Bill Text: NY A03658 | 2009-2010 | General Assembly | Introduced
Bill Title: An act to amend the penal law, in relation to establishing the crime of unlawful use of spyware and malware
Spectrum: Partisan Bill (Democrat 2-0)
Status: (Introduced - Dead) 2010-01-06 - referred to codes
STATE OF NEW YORK

3658

2009-2010 Regular Sessions

IN ASSEMBLY

January 27, 2009

Introduced by M. of A. TOWNS -- read once and referred to the Committee on Codes

AN ACT to amend the penal law, in relation to establishing the crime of unlawful use of spyware and malware

EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD02018-01-9

THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:

Section 1. The penal law is amended by adding a new section 156.40 to read as follows:

S 156.40 UNLAWFUL USE OF SPYWARE AND MALWARE.

1. A PERSON IS GUILTY OF UNLAWFUL USE OF SPYWARE AND MALWARE WHEN SUCH PERSON OR ENTITY THAT IS NOT AN AUTHORIZED USER, AS DEFINED IN SUBDIVISION FOUR OF THIS SECTION, WITH ACTUAL KNOWLEDGE, WITH CONSCIOUS AVOIDANCE OF ACTUAL KNOWLEDGE, OR WILLFULLY, CAUSES COMPUTER SOFTWARE TO BE COPIED ONTO THE COMPUTER OF A CONSUMER IN THIS STATE AND USES THE SOFTWARE TO DO ANY OF THE FOLLOWING:
  (A) MODIFY, THROUGH INTENTIONALLY DECEPTIVE MEANS, ANY OF THE FOLLOWING SETTINGS RELATED TO THE COMPUTER'S ACCESS TO, OR USE OF, THE INTERNET:
    (1) THE PAGE THAT APPEARS WHEN AN AUTHORIZED USER LAUNCHES AN INTERNET BROWSER OR SIMILAR SOFTWARE PROGRAM USED TO ACCESS AND NAVIGATE THE INTERNET.
    (2) THE DEFAULT PROVIDER OR WEB PROXY THE AUTHORIZED USER USES TO ACCESS OR SEARCH THE INTERNET.
    (3) THE AUTHORIZED USER'S LIST OF BOOKMARKS USED TO ACCESS WEB PAGES.
  (B) COLLECT, THROUGH INTENTIONALLY DECEPTIVE MEANS, PERSONALLY IDENTIFIABLE INFORMATION THAT MEETS ANY OF THE FOLLOWING CRITERIA:
    (1) IT IS COLLECTED THROUGH THE USE OF A KEYSTROKE-LOGGING FUNCTION THAT RECORDS ALL KEYSTROKES MADE BY AN AUTHORIZED USER WHO USES THE COMPUTER AND TRANSFERS THAT INFORMATION FROM THE COMPUTER TO ANOTHER PERSON.
    (2) IT INCLUDES ALL OR SUBSTANTIALLY ALL OF THE WEB SITES VISITED BY AN AUTHORIZED USER, OTHER THAN WEB SITES OF THE PROVIDER OF THE SOFTWARE, IF THE COMPUTER SOFTWARE WAS INSTALLED IN A MANNER DESIGNED TO CONCEAL FROM ALL AUTHORIZED USERS OF THE COMPUTER THE FACT THAT THE SOFTWARE IS BEING INSTALLED.
    (3) IT IS A DATA ELEMENT DESCRIBED IN SUBPARAGRAPH TWO, THREE, OR FOUR OF PARAGRAPH (K) OF SUBDIVISION FOUR OF THIS SECTION, OR IN CLAUSE (A) OR (B) OF SUBPARAGRAPH FIVE OF PARAGRAPH (K) OF SUBDIVISION FOUR OF THIS SECTION, THAT IS EXTRACTED FROM THE CONSUMER'S COMPUTER HARD DRIVE FOR A PURPOSE WHOLLY UNRELATED TO ANY OF THE PURPOSES OF THE SOFTWARE OR SERVICE DESCRIBED TO AN AUTHORIZED USER.
  (C) PREVENT, WITHOUT THE AUTHORIZATION OF AN AUTHORIZED USER, THROUGH INTENTIONALLY DECEPTIVE MEANS, AN AUTHORIZED USER'S REASONABLE EFFORTS TO BLOCK THE INSTALLATION OF, OR TO DISABLE, SOFTWARE, BY CAUSING SOFTWARE THAT THE AUTHORIZED USER HAS PROPERLY REMOVED OR DISABLED TO AUTOMATICALLY REINSTALL OR REACTIVATE ON THE COMPUTER WITHOUT THE AUTHORIZATION OF AN AUTHORIZED USER.
  (D) INTENTIONALLY MISREPRESENT THAT SOFTWARE WILL BE UNINSTALLED OR DISABLED BY AN AUTHORIZED USER'S ACTION, WITH KNOWLEDGE THAT THE SOFTWARE WILL NOT BE SO UNINSTALLED OR DISABLED.
  (E) THROUGH INTENTIONALLY DECEPTIVE MEANS, REMOVE, DISABLE, OR RENDER INOPERATIVE SECURITY, ANTISPYWARE, OR ANTIVIRUS SOFTWARE INSTALLED ON THE COMPUTER.

