[House Report 110-169]
[From the U.S. Government Publishing Office]

110th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 1st Session                                                    110-169
======================================================================

      SECURELY PROTECT YOURSELF AGAINST CYBER TRESPASS ACT (SPY ACT)

                                _______

May 24, 2007.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

                                _______

Mr. Dingell, from the Committee on Energy and Commerce, submitted the following

                              R E P O R T

                        [To accompany H.R. 964]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Energy and Commerce, to whom was referred the bill (H.R. 964) to protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass.

                                CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
Statement of General Performance Goals and Objectives
New Budget Authority, Entitlement Authority, and Tax Expenditures
Earmarks and Tax and Tariff Benefits
Committee Cost Estimate
Congressional Budget Office Estimate
Federal Mandates Statement
Advisory Committee Statement
Constitutional Authority Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

    The amendment is as follows:
    Strike all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Securely Protect Yourself Against Cyber Trespass Act'' or the ``Spy Act''.

SEC. 2. PROHIBITION OF UNFAIR OR DECEPTIVE ACTS OR PRACTICES RELATING TO SPYWARE.

    (a) Prohibition.--It is unlawful for any person, who is not the owner or authorized user of a protected computer, to engage in unfair or deceptive acts or practices that involve any of the following conduct with respect to the protected computer:
        (1) Taking control of the computer by--
            (A) utilizing such computer to send unsolicited information or material from the computer to others;
            (B) diverting the Internet browser of the computer, or similar program of the computer used to access and navigate the Internet--
                (i) without authorization of the owner or authorized user of the computer; and
                (ii) away from the site the user intended to view, to one or more other Web pages, such that the user is prevented from viewing the content at the intended Web page, unless such diverting is otherwise authorized;
            (C) accessing, hijacking, or otherwise using the modem, or Internet connection or service, for the computer and thereby causing damage to the computer or causing the owner or authorized user or a third party defrauded by such conduct to incur charges or other costs for a service that is not authorized by such owner or authorized user;
            (D) using the computer as part of an activity performed by a group of computers that causes damage to another computer; or
            (E) delivering advertisements or a series of advertisements that a user of the computer cannot close or terminate without undue effort or knowledge by the user or without turning off the computer or closing all sessions of the Internet browser for the computer.
        (2) Modifying settings related to use of the computer or to the computer's access to or use of the Internet by altering--
            (A) the Web page that appears when the owner or authorized user launches an Internet browser or similar program used to access and navigate the Internet;
            (B) the default provider used to access or search the Internet, or other existing Internet connections settings;
            (C) a list of bookmarks used by the computer to access Web pages; or
            (D) security or other settings of the computer that protect information about the owner or authorized user for the purposes of causing damage or harm to the computer or owner or user.
        (3) Collecting personally identifiable information through the use of a keystroke logging function.
        (4) Inducing the owner or authorized user of the computer to disclose personally identifiable information by means of a Web page that--
            (A) is substantially similar to a Web page established or provided by another person; and
            (B) misleads the owner or authorized user that such Web page is provided by such other person.
        (5) Inducing the owner or authorized user to install a component of computer software onto the computer, or preventing reasonable efforts to block the installation or execution of, or to disable, a component of computer software by--
            (A) presenting the owner or authorized user with an option to decline installation of such a component such that, when the option is selected by the owner or authorized user or when the owner or authorized user reasonably attempts to decline the installation, the installation nevertheless proceeds; or
            (B) causing such a component that the owner or authorized user has properly removed or disabled to automatically reinstall or reactivate on the computer.
        (6) Misrepresenting that installing a separate component of computer software or providing log-in and password information is necessary for security or privacy reasons, or that installing a separate component of computer software is necessary to open, view, or play a particular type of content.
        (7) Inducing the owner or authorized user to install or execute computer software by misrepresenting the identity or authority of the person or entity providing the computer software to the owner or user.
        (8) Inducing the owner or authorized user to provide personally identifiable, password, or account information to another person--
            (A) by misrepresenting the identity of the person seeking the information; or
            (B) without the authority of the intended recipient of the information.
        (9) Removing, disabling, or rendering inoperative a security, anti-spyware, or anti-virus technology installed on the computer.
        (10) Installing or executing on the computer one or more additional components of computer software with the intent of causing a person to use such components in a way that violates any other provision of this section.
    (b) Guidance.--The Commission shall issue guidance regarding compliance with and violations of this section. This subsection shall take effect upon the date of the enactment of this Act.
    (c) Effective Date.--Except as provided in subsection (b), this section shall take effect upon the expiration of the 6-month period that begins on the date of the enactment of this Act.

