SECOND REGULAR SESSION
HOUSE BILL NO. 2203
94TH GENERAL ASSEMBLY
INTRODUCED BY REPRESENTATIVES PRATT (Sponsor) AND PEARCE (Co-sponsor).
Read 1st time February 19, 2008 and copies ordered printed.
D. ADAM CRUMBLISS, Chief Clerk
To amend chapter 407, RSMo, by adding thereto seven new sections relating to computer spyware, with penalty provisions.
Be it enacted by the General Assembly of the state of Missouri, as follows:
Section A. Chapter 407, RSMo, is amended by adding thereto seven new sections, to be known as sections 407.2100, 407.2105, 407.2110, 407.2115, 407.2120, 407.2125, and 407.2130, to read as follows:
407.2100. Sections 407.2100 to 407.2130 shall be known as and may be cited as the "Consumer Protection Against Computer Spyware Act".
407.2105. For purposes of sections 407.2100 to 407.2130, the following terms shall mean:
(1) "Advertisement", a communication, the primary purpose of which is the commercial promotion of a commercial product or service, including content on an Internet web site operated for a commercial purpose;
(2) "Authorized user", with respect to a computer, a person who owns or leases a computer is authorized by the owner or lessee to use the computer. Authorized user shall not include a person or entity that has obtained authorization to use the computer solely through the use of an end-user license agreement;
(3) "Computer software", a sequence of instructions written in any programming language that is executed on a computer;
(4) "Computer virus", a computer program or other set of instructions that is designed to degrade the performance of or disable a computer or computer network and is designed to have the ability to replicate itself on other computers or computer networks without the authorization of the owners of those computers or computer networks;
(5) "Consumer", an individual who resides in the state and who uses a computer primarily for personal, family, or household purposes;
(6) "Damage", any significant impairment to the integrity, functionality or availability of data, software, a computer, or a system;
(7) "Execute", when used with respect to computer software, the performance of the functions or the carrying out of the instructions of the computer software;
(8) "Intentionally deceptive", any of the following:
(a) By means of an intentionally and materially false or fraudulent statement;
(b) By means of a statement or description that intentionally omits or misrepresents material information in order to deceive the consumer;
(c) By means of an intentional and material failure to provide any notice to an authorized user regarding the download or installation of software in order to deceive the consumer;
(9) "Internet", the global information system that is logically linked together by a globally unique address space based on the Internet protocol, or its subsequent extensions, and that is able to support communications using the Transmission Control Protocol/Internet Protocol suite, or its subsequent extensions, or other Internet protocol-compatible protocols, and that provides, uses, or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure described in this subdivision;
(10) "Person", any individual, partnership, corporation, limited liability company, or other organization, or any combination thereof;
(11) "Personally identifiable information", any of the following:
(a) A first name or first initial in combination with last name;
(b) Any credit or debit card numbers or other financial account numbers;
(c) A password or personal identification number required to access an identified financial account;
(d) A Social Security number;
(e) Any of the following information in a form that personally identifies an authorized user:
a. Account balance;
b. Overdraft history;
c. Payment history;
d. History of web sites visited;
e. Home address;
f. Work address;
g. Record of a purchase or purchases.
407.2110. A person or entity that is not an authorized user shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied onto the computer of a consumer in this state and use the software to do any of the following:
(1) Modify, through intentionally deceptive means, any of the settings related to the computer's access to, or use of, the Internet;
(2) Collect, through intentionally deceptive means, personally identifiable information that meets any of the following criteria:
(a) It is collected through the use of a keystroke-logging function that records all keystrokes made by an authorized user who uses the computer and transfers that information from the computer to another person;
(b) It includes all or substantially all of the web sites visited by an authorized user, other than web sites of the provider of the software, if the computer software was installed in a manner designed to conceal from all authorized users of the computer the fact that the software is being installed;
(c) It is a data element described in paragraph (b), (c), or (d) of subdivision (11) of section 407.2105, or in subparagraph a. or b. of paragraph (e) of subdivision (11) of section 407.2105, that is extracted from the consumer's computer hard drive for a purpose wholly unrelated to any of the purposes of the software or service described to an authorized user;
(3) Prevent, without the authorization of an authorized user, through intentionally deceptive means, an authorized user's reasonable efforts to block the installation of, or to disable, software, by causing software that the authorized user has properly removed or disabled to automatically reinstall or reactivate on the computer without the authorization of an authorized user;
(4) Intentionally misrepresent that software will be uninstalled or disabled by an authorized user's action, with knowledge that the software will not be so uninstalled or disabled;
(5) Through intentionally deceptive means, remove, disable, or render inoperative security, antispyware, or antivirus software installed on the computer.
