Yar Chaikovsky ABA Section of Intellectual Property Law Division VII — Information Technology Final Report
2008 final report ABA Section of Intellectual Property Law
ABA Section of Intellectual Property Law
Division VII — Information Technology
Final Report
May 1, 2008
Marc K. Temin, Division Chair
COMMITTEE NO. 711 — ONLINE SECURITY & E-PRIVACY
Robert Mark Field and Michael A. Parks, Co-Chairs

Scope of committee: All aspects of online security and e-privacy but excluding issues within the scope of Committee 710.

In its second year, Committee 711 does not have any proposed resolutions. Committee 711 has planned a Continuing Legal Education seminar titled “Data Breach Notification: Roundtable Discussion of US, EU and APEC Approaches and Related Policy Considerations” for the ABA Section of International Law’s 2008 Fall Meeting, September 23rd – 27th, 2008 in Brussels, Belgium. In addition, Committee 711 submits the following report. This report consists of a Report of the Subcommittee on Spyware and an Update to credit security legislation enacted since last year’s report.
REPORT OF THE SUBCOMMITTEE ON SPYWARE
Renard Francois (co-chair)
Mo Syed (co-chair)
Elizabeth Bowles
Thomas A. Rust
David E. Blau
Christina D. Frangiosa
Steven Emmert
Behnam Dayanim

The Subcommittee on Spyware has met repeatedly to discuss Section policy concerning the issue of spyware legislation. We set out to try to arrive at a proposed committee resolution on this issue. However, on March 14, 2008, a majority of the subcommittee decided that there was not enough consensus on the issues to propose a resolution. As such the subcommittee decided to present the Section with a report highlighting areas that need to be analyzed more fully and assessed for their impact.

Discussion.

I. DEFINITION OF SPYWARE

Critical to any legislation purporting to regulate spyware is the definition of the term itself. Obviously, anti-spyware legislation cannot regulate programs that fall without the definition of “spyware,” nor can any program that fits within that definition be exempted from the legislation’s reach. The generally accepted popular definition of spyware is “a broad category of malicious software intended to intercept or take partial control of a computer’s operation without the user’s informed consent.” This software then resides on a user’s computer without the user’s knowledge and often collects information about the user or the computer’s use that is then sent to the software’s creator or to third parties.

State legislation usually defines “spyware” to include computer programs that are installed on the user’s computer without the user’s knowledge and/or consent and that cause certain, defined, results (i.e. changing settings, “hijacking” homepages, collecting personally identifiable information, keystroke logging, monitoring surfing habits in order to deliver advertisements, creating zombies). See Utah Code Ann. 13-39-101, et seq. and Cal. Code Ann. 32-22947 et seq.

Current proposed Federal legislation takes a similar tack – requiring consent and defining spyware by the ultimate result of the software. See H.R. 4661 (the Internet Spyware (I-SPY) Act) and H.R. 2929 (the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT)).
Critics of this method of definition argue that by including specific results that the software must produce in order to be in violation of the acts, software that is yet to be invented that nonetheless would produce an undesirable result is excluded from the definition. These advocates argue that the definition of spyware should rest entirely on the quality of the consent given to installation of the program regardless of the software’s purpose. (Arguably, under this construct, a consumer could consent to have her computer turned into a zombie.)

Many marketers argue that the definition of spyware should expressly exclude certain types of programs that collect only marketing data. These marketers assert that marketing data is not personally-identifiable, is harmless to the consumer, and allows marketers to provide desired information on goods and services the consumer may want to obtain.

A third group of stakeholders in the debate, including many consumer advocacy organizations, argue that cookies, both session and tracking, should be excluded from the definition of spyware. Because tracking cookies are lines of code invisibly installed on the user’s computer without consent, are sometimes “permanent” (in that they continue to reside on the computer once the consumer has logged out of that particular session), and track users’ paths through websites, they fall within many definitions of spyware unless specifically exempted. Many privacy and consumer advocates accept the use of cookies as creating a better and more enjoyable Internet experience (for example, Amazon.com greets visitors by name when they return to the site), and virtually all companies and marketers use them to provide much-needed data on website usage. However, many pieces of anti-spyware legislation unintentionally include tracking cookies in their definition of spyware. Such legislation would require all website owners to provide notice and obtain consent from website visitors when cookies are used.

The Anti-Spyware Coalition (“ASC”), a consortium of consumer groups, ISPs and software companies (including some adware vendors), has stated the following with respect to “spyware and other potentially unwanted technologies”:

These are technologies implemented in ways that impair users’ control over:
• Material changes that affect their user experience, privacy, or system security
• Use of their system resources, including what programs are installed on their computers
• Collection, use, and distribution of their personal or otherwise sensitive information

These are items that users will want to be informed about, and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable.

The ASC created a table of the types of potentially malicious software along with each type of software’s pros and cons. The ASC noted that “with proper notice, consent, and control some of these same technologies can provide important benefits.”

Ultimately, the definition of spyware may hinge on whether or not installation of the program occurs only following the user’s adequately informed notice and consent. Programs installed with adequate notice and informed consent, regardless of purpose, may be exempted from the definition of spyware, whereas programs installed without the user’s consent, regardless of purpose, may be included within that definition.
II. FEDERAL SPYWARE LAWS

1. The Wiretap Act

In 1968 Congress passed the Wiretap Act,[1] the first of two major federal laws affecting spyware. The Wiretap Act contains two titles, each known by separate names, that cooperate to prohibit access to communications while in transit between two parties, and while in storage. Communications as defined in the Act may be wire, oral, or electronic. Wire communications include aural transfers over a wire, such as telephone conversations.[2] Oral communications include those utterances that are not wire communications and for which a person has an actual and reasonable expectation of privacy.[3] Electronic communications include electronic transfers of data and signals that are not wire or oral communications.[4]

