House File 465 - Introduced

HOUSE FILE
BY RANTS

Passed House, Date          Passed Senate, Date
Vote: Ayes    Nays          Vote: Ayes    Nays
Approved

A BILL FOR

An Act relating to the transmission, installation, and use of computer software through deceptive or unauthorized means.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 2193YH 81
kk/cf/24

Section 1. NEW SECTION. 714F.1 LEGISLATIVE INTENT.

It is the intent of the general assembly to protect owners and operators of computers in this state from the use of spyware and malware that is deceptively or surreptitiously installed on the owner's or the operator's computer.

Sec. 2. NEW SECTION. 714F.2 TITLE.

This chapter shall be known and may be cited as the "Computer Spyware Protection Act".

Sec. 3. NEW SECTION. 714F.3 DEFINITIONS.

For purposes of this chapter, unless the context otherwise requires:

1. "Advertisement" means a communication, the primary purpose of which is the commercial promotion of a commercial product or service, including content on an internet website operated for a commercial purpose.

2. "Computer software" means a sequence of instructions written in any programming language that is executed on a computer. "Computer software" does not include computer software that is a web page or data components of a web page that are not executable independently of the web page.

3. "Damage" means any significant impairment to the integrity or availability of data, software, a system, or information.

4. "Execute", when used with respect to computer software, means the performance of the functions or the carrying out of the instructions of the computer software.

5. "Intentionally deceptive" means any of the following:
   a. An intentionally and materially false or fraudulent statement.
   b. A statement or description that intentionally omits or misrepresents material information in order to deceive an owner or operator of a computer.
   c. An intentional and material failure to provide a notice to an owner or operator regarding the installation or execution of computer software for the purpose of deceiving the owner or operator.

6. "Internet" means the same as defined in section 4.1.

7. "Owner or operator" means the owner or lessee of a computer, or a person using such computer with the owner or lessee's authorization, but does not include a person who owned a computer prior to the first retail sale of the computer.

8. "Person" means the same as defined in section 4.1.

9. "Personally identifiable information" means any of the following information with respect to the owner or operator of a computer:
   a. The first name or first initial in combination with the last name.
   b. A home or other physical address including street name.
   c. An electronic mail address.
   d. Credit or debit card number, bank account number, or any password or access code associated with a credit or debit card or bank account.
   e. Social security number, tax identification number, driver's license number, passport number, or any other government-issued identification number.
   f. Account balance, overdraft history, or payment history that personally identifies an owner or operator of a computer.

10. "Transmit" means to transfer, send, or make available computer software using the internet or any other medium, including local area networks of computers other than a wireless transmission, and a disc or other data storage device. "Transmit" does not include an action by a person providing any of the following:
   a. An internet connection, telephone connection, or other means of transmission capability such as a compact disc or digital video disc through which the computer software was made available.
   b. The storage or hosting of the computer software program or an internet web page through which the software was made available.
   c. An information location tool, such as a directory, index, reference, pointer, or hypertext link, through which the user of the computer located the computer software, unless the person transmitting receives a direct economic benefit from the execution of such software on the computer.

Sec. 4. NEW SECTION. 714F.4 PROHIBITIONS - TRANSMISSION AND USE OF SOFTWARE.

It is unlawful for a person who is not an owner or operator of a computer to transmit computer software to such computer knowingly or with conscious avoidance of actual knowledge, and to use such software to do any of the following:

1. Modify, through intentionally deceptive means, settings of a computer that control any of the following:
   a. The web page that appears when an owner or operator launches an internet browser or similar computer software used to access and navigate the internet.
   b. The default provider or web proxy that an owner or operator uses to access or search the internet.
   c. An owner's or an operator's list of bookmarks used to access web pages.

2. Collect, through intentionally deceptive means, personally identifiable information through any of the following means:
   a. The use of a keystroke-logging function that records keystrokes made by an owner or operator of a computer and transfers that information from the computer to another person.
   b. In a manner that correlates personally identifiable information with data respecting all or substantially all of the websites visited by an owner or operator, other than websites operated by the person collecting such information.
   c. By extracting from the hard drive of an owner's or an operator's computer, an owner's or an operator's social security number, tax identification number, driver's license number, passport number, any other government-issued identification number, account balances, or overdraft history.

3. Prevent, through intentionally deceptive means, an owner's or an operator's reasonable efforts to block the installation of, or to disable, computer software by causing computer software that the owner or operator has properly removed or disabled to automatically reinstall or reactivate on the computer.

4. Intentionally misrepresent that computer software will be uninstalled or disabled by an owner's or an operator's action.

5. Through intentionally deceptive means, remove, disable, or render inoperative security, antispyware, or antivirus computer software installed on an owner's or an operator's computer.

