|
|
|
|
94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006
SB3036
Introduced 1/20/2006, by Sen. Dave Syverson - Peter J. Roskam - Christine Radogno SYNOPSIS AS INTRODUCED:
|
|
|
|
Creates the Consumer Protection Against Computer Spyware Act. Sets forth provisions for unauthorized collection or culling of personally identifiable information, unauthorized access to or modifications of computer settings and computer damage, unauthorized interference with installation or disabling computer software, and other prohibited conduct. Provides that certain persons may bring a civil action against a violator of the Act. Provides a civil penalty for violations of the Act. Permits the Attorney General to obtain a restraining order or injunction for violations of the Act.
|
| |
|
|
| FISCAL NOTE ACT MAY APPLY | |
|
|
|
A BILL FOR
|
|
|
|
|
SB3036 |
|
LRB094 18891 LJB 54335 b |
|
|
| 1 |
| AN ACT concerning business.
|
| 2 |
| Be it enacted by the People of the State of Illinois,
|
| 3 |
| represented in the General Assembly:
|
| 4 |
| Section 1. Short title. This Act may be cited as the |
| 5 |
| Consumer Protection Against Computer Spyware Act.
|
| 6 |
| Section 5. Definitions. In this Act: |
| 7 |
| "Advertisement" means a communication that
includes the |
| 8 |
| promotion of a commercial product or service,
including |
| 9 |
| communication on an Internet website operated for a
commercial |
| 10 |
| purpose.
|
| 11 |
| "Cause computer software to be copied" means to
distribute |
| 12 |
| or transfer computer software or a component of computer
|
| 13 |
| software. The term does not include:
|
| 14 |
| (1) the transmission or routing of computer
software or |
| 15 |
| a component of the software;
|
| 16 |
| (2) the provision of intermediate temporary
storage or |
| 17 |
| caching of software;
|
| 18 |
| (3) the provision of a storage medium, such as a
|
| 19 |
| compact disk;
|
| 20 |
| (4) a website; |
| 21 |
| (5) the distribution of computer software by a
third |
| 22 |
| party through a computer server; or
|
| 23 |
| (6) the provision of an information location
tool, such |
| 24 |
| as a directory, index, reference, pointer, or hypertext
|
| 25 |
| link, through which the user of a computer is able to |
| 26 |
| locate
computer software.
|
| 27 |
| "Computer software" means a sequence of
instructions |
| 28 |
| written in a programming language that is executed on
a |
| 29 |
| computer. The term does not include:
|
| 30 |
| (1) a web page; or |
| 31 |
| (2) a data component of a web page that cannot be
|
| 32 |
| executed independently of that page.
|
|
|
|
SB3036 |
- 2 - |
LRB094 18891 LJB 54335 b |
|
|
| 1 |
| "Damage" means,
with respect to a computer, significant |
| 2 |
| impairment to the integrity or availability of data,
computer |
| 3 |
| software, a system, or information.
|
| 4 |
| "Execute" means, with respect to computer software,
to |
| 5 |
| perform a function or carry out instructions.
|
| 6 |
| "Keystroke-logging function" means a function of a
|
| 7 |
| computer software program that records all keystrokes made by a
|
| 8 |
| person using a computer and transfers that information from the
|
| 9 |
| computer to another person.
|
| 10 |
| "Owner or operator of a computer" means the owner
or lessee |
| 11 |
| of a computer or an individual using a computer with the
|
| 12 |
| authorization of the owner or lessee of the computer. "Owner or |
| 13 |
| operator of a computer" does not
include the person who owned |
| 14 |
| the computer before the date on which
the computer was sold if |
| 15 |
| a computer
was sold at retail.
|
| 16 |
| "Person" means any individual, partnership,
corporation, |
| 17 |
| limited liability company, or other organization or a
|
| 18 |
| combination of those organizations.