Title I of the Wiretap Act is also known as the Electronic Communications Privacy Act (ECPA),[5] and generally prohibits interception and disclosure of transient wire, oral, or electronic communications. The ECPA prohibits the use of intercepted wire or oral communications as evidence in court, but contains no such exclusionary rule for electronic communications.[6] The ECPA contains exceptions allowing law enforcement officers to obtain warrants to intercept these communications, for example by tapping a wire.[7] Any person whose communications were unlawfully intercepted may recover damages in a civil action.[8]

Title II of the Wiretap Act is the Stored Wire and Electronic Communications and Transactional Records Act (also known as the “Stored Communications Act,” or SCA),[9] and generally prohibits unauthorized access to wire and electronic communications while they are in electronic storage at “a facility through which an electronic communication service is provided.”[10] This phrase has been generally understood to mean an Internet Service Provider, although courts are split on whether this includes a user’s computer.[11] There are exceptions to the Act’s prohibition to allow the ISP and user to obtain access to a stored communication of that user.[12] There are also exceptions to allow an ISP to make mandatory disclosures pursuant to a warrant,[13] and to allow the ISP to preserve backups of data pursuant to a warrant.[14] The SCA allows for a private right of action.[15]

2. The Computer Fraud and Abuse Act

In 1984 Congress passed the Computer Fraud and Abuse Act,[16] which criminalizes a wide range of unauthorized computer-related activities. These activities include: obtaining bank or credit card records or credit reports;[17] accessing a computer with intent to defraud and obtaining anything of value (other than mere use of the computer valued at less than $5,000 per year);[18] intentionally or recklessly causing at least $5,000 damage to a computer within a year;[19] or trafficking in passwords.[20] The Act does not preempt State laws.[21] The Secret Service, and in some cases the FBI, may investigate these offenses.[22] Additionally, the Act provides for a private right of action; however, recovery may not include punitive damages, and includes only economic damages to a user’s computer.[23]

Bills in Congress

The Senate is currently considering several bills that would address the problem of spyware. These include the House’s Securely Protect Yourself Against Cyber Trespass Act (SPY Act) and the Senate’s Counter Spy Act, the Internet Spyware Prevention Act of 2007 (I-SPY Act), and the Anti-Phishing Consumer Protection Act of 2008 (APCPA). Also, the Senate is considering the Identity Theft Enforcement and Restitution Act,[24] which would amend the Computer Fraud and Abuse Act to eliminate the $5,000 per year threshold for violations and add a forfeiture penalty for computer equipment used in violations.

[1] Pub. L. 90-351 (June 19, 1968).
[2] See 18 U.S.C. § 2510(1). Unless otherwise noted, all citations to a section of the U.S. Code are to Title 18.
[3] § 2510(2).
[4] § 2510(12).
[5] 18 U.S.C. § 2510 et seq.
[6] Id. at § 2515.
[7] Id. at § 2517.
[8] Id. at § 2520.
[9] 18 U.S.C. § 2701 et seq.
[10] Id. at § 2701(a).
[11] In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001) (plaintiff’s computer is a “facility” within the meaning of the SCA); In re Pharmatrak, Inc. Privacy Litigation, 220 F. Supp. 2d 4 (D. Mass. 2002) (plaintiff’s computer is not a “facility”).
[12] 18 U.S.C. at § 2701(c).
[13] § 2703.
[14] § 2704.
[15] § 2707.
[16] Pub. L. 98-473 (Oct. 12, 1984), codified at 10 U.S.C. § 1030.
[17] 10 U.S.C. § 1030(a)(2).
[18] § 1030(a)(4).
[19] § 1030(a)(5).
[20] § 1030(a)(6).
[21] § 1030(f).
[22] § 1030(d).
[23] § 1030(g).
[24] S. 2168, approved by the Senate and referred to the House Subcommittee on Crime, Terrorism, and Homeland Security as of Feb. 4, 2008.
The Spy Act[25] and Counter Spy Act,[26] like the Computer Fraud and Abuse Act before them, attempt to address a comprehensive range of unauthorized computer-related activities. These activities include: using a computer as a spam relay (zombie) or as part of a denial of service attack (botnet); hijacking a computer’s browser or network connection to incur charges; creating browser advertising spam or uncloseable windows; altering a browser’s homepage, default connection, bookmarks, or security settings; logging keystrokes to obtain personal information; using false webpages to obtain personal information (phishing); installing software that ignores ‘do not install’ instructions or automatically re-activates or re-installs itself after being uninstalled; misrepresenting software as being required to secure a computer; misrepresenting the identity of a software provider; inducing the disclosure of personal information by fraud or without consent; disabling anti-virus or other security software; installing software for the purpose of inducing a user to do any of these things;[27] collecting, without consent, personally identifying information or network usage information (with an exception for ads shown by the site doing the collecting, if the information is kept private);[28] hiding installation files using misleading or random file or directory names, or installing files in a system folder to avoid detection; requiring that a particular third party website be accessed, or an access code obtained from a third party, in order to disable software;[29] and installing adware that conceals its operation from a user.[30] In both bills, the FTC and various other federal and state agencies may bring an action, but neither bill provides for a private right of action.[31] Further, these bills would preempt State laws on these matters.[32]

The I-SPY Act[33] would add a new section 18 U.S.C. 1030A, which defines offenses for loading a computer program onto a computer without authorization, then intentionally using that program to commit a Federal crime; and obtaining or transmitting personal information, or impairing the security of a computer, with intent to defraud, injure, or damage a user’s computer.[34] This Act would also preempt State law, unlike the Computer Fraud and Abuse Act.[35] However, the Act makes no changes to the existing private right of action under the existing Computer Fraud and Abuse Act.

