STATE OF NEW YORK
________________________________________________________________________
6419
2009-2010 Regular Sessions
IN ASSEMBLY
March 3, 2009
___________
Introduced by M. of A. TOWNS, JAFFEE, CYMBROWITZ, RAIA, REILLY, CHRIS-
TENSEN, FIELDS, SCHIMEL, DenDEKKER, ROBINSON, COLTON, GALEF, ZEBROW-
SKI, SCARBOROUGH, ORTIZ, MAYERSOHN, LANCMAN, P. LOPEZ -- Multi-Spon-
sored by -- M. of A. ALFANO, BOYLAND, BRENNAN, BURLING, CASTRO, CONTE,
DESTITO, ERRIGO, GLICK, GREENE, HEASTIE, HIKIND, KOLB, LATIMER, LUPAR-
DO, MAISEL, PHEFFER, QUINN, SCHROEDER, THIELE, TITONE, WEISENBERG --
read once and referred to the Committee on Economic Development, Job
Creation, Commerce and Industry
AN ACT to amend the general business law, in relation to enacting the
"computer spyware protection act"
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:
Section 1. This act shall be known and be cited as the "computer
spyware protection act".
§ 2. It is the intent of the legislature to protect owners and operators
of computers in this state from the use of spyware and malware that is
deceptively or surreptitiously installed on the owner's or the operator's
computer.
§ 3. The general business law is amended by adding a new section 399-i
to read as follows:
§ 399-I. COMPUTER SPYWARE PROTECTION. 1. FOR THE PURPOSES OF THIS
SECTION THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:
(A) "CAUSE TO BE COPIED" MEANS TO DISTRIBUTE OR TRANSFER COMPUTER
SOFTWARE, OR ANY COMPONENT THEREOF. SUCH TERM SHALL NOT INCLUDE PROVID-
ING:
(I) TRANSMISSION, ROUTING, PROVISION OF INTERMEDIATE TEMPORARY STOR-
AGE, OR CACHING OF SOFTWARE;
(II) A STORAGE OR HOSTING MEDIUM, SUCH AS A COMPACT DISK, WEB SITE, OR
COMPUTER SERVER THROUGH WHICH THE SOFTWARE WAS DISTRIBUTED BY A THIRD
PARTY; OR
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD08039-01-9
(III) AN INFORMATION LOCATION TOOL, SUCH AS A DIRECTORY, INDEX, REFER-
ENCE, POINTER, OR HYPERTEXT LINK, THROUGH WHICH THE USER OF THE COMPUTER
LOCATED THE SOFTWARE.
(B) "COMPUTER SOFTWARE" MEANS A SEQUENCE OF INSTRUCTIONS WRITTEN IN
ANY PROGRAMMING LANGUAGE THAT IS EXECUTED ON A COMPUTER. "COMPUTER SOFT-
WARE" DOES NOT INCLUDE A DATA COMPONENT OF A WEB PAGE THAT IS NOT
EXECUTABLE INDEPENDENTLY OF THE WEB PAGE.
(C) "COMPUTER VIRUS" MEANS A COMPUTER PROGRAM OR OTHER SET OF
INSTRUCTIONS THAT IS DESIGNED TO DEGRADE THE PERFORMANCE OF OR DISABLE A
COMPUTER OR COMPUTER NETWORK AND IS DESIGNED TO HAVE THE ABILITY TO
REPLICATE ITSELF ON OTHER COMPUTERS OR COMPUTER NETWORKS WITHOUT THE
AUTHORIZATION OF THE OWNERS OF THOSE COMPUTERS OR COMPUTER NETWORKS.
(D) "DAMAGE" MEANS ANY SIGNIFICANT IMPAIRMENT TO THE INTEGRITY OR
AVAILABILITY OF DATA, SOFTWARE, A SYSTEM, OR INFORMATION.
(E) "EXECUTE", WHEN USED WITH RESPECT TO COMPUTER SOFTWARE, MEANS THE
PERFORMANCE OF THE FUNCTIONS OR THE CARRYING OUT OF THE INSTRUCTIONS OF
THE COMPUTER SOFTWARE.
