Yar Chaikovsky ABA Section of Intellectual Property Law Division VII — Information Technology ...

ABA Section of Intellectual Property Law Division VII — Information Technology Final Report May 1, 2008 Marc K. Temin, Division Chair



COMMITTEE NO. 711 — ONLINE SECURITY & E-PRIVACY

Robert Mark Field and Michael A. Parks, Co-Chairs

Scope of committee: All aspects of online security and e-privacy but excluding issues within the scope of Committee 710.

In its second year, Committee 711 does not have any proposed resolutions. Committee 711 has planned a Continuing Legal Education seminar titled “Data Breach Notification: Roundtable Discussion of US, EU and APEC Approaches and Related Policy Considerations” for the ABA Section of International Law’s 2008 Fall Meeting, September 23rd – 27th, 2008 in Brussels, Belgium. In addition, Committee 711 submits the following report. This report consists of a Report of the Subcommittee on Spyware and an Update to credit security legislation enacted since last year’s report.


REPORT OF THE SUBCOMMITTEE ON SPYWARE

Renard Francois (co-chair), Mo Syed (co-chair), Elizabeth Bowles, Thomas A. Rust, David E. Blau, Christina D. Frangiosa, Steven Emmert, Behnam Dayanim

The Subcommittee on Spyware has met repeatedly to discuss Section policy concerning the issue of spyware legislation. We set out to try to arrive at a proposed committee resolution on this issue. However, on March 14, 2008, a majority of the subcommittee decided that there was not enough consensus on the issues to propose a resolution. As such, the subcommittee decided to present the Section with a report highlighting areas that need to be analyzed more fully and assessed for their impact.

Discussion.

I. DEFINITION OF SPYWARE

Critical to any legislation purporting to regulate spyware is the definition of the term itself. Obviously, anti-spyware legislation cannot regulate programs that fall outside the definition of “spyware,” nor can any program that fits within that definition be exempted from the legislation’s reach. The generally accepted popular definition of spyware is “a broad category of malicious software intended to intercept or take partial control of a computer’s operation without the user’s informed consent.” This software then resides on a user’s computer without the user’s knowledge and often collects information about the user or the computer’s use that is then sent to the software’s creator or to third parties.

State legislation usually defines “spyware” to include computer programs that are installed on the user’s computer without the user’s knowledge and/or consent and that cause certain, defined, results (i.e. changing settings, “hijacking” homepages, collecting personally identifiable information, keystroke logging, monitoring surfing habits in order to deliver advertisements, creating zombies). See Utah Code Ann. 13-39-101, et seq. and Cal. Code Ann. 32-22947 et seq. Current proposed Federal legislation takes a similar tack – requiring consent and defining spyware by the ultimate result of the software. See H.R. 4661 (the Internet Spyware (I-SPY) Act) and H.R. 2929 (the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT)).


Critics of this method of definition argue that by including specific results that the software must produce in order to be in violation of the acts, software that is yet to be invented that nonetheless would produce an undesirable result is excluded from the definition. These advocates argue that the definition of spyware should rest entirely on the quality of the consent given to installation of the program regardless of the software’s purpose. (Arguably, under this construct, a consumer could consent to have her computer turned into a zombie.)

Many marketers argue that the definition of spyware should expressly exclude certain types of programs that collect only marketing data. These marketers assert that marketing data is not personally-identifiable, is harmless to the consumer, and allows marketers to provide desired information on goods and services the consumer may want to obtain.

A third group of stakeholders in the debate, including many consumer advocacy organizations, argue that cookies, both session and tracking, should be excluded from the definition of spyware. Because tracking cookies are lines of code invisibly installed on the user’s computer without consent, are sometimes “permanent” (in that they continue to reside on the computer once the consumer has logged out of that particular session), and track users’ paths through websites, they fall within many definitions of spyware unless specifically exempted. Many privacy and consumer advocates accept the use of cookies as creating a better and more-enjoyable Internet experience (for example, Amazon.com greets visitors by name when they return to the site), and virtually all companies and marketers use them to provide much-needed data on website usage. However, many pieces of anti-spyware legislation unintentionally include tracking cookies in their definition of spyware. Such legislation would require all website owners to provide notice and obtain consent from website visitors when cookies are used.

The Anti-Spyware Coalition (“ASC”), a consortium of consumer groups, ISPs and software companies (including some adware vendors), has stated the following with respect to “spyware and other potentially unwanted technologies” –

These are technologies implemented in ways that impair users’ control over:

• Material changes that affect their user experience, privacy, or system security

• Use of their system resources, including what programs are installed on their computers

• Collection, use, and distribution of their personal or otherwise sensitive information

These are items that users will want to be informed about, and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable.

The ASC created a table of the types of potentially malicious software along with each type of software’s pros and cons. The ASC noted that “with proper notice, consent, and control some of these same technologies can provide important benefits.”

Ultimately, the definition of spyware may hinge on whether or not installation of the program occurs only following the user’s adequately informed notice and consent. Programs installed with adequate notice and informed consent, regardless of purpose, may be exempted from the definition of spyware, whereas programs installed without the user’s consent, regardless of purpose, may be included within that definition.