6. Take control of an owner's or an operator's computer by doing any of the following:
   a. Accessing or using a modem or internet service for the purpose of causing damage to an owner's or an operator's computer or causing an owner or operator to incur financial charges for a service that the owner or operator did not authorize.
   b. Opening multiple, sequential, stand-alone advertisements in an owner's or an operator's internet browser without the authorization of an owner or operator and which a reasonable computer user could not close without turning off the computer or closing the internet browser.

7. Modify any of the following settings related to an owner's or an operator's computer access to, or use of, the internet:
   a. Settings that protect information about an owner or operator for the purpose of taking personally identifiable information of the owner or operator.
   b. Security settings for the purpose of causing damage to a computer.

8. Prevent an owner's or an operator's reasonable efforts to block the installation of, or to disable, computer software by doing any of the following:
   a. Presenting the owner or operator with an option to decline installation of computer software with knowledge that, when the option is selected by the authorized user, the installation nevertheless proceeds.
   b. Falsely representing that computer software has been disabled.

Sec. 5. NEW SECTION. 714F.5 OTHER PROHIBITIONS.

It is unlawful for a person who is not an owner or operator of a computer to do any of the following with regard to the computer:

1. Induce an owner or operator to install a computer software component onto the owner's or the operator's computer by intentionally misrepresenting that installing computer software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content.

2. Using intentionally deceptive means to cause the execution of a computer software component with the intent of causing an owner or operator to use such component in a manner that violates any other provision of this chapter.

Sec. 6. NEW SECTION. 714F.6 EXCEPTIONS.

Sections 714F.4 and 714F.5 shall not apply to the monitoring of, or interaction with, an owner's or an operator's internet or other network connection, service, or computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, maintenance, repair, authorized updates of computer software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this chapter.

Sec. 7. NEW SECTION. 714F.7 REMEDIES.

1. The attorney general may bring a civil action against a person who violates any provision of this chapter to recover actual damages, liquidated damages of at least one thousand dollars, not to exceed one million dollars, for each violation, attorney fees, and costs.

2. The court may increase a damage award to an amount equal to not more than three times the amount otherwise recoverable under subsection 1 if the court determines that the defendant committed the violation willfully and knowingly.

3. The court may reduce liquidated damages recoverable under subsection 1, to a minimum of one hundred dollars, not to exceed one hundred thousand dollars for each violation if the court finds that the defendant established and implemented practices and procedures reasonably designed to prevent a violation of this chapter.

EXPLANATION

This bill, in new Code chapter 714F, prohibits actions related to the transmission, installation, and use of computer software. The bill prohibits a person, other than the owner or operator of a computer acting with actual knowledge or conscious avoidance of actual knowledge, from transmitting computer software onto the computer and using the software to modify certain settings relating to the computer's access to or use of the internet, collect personally identifiable information through certain intentionally deceptive means, prevent an owner's or an operator's reasonable efforts to block the installation of or disable software through intentionally deceptive means, intentionally misrepresent that computer software will be uninstalled or disabled by an owner's or an operator's action, or through intentionally deceptive means remove, disable, or render inoperative security, antispyware, or antivirus software installed on a computer.

The bill prohibits a person who is not an owner or operator from taking control of an owner's or an operator's computer for the purpose of causing damage to the computer or causing the owner or operator to incur financial charges for unauthorized services, opening certain advertisements in an owner's or an operator's internet browser, modifying a computer's settings related to an owner's or an operator's computer access to the internet, and preventing an owner or operator from blocking or disabling software by installing software despite the owner or operator declining the installation, and falsely representing that computer software has been disabled.

The bill prohibits a person who is not an owner or operator from inducing an owner or operator to install a software component by intentionally misrepresenting that the installation is necessary for security or privacy or in order to open, view, or play a particular type of content. The bill prohibits a person who is not an owner or operator from using intentionally deceptive means to cause the execution of computer software components with the intent of causing an owner or operator to use the components in a way that violates any provision of new Code chapter 714F.

The monitoring or interaction with an internet or network connection by a telecommunications carrier or provider of certain computer services, or a provider of interactive computer service for security and other technical support are not subject to the prohibitions of Code chapter 714F.

The bill provides that the attorney general may bring a civil action against any person who violates any provision of new Code chapter 714F and may seek actual damages, liquidated damages in an amount not less than $1,000 but not more than $1 million, attorney fees, and costs. A court may increase an award of damages to three times the amount if the defendant acted willfully and knowingly. A court may reduce the amount of liquidated damages recoverable if the defendant established and implemented practices and procedures reasonably designed to prevent a violation of Code chapter 714F.

LSB 2193YH 81
kk:nh/cf/24