[Pages S10089-S10091]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

THE SPYWARE CONTROL AND PRIVACY PROTECTION ACT

Mr. EDWARDS. Mr. President, how would you feel if someone was
eavesdropping on your private phone conversations without your
knowledge? Well, if it happened to me, I would be very disturbed. And I
think that most Americans would be very disturbed to know that
something similar may be happening every time they use their computers.
The shocking fact is that many software programs contain something
called spyware. Spyware is computer code that surreptitiously uses our
Internet connection to transmit information about things like our
purchasing patterns and our health and financial status. This
information is collected without our knowledge or explicit permission
and the spyware programs run undetected while you surf the Internet.
Spyware has been found in Quicken software, which is manufactured by
Intuit, Inc. So let me use this as an example. Imagine you purchase
Quicken software or download it from the Internet. You install it on
your computer to help you with your finances. However, unbeknownst to
you, Quicken does more than install financial planning tools on your
computer. It also installs a little piece of spyware. The spyware lies
dormant until one day when you get on the Internet.
As you start surfing the Internet, the spyware sends back information
to Intuit about what you buy and what you are interested in. And all of
this happens without your knowledge. You could be on Amazon.com or
researching health issues and at the very same time Intuit spyware is
using your Internet connection, transmitting some of your most private
data to someone you never heard of.
In the months since it was reported that Quicken contained spyware,
the folks at Intuit may have decided to remove the spyware from
Quicken. However, Quicken is not the only software program that may
contain spyware. One computer expert recently found spyware programs in
popular children's software that is designed to help them learn, such
as Mattel Interactive's Reader Rabbit and Arthur's Thinking Games. And,
according to another expert's assessment, spyware is present in four
hundred software programs, including commonly used software such as
RealNetworks RealDownload, Netscape/AOL Smart Download, and NetZip
Download Demon. Spyware in these software programs can transmit
information about every file you download from the Internet.
I rise today to introduce the Spyware Control and Privacy Protection
Act of 2000. I believe that this legislation will help Americans regain
some control over their personal information and will help stop the
loss of their privacy and the privacy of their families.
My proposal is common-sense and simple. It incorporates all four fair
information practices of notice, choice, access and security--practices
that I believe are essential to effective computer privacy legislation.
First, the Act requires that any software that contains spyware must
provide consumers with clear and conspicuous notice--at the time the
software is installed--that the software contains spyware. The notice
must also describe the information that the spyware will collect and
indicate to whom it will be transmitted.
Another critical provision of my bill requires that software users
must first give their affirmative consent before the spyware is enabled
and allowed to start obtaining and sharing users' personal information
with third parties. In other words, software users must ``opt-in'' to
the collection and transmission of their information. My bill gives
software users a choice whether they will allow the spyware to collect
and share their information.
The Spyware Control and Privacy Protection Act allows for some
common-sense exceptions to the notice and opt-in requirements. Under my
proposal, software users would not have to receive notice and give
their permission to enable the spyware if the software user's
information is gathered in order to provide technical support for use
of the software. In addition, users' information may be collected if it
is necessary to determine if they are licensed users of the software.
And finally, the legislation would not apply to situations where
employers are using spyware to monitor Internet usage by their
employees. I believe that this last issue is a serious one and deserves
to be addressed in separate legislation.
Another important aspect of the Spyware Control and Privacy
Protection Act is that it would incorporate the fair information
practice known as ``access.'' What this means is that an individual
software user would have the ability to find out what information has
been collected about them, and would be given a reasonable chance to
correct any errors.
And finally, the fourth fair information practice guaranteed by my
bill is ``security.'' Anyone that uses spyware to collect information
about software users must establish procedures to keep that information
confidential and safe from hackers.
Spyware is a modern day Trojan horse. You install software on your
computer thinking it's designed to help you, and it turns out that
something else is hidden inside that may be quite harmful.

I have been closely following the privacy debate for some time now.
And I am struck by how often I discover new ways in which our privacy
is being eroded. Spyware is among the more startling examples of how
this erosion is occurring.
Most people would agree that modern technology has been
extraordinarily beneficial. It has enabled us to obtain information
more quickly and easily than ever before. And companies have
streamlined their processes for providing goods and services.
But these remarkable developments can have a startling downside. They
have made it easier to track personal information such as medical and
financial records, and buying habits. In