II. FEDERAL SPYWARE LAWS

1. The Wiretap Act

In 1968 Congress passed the Wiretap Act,1 the first of two major federal laws affecting spyware. The Wiretap Act contains two titles, each known by separate names, that cooperate to prohibit access to communications while in transit between two parties, and while in storage. Communications as defined in the Act may be wire, oral, or electronic. Wire communications include aural transfers over a wire, such as telephone conversations.2 Oral communications include those utterances that are not wire communications and for which a person has an actual and reasonable expectation of privacy.3 Electronic communications include electronic transfers of data and signals that are not wire or oral communications.4

Title I of the Wiretap Act is also known as the Electronic Communications Privacy Act (ECPA),5 and generally prohibits interception and disclosure of transient wire, oral, or electronic communications. The ECPA prohibits the use of intercepted wire or oral communications as evidence in court, but contains no such exclusionary rule for electronic communications.6 The ECPA contains exceptions allowing law enforcement officers to obtain warrants to intercept these communications, for example by tapping a wire.7 Any person whose communications were unlawfully intercepted may recover damages in a civil action.8

Title II of the Wiretap Act is the Stored Wire and Electronic Communications and Transactional Records Act (also known as the “Stored Communications Act,” or SCA),9 and generally prohibits unauthorized access to wire and electronic communications while they are in electronic storage at “a facility through which an electronic communication service is provided.”10 This phrase has been generally understood to mean an Internet Service Provider, although courts are split on whether this includes a user’s computer.11 There are exceptions to the Act’s prohibition to allow the ISP and user to obtain access to a stored communication of that user.12 There are also exceptions to allow an ISP to make mandatory disclosures pursuant to a warrant,13 and to allow the ISP to preserve backups of data pursuant to a warrant.14 The SCA allows for a private right of action.15

1 Pub. L. 90-351 (June 19, 1968).
2 See 18 U.S.C. § 2510(1). Unless otherwise noted, all citations to a section of the U.S. Code are to Title 18.
3 § 2510(2).
4 § 2510(12).
5 18 U.S.C. § 2510 et seq.
6 Id. at § 2515.
7 Id. at § 2517.
8 Id. at § 2520.
9 18 U.S.C. § 2701 et seq.
10 Id. at § 2701(a).
11 In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001) (plaintiff’s computer is a “facility” within the meaning of the SCA); In re Pharmatrak, Inc. Privacy Litigation, 220 F. Supp. 2d 4 (D. Mass. 2002) (plaintiff’s computer is not a “facility”).

2. The Computer Fraud and Abuse Act

In 1984 Congress passed the Computer Fraud and Abuse Act,16 which criminalizes a wide range of unauthorized computer-related activities. These activities include: obtaining bank or credit card records or credit reports;17 accessing a computer with intent to defraud and obtaining anything of value (other than mere use of the computer valued at less than $5,000 per year);18 intentionally or recklessly causing at least $5,000 damage to a computer within a year;19 or trafficking in passwords.20 The Act does not preempt State laws.21 The Secret Service, and in some cases the FBI, may investigate these offenses.22 Additionally, the Act provides for a private right of action; however, recovery may not include punitive damages, and includes only economic damages to a user’s computer.23

Bills in Congress

The Senate is currently considering several bills that would address the problem of spyware. These include the House’s Securely Protect Yourself Against Cyber Trespass Act (SPY Act) and the Senate’s Counter Spy Act, the Internet Spyware Prevention Act of 2007 (I-SPY Act), and the Anti-Phishing Consumer Protection Act of 2008 (APCPA). Also, the Senate is considering the Identity Theft Enforcement and Restitution Act,24 which would amend the Computer Fraud and Abuse Act to eliminate the $5,000 per year threshold for violations and add a forfeiture penalty for computer equipment used in violations.

12 18 U.S.C. at § 2701(c).
13 § 2703.
14 § 2704.
15 § 2707.
16 Pub. L. 98-473 (Oct. 12, 1984), codified at 10 U.S.C. § 1030.
17 10 U.S.C. § 1030(a)(2).
18 § 1030(a)(4).
19 § 1030(a)(5).
20 § 1030(a)(6).
21 § 1030(f).
22 § 1030(d).
23 § 1030(g).
24 S. 2168, approved by the Senate and referred to the House Subcommittee on Crime, Terrorism, and Homeland Security as of Feb. 4, 2008.


The Spy Act25 and Counter Spy Act,26 like the Computer Fraud and Abuse Act before them, attempt to address a comprehensive range of unauthorized computer-related activities. These activities include: using a computer as a spam relay (zombie) or as part of a denial of service attack (botnet); hijacking a computer’s browser or network connection to incur charges; creating browser advertising spam or uncloseable windows; altering a browser’s homepage, default connection, bookmarks, or security settings; logging keystrokes to obtain personal information; using false webpages to obtain personal information (phishing); installing software that ignores ‘do not install’ instructions or automatically re-activates or re-installs itself after being uninstalled; misrepresenting software as being required to secure a computer; misrepresenting the identity of a software provider; inducing the disclosure of personal information by fraud or without consent; disabling anti-virus or other security software; installing software for the purpose of inducing a user to do any of these things;27 collecting, without consent, personally identifying information or network usage information (with an exception for ads shown by the site doing the collecting, if the information is kept private);28 hiding installation files using misleading or random file or directory names, or installing files in a system folder to avoid detection; requiring that a particular third party website be accessed, or an access code obtained from a third party, in order to disable software;29 and installing adware that conceals its operation from a user.30 In both bills, the FTC and various other federal and state agencies may bring an action, but neither bill provides for a private right of action.31 Further, these bills would preempt State laws on these matters.32

The I-SPY Act33 would add a new section 18 U.S.C. 1030A, which defines offenses for loading a computer program onto a computer without authorization, then intentionally using that program to commit a Federal crime; and obtaining or transmitting personal information, or impairing the security of a computer, with intent to defraud, injure, or damage a user’s computer.34 This Act would also preempt State law, unlike the Computer Fraud and Abuse Act.35 However, the Act makes no changes to the existing private right of action under the existing Computer Fraud and Abuse Act.

