BILL REQ. #: H-5326.1
State of Washington | 60th Legislature | 2008 Regular Session
READ FIRST TIME 02/05/08.
AN ACT Relating to spyware; amending RCW 19.270.010, 19.270.020, 19.270.040, 19.270.050, and 19.270.060; and repealing RCW 19.270.030.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
Sec. 1 RCW 19.270.010 and 2005 c 500 s 1 are each amended to read
as follows:
The definitions in this section apply throughout this chapter
unless the context clearly requires otherwise.
(1) "Advertisement" means a communication, the primary purpose of
which is the commercial promotion of a commercial product or service,
including a communication on an internet web site that is operated for
a commercial purpose.
(2) "Computer software" means a sequence of instructions written in
any programming language that is executed on a computer. "Computer
software" does not include computer software that is a web page, or are
data components of web pages that are not executable independently of
the web page.
(3) "Damage" means any significant impairment to the integrity or
availability of data, computer software, a system, or information.
(4) "Deceptive" means: (a) A materially false or fraudulent
statement; or (b) a statement or description that omits or
misrepresents material information in order to deceive an owner or
operator.
(5) "Execute" means the performance of the functions or the
carrying out of the instructions of the computer software.
(((5) "Intentionally deceptive" means any of the following:))
(a) An intentionally and materially false or fraudulent statement;
(b) A statement or description that intentionally omits or
misrepresents material information in order to deceive an owner or
operator; and
(c) An intentional and material failure to provide any notice to an
owner or operator regarding the installation or execution of computer
software in order to deceive the owner or operator.
(6) "Internet" means the global information system that is
logically linked together by a globally unique address space based on
the internet protocol (IP), or its subsequent extensions, and that is
able to support communications using the transmission control
protocol/internet protocol (TCP/IP) suite, or its subsequent
extensions, or other IP-compatible protocols, and that provides, uses,
or makes accessible, either publicly or privately, high level services
layered on the communications and related infrastructure described in
this subsection.
(7) "Owner or operator" means the owner or lessee of a computer, or
someone using such computer with the owner's or lessee's authorization.
"Owner or operator" does not include any person who owns a computer
before the first retail sale of such computer.
(8) "Person" means any individual, partnership, corporation,
limited liability company, or other organization, or any combination
thereof.
(9) "Personally identifiable information" means any of the
following with respect to an individual who is an owner or operator:
(a) First name or first initial in combination with last name;
(b) A home or other physical address including street name;
(c) An electronic mail address;
(d) A credit or debit card number, bank account number, or a
password or access code associated with a credit or debit card or bank
account;
(e) Social security number, tax identification number, driver's
license number, passport number, or any other government-issued
identification number; ((and)) or
(f) Any of the following information in a form that personally
identifies an owner or operator:
(i) Account balances;
(ii) Overdraft history; ((and)) or
(iii) Payment history.
(10) "Procure" means to knowingly, or with conscious avoidance of
knowledge, pay or provide other consideration to, or induce, another
person to transmit on one's behalf.
(11) "Transmit" means to knowingly, or with conscious avoidance of
knowledge, transfer, send, or make available computer software, or any
component thereof, via the internet or any other medium, including
local area networks of computers, other nonwire transmission, and disc
or other data storage device. "Transmit" does not include any action
by a person providing:
(a) The internet connection, telephone connection, or other means
of transmission capability ((such as a compact disk or digital video
disk)) through which the software was made available;
(b) The storage or hosting of the software program or a web page
through which the software was made available, unless the person
providing the storage or hosting services knows or reasonably should
know there is or will be a violation of this chapter, and participates
in or ratifies the actions constituting the violation; or
(c) An information location tool, such as a directory, index
reference, pointer, or hypertext link, through which the user of the
computer located the software, unless such person receives a direct
economic benefit from the execution of such software on the computer.
