Download this document in MS Word format


AutoFill Template

S.235

Introduced by   Senator Campbell of Windsor District

Referred to Committee on

Date:

Subject:  Commerce and trade; computer spyware

Statement of purpose:  This bill proposes to establish limitations on the use of computer spyware.

AN ACT RELATING TO COMPUTER SPYWARE

It is hereby enacted by the General Assembly of the State of Vermont:

Sec. 1.  9 V.S.A. chapter 144 is added to read:

CHAPTER 144.  CONSUMER PROTECTION AGAINST COMPUTER SPYWARE

§ 4611.  SHORT TITLE

This chapter may be cited as the Consumer Protection Against Computer Spyware Act.

§ 4612.  DEFINITIONS

As used in this chapter:

(1)  “Advertisement” means a communication that includes the promotion of a commercial product or service, including communication on an internet website operated for a commercial purpose.

(2)  “Cause computer software to be copied” means to distribute or transfer computer software or a component of computer software.  The term does not include:

(A)  the transmission or routing of computer software or a component of the software;

(B)  the provision of intermediate temporary storage or caching of software;

(C)  the provision of a storage medium such as a compact disk;

(D)  a website;

(E)  the distribution of computer software by a third party through a computer server; or

(F)  the provision of an information location tool, such as a directory, index, reference, pointer, or hypertext link, through which the user of a computer is able to locate computer software.

(3)  “Computer software” means a sequence of instructions written in a programming language that is executed on a computer.  The term does not include:

(A)  a web page; or

(B)  a data component of a web page that cannot be executed independently of that page.

(4)  “Damage,” with respect to a computer, means significant impairment of the integrity or availability of data, computer software, a system, or information.

(5)  “Execute,” with respect to computer software, means to perform a function or carry out instructions.

(6)  “Keystroke-logging function” means a function of a computer software program that records all keystrokes made by a person using a computer and transfers that information from the computer to another person.

(7)  “Owner or operator of a computer” means the owner or lessee of a computer or an individual using a computer with the authorization of the owner or lessee of the computer.  If a computer was sold at retail, the phrase “owner of a computer” does not include the person who owned the computer before the date on which the computer was sold.

(8)  “Person” means any individual, partnership, corporation, limited liability company, or other organization, or a combination of those organizations.

(9)  “Personally identifiable information,” with respect to an individual who is the owner or operator of a computer, means:

(A)  the first name or first initial in combination with last name;

(B)  a home or other physical address, including street name;

(C)  an electronic mail address;

(D)  a credit or debit card number;

(E)  a bank account number;

(F)  a password or access code associated with a credit or debit card or bank account;

(G)  a Social Security number, tax identification number, driver’s license number, passport number, or other government-issued identification number; or

(H)  any of the following information if the information alone or in combination with other information personally identifies the individual:

(i)  account balances;

(ii)  overdraft history; or

(iii)  payment history.

§ 4613.  APPLICABILITY OF CHAPTER

(a)  This chapter shall not apply to a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service that monitors or has interaction with a subscriber’s internet or other network connection or service or a protected computer for:

(1)  network or computer security purposes;

(2)  diagnostics, technical support, or repair purposes;

(3)  authorized updates of computer software or system firmware;

(4)  authorized remote system management; or

(5)  detection or prevention of unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter.

(b)  This chapter does not apply to:

(1)  the use of a navigation device, any interaction with a navigation device, or the installation or use of computer software on a navigation device by a multichannel video programming distributor or video programmer in connection with the provision of multichannel video programming or other services offered over a multichannel video programming system if the provision of the programming or other service is subject to 47 U.S.C. § 338(i) or 551; or

(2)  the collection or disclosure of subscriber information by a multichannel video programming distributor or video programmer in connection with the provision of multichannel video programming or other services offered over a multichannel video programming system if the collection or disclosure of the information is subject to 47 U.S.C. § 338(i) or 551.

