ABA Section of Intellectual Property Law
Division VII — Information Technology
Final Report
May 1, 2008
Marc K. Temin, Division Chair
COMMITTEE NO. 711 — ONLINE SECURITY & E-PRIVACY
Robert Mark Field and Michael A. Parks, Co-Chairs
Scope of committee: All aspects of online security and e-privacy but excluding issues within the
scope of Committee 710.
In its second year, Committee 711 does not have any proposed resolutions. Committee 711 has planned a Continuing Legal Education seminar titled “Data Breach Notification: Roundtable Discussion of US, EU and APEC Approaches and Related Policy Considerations” for the ABA Section of International Law’s 2008 Fall Meeting, September 23rd – 27th, 2008, in Brussels, Belgium. In addition, Committee 711 submits the following report, which consists of a Report of the Subcommittee on Spyware and an update on credit security legislation enacted since last year’s report.
REPORT OF THE SUBCOMMITTEE ON SPYWARE
Renard Francois (co-chair)
Mo Syed (co-chair)
Elizabeth Bowles
Thomas A. Rust
David E. Blau
Christina D. Frangiosa
Steven Emmert
Behnam Dayanim
The Subcommittee on Spyware has met repeatedly to discuss Section policy concerning the issue of spyware legislation. We set out to arrive at a proposed committee resolution on this issue. However, on March 14, 2008, a majority of the subcommittee decided that there was not enough consensus on the issues to propose a resolution. As such, the subcommittee decided to present the Section with a report highlighting areas that need to be analyzed more fully and assessed for their impact.
Discussion.
I. DEFINITION OF SPYWARE
Critical to any legislation purporting to regulate spyware is the definition of the term itself. Anti-spyware legislation cannot reach programs that fall outside the definition of “spyware,” nor can any program that fits within that definition be exempted from the legislation’s reach. The generally accepted popular definition of spyware is “a broad category of malicious software intended to intercept or take partial control of a computer’s operation without the user’s informed consent.” Such software resides on a user’s computer without the user’s knowledge and often collects information about the user or the computer’s use that is then sent to the software’s creator or to third parties.
State legislation usually defines “spyware” to include computer programs that are installed on the user’s computer without the user’s knowledge and/or consent and that cause certain defined results (e.g., changing settings, “hijacking” home pages, collecting personally identifiable information, keystroke logging, monitoring surfing habits in order to deliver advertisements, creating zombies). See Utah Code Ann. § 13-40-101 et seq. and Cal. Bus. & Prof. Code § 22947 et seq. Currently proposed federal legislation takes a similar tack, requiring consent and defining spyware by the ultimate result of the software. See H.R. 4661 (the Internet Spyware (I-SPY) Prevention Act) and H.R. 2929 (the Securely Protect Yourself Against Cyber Trespass Act (SPY Act)).
Critics of this method of definition argue that by including specific results that the
software must produce in order to be in violation of the acts, software that is yet to be invented
that nonetheless would produce an undesirable result is excluded from the definition. These
advocates argue that the definition of spyware should rest entirely on the quality of the consent
given to installation of the program regardless of the software’s purpose. (Arguably, under this
construct, a consumer could consent to have her computer turned into a zombie.)
Many marketers argue that the definition of spyware should expressly exclude certain
types of programs that collect only marketing data. These marketers assert that marketing data is
not personally-identifiable, is harmless to the consumer, and allows marketers to provide desired
information on goods and services the consumer may want to obtain.
A third group of stakeholders in the debate, including many consumer advocacy organizations, argues that cookies, both session and tracking, should be excluded from the definition of spyware. Because tracking cookies are small data records placed on the user’s computer without explicit consent, are sometimes “persistent” (in that they remain on the computer after the consumer has ended that particular session), and track a user’s path through websites, they fall within many definitions of spyware unless specifically exempted. Many privacy and consumer advocates accept the use of cookies as creating a better and more enjoyable Internet experience (for example, Amazon.com greets returning visitors by name), and virtually all companies and marketers use them to provide much-needed data on website usage. However, many pieces of anti-spyware legislation unintentionally include tracking cookies in their definition of spyware. Such legislation would require all website owners to provide notice and obtain consent from website visitors whenever cookies are used.
The Anti-Spyware Coalition (“ASC”), a consortium of consumer groups, ISPs and software companies (including some adware vendors), has stated the following with respect to “spyware and other potentially unwanted technologies”:
These are technologies implemented in ways that impair users’ control over:
• Material changes that affect their user experience, privacy, or system security
• Use of their system resources, including what programs are installed on their computers
• Collection, use, and distribution of their personal or otherwise sensitive information
These are items that users will want to be informed about, and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable.
The ASC created a table of the types of potentially malicious software along with each type of software’s pros and cons. The ASC noted that “with proper notice, consent, and control some of these same technologies can provide important benefits.”
Ultimately, the definition of spyware may hinge on whether or not installation of the program
occurs only following the user’s adequately informed notice and consent. Programs installed
with adequate notice and informed consent, regardless of purpose, may be exempted from the
definition of spyware, whereas programs installed without the user’s consent, regardless of
purpose, may be included within that definition.
