To regulate the unauthorized installation of computer software, to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy, and for other purposes.

February 27, 2004

Mr. BURNS (for himself, Mr. WYDEN, and Mrs. BOXER) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

To regulate the unauthorized installation of computer software, to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `Software Principles Yielding Better Levels of Consumer Knowledge Act' or the `SPY BLOCK Act'.

SEC. 2. UNAUTHORIZED INSTALLATION OF COMPUTER SOFTWARE.

(a) NOTICE, CHOICE, AND UNINSTALL PROCEDURES- It is unlawful for any person who is not the user of a protected computer to install computer software on that computer, or to authorize, permit, or cause the installation of computer software on that computer, unless--

(1) the user of the computer has received notice that satisfies the requirements of section 3;

(2) the user of the computer has granted consent that satisfies the requirements of section 3; and

(3) the computer software's uninstall procedures satisfy the requirements of section 3.

(b) RED HERRING PROHIBITION- It is unlawful for any person who is not the user of a protected computer to install computer software on that computer, or to authorize, permit, or cause the installation of computer software on that computer, if the design or operation of the computer software is intended, or may reasonably be expected, to confuse or mislead the user of the computer concerning the identity of the person or service responsible for the functions performed or content displayed by such computer software.

SEC. 3. NOTICE, CONSENT, AND UNINSTALL REQUIREMENTS.

(a) NOTICE- For purposes of section 2(a)(1), notice to the user of a computer shall--

(1) include a clear notification, displayed on the screen until the user either grants or denies consent to installation, of the name and general nature of the computer software that will be installed if the user grants consent; and

(2) include a separate disclosure, with respect to each information collection, advertising, distributed computing, and settings modification feature contained in the computer software, that--

(A) remains displayed on the screen until the user either grants or denies consent to that feature;

(B) in the case of an information collection feature, provides a clear description of--

(i) the type of personal or network information to be collected and transmitted by the computer software; and

(ii) the purpose for which the personal or network information is to be collected, transmitted, and used;

(C) in the case of an advertising feature, provides--

(i) a representative example of the type of advertisement that may be delivered by the computer software;

(ii) a clear description of--

(I) the estimated frequency with which each type of advertisement may be delivered; or

(II) the factors on which the frequency will depend; and

(iii) a clear description of how the user can distinguish each type of advertisement that the computer software delivers from advertisements generated by other software, Internet website operators, or services;

(D) in the case of a distributed computing feature, provides a clear description of--

(i) the types of information or messages the computer software will cause the computer to transmit;

(ii)(I) the estimated frequency with which the computer software will cause the computer to transmit such messages or information; or

(II) the factors on which the frequency will depend;

(iii) the estimated volume of such information or messages, and the likely impact, if any, on the processing or communications capacity of the user's computer; and

(iv) the nature, volume, and likely impact on the computer's processing capacity of any computational or processing tasks the computer software will cause the computer to perform in order to generate the information or messages the computer software will cause the computer to transmit;

(E) in the case of a settings modification feature, provides a clear description of the nature of the modification, its function, and any collateral effects the modification may produce; and

(F) provides a clear description of procedures the user may follow to turn off such feature or uninstall the computer software.

(b) CONSENT- For purposes of section 2(a)(2), consent requires--

(1) consent by the user of the computer to the installation of the computer software; and

(2) separate affirmative consent by the user of the computer to each information collection feature, advertising feature, distributed computing feature, and settings modification feature contained in the computer software.

(c) UNINSTALL PROCEDURES- For purposes of section 2(a)(3), computer software shall--

(1) appear in the `Add/Remove Programs' menu or any similar feature, if any, provided by each operating system with which the computer software functions;

(2) be capable of being removed completely using the normal procedures provided by each operating system with which the computer software functions for removing computer software; and

(3) in the case of computer software with an advertising feature, include an easily identifiable link clearly associated with each advertisement that the software causes to be displayed, such that selection of the link by the user of the computer generates an on-screen window that informs the user about how to turn off the advertising feature or uninstall the computer software.

SEC. 4. UNAUTHORIZED USE OF CERTAIN COMPUTER SOFTWARE.

It is unlawful for any person who is not the user of a protected computer to use an information collection, advertising, distributed computing, or settings modification feature of computer software installed on that computer, if--

(1) the computer software was installed in violation of section 2;

(2) the use in question falls outside the scope of what was described to the user of the computer in the notice provided pursuant to section 3(a); or

(3) in the case of an information collection feature, the person using the feature fails to establish and maintain reasonable procedures to protect the security and integrity of personal information so collected.

SEC. 5. EXCEPTIONS.