|
| 19 |
| "Personally identifiable information", with
respect to an |
| 20 |
| individual who is the owner or operator of a computer,
means:
|
| 21 |
| (1) the first name or first initial in combination
with |
| 22 |
| the last name;
|
| 23 |
| (2) a home or other physical address, including
street |
| 24 |
| name;
|
| 25 |
| (3) an electronic mail address; |
| 26 |
| (4) a credit or debit card number; |
| 27 |
| (5) a bank account number; |
| 28 |
| (6) a password or access code associated with a
credit |
| 29 |
| or debit card or bank account;
|
| 30 |
| (7) a social security number, tax identification
|
| 31 |
| number, driver's license number, passport number, or other
|
| 32 |
| government-issued identification number; or
|
| 33 |
| (8) any of the following information if the
information |
| 34 |
| alone or in combination with other information
personally |
| 35 |
| identifies the individual:
|
| 36 |
| (A) account balances; |
|
|
|
SB3036 |
- 3 - |
LRB094 18891 LJB 54335 b |
|
|
| 1 |
| (B) overdraft history; or |
| 2 |
| (C) payment history.
|
| 3 |
| Section 10. Applicability of Act. |
| 4 |
| (a) Section
20, other than subdivision (1) of that Section, |
| 5 |
| and Sections
25 and 35 do not apply to a telecommunications |
| 6 |
| carrier,
cable operator, computer hardware or software |
| 7 |
| provider, or provider
of information service or interactive |
| 8 |
| computer service that
monitors or has interaction with a |
| 9 |
| subscriber's Internet or other
network connection or service or |
| 10 |
| a protected computer for the following:
|
| 11 |
| (1) network or computer security purposes; |
| 12 |
| (2) diagnostics, technical support, or repair
|
| 13 |
| purposes;
|
| 14 |
| (3) authorized updates of computer software or system
|
| 15 |
| firmware;
|
| 16 |
| (4) authorized remote system management; or |
| 17 |
| (5) detection or prevention of unauthorized use of or
|
| 18 |
| fraudulent or other illegal activities in connection with a
|
| 19 |
| network, service, or computer software, including scanning |
| 20 |
| for and
removing software proscribed under this Act.
|
| 21 |
| (b) This Act does not apply to the following: |
| 22 |
| (1) the use of a navigation device, any interaction
|
| 23 |
| with a navigation device, or the installation or use of |
| 24 |
| computer
software on a navigation device by a multichannel |
| 25 |
| video programming
distributor or video programmer in |
| 26 |
| connection with the provision of
multichannel video |
| 27 |
| programming or other services offered over a
multichannel |
| 28 |
| video programming system if the provision of the
|
| 29 |
| programming or other service is subject to 47 U.S.C. |
| 30 |
| Section 338(i)
or 551; or
|
| 31 |
| (2) the collection or disclosure of subscriber
|
| 32 |
| information by a multichannel video programming |
| 33 |
| distributor or
video programmer in connection with the |
| 34 |
| provision of multichannel
video programming or other |
| 35 |
| services offered over a multichannel
video programming |
|
|
|
SB3036 |
- 4 - |
LRB094 18891 LJB 54335 b |
|
|
| 1 |
| system if the collection or disclosure of the
information |
| 2 |
| is subject to 47 U.S.C. Section 338(i) or 551.
|
| 3 |
| (c) In this Section, "multichannel video programming
|
| 4 |
| distributor" has the meaning assigned by 47 U.S.C. Section |
| 5 |
| 522(13).