SEC. 3. PROHIBITION OF COLLECTION OF CERTAIN INFORMATION WITHOUT NOTICE AND CONSENT.
    (a) Opt-in Requirement.--Except as provided in subsection (e), it is unlawful for any person--
        (1) to transmit to a protected computer, which is not owned by such person and for which such person is not an authorized user, any information collection program, unless--
            (A) such information collection program provides notice in accordance with subsection (c) before downloading or installing any of the information collection program; and
            (B) such information collection program includes the functions required under subsection (d); or
        (2) to execute any information collection program installed on such a protected computer unless--
            (A) before execution of any of the information collection functions of the program, the owner or an authorized user of the protected computer has consented to such execution pursuant to notice in accordance with subsection (c); and
            (B) such information collection program includes the functions required under subsection (d).
    (b) Information Collection Program.--
        (1) In general.--For purposes of this section, the term ``information collection program'' means computer software that performs either of the following functions:
            (A) Collection of personally identifiable information.--The computer software--
                (i) collects personally identifiable information; and
                (ii)(I) sends such information to a person other than the owner or authorized user of the computer, or (II) uses such information to deliver advertising to, or display advertising on, the computer.
            (B) Collection of information regarding internet activity to deliver advertising.--The computer software--
                (i) collects information regarding the user's Internet activity using the computer; and
                (ii) uses such information to deliver advertising to, or display advertising on, the computer.
        (2) Exception for software collecting information regarding internet activity within a particular web site.--Computer software that otherwise would be considered an information collection program by reason of paragraph (1)(B) shall not be considered such a program if--
            (A) the only information collected by the software regarding the user's internet activity, and used to deliver advertising to, or display advertising on, the protected computer, is--
                (i) information regarding Web pages within a particular Web site; or
                (ii) in the case of any Internet-based search function, user-supplied search terms necessary to complete the search and return results to the user;
            (B) such information collected is not sent to a person other than--
                (i) the provider of the Web site accessed or Internet-based search function; or
                (ii) a party authorized to facilitate the display or functionality of Web pages within the Web site accessed; and
            (C) the only advertising delivered to or displayed on the computer using such information is advertising on Web pages within that particular Web site.
    (c) Notice and Consent.--
        (1) In general.--Notice in accordance with this subsection with respect to an information collection program is clear and conspicuous notice in plain language, set forth as the Commission shall provide, that meets all of the following requirements:
            (A) The notice clearly distinguishes a statement required under subparagraph (B) from any other information visually presented contemporaneously on the computer.
            (B) The notice contains one of the following statements, as applicable, or a substantially similar statement:
                (i) With respect to an information collection program described in subsection (b)(1)(A): ``This program will collect and transmit information about you. Do you accept?''.
                (ii) With respect to an information collection program described in subsection (b)(1)(B): ``This program will collect information about Web pages you access and will use that information to display advertising on your computer. Do you accept?''.
                (iii) With respect to an information collection program that performs the actions described in both subparagraphs (A) and (B) of subsection (b)(1): ``This program will collect and transmit information about you and will collect information about Web pages you access and use that information to display advertising on your computer. Do you accept?''.
            (C) The notice provides for the user--
                (i) to grant or deny consent referred to in subsection (a) by selecting an option to grant or deny such consent; and
                (ii) to abandon or cancel the transmission or execution referred to in subsection (a) without granting or denying such consent.
            (D) The notice provides an option for the user to select to display on the computer, before granting or denying consent using the option required under subparagraph (C), a clear description of--
                (i) the types of information to be collected and sent (if any) by the information collection program;
                (ii) the purpose for which such information is to be collected and sent; and
                (iii) in the case of an information collection program that first executes any of the information collection functions of the program together with the first execution of other computer software, the identity of any such software that is an information collection program.
            (E) The notice provides for concurrent display of the information required under subparagraphs (B) and (C) and the option required under subparagraph (D) until the user--
                (i) grants or denies consent using the option required under subparagraph (C)(i);
                (ii) abandons or cancels the transmission or execution pursuant to subparagraph (C)(ii); or
                (iii) selects the option required under subparagraph (D).
        (2) Single notice.--The Commission shall provide that, in the case in which multiple information collection programs are provided to the protected computer together, or as part of a suite of functionally related software, the notice requirements of paragraphs (1)(A) and (2)(A) of subsection (a) may be met by providing, before execution of any of the information collection functions of the programs, clear and conspicuous notice in plain language in accordance with paragraph (1) of this subsection by means of a single notice that applies to all such information collection programs, except that such notice shall provide the option under subparagraph (D) of paragraph (1) of this subsection with respect to each such information collection program.
        (3) Change in information collection.--If an owner or authorized user has granted consent to execution of an information collection program pursuant to a notice in accordance with this subsection:
            (A) In general.--No subsequent such notice is required, except as provided in subparagraph (B).
            (B) Subsequent notice.--The person who transmitted the program shall provide another notice in accordance with this subsection and obtain consent before such program may be used to collect or send information of a type or for a purpose that is materially different from, and outside the scope of, the type or purpose set forth in the initial or any previous notice.
        (4) Regulations.--The Commission shall issue regulations to carry out this subsection.
    (d) Required Functions.--The functions required under this subsection to be included in an information collection program that executes any information collection functions with respect to a protected computer are as follows:
        (1) Disabling function.--With respect to any information collection program, a function of the program that allows a user of the program to remove the program or disable operation of the program with respect to such protected computer by a function that--
            (A) is easily identifiable to a user of the computer; and
            (B) can be performed without undue effort or knowledge by the user of the protected computer.
        (2) Identity function.--
            (A) In general.--With respect only to an information collection program that uses information collected in the manner described in subparagraph (A)(ii)(II) or (B)(ii) of subsection (b)(1) and subject to subparagraph (B) of this paragraph, a function of the program that provides that each display of an advertisement directed or displayed using such information, when the owner or authorized user is accessing a Web page or online location other than of the provider of the computer software, is accompanied by the name of the information collection program, a logogram or trademark used for the exclusive purpose of identifying the program, or a statement or other information sufficient to clearly identify the program.
            (B) Exemption for embedded advertisements.--The Commission shall, by regulation, exempt from the applicability of subparagraph (A) the embedded display of any advertisement on a Web page that contemporaneously displays other information.
        (3) Rulemaking.--The Commission may issue regulations to carry out this subsection.
    (e) Limitation on Liability.--A telecommunications carrier, a provider of information service or interactive computer service, a cable operator, or a provider of transmission capability shall not be liable under this section to the extent that the carrier, operator, or provider--
        (1) transmits, routes, hosts, stores, or provides connections for an information collection program through a system or network controlled or operated by or for the carrier, operator, or provider; or
        (2) provides an information location tool, such as a directory, index, reference, pointer, or hypertext link, through which the owner or user of a protected computer locates an information collection program.
    (f) Study and Additional Exemption.--
        (1) Study and report.--The Commission shall conduct a study to determine the applicability of the information collection prohibitions of this section to information that is input directly by users in a field provided on a website. The study shall examine--
            (A) the nature of such fields for user input;
            (B) the use of a user's information once input and whether such information is sent to a person other than the provider of the Web site;
            (C) whether such information is used to deliver advertisements to the user's computer; and
            (D) the extent of any notice provided to the user prior to such input.
        (2) Report.--The Commission shall transmit a report on such study to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate not later than the expiration of the 6-month period that begins on the date on which final regulations are issued under section 9. The requirements of subchapter I of chapter 35 of title 44, United States Code, shall not apply to the report required under this subsection.
        (3) Regulation.--If the Commission finds that users have adequate notice regarding the uses of any information input directly by the user in a field provided on a website, such that an exemption from the requirements of this section, or a modification of the notice required by this section is appropriate for such information, and that such an exemption or modification is consistent with the public interest, the protection of consumers, and the purposes of this Act, the Commission may prescribe such an exemption or modification by regulation.

SEC. 4. ENFORCEMENT.

    (a) Unfair or Deceptive Act or Practice.--This Act shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.). A violation of any provision of this Act or of a regulation issued under this Act shall be treated as an unfair or deceptive act or practice violating a rule promulgated under section 18 of the Federal Trade Commission Act (15 U.S.C. 57a).
    (b) Penalty for Pattern or Practice Violations.--
        (1) In general.--Notwithstanding subsection (a) and the Federal Trade Commission Act, in the case of a person who engages in a pattern or practice that violates section 2 or 3, the Commission may, in its discretion, seek a civil penalty for such pattern or practice of violations in an amount, as determined by the Commission, of not more than--
            (A) $3,000,000 for each violation of section 2; and
            (B) $1,000,000 for each violation of section 3.
        (2) Treatment of single action or conduct.--In applying paragraph (1)--
            (A) any single action or conduct that violates section 2 or 3 with respect to multiple protected computers shall be treated as a single violation; and
            (B) any single action or conduct that violates more than one paragraph of section 2(a) shall be considered multiple violations, based on the number of such paragraphs violated.
    (c) Required Scienter.--Civil penalties sought under this section for any action may not be granted by the Commission or any court unless the Commission or court, respectively, establishes that the action was committed with actual knowledge or knowledge fairly implied on the basis of objective circumstances that such act is unfair or deceptive or violates this Act.
    (d) Factors in Amount of Penalty.--In determining the amount of any penalty pursuant to subsection (a) or (b), the court shall take into account the degree of culpability, any history of prior such conduct, ability to pay, effect on ability to continue to do business, and such other matters as justice may require.
    (e) Exclusiveness of Remedies.--The remedies in this section (and other remedies available to the Commission in an enforcement action against unfair and deceptive acts and practices) are the exclusive remedies for violations of this Act.
    (f) Effective Date.--To the extent only that this section applies to violations of section 2(a), this section shall take effect upon the expiration of the 6-month period that begins on the date of the enactment of this Act.

SEC. 5. LIMITATIONS.