(a) PREINSTALLED SOFTWARE- A person who installs, or authorizes, permits, or causes the installation of, computer software on a protected computer before the first retail sale of the computer shall be deemed to be in compliance with this Act if the user of the computer receives notice that would satisfy section 3(a)(2) and grants consent that would satisfy section 3(b)(2) prior to--

(1) the initial collection of personal or network information, in the case of any information collection feature contained in the computer software;

(2) the initial generation of an advertisement on the computer, in the case of any advertising feature contained in the computer software;

(3) the initial transmission of information or messages, in the case of any distributed computing feature contained in the computer software; and

(4) the initial modification of user settings, in the case of any settings modification feature.

(b) OTHER EXCEPTIONS- Sections 3(a)(2), 3(b)(2), and 4 do not apply to any feature of computer software that is reasonably needed to--

(1) provide capability for general purpose online browsing, electronic mail, or instant messaging, or for any optional function that is directly related to such capability and that the user knowingly chooses to use;

(2) determine whether or not the user of the computer is licensed or authorized to use the computer software; and

(3) provide technical support for the use of the computer software by the user of the computer.

(c) PASSIVE TRANSMISSION, HOSTING, OR LINK- For purposes of this Act, a person shall not be deemed to have installed computer software, or authorized, permitted, or caused the installation of computer software, on a computer solely because that person provided--

(1) the Internet connection or other transmission capability through which the software was delivered to the computer for installation;

(2) the storage or hosting, at the direction of another person and without selecting the content to be stored or hosted, of the software or of an Internet website through which the software was made available for installation; or

(3) a link or reference to an Internet website the content of which was selected and controlled by another person, and through which the computer software was made available for installation.

(d) SOFTWARE RESIDENT IN TEMPORARY MEMORY- In the case of an installation of computer software that falls within the meaning of section 7(10)(B) but not within the meaning of section 7(10)(A), the requirements set forth in subsections (a)(1), (b)(1), and (c) of section 3 shall not apply.

(e) FEATURES ACTIVATED BY USER OPTIONS- In the case of an information collection, advertising, distributed computing, or settings modification feature that remains inactive or turned off unless the user of the computer subsequently selects certain optional settings or functions provided by the computer software, the requirements of subsections (a)(2) and (b)(2) of section 3 may be satisfied by providing the applicable disclosure and obtaining the applicable consent at the time the user selects the option that activates the feature, rather than at the time of initial installation.

SEC. 6. ADMINISTRATION AND ENFORCEMENT.

(a) IN GENERAL- Except as provided in subsection (b), this Act shall be enforced by the Commission as if the violation of this Act were an unfair or deceptive act or practice proscribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(b) ENFORCEMENT BY CERTAIN OTHER AGENCIES- Compliance with this Act shall be enforced under--

(1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of--

(A) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;

(B) member banks of the Federal Reserve System (other than national banks), branches

and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 and 611), by the Board; and

(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation;

(2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the Director of the Office of Thrift Supervision, in the case of a savings association the deposits of which are insured by the Federal Deposit Insurance Corporation;

(3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board with respect to any Federal credit union;

(4) part A of subtitle VII of title 49, United States Code, by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that part;

(5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with respect to any activities subject to that Act; and

(6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.

(c) EXERCISE OF CERTAIN POWERS- For the purpose of the exercise by any agency referred to in subsection (b) of its powers under any Act referred to in that subsection, a violation of this Act is deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (b), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under this Act, any other authority conferred on it by law.

(d) ACTIONS BY THE COMMISSION- The Commission shall prevent any person from violating this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any entity that violates any provision of that section is subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of that section.

(e) PRESERVATION OF COMMISSION AUTHORITY- Nothing contained in this section shall be construed to limit the authority of the Commission under any other provision of law.

SEC. 7. ACTIONS BY STATES.

(a) IN GENERAL-

(1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that this Act prohibits, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction--

(A) to enjoin that practice;

(B) to enforce compliance with the rule;

(C) to obtain damage, restitution, or other compensation on behalf of residents of the State; or

(D) to obtain such other relief as the court may consider to be appropriate.

(2) NOTICE-

(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Commission--

(i) written notice of that action; and

(ii) a copy of the complaint for that action.

(B) EXEMPTION-

(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to provide the notice described in that subparagraph before the filing of the action.

(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.

(b) INTERVENTION-

(1) IN GENERAL- On receiving notice under subsection (a)(2), the Commission shall have the right to intervene in the action that is the subject of the notice.

(2) EFFECT OF INTERVENTION- If the Commission intervenes in an action under subsection (a), it shall have the right--

(A) to be heard with respect to any matter that arises in that action; and

(B) to file a petition for appeal.