25 H.R. 964, approved by the House and in the Senate Committee on Commerce, Science, and Transportation as of June 7, 2007.
26 S. 1625, in the Committee on Commerce, Science, and Transportation as of June 14, 2007.
27 Spy Act, § 2; Counter Spy Act, § 3.
28 Spy Act, § 3; Counter Spy Act, § 4.
29 Counter Spy Act, § 3(3).
30 Counter Spy Act, § 5.
31 Spy Act, § 4; Counter Spy Act, §§ 7(a), 8(a), 9(a).
32 Spy Act, § 6(a); Counter Spy Act, § 11(b).
33 H.R. 1525, approved by the House and in Senate Committee on the Judiciary as of May 23, 2007.
34 I-SPY Act, § 2.
35 I-SPY Act, § 2, text of new § 1030A(c).


Finally, the Congress is also considering the Anti-Phishing Consumer Protection Act.36 This Act would add offenses directed specifically to phishing, cybersquatting, and deceptive or misleading domain names.37 A state agency, attorney general, or other official may bring a civil action “as parens patriae” on behalf of its citizens, but there is no private right of action.38 The FTC, affected ISPs and trademark holders, the SEC, and certain federal reserve banks, providers of State insurance, and the Secretaries of Transportation and Agriculture could also bring suit in various situations.39 This Act would also preempt state law.40

III. SPYWARE: FEDERAL REGULATORY ACTIONS

The Federal Trade Commission and the United States Department of Justice argue that a federal anti-spyware statute is not warranted because current statutes, such as the Federal Trade Commission Act (“FTC Act”)41 and the Computer Fraud and Abuse Act of 1984,42 provide federal law enforcement with sufficient authority to sue those who create, use, or distribute spyware. Currently, certain federal statutes have been used to prosecute persons and businesses who have used spyware to defraud consumers, surreptitiously obtain information from consumers, or to impair the performance of a consumer’s computer. This section will show how the Federal Trade Commission is using its authority under the Federal Trade Commission Act to prosecute those who use spyware to deceive consumers or to engage in unfair business practices. Additionally, this section will also show how the Department of Justice is using two statutes in particular to prosecute those using spyware for illegal purposes. Both of these agencies have been extremely aggressive in recent years in investigating and litigating spyware cases.

The FTC has applied the prohibitions articulated in Section 5 of the FTC Act not only to spyware, but also to adware, malware, and other unwanted software. There is a difference between the FTC’s deception authority and its unfairness authority under the statute. The FTC has used both to combat spyware. Although the FTC has not requested additional laws to fight spyware, the FTC has recommended to Congress that it be granted civil penalty authority to fine spyware developers.

36 S. 2661, in the Committee on Commerce, Science, and Transportation as of Feb. 25, 2008.
37 APCPA, § 3.
38 APCPA, § 4(a).
39 APCPA, §§ 4, 5.
40 APCPA, § 7.
41 See 15 U.S.C. §§ 41-58. The Federal Trade Commission Act prohibits acts or practices that are unfair or deceptive. According to the FTC, an unfair act or practice is one which injures consumers, or is likely to cause an injury; the injury is not reasonably avoidable by the consumer; and the act or practice has no countervailing benefit. A deceptive practice is an act or a practice that involves a misrepresentation of a material fact.
42 18 U.S.C. § 1030.


The FTC has used this statute to sue those who have created and distributed spyware for violations of the FTC Act. FTC v. Seismic Entertainment demonstrates the first principle that the resources of a consumer’s computer are his or her own, and Internet businesses cannot use these resources without the consumer’s permission.43 The FTC alleged that Seismic Entertainment exploited known vulnerabilities in Internet Explorer to download spyware to consumers’ computers without their knowledge.44 According to the FTC, the spyware, among other things, hijacked consumers’ home pages, caused the display of an incessant stream of pop-up ads, allowed the secret installation of additional software programs, and caused computers to severely slow down or crash. Additionally, the FTC alleged that defendants used “drive-by” tactics to download spyware in violation of Section 5 of the FTC Act. The FTC obtained a $4.1 million judgment; a final order that prohibits the Defendants from downloading software in the future without consumer authorization; and a $330,000 judgment against a second group of defendants who allegedly distributed the spyware. FTC v. Seismic Entertainment, Inc., No. 04-377-JD, 2004 U.S. Dist. LEXIS 22788 (D.N.H. Oct. 21, 2004). In Seismic, the FTC sued, and obtained judgments against, not only the defendants who created the spyware but also the defendants who distributed the spyware to unwitting consumers. This highlights the breadth of the FTC Act and demonstrates how the FTC has used the FTC Act to pursue all those who have some responsibility in the creation and distribution of spyware.

The FTC has also applied the FTC Act to instances other than the allegations described in Seismic. The FTC has sued companies that hire third parties who use adware in violation of the FTC Act. In FTC v. Zango,45 the FTC alleges that Zango’s distributors – third-party affiliates who often contracted with numerous sub-affiliates – frequently offered consumers free content and software, such as screensavers, peer-to-peer file sharing software, games, and utilities, without disclosing that downloading them would result in installation of the adware.46 In other instances, Zango’s third-party distributors exploited security vulnerabilities in Web browsers to install the adware via “drive-by” downloads. As a result, millions of consumers received pop-up ads without knowing why, and had their Internet use monitored without their knowledge. The FTC charged that Zango’s failure to disclose that downloading the free content and software would result in installation of the adware was deceptive, and that its failure to provide consumers with a reasonable and effective means to identify, locate, and remove the adware from their computers was unfair, in violation of the FTC Act.