    (a) Law Enforcement Authority.--Sections 2 and 3 shall not apply to--
        (1) any act taken by a law enforcement agent in the performance of official duties; or
        (2) the transmission or execution of an information collection program in compliance with a law enforcement, investigatory, national security, or regulatory agency or department of the United States or any State in response to a request or demand made under authority granted to that agency or department, including a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, a court order, or other lawful process.
    (b) Exception Relating to Security.--Nothing in this Act shall apply to--
        (1) any monitoring of, or interaction with, a protected computer--
            (A) in connection with the provision of a network access service or other service or product with respect to which the user of the protected computer is an actual or prospective customer, subscriber, registered user, or account holder;
            (B) by the provider of that service or product or with such provider's authorization; and
            (C) that involves or enables the collection of information about the user's activities only with respect to the user's relationship with or use of such service or product,
        to the extent that such monitoring or interaction is for the purpose of network security, computer security, diagnostics, technical support or repair, network management, authorized updates of software, or for the detection or prevention of fraudulent activities; or
        (2) a discrete interaction with a protected computer by a provider of computer software solely to determine whether the user of the computer is authorized to use such software, that occurs upon--
            (A) initialization of the software; or
            (B) an affirmative request by the owner or authorized user for an update of, addition to, or technical service for, the software.
    (c) Good Samaritan Protection.--
        (1) In general.--No provider of computer software or of interactive computer service may be held liable under this Act on account of any action voluntarily taken, or service provided, in good faith to remove or disable a program used to violate section 2 or 3 that is installed on a computer of a customer of such provider, if such provider notifies the customer and obtains the consent of the customer before undertaking such action or providing such service.
        (2) Construction.--Nothing in this subsection shall be construed to limit the liability of a provider of computer software or of an interactive computer service for any anti-competitive act otherwise prohibited by law.
    (d) Limitation on Liability.--A manufacturer or retailer of computer equipment shall not be liable under this Act to the extent that the manufacturer or retailer is providing third party branded computer software that is installed on the equipment the manufacturer or retailer is manufacturing or selling.
    (e) Services Provided by Cable Operators and Satellite Carriers.--It shall not be a violation of section 3 for a satellite carrier (as such term is defined in section 338(k) of the Communications Act of 1934 (47 U.S.C. 338(k)) or cable operator (as such term is defined in section 631(a)(2) of such Act (47 U.S.C. 551(a)(2))) to--
        (1) utilize a navigation device (as such term is defined in the rules of the Federal Communications Commission);
        (2) interact with such a navigation device; or
        (3) transmit software to or execute software installed on such a navigation device to provide service or collect or disclose subscriber information,
    if the provision of such service, the utilization of or the interaction with such device, or the collection of or disclosure of such information, is subject to section 338(i) or section 631 of the Communications Act of 1934.

SEC. 6. EFFECT ON OTHER LAWS.

    (a) Preemption of State Law.--
        (1) Preemption of spyware laws.--This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State that expressly regulates--
            (A) unfair or deceptive conduct with respect to computers similar to that described in section 2(a);
            (B) the transmission or execution of a computer program similar to that described in section 3; or
            (C) the use of computer software that displays advertising content based on the Web pages accessed using a computer.
        (2) Additional preemption.--
            (A) In general.--No person other than the Attorney General of a State may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.
            (B) Protection of consumer protection laws.--This paragraph shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State.
        (3) Protection of certain state laws.--This Act shall not be construed to preempt the applicability of--
            (A) State trespass, contract, or tort law; or
            (B) other State laws to the extent that those laws relate to acts of fraud.
        (4) Effective date.--The preemption provided for under this subsection shall take effect, with respect to specific provisions of this Act, on the effective date for such provisions.
    (b) Preservation of FTC Authority.--Nothing in this Act may be construed in any way to limit or affect the Commission's authority under any other provision of law, including the authority to issue advisory opinions (under part 1 of volume 16 of the Code of Federal Regulations), policy statements, or guidance regarding this Act.

SEC. 7. FTC REPORT ON COOKIES.

    (a) In General.--Not later than the expiration of the 6-month period that begins on the date on which final regulations are issued under section 9, the Commission shall submit a report to the Congress regarding the use of cookies in the delivery or display of advertising to the owners and users of computers. The report shall examine the extent to which cookies are or may be used to transmit to a third party personally identifiable information of a computer owner or user, information regarding Web pages accessed by the owner or user, or information regarding advertisements previously delivered to a computer, for the purpose of--
        (1) delivering or displaying advertising to the owner or user; or
        (2) assisting the intended recipient to deliver or display advertising to the owner, user, or others.
    The report shall examine and describe the methods by which cookies and the Web sites that place them on computers function separately and together, and shall compare the use of cookies with the use of information collection programs (as such term is defined in section 3) to determine the extent to which such uses are similar or different. The report may include such recommendations as the Commission considers necessary and appropriate, including treatment of cookies under this Act or other laws.
    (b) Effective Date.--This section shall take effect on the date of the enactment of this Act.
    (c) Paperwork Reduction Requirements.--The requirements of subchapter I of chapter 35 of title 44, United States Code, shall not apply to the report required under this section.

SEC. 8. FTC REPORT ON INFORMATION COLLECTION PROGRAMS INSTALLED BEFORE EFFECTIVE DATE.

    Not later than the expiration of the 6-month period that begins on the date on which final regulations are issued under section 9, the Commission shall submit a report to the Congress on the extent to which there are installed on protected computers information collection programs that, but for installation prior to the effective date under section 11(a), would be subject to the requirements of section 3. The report shall include recommendations regarding the means of affording computer users affected by such information collection programs the protections of section 3, including recommendations regarding requiring a one-time notice and consent by the owner or authorized user of a computer to the continued collection of information by such a program so installed on the computer. The requirements of subchapter I of chapter 35 of title 44, United States Code, shall not apply to the report required under this section.

SEC. 9. REGULATIONS.

    (a) In General.--The Commission shall issue the regulations required by this Act not later than the expiration of the 9-month period beginning on the date of the enactment of this Act. In exercising its authority to issue any regulation under this Act, the Commission shall determine that the regulation is consistent with the public interest and the purposes of this Act. Any regulations issued pursuant to this Act shall be issued in accordance with section 553 of title 5, United States Code.
    (b) Effective Date.--This section shall take effect on the date of the enactment of this Act.

SEC. 10. DEFINITIONS.

