To provide the Federal Trade Commission with the resources necessary to protect users of the Internet from the unfair and deceptive acts and practices associated with spyware, and for other purposes.

May 11, 2005

Mr. ALLEN (for himself, Mr. SMITH, and Mr. ENSIGN) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

To provide the Federal Trade Commission with the resources necessary to protect users of the Internet from the unfair and deceptive acts and practices associated with spyware, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `Enhanced Consumer Protection Against Spyware Act of 2005'.

SEC. 2. CONGRESSIONAL FINDINGS.

Congress finds the following:

(1) Software commonly known as `spyware' can cause significant harm to consumers by, among other things, deceptively or unfairly causing a computer to malfunction, slow down, lose data, cease working properly, or share personal information without a consumer's knowledge.

(2) The unfair and deceptive practices associated with the distribution of spyware threaten the confidence of millions of Americans who use the Internet as a valuable medium for commerce and communications.

(3) The Federal Trade Commission's legal actions have clearly established the Commission's authority to combat unfair or deceptive acts or practices involving the Internet and consumers' computers.

(4) According to the Commission's statements to Congress, the vast majority of unfair or deceptive acts or practices involving spyware, such as deceptively asserting control over a consumer's computer and capturing keystroke information, are already unlawful under the Federal Trade Commission Act.

(5) The Commission has already taken legal action against spyware purveyors. For example, in FTC v. Seismic Entertainment, the Commission requested that a district court of the United States shut down a spyware operation that hijacks personal computers, secretly changes computer settings, barrages them with pop-up ads, and installs software programs that `spy' on consumers' web surfing.

(6) Because the fraudulent, deceptive, or unfair installation of spyware is already a violation of Federal law, Congress must focus on providing adequate resources to combat spyware. For example, because a large percentage of the purveyors of spyware are located outside of the United States, legislation that increases the Commission's authority to combat deceptive or unfair acts or practices that occur overseas would promote enforcement actions against spyware purveyors.

(7) Because spyware affects interstate commerce and over 20 States are considering legislation on spyware and 2 States have already enacted laws on spyware, Congress must establish a Federal regulatory and enforcement standard to protect against the growing patchwork of State laws that unnecessarily confuses and burdens consumers and legitimate software providers.

SEC. 3. SENSE OF CONGRESS.

On the basis of the findings in section 2, it is the sense of the Congress that--

(1) combating spyware should be established as a matter of high priority for Federal Trade Commission action; and

(2) the resources and tools available to the Commission should be enhanced and expanded to increase the breadth and strength of the Commission's spyware enforcement efforts.

SEC. 4. DEFINITIONS.

As used in this Act:

(1) CABLE OPERATOR- The term `cable operator' has the meaning given such term in section 602 of the Communications Act of 1934 (47 U.S.C. 522).

(2) COMPUTER; PROTECTED COMPUTER- The terms `computer' or `protected computer' have the meanings given such terms in section 1030(e) of the title 18, United States Code.

(3) COMMISSION- The term `Commission' means the Federal Trade Commission.

(4) INFORMATION SERVICE- The term `information service' has the meaning given such term in section 3 of the Communications Act of 1934 (47 U.S.C. 153).

(5) INTERACTIVE COMPUTER SERVICE- The term `interactive computer service' has the meaning given such term in section 230(f) of the Communications Act of 1934 (47 U.S.C. 230(f)).

(6) OWNER OR AUTHORIZED USER- The term `owner or authorized user' means--

(A) a natural person who owns a computer for commercial, family, household, or educational purposes; or

(B) an individual who operates a computer with the authorization of a natural person who owns the computer for commercial, personal, family, household, or educational purposes.

(7) TELECOMMUNICATIONS CARRIER- The term `telecommunications carrier' has the meaning given such term in section 3 of the Communications Act of 1934 (47 U.S.C. 153).

SEC. 5. FEDERAL TRADE COMMISSION AUTHORITY TO COMBAT DECEPTIVE ACTS OR PRACTICES RELATING TO SPYWARE.

(a) Restatement of Authority-

(1) VIOLATION- It is a violation of section 18 of the Federal Trade Commission Act (15 U.S.C. 57a) to install through deceptive acts or practices software on protected computers.

