Report Title:

Adware; Spyware; Unlawful distribution.

 

Description:

Creates a new criminal offense of unlawful distribution of adware or spyware if a person knowingly transmits prohibited computer software, adware, or spyware to a computer to obtain the owner's personally identifiable information or control the computer, and makes the offense a class B felony.

 

 


HOUSE OF REPRESENTATIVES

H.B. NO.

2033

TWENTY-FOURTH LEGISLATURE, 2008

 

STATE OF HAWAII

 

 

 

 

 

 

A BILL FOR AN ACT


 

 

relating to crime.

 

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 


     SECTION 1.  The legislature finds that computer-based crimes involving spyware or adware software are on the rise.  Spyware and adware are computer software programs that track or collect the online activities or personal identification of Internet users, change settings on a users' computer, or cause advertising messages to pop up on a users' computer screen.  Web users are often unaware that spyware or adware is being downloaded to their computers and it can be very difficult to remove.  More troubling, however, is that this type of software enables third parties to have access to highly personal information, modifies the computer systems or settings of users who unknowingly download this type of software, and prevents the owner or user of a computer from blocking the installation of or disabling this type of software.

     The purpose of this Act is to establish the criminal offense of unauthorized distribution of spyware or adware to protect Hawaii consumers from being victims of identity theft or undertaking costly repairs to remove this type of software from their computer systems or networks.  

     SECTION 2.  Chapter 708, Hawaii Revised Statutes, is amended by adding a new section to part IX to be appropriately designated and to read as follows:

     "§708-    Unlawful distribution of adware or spyware.  (1)  A person commits the offense of unlawful distribution of adware or spyware if the person knowingly transmits or causes to be transmitted computer software, adware, or spyware to a computer owned or operated by another person and uses the software to:

    (a)   Modify, through deceptive means, the settings of a computer that control:

         (i)  The web page that appears when an owner or authorized operator launches an Internet browser or similar computer software used to access and navigate the Internet;

        (ii)  The default provider or web proxy that an owner or authorized operator uses to access or search the Internet; or

       (iii)  The owner or authorized operator's list of bookmarks used to access web pages;

    (b)   Collect, through deceptive means, personally identifiable information about the owner or authorized operator through:

         (i)  The use of a key stroke logging function that records key strokes made by an owner or authorized operator of a computer and transfers that information from the computer to another person;

        (ii)  The removal of, disabling of, or rendering inoperative security or anti-virus computer software that protects personally identifiable information about the owner or authorized operator; or

       (iii)  Preventing, through deceptive means, an owner or authorized operator's reasonable efforts to block the installation of, or to disable, computer software by causing software that the owner or authorized operator has properly removed or disabled to automatically be reinstalled or reactivated on the computer;

    (c)   Take control of an owner or authorized operator's computer by:

         (i)  Accessing or using a modem, broadband, or other Internet service for the purpose of causing damage to an owner or authorized operator's computer or causing an owner or authorized operator to incur financial charges for a service that the owner or authorized operator did not authorize; or

        (ii)  Opening multiple, sequential, or stand alone advertisements on an owner or authorized operator's Internet browser without the authorization of the owner or authorized operator and which a reasonable computer user could not close without turning off the computer or closing the Internet browser;

    (d)   Remove, disable, or render inoperative through deceptive means, security or anti-virus software installed on the computer;

    (e)   Misrepresent to the owner or authorized operator that:

         (i)  Computer software will be disabled or uninstalled by the action of the owner or authorized operator of the computer, and after the choice has been made to disable or uninstall the software, the installation proceeds; or

        (ii)  Computer software has been disabled.

    (2)  The provisions of this section shall not apply to:

    (a)   The installation of software and its respective uninstall capabilities after proper notice and that fall within the scope of a grant of authorization by the owner or authorized operator;

    (b)   The installation of an upgrade to a software program that has already been installed on the computer with the authorization by the owner or authorized operator; or

    (c)   The installation of software before the first retail sale and delivery of the computer.

    (3)  Businesses, corporations, and organizations shall provide notice to their employees of software that is installed in company computers to monitor and control the computer activity of their employees.

    (4)  Unlawful distribution of adware or spyware is a class B felony.  If convicted, the court may impose on a person one or more of the following:

    (a)   A maximum fine of $100,000 per offense;

    (b)   Reimbursement to victims for damages related to the crime; and

    (c)   A maximum ten-year prison sentence per offense.

    (5)  For purposes of this section:

    "Adware" means a computer program that, without the control of the computer user, generates advertising that is unrelated to either the program or Internet website that the computer owner or authorized operator is purposefully running or viewing.

    "Deceptive means" means an intentionally and materially false or fraudulent statement; a statement or description that intentionally omits or misrepresents material information to deceive an owner or authorized operator of a computer; or an intentional and material failure to provide any notice to the owner or authorized user of the computer regarding the installation or execution of computer software to deceive the owner or authorized operator of the computer.

    "Internet" means the global information system that is linked together by globally unique address space based on the Internet Protocol, or its subsequent extensions, and that is able to support communications using the transmission control protocol/Internet protocol suite, or its subsequent extensions, or other Internet protocol compatible protocols, and that provides, uses, or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure.

    "Owner" or "authorized operator" means the owner or lessee of a computer, or a person using a computer with the owner or lessee's authorization, but does not include a person who owned the computer prior to the first retail sale of the computer.

    "Personally identifiable information" includes, but is not limited to:

    (a)   The first name or first initial in combination with the last name;

    (b)   A home or physical address, including street name;

    (c)   An electronic mail address;

    (d)   Credit or debit card number, bank account number, or any password or access code associated with a credit or debit card or bank account;

    (e)   Social security number, tax identification number, driver's license number, passport number, or any other government-issued identification number; or

    (f)   Account balance, overdraft history, or payment history that personally identifies an owner or authorized operator of a computer.

    "Spyware" means an executable computer program that automatically, and without the control of the owner or authorized operator of the computer, gathers and transmits to the provider of the program or a third party personally identifiable information of the owner or authorized operator or information relating to computer usage, including, but not limited to, Internet websites and addresses that are or have been visited by the owner or authorized operator."

     SECTION 3.  New statutory material is underscored.

     SECTION 4.  This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun, before its effective date.

     SECTION 5.  This Act shall take effect upon its approval.

 

INTRODUCED BY:

_____________________________