    For purposes of this Act:
        (1) Cable operator.--The term ``cable operator'' has the meaning given such term in section 602 of the Communications Act of 1934 (47 U.S.C. 522).
        (2) Collect.--The term ``collect'', when used with respect to information and for purposes only of section 3(b)(1)(A), does not include obtaining of the information by a party who is intended by the owner or authorized user of a protected computer to receive the information or by a third party authorized by such intended recipient to receive the information, pursuant to the owner or authorized user--
            (A) transferring the information to such intended recipient using the protected computer; or
            (B) storing the information on the protected computer in a manner so that it is accessible by such intended recipient.
        (3) Computer; protected computer.--The terms ``computer'' and ``protected computer'' have the meanings given such terms in section 1030(e) of title 18, United States Code.
        (4) Computer software.--
            (A) In general.--Except as provided in subparagraph (B), the term ``computer software'' means a set of statements or instructions that can be installed and executed on a computer for the purpose of bringing about a certain result.
(B) Exceptions.--Such term does not include-- (i) computer software that is placed on the computer system of a user by an Internet service provider, interactive computer service, or Internet Web site solely to enable the user subsequently to use such provider or service or to access such Web site; or (ii) a text or data file known as a cookie, to the extent that the text or data file-- (I) is used, written to, or placed on the computer of a user by an Internet service provider, interactive computer service, or Internet website, or any entity acting with the authorization of and on behalf of such Internet service provider, interactive computer service, or Internet website; and (II) can be read or recognized solely to return information to such Internet service provider, interactive computer service, or Internet website, or any entity acting with the authorization of and on behalf of such Internet service provider, interactive computer service, or Internet website. (5) Commission.--The term ``Commission'' means the Federal Trade Commission. (6) Damage.--The term ``damage'' has the meaning given such term in section 1030(e) of title 18, United States Code. (7) Unfair or deceptive acts or practices.--The term ``unfair or deceptive acts or practices'' has the meaning applicable to such term for purposes of section 5 of the Federal Trade Commission Act (15 U.S.C. 45). (8) Disable.--The term ``disable'' means, with respect to an information collection program, to permanently prevent such program from executing any of the functions described in section 3(b)(1) that such program is otherwise capable of executing (including by removing, deleting, or disabling the program), unless the owner or operator of a protected computer takes a subsequent affirmative action to enable the execution of such functions. 
(9) Information collection functions.--The term ``information collection functions'' means, with respect to an information collection program, the functions of the program described in subsection (b)(1) of section 3. (10) Information service.--The term ``information service'' has the meaning given such term in section 3 of the Communications Act of 1934 (47 U.S.C. 153). (11) Interactive computer service.--The term ``interactive computer service'' has the meaning given such term in section 230(f) of the Communications Act of 1934 (47 U.S.C. 230(f)). (12) Internet.--The term ``Internet'' means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio. (13) Personally identifiable information.-- (A) In general.--The term ``personally identifiable information'' means the following information, to the extent only that such information allows a living individual to be identified from that information: (i) First and last name of an individual. (ii) A home or other physical address of an individual, including street name, name of a city or town, and zip code. (iii) An electronic mail address. (iv) A telephone number. (v) A social security number, tax identification number, passport number, driver's license number, or any other government-issued identification number. (vi) A credit card number. (vii) Any access code, password, or account number, other than an access code or password transmitted by an owner or authorized user of a protected computer to the intended recipient to register for, or log onto, a Web page or other Internet service or a network connection or service of a subscriber that is protected by an access code or password. 
(viii) Date of birth, birth certificate number, or place of birth of an individual, except in the case of a date of birth transmitted or collected for the purpose of compliance with the law. (B) Rulemaking.--The Commission may, by regulation, add to the types of information described in subparagraph (A) that shall be considered personally identifiable information for purposes of this Act, except that such additional types of information shall be considered personally identifiable information only to the extent that such information allows living individuals, particular computers, particular users of computers, or particular email addresses or other locations of computers to be identified from that information. (14) Suite of functionally related software.--The term ``suite of functionally related software'' means a group of computer software programs distributed to an end user by a single provider, which programs enable features or functionalities of an integrated service offered by the provider. (15) Telecommunications carrier.--The term ``telecommunications carrier'' has the meaning given such term in section 3 of the Communications Act of 1934 (47 U.S.C. 153). (16) Transmit.--The term ``transmit'' means, with respect to an information collection program, transmission by any means. (17) Web page.--The term ``Web page'' means a location, with respect to the World Wide Web, that has a single Uniform Resource Locator or another single location with respect to the Internet, as the Federal Trade Commission may prescribe. (18) Web site.--The term ``Web site'' means a collection of Web pages that are presented and made available by means of the World Wide Web as a single Web site (or a single Web page so presented and made available), which Web pages have any of the following characteristics: (A) A common domain name. (B) Common ownership, management, or registration. SEC. 11. APPLICABILITY AND SUNSET.
(a) Effective Date.--Except as specifically provided otherwise in this Act, this Act shall take effect upon the expiration of the 12-month period that begins on the date of the enactment of this Act. (b) Applicability.--Section 3 shall not apply to an information collection program installed on a protected computer before the effective date under subsection (a) of this section. (c) Sunset.--This Act shall not apply after December 31, 2013.

PURPOSE AND SUMMARY

H.R. 964, the Securely Protect Yourself Against Cyber Trespass Act, prohibits unfair or deceptive acts or practices related to spyware or adware programs, and requires notice and consent for the execution of information collection programs.

BACKGROUND AND NEED FOR LEGISLATION

The release of the Mosaic browser in January 1993, which provided the first graphical interface for navigating the Internet, is credited with bringing the Internet into the mainstream of public usage. In the intervening time, Internet usage has been transformed from an academic tool into a commercial, educational, and communications portal accessed by more than 70 percent of Americans. It comes as no surprise that the market has responded with new technologies tailored to consumer Internet usage. Many of these technologies are designed to improve the efficiency and speed of data transfer. For example, some maximize server efficiency and thereby reduce time requirements for a Web page to load on a user's computer. Other technologies allow Web sites to use persistent identifiers to recognize a return visitor, and thereby enhance the online experience through personalization. The unique nature of the Internet has also facilitated other beneficial technologies, such as peer-to-peer file sharing software, instant messaging, and voice-over Internet, that capitalize on the distributed network structure.
At the same time, the Committee is aware that these technologies are capable of visiting great harm on consumers and commerce when misapplied by scam artists, criminals, and others with unsavory motives. The Committee is particularly concerned about the growing use of what is commonly referred to as ``spyware.'' Spyware presents privacy, security, and functionality concerns for consumers. The Federal Trade Commission (FTC) has described spyware as software ``that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer's consent, or asserts control over a computer without the consumer's knowledge.'' The Committee received testimony that spyware represents a range of software programs on a broad continuum from the most pernicious criminal activities on one end to the less threatening but still intrusive on the opposite end. The most serious privacy and security concerns pertain to those programs that are intended to capture a user's personal information without knowledge and consent. The Committee received testimony demonstrating the software technology and tactics of some of these programs. They include keystroke logging software that captures a user's information (passwords, Social Security numbers, account numbers, etc.) and can lead to identity theft, and monitoring software that tracks a user's online activity, such as Web sites visited. This information could be used for profiling. Other monitoring software can include audio or video capturing programs that use one's own computer video camera or microphone to watch or listen to whatever is happening around the Internet-connected computer. 
Furthermore, security experts and law enforcement officers report growing cooperation among spammers, virus writers, and con artists in schemes to steal financial assets from consumers through a practice known as ``phishing'' by which bad actors fraudulently convince users to disclose passwords and other private financial data. Software can also affect the functioning of a computer by redirecting the user to Web sites that the user does not intend to visit, preventing a user from altering settings on the computer, or using the computer to send unsolicited commercial electronic mail. The Committee is concerned that such attacks could erode the trust that makes electronic commerce and online financial transactions possible. Techniques for deceiving consumers into downloading spyware vary. Deceptive tactics include using pop-under windows that disguise the identity of the program distributer, offering misleading or deceptive end user licensing agreements, and failing to disclose the functionality of a program. Some spyware programs masquerade as anti-spyware technology. More nefarious tactics include exploitation of security patches in a computer's operating system. Additionally, consumers who leave browser security settings on ``low'' open their systems to automatic ``drive-by'' downloads in which spyware programs are automatically downloaded when visiting certain sites. The Committee also is concerned with the growth of abusive ``adware.'' Adware is advertising software that can monitor online behavior and Web sites visited. Adware is often bundled, many times as a consideration, with other software that a consumer voluntarily downloads. Adware usually directs targeted advertisements to the user based on his or her online activity. The Committee does not find adware per se objectionable, so long as a consumer has given informed consent to the software installation or execution. 
On the other hand, the Committee has received testimony and other information indicating that some adware has been used to push directed advertisements of material unrelated to a user's online activity and that the user finds objectionable. Adware also has been used to barrage consumers with pop-up ads that disrupt Internet usage. Many consumers have lost important data because this malware crashed their computers, or were forced to junk perfectly good computers that were so burdened with unwanted adware that they were useless. Increasingly, adware is being coupled with spyware or other deceptive or malicious software programs. See, for example, the FTC case In Re Direct Revenue LLC, et al., File No. 052 313 (February 2007). DirectRevenue LLC, a large distributor of adware, installs its adware on consumers' computers directly and through a large network of affiliates and sub-affiliates. According to the FTC complaint detailing charges that DirectRevenue settled, the company and its affiliates frequently offered consumers free content and software, such as screen savers, games, and utilities without disclosing adequately that downloading them would result in installation of the adware. In other instances, according to the FTC's complaint, some of DirectRevenue's affiliates exploited security vulnerabilities in Web browsers to install the adware. In addition, the FTC charged that DirectRevenue deliberately made it difficult to identify, locate, and remove the adware once it was installed.
For example, DirectRevenue allegedly failed to label its pop-up ads to identify their source, stored the adware files in rarely accessed locations on consumers' hard drives, failed to list the adware in the Windows Add/Remove utility or named the adware files to resemble core systems software or applications, and installed technology on consumers' computers to secretly reinstall the adware when consumers attempted to remove it or when the adware was deleted by consumers' anti-spyware programs. In addition, when DirectRevenue provided an uninstall tool at separate Web sites, it allegedly required consumers to follow a 10-step procedure involving the download of additional software and deactivation of all third-party firewalls, thus exposing consumers' computers to security risks. The Committee supports honest online advertising but intends for the FTC to use its existing authorities and the tools in this Act to take vigorous enforcement action against unfair or deceptive acts or practices. See also, ``The Plot To Hijack Your Computer,'' Business Week cover story (July 17, 2006). The increasing popularity and convenience of e-commerce and the benefits that it brings to our national economy make it critical for the Committee and the Congress to act expeditiously to preserve the integrity of the system and thus consumer confidence. The Committee's bipartisan legislation accomplishes that goal by striking a careful balance between cracking down on abuse while preserving beneficial uses of software applications. Similar legislation passed the House by overwhelming votes in the 108th and 109th Congresses.