(2) ENFORCEMENT- Any violation of this Act or of any rules implementing this Act, shall be enforced by the Commission as if it were an unfair or deceptive act or practice proscribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(b) Increased Fines- For any violation described in subsection (a), the Commission may, in its discretion, penalize such deceptive acts or practices by tripling the amounts prescribed in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

(c) Penalty for Pattern or Practice Violations-

(1) IN GENERAL- Notwithstanding the Federal Trade Commission Act (15 U.S.C. 41 et seq.), in the case of a person who engages in a pattern or practice that violates subsection (a), the Commission may, in its discretion, seek a civil penalty for such pattern or practice of violations in an amount, as determined by the Commission, of not more than $3,000,000 for each violation of subsection (a).

(2) TREATMENT OF SINGLE ACTION OR CONDUCT- For the purpose of enforcing paragraph (1), any single action or conduct that violates subsection (a) with respect to multiple protected computers shall be treated as a single violation.

(d) Ill-Gotten Gains- For any violation described in subsection (a), the Commission shall have authority to disgorge and seize any ill-gotten gains procured through such deceptive acts or practices.

(e) Preemption of State or Local Law- This section supersedes any provision of a statute, regulation, or rule, and any other requirement, prohibition or remedy under State law or the law of a political subdivision of a State that relates to or affects installation of software through deceptive acts or practices or the use of computer software installed by means of the Internet.

(f) Private Right of Action-

(1) IN GENERAL- This Act may not be considered or construed to provide any private cause of action, including a class action.

(2) CIVIL ACTION- No private civil action relating to any act or practice governed under this Act may be commenced or maintained in any State court or under State law, including a pendent State claim to an action under Federal law.

(g) Enforcement by State Attorney Generals-

(1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that is prohibited under this section, the State, as parens patriae, may bring a civil action on behalf of the residents of that State in a Federal district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to--

(A) enjoin that practice;

(B) enforce compliance with this section;

(C) obtain actual damage and restitution on behalf of residents of the State; or

(D) obtain such other relief as the court may consider to be appropriate.

(2) NOTICE-

(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of a State shall provide to the Commission and the Attorney General--

(i) written notice of the action; and

(ii) a copy of the complaint for the action.

(B) EXEMPTION-

(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.

(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission and the Attorney General at the time the attorney general of a State files the action.

(C) ATTORNEY GENERAL'S RIGHT TO INTERVENE- After having been notified, as provided in subparagraph (A), the United States Attorney General shall have the right--

(i) to file an action;

(ii) to intervene in the action;

(iii) upon so intervening, to be heard on all matters arising in that action;

(iv) to remove the action to the appropriate district court of the United States; and

(v) to file petitions for appeal.

(D) PROHIBITION ON STATE ATTORNEY GENERALS IF ATTORNEY GENERAL ACTS- If the Attorney General institutes an action under this Act, no attorney general of a State or official or agency of a State may bring an action under this subsection for any violation of subsection (a) alleged in the complaint.

(E) PROHIBITION ON STATE ATTORNEY GENERALS IF COMMISSION ACTS- If the Commission institutes an action under this subsection, no attorney general of a State or official or agency of a State may bring an action under this subsection for any violation of this section alleged in the complaint.

(h) Rule of Construction- For purposes of bringing any civil action under this section, nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to--

(1) conduct investigations;

(2) administer oaths or affirmations; or

(3) compel the attendance of witnesses or the production of documentary and other evidence.

(i) Venue; Service of Process-

(1) VENUE- Any action brought under subsection (g) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

(2) SERVICE OF PROCESS- In an action brought under subsection (g), process may be served in any district in which the defendant--

(A) is an inhabitant; or

(B) may be found.

SEC. 6. LIMITATIONS ON LIABILITY.

(a) Law Enforcement Authority- Section 5 shall not apply to the transmission, installation, or execution of a computer program in compliance with a law enforcement, investigatory, national security, or regulatory agency or department of the United States, or any State in response to a request or demand made under authority granted to that agency or department, including--

(1) a warrant issued under the Federal Rules of Criminal Procedure;

(2) an equivalent State warrant; or

(3) a court order or other lawful process.

(b) Passive Transmission, Hosting, or Linking- A person shall not be deemed to have violated any provision of this Act solely because the person provided--

(1) the Internet connection, telephone connection, or other transmission or routing function through which software was delivered to a protected computer for installation;

(2) the storage or hosting of software or of an Internet website through which software was made available for installation to a protected computer; or

(3) an information location tool, such as a directory, index, reference, pointer, or hypertext link, through which a user of a protected computer located software available for installation.