(c)  As used in this section, “multichannel video programming distributor” shall have the same meaning as in 47 U.S.C. § 522(13).

§ 4614.  UNAUTHORIZED COLLECTION OR CULLING OF

              PERSONALLY IDENTIFIABLE INFORMATION

No person who is not the owner or operator of the computer shall knowingly cause computer software to be copied to a computer and use the software to:

(1)  collect, through intentionally deceptive means:

(A)  personally identifiable information by using a keystroke-logging function; or

(B)  personally identifiable information in a manner that correlates that information with information regarding all or substantially all of the websites visited by the owner or operator of the computer, other than websites operated by the person collecting the information; or

(2)  cull, through intentionally deceptive means, the following kinds of personally identifiable information from the consumer’s computer hard drive for a purpose wholly unrelated to any of the purposes of the software or service described to an owner or operator of the computer:

(A)  a credit or debit card number;

(B)  a bank account number;

(C)  a password or access code associated with a credit or debit card number or a bank account;

(D)  a Social Security number;

(E)  account balances; or

(F)  overdraft history.

§ 4615.  UNAUTHORIZED ACCESS TO OR MODIFICATIONS OF

              COMPUTER SETTINGS; COMPUTER DAMAGE

No person who is not the owner or operator of the computer shall knowingly cause computer software to be copied to a computer and use the software to:

(1)  modify, through intentionally deceptive means, a setting that controls:

(A)  the page that appears when an internet browser or a similar software program is launched to access and navigate the internet;

(B)  the default provider or web proxy used to access or search the internet; or

(C)  a list of bookmarks used to access web pages;

(2)  take control of the computer by:

(A)  accessing or using the computer’s modem or internet service to:

(i)  cause damage to the computer;

(ii)  cause the owner or operator of the computer to incur financial charges for a service not previously authorized by the owner or operator; or

(iii)  cause a third party affected by the conduct to incur financial charges for a service not previously authorized by the third party; or

(B)  opening, without the consent of the owner or operator of the computer, an advertisement that:

(i)  is in the owner’s or operator’s internet browser in a multiple, sequential, or stand-alone form; and

(ii)  cannot be closed by an ordinarily reasonable person using the computer without closing the browser or shutting down the computer;

(3)  modify settings on the computer that relate to access to or use of the internet and protection of information for purposes of stealing personally identifiable information of the owner or operator of the computer; or

(4)  modify security settings on the computer relating to access to or use of the internet for purposes of causing damage to one or more computers.

§ 4616.  UNAUTHORIZED INTERFERENCE WITH INSTALLATION

              OR DISABLING OF COMPUTER SOFTWARE

No person who is not the owner or operator of the computer shall knowingly cause computer software to be copied to a computer and use the software to:

(1)  prevent, through intentionally deceptive means, reasonable efforts of the owner or operator of the computer to block the installation or execution of or to disable computer software by causing computer software that the owner or operator has properly removed or disabled to automatically reinstall or reactivate on the computer;

(2)  intentionally misrepresent to another that computer software will be uninstalled or disabled by the actions of the owner or operator of the computer;

(3)  remove, disable, or render inoperative, through intentionally deceptive means, security, antispyware, or antivirus computer software installed on the computer;

(4)  prevent the owner’s or operator’s reasonable efforts to block the installation of or to disable computer software by:

(A)  presenting the owner or operator with an option to decline the installation of software knowing that, when the option is selected, the installation process will continue to proceed; or

(B)  misrepresenting that software has been disabled;

(5)  change the name, location, or other designation of computer software to prevent the owner from locating and removing the software; or

(6)  create randomized or intentionally deceptive file names or random or intentionally deceptive directory folders, formats, or registry entries to avoid detection and prevent the owner from removing computer software.

§ 4617.  KNOWING VIOLATION

A person knowingly violates section 4614, 4615, or 4616 of this chapter if the person:

(1)  acts with actual knowledge of the facts that constitute the violation; or

(2)  consciously avoids information that would establish actual knowledge of those facts.