HEARINGS

The Committee on Energy and Commerce held a hearing on the legislation on March 15, 2007. The Committee received testimony from the following: Mr. Jerry Cerasale, Senior Vice President, Direct Marketing Association, Inc.; Ms. Fran Maier, Executive Director, TRUSTe; Mr. Dave Morgan, Founder and Chairman, TACODA, Inc.; Mr.
Ari Schwartz, Deputy Director, Center for Democracy and Technology; and Ms. Christine A. Varney, Esquire, Hogan & Hartson LLP, on behalf of Zango.

COMMITTEE CONSIDERATION

On Thursday, April 19, 2007, the Subcommittee on Commerce, Trade, and Consumer Protection met in open markup session and approved H.R. 964 for full Committee consideration, amended, by voice vote. On Thursday, May 10, 2007, the full Committee met in open markup session and ordered H.R. 964 favorably reported to the House, amended, by voice vote.

COMMITTEE VOTES

Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the record votes on the motion to report legislation and amendments thereto. There were no record votes taken on amendments or in connection with ordering H.R. 964 reported. A motion by Mr. Dingell to order H.R. 964 favorably reported to the House was agreed to by voice vote.

COMMITTEE OVERSIGHT FINDINGS

Regarding clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee held a legislative hearing and made findings that are reflected in this report.

STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

The goal of H.R. 964 is to protect consumers by prohibiting deceptive practices related to spyware and adware programs and by requiring notice and consent for the execution of information collection programs.

NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES

Regarding compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 964 would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues.

EARMARKS AND TAX AND TARIFF BENEFITS

Regarding compliance with clause 9 of rule XXI of the Rules of the House of Representatives, H.R. 964 does not contain any congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(d), 9(e), or 9(f) of rule XXI.
COMMITTEE COST ESTIMATE

The Committee adopts as its own the cost estimate provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974.

CONGRESSIONAL BUDGET OFFICE ESTIMATE

Pursuant to clause 3(c)(3) of rule XIII of the Rules of the House of Representatives, the following is the cost estimate provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974:

May 24, 2007.

Hon. John D. Dingell, Chairman, Committee on Energy and Commerce, House of Representatives, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 964, the Securely Protect Yourself Against Cyber Trespass Act. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Susan Willie.

Sincerely, Peter R. Orszag.

Enclosure.

H.R. 964--Securely Protect Yourself Against Cyber Trespass Act

Summary: H.R. 964 would prohibit the use of computer software (known as spyware) to collect personal information and to monitor the behavior of computer users without a user's consent. The bill would direct the Federal Trade Commission (FTC) to enforce the bill's provisions relating to spyware, including assessing and collecting civil penalties for unfair or deceptive business practices. Based on information provided by the FTC, CBO estimates that implementing the bill would increase spending by $1 million in 2008 and $7 million over the 2008-2012 period, assuming appropriation of the necessary amounts. Enacting H.R. 964 could increase civil penalties and thus could affect Federal revenues, but CBO estimates that such effects would not be significant in any year. Enacting H.R. 964 would not affect direct spending. H.R.
964 contains an intergovernmental mandate as defined in the Unfunded Mandates Reform Act (UMRA), but CBO estimates that the resulting costs to states would fall significantly below the threshold established in UMRA ($66 million in 2007, adjusted annually for inflation). H.R. 964 would impose private-sector mandates, as defined in UMRA, on persons who use computer programs to collect certain information from another person's computer. In addition, by preempting certain State laws, the bill would impose a mandate on private entities by eliminating any private right of action under those laws. CBO estimates that the direct cost of complying with most of those mandates would be small and fall below the annual threshold for private-sector mandates established by UMRA ($131 million in 2007, adjusted annually for inflation). However, due to a lack of information about the number of claims that would be filed by private entities under state laws in the absence of this legislation and the value of awards in such cases, CBO has no basis to determine the loss of compensation from awards or settlements, if any. Consequently, CBO cannot determine whether the aggregate direct cost of all the mandates in the bill would exceed the annual threshold.

Estimated cost to the Federal Government: The estimated budgetary impact of H.R. 964 is shown in the following table. The costs of this legislation fall within budget function 370 (commerce and housing credit).

                                                    By fiscal year, in millions of dollars--
                                                    2008     2009     2010     2011     2012
----------------------------------------------------------------------------------------------
                          CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Estimated Authorization Level.....................     1        1        1        2        2
Estimated Outlays.................................     1        1        1        2        2
----------------------------------------------------------------------------------------------

Basis of estimate: For this estimate, CBO assumes that the bill will be enacted during fiscal year 2007, that the necessary amounts will be provided for each year, and that spending will follow historical patterns for similar programs. Implementing H.R. 964 would increase spending by the FTC to enforce regulations prohibiting the unlawful use of spyware, subject to the availability of appropriated funds. Based on information from the agency, CBO estimates that such activities would cost about $1 million in 2008 and about $7 million over the 2008-2012 period. Enacting H.R. 964 could increase federal revenues from civil penalties assessed for committing unfair or deceptive acts or practices in commerce; however, based on information provided by the FTC, CBO estimates that any new collections would be less than $500,000 a year.

Estimated impact on state, local, and tribal governments: H.R. 964 would preempt state laws that specifically regulate the use of spyware. This preemption constitutes a mandate as defined in UMRA. Some states may incur costs in the form of lost court settlements, however, because the bill would preserve the rights of states to enforce their own consumer protection, trespass, contract, and/or laws, CBO estimates that any such costs would fall significantly below the threshold established in UMRA ($66 million in 2007, adjusted annually for inflation).

Estimated impact on the private sector: H.R. 964 would impose private-sector mandates, as defined in UMRA, on persons who use computer programs to collect certain information from another person's computer. The bill would require a person who transmits or executes an information collection program on someone's computer to receive prior consent from the owner or authorized user of that computer.
An information collection program is defined in the legislation as computer software that (1) collects personally identifiable information and sends the information to someone else or uses such information for advertising purposes, or (2) collects information regarding the user's Internet activity and uses such information for advertising purposes, except for software collecting information within particular Web sites. The bill would require the Federal Trade Commission to provide the manner and form of the notice to obtain consent. In addition, the bill would require an information collection program installed on someone's computer to be easily identifiable and removable. Based on information provided by industry sources and the FTC, CBO expects that the direct costs of complying with those mandates would fall below the annual threshold established by UMRA for private-sector mandates ($131 million in 2007, adjusted annually for inflation). Also, by preempting state laws that expressly regulate the same activities covered by the bill, H.R. 964 would impose a mandate on private entities by eliminating any private right of action under those laws. The direct cost of the mandate would be the net loss of compensation from awards and settlements in cases where the private entity could recover full compensation for its injuries only through a private right of action that would be eliminated by H.R. 964. Because of uncertainty about the number of claims that would be filed in the absence of this legislation and the value of awards in such cases, CBO cannot estimate the cost of the mandate. Consequently, CBO cannot determine whether the cost of the mandate would exceed the annual threshold established by UMRA. Previous CBO estimate: On May 7, 2007, CBO transmitted an estimate for H.R. 1525, the Internet Spyware Prevention Act of 2007, as ordered reported by the House Committee on the Judiciary on May 2, 2007. 
That bill would establish a new federal crime for the use of certain computer software (spyware) to collect personal information or to commit a federal criminal offense, and would authorize the appropriation of $40 million over the 2008-2012 period to prosecute violations of the new law.