(c) Exception Relating to Security- Nothing in this Act shall apply to--

(1) any monitoring of, or interaction with, a consumer's Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service, to the extent that such monitoring or interaction is for network or computer security purposes, network management, maintenance, diagnostics, technical support or repair, or for the detection or prevention of fraudulent activities; or

(2) a discrete interaction with a protected computer by a provider of computer software solely to determine whether the user of the computer is authorized to use such software, that occurs upon--

(A) initialization of the software; or

(B) an affirmative request by the owner or authorized user for an update of, addition to, or technical service for, the software.

(d) Limitation on Liability- A manufacturer or retailer of computer equipment shall not be liable under this Act to the extent that the manufacturer or retailer is providing third party branded software that is installed on the equipment the manufacturer or retailer is manufacturing or selling.

(e) Compliance With Law- No person shall be liable under this Act for engaging in any activity that is expressly permissible under any other provision of Federal law.

(f) Commission Authority- In addition to the limitation of liability specified in this section, the Commission may by regulation establish additional limitations or exceptions upon the finding that such limitations or exceptions are reasonably necessary to promote the public interest.

SEC. 7. INTERNATIONAL CONSUMER PROTECTION AUTHORITY.

(a) Availability of Remedies- Section 5(a) of the Federal Trade Commission Act (15 U.S.C. 45(a)) is amended by adding at the end the following:

`(4)(A) For purposes of this subsection, the term `unfair or deceptive acts or practices' includes unfair or deceptive acts or practices involving foreign commerce that--

`(i) cause or are likely to cause reasonable foreseeable injury within the United States; or

`(ii) involve material conduct occurring within the United States.

`(B) All remedies available to the Commission with respect to unfair and deceptive acts or practices shall be available for acts and practices described in this paragraph, including restitution to domestic or foreign victims.'.

SEC. 8. PENALTIES FOR CERTAIN UNAUTHORIZED ACTIVITIES RELATING TO COMPUTERS.

(a) In General- Chapter 47 of title 18, United States Code, is amended by inserting after section 1030 the following:

`Sec. 1030A. Illicit indirect use of protected computers

`(a) Furtherance of Criminal Offense- Whoever intentionally accesses a protected computer without authorization, or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and intentionally uses that program or code in furtherance of another Federal criminal offense shall be fined under this title or imprisoned not more than 5 years, or both.

`(b) Security Protection- Whoever intentionally accesses a protected computer without authorization, or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and by means of that program or code intentionally impairs the security protection of the protected computer shall be fined under this title or imprisoned not more than 2 years, or both.

`(c) Individual Exemption- A person shall not violate this section who solely provides--

`(1) an Internet connection, telephone connection, or other transmission or routing function through which software is delivered to a protected computer for installation;

`(2) the storage or hosting of software, or of an Internet website, through which software is made available for installation to a protected computer; or

`(3) an information location tool, such as a directory, index, reference, pointer, or hypertext link, through which a user of a protected computer locates software available for installation.

`(d) Network Exemption- A provider of a network or online service that an authorized user of a protected computer uses or subscribes to shall not violate this section by any monitoring or, interaction with, or installation of software for the purpose of--

`(1) protecting the security of the network, service, or computer;

`(2) facilitating diagnostics, technical support, maintenance, network management, or repair; or

`(3) preventing or detecting unauthorized, fraudulent, or otherwise unlawful uses of the network or service.

`(e) Exclusive Jurisdiction- No person may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant's violation of this section.

`(f) Definitions- As used in this section:

`(1) COMPUTER; PROTECTED COMPUTER- The terms `computer' or `protected computer' have the meanings given such terms in section 1030(e) of this title.

`(2) STATE- The term `State' includes each of the several States, the District of Columbia, Puerto Rico, and any other territory or possession of the United States.'.

(b) Conforming Amendment- The table of sections at the beginning of chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following new item:

`1030A. Illicit indirect use of protected computers.'.

SEC. 9. PRESERVATION OF FEDERAL TRADE COMMISSION AUTHORITY.

Nothing in this Act may be construed in any way to limit or affect the Commission's authority under any other provision of law, including the authority to issue advisory opinions, policy statements, or guidance regarding this Act.

SEC. 10. AUTHORIZATION OF APPROPRIATIONS.

There is authorized to be appropriated, to the Commission for the purposes of enforcing violations relating to the unfair and deceptive practices associated with computer and Internet related crimes, not more than $10,000,000 for each fiscal year beginning with fiscal year 2006.

END