|
| 6 |
| Section 15. Unauthorized collection or culling of
|
| 7 |
| personally identifiable information. If a person is not the |
| 8 |
| owner
or operator of the computer, the person may not knowingly |
| 9 |
| cause
computer software to be copied to a computer in this |
| 10 |
| State and use
the software to do any of the following:
|
| 11 |
| (1) collect, through intentionally deceptive means: |
| 12 |
| (A) personally identifiable information by using
a |
| 13 |
| keystroke-logging function; or
|
| 14 |
| (B) personally identifiable information in a
|
| 15 |
| manner that correlates that information with |
| 16 |
| information regarding
all or substantially all of the |
| 17 |
| websites visited by the owner or
operator of the |
| 18 |
| computer, other than websites operated by the
person |
| 19 |
| collecting the information; or
|
| 20 |
| (2) gather, through intentionally deceptive means, the
|
| 21 |
| following kinds of personally identifiable information |
| 22 |
| from the
consumer's computer hard drive for a purpose |
| 23 |
| wholly unrelated to
any of the purposes of the software or |
| 24 |
| service described to an owner
or operator of the computer:
|
| 25 |
| (A) a credit or debit card number; |
| 26 |
| (B) a bank account number; |
| 27 |
| (C) a password or access code associated with a
|
| 28 |
| credit or debit card number or a bank account;
|
| 29 |
| (D) a social security number; |
| 30 |
| (E) account balances; or |
| 31 |
| (F) overdraft history.
|
| 32 |
| Section 20. Unauthorized access to or modifications of
|
| 33 |
| computer settings; computer damage. If a person is not the |
| 34 |
| owner or
operator of the computer, the person may not knowingly |
|
|
|
SB3036 |
- 5 - |
LRB094 18891 LJB 54335 b |
|
|
| 1 |
| cause
computer software to be copied to a computer in this |
| 2 |
| State and use
the software to do any of the following:
|
| 3 |
| (1) Modify, through intentionally deceptive means, a
|
| 4 |
| setting that controls:
|
| 5 |
| (A) the page that appears when an Internet
browser |
| 6 |
| or a similar software program is launched to access and
|
| 7 |
| navigate the Internet;
|
| 8 |
| (B) the default provider or web proxy used to
|
| 9 |
| access or search the Internet; or
|
| 10 |
| (C) a list of bookmarks used to access web pages. |
| 11 |
| (2) Take control of the computer by: |
| 12 |
| (A) accessing or using the computer's modem or
|
| 13 |
| Internet service to:
|
| 14 |
| (i) cause damage to the computer; |
| 15 |
| (ii) cause the owner or operator of the
|
| 16 |
| computer to incur financial charges for a service |
| 17 |
| not previously
authorized by the owner or |
| 18 |
| operator; or
|
| 19 |
| (iii) cause a third party affected by the
|
| 20 |
| conduct to incur financial charges for a service |
| 21 |
| not previously
authorized by the third party; or
|
| 22 |
| (B) opening, without the consent of the owner or
|
| 23 |
| operator of the computer, an advertisement that:
|
| 24 |
| (i) is in the owner's or operator's Internet
|
| 25 |
| browser in a multiple, sequential, or stand-alone |
| 26 |
| form; and
|
| 27 |
| (ii) cannot be closed by an ordinarily
|
| 28 |
| reasonable person using the computer without |
| 29 |
| closing the browser or
shutting down the computer.
|
| 30 |
| (3) Modify settings on the computer that relate to
|
| 31 |
| access to or use of the Internet and protection of |
| 32 |
| information for
purposes of stealing personally |
| 33 |
| identifiable information of the
owner or operator of the |
| 34 |
| computer.
|
| 35 |
| (4) Modify security settings on the computer relating
|
| 36 |
| to access to or use of the Internet for purposes of causing |
|
|
|
SB3036 |
- 6 - |
LRB094 18891 LJB 54335 b |
|
|
| 1 |
| damage
to one or more computers.
|
| 2 |
| Section 25. Unauthorized interference with installation
or |
| 3 |
| disabling of computer software. If a person is not the owner or
|
| 4 |
| operator of the computer, the person may not knowingly cause
|
| 5 |
| computer software to be copied to a computer in this State and |
| 6 |
| use
the software to do any of the following:
|
| 7 |
| (1) Prevent, through intentionally deceptive means,
|
| 8 |
| reasonable efforts of the owner or operator of the computer |
| 9 |
| to block
the installation or execution of or to disable |
| 10 |
| computer software by
causing computer software that the |
| 11 |
| owner or operator has properly
removed or disabled to |
| 12 |
| automatically reinstall or reactivate on the
computer.