Estimate prepared by: Federal costs: Susan Willie; Impact on state, local, and tribal governments: Theresa Gullo; Impact on the private sector: Amy Petz.

Estimate approved by: Peter H. Fontaine, Deputy Assistant Director for Budget Analysis.

FEDERAL MANDATES STATEMENT

The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act.

ADVISORY COMMITTEE STATEMENT

No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation.

CONSTITUTIONAL AUTHORITY STATEMENT

Pursuant to clause 3(d)(1) of rule XIII of the Rules of the House of Representatives, the Committee finds that the Constitutional authority for this legislation is provided in Article I, section 8, clause 3, which grants Congress the power to regulate commerce with foreign nations, among the several States, and with the Indian Tribes.

APPLICABILITY TO LEGISLATIVE BRANCH

The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act.

SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION

Section 1. Short title

Section 1 establishes the short title of the Act as the ``Securely Protect Yourself Against Cyber Trespass Act,'' or the ``Spy Act.''

Section 2. Prohibition of unfair or deceptive acts or practices relating to spyware

Section 2(a) prohibits any person who is not an owner or authorized user of a protected computer to engage in deceptive acts or practices in connection with spyware.
Specifically, it prohibits the following conduct: (1) taking control of a protected computer; (2) modifying settings related to the use of a computer or to the computer's access to or use of the Internet by altering certain information; (3) collecting personally identifiable information through the use of a keystroke logging function; (4) inducing the owner or authorized user to disclose personally identifiable information using a fraudulent Web page; (5) inducing the owner or authorized user to install a component of computer software onto the computer or preventing reasonable efforts to block the installation or execution of, or to disable, a component of computer software; (6) misrepresenting that installing a separate component of computer software or providing log-in and password information is necessary for security or privacy reasons, or that installing a separate component of computer software is necessary to open, view, or play a particular type of content; (7) inducing the owner or authorized user to install or execute computer software by misrepresenting the identity or authority of the person or entity providing the computer software; (8) inducing the owner or authorized user to provide personally identifiable information to another person by misrepresenting the identity of the person seeking the information, or without the authority of the intended recipient of the information; or (9) removing, disabling, or rendering inoperative a security, anti-spyware, or anti-virus technology installed on the computer, or (10) installing or executing on the computer software with the intent of causing a person to use such components in a way that violates any other provision of section 2. This bill addresses software practices that affect end user computers, whether those of individual consumers or of businesses, connected to the Internet or similar public networks. 
Routers and other computers on the Internet interact with one another and give each other instructions regularly as part of the routine operation of the Internet. The Committee does not intend that these and other activities that occur in the network itself, rather than on the edge of the network, be covered by the bill's definitions of ``computer'' or ``protected computer,'' within the meaning of section 10(3), or that they be considered ``taking control'' of a computer within the meaning of section 2(a)(1). Section 2(a)(4) provides the FTC with enforcement authority against ``evil-twin attacks'' and Web-based phishing. It is not intended to apply in instances of legitimate trademark dispute. Many software installations of updated security, anti-spyware, or anti-virus technologies requested by a computer user will disable or render inoperable a prior version of that software upon installation of the updated version. Section 2(a)(9) is not intended to apply to these circumstances. Section 2(b) directs the FTC to use its authority to issue advisory opinions, policy statements, and guidance to advise companies on the parameters of this section. For example, the FTC should issue guidance on required disclosures or material omissions that would trigger liability under section 2. Section 2(b) also provides that this subsection will take effect upon the date of enactment of the Act. Section 2(c) provides that, except as provided in subsection (b), section 2 shall take effect upon the expiration of the 6-month period that begins on the date of enactment of the Act.

Section 3. Prohibition of collection of certain information without notice and consent

Section 3(a) prohibits the transmission of an information collection program to a protected computer unless the program provides for notice and consent, as set forth in section 3(c), before the first execution of the information collection program and contains the functions set forth in section 3(d).
It also prohibits the execution of any information collection program on a protected computer without meeting the requirements in subsections (c) and (d). This section contemplates a single notice at the first execution of the software. If the same information collection program executes more than one time on the same protected computer, notice is required only at the initial execution. Subsequent notice is only required if the information collection program will collect or send information that is materially different from, and outside the scope of, the type or purpose set forth in the initial or, in the case of prior subsequent notice, previous notice. Section 3(b)(1) provides a definition for ``information collection program.'' An information collection program is computer software that (a) collects personally identifiable information and either (1) sends such information to a person other than the owner or authorized user of the computer or (2) uses such information to deliver advertising to or display advertising on the computer; or (b) collects information regarding Web pages accessed using the computer and uses the information to deliver advertising to or display advertising on the computer. The reference to ``a person other than the owner or authorized user of the computer'' in section 3(b)(1)(A)(ii)(I) is intended to include the entity that transmitted or executed the information collection program. Section 3(b)(2) provides an exception to the definition of information collection program for software collecting information regarding Internet activity within a particular Web site. 
Computer software that otherwise would be considered an information collection program under section 3(b)(1)(B) shall not be considered such a program if: (1) the only information collected regarding the user's Internet activity, and used to deliver advertising to or display advertising on the protected computer, is either (A) information regarding Web pages within a particular Web site, or (B) in the case of any Internet-based search function, user-supplied search terms necessary to complete the search and return results to the user; (2) such information is not sent to anyone other than the provider of the Web site accessed or Internet-based search function, or a party authorized to facilitate the display or functionality of Web pages within the Web site accessed; and (3) the only advertising delivered to or displayed on the computer using such information is advertising on the Web pages within the Web site. This section exempts this narrow activity. It does not create a blanket exemption for Internet search functions from the notice and consent requirements of section 3. It does not exempt the collection of other Internet activity by toolbars if it is used to deliver or display ads, nor does it exempt toolbars that are downloaded onto consumers' computers surreptitiously as figured in the FTC's cases in the matter of Enternet Media and ERG Ventures. This section also is intended to exempt from the requirements of section 3 HTML, Java, JavaScript, Web beacons, and other similar tools used in the everyday functioning of the Internet to the extent that they facilitate the ordinary construction of Web pages and do not collect personally identifiable information. The Committee does not intend to interfere with the benign functioning of the Internet.
This exception also allows Web site providers, or their agents, to monitor activity on their Web site, and to direct advertising on their Web site based on that monitoring, without being subject to the requirements of section 3. The Committee understands that Web site owners often use internal navigation tracking for rights management, security, site management, and similar purposes not associated with malicious spyware and adware, in order to facilitate positive interactions with consumers. Section 3(c) sets out the requirements for notice and consent with respect to information collection programs. The notice must be clear and conspicuous in plain language and clearly distinguished from any other information contemporaneously displayed. The Committee expects the notice to be simple and clear so that consumers can easily understand that software collects information about them. Section 3(c)(1)(A) is not intended to impose specific design mandates on hardware manufacturers or software developers. The intent of the provision is to require a clearly distinct notice to the extent practicable in light of the technical and functional limitations of the information collection program or the device on which it is installed and executed. The notice must also contain a statement identifying whether the information collection program collects personally identifiable information or Web pages accessed, or both. The provider of the information collection program may use the provided language or a substantially similar statement. The language ``substantially similar statement'' has been added to section 3(c)(1)(B) to ensure that vendors of information collection programs have adequate flexibility to tailor section 3 notices to the user experience and in light of evolving technologies and consumer expectations. The notice must provide for the user to grant or deny consent, or to simply abandon or cancel the transaction without granting or denying consent. 
The notice must also provide for the user to access, before granting or denying consent, a clear description of the types of information being collected, the purpose for which the information is being collected and sent, and in the case of bundled software, the identity of the programs that qualify as information collection programs under the Act. The software provider may provide access to the information required under section 3(c)(1)(D) by a link or some other Web-based mechanism. A single notice is sufficient for bundled software programs so long as it meets the requirements under section 3(c)(1)(D)(iii). Section 3(c)(1)(E) requires concurrent display of the specified information in sections 3(c)(1)(B), (C), and (D) to the extent reasonably practicable. Section 3(c)(4) grants the FTC authority to issue regulations to carry out the subsection.

