95TH GENERAL ASSEMBLY
State of Illinois
2007 and 2008
SB1495

 

Introduced 2/9/2007, by Sen. Dale A. Righter - Dan Cronin

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Consumer Protection Against Computer Spyware Act. Sets forth provisions for unauthorized collection or culling of personally identifiable information, unauthorized access to or modifications of computer settings and computer damage, unauthorized interference with installation or disabling computer software, and other prohibited conduct. Provides that certain persons may bring a civil action against a violator of the Act. Provides a civil penalty for violations of the Act. Permits the Attorney General to obtain a restraining order or injunction for violations of the Act.


LRB095 09617 KBJ 29817 b

FISCAL NOTE ACT MAY APPLY

 

 

A BILL FOR

 

SB1495 LRB095 09617 KBJ 29817 b

1     AN ACT concerning business.
 
2     Be it enacted by the People of the State of Illinois,
3 represented in the General Assembly:
 
4     Section 1. Short title. This Act may be cited as the
5 Consumer Protection Against Computer Spyware Act.
 
6     Section 5. Definitions. In this Act:
7     "Advertisement" means a communication that includes the
8 promotion of a commercial product or service, including
9 communication on an Internet website operated for a commercial
10 purpose.
11     "Cause computer software to be copied" means to distribute
12 or transfer computer software or a component of computer
13 software. The term does not include:
14         (1) the transmission or routing of computer software or
15     a component of the software;
16         (2) the provision of intermediate temporary storage or
17     caching of software;
18         (3) the provision of a storage medium, such as a
19     compact disk;
20         (4) a website;
21         (5) the distribution of computer software by a third
22     party through a computer server; or
23         (6) the provision of an information location tool, such

 

 

SB1495 - 2 - LRB095 09617 KBJ 29817 b

1     as a directory, index, reference, pointer, or hypertext
2     link, through which the user of a computer is able to
3     locate computer software.
4     "Computer software" means a sequence of instructions
5 written in a programming language that is executed on a
6 computer. The term does not include:
7         (1) a web page; or
8         (2) a data component of a web page that cannot be
9     executed independently of that page.
10     "Damage" means, with respect to a computer, significant
11 impairment to the integrity or availability of data, computer
12 software, a system, or information.
13     "Execute" means, with respect to computer software, to
14 perform a function or carry out instructions.
15     "Keystroke-logging function" means a function of a
16 computer software program that records all keystrokes made by a
17 person using a computer and transfers that information from the
18 computer to another person.
19     "Owner or operator of a computer" means the owner or lessee
20 of a computer or an individual using a computer with the
21 authorization of the owner or lessee of the computer. "Owner or
22 operator of a computer" does not include the person who owned
23 the computer before the date on which the computer was sold if
24 a computer was sold at retail.
25     "Person" means any individual, partnership, corporation,
26 limited liability company, or other organization or a

 

 

SB1495 - 3 - LRB095 09617 KBJ 29817 b

1 combination of those organizations.
2     "Personally identifiable information", with respect to an
3 individual who is the owner or operator of a computer, means:
4         (1) the first name or first initial in combination with
5     the last name;
6         (2) a home or other physical address, including street
7     name;
8         (3) an electronic mail address;
9         (4) a credit or debit card number;
10         (5) a bank account number;
11         (6) a password or access code associated with a credit
12     or debit card or bank account;
13         (7) a social security number, tax identification
14     number, driver's license number, passport number, or other
15     government-issued identification number; or
16         (8) any of the following information if the information
17     alone or in combination with other information personally
18     identifies the individual:
19             (A) account balances;
20             (B) overdraft history; or
21             (C) payment history.
 
22     Section 10. Applicability of Act.
23     (a) Section 20, other than subdivision (1) of that Section,
24 and Sections 25 and 35 do not apply to a telecommunications
25 carrier, cable operator, computer hardware or software

 

 

SB1495 - 4 - LRB095 09617 KBJ 29817 b

1 provider, or provider of information service or interactive
2 computer service that monitors or has interaction with a
3 subscriber's Internet or other network connection or service or
4 a protected computer for the following:
5         (1) network or computer security purposes;
6         (2) diagnostics, technical support, or repair
7     purposes;
8         (3) authorized updates of computer software or system
9     firmware;
10         (4) authorized remote system management; or
11         (5) detection or prevention of unauthorized use of or
12     fraudulent or other illegal activities in connection with a
13     network, service, or computer software, including scanning
14     for and removing software proscribed under this Act.
15     (b) This Act does not apply to the following:
16         (1) the use of a navigation device, any interaction
17     with a navigation device, or the installation or use of
18     computer software on a navigation device by a multichannel
19     video programming distributor or video programmer in
20     connection with the provision of multichannel video
21     programming or other services offered over a multichannel
22     video programming system if the provision of the
23     programming or other service is subject to 47 U.S.C.
24     Section 338(i) or 551; or
25         (2) the collection or disclosure of subscriber
26     information by a multichannel video programming

 

 

SB1495 - 5 - LRB095 09617 KBJ 29817 b

1     distributor or video programmer in connection with the
2     provision of multichannel video programming or other
3     services offered over a multichannel video programming
4     system if the collection or disclosure of the information
5     is subject to 47 U.S.C. Section 338(i) or 551.
6     (c) In this Section, "multichannel video programming
7 distributor" has the meaning assigned by 47 U.S.C. Section
8 522(13).
9     (d) A manufacturer or retailer of computer equipment shall
10 not be liable under this Act to the extent that the
11 manufacturer or retailer is providing third-party branded
12 software loaded on the equipment they are manufacturing or
13 selling.
 
