Bill Text: NY A03658 | 2009-2010 | General Assembly | Introduced


Bill Title: An act to amend the penal law, in relation to establishing the crime of unlawful use of spyware and malware

Spectrum: Partisan Bill (Democrat 2-0)

Status: (Introduced - Dead) 2010-01-06 - referred to codes

                           S T A T E   O F   N E W   Y O R K
       ________________________________________________________________________
                                         3658
                              2009-2010 Regular Sessions
                                 I N  A S S E M B L Y
                                   January 27, 2009
                                      ___________
       Introduced  by M. of A. TOWNS -- read once and referred to the Committee
         on Codes
       AN ACT to amend the penal law, in relation to establishing the crime  of
         unlawful use of spyware and malware
         THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
       BLY, DO ENACT AS FOLLOWS:
    1    Section 1. The penal law is amended by adding a new section 156.40  to
    2  read as follows:
    3  S 156.40 UNLAWFUL USE OF SPYWARE AND MALWARE.
    4    1. A PERSON IS GUILTY OF UNLAWFUL USE OF SPYWARE AND MALWARE WHEN SUCH
    5  PERSON  OR ENTITY THAT IS NOT AN AUTHORIZED USER, AS DEFINED IN SUBDIVI-
    6  SION FOUR OF THIS SECTION, WITH ACTUAL KNOWLEDGE, WITH CONSCIOUS  AVOID-
    7  ANCE  OF  ACTUAL KNOWLEDGE, OR WILLFULLY, CAUSES COMPUTER SOFTWARE TO BE
    8  COPIED ONTO THE COMPUTER OF A CONSUMER IN THIS STATE AND USES THE  SOFT-
    9  WARE TO DO ANY OF THE FOLLOWING:
   10    (A)  MODIFY, THROUGH INTENTIONALLY DECEPTIVE MEANS, ANY OF THE FOLLOW-
   11  ING SETTINGS RELATED TO THE COMPUTER'S ACCESS TO, OR USE OF, THE  INTER-
   12  NET:
   13    (1) THE PAGE THAT APPEARS WHEN AN AUTHORIZED USER LAUNCHES AN INTERNET
   14  BROWSER  OR  SIMILAR  SOFTWARE  PROGRAM  USED TO ACCESS AND NAVIGATE THE
   15  INTERNET.
   16    (2) THE DEFAULT PROVIDER OR WEB PROXY  THE  AUTHORIZED  USER  USES  TO
   17  ACCESS OR SEARCH THE INTERNET.
   18    (3) THE AUTHORIZED USER'S LIST OF BOOKMARKS USED TO ACCESS WEB PAGES.
   19    (B)  COLLECT,  THROUGH INTENTIONALLY DECEPTIVE MEANS, PERSONALLY IDEN-
   20  TIFIABLE INFORMATION THAT MEETS ANY OF THE FOLLOWING CRITERIA:
   21    (1) IT IS COLLECTED THROUGH THE USE OF  A  KEYSTROKE-LOGGING  FUNCTION
   22  THAT  RECORDS  ALL  KEYSTROKES  MADE  BY AN AUTHORIZED USER WHO USES THE
   23  COMPUTER AND TRANSFERS THAT INFORMATION FROM  THE  COMPUTER  TO  ANOTHER
   24  PERSON.
        EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                             [ ] is old law to be omitted.