Section 3(d) provides that an information collection program must contain a disable function and, if applicable, an identity function. The disable function must allow a user of the program to remove or disable operation of the program by a mechanism that is easily identifiable to the user and can be performed without undue effort or knowledge by the user of the protected computer. The Committee has included this provision because of evidence that purveyors of spyware have infected consumers' computers with software that cannot be removed or disabled absent destruction of the computer hard drive. The Committee expects that the FTC will take ongoing action to educate consumers on the dangers of uninstallable software that may already be residing on consumers' computers without their knowledge. Section 3(d)(1) does not require information collection programs to provide users with both a remove and a disable function. Developers of information collection programs will satisfy the requirements of section 3(d)(1) so long as the program includes at least one of these options.
The identity function must provide that display of an advertisement generated by information collected through the program must be accompanied by the name of the information collection program, a logogram or trademark used for the exclusive purpose of identifying the program, or a statement or other information sufficient to clearly identify the program. Section 3(d)(2)(B) directs the FTC to promulgate rules exempting from this required function the embedded display of any advertisement on a Web page that contemporaneously displays other information. Section 3(d)(3) gives the FTC authority to carry out the subsection.

Section 3(e) provides that a telecommunications carrier, provider of information or interactive computer service, cable operator, or a provider of transmission capability shall not be liable under section 3 to the extent that it transmits, routes, hosts, stores, or provides connections for an information collection program or provides an information location tool through which the owner or authorized user of a protected computer locates an information collection program. For purposes of commercial computing networks, the ``authorized user'' of computer software will be the corporate licensee of the software. As a practical matter, for purposes of sections 2 and 3, the Committee understands in many instances that system administrators are the ``authorized users'' in the context of commercial computing networks.

Section 3(f) directs the FTC to conduct a study to determine the applicability of the information collection prohibitions of section 3 to personally identifiable information that is input directly by users in a field provided on a Web site.
The FTC is directed to examine: (1) the nature of the fields for user input; (2) how the user's information is used once input and whether it is sent to a person other than the provider of the Web site; (3) whether such information is used to deliver advertisements to the user's computer; and (4) the extent of any notice provided to the user prior to such input. The FTC is required to transmit a report, including its findings and recommendations, to the House and Senate Commerce Committees not later than six months after final regulations are issued under section 9. The FTC is authorized to adopt rules granting an exemption from the requirements of this section or modifying the notice requirements of this section with respect to such information input directly by the user, if the agency finds that users have adequate notice regarding the uses of this information, and that the exemption or modification is consistent with the public interest, the protection of consumers, and the purposes of this Act. The Committee does not intend to deny consumers the important protections provided by this Act, but is willing to have the FTC take a serious look at this issue. While the Committee understands that responsible online marketers and retailers have readily available privacy policies, the Committee has received information about abuses and enforcement actions that militate against providing an exemption without such a study and assurances that such an exemption or modification is appropriate and not contrary to the public interest, the protection of consumers, and the purposes of this Act.

Section 4. Enforcement

Section 4(a) provides that the Act shall be enforced by the FTC under the Federal Trade Commission Act and that a violation of the Act shall be treated as an unfair or deceptive act or practice violating a rule promulgated under section 18 of the Federal Trade Commission Act.
Section 4 gives the FTC the discretion to seek civil penalties for violations of the Act in one of two ways: (1) seeking civil penalties of up to $11,000 per violation under section 5(m)(1)(A) of the FTC Act; or (2) seeking civil penalties under section 4(b) of this Act. Section 4(b) establishes an alternative enforcement mechanism for pattern or practice violations of the Act. It provides for significantly higher penalties for those whom the FTC has determined engaged in a pattern or practice of violating the Act, but also directs the FTC to treat as a single violation a single action that violates the Act but affects multiple computers. It also directs that any single action or conduct that violates more than one provision of section 2(a) shall be considered multiple violations. The higher damages for a pattern or practice of violation may be up to $3,000,000 for each violation of section 2 and $1,000,000 for each violation of section 3. Furthermore, section 4(c) provides that civil penalties sought under the Act may not be granted by the FTC or any court unless the FTC or the court, respectively, establishes that the conduct was committed with actual knowledge or knowledge fairly implied on the basis of objective circumstances that such conduct is unfair or deceptive and is prohibited by this Act. This is the existing scienter requirement under the FTC Act. Section 4(d) directs the FTC and the court, in determining the amount of any such civil penalty, to take into account the degree of culpability, any prior history of such conduct, ability to pay, effect on ability to continue to do business, and such other matters as justice may require. The Committee expects the FTC to enforce the law vigorously to protect consumers from unfair or deceptive acts or practices involving spyware. The Committee also expects the agency to act reasonably to avoid seeking damages out of proportion to the harm caused by the offending conduct.
Section 4(e) provides that remedies available under this section and remedies available under the FTC Act are the exclusive remedies for violation of the Act. Section 4(f) provides that the section shall take effect upon the expiration of the 6-month period that begins on the date of enactment of the Act to the extent that the section applies to violations of section 2(a).

