To prevent deceptive software transmission practices in order to safeguard computer privacy, maintain computer control, and protect Internet commerce.

April 30, 2004

Mr. INSLEE introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committee on the Judiciary, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

To prevent deceptive software transmission practices in order to safeguard computer privacy, maintain computer control, and protect Internet commerce.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `Computer Software Privacy and Control Act'.

SEC. 2. DEFINITIONS.

As used in this Act, the following definitions apply:

(1) The terms `computer' and `protected computer' have the meanings given such terms in section 1030(e) of title 18, United States Code.

(2) The term `computer software' means a sequence of instructions written in any programming language that is stored or executed on a computer. Such term shall not include computer software that is a Web page, or data components of Web pages that are not executable independently of the Web page.

(3) The term `disable', with regards to computer software, or a component thereof, means to permanently prevent such software or component from executing any of the functions described in section 3 that such software is otherwise capable of executing, unless the owner or operator of a protected computer takes a subsequent affirmative action to enable the execution of such functions.

(4) The terms `execute', `execution', and `executable', when used with respect to computer software, refer to the performance of the functions or the carrying out of the instructions of the computer software.

(5) The term `first retail sale' means the first sale of a computer, for a purpose other than resale, after the manufacture, production, or importation of the computer. For purposes of this paragraph, the lease of a computer shall be considered a sale of the computer at retail.

(6) The term `Internet' has the meaning given such term in section 1302(6) of the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501(6)).

(7) The term `owner or operator', with respect to a protected computer, shall not include any person who owns a computer prior to the first retail sale of such computer.

(8) The term `person' has the meaning given that term in section 1030(e)(12) of title 18, United States Code.

(9) The term `personal information' means--

(A) a first and last name;

(B) a home or other physical address including street name;

(C) an electronic mail address;

(D) a telephone number;

(E) a Social Security number;

(F) a credit card or bank account number or any password or access code associated with a credit card or bank account; and

(G) a birth certificate number.

(10) The term `removal utility' means a means by which the owner or operator of a protected computer can remove, delete, or disable computer software, or a component thereof.

(11) The term `transmit' means to transfer, send, or make available computer software, or any component thereof, via the Internet or any other medium, including local area networks of computers, other non-wire transmission, and disc or other data storage device, for the purpose of or resulting in an economic benefit to the person transferring, sending, or making available such computer software, or component thereof, derived from the transmission or execution of such software, or component thereof. Such term shall not include any action by a person providing--

(A) the Internet connection, telephone connection, or other means of transmission capability such as a compact disk or digital video disk through which the software was made available;

(B) the storage or hosting of the software program or an Internet Web page through which the software was made available; or

(C) an information location tool, such as a directory, index, reference, pointer, or hypertext link, through which the user of the computer located the software,

unless such person receives a direct economic benefit from the execution of such software on the protected computer.

(12) The term `Web page' means a location that has a single Uniform Resource Locator with respect to the World Wide Web or other single location with respect to the Internet.

SEC. 3. UNFAIR AND DECEPTIVE ACTS AND PRACTICES IN THE TRANSMISSION OF COMPUTER SOFTWARE.

(a) Deceptive Acts Prohibited- It is unlawful for any person knowingly to transmit to a protected computer owned or operated by another person, or transmit to a protected computer prior to the first retail sale of such computer, any computer software, or any component thereof, that--

(1) collects personal information about an owner or operator of that protected computer and transfers such information to any person other than such owner or operator;

(2) monitors or analyzes the content of the Internet web pages accessed by an owner or operator of such computer and transfers information regarding the accessing of such web pages to any person other than such owner or operator; or

(3) modifies default computer settings or computer settings previously selected by the owner or operator of that computer that affect--

(A) the Web page that is first displayed by computer software used to access and navigate the Internet, such as an Internet browser;

(B) Internet connection settings, the modification of which can result in financial charges to the owner or operator without the owner or operator's knowledge; or

(C) the actions or operations of any service offered by a provider of a service used to search the Internet, or files and data stored on the protected computer,

unless, before the execution of the functions described in paragraphs (1) through (3), notice of such functions is provided to, and consent to such execution is obtained from, such owner or operator, and such software, or component thereof, includes a removal utility.

(b) Requirements for Advertising Software-

(1) Notice and consent- It is unlawful for any person knowingly to transmit to a protected computer owned or operated by another person, or transmit to a protected computer prior to the first retail sale of such computer, any computer software, or any component thereof, that includes a function to deliver or display advertisements, unless, before the execution of such function, notice of such function is provided to, and the consent to such execution is obtained from, such owner or operator, and such software, or component thereof, includes a removal utility.

(2) Software displayed as a web page- The requirements of paragraph (1) shall apply to computer software containing a function to deliver advertisements displayed as a Web page or by other means, but shall not include software that is a Web page or a component of a Web page.

(c) Knowledge Requirement- For purposes of this section, the term `knowingly', used with respect to transmitting computer software, or a component thereof, means that the person transmitting has actual knowledge that the software or component transmitted has the capacity to execute any of the functions described in this section.

(d) Notice and Consent Requirements-

(1) Notice- The notice required under subsections (a) and (b)--

(A) shall not be materially false or misleading; and

(B) shall include a description of and directions for the removal utility, or instructions for the removal, deletion, or disabling of the software, or component thereof.

(2) Consent- The consent required under subsections (a) and (b) shall be contiguous to the notice required under such subsections, such that the owner or operator of the protected computer may reasonably understand the function or functions to which such consent is granted.