|
| 13 |
| (2) Intentionally misrepresent to another that
|
| 14 |
| computer software will be uninstalled or disabled by the |
| 15 |
| actions of
the owner or operator of the computer.
|
| 16 |
| (3) Remove, disable, or render inoperative, through
|
| 17 |
| intentionally deceptive means, security, antispyware, or |
| 18 |
| antivirus
computer software installed on the computer. |
| 19 |
| (4) Prevent the owner's or operator's reasonable
|
| 20 |
| efforts to block the installation of or to disable computer
|
| 21 |
| software by:
|
| 22 |
| (A) presenting the owner or operator with an
option |
| 23 |
| to decline the installation of software knowing that, |
| 24 |
| when
the option is selected, the installation process |
| 25 |
| will continue to
proceed; or
|
| 26 |
| (B) misrepresenting that software has been
|
| 27 |
| disabled.
|
| 28 |
| (5) Change the name, location, or other designation of
|
| 29 |
| computer software to prevent the owner from locating and |
| 30 |
| removing
the software.
|
| 31 |
| (6) Create randomized or intentionally deceptive file
|
| 32 |
| names or random or intentionally deceptive directory |
| 33 |
| folders,
formats, or registry entries to avoid detection |
| 34 |
| and prevent the
owner from removing computer software.
|
|
|
|
SB3036 |
- 7 - |
LRB094 18891 LJB 54335 b |
|
|
| 1 |
| Section 30. Knowing violation. A person knowingly
violates |
| 2 |
| Section 15, 20, or 25 if the person does either of the |
| 3 |
| following:
|
| 4 |
| (1) acts with actual knowledge of the facts that
|
| 5 |
| constitute the violation; or
|
| 6 |
| (2) consciously avoids information that would
|
| 7 |
| establish actual knowledge of those facts.
|
| 8 |
| Section 35. Other prohibited conduct. If a person is not
|
| 9 |
| the owner or operator of the computer, the person may not do |
| 10 |
| any of the following:
|
| 11 |
| (1) induce the owner or operator of a computer in this
|
| 12 |
| State to install a computer software component to the |
| 13 |
| computer by
intentionally misrepresenting the extent to |
| 14 |
| which the installation
is necessary for security or privacy |
| 15 |
| reasons, to open or view text,
or to play a particular type |
| 16 |
| of musical or other content; or
|
| 17 |
| (2) copy and execute or cause the copying and
execution |
| 18 |
| of a computer software component to a computer in this
|
| 19 |
| State in a deceptive manner with the intent of causing the |
| 20 |
| owner or
operator of the computer to use the component in a |
| 21 |
| manner that
violates this Act.
|
| 22 |
| Section 40. Deceptive act or omission. For purposes of
this |
| 23 |
| Act, a person is considered to have acted through
intentionally |
| 24 |
| deceptive means if the person, with the intent to
deceive an |
| 25 |
| owner or operator of a computer does any of the following:
|
| 26 |
| (1) intentionally makes a materially false or
|
| 27 |
| fraudulent statement;
|
| 28 |
| (2) intentionally makes a statement or uses a
|
| 29 |
| description that omits or misrepresents material |
| 30 |
| information; or
|
| 31 |
| (3) intentionally and materially fails to provide to
|
| 32 |
| the owner or operator any notice regarding the installation |
| 33 |
| or
execution of computer software.