(F) "INTENTIONALLY DECEPTIVE" MEANS ANY OF THE FOLLOWING:
(I) AN INTENTIONALLY AND MATERIALLY FALSE OR FRAUDULENT STATEMENT.
(II) A STATEMENT OR DESCRIPTION THAT INTENTIONALLY OMITS OR MISREPRE-
SENTS MATERIAL INFORMATION IN ORDER TO DECEIVE AN OWNER OR OPERATOR OF A
COMPUTER.
(III) AN INTENTIONAL AND MATERIAL FAILURE TO PROVIDE A NOTICE TO AN
OWNER OR OPERATOR REGARDING THE INSTALLATION OR EXECUTION OF COMPUTER
SOFTWARE FOR THE PURPOSE OF DECEIVING THE OWNER OR OPERATOR.
(G) "INTERNET" MEANS THE GLOBAL INFORMATION SYSTEM THAT IS LOGICALLY
LINKED TOGETHER BY A GLOBALLY UNIQUE ADDRESS SPACE BASED ON THE INTERNET
PROTOCOL (IP), OR ITS SUBSEQUENT EXTENSIONS, AND THAT IS ABLE TO SUPPORT
COMMUNICATIONS USING THE TRANSMISSION CONTROL PROTOCOL/INTERNET PROTOCOL
(TCP/IP) SUITE, OR ITS SUBSEQUENT EXTENSIONS, OR OTHER IP-COMPATIBLE
PROTOCOLS, AND THAT PROVIDES, USES, OR MAKES ACCESSIBLE, EITHER PUBLICLY
OR PRIVATELY, HIGH-LEVEL SERVICES LAYERED ON THE COMMUNICATIONS AND
RELATED INFRASTRUCTURE DESCRIBED IN THIS PARAGRAPH.
(H) "OWNER OR OPERATOR" MEANS THE OWNER OR LESSEE OF A COMPUTER, OR A
PERSON USING SUCH COMPUTER WITH THE OWNER OR LESSEE'S AUTHORIZATION, BUT
DOES NOT INCLUDE A PERSON WHO OWNED A COMPUTER PRIOR TO THE FIRST RETAIL
SALE OF THE COMPUTER.
(I) "MESSAGE" MEANS A GRAPHICAL OR TEXT COMMUNICATION PRESENTED TO AN
AUTHORIZED USER OF A COMPUTER.
(J) "PERSON" MEANS ANY INDIVIDUAL, PARTNERSHIP, CORPORATION, LIMITED
LIABILITY COMPANY, OR OTHER ORGANIZATION, OR ANY COMBINATION THEREOF.
(K) "PERSONALLY IDENTIFIABLE INFORMATION" MEANS ANY OF THE FOLLOWING
INFORMATION IF IT ALLOWS THE ENTITY HOLDING THE INFORMATION TO IDENTIFY
THE OWNER OR OPERATOR OF A COMPUTER:
(I) THE FIRST NAME OR FIRST INITIAL IN COMBINATION WITH THE LAST NAME;
(II) A HOME OR OTHER PHYSICAL ADDRESS INCLUDING STREET NAME;
(III) PERSONAL IDENTIFICATION CODE IN CONJUNCTION WITH A PASSWORD
REQUIRED TO ACCESS AN IDENTIFIED ACCOUNT, OTHER THAN A PASSWORD,
PERSONAL IDENTIFICATION NUMBER OR OTHER IDENTIFICATION NUMBER TRANSMIT-
TED BY AN AUTHORIZED USER TO THE ISSUER OF THE ACCOUNT OR ITS AGENT;
(IV) SOCIAL SECURITY NUMBER, TAX IDENTIFICATION NUMBER, DRIVER'S
LICENSE NUMBER, PASSPORT NUMBER, OR ANY OTHER GOVERNMENT-ISSUED IDEN-
TIFICATION NUMBER; OR
(V) ACCOUNT BALANCE, OVERDRAFT HISTORY, OR PAYMENT HISTORY THAT
PERSONALLY IDENTIFIES AN OWNER OR OPERATOR OF A COMPUTER.