                                                                  LBD02018-01-9
    1    (2)  IT  INCLUDES ALL OR SUBSTANTIALLY ALL OF THE WEB SITES VISITED BY
    2  AN AUTHORIZED USER, OTHER THAN WEB SITES OF THE PROVIDER  OF  THE  SOFT-
    3  WARE,  IF  THE  COMPUTER  SOFTWARE WAS INSTALLED IN A MANNER DESIGNED TO
    4  CONCEAL FROM ALL AUTHORIZED USERS OF THE  COMPUTER  THE  FACT  THAT  THE
    5  SOFTWARE IS BEING INSTALLED.
    6    (3) IT IS A DATA ELEMENT DESCRIBED IN SUBPARAGRAPH TWO, THREE, OR FOUR
    7  OF  PARAGRAPH  (K) OF SUBDIVISION FOUR OF THIS SECTION, OR IN CLAUSE (A)
    8  OR (B) OF SUBPARAGRAPH FIVE OF PARAGRAPH (K) OF SUBDIVISION FOUR OF THIS
    9  SECTION, THAT IS EXTRACTED FROM THE CONSUMER'S COMPUTER HARD DRIVE FOR A
   10  PURPOSE WHOLLY UNRELATED TO ANY OF  THE  PURPOSES  OF  THE  SOFTWARE  OR
   11  SERVICE DESCRIBED TO AN AUTHORIZED USER.
   12    (C)  PREVENT, WITHOUT THE AUTHORIZATION OF AN AUTHORIZED USER, THROUGH
   13  INTENTIONALLY DECEPTIVE MEANS, AN AUTHORIZED USER'S  REASONABLE  EFFORTS
   14  TO  BLOCK THE INSTALLATION OF, OR TO DISABLE, SOFTWARE, BY CAUSING SOFT-
   15  WARE THAT THE AUTHORIZED USER HAS PROPERLY REMOVED OR DISABLED TO  AUTO-
   16  MATICALLY  REINSTALL  OR REACTIVATE ON THE COMPUTER WITHOUT THE AUTHORI-
   17  ZATION OF AN AUTHORIZED USER.
   18    (D) INTENTIONALLY MISREPRESENT THAT SOFTWARE WILL  BE  UNINSTALLED  OR
   19  DISABLED  BY  AN AUTHORIZED USER'S ACTION, WITH KNOWLEDGE THAT THE SOFT-
   20  WARE WILL NOT BE SO UNINSTALLED OR DISABLED.
   21    (E) THROUGH INTENTIONALLY DECEPTIVE MEANS, REMOVE, DISABLE, OR  RENDER
   22  INOPERATIVE  SECURITY,  ANTISPYWARE,  OR ANTIVIRUS SOFTWARE INSTALLED ON
   23  THE COMPUTER.
   24    2. A PERSON OR ENTITY THAT IS NOT AN AUTHORIZED USER,  AS  DEFINED  IN
   25  SUBDIVISION FOUR OF THIS SECTION, SHALL NOT, WITH ACTUAL KNOWLEDGE, WITH
   26  CONSCIOUS  AVOIDANCE  OF  ACTUAL KNOWLEDGE, OR WILLFULLY, CAUSE COMPUTER
   27  SOFTWARE TO BE COPIED ONTO THE COMPUTER OF A CONSUMER IN THIS STATE  AND
   28  USE THE SOFTWARE TO DO ANY OF THE FOLLOWING:
   29    (A)  TAKE  CONTROL  OF  THE  CONSUMER'S  COMPUTER  BY DOING ANY OF THE
   30  FOLLOWING:
   31    (1) TRANSMITTING OR RELAYING COMMERCIAL ELECTRONIC MAIL OR A  COMPUTER
   32  VIRUS  FROM  THE CONSUMER'S COMPUTER, WHERE THE TRANSMISSION OR RELAYING
   33  IS INITIATED BY A PERSON OTHER THAN THE AUTHORIZED USER AND WITHOUT  THE
   34  AUTHORIZATION OF AN AUTHORIZED USER.
   35    (2)  ASSESSING  OR  USING THE CONSUMER'S MODEM OR INTERNET SERVICE FOR
   36  THE PURPOSE OF CAUSING DAMAGE TO THE CONSUMER'S COMPUTER OR  OF  CAUSING
   37  AN  AUTHORIZED USER TO INCUR FINANCIAL CHARGES FOR A SERVICE THAT IS NOT