[25] H.R. 964, approved by the House and in the Senate Committee on Commerce, Science, and Transportation as of June 7, 2007.
[26] S. 1625, in the Committee on Commerce, Science, and Transportation as of June 14, 2007.
[27] Spy Act, § 2; Counter Spy Act, § 3.
[28] Spy Act, § 3; Counter Spy Act, § 4.
[29] Counter Spy Act, § 3(3).
[30] Counter Spy Act, § 5.
[31] Spy Act, § 4; Counter Spy Act, §§ 7(a), 8(a), 9(a).
[32] Spy Act, § 6(a); Counter Spy Act, § 11(b).
[33] H.R. 1525, approved by the House and in Senate Committee on the Judiciary as of May 23, 2007.
[34] I-SPY Act, § 2.
[35] I-SPY Act, § 2, text of new § 1030A(c).
Finally, the Congress is also considering the Anti-Phishing Consumer Protection Act.[36] This Act would add offenses directed specifically to phishing, cybersquatting, and deceptive or misleading domain names.[37] A state agency, attorney general, or other official may bring a civil action “as parens patriae” on behalf of its citizens, but there is no private right of action.[38] The FTC, affected ISPs and trademark holders, the SEC, and certain federal reserve banks, providers of State insurance, and the Secretaries of Transportation and Agriculture could also bring suit in various situations.[39] This Act would also preempt state law.[40]

III. SPYWARE: FEDERAL REGULATORY ACTIONS

The Federal Trade Commission and the United States Department of Justice argue that a federal anti-spyware statute is not warranted because current statutes, such as the Federal Trade Commission Act (“FTC Act”)[41] and the Computer Fraud and Abuse Act of 1984,[42] provide federal law enforcement with sufficient authority to sue those who create, use, or distribute spyware. Currently, certain federal statutes have been used to prosecute persons and businesses who have used spyware to defraud consumers, surreptitiously obtain information from consumers, or to impair the performance of a consumer’s computer. This section will show how the Federal Trade Commission is using its authority under the Federal Trade Commission Act to prosecute those who use spyware to deceive consumers or to engage in unfair business practices. Additionally, this section will also show how the Department of Justice is using two statutes in particular to prosecute those using spyware for illegal purposes. Both of these agencies have been extremely aggressive in recent years in investigating and litigating spyware cases.

The FTC has applied the prohibitions articulated in Section 5 of the FTC Act not only to spyware, but also to adware, malware, and other unwanted software. There is a difference between the FTC’s deception and unfairness authority under the statute. The FTC has used both to combat spyware. Although the FTC has not requested additional laws to fight spyware, the FTC has recommended to Congress that it be granted civil penalty authority to fine spyware developers.

[36] S. 2661, in the Committee on Commerce, Science, and Transportation as of Feb. 25, 2008.
[37] APCPA, § 3.
[38] APCPA, § 4(a).
[39] APCPA, §§ 4, 5.
[40] APCPA, § 7.
[41] See 15 U.S.C. § 41-58. The Federal Trade Commission Act prohibits acts or practices that are unfair or deceptive. According to the FTC, an unfair act or practice is one which injures consumers, or is likely to cause an injury; the injury is not reasonably avoidable by the consumer; and the act or practice has no countervailing benefit. A deceptive practice is an act or a practice that involves a misrepresentation of a material fact.
[42] 18 U.S.C. § 1030.
The FTC has used this statute to sue those who have created and distributed spyware for violations of the FTC Act. FTC v. Seismic Entertainment demonstrates the first principle that the resources of a consumer’s computer are his or her own, and Internet businesses cannot use these resources without the consumer’s permission.[43] The FTC alleged that Seismic Entertainment exploited known vulnerabilities in Internet Explorer to download spyware to consumers’ computers without their knowledge.[44] According to the FTC, the spyware, among other things, hijacked consumers’ home pages, caused the display of an incessant stream of pop-up ads, allowed the secret installation of additional software programs, and caused computers to severely slow down or crash. Additionally, the FTC alleged that defendants used “drive-by” tactics to download spyware in violation of Section 5 of the FTC Act. The FTC obtained a $4.1 million judgment; a final order that prohibits the Defendants from downloading software in the future without consumer authorization; and a $330,000 judgment against a second group of defendants who allegedly distributed the spyware. FTC v. Seismic Entertainment, Inc., No. 04-377-JD, 2004 U.S. Dist. LEXIS 22788 (D.N.H. Oct. 21, 2004).

In Seismic, the FTC sued, and obtained judgments against, the defendants who created the spyware but also the defendants who distributed the spyware to unwitting consumers. This highlights the breadth of the FTC Act and demonstrates how the FTC has used the FTC Act to pursue all those who have some responsibility in the creation and distribution of spyware. The FTC has also applied the FTC Act to instances other than the allegations described in Seismic. The FTC has sued companies that hire third parties who use adware in violation of the FTC Act.

In FTC v. Zango,[45] the FTC alleges that Zango’s distributors – third-party affiliates who often contracted with numerous sub-affiliates – frequently offered consumers free content and software, such as screensavers, peer-to-peer file sharing software, games, and utilities, without disclosing that downloading them would result in installation of the adware.[46] In other instances, Zango’s third-party distributors exploited security vulnerabilities in Web browsers to install the adware via “drive-by” downloads. As a result, millions of consumers received pop-up ads without knowing why, and had their Internet use monitored without their knowledge. The FTC charged that Zango’s failure to disclose that downloading the free content and software would result in installation of the adware was deceptive, and that its failure to provide consumers with a reasonable and effective means to identify, locate, and remove the adware from their computers was unfair, in violation of the FTC Act.