2. IT IS UNLAWFUL FOR A PERSON WHO IS NOT AN OWNER OR OPERATOR OF A
COMPUTER TO CAUSE COMPUTER SOFTWARE TO BE COPIED ON SUCH COMPUTER KNOW-
INGLY OR WITH CONSCIOUS AVOIDANCE OF ACTUAL KNOWLEDGE OR WILLFULLY, AND
TO USE SUCH SOFTWARE TO DO ANY OF THE FOLLOWING:
(A) MODIFY, THROUGH INTENTIONALLY DECEPTIVE MEANS, SETTINGS OF A
COMPUTER THAT CONTROL ANY OF THE FOLLOWING:
(I) THE WEB PAGE THAT APPEARS WHEN AN OWNER OR OPERATOR LAUNCHES AN
INTERNET BROWSER OR SIMILAR COMPUTER SOFTWARE USED TO ACCESS AND NAVI-
GATE THE INTERNET.
(II) THE DEFAULT PROVIDER OR WEB PROXY THAT AN OWNER OR OPERATOR USES
TO ACCESS OR SEARCH THE INTERNET.
(III) AN OWNER'S OR AN OPERATOR'S LIST OF BOOKMARKS USED TO ACCESS WEB
PAGES.
(B) COLLECT, THROUGH INTENTIONALLY DECEPTIVE MEANS, PERSONALLY IDEN-
TIFIABLE INFORMATION THROUGH ANY OF THE FOLLOWING MEANS:
(I) THE USE OF A KEYSTROKE-LOGGING FUNCTION THAT RECORDS ALL OR
SUBSTANTIALLY ALL KEYSTROKES MADE BY AN OWNER OR OPERATOR OF A COMPUTER
AND TRANSFERS THAT INFORMATION FROM THE COMPUTER TO ANOTHER PERSON;
(II) IN A MANNER THAT CORRELATES PERSONALLY IDENTIFIABLE INFORMATION
WITH DATA REGARDING ALL OR SUBSTANTIALLY ALL OF THE WEB SITES VISITED BY
AN OWNER OR OPERATOR, OTHER THAN WEB SITES OPERATED BY THE PERSON
PROVIDING SUCH SOFTWARE, IF THE COMPUTER SOFTWARE WAS INSTALLED IN A
MANNER DESIGNED TO CONCEAL FROM ALL AUTHORIZED USERS OF THE COMPUTER THE
FACT THAT THE SOFTWARE IS BEING INSTALLED; OR
(III) BY EXTRACTING FROM THE HARD DRIVE OF AN OWNER'S OR AN OPERATOR'S
COMPUTER, AN OWNER'S OR AN OPERATOR'S SOCIAL SECURITY NUMBER, TAX IDEN-
TIFICATION NUMBER, DRIVER'S LICENCE NUMBER, PASSPORT NUMBER, ANY OTHER
GOVERNMENT-ISSUED IDENTIFICATION NUMBER, ACCOUNT BALANCES, OR OVERDRAFT
HISTORY FOR A PURPOSE UNRELATED TO ANY OF THE PURPOSES OF THIS SOFTWARE
OR SERVICE DESCRIBED TO AN AUTHORIZED USER.
(C) PREVENT, THROUGH INTENTIONALLY DECEPTIVE MEANS, AN OWNER'S OR AN
OPERATOR'S REASONABLE EFFORTS TO BLOCK THE INSTALLATION OF OR EXECUTION
OF, OR TO DISABLE COMPUTER SOFTWARE BY CAUSING COMPUTER SOFTWARE THAT
THE OWNER OR OPERATOR HAS PROPERLY REMOVED OR DISABLED TO AUTOMATICALLY
REINSTALL OR REACTIVATE ON THE COMPUTER WITHOUT THE AUTHORIZATION OF AN
AUTHORIZED USER.
(D) INTENTIONALLY MISREPRESENT THAT COMPUTER SOFTWARE WILL BE UNIN-
STALLED OR DISABLED BY AN OWNER'S OR AN OPERATOR'S ACTION.