II. FEDERAL SPYWARE LAWS
1. The Wiretap Act
In 1968 Congress passed the Wiretap Act (Title III of the Omnibus Crime Control and Safe Streets Act), [1] the first of two major federal laws affecting spyware. In 1986 the Electronic Communications Privacy Act (ECPA) amended and extended it. Two of the ECPA’s titles, each known by a separate name, together prohibit access to communications while in transit between two parties and while in storage. Communications as defined in the Act may be wire, oral, or electronic. Wire communications include aural transfers over a wire, such as telephone conversations. [2] Oral communications are utterances that are not wire communications and for which a person has an actual and reasonable expectation of privacy. [3] Electronic communications are electronic transfers of data and signals that are not wire or oral communications. [4]
Title I of the ECPA amended the Wiretap Act, 18 U.S.C. § 2510 et seq., [5] which generally prohibits interception and disclosure of transient wire, oral, or electronic communications. The Wiretap Act bars the use of unlawfully intercepted wire or oral communications as evidence in court, but contains no such exclusionary rule for electronic communications. [6] It contains exceptions allowing law enforcement officers, under court order, to intercept these communications, for example by tapping a wire. [7] Any person whose communications were unlawfully intercepted may recover damages in a civil action. [8]
Title II of the ECPA is the Stored Wire and Electronic Communications and Transactional Records Act (also known as the “Stored Communications Act,” or SCA), [9] and generally prohibits unauthorized access to wire and electronic communications while they are in electronic storage at “a facility through which an electronic communication service is provided.” [10] This phrase has been generally understood to mean an Internet Service Provider, although courts are split on whether it includes a user’s computer. [11] There are exceptions to the Act’s prohibition that allow the ISP and the user to access a stored communication of that user. [12] There are also exceptions that allow an ISP to make mandatory disclosures pursuant to a warrant, [13] and to preserve backups of data pursuant to a warrant. [14] The SCA allows for a private right of action. [15]

[1] Pub. L. 90-351 (June 19, 1968).
[2] See 18 U.S.C. § 2510(1). Unless otherwise noted, all citations to a section of the U.S. Code are to Title 18.
[3] § 2510(2).
[4] § 2510(12).
[5] 18 U.S.C. § 2510 et seq.
[6] Id. at § 2515.
[7] Id. at § 2517.
[8] Id. at § 2520.
[9] 18 U.S.C. § 2701 et seq.
[10] Id. at § 2701(a).
[11] In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001) (plaintiff’s computer is a “facility” within the meaning of the SCA); In re Pharmatrak, Inc. Privacy Litigation, 220 F. Supp. 2d 4 (D. Mass. 2002) (plaintiff’s computer is not a “facility”).
[12] 18 U.S.C. § 2701(c).
[13] § 2703.
[14] § 2704.
[15] § 2707.
2. The Computer Fraud and Abuse Act
In 1984 Congress passed the Computer Fraud and Abuse Act, [16] which criminalizes a wide range of unauthorized computer-related activities. These activities include: obtaining bank or credit card records or credit reports; [17] accessing a computer with intent to defraud and obtaining anything of value (other than mere use of the computer valued at less than $5,000 per year); [18] intentionally or recklessly causing at least $5,000 in damage to a computer within a year; [19] or trafficking in passwords. [20] The Act does not preempt state laws. [21] The Secret Service, and in some cases the FBI, may investigate these offenses. [22] Additionally, the Act provides for a private right of action; however, recovery may not include punitive damages and is generally limited to economic damages. [23]
Bills in Congress
Congress is currently considering several bills that would address the problem of spyware. These include the House’s Securely Protect Yourself Against Cyber Trespass Act (SPY Act), the Senate’s Counter Spy Act, the Internet Spyware Prevention Act of 2007 (I-SPY Act), and the Anti-Phishing Consumer Protection Act of 2008 (APCPA). The Senate is also considering the Identity Theft Enforcement and Restitution Act, [24] which would amend the Computer Fraud and Abuse Act to eliminate the $5,000 per year threshold for violations and add a forfeiture penalty for computer equipment used in violations.
[16] Pub. L. 98-473 (Oct. 12, 1984), codified at 18 U.S.C. § 1030.
[17] 18 U.S.C. § 1030(a)(2).
[18] § 1030(a)(4).
[19] § 1030(a)(5).
[20] § 1030(a)(6).
[21] § 1030(f).
[22] § 1030(d).
[23] § 1030(g).
[24] S. 2168, approved by the Senate and referred to the House Subcommittee on Crime, Terrorism, and Homeland Security as of Feb. 4, 2008.
The Spy Act [25] and Counter Spy Act, [26] like the Computer Fraud and Abuse Act before them, attempt to address a comprehensive range of unauthorized computer-related activities. These activities include: using a computer as a spam relay (a “zombie”) or as part of a botnet conducting a denial of service attack; hijacking a computer’s browser or network connection to incur charges; creating browser advertising spam or uncloseable windows; altering a browser’s home page, default connection, bookmarks, or security settings; logging keystrokes to obtain personal information; using false web pages to obtain personal information (phishing); installing software that ignores “do not install” instructions or automatically re-activates or re-installs itself after being uninstalled; misrepresenting software as being required to secure a computer; misrepresenting the identity of a software provider; inducing the disclosure of personal information by fraud or without consent; disabling anti-virus or other security software; installing software for the purpose of inducing a user to do any of these things; [27] collecting, without consent, personally identifying information or network usage information (with an exception for ads shown by the site doing the collecting, if the information is kept private); [28] hiding installation files using misleading or random file or directory names, or installing files in a system folder to avoid detection; requiring that a particular third-party website be accessed, or an access code obtained from a third party, in order to disable software; [29] and installing adware that conceals its operation from a user. [30] In both bills, the FTC and various other federal and state agencies may bring an action, but neither bill provides for a private right of action. [31] Further, these bills would preempt state laws on these matters. [32]
The I-SPY Act [33] would add a new section 18 U.S.C. § 1030A, which defines offenses for loading a computer program onto a computer without authorization and then intentionally using that program to commit a federal crime, and for obtaining or transmitting personal information, or impairing the security of a computer, with intent to defraud, injure, or damage a user’s computer. [34] This Act would also preempt state law, unlike the Computer Fraud and Abuse Act. [35] However, the Act makes no changes to the existing private right of action under the Computer Fraud and Abuse Act.
[25] H.R. 964, approved by the House and in the Senate Committee on Commerce, Science, and Transportation as of June 7, 2007.
[26] S. 1625, in the Committee on Commerce, Science, and Transportation as of June 14, 2007.
[27] Spy Act, § 2; Counter Spy Act, § 3.