Second, the FTC has sued companies that have buried disclosures about spyware or critical information in the End User License Agreement for violating the well established requirements for clear and conspicuous disclosures. The FTC sued Odysseus Marketing and its principal for advertising software that the company claimed would allow consumers to engage in peer-to-peer file sharing anonymously.[47] According to the FTC’s complaint, the website’s claims of anonymity encouraged consumers to download their free software.[48] The agency charged that the claims were bogus because the software did not make file-sharing anonymous and there actually was a cost to consumers because the “free” software was bundled with spyware. According to the Complaint, the spyware secretly downloaded dozens of other software programs, diminishing consumers’ computer performance and memory, and replaced or reformatted search engine results. The FTC alleged that Odysseus Marketing hid their disclosure in the middle of a two-page end-user licensing agreement buried in the “Terms and Conditions” section of their website and deliberately made their software difficult to detect and impossible to remove using standard software utilities.

In addition to the FTC’s ability to bring Section 5 cases like Seismic, the United States Department of Justice has statutory authority to prosecute distributors of spyware in cases where consumers’ privacy or security is compromised. The Computer Fraud and Abuse Act of 1984 prohibits the unauthorized acquisition of data from a protected computer that results in damage. 18 U.S.C. § 1030(a). The DOJ has been fairly successful in using the Computer Fraud and Abuse Act to go after the distributors of spyware. In United States v. Dinh, the DOJ alleged that the defendant violated the Computer Fraud and Abuse Act in two ways. First, defendant allegedly knowingly accessed a computer of another person without authorization by installing a series of keystroke-logging programs to remotely monitor the keystrokes of the computer user and identify computer accounts and passwords. Second, defendant violated the statute by allegedly engaging in a scheme to defraud an investor and committing mail and wire fraud. The defendant was sentenced to 13 months in prison.

In addition to this case, other cases illustrate that the DOJ has successfully used the Computer Fraud and Abuse Act to prosecute those who use keystroke loggers without the authorization of the computer user. In United States v. Jiang, the defendant was sentenced to 27 months in prison and ordered to pay approximately $200,000 in restitution for knowingly installing keystroke logging software to surreptitiously record the keystrokes on another person’s computer. Furthermore, United States v. Owusu involved a defendant who surreptitiously installed a keystroke logger program on public computers in order to record every keystroke made on those computers. According to the Department of Justice, the defendant used the information gathered with the keystroke logger to gain unauthorized access to users’ online accounts and university management systems. The defendant was sentenced to four years in prison.

The DOJ also has authority, under a variety of statutes that regulate communications, to pursue actions against entities that acquire information fraudulently, such as through the use of a keystroke logger program. These include Fraud and Related Activity in Connection with Access Devices, 18 U.S.C. § 1029; Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. §§ 2510-22; and the Electronic Communications Privacy Act, 18 U.S.C. §§ 2701-11. To that end, the DOJ has used 18 U.S.C. § 2512 to prosecute those who create and market spyware programs.

[43] FTC v. Seismic Entertainment et al, FTC File Nos.: 042 3142; X05 0013.
[44] See FTC v. Seismic Entertainment, Complaint at http://www.ftc.gov/os/caselist/0423142/041012comp0423142.pdf.
[45] FTC v. Zango et al., FTC File No. 052 3130.
[46] See FTC v. Zango, Complaint (filed Nov. 5, 2006) (http://www.ftc.gov/os/caselist/0523130/0523130cmp061103.pdf).
[47] FTC v. Odysseus Marketing, FTC File Nos.: 042 3205; X050069.
[48] FTC v. Odysseus Marketing, Complaint (filed October 5, 2005) (http://www.ftc.gov/os/caselist/0423205/050929comp0423205.pdf).
In United States v. Perez-Melera, the federal government used § 2512 to prosecute a person who created a computer program that he could use to spy on others and monitor all activities on the computer; emails sent and received, web sites visited, and passwords entered were intercepted and collected.

In prosecuting these cases, federal law enforcement has used its resources to confront unfair and deceptive practices and illustrated that certain spyware behaviors are illegal under existing law. In particular, the FTC has established three principles to guide its spyware enforcement efforts:[49]

• A consumer’s computer belongs to him or her, not to the software distributor. This means that no software maker should be able to gain access to or use the resources of a consumer’s computer without the consumer’s consent.

• Buried disclosures do not work. Communicating material terms about the functioning of a software program deep within an EULA does not meet high enough standards for adequate disclosure.

• Consumers must be able to uninstall or disable software that they do not want. If a software distributor places an unwanted program on a consumer’s computer, there should be a reasonably straightforward way for that program to be removed.

Through active and aggressive enforcement, federal law enforcement has clarified some of the issues idiosyncratic to spyware. This clarification, as illustrated in the three above-referenced guidelines, has guided federal enforcement, and can possibly do the same for federal anti-spyware legislation. Although some states have anti-spyware laws, the law does not clarify the complex issues peculiar to spyware. “Some states have passed specific spyware statutes to help clarify these distinctions, but several of the states that have been most active in spyware enforcement have no such laws in place.”[50]

Federal officials at both the Federal Trade Commission and the Department of Justice believe that they have adequate authority under their existing criminal and civil statutes to take law enforcement action against those who disseminate spyware. Both the FTC and the DOJ have been active in their law enforcement against the creators and distributors of spyware by using the statutes that are at their disposal.