Second, the FTC has sued companies that have buried disclosures about spyware or critical information in the End User License Agreement for violating the well established requirements for clear and conspicuous disclosures. The FTC sued Odysseus Marketing and its principal for advertising software that the company claimed would allow consumers to engage in peer-to-peer file sharing anonymously.47 According to the FTC’s complaint, the website’s claims of anonymity encouraged consumers to download their free software.48 The agency charged that the claims were bogus because the software did not make file-sharing anonymous and there actually was a cost to consumers because the “free” software was bundled with spyware. According to the Complaint, the spyware secretly downloaded dozens of other software programs, diminishing consumers’ computer performance and memory, and replaced or reformatted search engine results. The FTC alleged that Odysseus Marketing hid their disclosure in the middle of a two-page end-user licensing agreement buried in the “Terms and Conditions” section of their website and deliberately made their software difficult to detect and impossible to remove using standard software utilities.

In addition to the FTC’s ability to bring Section 5 cases like Seismic, the United States Department of Justice has statutory authority to prosecute distributors of spyware in cases where consumers’ privacy or security is compromised. The Computer Fraud and Abuse Act of 1984 prohibits the unauthorized acquisition of data from a protected computer that results in damage. 18 U.S.C. § 1030(a). The DOJ has been fairly successful in using the Computer Fraud and Abuse Act to go after the distributors of spyware. In United States v. Dinh, the DOJ alleged that the defendant violated the Computer Fraud and Abuse Act in two ways. First, defendant allegedly knowingly accessed a computer of another person without authorization by installing a series of keystroke-logging programs to remotely monitor the keystrokes of the computer user and identify computer accounts and passwords. Second, defendant violated the statute by allegedly engaging in a scheme to defraud an investor and committing mail and wire fraud. The defendant was sentenced to 13 months in prison.

43 FTC v. Seismic Entertainment et al, FTC File Nos.: 042 3142; X05 0013.
44 See FTC v. Seismic Entertainment, Complaint at http://www.ftc.gov/os/caselist/0423142/041012comp0423142.pdf.
45 FTC v. Zango et al., FTC File No. 052 3130.
46 See FTC v. Zango, Complaint (filed Nov. 5, 2006) (http://www.ftc.gov/os/caselist/0523130/0523130cmp061103.pdf).
In addition to this case, other cases illustrate that the DOJ has successfully used the Computer Fraud and Abuse Act to prosecute those who use keystroke loggers without the authorization of the computer user. In United States v. Jiang, the defendant was sentenced to 27 months in prison and ordered to pay approximately $200,000 in restitution for knowingly installing keystroke logging software to surreptitiously record the keystrokes on another person’s computer. Furthermore, United States v. Owusu involved a defendant who surreptitiously installed a keystroke logger program on public computers in order to record every keystroke made on those computers. According to the Department of Justice, the defendant used the information gathered with the keystroke logger to collect data to gain unauthorized access to users’ online accounts and university management systems. The defendant was sentenced to four years in prison.

The DOJ also has authority, under a variety of statutes that regulate communications, to pursue actions against entities that acquire information fraudulently, such as through the use of a keystroke logger program. Fraud and Related Activity in Connection with Access Devices, 18 U.S.C. § 1029, Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. §§ 2510-22, and Electronic Communications Privacy Act, 18 U.S.C. §§ 2701-11. To that end, the DOJ has used 18 U.S.C. § 2512 to prosecute those who create and market spyware programs.

47 FTC v. Odysseus Marketing, FTC File Nos.: 042 3205; X050069.
48 FTC v. Odysseus Marketing, complaint (filed October 5, 2005) (http://www.ftc.gov/os/caselist/0423205/050929comp0423205.pdf).


In United States v. Perez-Melera, the federal government used § 2512 to prosecute a person who created a computer program that he could use to spy on others and monitor all activities on the computer, intercepting and collecting emails sent and received, web sites visited, and passwords entered.

In prosecuting these cases, federal law enforcement has used its resources to confront unfair and deceptive practices and illustrated that certain spyware behaviors are illegal under existing law. In particular, the FTC has established three principles to guide its spyware enforcement efforts:49

• A consumer’s computer belongs to him or her, not to the software distributor. This means that no software maker should be able to gain access to or use the resources of a consumer’s computer without the consumer’s consent.

• Buried disclosures do not work. Communicating material terms about the functioning of a software program deep within an EULA does not meet high enough standards for adequate disclosure.

• Consumers must be able to uninstall or disable software that they do not want. If a software distributor places an unwanted program on a consumer’s computer, there should be a reasonably straightforward way for that program to be removed.

Through active and aggressive enforcement, federal law enforcement has clarified some of the issues idiosyncratic to spyware. This clarification, as illustrated in the three above-referenced guidelines, has guided federal enforcement, and can possibly do the same for federal anti-spyware legislation. Although some states have anti-spyware laws, the law does not clarify the complex issues peculiar to spyware. “Some states have passed specific spyware statutes to help clarify these distinctions, but several of the states that have been most active in spyware enforcement have no such laws in place.”50

Federal officials at both the Federal Trade Commission and the Department of Justice believe that they have adequate authority under their existing criminal and civil statutes to take law enforcement action against those who disseminate spyware. Both the FTC and the DOJ have been active in their law enforcement against the creators and distributors of spyware by using the statutes that are at their disposal.

49 Remarks of Deborah Platt Majoras, Chairman, Federal Trade Commission, Anti-Spyware Coalition Public Workshop, Feb. 9, 2006, http://www.ftc.gov/speeches/majoras/060209cdtspyware.pdf.
50 Remarks of Ari Schwartz, Deputy Director of the Center for Democracy and Technology, “Consumer Protection Issues”, before The Financial Services and General Government Subcommittee of the House Committee on Appropriations, February 28, 2007, http://www.cdt.org/privacy/20070228schwartzftc.pdf.


IV. SPYWARE: EXISTING STATE STATUTES

Starting in 2004, state legislatures began passing a variety of different kinds of anti-spyware legislation. Depending on how broadly “spyware” is defined, as many as 16 states now have laws that in some way address the problem.51 For the most part, these statutes approach the definition of “spyware” similarly. Rather than define spyware by what it is – i.e., a program placed on a protected computer without the computer owner’s knowledge – the statutes define spyware by what it does – i.e., a program that initiates any of a specific set of prohibited activities.52 This section provides an overview of those state laws and some of their significant features.

