bookmarks used to store
favorite Internet website addresses; or
altering settings relating to
security measures that protect the computer and
the information stored on the computer against
unauthorized access or use;
to use software installed in violation of
section 3 to collect information about the user or the
user's Internet browsing behavior; or
to remove, disable, or render inoperative a
security or privacy protection technology installed on
the computer.
Section 6. Limitations on liability
Section 6 would limit the liability of any person who may
inadvertently provide services, such as Internet access or web
hosting services, over which prohibited software practices are
conducted without their active participation in such practices.
Under this section, a person would not be liable for violations
of the Act solely because the person provided the Internet
connection, telephone connection, or other transmission or
routing function through which software was delivered to a
protected computer for installation. Additionally, a person
would not be liable for violations of the Act solely for
providing storage for software or for hosting an Internet
website through which such software was made available for
installation to a computer. Finally, a person would not be
liable for violations of the Act solely for providing an
information location tool (i.e., a directory, index, reference,
pointer, or hypertext link) through which a user of a protected
computer located software available for installation.
This section would also ensure that providers of a network
or online service shall not be deemed to have violated sections
3 or 5 of the Act for any installation, monitoring or use of
software for the purposes of (1) protecting the security of the
network, service, or computer, (2) facilitating diagnostics,
technical support, maintenance, network management, or repair
of the network or services, or (3) preventing or detecting
unauthorized, fraudulent, or otherwise unlawful uses of the
network or service.
Section 7. Administration and enforcement
Section 7 would provide that the Act be enforced by the
Federal Trade Commission (FTC) as if the violation of this Act
were an unfair or deceptive act or practice proscribed by an
FTC trade rule or regulation pursuant to the Commission's
authority under section 18(a)(1)(B) of the FTC Act (15 U.S.C.
57a(a)(1)(B)). The FTC would be required to prevent persons
from violating this legislation in the same manner, by the same
means, and with the same jurisdiction, powers, and duties as
though all applicable terms and provisions of the FTC Act were
incorporated and made a part of this legislation.
This section would also provide for enforcement by other
agencies for entities subject to their jurisdiction due to the
jurisdictional limitations of the FTC. These agencies would be
permitted under the Act to exercise authority provided by their
own statutory grants to enforce the substantive provisions of
this legislation.
Section 8. Actions by States
Section 8 would grant State attorneys general the right to
bring a civil action for violations of the Act. A State may
bring an action in parens patriae for aggrieved residents of
the State in a district court of the United States of
appropriate jurisdiction to enjoin practices, enforce
compliance with a rule that has been violated, obtain damages,
restitution or other compensation on behalf of its residents,
or obtain such other relief as the court may consider
appropriate.
Except where an attorney general determines that it is not
feasible prior to the filing of an action, this section would
require a State to provide the FTC with written notice of the
action and a copy of the complaint for that action prior to its
filing. In the event such prior notification is not feasible,
the State would be required to provide such notification
simultaneously with the filing of the action. Upon receipt of
the notice, the FTC would have the right to intervene in the
action, and if it intervenes, would have the further rights to
be heard with respect to any matter that arises in that action
and to file a petition for appeal.
Section 9. Effect on other laws
Section 9 would clarify the effect the legislation would
have on current Federal and State law. This section would set
forth that nothing in the Act should be construed to limit or
affect in any way the FTC's authority to bring enforcement
actions or take any other measures under the FTC Act or any
other provision of law.
Additionally, this section would provide a general rule
preempting any State statute, regulation, or rule that
expressly limits or restricts the installation or use of
software (1) to collect information about the user of the
computer, or the user's Internet browsing behavior or other use
of the computer, or (2) to cause advertisements to be delivered
to the user of the computer. Exceptions to this general rule of
preemption would be provided for State laws that prohibit
deception in connection with the installation or use of such
software and any other State laws not specific to software,
including State trespass, contract, tort, or anti-fraud law.
Section 10. Penalties for certain unauthorized activities relating to computers
Section 10 would provide criminal liability for certain
acts carried out using software without the authorization of
the user of the computer. This section would make it a crime to
intentionally access a computer without authorization, or
intentionally exceed authorized access, by causing a computer
program or code to be copied onto the computer and using that
program or code in furtherance of another federal criminal
offense. Such conduct would be punishable by fine or
imprisonment for up to 5 years. Additionally, this section
would make it a crime to intentionally access a computer
without authorization, or intentionally exceed authorized
access, by causing a computer program or code to be copied onto
the computer and using that program or code to intentionally
impair the security protections of a computer. Such conduct
would be punishable by fine or imprisonment for up to 2 years.