Sec. 2 RCW 19.270.020 and 2005 c 500 s 2 are each amended to read
as follows:
It is unlawful for a person ((who is not an owner or operator to
transmit computer software to the owner or operator's computer with
actual knowledge or with conscious avoidance of actual knowledge and to
use such software to do)), without the authorization of the owner or
operator, to transmit, or procure the transmission of, software to the
owner or operator's computer with actual knowledge or conscious
avoidance of actual knowledge that the software does any of the
following:
(1) ((Modify)) Modifies, through ((intentionally)) deceptive means,
settings that control any of the following:
(a) The page that appears when an owner or operator launches an
internet browser or similar computer software used to access and
navigate the internet;
(b) The default provider or web proxy the owner or operator uses to
access or search the internet; ((and))
(c) The owner or operator's list of bookmarks used to access web
pages; or
(d) The toolbars or buttons of the owner or operator's internet
browser or similar computer software used to access and navigate the
internet;
(2) Collects, through intentionally deceptive means, personally
identifiable information((:))
through the use of a keystroke-logging function or through extracting
the information from the owner or operator's hard drive;
(a) Through the use of a keystroke-logging function that records
all keystrokes made by an owner or operator and transfers that
information from the computer to another person;
(b) In a manner that correlates such information with data
respecting all or substantially all of the web sites visited by an
owner or operator, other than web sites operated by the person
collecting such information; and
(c) Described in RCW 19.270.010(9) (d), (e), or (f)(i) or (ii) by
extracting the information from the owner or operator's hard drive
(3) Prevents, through intentionally deceptive means, an owner or
operator's reasonable efforts to block the installation or execution
of, or to disable, computer software ((by causing the software that the
owner or operator has properly removed or disabled automatically to
reinstall or reactivate on the computer));
(4) ((Intentionally)) Misrepresents that computer software will be
uninstalled or disabled by an owner or operator's action; ((and))
(5) Through intentionally deceptive means, removes, disables, or
renders inoperative security, antispyware, or antivirus computer
software installed on the computer, or through intentionally deceptive
means disables the ability of such computer software to update
automatically;
(6) Accesses or uses the modem or internet service for such
computer to cause damage to the computer or cause an owner or operator
to incur financial charges for a service that is not authorized by the
owner or operator;
(7) Opens multiple, sequential, stand-alone advertisements in the
owner or operator's computer without the authorization of the owner or
operator and that a reasonable computer user cannot close without
turning off the computer or closing the internet browser;
(8) Uses the owner or operator's computer as part of an activity
performed by a group of computers for the purpose of causing damage to
another computer or person including, but not limited to, launching a
denial of service attack;
(9) Transmits or relays commercial electronic mail or a computer
virus from the owner or operator's computer, where the transmission or
relaying is initiated by a person other than the owner or operator;
(10) Modifies any of the following settings related to the
computer's access to, or use of, the internet:
(a) Settings that protect information about the owner or operator
in order to make unauthorized use of the owner or operator's personally
identifiable information; or
(b) Security settings in order to cause damage to a computer; or
(11) Prevents an owner or operator's reasonable efforts to block
the installation of, or to disable, computer software by doing any of
the following:
(a) Presenting the owner or operator with an option to decline
installation of computer software and with knowledge or conscious
avoidance of knowledge that when the option is selected the
installation nevertheless proceeds; or
(b) Falsely representing that computer software has been disabled.
Sec. 3 RCW 19.270.040 and 2005 c 500 s 4 are each amended to read
as follows:
It is unlawful for a person who is not an owner or operator to do
any of the following with regard to the owner or operator's computer:
(1) Induce an owner or operator to install a computer software
component onto the computer by ((intentionally)) deceptively
misrepresenting the extent to which installing the software is
necessary for maintenance, update, or repair of the computer or
computer software, for security or privacy reasons ((or)), for the
proper operation of the computer, in order to open, view, or play a
particular type of content; ((and)) or
(2) Induce an owner or operator to install a computer software
component onto the computer by displaying a pop-up, web page, or other
message that deceptively misrepresents the source of the message; or
(3) Deceptively cause the execution on the computer of a computer
software component ((with the intent of causing)) that causes the owner
or operator to use the component in a manner that violates any other
provision of this section.
Sec. 4 RCW 19.270.050 and 2005 c 500 s 5 are each amended to read
as follows:
(1) Neither RCW ((19.270.030 or)) 19.270.020 (5) through (11) nor
((or)) 19.270.040 ((does not)) apply to any monitoring of, or
interaction with, a subscriber's internet or other network connection
or service, or a computer, by a telecommunications carrier, cable
operator, computer hardware or software provider, or provider of
information service or interactive computer service for network or
computer security purposes, diagnostics, technical support,
maintenance, repair, authorized updates of software or system firmware,
authorized remote system management, or detection or prevention of the
unauthorized use of or fraudulent or other illegal activities in
connection with a network, service, or computer software, including
scanning for and removing software under this chapter.
(2) This section shall not be construed to provide a defense to
liability under the common law or any other state or federal law, nor
shall it be construed as an affirmative grant of authority to engage in
any of the activities listed in this section.
Sec. 5 RCW 19.270.060 and 2005 c 500 s 6 are each amended to read
as follows:
(1) In addition to any other remedies provided by this chapter or
any other provision of law, the attorney general, or a provider of
computer software or owner of a web site or trademark who is adversely
affected by reason of a violation of this chapter, and whose action
arises directly out of such person's status as a provider or owner, may
bring an action against a person who violates this chapter to enjoin
further violations and to recover either actual damages or one hundred
thousand dollars per violation, whichever is greater.
(2) In an action under subsection (1) of this section, a court may
increase the damages up to three times the damages allowed under
subsection (1) of this section if the defendant has engaged in a
pattern and practice of violating this chapter. The court may also
award costs and reasonable attorneys' fees to the prevailing party.
(3) The amount of damages determined under subsection (1) or (2) of
this section may not exceed two million dollars.
NEW SECTION. Sec. 6 RCW 19.270.030 (Unlawful activities--Taking
control of computer--Modification of computer's setting--Preventing
installation of certain software) and 2005 c 500 s 3 are each repealed.