In 2004, California became one of the first states to pass a law specifically related to spyware.53 Since that time a number of states have passed laws that, with only minor variations, resemble California’s prohibition. Those states include Arizona, Arkansas, Georgia, Indiana, Iowa, Louisiana, New Hampshire, Rhode Island, Texas and Washington. In addition, a number of other states are currently considering bills that are modeled after the California spyware statute.

The California law and the many laws that have followed the California model focus on protecting consumers from spyware. They generally prohibit a person from causing computer software to be copied on to a computer without permission from or knowledge by an authorized user, if that software performs certain functions, including: (1) modifying certain settings, such as the browser’s home page, default search provider or bookmarks; (2) collecting personally identifying information, including information about websites the computer user visits, the user’s financial account numbers, passwords and the like; (3) preventing reasonable efforts to block the installations of software; (4) misrepresenting that software will be uninstalled or disabled by the computer user’s actions; (5) removing or disabling security, antispyware or antivirus software; or (6) taking control of a consumer’s computer by modifying security settings or causing damage to a computer.54 In addition to these prohibitions found in most of the state anti-spyware laws, some states have specifically outlawed other actions, such as denial of service attacks.55

Because of the way these laws define the prohibited conduct, the state legislatures following the California model have been forced to grapple with the fact that, read broadly, the prohibited conduct could restrict legitimate actions by Internet Service Providers (“ISPs”). Thus, the statutes expressly exclude from their purview certain activities such as interactions with a subscriber’s ISP for network or security purposes, diagnostic, technical support, repair updates and other, similar services.56

51 These include Alaska, Arizona, Arkansas, California, Georgia, Indiana, Iowa, Louisiana, Nevada, New Hampshire, Rhode Island, Tennessee, Texas, Utah, Virginia and Washington.
52 See L. Elizabeth Bowles, “Survey of State Anti-Spyware Legislation,” The Business Lawyer, Vol. 63, November 2007.
53 Consumer Protection Against Computer Spyware Act, Cal. Bus. & Prof. Code § 22947.
54 Cal Bus & Prof Code § 22947.2 through 22947.4 (2007).
55 See e.g., Arkansas Consumer Protection Against Computer Spyware Act, A.C.A. § 4-111-103(b)(1)(C) (2007).

One of the other issues facing state legislatures is how these laws should be enforced. The California statute is silent as to whether it creates a private right of action. Some states expressly provide for a private right of action.57 Others only allow for prosecution by state prosecutors or state attorneys general.58 These prosecutions can be either for civil penalties59 or criminal.60 Some state legislatures also are grappling with the issue of how to measure damages in these cases – in some instances, allowing for treble damages or attorneys’ fees.61

Not all states with anti-spyware legislation have followed the California model. For example, Utah, which passed its law in 2004 – the same year as California – adopted a somewhat different approach.62 The Utah statute, along with a similar Alaska statute, not only protects consumers from spyware, but also expressly protects trademark holders by prohibiting software that makes certain types of unauthorized uses of another’s mark. Unlike the California statute, the Utah law defines spyware to include “software on the computer of a user who resides in the state that collects information about an Internet website at the time the Internet website is being viewed in the state, unless the Internet website is the Internet website of the person who provides the software; and uses the information collected contemporaneously to display a pop-up advertisement on the computer[.]”63 The Utah law prohibits causing pop-up advertisements to be shown on the computer screen by means of spyware, if the pop-up is displayed in response to a user accessing a specific mark or Internet address that is purchased or acquired by a person other than the mark owner or an authorized user of the mark. The statute also prohibits purchasing advertising that makes use of spyware, if the advertiser receives notice of the violation by the mark owner and fails to end its involvement.64

The Utah law has been the subject of interesting litigation. In 2004, an adware vendor sought a temporary restraining order and a preliminary injunction in Utah state court against the Utah law as unconstitutional under a principle of Constitutional law known as the “Dormant Commerce Clause.”65 The U.S. Constitution reserves to Congress the authority to “regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes.”66 That provision has been construed by courts to include “a further, negative command, known as the dormant commerce clause,”67 in areas where Congress has not affirmatively regulated, in order to “create an area of trade free from interference by the States.”68

56 See e.g., Cal. Bus. & Prof. Code § 22947.4(b) (2007).
57 See e.g., Arizona Computer Spyware Act, A.R.S. § 44-7304 (2007).
58 See e.g., A.C.A. § 4-111-104 (2007).
59 See e.g., Georgia Computer Security Act, O.C.G.A. § 16-9-155(b)(1) (2007).
60 See e.g., Computer Crimes Act, Va. Code Ann. § 18.2-152.3 (2008).
61 See e.g., Louisiana Computer Spyware Act, La. R.S. 51:2014(C) and (D) (2007).
62 Spyware Control Act, Utah Code Ann. § 13-40-101, et seq. (2007).
63 Id. at § 13-40-102(8)(a) (2007).
64 Id. at § 13-40-201 (2007).
65 WhenU.com Inc. v. Utah, Case No. 040907578 (Utah Dist. Ct. June 22, 2004).