[[Page S10090]]

turn, our ability to keep our personal information private is being
eroded.
Even sophisticated computer software users are unlikely to be aware
that information is being collected about their Internet surfing habits
and is likely being fed into a growing personal profile maintained at a
data warehouse. They don't know that companies can and do extract the
information from the warehouse to create a so-called cyber-profile of
what they are likely to buy, what the status of their health may be,
what their family is like, and what their financial situation may be.
I believe that in the absence of government regulation, it is
difficult, if not impossible for people to control the use of their own
personal information. Consumers are not properly informed, and
businesses are under no legal obligation to protect consumers' privacy.
I believe that the Spyware Control and Privacy Protection Act is a
reasonable way to help Americans regain some of their privacy. My
legislation does not prevent software manufacturers from using their
software to collect a consumer's online information. However, it gives
back some control to the consumer by allowing him or her to decide
whether their information may be gathered.
My bill protects consumer privacy, while enabling software companies
and marketing firms to continue obtaining consumers' information if the
consumer so chooses. Confidence in these companies will be enhanced if
they are able to assure their customers that they will not collect
their personal information without their permission.
Privacy protections should not stop with computer software. I am also
proud to be a cosponsor of the Consumer Privacy Protection Act, a much-
needed measure that would prevent Internet service providers,
individual web sites, network advertisers, and other third parties from
gathering information about our online surfing habits without our
permission.
And last fall, I introduced the Telephone Call Privacy Act in order
to prevent phone companies from disclosing consumers' private phone
records without their permission. Although there are only a few weeks
left in this congressional session, it is my hope that Congress will
pass meaningful privacy legislation soon.
Increasingly, technology is impacting our lives and the lives of our
families. I believe that while it is important to encourage
technological growth, we must also balance new developments with our
fundamental right to privacy. Otherwise, we may wake up one day and
realize that our privacy has been so thoroughly eroded that it is
impossible to recover.
I urge my colleagues to support the Spyware Control and Privacy
Protection Act.
Mr. President, I ask unanimous consent that the text of the bill be
printed in the Record.
There being no objection, the bill was ordered to be printed in the
Record, as follows:

S. 3180

Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Spyware Control and Privacy
Protection Act of 2000''.

SEC. 2. COLLECTION OF INFORMATION BY COMPUTER SOFTWARE.

(a) Notice and Choice Required.--
(1) In general.--Any computer software made available to
the public, whether by sale or without charge, that includes
a capability to collect information about the user of such
computer software, the hardware on which such computer
software is used, or the manner in which such computer
software is used, and to disclose to such information to any
person other than the user of such computer software, shall
include--
(A) a clear and conspicuous written notice, on the first
electronic page of the instructions for the installation of
such computer software, that such computer software includes
such capability;
(B) a description of the information subject to collection
and the name and address of each person to whom such computer
software will transmit or otherwise communicate such
information; and
(C) a clear and conspicuous written electronic notice, in a
manner reasonably calculated to provide the user of such
computer software with easily understood instructions on how
to disable such capability without affecting the performance
or operation of such computer software for the purposes for
which such computer software was intended.
(2) Enablement of capability.--A capability of computer
software described in paragraph (1) may not be enabled unless
the user of such computer software provides affirmative
consent, in advance, to the enablement of the capability.
(3) Exception.--The requirements in paragraphs (1) and (2)
shall not apply to any capability of computer software that
is reasonably needed to--
(A) determine whether or not the user is a licensed or
authorized user of such computer software;
(B) provide, upon request of the user, technical support of
the use of such computer software by the user; or
(C) enable an employer to monitor computer usage by its
employees while such employees are within the scope of
employment as authorized by applicable Federal, State, or
local law.
(4) Use of information collected through excepted
capability.--Any information collected through a capability
described in paragraph (1) for a purpose referred to in
paragraph (3) may be utilized only for the purpose for which
such information is collected under paragraph (3).
(5) Access to information collected through excepted
capability.--Any person collecting information about a user
of computer software through a capability described in
paragraph (1) shall--
(A) upon request of the user, provide reasonable access by
user to information so collected;
(B) provide a reasonable opportunity for the user to
correct, delete, or supplement such information; and
(C) make the correction or supplementary information a part
of the information about the user for purposes of any future
use of such information under this subsection.
(6) Security of information collected through excepted
capability.--Any person collecting information through a
capability described in paragraph (1) shall establish and
maintain reasonable procedures necessary to protect the
security, confidentiality, and integrity of such information.
(b) Preinstallation.--In the case of computer software
described in subsection (a)(1) that is installed on a
computer by someone other than the user of such computer
software, whether through preinstallation by the provider of
such computer or computer software, by installation by
someone before delivery of such computer to the user, or
otherwise, the notice and instructions under that subsection
shall be provided in electronic form to the user before the
first use of such computer software by the user.
(c) Violations.--A violation of subsection (a) or (b) shall
be treated as an unfair or deceptive act or practice
proscribed by section 18(a)(1)(B) of the Federal Trade
Commission Act (15 U.S.C. 57a(a)(1)(B)).
(d) Disclosure to Law Enforcement or Under Court Order.--
(1) In general.--Notwithstanding any other provision of
this section, a computer software provider that collects
information about users of the computer software may disclose
information about a user of the computer software--
(A) to a law enforcement agency in response to a warrant
issued under the Federal Rules of Criminal Procedure, an
equivalent State warrant, or a court order issued in
accordance with paragraph (3); or
(B) in response to a court order in a civil proceeding
granted upon a showing of compelling need for the information
that cannot be accommodated by any other means if--
(i) the user to whom the information relates is given
reasonable notice by the person seeking the information of
the court proceeding at which the order is requested; and
(ii) the user is afforded a reasonable opportunity to
appear and contest the issuance of the requested order or to
narrow its scope.
(2) Safeguards against further disclosure.--A court that
issues an order described in paragraph (1) shall impose
appropriate safeguards on the use of the information to
protect against its unauthorized disclosure.
(3) Court orders.--A court order authorizing disclosure
under paragraph (1)(A) may issue only with prior notice to
the user and only if the law enforcement agency shows that
there is probable cause to believe that the user has engaged,
is engaging, or is about to engage in criminal activity and
that the records or other information sought are material to
the investigation of such activity. In the case of a State
government authority, such a court order shall not issue if
prohibited by the law of such State. A court issuing an order
pursuant to this paragraph, on a motion made promptly by the
computer software provider may quash or modify such order if
the information or records requested are unreasonably
voluminous in nature or if compliance with such order
otherwise would cause an unreasonable burden on the provider.
(e) Private Right of Action.--
(1) Actions Authorized.--A person may, if otherwise
permitted by the laws or rules of court of a State, bring in
an appropriate Federal court, if such laws or rules prohibit
such actions, either or both of the actions as follows:
(A) An action based on a violation of subsection (a) or (b)
to enjoin such violation.
(B) An action to recover actual monetary loss for a
violation of subsection (a) or (b) in an amount equal to the
greater of--
(i) the amount of such actual monetary loss; or
(ii) $2,500 for such violation, not to exceed a total
amount of $500,000.