[49] Remarks of Deborah Platt Majoras, Chairman, Federal Trade Commission, Anti-Spyware Coalition Public Workshop, Feb. 9, 2006, http://www.ftc.gov/speeches/majoras/060209cdtspyware.pdf.
[50] Remarks of Ari Schwartz, Deputy Director of the Center for Democracy and Technology, “Consumer Protection Issues”, before The Financial Services and General Government Subcommittee of the House Committee on Appropriations, February 28, 2007, http://www.cdt.org/privacy/20070228schwartzftc.pdf.
  12. 12. IV. SPYWARE: EXISTING STATE STATUTES Starting in 2004, state legislatures began passing a variety of different kinds of anti-spyware legislation. Depending on how broadly “spyware” is defined, as many as 16 states nowhave laws that in some way address the problem. 51 For the most part, these statutes approach thedefinition of “spyware” similarly. Rather than define spyware by what it is – i.e., a programplaced on a protected computer without the computer owner’s knowledge – the statutes definespyware by what it does – i.e., a program that initiates any of a specific set of prohibitedactivities. 52 This section provides an overview of those state laws and some of their significantfeatures. In 2004, California became one of the first states to pass a law specifically related tospyware. 53 Since that time a number of states have passed laws that, with only minor variations,resemble California’s prohibition. Those states include Arizona, Arkansas, Georgia, Indiana,Iowa, Louisiana, New Hampshire, Rhode Island, Texas and Washington. In addition, anumber of other states are currently considering bills that are modeled after the Californiaspyware statute. The California law and the many laws that have followed the California model focus onprotecting consumers from spyware. 
They generally prohibit a person from causing computersoftware to be copied on to a computer without permission from or knowledge by an authorizeduser, if that software performs certain functions, including: (1) modifying certain settings, suchas the browser’s home page, default search provider or bookmarks; (2) collecting personallyidentifying information, including information about websites the computer user visits, the user’sfinancial account numbers, passwords and the like; (3) preventing reasonable efforts to block theinstallations of software; (4) misrepresenting that software will be uninstalled or disabled by thecomputer user’s actions; (5) removing or disabling security, antispyware or antivirus software; or(6) taking control of a consumer’s computer by modifying security settings or causing damage toa computer. 54 In addition to these prohibitions found in most of the state anti-spyware laws,some states have specifically outlawed other actions, such as denial of service attacks. 55 Because of the way these laws define the prohibited conduct, the state legislaturesfollowing the California model have been forced to grapple with the fact that, read broadly, theprohibited conduct could restrict legitimate actions by Internet Service Providers (“ISPs”). Thus,the statutes expressly exclude from their purview certain activities such as interactions with a51 These include Alaska, Arizona, Arkansas, California, Georgia, Indiana, Iowa, Louisiana,Nevada, New Hampshire, Rhode Island, Tennessee, Texas, Utah, Virginia and Washington.52 See L. Elizabeth Bowles, “Survey of State Anti-Spyware Legislation,” The Business Lawyer,Vol. 63, November 2007.53 Consumer Protection Against Computer Spyware Act, Cal. Bus. & Prof. Code § 22947.54 Cal Bus & Prof Code § 22947.2 through 22947.4 (2007).55 See e.g., Arkansas Consumer Protection Against Computer Spyware Act, A.C.A. § 4-111-103(b)(1)(C) (2007). 12
  13. 13. subscriber’s ISP for network or security purposes, diagnostic, technical support, repair updatesand other, similar services. 56 One of the other issues facing state legislatures is how these laws should be enforced.The California statute is silent as to whether it creates a private right of action. Some statesexpressly provide for a private right of action. 57 Others only allow for prosecution by stateprosecutors or state attorneys general. 58 These prosecutions can be either for civil penalties 59 orcriminal. 60 Some state legislatures also are grappling with the issue of how to measure damagesin these cases – in some instances, allowing for treble damages or attorneys’ fees. 61 Not all states with anti-spyware legislation have followed the California model. Forexample, Utah, which passed its law in 2004 – the same year as California – adopted asomewhat different approach. 62 The Utah statute, along with a similar Alaska statute, not onlyprotects consumers from spyware, but also expressly protects trademark holders by prohibitingsoftware that makes certain types of unauthorized uses of another’s mark. Unlike the Californiastatute, the Utah law defines spyware to include “software on the computer of a user who residesin the state that collects information about an Internet website at the time the Internet website isbeing viewed in the state, unless the Internet website is the Internet website of the person whoprovides the software; and uses the information collected contemporaneously to display a pop-upadvertisement on the computer[.]” 63 The Utah law prohibits causing pop-up advertisements tobe shown on the computer screen by means of spyware, if the pop-up is displayed in response toa user accessing a specific mark or Internet address that is purchased or acquired by a personother than the mark owner or an authorized user of the mark. 
The statute also prohibits purchasing advertising that makes use of spyware, if the advertiser receives notice of the violation by the mark owner and fails to end its involvement.[64]

The Utah law has been the subject of interesting litigation. In 2004, an adware vendor sought a temporary restraining order and a preliminary injunction in Utah state court against the Utah law as unconstitutional under a principle of Constitutional law known as the “Dormant Commerce Clause.”[65] The U.S. Constitution reserves to Congress the authority to “regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes.”[66] That provision has been construed by courts to include “a further, negative command, known as the dormant commerce clause,”[67] in areas where Congress has not affirmatively regulated, in order to “create an area of trade free from interference by the States.”[68]

State laws are subject to two levels of scrutiny under this doctrine. Strict scrutiny is triggered if the state law discriminates on its face or in its effect directly in favor of in-state commerce to the detriment of out-of-state commerce, and is generally struck down unless the state demonstrates a legitimate local purpose and an absence of nondiscriminatory alternatives.[69] Conversely, “[w]here the statute regulates even-handedly to effectuate a legitimate local public interest, and its effects on interstate commerce are only incidental, it will be upheld unless the burden imposed on such commerce is clearly excessive in relation to the putative local benefits.”[70]

In the spyware challenge, the court granted a preliminary injunction, holding that the statute was likely unconstitutional. In response to that preliminary decision, the Utah legislature drafted amendments to the law in an effort to resolve the constitutional issue. To that end, the Utah and Alaska statutes expressly exclude pop-up advertisements if the software requests information about the user’s state of residence before displaying the pop-up, implements a reasonably reliable automated system to determine the geographic location of the user, does not encourage the user to indicate a residence outside of their states and does not display the pop-up to users in their respective states. The authors are unaware of any pop-up adware that would satisfy these statutory prescriptions, and the ability of these amendments to withstand similar Constitutional scrutiny remains untested.