[28] Spy Act, § 3; Counter Spy Act, § 4.
[29] Counter Spy Act, § 3(3).
[30] Counter Spy Act, § 5.
[31] Spy Act, § 4; Counter Spy Act, §§ 7(a), 8(a), 9(a).
[32] Spy Act, § 6(a); Counter Spy Act, § 11(b).
[33] H.R. 1525, approved by the House and in the Senate Committee on the Judiciary as of May 23, 2007.
[34] I-SPY Act, § 2.
[35] I-SPY Act, § 2, text of new § 1030A(c).
Finally, Congress is also considering the Anti-Phishing Consumer Protection Act. [36] This Act would add offenses directed specifically at phishing, cybersquatting, and deceptive or misleading domain names. [37] A state agency, attorney general, or other official may bring a civil action “as parens patriae” on behalf of its citizens, but there is no private right of action. [38] The FTC, affected ISPs and trademark holders, the SEC, certain Federal Reserve banks, providers of state insurance, and the Secretaries of Transportation and Agriculture could also bring suit in various situations. [39] This Act would also preempt state law. [40]
III. SPYWARE: FEDERAL REGULATORY ACTIONS
The Federal Trade Commission and the United States Department of Justice argue that a federal anti-spyware statute is not warranted because current statutes, such as the Federal Trade Commission Act (“FTC Act”) [41] and the Computer Fraud and Abuse Act of 1984, [42] provide federal law enforcement with sufficient authority to sue those who create, use, or distribute spyware. Certain federal statutes have already been used to prosecute persons and businesses who have used spyware to defraud consumers, surreptitiously obtain information from consumers, or impair the performance of a consumer’s computer. This section will show how the Federal Trade Commission is using its authority under the FTC Act to prosecute those who use spyware to deceive consumers or to engage in unfair business practices. Additionally, this section will show how the Department of Justice is using two statutes in particular to prosecute those using spyware for illegal purposes. Both agencies have been extremely aggressive in recent years in investigating and litigating spyware cases.
The FTC has applied the prohibitions articulated in Section 5 of the FTC Act not only to spyware, but also to adware, malware, and other unwanted software. The FTC’s deception authority and its unfairness authority under the statute are distinct, and the FTC has used both to combat spyware. Although the FTC has not requested additional laws to fight spyware, it has recommended to Congress that it be granted civil penalty authority to fine spyware developers.
[36] S. 2661, in the Committee on Commerce, Science, and Transportation as of Feb. 25, 2008.
[37] APCPA, § 3.
[38] APCPA, § 4(a).
[39] APCPA, §§ 4, 5.
[40] APCPA, § 7.
[41] See 15 U.S.C. §§ 41-58. The Federal Trade Commission Act prohibits acts or practices that are unfair or deceptive. According to the FTC, an unfair act or practice is one that injures consumers or is likely to cause injury, where the injury is not reasonably avoidable by the consumer and is not outweighed by countervailing benefits. A deceptive practice is an act or practice that involves a misrepresentation of a material fact.
[42] 18 U.S.C. § 1030.
The FTC has used this statute to sue those who have created and distributed spyware for violations of the FTC Act. FTC v. Seismic Entertainment demonstrates the first principle: the resources of a consumer’s computer are his or her own, and Internet businesses cannot use those resources without the consumer’s permission. [43] The FTC alleged that Seismic Entertainment exploited known vulnerabilities in Internet Explorer to download spyware to consumers’ computers without their knowledge. [44] According to the FTC, the spyware, among other things, hijacked consumers’ home pages, caused the display of an incessant stream of pop-up ads, allowed the secret installation of additional software programs, and caused computers to severely slow down or crash. Additionally, the FTC alleged that the defendants’ use of “drive-by” tactics to download spyware violated Section 5 of the FTC Act. The FTC obtained a $4.1 million judgment; a final order that prohibits the defendants from downloading software in the future without consumer authorization; and a $330,000 judgment against a second group of defendants who allegedly distributed the spyware. FTC v. Seismic Entertainment, Inc., No. 04-377-JD, 2004 U.S. Dist. LEXIS 22788 (D.N.H. Oct. 21, 2004).
In Seismic, the FTC sued, and obtained judgments against, not only the defendants who created the spyware but also the defendants who distributed it to unwitting consumers. This highlights the breadth of the FTC Act and demonstrates how the FTC has used it to pursue all those who bear some responsibility for the creation and distribution of spyware. The FTC has also applied the FTC Act to conduct other than that alleged in Seismic; it has sued companies that hire third parties who use adware in violation of the FTC Act.
In FTC v. Zango, [45] the FTC alleged that Zango’s distributors, third-party affiliates who often contracted with numerous sub-affiliates, frequently offered consumers free content and software, such as screensavers, peer-to-peer file sharing software, games, and utilities, without disclosing that downloading them would result in installation of the adware. [46] In other instances, Zango’s third-party distributors exploited security vulnerabilities in web browsers to install the adware via “drive-by” downloads. As a result, millions of consumers received pop-up ads without knowing why, and had their Internet use monitored without their knowledge. The FTC charged that Zango’s failure to disclose that downloading the free content and software would result in installation of the adware was deceptive, and that its failure to provide consumers with a reasonable and effective means to identify, locate, and remove the adware from their computers was unfair, in violation of the FTC Act.
Second, the FTC has sued companies that buried disclosures about spyware or other critical information in the End User License Agreement, for violating the well-established requirements for clear and conspicuous disclosures. The FTC sued Odysseus Marketing and its principal for advertising software that the company claimed would allow consumers to engage in peer-to-peer file sharing anonymously. [47] According to the FTC’s complaint, the website’s claims of anonymity encouraged consumers to download the free software. [48] The agency charged that the claims were bogus because the software did not make file sharing anonymous, and that there actually was a cost to consumers because the “free” software was bundled with spyware. According to the complaint, the spyware secretly downloaded dozens of other software programs, diminishing consumers’ computer performance and memory, and replaced or reformatted search engine results. The FTC alleged that Odysseus Marketing hid its disclosure in the middle of a two-page end-user license agreement buried in the “Terms and Conditions” section of its website and deliberately made its software difficult to detect and impossible to remove using standard software utilities.