[[Page S10091]]

(2) Additional remedy.--If the court in an action under
paragraph (1) finds that the defendant willfully, knowingly,
or repeatedly violated subsection (a) or (b), the court may,
in its discretion, increase the amount of the award under
paragraph (1)(B) to an amount not greater than three times
the amount available under paragraph (1)(B)(ii).
(3) Litigation costs and attorney fees.--In any action
under paragraph (1), the court may, in its discretion,
require an undertaking for the payment of the costs of such
action and assess reasonable costs, including reasonable
attorney fees, against the defendant.
(4) Venue.--In addition to any contractual provision
otherwise, venue for an action under paragraph (1) shall lie
where the computer software concerned was installed or used
or where the person alleged to have committed the violation
concerned is found.
(5) Protection of trade secrets.--At the request of any
party to an action under paragraph (1), or any other
participant in such action, the court may, in its discretion,
issue a protective order and conduct proceedings in such
action so as to protect the secrecy and security of the
computer, computer network, computer data, computer program,
and computer software involved in order to--
(A) prevent possible recurrence of the same or a similar
act by another person; or
(B) protect any trade secrets of such party or participant.
(f) Definitions.--In this section:
(1) Collect.--The term ``collect'' means the gathering of
information about a computer or a user of computer software
by any means, whether direct or indirect and whether active
or passive.
(2) Computer.--The term ``computer'' means a programmable
electronic device that can store, retrieve, and process data.
(3) Computer software.--(A) Except as provided in
subparagraph (B), the term ``computer software'' means any
program designed to cause a computer to perform a desired
function or functions.
(B) The term does not include a text file, or cookie,
placed on a person's computer system by an Internet service
provider, interactive computer service, or commercial
Internet website to return information to the Internet
service provider, interactive computer service, commercial
Internet website, or third party if the person subsequently
uses the Internet service provider or interactive computer
service, or accesses the commercial Internet website.
(4) Information.--The term ``information'' means
information that personally identifies a user of computer
software, including the following:
(A) A first and last name, whether given at birth or
adoption, assumed, or legally changed.
(B) A home or other physical address including street name
and name of a city or town.
(C) An electronic mail address.
(D) A telephone number.
(E) A social security number.
(F) A credit card number, any access code associated with
the credit card, or both.
(G) A birth date, birth certificate number, or place of
birth.
(H) Any other unique information identifying an individual
that a computer software provider, Internet service provider,
interactive computer service, or operator of a commercial
Internet website collects and combines with information
described in subparagraphs (A) through (G) of this paragraph.
(5) Person.--The term ``person'' has the meaning given that
term in section 3(32) of the Communications Act of 1934 (47
U.S.C. 153(32)).
(6) User.--The term ``user'' means an individual who
acquires, through purchase or otherwise, computer software
for purposes other than resale.
(g) Effective Date.--This section shall take effect 180
days after the date of the enactment of this Act.

____________________