407.2115. A person or entity that is not an authorized user shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied onto the computer of a consumer in this state or use the software to do any of the following:
(1) Take control of the consumer's computer by doing any of the following:
(a) Transmitting or relaying commercial electronic mail or a computer virus from the consumer's computer, where the transmission or relaying is initiated by a person other than the authorized user and without the authorization of an authorized user;
(b) Accessing or using the consumer's modem or Internet service for the purpose of causing damage to the consumer's computer or of causing an authorized user to incur financial charges for a service that is not authorized by an authorized user;
(c) Using the consumer's computer as part of an activity performed by a group of computers for the purpose of causing damage to another computer, including, but not limited to, launching a denial of service attack;
(d) Opening multiple, sequential, stand-alone advertisements in the consumer's Internet browser without the authorization of an authorized user and with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the consumer's Internet browser;
(2) Modify any of the following settings related to the computer's access to, or use of, the Internet:
(a) An authorized user's security or other settings that protect information about the authorized user for the purpose of obtaining personally identifiable information of an authorized user;
(b) The security settings of the computer for the purpose of causing damage to one or more computers;
(3) Prevent, without the authorization of an authorized user, an authorized user's reasonable efforts to block the installation of, or to disable, software, by doing any of the following:
(a) Presenting the authorized user with an option to decline installation of software with knowledge that, when the option is selected by the authorized user, the installation nevertheless proceeds;
(b) Falsely representing that software has been disabled;
(c) Causing the installation of computer software in an intentionally deceptive manner so as to evade an authorized user's attempts to remove the computer software from the computer;
(4) Remove, disable, or render inoperative, through intentionally deceptive means, security, antispyware, or antivirus software installed on the computer;
(5) Nothing in this section shall apply to any monitoring of, or interaction with, an authorized user's Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer authorized service for authorized network or computer security purposes, authorized diagnostics, technical support, network management, authorized maintenance or repair, authorized updates of software or system firmware, authorized remote system management, or authorized detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter.
407.2120. 1. A person or entity, who is not an authorized user is strictly prohibited from doing any of the following with regard to the computer of a consumer in this state:
(1) Induce an authorized user to install a software component onto the computer by misrepresenting that installing software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content;
(2) Deceptively causing the copying and execution on the computer of a computer software component with the intent of causing an authorized user or computer to use the component in a way that violates any other provision of this section.
2. Nothing in this section shall apply to any monitoring of, or interaction with, an authorized user's Internet or other network connection, service, or computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for authorized network or computer security purposes, authorized diagnostics, technical support, authorized maintenance or repair, network management authorized updates of software or system firmware, authorized remote system management, or authorized detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter.
3. A manufacturer or retailer of computer equipment shall not be liable under this act to the extent that the manufacturer or retailer is providing third-party branded software loaded on the equipment they are manufacturing or selling.
407.2125. It shall be unlawful for a person to:
(1) Assist in a violation of this chapter when the person providing the assistance knows, or consciously avoids knowing, that the person to whom the assistance is provided is engaged, or intends to engage, in any act or practice that violates this chapter;
(2) Conspire with another person to engage in any act that violates this chapter.
407.2130. Any person who violates sections 407.2100 to 407.2130 is guilty of a class B misdemeanor.