|
|
|
|
SB3036 |
- 8 - |
LRB094 18891 LJB 54335 b |
|
|
| 1 |
| Section 45. Civil remedy. |
| 2 |
| (a) The following persons, if
adversely affected by the |
| 3 |
| violation, may bring a civil action
against a person who |
| 4 |
| violates this Act:
|
| 5 |
| (1) a provider of computer software; |
| 6 |
| (2) an owner of a web page or trademark; |
| 7 |
| (3) a telecommunications carrier; |
| 8 |
| (4) a cable operator; or |
| 9 |
| (5) an Internet service provider. |
| 10 |
| (b) In addition to any other remedy provided by law and
|
| 11 |
| except as provided by subsection (g) of this Section, a person |
| 12 |
| bringing an action
under this Section may:
|
| 13 |
| (1) seek injunctive relief to restrain the violator
|
| 14 |
| from continuing the violation;
|
| 15 |
| (2) recover damages in an amount equal to the greater
|
| 16 |
| of:
|
| 17 |
| (A) actual damages arising from the violation; or |
| 18 |
| (B) $100,000 for each violation of the same
nature; |
| 19 |
| or
|
| 20 |
| (3) both seek injunctive relief and recover damages as
|
| 21 |
| provided by this subsection (b).
|
| 22 |
| (c) The circuit court may increase an award of actual |
| 23 |
| damages in an
action brought under subsection (b) to an amount |
| 24 |
| not to exceed 3
times the actual damages sustained if the court |
| 25 |
| finds that the
violations have occurred with a frequency as to |
| 26 |
| constitute a
pattern or practice.
|
| 27 |
| (d) A plaintiff who prevails in an action filed under
|
| 28 |
| subsection (b) is entitled to recover reasonable attorney's |
| 29 |
| fees
and court costs.
|
| 30 |
| (e) Each separate violation of this Act is an actionable
|
| 31 |
| violation.
|
| 32 |
| (f) For purposes of subsection (b), violations are of the
|
| 33 |
| same nature if the violations consist of the same course of |
| 34 |
| conduct
or action, regardless of the number of times the |
| 35 |
| conduct or act
occurred.
|
| 36 |
| (g) In the case of a violation of Section 20 that causes
a |
|
|
|
SB3036 |
- 9 - |
LRB094 18891 LJB 54335 b |
|
|
| 1 |
| telecommunications carrier or cable operator to incur costs for
|
| 2 |
| the origination, transportation, or termination of a call |
| 3 |
| triggered
using the modem of a customer of the |
| 4 |
| telecommunications carrier or
cable operator as a result of the |
| 5 |
| violation and in addition to any
other remedy provided by law, |
| 6 |
| a telecommunications carrier or cable
operator bringing an |
| 7 |
| action under this Section may:
|
| 8 |
| (1) apply to a court for an order to enjoin the
|
| 9 |
| violation;
|
| 10 |
| (2) recover the charges the telecommunications
carrier |
| 11 |
| or cable operator is obligated to pay to a
|
| 12 |
| telecommunications carrier, a cable operator, an other |
| 13 |
| provider of
transmission capability, or an information |
| 14 |
| service provider as a
result of the violation, including |
| 15 |
| charges for the origination,
transportation, or |
| 16 |
| termination of the call;
|
| 17 |
| (3) recover the costs of handling customer inquiries
or |
| 18 |
| complaints with respect to amounts billed for calls as a |
| 19 |
| result
of the violation;
|
| 20 |
| (4) recover other costs, including court costs, and
|
| 21 |
| reasonable attorney's fees; or
|
| 22 |
| (5) both apply for injunctive relief and recover
|
| 23 |
| charges and other costs as provided by this subsection (g).
|
| 24 |
| Section 50. Civil penalty; injunction. |
| 25 |
| (a) A person who
violates this Act is liable to the State |
| 26 |
| for a civil penalty in
an amount not to exceed $100,000 for |
| 27 |
| each violation. The Attorney
General may bring suit to recover |
| 28 |
| the civil penalty imposed by this
subsection (a).
|
| 29 |
| (b) If it appears to the Attorney General that a person is
|
| 30 |
| engaging in, has engaged in, or is about to engage in conduct |
| 31 |
| that
violates this Act, the Attorney General may bring an |
| 32 |
| action in
the name of this State against the person to restrain |
| 33 |
| the violation
by a temporary restraining order or a permanent |
| 34 |
| or temporary
injunction.
|
| 35 |
| (c) The Attorney General is entitled to recover reasonable
|