[56] See e.g., Cal Bus & Prof Code § 22947.4(b) (2007).
[57] See e.g., Arizona Computer Spyware Act, A.R.S. § 44-7304 (2007).
[58] See e.g., A.C.A. § 4-111-104 (2007).
[59] See e.g., Georgia Computer Security Act, O.C.G.A. § 16-9-155(b)(1) (2007).
[60] See e.g., Computer Crimes Act, Va. Code Ann. § 18.2-152.3 (2008).
[61] See e.g., Louisiana Computer Spyware Act, La. R.S. 51:2014(C) and (D) (2007).
[62] Spyware Control Act, Utah Code Ann. § 13-40-101, et seq. (2007).
[63] Id. at § 13-40-102(8)(a) (2007).
[64] Id. at § 13-40-201 (2007).
[65] WhenU.com Inc. v. Utah, Case No. 040907578 (Utah Dist. Ct. June 22, 2004).
Finally, other states have sought to address spyware not in a stand-alone spyware-specific statute, but within the context of larger computer crime laws. For example, Nevada’s computer crime statute now defines spyware as an unlawful “computer contaminant” which cannot be introduced into a computer, system or network.[71] Virginia also expanded the definitions in its existing computer crimes statutes to include activity that could encompass the use of spyware.[72]

[66] U.S. CONST. art. I, § 8, cl. 3.
[67] Oklahoma Tax Comm’n v. Jefferson Lines, 514 U.S. 175, 179 (1995).
[68] Boston Stock Exchange v. State Tax Comm’n, 429 U.S. 318, 328 (1977).
[69] Brown-Forman Distillers Corp., 476 U.S. 573, 578 (1986); Granholm v. Heald, 544 U.S. 460, 479 (2005).
[70] Pike v. Bruce Church, Inc., 397 U.S. 137, 142 (1970).
[71] Unlawful Acts Regarding Computers and Information Services, Nev. Rev. Stat. Ann. § 205.473(2)(b) (2007).
[72] See, e.g., Computer Crimes Act, Va. Code Ann. § 18.2-152.4 (2008).
V. CONCLUSION

In conclusion, the Subcommittee agrees that the following areas need to be brought to the attention of the Section for further discussion and analysis:

• Comparison of need and efficacy of statutory prohibitions versus regulation.
• Enforcement vs. private right of action - analysis of the motivations and effectiveness of enforcement by regulatory bodies versus private actions by affected citizens against offenders.
• Analysis of varying remedies available and their effectiveness (injunction, civil damages, criminal penalties, etc).
• State law issues:
  o perceived need for uniformity through preemptive federal law versus desire to allow states to fashion their own different and more restrictive standards.
• Definition of spyware:
  o is the key element consent?
  o does “spyware” actually have to “spy” (e.g., monitor or report on user activity), or does it include malware, fraudware, browser hijacks and the like?
UPDATE ON CREDIT SECURITY LEGISLATION SINCE 2007 REPORT

Updated by Rebecca Piper

Since last year’s Report, 15 additional states and the District of Columbia enacted some type of legislation related to credit freezes or other form of credit security. Currently, the District of Columbia and thirty-nine states have credit freeze laws in place, including Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Illinois, Indiana, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, West Virginia, Wisconsin and Wyoming. In addition, since November 1, 2007, the security freeze is offered voluntarily by Equifax, Experian, and TransUnion to consumers living in the eleven states that do not have a security freeze law and to consumers in the four states whose laws limit the security freeze protection to identity theft victims only.[73]

Several highlights of the new state and District of Columbia credit security laws are detailed below. In addition to these highlights on the process and cost of placing a security freeze, most of the state credit freeze laws outline the situations and agencies to which the credit security freeze law does not apply as well as provide penalties and private rights of action for violations of the security freeze law.

Arkansas

H.B. 2215 became effective on January 1, 2008 and is titled “Arkansas Consumer Report Security Freeze Act.” Under this Act, a resident of the state that has been the victim of identity theft and who has submitted a copy of a valid investigative report, an incident report, or a complaint with a law enforcement agency about the unlawful use of the victim’s identifying information by another person may request a security freeze.
The consumer may request the security freeze by sending the written request by certified mail with proper identification and any applicable fee. Fees for each security freeze, removal of a security freeze, or temporary lifting of a security freeze may not exceed $10. Consumer reporting agencies may advise a third party that a security freeze is in effect with respect to a consumer report. A third party may treat an application for credit or any other use as incomplete if a security freeze is in place and access to a consumer report is not allowed. The security freeze will remain in place until removal by the consumer or discovery that the consumer report was frozen due to a material misrepresentation of the consumer.

District of Columbia

Title 28 of the District of Columbia Official Code was amended by adding the “Consumer Security Freeze Act of 2006.” The Act became effective July 1, 2007. Under the Act, a credit reporting agency will put a freeze on a consumer’s credit report no later than three days after receiving a request by certified mail. In addition, by January 1, 2009, the credit reporting agency will make available the ability to request a security freeze over the Internet and will accept requests received by either telephone or regular mail. On or before September 1, 2008, the credit reporting agency must be able to allow access to the consumer’s credit report by a specific party or for a specific period of time within 15 minutes of receiving such request unless the consumer fails to provide the proper identity, password and identity of designated third party, or the consumer reporting agency is unable to lift the security freeze because of an Act of God, unauthorized acts by a third party, operational interruption, governmental action, regulatory scheduled maintenance, or commercially reasonable maintenance. The Act allows a credit reporting agency to inform a third party that a security freeze is in place on a consumer’s credit report and the third party may treat an application as incomplete if the consumer does not allow access to their credit report. A security freeze is in place until a consumer asks for its permanent removal in writing. The removal shall occur within 3 days of the credit reporting agency receiving such removal request. The Act permits the credit reporting agency to charge a fee of $10 for the initial application and first personal identification number or password unless the consumer is a victim of identity theft, in which case the agency may only charge for subsequent instances of loss and reissuance of new identification numbers. After a one-time reissue of the password, the agency may charge $10 for subsequent instances of loss and reissuance of the identification number or password.