State laws are subject to two levels of scrutiny under this doctrine. Strict scrutiny is triggered if the state law discriminates, on its face or in its effect, directly in favor of in-state commerce to the detriment of out-of-state commerce; such a law is generally struck down unless the state demonstrates a legitimate local purpose and an absence of nondiscriminatory alternatives.69 Conversely, “[w]here the statute regulates even-handedly to effectuate a legitimate local public interest, and its effects on interstate commerce are only incidental, it will be upheld unless the burden imposed on such commerce is clearly excessive in relation to the putative local benefits.”70

In the spyware challenge, the court granted a preliminary injunction, holding that the statute was likely unconstitutional. In response to that preliminary decision, the Utah legislature drafted amendments to the law in an effort to resolve the constitutional issue. To that end, the Utah and Alaska statutes expressly exclude pop-up advertisements if the software requests information about the user’s state of residence before displaying the pop-up, implements a reasonably reliable automated system to determine the geographic location of the user, does not encourage the user to indicate a residence outside of their states and does not display the pop-up to users in their respective states. The authors are unaware of any pop-up adware that would satisfy these statutory prescriptions, and the ability of these amendments to withstand similar Constitutional scrutiny remains untested.

Finally, other states have sought to address spyware not in a stand-alone spyware-specific statute, but within the context of larger computer crime laws. For example, Nevada’s computer crime statute now defines spyware as an unlawful “computer contaminant” which cannot be introduced into a computer, system or network.71 Virginia also expanded the definitions in its existing computer crimes statutes to include activity that could encompass the use of spyware.72

66 U.S. CONST. art. I, § 8, cl. 3.
67 Oklahoma Tax Comm’n v. Jefferson Lines, 514 U.S. 175, 179 (1995).
68 Boston Stock Exchange v. State Tax Comm’n, 429 U.S. 318, 328 (1977).
69 Brown-Forman Distillers Corp. v. New York State Liquor Authority, 476 U.S. 573, 578 (1986); Granholm v. Heald, 544 U.S. 460, 479 (2005).
70 Pike v. Bruce Church, Inc., 397 U.S. 137, 142 (1970).
71 Unlawful Acts Regarding Computers and Information Services, Nev. Rev. Stat. Ann. § 205.473(2)(b) (2007).
72 See, e.g., Computer Crimes Act, Va. Code Ann. § 18.2-152.4 (2008).


V. CONCLUSION

In conclusion, the Subcommittee agrees that the following areas need to be brought to the attention of the Section for further discussion and analysis:

- Comparison of need and efficacy of statutory prohibitions versus regulation.
- Enforcement vs. private right of action: analysis of the motivations and effectiveness of enforcement by regulatory bodies versus private actions by affected citizens against offenders.
- Analysis of varying remedies available and their effectiveness (injunction, civil damages, criminal penalties, etc.).
- State law issues:
  o perceived need for uniformity through preemptive federal law versus desire to allow states to fashion their own different and more restrictive standards.
- Definition of spyware:
  o is the key element consent?
  o does “spyware” actually have to “spy” (e.g., monitor or report on user activity), or does it include malware, fraudware, browser hijacks and the like?


UPDATE ON CREDIT SECURITY LEGISLATION SINCE 2007 REPORT

Updated by Rebecca Piper

Since last year’s Report, 15 additional states and the District of Columbia enacted some type of legislation related to credit freezes or other form of credit security. Currently, the District of Columbia and thirty-nine states have credit freeze laws in place, including Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Illinois, Indiana, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, West Virginia, Wisconsin and Wyoming. In addition, since November 1, 2007, the security freeze is offered voluntarily by Equifax, Experian, and TransUnion to consumers living in the eleven states that do not have a security freeze law and to consumers in the four states whose laws limit the security freeze protection to identity theft victims only.73

Several highlights of the new state and District of Columbia credit security laws are detailed below. In addition to these highlights on the process and cost of placing a security freeze, most of the state credit freeze laws outline the situations and agencies to which the credit security freeze law does not apply as well as provide penalties and private rights of action for violations of the security freeze law.

Arkansas

H.B. 2215 became effective on January 1, 2008 and is titled “Arkansas Consumer Report Security Freeze Act.” Under this Act, a resident of the state that has been the victim of identity theft and who has submitted a copy of a valid investigative report, an incident report, or a complaint with a law enforcement agency about the unlawful use of the victim’s identifying information by another person may request a security freeze. The consumer may request the security freeze by sending the written request by certified mail with proper identification and any applicable fee. Fees for each security freeze, removal of a security freeze, or temporary lifting of a security freeze may not exceed $10. Consumer reporting agencies may advise a third party that a security freeze is in effect with respect to a consumer report. A third party may treat an application for credit or any other use as incomplete if a security freeze is in place and access to a consumer report is not allowed. The security freeze will remain in place until removal by the consumer or discovery that the consumer report was frozen due to a material misrepresentation of the consumer.

District of Columbia

Title 28 of the District of Columbia Official Code was amended by adding the “Consumer Security Freeze Act of 2006.” The Act became effective July 1, 2007. Under the Act, a credit reporting agency will put a freeze on a consumer’s credit report no later than three days after receiving a request by certified mail. In addition, by January 1, 2009, the credit reporting agency will make available the ability to request a security freeze over the Internet and will accept requests received by either telephone or regular mail. On or before September 1, 2008, the credit reporting agency must be able to allow access to the consumer’s credit report by a specific party or for a specific period of time within 15 minutes of receiving such request unless the consumer fails to provide the proper identity, password and identity of the designated third party, or the consumer reporting agency is unable to lift the security freeze because of an Act of God, unauthorized acts by a third party, operational interruption, governmental action, regulatory scheduled maintenance, or commercially reasonable maintenance. The Act allows a credit reporting agency to inform a third party that a security freeze is in place on a consumer’s credit report, and the third party may treat an application as incomplete if the consumer does not allow access to their credit report. A security freeze is in place until a consumer asks for its permanent removal in writing. The removal shall occur within 3 days of the credit reporting agency receiving such removal request. The Act permits the credit reporting agency to charge a fee of $10 for the initial application and first personal identification number or password unless the consumer is a victim of identity theft, in which case the agency may only charge for subsequent instances of loss and reissuance of new identification numbers. After a one-time reissue of the password, the agency may charge $10 for subsequent instances of loss and reissuance of the identification number or password.