§ 4618.  OTHER PROHIBITED CONDUCT

No person who is not the owner or operator of the computer shall:

(1)  induce the owner or operator of a computer to install a computer software component to the computer by intentionally misrepresenting the extent to which the installation is necessary for security or privacy reasons, to open or view text, or to play a particular type of musical or other content; or

(2)  copy and execute or cause the copying and execution of a computer software component to a computer in a deceptive manner with the intent of causing the owner or operator of the computer to use the component in a manner that violates this chapter.

§ 4619.  DECEPTIVE ACT OR OMISSION

For purposes of this chapter, a person is considered to have acted through intentionally deceptive means if the person, with the intent to deceive an owner or operator of a computer:

(1)  intentionally makes a materially false or fraudulent statement;

(2)  intentionally makes a statement or uses a description that omits or misrepresents material information; or

(3)  intentionally and materially fails to provide to the owner or operator any notice regarding the installation or execution of computer software.

§ 4620.  CIVIL REMEDIES

(a)  The following persons, if adversely affected by the violation, may bring a civil action against a person who violates this chapter:

(1)  a provider of computer software;

(2)  an owner of a web page or trademark;

(3)  a telecommunications carrier;

(4)  a cable operator; or

(5)  an internet service provider.

(b)  In addition to any other remedy provided by law and except as provided in subsection (g) of this section, a person bringing an action under this section may:

(1)  seek injunctive relief to restrain the violator from continuing the violation; and

(2)  recover damages in an amount equal to the greater of:

(A)  actual damages arising from the violation; or

(B)  $100,000.00 for each violation of the same nature.

(c)  The court may increase an award of actual damages in an action brought under subsection (b) of this section to an amount not to exceed treble the actual damages sustained if the court finds that the violations have occurred with a frequency as to constitute a pattern or practice.

(d)  A plaintiff who prevails in an action filed under subsection (b) of this section is entitled to recover reasonable attorney’s fees and court costs.

(e)  Each separate violation of this chapter is an actionable violation.

(f)  For purposes of subsection (b) of this section, violations are of the same nature as if the violations consist of the same course of conduct or action, regardless of the number of times the conduct or act occurred.

(g)  If a violation of section 4615 of this title occurs that causes a telecommunications carrier or cable operator to incur costs for the origination, transport, or termination of a call triggered using the modem of a customer of the telecommunications carrier or cable operator, the telecommunications carrier or cable operator bringing an action under this section may:

(1)  apply to a court for an order to enjoin the violation;

(2)  recover the charges the telecommunications carrier or cable operator is obligated to pay to a telecommunications carrier, cable operator, other provider of transmission capability, or an information service provider as a result of the violation, including charges for the origination, transport, or termination of the call;

(3)  recover the costs of handling customer inquiries or complaints with respect to amounts billed for calls as a result of the violation;

(4)  recover other costs, including court costs, and reasonable attorney’s fees; or

(5)  both apply for injunctive relief and recover charges and other costs as provided by this subsection.

§ 4621.  CIVIL PENALTY; INJUNCTION

(a)  A person who violates this chapter is liable to the state for a civil penalty in an amount not to exceed $100,000.00 for each violation.  The attorney general may bring suit to recover the civil penalty imposed by this subsection.

(b)  If it appears to the attorney general that a person is engaging in, has engaged in, or is about to engage in conduct that violates this chapter, the attorney general may bring an action in the name of this state against the person to restrain the violation by a temporary restraining order or a permanent or temporary injunction.

(c)  The attorney general is entitled to recover reasonable expenses incurred in obtaining injunctive relief, civil penalties, or both, under this section, including reasonable attorney’s fees and court costs.

Sec. 2.  EFFECTIVE DATE

This act shall take effect on September 1, 2006.



Published by:

The Vermont General Assembly
115 State Street
Montpelier, Vermont


www.leg.state.vt.us