[73] http://www.consumersunion.org/campaigns/learn_more/003484indiv.html

Indiana

Indiana’s SB 403 is titled “Security Freeze for Consumer Reports” and became effective on September 1, 2007.
Under the Act, by January 1, 2009 consumer reporting agencies must develop a secure electronic mail connection by which consumers can request a security freeze, a new personal identification number or password, or a temporary lift of a security freeze. Also by January 1, 2009, consumer reporting agencies must have a secure process by which the agency will release a consumer report subject to a security freeze, temporarily lift a security freeze, or remove a security freeze within 15 minutes of receiving such a request. The Act provides a list of people, including law enforcement agencies and licensed insurers, to which a consumer report under a security freeze can be released. Consumer reporting agencies are prohibited from charging a fee for requests to place a security freeze, release a consumer report to a specified person, temporarily lift a security freeze, remove a security freeze, or issue a personal identification number or password associated with the preceding requests.

Maryland

Maryland’s S.B. 52 was approved by the governor on May 8, 2007 and is effective January 1, 2008. Under the Act, consumers must be able to make a request for a security freeze by certified mail, by telephone after January 1, 2010, and by secure internet connection, should the consumer reporting agency choose to make it available. The Act clarifies that it does not apply to consumer reporting agencies that act only as a reseller of credit information and do not maintain permanent databases of credit information from which new consumer reports are produced. After January 1, 2009, requests to temporarily lift a security freeze must occur within 15 minutes if received by telephone, electronic mail, or secure website connection. The Act acknowledges that third parties may treat an application as incomplete if a party requests access to a consumer’s consumer report and a freeze is in place. Fees of up to $5 may only be charged for each placement, temporary lift, or removal of a security freeze and fees may not be applied to those consumers that have obtained a report of alleged identity fraud.

Massachusetts

H.B. 4144, H.B. 4018, and S.B. 2236 were consolidated to create an Act relative to security freezes and notification of data breaches. The Act became effective on February 3, 2008. Under the Act a consumer may request a security freeze by regular, overnight, or certified mail. Consumer reporting agencies must comply with a request to lift a freeze for a particular party or for a certain period of time within three days of receiving the request. The Act allows a consumer reporting agency to charge a reasonable fee, not to exceed $5, to a consumer that elects to freeze, lift, or remove a freeze to their consumer report. This fee may not be charged to victims of identity theft or their spouses provided the victim has submitted a valid police report related to the identity theft.

Minnesota

In May 2007, Minnesota was the first state to enact legislation that codified certain requirements from the Payment Card Industry Data Security Standards.[74] The statute prohibits merchants from retaining “the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.”[75] This limitation on storage of data captured as part of a credit card transaction adds another tool for consumers in the quest to alleviate the risk of identity theft. Several other states have introduced similar legislation.[76]

Mississippi

S.B. 3034 was signed into law and became effective on July 1, 2007. The security freeze is available to consumers with a valid copy of a police report that the consumer filed regarding the unlawful use of their personal information.
The request must be by certified mail and must include proper identification. A consumer reporting agency may charge a reasonable fee, not to exceed $10, to place a security freeze on a file. A consumer may request by telephone or mail to have a security freeze removed or temporarily lifted for a properly designated period or a properly identified requester, which will occur within three business days after the request. Fees may not be charged for the removal or temporary lift of a security freeze. A consumer reporting agency shall honor a security freeze placed by another consumer reporting agency.

[74] “Minnesota Gives PCI Rules a Legal Standard” (May 28, 2007) (http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=standards_and_legal_issues&articleId=293804&taxonomyId=146)
[75] Minn. Stat. § 325E.64 (2007).
[76] Thomas J. Smedinghoff, It’s All About Trust: The Expanding Scope of Security Obligations in Global Privacy and E-Transactions Law, 16 Mich. St. J. Int’l L. 1 (2007).
Montana

S.B. 116 became effective law in Montana on July 1, 2007. A consumer may place a security freeze on their consumer report by requesting such a freeze in writing by regular or certified mail. A consumer reporting agency will place the freeze within 5 business days of receiving such request unless the consumer making the request is a victim of identity theft, in which case the freeze will be placed within 24 hours of receiving the request. A consumer reporting agency may not imply to a third party that the placing of a freeze reflects negatively on a consumer’s credit score or history. A consumer may request a temporary lift in a security freeze by regular or certified mail, telephone, or secure electronic connection. By January 1, 2009, the consumer reporting agency must honor a request for a temporary lift of a security freeze within 15 minutes of receiving such request. A reasonable fee, not to exceed $3, may be charged to a consumer that is not the victim of identity theft for the placing or temporary removal of a security freeze. A reasonable fee of up to $5 may be charged for the reissue of a consumer identification number or password.

Nebraska

L.B. 674 was approved by the Governor on May 24, 2007 and the Credit Report Protection Act became effective law on September 1, 2007. Under the Act a consumer may request a security freeze by certified mail. A consumer reporting agency must develop procedures involving the telephone, the Internet, or other electronic media to receive and process a request for a temporary lift of a security freeze in an expedited manner. By January 1, 2009, the temporary lift must occur within 15 minutes of receiving the request. The consumer reporting agency may charge a fee of $15 for placing a security freeze unless the consumer requesting the freeze is a minor or a victim of identity theft and provides a copy of an official police report documenting the theft.
New Mexico

The Credit Report Security Act became effective law on July 1, 2007. A consumer may make a request for a security freeze by certified or regular mail, or by telephone or secure electronic means, if such methods are made available by the consumer reporting agency. By September 1, 2008, a consumer will be able to request a temporary lift to a security freeze by telephone or secure electronic method in addition to certified or regular mail. Also by September 1, 2008, the temporary lift in the security freeze must occur within 15 minutes of the request rather than the current three business days. The consumer reporting agency may charge a fee of no more than $10 for the placement of a security freeze, and no more than $5 for the release of a credit report or the removal of a security freeze. Fees shall not be charged to victims of identity theft or consumers sixty-five years of age or older.

