Title: An act relating to spyware.

Brief Description: Modifying provisions regulating spyware.

Sponsors: Senators Weinstein, Delvin, Honeyford, Benton and Kline; by request of Attorney General.

Brief History:

Committee Activity: Consumer Protection & Housing: 1/29/08, 2/5/08 [DPS].

SENATE COMMITTEE ON CONSUMER PROTECTION & HOUSING

Majority Report: That Substitute Senate Bill No. 6499 be substituted therefor, and the substitute bill do pass.Signed by Senators Weinstein, Chair; Kauffman, Vice Chair; Honeyford, Ranking Minority Member; Delvin, Haugen, Jacobsen, Kilmer, McCaslin and Tom.

Staff: Alison Mendiola (786-7483)

Background: The term "spyware" generally describes any software that is placed on a user's computer to monitor, collect, and transmit personally identifiable information without the user's knowledge or consent. Spyware programs can be difficult to identify and remove, and can cause problems ranging from advertisements to computer viruses to identity theft. Frequently, spyware is hidden within a larger software package that the consumer purposely installs, but spyware can also be installed by visiting a web site.

In 2005 the Legislature enacted a spyware law, Chapter 19.270 of the RCW. The law generally prohibits the unauthorized installation of computer spyware if installed through intentionally deceptive means.

Several types of computer spyware activities are prohibited, including collecting web browsing histories, taking control of a user's computer to send e-mails or viruses, creating bogus financial charges, opening multiple pop-up advertisements, and modifying security settings.

The Attorney General, a provider of computer software, or an owner of a web site or trademark may bring a civil action to enjoin further violations and recover either actual damages, or $100,000 per violation, whichever is greater. The maximum allowable damage award is $2 million. In addition, a court may increase the damage award up to three times if the defendant has engaged in a pattern and practice of engaging in the prohibited activities. The court may also award costs and reasonable attorneys' fees to the prevailing party.

Summary of Bill (Recommended Substitute): Several computer-related actions, collectively known as "spyware," are added to the computer spyware law.

The following spyware activities are prohibited: disabling the ability of anti-spyware or anti-virus software to update automatically, if the disabling is done through intentionally deceptive means; using the owner or operator's computer as part of an activity performed by a group of computers for the purpose of causing damage to another computer or person; transmitting or relaying commercial email or computer virus from the owner or operator's computer if initiated by a person other than the owner or operator; modifying toolbars or buttons of the owner or operator's internet browser used to access the internet, if the disabling is done through deceptive means; and inducing an owner to install software by displaying a pop-up, web page, or other message whose source is misrepresented.

These prohibitions also apply to those persons who know or consciously avoid knowing that their services are being used to procure or transmit spyware.  

These prohibitions do not apply to any monitoring of a subscriber's internet service by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service for network or computer security purposes. However, while specific activities may be exempt, the exemption is not intended to create a defense to liability or an affirmative grant to engage in the prohibited activity.

The following computer spyware provisions are modified to prohibit "deceptive" actions rather than "intentionally deceptive" actions: modifying settings for opening web pages, search engines, bookmarks, and toolbars; misrepresenting that software will be uninstalled or disabled by an owner or operator's actions; and misrepresenting that software is necessary for security, maintenance, repair or privacy reasons."deceptive" is defined as: (1) a materially false or fraudulent statement; or (2) a statement or description that omits or misrepresents material information in order to deceive an owner or operator.

Some provisions of the existing computer spyware law relating to: (1) keystroke logging; and (2) preventing an owner from disabling or blocking the installation of software, are removed.

A provider of computer software or owner of a web site or trademark only may bring a civil action if the action arises directly out of the person's status as a provider or owner. The computer spyware statute is reorganized.

EFFECT OF CHANGES MADE BY CONSUMER PROTECTION & HOUSING COMMITTEE (Recommended Substitute): Certain enumerated activities by a telecommunications carrier, or similar business, for specific purposes is neither a defense to liability nor an affirmative grant of authority to engage in specific activities, unless otherwise authorized to do so.

Appropriation: None.

Fiscal Note: Available.

Committee/Commission/Task Force Created: No.

Effective Date: Ninety days after adjournment of session in which bill is passed.

Staff Summary of Public Testimony on Original Bill: PRO: The spyware legislation that passed in 2005 has had a deterrent effect, yet some changes could be made, as proposed by this bill, to fix loopholes and lack of enforcement against others. Washington is one of only three states to take any action under spyware laws. Spyware is a real security threat. The office of the Attorney General is supportive of the proposed amendment language. Existing exceptions are too broad and could be deemed as giving broad immunity or affirmative authority.

Persons Testifying: PRO: Paula Selis, Washington State Attorney General's Office; Art Butler, Washington Electric and Business Telecommunications Coalition; Kenton Brine, Property Casualty Insurers Association.