2. A PERSON OR ENTITY THAT IS NOT AN AUTHORIZED USER, AS DEFINED IN SUBDIVISION FOUR OF THIS SECTION, SHALL NOT, WITH ACTUAL KNOWLEDGE, WITH CONSCIOUS AVOIDANCE OF ACTUAL KNOWLEDGE, OR WILLFULLY, CAUSE COMPUTER SOFTWARE TO BE COPIED ONTO THE COMPUTER OF A CONSUMER IN THIS STATE AND USE THE SOFTWARE TO DO ANY OF THE FOLLOWING:
  (A) TAKE CONTROL OF THE CONSUMER'S COMPUTER BY DOING ANY OF THE FOLLOWING:
    (1) TRANSMITTING OR RELAYING COMMERCIAL ELECTRONIC MAIL OR A COMPUTER VIRUS FROM THE CONSUMER'S COMPUTER, WHERE THE TRANSMISSION OR RELAYING IS INITIATED BY A PERSON OTHER THAN THE AUTHORIZED USER AND WITHOUT THE AUTHORIZATION OF AN AUTHORIZED USER.
    (2) ASSESSING OR USING THE CONSUMER'S MODEM OR INTERNET SERVICE FOR THE PURPOSE OF CAUSING DAMAGE TO THE CONSUMER'S COMPUTER OR OF CAUSING AN AUTHORIZED USER TO INCUR FINANCIAL CHARGES FOR A SERVICE THAT IS NOT AUTHORIZED BY AN AUTHORIZED USER.
    (3) USING THE CONSUMER'S COMPUTER AS PART OF AN ACTIVITY PERFORMED BY A GROUP OF COMPUTERS FOR THE PURPOSE OF CAUSING DAMAGE TO ANOTHER COMPUTER, INCLUDING, BUT NOT LIMITED TO, LAUNCHING A DENIAL OF SERVICE ATTACK.
    (4) OPENING MULTIPLE, SEQUENTIAL, STAND-ALONE ADVERTISEMENTS IN THE CONSUMER'S INTERNET BROWSER WITHOUT THE AUTHORIZATION OF AN AUTHORIZED USER AND WITH KNOWLEDGE THAT A REASONABLE COMPUTER USER CANNOT CLOSE THE ADVERTISEMENTS WITHOUT TURNING OFF THE COMPUTER OR CLOSING THE CONSUMER'S INTERNET BROWSER.
  (B) MODIFY ANY OF THE FOLLOWING SETTINGS RELATED TO THE COMPUTER'S ACCESS TO, OR USE OF, THE INTERNET:
    (1) AN AUTHORIZED USER'S SECURITY OR OTHER SETTINGS THAT PROTECT INFORMATION ABOUT THE AUTHORIZED USER FOR THE PURPOSE OF STEALING PERSONAL INFORMATION OF AN AUTHORIZED USER.
    (2) THE SECURITY SETTINGS OF THE COMPUTER FOR THE PURPOSE OF CAUSING DAMAGE TO ONE OR MORE COMPUTERS.
  (C) PREVENT, WITHOUT THE AUTHORIZATION OF AN AUTHORIZED USER, AN AUTHORIZED USER'S REASONABLE EFFORTS TO BLOCK THE INSTALLATION OF, OR TO DISABLE, SOFTWARE, BY DOING ANY OF THE FOLLOWING:
    (1) PRESENTING THE AUTHORIZED USER WITH AN OPTION TO DECLINE INSTALLATION OF SOFTWARE WITH KNOWLEDGE THAT, WHEN THE OPTION IS SELECTED BY THE AUTHORIZED USER, THE INSTALLATION NEVERTHELESS PROCEEDS.
    (2) FALSELY REPRESENTING THAT SOFTWARE HAS BEEN DISABLED.
  (D) NOTHING IN THIS SECTION SHALL APPLY TO ANY MONITORING OF, OR INTERACTION WITH, A SUBSCRIBER'S INTERNET OR OTHER NETWORK CONNECTION OR SERVICE, OR A PROTECTED COMPUTER, BY A TELECOMMUNICATIONS CARRIER, CABLE OPERATOR, COMPUTER HARDWARE OR SOFTWARE PROVIDER, OR PROVIDER OF INFORMATION SERVICE OR INTERACTIVE COMPUTER SERVICE FOR NETWORK OR COMPUTER SECURITY PURPOSES, DIAGNOSTICS, TECHNICAL SUPPORT, REPAIR, AUTHORIZED UPDATES OF SOFTWARE OR SYSTEM FIRMWARE, AUTHORIZED REMOTE SYSTEM MANAGEMENT, OR DETECTION OR PREVENTION OF THE UNAUTHORIZED USE OF OR FRAUDULENT OR OTHER ILLEGAL ACTIVITIES IN CONNECTION WITH A NETWORK, SERVICE, OR COMPUTER SOFTWARE, INCLUDING SCANNING FOR AND REMOVING SOFTWARE PROSCRIBED UNDER THIS SECTION.