[43] FTC v. Seismic Entertainment et al., FTC File Nos. 042 3142; X05 0013.
[44] See FTC v. Seismic Entertainment, Complaint, http://www.ftc.gov/os/caselist/0423142/041012comp0423142.pdf.
[45] FTC v. Zango et al., FTC File No. 052 3130.
[46] See FTC v. Zango, Complaint (filed Nov. 5, 2006), http://www.ftc.gov/os/caselist/0523130/0523130cmp061103.pdf.
In addition to the FTC’s ability to bring Section 5 cases like Seismic, the United States Department of Justice has statutory authority to prosecute distributors of spyware in cases where consumers’ privacy or security is compromised. The Computer Fraud and Abuse Act of 1984 prohibits the unauthorized acquisition of data from a protected computer that results in damage. 18 U.S.C. § 1030(a). The DOJ has been fairly successful in using the Computer Fraud and Abuse Act to go after the distributors of spyware. In United States v. Dinh, the DOJ alleged that the defendant violated the Computer Fraud and Abuse Act in two ways. First, the defendant allegedly knowingly accessed another person’s computer without authorization by installing a series of keystroke-logging programs to remotely monitor the keystrokes of the computer user and identify computer accounts and passwords. Second, the defendant allegedly violated the statute by engaging in a scheme to defraud an investor and committing mail and wire fraud. The defendant was sentenced to 13 months in prison.
Other cases illustrate that the DOJ has successfully used the Computer Fraud and Abuse Act to prosecute those who use keystroke loggers without the authorization of the computer user. In United States v. Jiang, the defendant was sentenced to 27 months in prison and ordered to pay approximately $200,000 in restitution for knowingly installing keystroke-logging software to surreptitiously record the keystrokes on another person’s computer. United States v. Owusu involved a defendant who surreptitiously installed a keystroke logger on public computers in order to record every keystroke made on those computers. According to the Department of Justice, the defendant used the information gathered with the keystroke logger to gain unauthorized access to users’ online accounts and university management systems. The defendant was sentenced to four years in prison.
The DOJ also has authority, under a variety of statutes that regulate communications, to pursue actions against entities that acquire information fraudulently, such as through the use of a keystroke logger: Fraud and Related Activity in Connection with Access Devices, 18 U.S.C. § 1029; Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. §§ 2510-22; and the Stored Communications Act provisions of the Electronic Communications Privacy Act, 18 U.S.C. §§ 2701-11. To that end, the DOJ has used 18 U.S.C. § 2512 to prosecute those who create and market spyware programs.
[47] FTC v. Odysseus Marketing, FTC File Nos. 042 3205; X050069.
[48] FTC v. Odysseus Marketing, Complaint (filed October 5, 2005), http://www.ftc.gov/os/caselist/0423205/050929comp0423205.pdf.
In United States v. Perez-Melara, the federal government used § 2512 to prosecute a person who created a computer program that could be used to spy on others and monitor all activity on a computer, intercepting and collecting e-mails sent and received, websites visited, and passwords entered.
In prosecuting these cases, federal law enforcement has used its resources to confront unfair and deceptive practices and has illustrated that certain spyware behaviors are illegal under existing law. In particular, the FTC has established three principles to guide its spyware enforcement efforts: [49]
• A consumer’s computer belongs to him or her, not to the software distributor. This means that no software maker should be able to gain access to or use the resources of a consumer’s computer without the consumer’s consent.
• Buried disclosures do not work. Communicating material terms about the functioning of a software program deep within an EULA does not meet the standard for adequate disclosure.
• Consumers must be able to uninstall or disable software that they do not want. If a software distributor places an unwanted program on a consumer’s computer, there should be a reasonably straightforward way for that program to be removed.
Through active and aggressive enforcement, federal law enforcement has clarified some of the issues peculiar to spyware. This clarification, as illustrated in the three guidelines above, has guided federal enforcement and could do the same for federal anti-spyware legislation. Although some states have anti-spyware laws, state law generally does not clarify the complex issues peculiar to spyware. “Some states have passed specific spyware statutes to help clarify these distinctions, but several of the states that have been most active in spyware enforcement have no such laws in place.” [50]
Federal officials at both the Federal Trade Commission and the Department of Justice believe that they have adequate authority under their existing criminal and civil statutes to take law enforcement action against those who disseminate spyware. Both the FTC and the DOJ have been active in enforcement against the creators and distributors of spyware using the statutes at their disposal.
[49] Remarks of Deborah Platt Majoras, Chairman, Federal Trade Commission, Anti-Spyware Coalition Public Workshop, Feb. 9, 2006, http://www.ftc.gov/speeches/majoras/060209cdtspyware.pdf.
[50] Remarks of Ari Schwartz, Deputy Director of the Center for Democracy and Technology, “Consumer Protection Issues,” before the Financial Services and General Government Subcommittee of the House Committee on Appropriations, February 28, 2007, http://www.cdt.org/privacy/20070228schwartzftc.pdf.
IV. SPYWARE: EXISTING STATE STATUTES
Starting in 2004, state legislatures began passing a variety of different kinds of anti-spyware legislation. Depending on how broadly “spyware” is defined, as many as 16 states now have laws that in some way address the problem. [51] For the most part, these statutes approach the definition of “spyware” similarly. Rather than define spyware by what it is (i.e., a program placed on a protected computer without the computer owner’s knowledge), the statutes define spyware by what it does (i.e., a program that initiates any of a specific set of prohibited activities). [52] This section provides an overview of those state laws and some of their significant features.