(E) THROUGH INTENTIONALLY DECEPTIVE MEANS, REMOVE, DISABLE, OR RENDER
INOPERATIVE SECURITY, ANTISPYWARE, OR ANTIVIRUS COMPUTER SOFTWARE
INSTALLED ON AN OWNER'S OR AN OPERATOR'S COMPUTER.
(F) ENABLE USE OF AN OWNER'S OR AN OPERATOR'S COMPUTER TO DO ANY OF
THE FOLLOWING:
(I) ACCESSING OR USING A MODEM OR INTERNET SERVICE FOR THE PURPOSE OF
CAUSING DAMAGE TO AN OWNER'S OR AN OPERATOR'S COMPUTER OR CAUSING AN
OWNER OR OPERATOR, OR A THIRD PARTY AFFECTED BY SUCH CONDUCT TO INCUR
FINANCIAL CHARGES FOR A SERVICE THAT THE OWNER OR OPERATOR DID NOT
AUTHORIZE;
(II) OPENING MULTIPLE, SEQUENTIAL, STAND-ALONE MESSAGES IN AN OWNER'S
OR AN OPERATOR'S COMPUTER WITHOUT THE AUTHORIZATION OF AN OWNER OR OPER-
ATOR AND WITH KNOWLEDGE THAT A REASONABLE COMPUTER USER COULD NOT CLOSE
THE MESSAGES WITHOUT TURNING OFF THE COMPUTER OR CLOSING THE SOFTWARE
APPLICATION IN WHICH THE MESSAGES APPEAR; PROVIDED THAT THIS PARAGRAPH
SHALL NOT APPLY TO COMMUNICATIONS ORIGINATED BY THE COMPUTER'S OPERATING
SYSTEM, ORIGINATED BY A SOFTWARE APPLICATION THAT THE USER CHOOSES TO
ACTIVATE, ORIGINATED BY A SERVICE PROVIDER THAT THE USER CHOOSES TO USE,
OR PRESENTED FOR ANY OF THE PURPOSES DESCRIBED IN THIS SUBDIVISION; OR
(III) TRANSMITTING OR RELAYING COMMERCIAL ELECTRONIC MAIL OR A COMPUT-
ER VIRUS FROM THE COMPUTER, WHERE THE TRANSMISSION OR RELAYING IS INITI-
ATED BY A PERSON OTHER THAN THE AUTHORIZED USER AND WITHOUT THE AUTHORI-
ZATION OF AN AUTHORIZED USER.
(G) MODIFY ANY OF THE FOLLOWING SETTINGS RELATED TO THE COMPUTER'S
ACCESS TO, OR USE OF, THE INTERNET:
(I) SETTINGS THAT PROTECT INFORMATION ABOUT AN OWNER OR OPERATOR FOR
THE PURPOSE OF TAKING PERSONALLY IDENTIFIABLE INFORMATION OF THE OWNER
OR OPERATOR;
(II) SECURITY SETTINGS FOR THE PURPOSE OF CAUSING DAMAGE TO A COMPUT-
ER; OR
(III) SETTINGS THAT PROTECT THE COMPUTER FROM THE USES IDENTIFIED IN
PARAGRAPH (F) OF THIS SUBDIVISION.