3. (A) A PERSON OR ENTITY, WHO IS NOT AN UNAUTHORIZED USER, AS DEFINED IN SUBDIVISION FOUR OF THIS SECTION, SHALL NOT DO ANY OF THE FOLLOWING WITH REGARD TO THE COMPUTER OF A CONSUMER IN THIS STATE:
    (1) INDUCE AN AUTHORIZED USER TO INSTALL A SOFTWARE COMPONENT ONTO THE COMPUTER BY INTENTIONALLY MISREPRESENTING THAT INSTALLING SOFTWARE IS NECESSARY FOR SECURITY OR PRIVACY REASONS OR IN ORDER TO OPEN, VIEW, OR PLAY A PARTICULAR TYPE OF CONTENT.
    (2) DECEPTIVELY CAUSING THE COPYING AND EXECUTION ON THE COMPUTER OF A COMPUTER SOFTWARE COMPONENT WITH THE INTENT OF CAUSING AN AUTHORIZED USER TO USE THE COMPONENT IN A WAY THAT VIOLATES ANY OTHER PROVISION OF THIS SECTION.
  (B) NOTHING IN THIS SECTION SHALL APPLY TO ANY MONITORING OF, OR INTERACTION WITH, A SUBSCRIBER'S INTERNET OR OTHER NETWORK CONNECTION OR SERVICE, OR A PROTECTED COMPUTER, BY A TELECOMMUNICATIONS CARRIER, CABLE OPERATOR, COMPUTER HARDWARE OR SOFTWARE PROVIDER, OR PROVIDER OF INFORMATION SERVICE OR INTERACTIVE COMPUTER SERVICE FOR NETWORK OR COMPUTER SECURITY PURPOSES, DIAGNOSTICS, TECHNICAL SUPPORT, REPAIR, AUTHORIZED UPDATES OF SOFTWARE OR SYSTEM FIRMWARE, AUTHORIZED REMOTE SYSTEM MANAGEMENT, OR DETECTION OR PREVENTION OF THE UNAUTHORIZED USE OF OR FRAUDULENT OR OTHER ILLEGAL ACTIVITIES IN CONNECTION WITH A NETWORK, SERVICE, OR COMPUTER SOFTWARE, INCLUDING SCANNING FOR AND REMOVING SOFTWARE PROSCRIBED UNDER THIS SECTION.