73 http://www.consumersunion.org/campaigns/learn_more/003484indiv.html

Indiana

Indiana’s SB 403 is titled “Security Freeze for Consumer Reports” and became effective on September 1, 2007. Under the Act, by January 1, 2009 consumer reporting agencies must develop a secure electronic mail connection by which consumers can request a security freeze, a new personal identification number or password, or a temporary lift of a security freeze. Also by January 1, 2009, consumer reporting agencies must have a secure process by which the agency will release a consumer report subject to a security freeze, temporarily lift a security freeze, or remove a security freeze within 15 minutes of receiving such a request. The Act provides a list of people, including law enforcement agencies and licensed insurers, to which a consumer report under a security freeze can be released. Consumer reporting agencies are prohibited from charging a fee for requests to place a security freeze, release a consumer report to a specified person, temporarily lift a security freeze, remove a security freeze, or issue a personal identification number or password associated with the preceding requests.

Maryland

Maryland’s S.B. 52 was approved by the governor on May 8, 2007 and is effective January 1, 2008. Under the Act, consumers must be able to make a request for a security freeze by certified mail, by telephone after January 1, 2010, and by secure internet connection, should the consumer reporting agency choose to make it available. The Act clarifies that it does not apply to consumer reporting agencies that act only as a reseller of credit information and do not maintain permanent databases of credit information from which new consumer reports are produced. After January 1, 2009, requests to temporarily lift a security freeze must occur within 15 minutes if received by telephone, electronic mail, or secure website connection. The Act acknowledges that third parties may treat an application as incomplete if a party requests access to a consumer’s consumer report and a freeze is in place. Fees of up to $5 may only be charged for each placement, temporary lift, or removal of a security freeze, and fees may not be applied to those consumers that have obtained a report of alleged identity fraud.

Massachusetts

H.B. 4144, H.B. 4018, and S.B. 2236 were consolidated to create an Act relative to security freezes and notification of data breaches. The Act became effective on February 3, 2008. Under the Act a consumer may request a security freeze by regular, overnight, or certified mail. Consumer reporting agencies must comply with a request to lift a freeze for a particular party or for a certain period of time within three days of receiving the request. The Act allows a consumer reporting agency to charge a reasonable fee, not to exceed $5, to a consumer that elects to freeze, lift, or remove a freeze to their consumer report. This fee may not be charged to victims of identity theft or their spouses provided the victim has submitted a valid police report related to the identity theft.

Minnesota

In May 2007, Minnesota was the first state to enact legislation that codified certain requirements from the Payment Card Industry Data Security Standards.74 The statute prohibits merchants from retaining “the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.”75 This limitation on storage of data captured as part of a credit card transaction adds another tool for consumers in the quest to alleviate the risk of identity theft. Several other states have introduced similar legislation.76

Mississippi

S.B. 3034 was signed into law and became effective on July 1, 2007. The security freeze is available to consumers with a valid copy of a police report that the consumer filed regarding the unlawful use of their personal information. The request must be by certified mail and must include proper identification. A consumer reporting agency may charge a reasonable fee, not to exceed $10, to place a security freeze on a file. A consumer may request by telephone or mail to have a security freeze removed or temporarily lifted for a properly designated period or a properly identified requester, which will occur within three business days after the request. Fees may not be charged for the removal or temporary lift of a security freeze. A consumer reporting agency shall honor a security freeze placed by another consumer reporting agency.

74 “Minnesota Gives PCI Rules a Legal Standard” (May 28, 2007), http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=standards_and_legal_issues&articleId=293804&taxonomyId=146
75 Minn. Stat. § 325E.64 (2007).
76 Thomas J. Smedinghoff, It’s All About Trust: The Expanding Scope of Security Obligations in Global Privacy and E-Transactions Law, 16 Mich. St. J. Int’l L. 1 (2007).


Montana

S.B. 116 became effective law in Montana on July 1, 2007. A consumer may place a security freeze on their consumer report by requesting such a freeze in writing by regular or certified mail. A consumer reporting agency will place the freeze within 5 business days of receiving such request unless the consumer making the request is a victim of identity theft, in which case the freeze will be placed within 24 hours of receiving the request. A consumer reporting agency may not imply to a third party that the placing of a freeze reflects negatively on a consumer’s credit score or history. A consumer may request a temporary lift of a security freeze by regular or certified mail, telephone, or secure electronic connection. By January 1, 2009, the consumer reporting agency must honor a request for a temporary lift of a security freeze within 15 minutes of receiving such request. A reasonable fee, not to exceed $3, may be charged to a consumer that is not the victim of identity theft for the placing or temporary lifting of a security freeze. A reasonable fee of up to $5 may be charged for the reissue of a consumer identification number or password.

Nebraska

L.B. 674 was approved by the Governor on May 24, 2007 and the Credit Report Protection Act became effective law on September 1, 2007. Under the Act a consumer may request a security freeze by certified mail. A consumer reporting agency must develop procedures involving the telephone, the Internet, or other electronic media to receive and process a request for a temporary lift of a security freeze in an expedited manner. By January 1, 2009, the temporary lift must occur within 15 minutes of receiving the request. The consumer reporting agency may charge a fee of $15 for placing a security freeze unless the consumer requesting the freeze is a minor or a victim of identity theft and provides a copy of an official police report documenting the theft.