(H) PREVENT, WITHOUT THE AUTHORIZATION OF AN OWNER OR OPERATOR, AN
OWNER'S OR AN OPERATOR'S REASONABLE EFFORTS TO BLOCK THE INSTALLATION
OF, OR TO DISABLE, COMPUTER SOFTWARE BY DOING ANY OF THE FOLLOWING:
(I) PRESENTING THE OWNER OR OPERATOR WITH AN OPTION TO DECLINE INSTAL-
LATION OF COMPUTER SOFTWARE WITH KNOWLEDGE THAT, WHEN THE OPTION IS
SELECTED BY THE AUTHORIZED USER, THE INSTALLATION NEVERTHELESS PROCEEDS;
(II) FALSELY REPRESENTING THAT COMPUTER SOFTWARE HAS BEEN DISABLED;
(III) REQUIRING IN AN INTENTIONALLY DECEPTIVE MANNER THE USER TO
ACCESS THE INTERNET TO REMOVE THE SOFTWARE WITH KNOWLEDGE OR RECKLESS
DISREGARD OF THE FACT THAT THE SOFTWARE FREQUENTLY OPERATES IN A MANNER
THAT PREVENTS THE USER FROM ACCESSING THE INTERNET;
(IV) CHANGING THE NAME, LOCATION OR OTHER DESIGNATION INFORMATION OF
THE SOFTWARE FOR THE PURPOSE OF PREVENTING AN AUTHORIZED USER FROM
LOCATING THE SOFTWARE TO REMOVE IT;
(V) USING RANDOMIZED OR INTENTIONALLY DECEPTIVE FILENAMES, DIRECTORY
FOLDERS, FORMATS, OR REGISTRY ENTRIES FOR THE PURPOSE OF AVOIDING
DETECTION AND REMOVAL OF THE SOFTWARE BY AN AUTHORIZED USER;
(VI) CAUSING THE INSTALLATION OF SOFTWARE IN A PARTICULAR COMPUTER
DIRECTORY OR COMPUTER MEMORY FOR THE PURPOSE OF EVADING AUTHORIZED
USERS' ATTEMPTS TO REMOVE THE SOFTWARE FROM THE COMPUTER; OR
(VII) REQUIRING, WITHOUT THE AUTHORITY OF THE OWNER OF THE COMPUTER,
THAT AN AUTHORIZED USER OBTAIN A SPECIAL CODE OR DOWNLOAD SOFTWARE FROM
A THIRD PARTY TO UNINSTALL THE SOFTWARE.
3. IT IS UNLAWFUL FOR A PERSON WHO IS NOT AN OWNER OR OPERATOR OF A
COMPUTER TO DO ANY OF THE FOLLOWING WITH REGARD TO THE COMPUTER:
(A) INDUCE AN OWNER OR OPERATOR TO INSTALL A COMPUTER SOFTWARE COMPO-
NENT ONTO THE OWNER'S OR THE OPERATOR'S COMPUTER BY INTENTIONALLY
MISREPRESENTING THAT INSTALLING COMPUTER SOFTWARE IS NECESSARY FOR SECU-
RITY OR PRIVACY REASONS OR IN ORDER TO OPEN, VIEW, OR PLAY A PARTICULAR
TYPE OF CONTENT; OR
(B) USING INTENTIONALLY DECEPTIVE MEANS TO CAUSE THE EXECUTION OF A
COMPUTER SOFTWARE COMPONENT WITH THE INTENT OF CAUSING THE COMPUTER TO
USE SUCH COMPONENT IN A MANNER THAT VIOLATES ANY OTHER PROVISION OF THIS
CHAPTER.
4. SUBDIVISIONS TWO AND THREE OF THIS SECTION SHALL NOT APPLY TO THE
MONITORING OF, OR INTERACTION WITH, AN OWNER'S OR AN OPERATOR'S INTERNET
OR OTHER NETWORK CONNECTION, SERVICE, OR COMPUTER, BY A TELECOMMUNI-
CATIONS CARRIER, CABLE OPERATOR, COMPUTER HARDWARE OR SOFTWARE PROVIDER,
OR PROVIDER OF INFORMATION SERVICE OR INTERACTIVE COMPUTER SERVICE FOR
NETWORK OR COMPUTER SECURITY PURPOSES, DIAGNOSTICS, TECHNICAL SUPPORT,
MAINTENANCE, REPAIR, NETWORK MANAGEMENT, AUTHORIZED UPDATES OF COMPUTER
SOFTWARE OR SYSTEM FIRMWARE, AUTHORIZED REMOTE SYSTEM MANAGEMENT, OR
DETECTION OR PREVENTION OF THE UNAUTHORIZED USE OF OR FRAUDULENT OR
OTHER ILLEGAL ACTIVITIES IN CONNECTION WITH A NETWORK, SERVICE, OR
COMPUTER SOFTWARE, INCLUDING SCANNING FOR AND REMOVING COMPUTER SOFTWARE
PRESCRIBED UNDER THIS SECTION.