Section 5. Limitations

Section 5(a) provides that sections 2 and 3 of the Act shall not apply to (1) any act taken by a law enforcement agent in the performance of official duties, or (2) the transmission or execution of an information collection program in compliance with a law enforcement, investigatory, national security, or regulatory agency or department of the United States, or any State, in response to a request or demand made under authority granted to that agency or department. The Committee intends that this section shall be interpreted to exclude from sections 2 and 3 of the Act intelligence agencies and bona fide intelligence gathering. The Committee further intends that the activities covered by this exemption shall be carried out in accordance with all other applicable laws. Section 5(b) provides an exception for monitoring or interaction with a protected computer for legitimate security, fraud prevention, and technical support purposes.
This important exemption provides that nothing in this Act shall apply to any monitoring of, or interaction with, a protected computer (1) in connection with the provision of a network access service or other service or product with respect to which the user of the protected computer is an actual or prospective customer, subscriber, registered user, or account holder, (2) by the provider of that service or product or with such provider's authorization, and (3) that involves or enables the collection of information about the user's activities only with respect to the user's relationship with or use of such service or product, to the extent that such monitoring or interaction is for the purpose of network security, computer security, diagnostics, technical support or repair, network management, authorized updates of software, or for the detection or prevention of fraudulent activities. The primary goal of this legislation is to combat fraudulent and abusive Internet practices resulting from spyware and related nefarious technologies. The Committee intends to exempt technologies that combat practices that result in fraudulent transactions. For example, companies like Experian partner with financial institutions and online retailers in providing fraud prevention software where consumers apply for credit online. It is important to ensure that these fraud detection tools are not undermined. Section 5(b) also provides that the Act shall not apply to a discrete interaction with a protected computer by a provider of computer software solely to determine whether the user of the computer is authorized to use such software, that occurs upon initialization of the software or an affirmative request by that user for an update of, addition to, or technical service for, the software. The intent of this provision is to allow software providers to verify that requests for technical support are coming from licensed users of software. 
Section 5(c), the so-called ``Good Samaritan'' provision, provides protection from the threat of Federal Trade Commission enforcement to the developers of anti-spyware software and services under specified circumstances. The section thus provides that no provider of an interactive computer service may be held liable ``under this Act'' on account of any action voluntarily taken, or service provided, in good faith to remove or disable a program used to violate section 2 or 3 that is installed on a customer's computer, if the provider notifies the customer and obtains consent before undertaking such action. This protection would not apply to litigation between private parties or to enforcement of State law by State attorneys general. The section also provides that nothing in subsection (c) shall be construed to limit the liability of a provider of computer software or of an interactive computer service for any anti-competitive act otherwise prohibited by law. Section 5(d) provides that a manufacturer or retailer of computer equipment shall not be liable under this Act to the extent that the manufacturer or retailer is providing third party branded computer software that is installed on the equipment that the manufacturer or retailer is manufacturing or selling. This provision does not excuse from liability a manufacturer that includes its own software on computers that it manufactures. Section 5(e) provides a limited exemption for certain services provided by cable operators or satellite carriers. The section provides that it shall not be a violation of section 3 for a satellite carrier or cable operator to (1) utilize a navigation device, (2) interact with such a navigation device, or (3) transmit software to or execute software installed on such a navigation device to provide service or to collect or disclose subscriber information, if such actions with respect to such information are subject to section 338 or section 631 of the Communications Act of 1934. 
The Committee intends to avoid duplicative regulation, not to deny consumers the protections afforded by this Act. Accordingly, if there is a provision in Section 3 of this Act that does not have a corollary in Section 631 of the Communications Act, then the scope of this exemption would be limited to what the Federal Communications Commission actually has required of cable operators. The Committee expects the FTC to consult with the Federal Communications Commission in connection with interpretation and enforcement of this provision.

Section 6. Effect on other laws

Section 6(a) provides that the Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision that expressly regulates deceptive conduct with respect to computers similar to that of section 2(a), the transmission or execution of computer software similar to that in section 3, and the use of computer software that displays advertising content based on the Web pages accessed using a computer. The section also prohibits any person other than the Attorney General of a State from bringing a civil action under the law of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act, but makes clear that this prohibition shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State. The section specifically preserves State trespass, contract, and tort law, and other State laws to the extent that those acts relate to acts of general consumer fraud. The Committee intends to preserve the ability of State Attorneys General to enforce these laws as an important backstop to FTC enforcement. However, the Committee intends to preempt State legislation that makes illegal an information collection program or other computer software that displays advertising in a way that complies with this Act by simply calling it a trespass, tort, or other statute in an effort to avoid preemption.
The Committee specifically intends to preempt the Utah Spyware Control Act, section 13-39-101, Utah Code Annotated 1953. Section 6(b) preserves the FTC's authority under any other provision of law, including the authority to issue advisory opinions, policy statements, or guidance regarding the Act.

Section 7. FTC report on cookies

Section 7(a) requires that, no later than the expiration of the 6-month period that begins on the date on which final regulations are issued under section 9, the FTC submit a report to the Congress regarding the use of cookies in the delivery or display of advertising to the owners and users of computers. The report shall examine the extent to which cookies are or may be used to transmit to a third party personally identifiable information of a computer owner or user, information regarding Web pages accessed by the owner or user, or information regarding advertisements previously delivered to a computer, for the purpose of (1) delivering or displaying advertising to the owner or user, or (2) assisting the intended recipient to deliver or display advertising to the owner, user, or others. The report shall compare the use of cookies with the use of information collection programs, as such programs are defined in section 3, to determine the extent to which such uses are similar or different. Section 10(4)(B)(ii) contains an exception clarifying when cookies are not ``computer software'' subject to the requirements of section 3. The Committee understands that traditional cookies are innocuous and a part of the basic functioning of most Web sites. On the other hand, the Committee has received information about so-called ``tracking'' or ``persistent'' cookies that collect identifying information and increasingly act as spyware and adware. The Committee intends for the FTC to look into these and other functionally similar information collection programs to determine whether and, if so, how they use and transmit consumer information.
The Committee also intends for the FTC to examine privacy safeguards that currently exist regarding the management of cookies by online entities. Section 7(b) provides that the section shall take effect on the date of enactment of this Act. Section 7(c) provides an exemption from the Paperwork Reduction Act for any such report in order to facilitate its completion within the statutory time frame.

Section 8. FTC report on information collection programs installed before effective date

Section 8 requires that, no later than the expiration of the 6-month period that begins on the date on which final regulations are issued under section 9, the FTC submit a report to the Congress on the extent to which there are installed on protected computers information collection programs that are not covered by the notice and consent requirements of section 3 because such programs were installed prior to the effective date under section 11(a) of the Act. The report shall include recommendations regarding the means of affording computer users affected by such programs the protections of section 3, including recommendations regarding requiring a one-time notice and consent by the owner or authorized user of a computer to the continued collection of information by such a program. Section 8 also provides an exemption from the Paperwork Reduction Act for any such report in order to facilitate its completion within the statutory time frame.

Section 9. Regulations

Section 9(a) provides that any regulations issued under the Act shall be issued not later than the expiration of the 9-month period beginning on the date of enactment of this Act, and in accordance with section 553 of title 5, United States Code. The subsection also provides a standard to guide FTC rulemaking under the Act, requiring a determination that such regulations are consistent with the public interest and the purposes of this Act.
Section 9(b) provides that the section shall take effect on the date of enactment of the Act.

Section 10. Definitions

Section 10 provides definitions for terms in the Act including ``collect,'' ``computer software,'' ``disable,'' ``personally identifiable information,'' ``transmit,'' ``unfair or deceptive acts or practices,'' ``Web page,'' and ``Web site.'' The definition of ``collect'' makes clear that personally identifiable information that is input by the user of a protected computer and transferred to the recipient, or stored on the protected computer in a manner such that it is accessible by such intended recipient, is outside the scope of section 3 of the Act. This is intended to facilitate ease of use for consumers and providers of Internet services or Web sites. The Committee intends the exclusion from ``collect'' to be based on active conduct on the part of the computer user. The mere acceptance of an end user license agreement by a computer user would not be sufficient to meet this test of active conduct. The definition of ``computer software'' makes clear that such term does not include software placed on the computer system of a user by an Internet service provider, interactive computer service, or Internet Web site solely to enable the user subsequently to use such provider or service or to access such Web site. The term also does not include text or data files known as cookies to the extent that such text or data file: (1) is used, written to, or placed on the computer of a user by such provider, service, or Web site, or any entity acting with the authorization of and on behalf of such provider, service, or Web site, and (2) can be read or recognized solely to return information to such provider, service, or Web site, or any entity acting with the authorization of and on behalf of such provider, service, or Web site.
The Committee intends to offer an amendment during Floor consideration to clarify that computer software does not include a cookie or any other type of text or data file that solely may be read or transferred by a computer.

Section 11. Applicability and sunset

Section 11 provides that, except as otherwise provided in the Act, the Act shall take effect 12 months after the date of enactment, and further that it will sunset on December 31, 2013. Section 10 also provides that the notice and consent requirements of section 3 shall not apply to an information collection program installed on a protected computer before the effective date of the Act.

CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

H.R. 964 does not amend any existing Federal statute.