(3) Definition- For purposes of this subsection, the term `materially false or misleading notice' includes--

(A) a failure to describe any of the functions requiring notice; and

(B) an unauthorized material modification to or obstruction of a notice, description, or warning provided by computer software previously stored or executed on the protected computer.

SEC. 4. ENFORCEMENT.

(a) Federal Trade Commission-

(1) Unfair or deceptive act or practice- A violation of this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a) of the Federal Trade Commission Act (15 U.S.C. 57a(a)).

(2) Actions by the commission- The Federal Trade Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.

(b) Criminal Penalties-

(1) In general- Section 1030(a) of title 18, United States Code, is amended--

(A) by inserting `or' at the end of paragraph (7); and

(B) by adding at the end the following:

`(8) knowingly causes the transmission of a program, information, code, or command with the intent to obtain access without authorization or exceeding authorized access to a protected computer by means of a knowingly and materially false or misleading notice or description of function, effect, or origin of such computer software;'.

(2) Definitions- Section 1030(e) of title 18, United States Code, is amended--

(A) in paragraph (6)--

(i) by inserting `, or to obtain further access to or control over the computer' after `in the computer'; and

(ii) by striking `or alter' and inserting `, alter, access, or control'; and

(B) by adding at the end the following:

`(13) The term `knowingly and materially false or misleading notice or description' includes a knowing and material omission regarding function of program, information, code, or command that provides access to or control over a protected computer.'.

(3) Penalties- Section 1030(c)(3) of title 18, United States Code is amended--

(A) in subparagraph (A), by striking `or (a)(7)' and inserting `(a)(7), or (a)(8)'; and

(B) in subparagraph (B), by striking `or (a)(7)' and inserting `(a)(7), or (a)(8)'.

(c) State Action-

(1) In general- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by a violation of section 3 of this Act, the State may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to--

(A) enjoin that practice;

(B) enforce compliance with this Act; or

(C) obtain damages, restitution, or other compensation on behalf of residents of the State.

(2) Notice-

(A) In general- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Federal Trade Commission--

(i) written notice of that action; and

(ii) a copy of the complaint for that action.

(B) Exemption- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to provide the notice described in that subparagraph before filing of the action. In such case, the attorney general of a State shall provide notice and a copy of the complaint to the Federal Trade Commission at the same time as the attorney general files the action.

(3) Intervention by federal trade commission-

(A) In general- On receiving notice under paragraph (2), the Federal Trade Commission shall have the right to intervene in the action that is the subject of the notice.

(B) Effect of intervention- If the Federal Trade Commission intervenes in an action under subparagraph (A), it shall have the right--

(i) to be heard with respect to any matter that arises in that action; and

(ii) to file a petition for appeal.

(4) Construction- For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--

(A) conduct investigations;

(B) administer oaths or affirmations; or

(C) compel the attendance of witnesses or the production of documentary and other evidence.

(5) Preemption- In any case in which an action is instituted by or on behalf of the Commission for a violation of section 3, no State may, during the pendency of that action, institute an action under paragraph (1) against any defendant named in the complaint in that action.

(6) Service of process- In an action brought under paragraph (1), process may be served in any district in which the defendant--

(A) is an inhabitant; or

(B) may be found.

SEC. 5. EFFECT ON OTHER LAWS.

This Act supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the transmission of computer software similar to that described in section 3.

SEC. 6. LAW ENFORCEMENT REPORTING REQUIREMENTS.

(a) Semiannual Reports to Congress on Transmission of Computer Software for Surveillance Activities- Not later than 1 year after the date of enactment of this Act, and every 6 months thereafter, the Attorney General shall transmit to the Committees on the Judiciary of the Senate and of the House of Representatives a report concerning any warrant, order, or extension of an order applied for by law enforcement agencies of the Department of Justice, whose implementation involved the transmission or execution of computer software on a protected computer to record computer activity or intercept any wire, oral, or electronic communications. Such reports shall include information concerning--

(1) the type of warrant, order, or extension of an order applied for;

(2) the information sought by the warrant, period of interceptions authorized by the order, and the number and duration of any extensions of the warrant or order;

(3) the offense specified in the application, warrant, order, or extension of an order;

(4) the identity of the applying investigative or law enforcement officer and agency making the application and the person authorizing the application;

(5) the nature of the facilities from which or place where activities were to be recorded or communications were to be intercepted;

(6) a general description of the recordings or interceptions made under such order or extension, including--

(A) the approximate nature and frequency of incriminating activities recorded or communications intercepted;

(B) the approximate nature and frequency of other activities recorded or communications intercepted;

(C) the approximate number of persons whose activities were recorded or communications were intercepted;

(D) the number of warrants or orders in which encryption was encountered and whether such encryption prevented law enforcement from obtaining access to any information pursuant to such warrant or the plain text of communications intercepted pursuant to such order; and

(E) the approximate nature, amount, and cost of the manpower and other resources used in the recordings or interceptions;

(7) the number of arrests resulting from recordings or interceptions made under such warrant, order, or extension of an order, and the offenses for which arrests were made;

(8) the number of trials resulting from such recordings or interceptions;

(9) the number of motions to suppress made with respect to such recordings or interceptions, and the number of such motions granted or denied;

(10) the number of convictions resulting from such recordings or interceptions and the offenses for which the convictions were obtained, and a general assessment of the importance of the recordings or interceptions; and

(11) the specific persons authorizing the use of such computer software in the implementation of such warrant, order, or extension of an order.

END