In 2004, California became one of the first states to pass a law specifically related to spyware. [53] Since that time a number of states have passed laws that, with only minor variations, resemble California’s prohibition. Those states include Arizona, Arkansas, Georgia, Indiana, Iowa, Louisiana, New Hampshire, Rhode Island, Texas and Washington. In addition, a number of other states are currently considering bills that are modeled after the California spyware statute.
The California law and the many laws that have followed the California model focus on protecting consumers from spyware. They generally prohibit a person from causing computer software to be copied onto a computer without permission from or knowledge by an authorized user, if that software performs certain functions, including: (1) modifying certain settings, such as the browser’s home page, default search provider or bookmarks; (2) collecting personally identifying information, including information about websites the computer user visits, the user’s financial account numbers, passwords and the like; (3) preventing reasonable efforts to block the installation of software; (4) misrepresenting that software will be uninstalled or disabled by the computer user’s actions; (5) removing or disabling security, anti-spyware or anti-virus software; or (6) taking control of a consumer’s computer by modifying security settings or causing damage to a computer. [54] In addition to these prohibitions found in most of the state anti-spyware laws, some states have specifically outlawed other actions, such as denial of service attacks. [55]
Because of the way these laws define the prohibited conduct, the state legislatures following the California model have been forced to grapple with the fact that, read broadly, the prohibited conduct could restrict legitimate actions by Internet Service Providers (“ISPs”). Thus, the statutes expressly exclude from their purview certain activities such as interactions with a subscriber’s ISP for network or security purposes, diagnostics, technical support, repair updates and other, similar services. [56]

[51] These include Alaska, Arizona, Arkansas, California, Georgia, Indiana, Iowa, Louisiana, Nevada, New Hampshire, Rhode Island, Tennessee, Texas, Utah, Virginia and Washington.
[52] See L. Elizabeth Bowles, “Survey of State Anti-Spyware Legislation,” The Business Lawyer, Vol. 63, November 2007.
[53] Consumer Protection Against Computer Spyware Act, Cal. Bus. & Prof. Code § 22947.
[54] Cal. Bus. & Prof. Code §§ 22947.2 through 22947.4 (2007).
[55] See, e.g., Arkansas Consumer Protection Against Computer Spyware Act, A.C.A. § 4-111-103(b)(1)(C) (2007).
One of the other issues facing state legislatures is how these laws should be enforced. The California statute is silent as to whether it creates a private right of action. Some states expressly provide for a private right of action. [57] Others only allow for prosecution by state prosecutors or state attorneys general. [58] These prosecutions can be either for civil penalties [59] or criminal. [60] Some state legislatures are also grappling with the issue of how to measure damages in these cases, in some instances allowing for treble damages or attorneys’ fees. [61]
Not all states with anti-spyware legislation have followed the California model. For example, Utah, which passed its law in 2004 (the same year as California), adopted a somewhat different approach. [62] The Utah statute, along with a similar Alaska statute, not only protects consumers from spyware but also expressly protects trademark holders by prohibiting software that makes certain types of unauthorized uses of another’s mark. Unlike the California statute, the Utah law defines spyware to include “software on the computer of a user who resides in the state that collects information about an Internet website at the time the Internet website is being viewed in the state, unless the Internet website is the Internet website of the person who provides the software; and uses the information collected contemporaneously to display a pop-up advertisement on the computer[.]” [63] The Utah law prohibits causing pop-up advertisements to be shown on the computer screen by means of spyware, if the pop-up is displayed in response to a user accessing a specific mark or Internet address that is purchased or acquired by a person other than the mark owner or an authorized user of the mark. The statute also prohibits purchasing advertising that makes use of spyware, if the advertiser receives notice of the violation by the mark owner and fails to end its involvement. [64]
The Utah law has been the subject of interesting litigation. In 2004, an adware vendor
sought a temporary restraining order and a preliminary injunction in Utah state court against the
Utah law as unconstitutional under a principle of Constitutional law known as the “Dormant
Commerce Clause.” 65 The U.S. Constitution reserves to Congress the authority to “regulate
56 See, e.g., Cal. Bus. & Prof. Code § 22947.4(b) (2007).
57 See, e.g., Arizona Computer Spyware Act, A.R.S. § 44-7304 (2007).
58 See, e.g., A.C.A. § 4-111-104 (2007).
59 See, e.g., Georgia Computer Security Act, O.C.G.A. § 16-9-155(b)(1) (2007).
60 See, e.g., Computer Crimes Act, Va. Code Ann. § 18.2-152.3 (2008).
61 See, e.g., Louisiana Computer Spyware Act, La. R.S. 51:2014(C) and (D) (2007).
62 Spyware Control Act, Utah Code Ann. § 13-40-101, et seq. (2007).
63 Id. at § 13-40-102(8)(a) (2007).
64 Id. at § 13-40-201 (2007).
65 WhenU.com Inc. v. Utah, Case No. 040907578 (Utah Dist. Ct. June 22, 2004).
Commerce with foreign Nations, and among the several States, and with the Indian Tribes.” 66
That provision has been construed by courts to include “a further, negative command, known as
the dormant commerce clause,” 67 in areas where Congress has not affirmatively regulated, in
order to “create an area of trade free from interference by the States.” 68
State laws are subject to two levels of scrutiny under this doctrine. Strict scrutiny is
triggered if the state law discriminates on its face or in its effect directly in favor of in-state
commerce to the detriment of out-of-state commerce, and such a law is generally struck down unless the
state demonstrates a legitimate local purpose and an absence of nondiscriminatory alternatives. 69
Conversely, “[w]here the statute regulates even-handedly to effectuate a legitimate local public
interest, and its effects on interstate commerce are only incidental, it will be upheld unless the
burden imposed on such commerce is clearly excessive in relation to the putative local
benefits.” 70
In the spyware challenge, the court granted a preliminary injunction, holding that the
statute was likely unconstitutional. In response to that preliminary decision, the Utah legislature
drafted amendments to the law in an effort to resolve the constitutional issue. To that end, the
Utah and Alaska statutes expressly exclude pop-up advertisements if the software requests
information about the user’s state of residence before displaying the pop-up, implements a
reasonably reliable automated system to determine the geographic location of the user, does not
encourage the user to indicate a residence outside of their states and does not display the pop-up
to users in their respective states. The authors are unaware of any pop-up adware that would
satisfy these statutory prescriptions, and the ability of these amendments to withstand similar
Constitutional scrutiny remains untested.