14     Section 15. Unauthorized collection or culling of
15 personally identifiable information. If a person is not the
16 owner or operator of the computer, the person may not knowingly
17 cause computer software to be copied to a computer in this
18 State and use the software to do any of the following:
19         (1) collect, through intentionally deceptive means:
20             (A) personally identifiable information by using a
21         keystroke-logging function; or
22             (B) personally identifiable information in a
23         manner that correlates that information with
24         information regarding all or substantially all of the
25         websites visited by the owner or operator of the

 

 

SB1495 - 6 - LRB095 09617 KBJ 29817 b

1         computer, other than websites operated by the person
2         collecting the information; or
3         (2) gather, through intentionally deceptive means, the
4     following kinds of personally identifiable information
5     from the consumer's computer hard drive for a purpose
6     wholly unrelated to any of the purposes of the software or
7     service described to an owner or operator of the computer:
8             (A) a credit or debit card number;
9             (B) a bank account number;
10             (C) a password or access code associated with a
11         credit or debit card number or a bank account;
12             (D) a social security number;
13             (E) account balances; or
14             (F) overdraft history.
 
15     Section 20. Unauthorized access to or modifications of
16 computer settings; computer damage. If a person is not the
17 owner or operator of the computer, the person may not knowingly
18 cause computer software to be copied to a computer in this
19 State and use the software to do any of the following:
20         (1) Modify, through intentionally deceptive means, a
21     setting that controls:
22             (A) the page that appears when an Internet browser
23         or a similar software program is launched to access and
24         navigate the Internet;
25             (B) the default provider or web proxy used to

 

 

SB1495 - 7 - LRB095 09617 KBJ 29817 b

1         access or search the Internet; or
2             (C) a list of bookmarks used to access web pages.
3         (2) Take control of the computer by:
4             (A) accessing or using the computer's modem or
5         Internet service to:
6                 (i) cause damage to the computer;
7                 (ii) cause the owner or operator of the
8             computer to incur financial charges for a service
9             not previously authorized by the owner or
10             operator; or
11                 (iii) cause a third party affected by the
12             conduct to incur financial charges for a service
13             not previously authorized by the third party; or
14             (B) opening, without the consent of the owner or
15         operator of the computer, an advertisement that:
16                 (i) is in the owner's or operator's Internet
17             browser in a multiple, sequential, or stand-alone
18             form; and
19                 (ii) cannot be closed by an ordinarily
20             reasonable person using the computer without
21             closing the browser or shutting down the computer.
22         (3) Modify settings on the computer that relate to
23     access to or use of the Internet and protection of
24     information for purposes of stealing personally
25     identifiable information of the owner or operator of the
26     computer.

 

 

SB1495 - 8 - LRB095 09617 KBJ 29817 b

1         (4) Modify security settings on the computer relating
2     to access to or use of the Internet for purposes of causing
3     damage to one or more computers.
 
4     Section 25. Unauthorized interference with installation or
5 disabling of computer software. If a person is not the owner or
6 operator of the computer, the person may not knowingly cause
7 computer software to be copied to a computer in this State and
8 use the software to do any of the following:
9         (1) Prevent, through intentionally deceptive means,
10     reasonable efforts of the owner or operator of the computer
11     to block the installation or execution of or to disable
12     computer software by causing computer software that the
13     owner or operator has properly removed or disabled to
14     automatically reinstall or reactivate on the computer.
15         (2) Intentionally misrepresent to another that
16     computer software will be uninstalled or disabled by the
17     actions of the owner or operator of the computer.
18         (3) Remove, disable, or render inoperative, through
19     intentionally deceptive means, security, antispyware, or
20     antivirus computer software installed on the computer.
21         (4) Prevent the owner's or operator's reasonable
22     efforts to block the installation of or to disable computer
23     software by:
24             (A) presenting the owner or operator with an option
25         to decline the installation of software knowing that,

 

 

SB1495 - 9 - LRB095 09617 KBJ 29817 b

1         when the option is selected, the installation process
2         will continue to proceed; or
3             (B) misrepresenting that software has been
4         disabled.
5         (5) Change the name, location, or other designation of
6     computer software to prevent the owner from locating and
7     removing the software.
8         (6) Create randomized or intentionally deceptive file
9     names or random or intentionally deceptive directory
10     folders, formats, or registry entries to avoid detection
11     and prevent the owner from removing computer software.
 