5. (A) THE ATTORNEY GENERAL, AN INTERNET SERVICE PROVIDER OR SOFTWARE
COMPANY THAT EXPENDS RESOURCES IN GOOD FAITH ASSISTING AUTHORIZED USERS
HARMED BY A VIOLATION OF THIS SECTION, OR A TRADEMARK OWNER WHOSE MARK
IS USED TO DECEIVE AUTHORIZED USERS IN VIOLATION OF THIS SECTION, MAY
BRING A CIVIL ACTION AGAINST A PERSON WHO VIOLATES ANY PROVISION OF THIS
SECTION TO RECOVER ACTUAL DAMAGES, LIQUIDATED DAMAGES OF AT LEAST ONE
THOUSAND DOLLARS PER VIOLATION OF THIS SECTION, NOT TO EXCEED ONE
MILLION DOLLARS FOR A PATTERN OR PRACTICE OF SUCH VIOLATIONS, ATTORNEY
FEES, AND COSTS.
(B) THE COURT MAY INCREASE A DAMAGE AWARD TO AN AMOUNT EQUAL TO NOT
MORE THAN THREE TIMES THE AMOUNT OTHERWISE RECOVERABLE UNDER PARAGRAPH
(A) OF THIS SUBDIVISION IF THE COURT DETERMINES THAT THE DEFENDANT
COMMITTED THE VIOLATION WILLFULLY AND KNOWINGLY.
(C) THE COURT MAY REDUCE LIQUIDATED DAMAGES RECOVERABLE UNDER PARA-
GRAPH (A) OF THIS SUBDIVISION, TO A MINIMUM OF ONE HUNDRED DOLLARS, NOT
TO EXCEED ONE HUNDRED THOUSAND DOLLARS FOR EACH VIOLATION IF THE COURT
FINDS THAT THE DEFENDANT ESTABLISHED AND IMPLEMENTED PRACTICES AND
PROCEDURES REASONABLY DESIGNED TO PREVENT A VIOLATION OF THIS SECTION.
(D) IN THE CASE OF A VIOLATION OF SUBPARAGRAPH (I) OF THIS PARAGRAPH
THAT CAUSES A TELECOMMUNICATIONS CARRIER OR PROVIDER OF VOICE OVER
INTERNET PROTOCOL SERVICE TO INCUR COSTS FOR THE ORIGINATION, TRANSPORT,
OR TERMINATION OF A CALL TRIGGERED USING THE MODEM OR INTERNET-CAPABLE
DEVICE OF A CUSTOMER OF SUCH TELECOMMUNICATIONS CARRIER OR PROVIDER AS A
RESULT OF SUCH VIOLATION, THE TELECOMMUNICATIONS CARRIER MAY BRING A
CIVIL ACTION AGAINST THE VIOLATOR TO RECOVER ANY OR ALL OF THE FOLLOW-
ING:
(I) THE CHARGES SUCH CARRIER OR PROVIDER IS OBLIGATED TO PAY TO ANOTH-
ER CARRIER OR TO AN INFORMATION SERVICE PROVIDER AS A RESULT OF THE
VIOLATION, INCLUDING BUT NOT LIMITED TO CHARGES FOR THE ORIGINATION,
TRANSPORT OR TERMINATION OF THE CALL;
(II) COSTS OF HANDLING CUSTOMER INQUIRIES OR COMPLAINTS WITH RESPECT
TO AMOUNTS BILLED FOR SUCH CALLS;
(III) COSTS AND A REASONABLE ATTORNEY'S FEE; AND
(IV) AN ORDER TO ENJOIN THE VIOLATION.
(E) FOR PURPOSES OF A CIVIL ACTION UNDER PARAGRAPHS (A), (B) AND (C)
OF THIS SUBDIVISION ANY SINGLE ACTION OR CONDUCT THAT VIOLATES MORE THAN
ONE SUBDIVISION OF THIS SECTION SHALL BE CONSIDERED MULTIPLE VIOLATIONS
BASED ON THE NUMBER OF SUCH SUBDIVISIONS VIOLATED.
§ 4. This act shall take effect on the ninetieth day after it shall
have become a law.