(c) CONSTRUCTION- For purposes of bringing any civil action under subsection (a), nothing in this subtitle shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--

(1) conduct investigations;

(2) administer oaths or affirmations; or

(3) compel the attendance of witnesses or the production of documentary and other evidence.

(d) ACTIONS BY THE COMMISSION- In any case in which an action is instituted by or on behalf of the Commission for violation of section 2 of this Act, no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of that section.

(e) VENUE; SERVICE OF PROCESS-

(1) VENUE- Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--

(A) is an inhabitant; or

(B) may be found.

SEC. 8. DEFINITIONS.

In this Act:

(1) ADVERTISEMENT- The term `advertisement' means a commercial promotion for a product or service, but does not include promotions for products or services that appear on computer software help or support pages that are displayed in response to a request by the user.

(2) ADVERTISING FEATURE- The term `advertising feature' means a function of computer software that, when installed on a computer, delivers advertisements to the user of that computer.

(3) AFFIRMATIVE CONSENT- The term `affirmative consent' means consent expressed through action by the user of a computer other than default action specified by the installation sequence and independent from any other consent solicited from the user during the installation process.

(4) CLEAR DESCRIPTION- The term `clear description' means a description that is clear, conspicuous, concise, and in a font size that is at least as large as the largest default font displayed to the user by the software.

(5) COMPUTER SOFTWARE- The term `computer software'--

(A) means any program designed to cause a computer to perform a desired function or functions; and

(B) does not include any cookie.

(6) COOKIE- The term `cookie' means a text file--

(A) that is placed on a computer by an Internet service provider, interactive computer service, or Internet website; and

(B) the sole function of which is to record information that can be read or recognized by an Internet service provider, interactive computer service, or Internet website when the user of the computer uses or accesses such provider, service, or website.

(7) DISTRIBUTED COMPUTING FEATURE- The term `distributed computing feature' means a function of computer software that, when installed on a computer, transmits information or messages, other than personal or network information about the user of the computer, to any other computer without the knowledge or direction of the user and for purposes unrelated to the tasks or functions the user intentionally performs using the computer.

(8) FIRST RETAIL SALE- The term `first retail sale' means the first sale of a computer, for a purpose other than resale, after the manufacture, production, or importation of the computer. For purposes of this paragraph, the lease of a computer shall be considered a sale of the computer at retail.

(9) INFORMATION COLLECTION FEATURE- The term `information collection feature' means a function of computer software that, when installed on a computer, collects personal or network information about the user of the computer and transmits such information to any other party on an automatic basis or at the direction of a party other than the user of the computer.

(10) INSTALL- The term `install' means--

(A) to write computer software to a computer's persistent storage medium, such as the computer's hard disk, in such a way that the computer software is retained on the computer after the computer is turned off and subsequently restarted; or

(B) to write computer software to a computer's temporary memory, such as random access memory, in such a way that the software is retained and continues to operate after the user of the computer turns off or exits the Internet service, interactive computer service, or Internet website from which the computer software was obtained.

(11) NETWORK INFORMATION- The term `network information' means--

(A) an Internet protocol address or domain name of a user's computer; or

(B) a Uniform Resource Locator or other information that identifies Internet web sites or other online resources accessed by a user of a computer.

(12) PERSONAL INFORMATION- The term `personal information' means--

(A) a first and last name, whether given at birth or adoption, assumed, or legally changed;

(B) a home or other physical address including street name, name of a city or town, and zip code;

(C) an electronic mail address or online username;

(D) a telephone number;

(E) a social security number;

(F) any personal identification number;

(G) a credit card number, any access code associated with the credit card, or both;

(H) a birth date, birth certificate number, or place of birth; or

(I) any password or access code.

(13) PERSON- The term `person' has the meaning given that term in section 3(32) of the Communications Act of 1934 (47 U.S.C. 153(32)).

(14) PROTECTED COMPUTER- The term `protected computer' has the meaning given that term in section 1030(e)(2)(B) of title 18, United States Code.

(15) SETTINGS MODIFICATION FEATURE- The term `settings modification feature' means a function of computer software that, when installed on a computer--

(A) modifies an existing user setting, without direction from the user of the computer, with respect to another computer software application previously installed on that computer; or

(B) enables a user setting with respect to another computer software application previously installed on that computer to be modified in the future without advance notification to and consent from the user of the computer.

(16) USER OF A COMPUTER- The term `user of a computer' means a computer's lawful owner or an individual who operates a computer with the authorization of the computer's lawful owner.

SEC. 9. EFFECTIVE DATE.

This Act shall take effect 180 days after the date of enactment of this Act.

END