New Mexico

The Credit Report Security Act became effective law on July 1, 2007. A consumer may make a request for a security freeze by certified or regular mail, or by telephone or secure electronic means, if such methods are made available by the consumer reporting agency. By September 1, 2008, a consumer will be able to request a temporary lift to a security freeze by telephone or secure electronic method in addition to certified or regular mail. Also by September 1, 2008, the temporary lift in the security freeze must occur within 15 minutes of the request rather than the current three business days. The consumer reporting agency may charge a fee of no more than $10 for the placement of a security freeze, and no more than $5 for the release of a credit report or the removal of a security freeze. Fees shall not be charged to victims of identity theft or consumers sixty-five years of age or older.

North Dakota

H.B. 1417 became effective law in North Dakota on July 1, 2007. Under the Act, a consumer may request a security freeze by mail, telephone, or secure electronic mail connection, if the consumer reporting agency has made such electronic method available. As of August 1, 2009, the consumer reporting agency must place the security freeze within 24 hours, rather than the standard three days, from receiving the request of a victim of identity theft. The consumer reporting agency will temporarily lift a security freeze within three business days of receiving the request. The Act outlined a goal of processing a request for a temporary lift within 15 minutes of receiving such request. The consumer reporting agency may work to meet this goal by developing procedures to receive requests by telephone, fax, internet, or other electronic media. The consumer reporting agency may charge a fee of up to $5 for placing or temporarily lifting a security freeze unless the consumer is a victim of identity theft and provides a valid copy of a police report. Other than for the first reissue of a consumer password or identification number, a consumer may also be charged a $5 fee for subsequent reissues of such password or identification number.

Oregon

S.B. 583, known as the Oregon Consumer Identity Theft Protection Act, became effective law in Oregon on October 1, 2007. Under the Act, a consumer may request a freeze by mail or by secure electronic request at a website, should the consumer reporting agency make such a method available. A consumer reporting agency shall temporarily lift a security freeze within three business days of receiving such a request from a consumer. A permanent removal of a security freeze shall also occur within three days of receiving such a request. The Act requires a report provided by the Director of the Department of Consumer and Business Services by December 31, 2008 on the minimum amount of time necessary, given current technology, to place, temporarily lift, or remove a security freeze. Other than to victims of identity theft, a fee of up to $10 may be charged to consumers for each freeze, temporary lift of a freeze, removal of a freeze, or replacing of lost personal identification number or password.

Tennessee

P.L. 1700, known as The Credit Security Act of 2007, became effective on January 1, 2008. A consumer may make a request for a security freeze by certified mail and after January 31, 2009, that request may also be made by an electronic method. Consumers may request a temporary lift of a security freeze, and consumer reporting agencies must develop procedures to allow this request by telephone, the Internet, or other electronic method. The temporary lift must occur within 15 minutes of the request. Consumer reporting agencies may charge $7.50 for the placement of a security freeze and $5 for the removal of a security freeze or the replacement of a personal identification number or password but may not charge for the temporary lifting of a security freeze. Victims of identity theft with a police report or other document detailing the theft may not be charged a fee.

West Virginia

S.B. 428 was passed on March 10, 2007 and became effective on July 2, 2007. Under the Act, a consumer may request a security freeze by certified or overnight mail. By January 31, 2009, consumer reporting agencies must allow requests by a secure electronic method. If a consumer requests a temporary lift to the security freeze, the consumer reporting agency must lift the freeze within three days of receiving that request. By September 1, 2008, that temporary lift shall occur within 15 minutes of receiving such request. The consumer may be charged a fee of up to $5 for the placement, removal, or temporary removal of a security freeze unless the consumer is a victim of identity theft and has a copy of a valid police report. A $5 fee may also be charged for reissue of a personal identification number or password.

Wyoming

Wyoming’s security freeze law became effective on July 1, 2007. Under the Act, a consumer may request a security freeze on his consumer report by certified mail. A consumer may request a temporary lift in a security freeze by either mail, an electronic method chosen by the agency, or telephone. After September 1, 2008, the consumer reporting agency will temporarily lift a security freeze within 15 minutes of receiving such request by electronic method or telephone, otherwise they will temporarily lift the security freeze within three business days of receiving such request. Except for victims of identity theft that have a valid copy of a police report, the consumer reporting agency may charge a fee of up to $10 for each placement, temporary lift, or removal of a security freeze.


Committee members approving report (31): Mary Ann C. Ball, David Alan Bateman, Lee Berger, Yar R. Chaikovsky, Stephen Chow, Vincent Cogan, Jeffrey T. Cox, Jeff C. Dodd, Kenneth Kyle Dort, Steven Michael Emmert, Eric Neil Everett, R. Mark Field, Jennifer Fisher, Renard C. Francois, Christina Frangiosa, Terrance Joseph Frolich, Jason E. Goldberg, David A. Johnson, Melissa L. Klipp, Kenneth Albert Kopf, Louis J. Levy, Randy Lowell, Elizabeth Stacy McClure, Vicki Menard, Jennifer Miller, Michael A. Parks, Woodrow Pollack, J. Mark Smith, Michael T. Stewart, Mohammad A. Syed, Peter S. Trotter

Committee members disapproving report: None

Committee members not responding (16): Patrick Alberts, Mark E. Ashton, Guillermo Aviles-Mendoza, Richard Anthony Brunner, Don Lloyd Cook II, Ronald S. Courtney, Behnam Dayanim, Robert Emond, Jonathan I. Ezor, Dorothy L. Foley, Michael Hagemann, Steven Mancinelli, Joanne Nelson, Robert H. Newman, Seth M. Reiss, Alan N. Walter

Law Student Members: Kristen Aiken, Matthew Asbell, David E. Blau, Kiva Bostwick, Michael Buhrley, Aubin Chang, Yi-Hung Chung, Douglas Clough, Wendy Happ, Elizabeth Jean-Pierre, Michael Landres, Jason Luros, Brian Perrault, Amy Petri, Brian Pyne, Craig Sorensen, Kurth Stecher, Dondi West, Pamela Young