Finally, other states have sought to address spyware not in a stand-alone spyware-specific
statute, but within the context of larger computer crime laws. For example, Nevada’s computer
crime statute now defines spyware as an unlawful “computer contaminant” which cannot be
introduced into a computer, system or network. 71 Virginia also expanded the definitions in its
existing computer crimes statutes to include activity that could encompass the use of spyware. 72
66 U.S. CONST. art. I, § 8, cl. 3.
67 Oklahoma Tax Comm’n v. Jefferson Lines, 514 U.S. 175, 179 (1995).
68 Boston Stock Exchange v. State Tax Comm’n, 429 U.S. 318, 328 (1977).
69 Brown-Forman Distillers Corp., 476 U.S. 573, 578 (1986); Granholm v. Heald, 544 U.S. 460, 479 (2005).
70 Pike v. Bruce Church, Inc., 397 U.S. 137, 142 (1970).
71 Unlawful Acts Regarding Computers and Information Services, Nev. Rev. Stat. Ann. § 205.473(2)(b) (2007).
72 See, e.g., Computer Crimes Act, Va. Code Ann. § 18.2-152.4 (2008).
V. CONCLUSION
In conclusion, the Subcommittee agrees that the following areas need to be brought to the
attention of the Section for further discussion and analysis:
- Comparison of need and efficacy of statutory prohibitions versus regulation.
- Enforcement vs. private right of action: analysis of the motivations and effectiveness of enforcement by regulatory bodies versus private actions by affected citizens against offenders.
- Analysis of varying remedies available and their effectiveness (injunction, civil damages, criminal penalties, etc.).
- State law issues:
  o perceived need for uniformity through preemptive federal law versus desire to allow states to fashion their own different and more restrictive standards.
- Definition of spyware:
  o is the key element consent?
  o does “spyware” actually have to “spy” (e.g., monitor or report on user activity), or does it include malware, fraudware, browser hijacks and the like?
UPDATE ON CREDIT SECURITY LEGISLATION SINCE 2007 REPORT
Updated by Rebecca Piper
Since last year’s Report, 15 additional states and the District of Columbia enacted some
type of legislation related to credit freezes or other form of credit security. Currently, the District
of Columbia and thirty-nine states have credit freeze laws in place, including Arkansas,
California, Colorado, Connecticut, Delaware, Florida, Hawaii, Illinois, Indiana, Kansas,
Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Montana,
Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina,
North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee,
Texas, Utah, Vermont, Washington, West Virginia, Wisconsin, and Wyoming. In addition, since
November 1, 2007, the security freeze is offered voluntarily by Equifax, Experian, and
TransUnion to consumers living in the eleven states that do not have a security freeze law and to
consumers in the four states whose laws limit the security freeze protection to identity theft
victims only. 73
Several highlights of the new state and District of Columbia credit security laws are
detailed below. In addition to these highlights on the process and cost of placing a security
freeze, most of the state credit freeze laws outline the situations and agencies to which the credit
security freeze law does not apply as well as provide penalties and private rights of action for
violations of the security freeze law.
Arkansas
H.B. 2215 became effective on January 1, 2008 and is titled “Arkansas Consumer Report
Security Freeze Act.” Under this Act, a resident of the state who has been the victim of identity
theft and who has submitted a copy of a valid investigative report, an incident report, or a
complaint with a law enforcement agency about the unlawful use of the victim’s identifying
information by another person may request a security freeze. The consumer may request the
security freeze by sending the written request by certified mail with proper identification and any
applicable fee. Fees for each security freeze, removal of a security freeze, or temporary lifting of
a security freeze may not exceed $10. Consumer reporting agencies may advise a third party that
a security freeze is in effect with respect to a consumer report. A third party may treat an
application for credit or any other use as incomplete if a security freeze is in place and access to
a consumer report is not allowed. The security freeze will remain in place until removal by the
consumer or discovery that the consumer report was frozen due to a material misrepresentation
of the consumer.
District of Columbia
Title 28 of the District of Columbia Official Code was amended by adding the
“Consumer Security Freeze Act of 2006.” The Act became effective July 1, 2007. Under the
Act, a credit reporting agency will put a freeze on a consumer’s credit report no later than three
73 http://www.consumersunion.org/campaigns/learn_more/003484indiv.html
days after receiving a request by certified mail. In addition, by January 1, 2009, the credit
reporting agency will make available the ability to request a security freeze over the Internet and
will accept requests received by either telephone or regular mail. On or before September 1,
2008, the credit reporting agency must be able to allow access to the consumer’s credit report by
a specific party or for a specific period of time within 15 minutes of receiving such request
unless the consumer fails to provide the proper identity, password and identity of designated
third party, or the consumer reporting agency is unable to lift the security freeze because of an
Act of God, unauthorized acts by a third party, operational interruption, governmental action,
regulatory scheduled maintenance, or commercially reasonable maintenance. The Act allows a
credit reporting agency to inform a third party that a security freeze is in place on a consumer’s
credit report and the third party may treat an application as incomplete if the consumer does not
allow access to their credit report. A security freeze is in place until a consumer asks for its
permanent removal in writing. The removal shall occur within 3 days of the credit reporting
agency receiving such removal request. The Act permits the credit reporting agency to charge a
fee of $10 for the initial application and first personal identification number or password unless
the consumer is a victim of identity theft, in which case the agency may only charge for subsequent
instances of loss and reissuance of new identification numbers. After a one-time reissue of the
password, the agency may charge $10 for subsequent instances of loss and reissuance of the
identification number or password.
