SB-0151, As Passed Senate, March 9, 2005
SUBSTITUTE FOR
SENATE BILL NO. 151
A bill to prohibit certain conduct relating to computer
software, including spyware, and the unauthorized collection and
use of information from computers; to prescribe the powers and
duties of certain state agencies and officers; and to provide
remedies.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 1. This act shall be known and may be cited as the
"spyware control act".
Sec. 2. As used in this act:
(a) "Advertisement" means a communication, the primary purpose
of which is the commercial promotion of a commercial product or
service, including content on an internet website operated for a
commercial purpose.
(b) "Authorized user" means the owner of the computer or a
person who is authorized by the owner or lessee of the computer to
use the computer.
(c) "Computer" means that term as defined in section 2 of 1979
PA 53, MCL 752.792.
(d) "Computer software" means a sequence of instructions
written in any programming language that is executed on a computer.
Computer software does not include a cookie.
(e) "Computer virus" means a computer program or other set of
instructions that is designed to damage, degrade the performance
of, or disable a computer, computer data, or a computer network and
to replicate itself on other computers or computer networks without
the authorization of the owners of those computers or computer
networks.
(f) "Cookie" means a nonexecutable text or data file that is
used by, or placed on, a computer, computer program, computer
system, or computer network, by an internet service provider,
interactive computer service, or internet website to return
information to that provider, service, or website, or to any device
such as a web beacon to facilitate the use of the computer,
computer program, computer system, or computer network by an
authorized user.
(g) "Damage" means any significant impairment to the integrity
or availability of data, software, a system, or information.
(h) "Deceptively" means by means of 1 or more of the
following:
(i) An intentionally and materially false or fraudulent
pretense or statement.
(ii) A statement or description that omits or misrepresents
material information in order to deceive an authorized user.
(iii) A material failure to provide any notice to an authorized
user regarding the download or installation of software in order to
deceive an authorized user.
(i) "Execute" means to perform the functions of or to carry
out the instructions of computer software.
(j) "Internet" means that term as defined in 47 USC 230.
(k) "Person" means an individual, partnership, corporation,
limited liability company, or other legal entity, or any
combination of persons.
(l) "Personal identifying information" means that term as
defined in section 3 of the identity theft protection act, 2004 PA
452, MCL 445.63, or a name, number, or other information used as a
password or access code.
Sec. 3. A person that is not an authorized user shall not,
with actual knowledge, with conscious avoidance of actual
knowledge, or willfully, cause computer software to be copied onto
a computer in this state and use the computer software to do 1 or
more of the following:
(a) Deceptively modify 1 or more of the following settings
related to the computer's access to, or use of, the internet:
(i) The page that appears when an authorized user launches an
internet browser or similar software program used to access and
navigate the internet.
(ii) The default provider or web proxy an authorized user uses
to access or search the internet.
(iii) An authorized user's list of bookmarks used to access web
pages.
(b) Deceptively collect personal identifying information that
meets 1 or more of the following criteria:
(i) The information is collected through the use of a
keystroke-logging function that records keystrokes made by an
authorized user to transfer that information from the computer to
another person.
(ii) If the computer software was installed in a manner
designed to conceal the installation from authorized users of the
computer, the information includes websites visited by an
authorized user, other than websites of the provider of the
software.
(iii) The information is extracted from the computer's hard
drive for a purpose unrelated to any of the purposes of the
computer software or service described to an authorized user.
(c) Deceptively prevent, without the authorization of an
authorized user, an authorized user's reasonable efforts to disable
or to block the reinstallation of software by causing software that
the authorized user has properly removed or disabled to
automatically reinstall or reactivate on the computer without the
authorization of an authorized user.
(d) Misrepresent that software will be uninstalled or disabled
by an authorized user's action, with knowledge that the software
will not be uninstalled or disabled by the action.
(e) Deceptively remove, disable, or render inoperative
security, antispyware, or antivirus computer software installed on
the computer.