Section 10 would also provide the same limitations on
liability for purposes of this section's provisions that are
provided under section 6 for purposes of the bill's civil
provisions. Specifically, under these limitations on liability,
providers of certain services, such as Internet access, website
hosting, website indexing, or network monitoring services,
would not be criminally liable under this section solely for
providing those services through which software may be used in
violation of this section. This section would also prohibit the
bringing of State civil actions under the law of any State
where the action is premised in whole or in part on the
defendant's violating this section. For purposes of this
section, the term ``State'' would include the District of
Columbia, Puerto Rico, and any other territory or possession of
the United States.
Section 11. Definitions
Section 11 would define 10 terms used throughout the Act.
The following definitions included in the Act are of particular
importance to understanding the legislation and the explanation
of the Act's provisions provided in this section-by-section
analysis:
Software. The term ``software'' would mean any
program designed to cause a computer to perform a
desired function or functions. Such term would not
include a cookie, as defined in this section.
Cookie. The term ``cookie'' would mean a text file
that is placed on a computer by an ISP, an interactive
computer service, or Internet website, the sole
function of which is to record information that can be
read or recognized when the user of the computer
subsequently accesses particular websites or online
locations or services.
Install. The term ``install'' would mean to write
computer software to a computer's persistent storage
medium, such as the computer's hard disk, in such a way
that the computer software is retained on the computer
after the computer is turned off and subsequently
restarted. The term ``install'' would also mean to write
computer software to a computer's temporary memory, such
as random access memory, in such a way that the software
is retained and continues to operate after the user of
the computer turns off or exits the Internet service,
interactive computer service, or Internet website from
which the computer software was obtained.
Cause the installation. The term ``cause the
installation'' would mean to knowingly provide the
technical means by which the software is installed, or
to knowingly induce or pay or provide other
consideration to another person to do so.
Section 12. Effective date
Section 12 would provide that the provisions of this
legislation would take effect 180 days after the date of
enactment.
Changes in Existing Law
In compliance with paragraph 12 of rule XXVI of the Standing
Rules of the Senate, changes in existing law made by the bill,
as reported, are shown as follows (existing law proposed to be
omitted is enclosed in black brackets, new material is printed
in italic, existing law in which no change is proposed is shown
in roman):
TITLE 18, UNITED STATES CODE
PART I. CRIMES
CHAPTER 47. FRAUD AND FALSE STATEMENTS
* * * * * * *
Sec. 1030A Illicit indirect use of protected computers
(a) Whoever intentionally accesses a protected computer
without authorization, or exceeds authorized access to a
protected computer, by causing a computer program or code to be
copied onto the protected computer, and intentionally uses that
program or code in furtherance of another Federal criminal
offense shall be fined under this title or imprisoned 5 years,
or both.
(b) Whoever intentionally accesses a protected computer
without authorization, or exceeds authorized access to a
protected computer, by causing a computer program or code to be
copied onto the protected computer, and by means of that
program or code intentionally impairs the security protection
of the protected computer shall be fined under this title or
imprisoned not more than 2 years, or both.
(c) A person shall not violate this section who solely
provides--
(1) an Internet connection, telephone connection, or
other transmission or routing function through which
software is delivered to a protected computer for
installation;
(2) the storage or hosting of software, or of an
Internet website, through which software is made
available for installation to a protected computer; or
(3) an information location tool, such as a
directory, index, reference, pointer, or hypertext
link, through which a user of a protected computer
locates software available for installation.
(d) A provider of a network or online service that an
authorized user of a protected computer uses or subscribes to
shall not violate this section by any monitoring of,
interaction with, or installation of software for the purpose
of--
(1) protecting the security of the network, service,
or computer;
(2) facilitating diagnostics, technical support,
maintenance, network management, or repair; or
(3) preventing or detecting unauthorized, fraudulent,
or otherwise unlawful uses of the network or service.
(e) No person may bring a civil action under the law of any
State if such action is premised in whole or in part upon the
defendant's violating this section. For the purposes of this
subsection, the term `State' includes the District of Columbia,
Puerto Rico, and any other territory or possession of the
United States.