North Dakota

H.B. 1417 became effective law in North Dakota on July 1, 2007. Under the Act, a consumer may request a security freeze by mail, telephone, or secure electronic mail connection, if the consumer reporting agency has made such electronic method available. As of August 1, 2009, the consumer reporting agency must place the security freeze within 24 hours, rather than the standard three days, from receiving the request of a victim of identity theft. The consumer reporting agency will temporarily lift a security freeze within three business days of receiving the request. The Act outlined a goal of processing a request for a temporary lift within 15 minutes of receiving such request. The consumer reporting agency may work to meet this goal by developing procedures to receive requests by telephone, fax, internet, or other electronic media. The consumer reporting agency may charge a fee of up to $5 for placing or temporarily lifting a security freeze unless the consumer is a victim of identity theft and provides a valid copy of a police report. Other than for the first reissue of a consumer password or identification number, a consumer may also be charged a $5 fee for subsequent reissues of such password or identification number.

Oregon

S.B. 583, known as the Oregon Consumer Identity Theft Protection Act, became effective law in Oregon on October 1, 2007. Under the Act, a consumer may request a freeze by mail or by secure electronic request at a website, should the consumer reporting agency make such a method available. A consumer reporting agency shall temporarily lift a security freeze within three business days of receiving such a request from a consumer. A permanent removal of a security freeze shall also occur within three days of receiving such a request. The Act requires a report provided by the Director of the Department of Consumer and Business Services by December 31, 2008 on the minimum amount of time necessary, given current technology, to place, temporarily lift, or remove a security freeze. Other than to victims of identity theft, a fee of up to $10 may be charged to consumers for each freeze, temporary lift of a freeze, removal of a freeze, or replacing of lost personal identification number or password.

Tennessee

P.L. 1700, known as The Credit Security Act of 2007, became effective on January 1, 2008.
A consumer may make a request for a security freeze by certified mail and after January 31, 2009, that request may also be made by an electronic method. Consumers may request a temporary lift of a security freeze, and consumer reporting agencies must develop procedures to allow this request by telephone, the Internet, or other electronic method. The temporary lift must occur within 15 minutes of the request. Consumer reporting agencies may charge $7.50 for the placement of a security freeze and $5 for the removal of a security freeze or the replacement of a personal identification number or password but may not charge for the temporary lifting of a security freeze. Victims of identity theft with a police report or other document detailing the theft may not be charged a fee.

West Virginia

S.B. 428 was passed on March 10, 2007 and became effective on July 2, 2007. Under the Act, a consumer may request a security freeze by certified or overnight mail. By January 31, 2009, consumer reporting agencies must allow requests by a secure electronic method. If a consumer requests a temporary lift to the security freeze, the consumer reporting agency must lift the freeze within three days of receiving that request. By September 1, 2008, that temporary lift shall occur within 15 minutes of receiving such request. The consumer may be charged a fee of up to $5 for the placement, removal, or temporary removal of a security freeze unless the consumer is a victim of identity theft and has a copy of a valid police report. A $5 fee may also be charged for reissue of a personal identification number or password.

Wyoming

Wyoming’s security freeze law became effective on July 1, 2007. Under the Act, a consumer may request a security freeze on his consumer report by certified mail. A consumer may request a temporary lift in a security freeze by either mail, an electronic method chosen by the agency, or telephone. After September 1, 2008, the consumer reporting agency will temporarily lift a security freeze within 15 minutes of receiving such request by electronic method or telephone, otherwise they will temporarily lift the security freeze within three business days of receiving such request. Except for victims of identity theft that have a valid copy of a police report, the consumer reporting agency may charge a fee of up to $10 for each placement, temporary lift, or removal of a security freeze.
Committee members approving report (31):
Mary Ann C. Ball
David Alan Bateman
Lee Berger
Yar R. Chaikovsky
Stephen Chow
Vincent Cogan
Jeffrey T. Cox
Jeff C. Dodd
Kenneth Kyle Dort
Steven Michael Emmert
Eric Neil Everett
R. Mark Field
Jennifer Fisher
Renard C. Francois
Christina Frangiosa
Terrance Joseph Frolich
Jason E. Goldberg
David A. Johnson
Melissa L. Klipp
Kenneth Albert Kopf
Louis J. Levy
Randy Lowell
Elizabeth Stacy McClure
Vicki Menard
Jennifer Miller
Michael A. Parks
Woodrow Pollack
J. Mark Smith
Michael T. Stewart
Mohammad A. Syed
Peter S. Trotter

Committee members disapproving report: None

Committee members not responding (16):
Patrick Alberts
Mark E. Ashton
Guillermo Aviles-Mendoza
Richard Anthony Brunner
Don Lloyd Cook II
Ronald S. Courtney
Behnam Dayanim
Robert Emond
Jonathan I Ezor
Dorothy L. Foley
Michael Hagemann
Steven Mancinelli
Joanne Nelson
Robert H. Newman
Seth M. Reiss
Alan N. Walter

Law Student Members:
Kristen Aiken
Matthew Asbell
David E. Blau
Kiva Bostwick
Michael Buhrley
Aubin Chang
Yi-Hung Chung
Douglas Clough
Wendy Happ
Elizabeth Jean-Pierre
Michael Landres
Jason Luros
Brian Perrault
Amy Petri
Brian Pyne
Craig Sorensen
Kurth Stecher
Dondi West
Pamela Young