Indiana
Indiana’s SB 403 is titled “Security Freeze for Consumer Reports” and became effective
on September 1, 2007. Under the Act, by January 1, 2009 consumer reporting agencies must
develop a secure electronic mail connection by which consumers can request a security freeze, a
new personal identification number or password, or a temporary lift of a security freeze. Also by
January 1, 2009, consumer reporting agencies must have a secure process by which the agency
will release a consumer report subject to a security freeze, temporarily lift a security freeze, or
remove a security freeze within 15 minutes of receiving such a request. The Act provides a list
of people, including law enforcement agencies and licensed insurers, to which a consumer report
under a security freeze can be released. Consumer reporting agencies are prohibited from
charging a fee for requests to place a security freeze, release a consumer report to a specified
person, temporarily lift a security freeze, remove a security freeze, or issue a personal
identification number or password associated with the preceding requests.
Maryland
Maryland’s S.B. 52 was approved by the governor on May 8, 2007 and is effective
January 1, 2008. Under the Act, consumers must be able to make a request for a security freeze
by certified mail, by telephone after January 1, 2010, and by secure internet connection, should
the consumer reporting agency choose to make it available. The Act clarifies that it does not
apply to consumer reporting agencies that act only as a reseller of credit information and do not
maintain permanent databases of credit information from which new consumer reports are
produced. After January 1, 2009, requests to temporarily lift a security freeze must occur within
15 minutes if received by telephone, electronic mail, or secure website connection. The Act
acknowledges that third parties may treat an application as incomplete if a party requests access
to a consumer’s consumer report and a freeze is in place. Fees of up to $5 may only be charged
for each placement, temporary lift, or removal of a security freeze and fees may not be applied to
those consumers that have obtained a report of alleged identity fraud.
Massachusetts
H.B. 4144, H.B. 4018, and S.B. 2236 were consolidated to create an Act relative to
security freezes and notification of data breaches. The Act became effective on February 3,
2008. Under the Act a consumer may request a security freeze by regular, overnight, or certified
mail. Consumer reporting agencies must comply with a request to lift a freeze for a particular
party or for a certain period of time within three days of receiving the request. The Act allows a
consumer reporting agency to charge a reasonable fee, not to exceed $5, to a consumer that elects
to freeze, lift, or remove a freeze to their consumer report. This fee may not be charged to
victims of identity theft or their spouses provided the victim has submitted a valid police report
related to the identity theft.
Minnesota
In May 2007, Minnesota was the first state to enact legislation that codified certain
requirements from the Payment Card Industry Data Security Standards. 74 The statute prohibits
merchants from retaining “the card security code data, the PIN verification code number, or the
full contents of any track of magnetic stripe data, subsequent to the authorization of the
transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of
the transaction.” 75 This limitation on storage of data captured as part of a credit card transaction
adds another tool for consumers in the quest to alleviate the risk of identity theft. Several other
states have introduced similar legislation. 76
Mississippi
S.B. 3034 was signed into law and became effective on July 1, 2007. The security freeze
is available to consumers with a valid copy of a police report that the consumer filed regarding
the unlawful use of their personal information. The request must be by certified mail and must
include proper identification. A consumer reporting agency may charge a reasonable fee, not to
exceed $10, to place a security freeze on a file. A consumer may request by telephone or mail to
have a security freeze removed or temporarily lifted for a properly designated period or a
properly identified requester, which will occur within three business days after the request. Fees
may not be charged for the removal or temporary lift of a security freeze. A consumer reporting
agency shall honor a security freeze placed by another consumer reporting agency.
74 “Minnesota Gives PCI Rules a Legal Standard” (May 28, 2007)
(http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=standards_and_legal_issues&articleId=293804&taxonomyId=146)
75 Minn. Stat. § 325E.64 (2007).
76 Thomas J. Smedinghoff, It's All About Trust: The Expanding Scope Of Security Obligations In
Global Privacy And E-Transactions Law, 16 Mich. St. J. Int'l L. 1 (2007).
Montana
S.B. 116 became effective law in Montana on July 1, 2007. A consumer may place a
security freeze on their consumer report by requesting such a freeze in writing by regular or
certified mail. A consumer reporting agency will place the freeze within 5 business days of
receiving such request unless the consumer making the request is a victim of identity theft in
which case the freeze will be placed within 24 hours of receiving the request. A consumer
reporting agency may not imply to a third party that the placing of a freeze reflects negatively on
a consumer’s credit score or history. A consumer may request a temporary lift in a security
freeze by regular or certified mail, telephone, or secure electronic connection. By January 1,
2009, the consumer reporting agency must honor a request for a temporary lift of a security
freeze within 15 minutes of receiving such request. A reasonable fee, not to exceed $3, may be
charged to a consumer that is not the victim of identity theft for the placing or temporary
removal of a security freeze. A reasonable fee of up to $5 may be charged for the reissue of a
consumer identification number or password.
Nebraska
L.B. 674 was approved by the Governor on May 24, 2007 and the Credit Report
Protection Act became effective law on September 1, 2007. Under the Act a consumer may
request a security freeze by certified mail. A consumer reporting agency must develop
procedures involving the telephone, the Internet, or other electronic media to receive and process
a request for a temporary lift of a security freeze in an expedited manner. By January 1, 2009,
the temporary lift must occur within 15 minutes of receiving the request. The consumer
reporting agency may charge a fee of $15 for placing a security freeze unless the consumer
requesting the freeze is a minor or a victim of identity theft and provides a copy of an official
police report documenting the theft.