12     Section 30. Knowing violation. A person knowingly violates
13 Section 15, 20, or 25 if the person does either of the
14 following:
15         (1) acts with actual knowledge of the facts that
16     constitute the violation; or
17         (2) consciously avoids information that would
18     establish actual knowledge of those facts.
 
19     Section 35. Other prohibited conduct. If a person is not
20 the owner or operator of the computer, the person may not do
21 any of the following:
22         (1) induce the owner or operator of a computer in this
23     State to install a computer software component to the
24     computer by intentionally misrepresenting the extent to

 

 

SB1495 - 10 - LRB095 09617 KBJ 29817 b

1     which the installation is necessary for security or privacy
2     reasons, to open or view text, or to play a particular type
3     of musical or other content; or
4         (2) copy and execute or cause the copying and execution
5     of a computer software component to a computer in this
6     State in a deceptive manner with the intent of causing the
7     owner or operator of the computer to use the component in a
8     manner that violates this Act.
 
9     Section 40. Deceptive act or omission. For purposes of this
10 Act, a person is considered to have acted through intentionally
11 deceptive means if the person, with the intent to deceive an
12 owner or operator of a computer does any of the following:
13         (1) intentionally makes a materially false or
14     fraudulent statement;
15         (2) intentionally makes a statement or uses a
16     description that omits or misrepresents material
17     information; or
18         (3) intentionally and materially fails to provide to
19     the owner or operator any notice regarding the installation
20     or execution of computer software.
 
21     Section 45. Civil remedy.
22     (a) The following persons, if adversely affected by the
23 violation, may bring a civil action against a person who
24 violates this Act:

 

 

SB1495 - 11 - LRB095 09617 KBJ 29817 b

1         (1) a provider of computer hardware or software;
2         (2) an owner of a web page or trademark;
3         (3) a telecommunications carrier;
4         (4) a cable operator; or
5         (5) an Internet service provider.
6     (b) In addition to any other remedy provided by law and
7 except as provided by subsection (g) of this Section, a person
8 bringing an action under this Section may:
9         (1) seek injunctive relief to restrain the violator
10     from continuing the violation;
11         (2) recover damages in an amount equal to the greater
12     of:
13             (A) actual damages arising from the violation; or
14             (B) $100,000 for each violation of the same nature;
15         or
16         (3) both seek injunctive relief and recover damages as
17     provided by this subsection (b).
18     (c) The circuit court may increase an award of actual
19 damages in an action brought under subsection (b) to an amount
20 not to exceed 3 times the actual damages sustained if the court
21 finds that the violations have occurred with a frequency as to
22 constitute a pattern or practice.
23     (d) A plaintiff who prevails in an action filed under
24 subsection (b) is entitled to recover reasonable attorney's
25 fees and court costs.
26     (e) Each separate violation of this Act is an actionable

 

 

SB1495 - 12 - LRB095 09617 KBJ 29817 b

1 violation.
2     (f) For purposes of subsection (b), violations are of the
3 same nature if the violations consist of the same course of
4 conduct or action, regardless of the number of times the
5 conduct or act occurred.
6     (g) In the case of a violation of Section 20 that causes a
7 telecommunications carrier or cable operator to incur costs for
8 the origination, transportation, or termination of a call
9 triggered using the modem of a customer of the
10 telecommunications carrier or cable operator as a result of the
11 violation and in addition to any other remedy provided by law,
12 a telecommunications carrier or cable operator bringing an
13 action under this Section may:
14         (1) apply to a court for an order to enjoin the
15     violation;
16         (2) recover the charges the telecommunications carrier
17     or cable operator is obligated to pay to a
18     telecommunications carrier, a cable operator, an other
19     provider of transmission capability, or an information
20     service provider as a result of the violation, including
21     charges for the origination, transportation, or
22     termination of the call;
23         (3) recover the costs of handling customer inquiries or
24     complaints with respect to amounts billed for calls as a
25     result of the violation;
26         (4) recover other costs, including court costs, and

 

 

SB1495 - 13 - LRB095 09617 KBJ 29817 b

1     reasonable attorney's fees; or
2         (5) both apply for injunctive relief and recover
3     charges and other costs as provided by this subsection (g).
 
4     Section 50. Civil penalty; injunction.
5     (a) A person who violates this Act is liable to the State
6 for a civil penalty in an amount not to exceed $100,000 for
7 each violation. The Attorney General may bring suit to recover
8 the civil penalty imposed by this subsection (a).
9     (b) If it appears to the Attorney General that a person is
10 engaging in, has engaged in, or is about to engage in conduct
11 that violates this Act, the Attorney General may bring an
12 action in the name of this State against the person to restrain
13 the violation by a temporary restraining order or a permanent
14 or temporary injunction.
15     (c) The Attorney General is entitled to recover reasonable
16 expenses incurred in obtaining injunctive relief, civil
17 penalties, or both under this Section, including reasonable
18 attorney's fees and court costs.