4. FOR PURPOSES OF THIS SECTION:
  (A) "ADVERTISEMENT" SHALL MEAN A COMMUNICATION, THE PRIMARY PURPOSE OF WHICH IS THE COMMERCIAL PROMOTION OF A COMMERCIAL PRODUCT OR SERVICE, INCLUDING CONTENT ON AN INTERNET WEB SITE OPERATED FOR A COMMERCIAL PURPOSE.
  (B) "AUTHORIZED USER," WITH RESPECT TO A COMPUTER, SHALL MEAN A PERSON WHO OWNS OR IS AUTHORIZED BY THE OWNER OR LESSEE TO USE THE COMPUTER. AN "AUTHORIZED USER" DOES NOT INCLUDE A PERSON OR ENTITY THAT HAS OBTAINED AUTHORIZATION TO USE THE COMPUTER SOLELY THROUGH THE USE OF AN END USER LICENSE AGREEMENT.
  (C) "COMPUTER SOFTWARE" SHALL MEAN A SEQUENCE OF INSTRUCTIONS WRITTEN IN ANY PROGRAMMING LANGUAGE THAT IS EXECUTED ON A COMPUTER.
  (D) "COMPUTER VIRUS" SHALL MEAN A COMPUTER PROGRAM OR OTHER SET OF INSTRUCTIONS THAT IS DESIGNED TO DEGRADE THE PERFORMANCE OF OR DISABLE A COMPUTER OR COMPUTER NETWORK AND IS DESIGNED TO HAVE THE ABILITY TO REPLICATE ITSELF ON OTHER COMPUTERS OR COMPUTER NETWORKS WITHOUT THE AUTHORIZATION OF THE OWNERS OF THOSE COMPUTERS OR COMPUTER NETWORKS.
  (E) "CONSUMER" SHALL MEAN AN INDIVIDUAL WHO RESIDES IN THIS STATE AND WHO USES THE COMPUTER IN QUESTION PRIMARILY FOR PERSONAL, FAMILY, OR HOUSEHOLD PURPOSES.
  (F) "DAMAGE" SHALL MEAN ANY SIGNIFICANT IMPAIRMENT TO THE INTEGRITY OR AVAILABILITY OF DATA, SOFTWARE, A SYSTEM, OR INFORMATION.
  (G) "EXECUTE," WHEN USED WITH RESPECT TO COMPUTER SOFTWARE, SHALL MEAN THE PERFORMANCE OF THE FUNCTIONS OR THE CARRYING OUT OF THE INSTRUCTIONS OF THE COMPUTER SOFTWARE.
  (H) "INTENTIONALLY DECEPTIVE" SHALL MEAN ANY OF THE FOLLOWING:
    (1) BY MEANS OF AN INTENTIONALLY AND MATERIALLY FALSE OR FRAUDULENT STATEMENT.
    (2) BY MEANS OF A STATEMENT OR DESCRIPTION THAT INTENTIONALLY OMITS OR MISREPRESENTS MATERIAL INFORMATION IN ORDER TO DECEIVE THE CONSUMER.
    (3) BY MEANS OF AN INTENTIONAL AND MATERIAL FAILURE TO PROVIDE ANY NOTICE TO AN AUTHORIZED USER REGARDING THE DOWNLOAD OR INSTALLATION OF SOFTWARE IN ORDER TO DECEIVE THE CONSUMER.
  (I) "INTERNET" SHALL MEAN THE GLOBAL INFORMATION SYSTEM THAT IS LOGICALLY LINKED TOGETHER BY A GLOBALLY UNIQUE ADDRESS SPACE BASED ON THE INTERNET PROTOCOL (IP), OR ITS SUBSEQUENT EXTENSIONS, AND THAT IS ABLE TO SUPPORT COMMUNICATIONS USING THE TRANSMISSION CONTROL PROTOCOL/INTERNET PROTOCOL (TCP/IP) SUITE, OR ITS SUBSEQUENT EXTENSIONS, OR OTHER IP-COMPATIBLE PROTOCOLS, AND THAT PROVIDES, USES, OR MAKES ACCESSIBLE, EITHER PUBLICLY OR PRIVATELY, HIGH LEVEL SERVICES LAYERED ON THE COMMUNICATIONS AND RELATED INFRASTRUCTURE DESCRIBED IN THIS SUBDIVISION.
  (J) "PERSON" SHALL MEAN ANY INDIVIDUAL, PARTNERSHIP, CORPORATION, LIMITED LIABILITY COMPANY, OR OTHER ORGANIZATION, OR ANY COMBINATION THEREOF.
  (K) "PERSONALLY IDENTIFIABLE INFORMATION" SHALL MEAN ANY OF THE FOLLOWING:
    (1) FIRST NAME OR FIRST INITIAL IN COMBINATION WITH LAST NAME.
    (2) CREDIT OR DEBIT CARD NUMBERS OR OTHER FINANCIAL ACCOUNT NUMBERS.
    (3) A PASSWORD OR PERSONAL IDENTIFICATION NUMBER REQUIRED TO ACCESS AN IDENTIFIED FINANCIAL ACCOUNT.
    (4) SOCIAL SECURITY NUMBER.
    (5) ANY OF THE FOLLOWING INFORMATION IN A FORM THAT PERSONALLY IDENTIFIES AN AUTHORIZED USER:
      (A) ACCOUNT BALANCES.
      (B) OVERDRAFT HISTORY.
      (C) PAYMENT HISTORY.
      (D) A HISTORY OF WEB SITES VISITED.
      (E) HOME ADDRESS.
      (F) WORK ADDRESS.
      (G) A RECORD OF A PURCHASE OR PURCHASES.

UNLAWFUL USE OF SPYWARE AND MALWARE IS A CLASS A MISDEMEANOR, PROVIDED, HOWEVER, THAT UNLAWFUL USE OF SPYWARE AND MALWARE BY A PERSON WHO HAS BEEN PREVIOUSLY CONVICTED WITHIN THE LAST FIVE YEARS OF HAVING VIOLATED THIS SECTION IS A CLASS E FELONY.

S 2. This act shall take effect on the first of November next succeeding the date on which it shall have become a law.