New Mexico
The Credit Report Security Act became effective law on July 1, 2007. A consumer may
make a request for a security freeze by certified or regular mail, or by telephone or secure
electronic means, if such methods are made available by the consumer reporting agency. By
September 1, 2008, a consumer will be able to request a temporary lift to a security freeze by
telephone or secure electronic method in addition to certified or regular mail. Also by September
1, 2008, the temporary lift in the security freeze must occur within 15 minutes of the request
rather than the current three business days. The consumer reporting agency may charge a fee of
no more than $10 for the placement of a security freeze, and no more than $5 for the release of a
credit report or the removal of a security freeze. Fees shall not be charged to victims of identity
theft or consumers sixty-five years of age or older.
North Dakota
H.B. 1417 became effective law in North Dakota on July 1, 2007. Under the Act, a
consumer may request a security freeze by mail, telephone, or secure electronic mail connection,
if the consumer reporting agency has made such electronic method available. As of August 1,
2009, the consumer reporting agency must place the security freeze within 24 hours, rather than
the standard three days, from receiving the request of a victim of identity theft. The consumer
reporting agency will temporarily lift a security freeze within three business days of receiving the
request. The Act outlined a goal of processing a request for a temporary lift within 15 minutes of
receiving such request. The consumer reporting agency may work to meet this goal by
developing procedures to receive requests by telephone, fax, internet, or other electronic media.
The consumer reporting agency may charge a fee of up to $5 for placing or temporarily lifting a
security freeze unless the consumer is a victim of identity theft and provides a valid copy of a
police report. Other than for the first reissue of a consumer password or identification number, a
consumer may also be charged a $5 fee for subsequent reissues of such password or
identification number.
Oregon
S.B. 583, known as the Oregon Consumer Identity Theft Protection Act, became effective
law in Oregon on October 1, 2007. Under the Act, a consumer may request a freeze by mail or
by secure electronic request at a website, should the consumer reporting agency make such a
method available. A consumer reporting agency shall temporarily lift a security freeze within
three business days of receiving such a request from a consumer. A permanent removal of a
security freeze shall also occur within three days of receiving such a request. The Act requires a
report provided by the Director of the Department of Consumer and Business Services by
December 31, 2008 on the minimum amount of time necessary, given current technology, to
place, temporarily lift, or remove a security freeze. Other than to victims of identity theft, a fee
of up to $10 may be charged to consumers for each freeze, temporary lift of a freeze, removal of
a freeze, or replacing of lost personal identification number or password.
Tennessee
P.L. 1700, known as The Credit Security Act of 2007, became effective on January 1,
2008. A consumer may make a request for a security freeze by certified mail and after January
31, 2009, that request may also be made by an electronic method. Consumers may request a
temporary lift of a security freeze, and consumer reporting agencies must develop procedures to
allow this request by telephone, the Internet, or other electronic method. The temporary lift must
occur within 15 minutes of the request. Consumer reporting agencies may charge $7.50 for the
placement of a security freeze and $5 for the removal of a security freeze or the replacement of a
personal identification number or password but may not charge for the temporary lifting of a
security freeze. Victims of identity theft with a police report or other document detailing the
theft may not be charged a fee.
West Virginia
S.B. 428 was passed on March 10, 2007 and became effective on July 2, 2007. Under the
Act, a consumer may request a security freeze by certified or overnight mail. By January 31,
2009, consumer reporting agencies must allow requests by a secure electronic method. If a
consumer requests a temporary lift to the security freeze, the consumer reporting agency must lift
the freeze within three days of receiving that request. By September 1, 2008, that temporary lift
shall occur within 15 minutes of receiving such request. The consumer may be charged a fee of
up to $5 for the placement, removal, or temporary removal of a security freeze unless the
consumer is a victim of identity theft and has a copy of a valid police report. A $5 fee may also
be charged for reissue of a personal identification number or password.
Wyoming
Wyoming’s security freeze law became effective on July 1, 2007. Under the Act, a
consumer may request a security freeze on his consumer report by certified mail. A consumer
may request a temporary lift in a security freeze by either mail, an electronic method chosen by
the agency, or telephone. After September 1, 2008, the consumer reporting agency will
temporarily lift a security freeze within 15 minutes of receiving such request by electronic
method or telephone, otherwise they will temporarily lift the security freeze within three business
days of receiving such request. Except for victims of identity theft that have a valid copy of a
police report, the consumer reporting agency may charge a fee of up to $10 for each placement,
temporary lift, or removal of a security freeze.
Committee members approving report (31):
Mary Ann C. Ball
David Alan Bateman
Lee Berger
Yar R. Chaikovsky
Stephen Chow
Vincent Cogan
Jeffrey T. Cox
Jeff C. Dodd
Kenneth Kyle Dort
Steven Michael Emmert
Eric Neil Everett
R. Mark Field
Jennifer Fisher
Renard C. Francois
Christina Frangiosa
Terrance Joseph Frolich
Jason E. Goldberg
David A. Johnson
Melissa L. Klipp
Kenneth Albert Kopf
Louis J. Levy
Randy Lowell
Elizabeth Stacy McClure
Vicki Menard
Jennifer Miller
Michael A. Parks
Woodrow Pollack
J. Mark Smith
Michael T. Stewart
Mohammad A. Syed
Peter S. Trotter
Committee members disapproving report: None
Committee members not responding (16):
Patrick Alberts
Mark E. Ashton
Guillermo Aviles-Mendoza
Richard Anthony Brunner
Don Lloyd Cook II
Ronald S. Courtney
Behnam Dayanim
Robert Emond
Jonathan I Ezor
Dorothy L. Foley
Michael Hagemann
Steven Mancinelli
Joanne Nelson
Robert H. Newman
Seth M. Reiss
Alan N. Walter
Law Student Members:
Kristen Aiken
Matthew Asbell
David E. Blau
Kiva Bostwick
Michael Buhrley
Aubin Chang
Yi-Hung Chung
Douglas Clough
Wendy Happ
Elizabeth Jean-Pierre
Michael Landres
Jason Luros
Brian Perrault
Amy Petri
Brian Pyne
Craig Sorensen
Kurth Stecher
Dondi West
Pamela Young