Sec. 4. (1) A person that is not an authorized user shall not,
with actual knowledge, with conscious avoidance of actual
knowledge, or willfully, cause computer software to be copied onto
a computer in this state and use the software to do 1 or more of
the following:
(a) Take control of the computer by doing 1 or more of the
following:
(i) Transmitting or relaying commercial electronic mail or a
computer virus from the computer, if the transmission or relaying
is initiated by a person other than an authorized user and without
the authorization of an authorized user.
(ii) Accessing or using the modem or internet service of an
authorized user for the purpose of causing damage to the computer
or of causing an authorized user to incur financial charges for a
service that is not authorized by an authorized user.
(iii) Using the computer as part of an activity performed by a
group of computers for the purpose of causing damage to another
computer, including, but not limited to, launching a denial of
service attack.
(iv) Opening multiple, sequential, stand-alone advertisements
in the authorized user's internet browser without the authorization
of an authorized user and with knowledge that a reasonable computer
user cannot close the advertisements without turning off the
computer or closing the internet browser.
(b) Modify 1 or more of the following settings related to the
computer's access to, or use of, the internet:
(i) An authorized user's security or other settings that
protect information about the authorized user, for the purpose of
stealing personal identifying information of an authorized user.
(ii) The security settings of the computer, for the purpose of
causing damage to 1 or more computers.
(c) Prevent, without the authorization of an authorized user,
an authorized user's reasonable efforts to block the installation
of, or to disable, software, by doing 1 or more of the following:
(i) Presenting the authorized user with an option to decline
installation of software with knowledge that if the option is
selected by the authorized user the installation nevertheless
proceeds.
(ii) Falsely representing that software has been disabled.
(2) This section does not apply to monitoring of or
interaction with an authorized user's internet or other network
connection or service, or a computer by a telecommunications
carrier, cable operator, computer hardware or software provider, or
provider of information service or interactive computer service if
the monitoring or interaction is for purposes of network or
computer security, diagnostics, technical support, repair,
authorized updates of software or system firmware, network
management or maintenance, authorized remote system management, or
detection or prevention of the unauthorized use of or fraudulent or
other illegal activities in connection with a network, service, or
computer software, including scanning for and removing software
proscribed under this act.
Sec. 5. (1) A person who is not an authorized user shall not
do 1 or more of the following to a computer in this state:
(a) Induce an authorized user to install a software component
onto the computer by misrepresenting that installing software is
necessary for security or privacy reasons or in order to open,
view, or play a particular type of content.
(b) Deceptively causing the copying and execution on the
computer of a computer software component that causes the computer
to use the component in a way that violates this section.
(2) This section does not apply to monitoring of or
interaction with an authorized user's internet or other network
connection or service or a computer by a telecommunications
carrier, cable operator, computer hardware or software provider, or
provider of information service or interactive computer service if
the monitoring or interaction is for the purposes of network or
computer security, diagnostics, technical support, repair,
authorized updates of software or system firmware, network
management or maintenance, authorized remote system management, or
detection or prevention of the unauthorized use of or fraudulent or
other illegal activities in connection with a network, service, or
computer software, including scanning for and removing software
proscribed under this act.
Sec. 6. (1) An action against a person for a violation of this
act may be brought by the attorney general or by any of the
following who is adversely affected by the violation:
(a) An authorized user.
(b) An internet website owner or registrant.
(c) A trademark or copyright owner.
(d) An authorized advertiser on an internet website.
(2) In an action under subsection (1), the person bringing the
action may obtain 1 or both of the following:
(a) An injunction to prohibit further violations of this act.
(b) The greater of the following:
(i) Actual damages sustained by the person or, if the action is
brought by the attorney general, by each person adversely affected
by a violation that is a basis for the action.
(ii) Ten thousand dollars for each separate violation of this
act.
(iii) If the defendant has engaged in a pattern and practice of
violating this act, in the discretion of the court, up to 3 times
whichever amount described in subparagraph (i) or (ii) is larger.
(3) In an action under subsection (1), a prevailing party is
entitled to recover the actual costs of the action and reasonable
attorney fees incurred.
(4) A single action or conduct that violates more than 1
subdivision of sections 3 to 5 constitutes multiple violations of
this act.
(5) The remedies provided by this section are in addition to
any other remedies provided by law.
(6) A person shall not file a class action under this act.