   38  AUTHORIZED BY AN AUTHORIZED USER.
   39    (3) USING THE CONSUMER'S COMPUTER AS PART OF AN ACTIVITY PERFORMED  BY
   40  A  GROUP  OF  COMPUTERS  FOR  THE  PURPOSE  OF CAUSING DAMAGE TO ANOTHER
   41  COMPUTER, INCLUDING, BUT NOT LIMITED TO, LAUNCHING A DENIAL  OF  SERVICE
   42  ATTACK.
   43    (4)  OPENING  MULTIPLE,  SEQUENTIAL, STAND-ALONE ADVERTISEMENTS IN THE
   44  CONSUMER'S INTERNET BROWSER WITHOUT THE AUTHORIZATION OF  AN  AUTHORIZED
   45  USER AND WITH KNOWLEDGE THAT A REASONABLE COMPUTER USER CANNOT CLOSE THE
   46  ADVERTISEMENTS  WITHOUT  TURNING OFF THE COMPUTER OR CLOSING THE CONSUM-
   47  ER'S INTERNET BROWSER.
   48    (B) MODIFY ANY OF THE FOLLOWING SETTINGS  RELATED  TO  THE  COMPUTER'S
   49  ACCESS TO, OR USE OF, THE INTERNET:
   50    (1)  AN  AUTHORIZED  USER'S  SECURITY  OR  OTHER SETTINGS THAT PROTECT
   51  INFORMATION ABOUT THE  AUTHORIZED  USER  FOR  THE  PURPOSE  OF  STEALING
   52  PERSONAL INFORMATION OF AN AUTHORIZED USER.
   53    (2)  THE  SECURITY SETTINGS OF THE COMPUTER FOR THE PURPOSE OF CAUSING
   54  DAMAGE TO ONE OR MORE COMPUTERS.
    1    (C) PREVENT, WITHOUT THE  AUTHORIZATION  OF  AN  AUTHORIZED  USER,  AN
    2  AUTHORIZED USER'S REASONABLE EFFORTS TO BLOCK THE INSTALLATION OF, OR TO
    3  DISABLE, SOFTWARE, BY DOING ANY OF THE FOLLOWING:
    4    (1) PRESENTING THE AUTHORIZED USER WITH AN OPTION TO DECLINE INSTALLA-
    5  TION OF SOFTWARE WITH KNOWLEDGE THAT, WHEN THE OPTION IS SELECTED BY THE
    6  AUTHORIZED USER, THE INSTALLATION NEVERTHELESS PROCEEDS.
    7    (2) FALSELY REPRESENTING THAT SOFTWARE HAS BEEN DISABLED.
    8    (D)  NOTHING  IN  THIS  SECTION  SHALL  APPLY TO ANY MONITORING OF, OR
    9  INTERACTION WITH, A SUBSCRIBER'S INTERNET OR OTHER NETWORK CONNECTION OR
   10  SERVICE, OR A PROTECTED COMPUTER, BY A TELECOMMUNICATIONS CARRIER, CABLE
   11  OPERATOR, COMPUTER HARDWARE OR SOFTWARE PROVIDER, OR PROVIDER OF  INFOR-
   12  MATION  SERVICE  OR INTERACTIVE COMPUTER SERVICE FOR NETWORK OR COMPUTER
   13  SECURITY PURPOSES, DIAGNOSTICS, TECHNICAL  SUPPORT,  REPAIR,  AUTHORIZED
   14  UPDATES OF SOFTWARE OR SYSTEM FIRMWARE, AUTHORIZED REMOTE SYSTEM MANAGE-
   15  MENT,  OR  DETECTION OR PREVENTION OF THE UNAUTHORIZED USE OF OR FRAUDU-
   16  LENT OR OTHER ILLEGAL ACTIVITIES IN CONNECTION WITH A NETWORK,  SERVICE,
   17  OR  COMPUTER  SOFTWARE,  INCLUDING  SCANNING  FOR  AND REMOVING SOFTWARE
   18  PROSCRIBED UNDER THIS SECTION.
   19    3. (A) A PERSON OR ENTITY, WHO IS NOT AN UNAUTHORIZED USER, AS DEFINED
   20  IN SUBDIVISION FOUR OF THIS SECTION, SHALL NOT DO ANY OF  THE  FOLLOWING
   21  WITH REGARD TO THE COMPUTER OF A CONSUMER IN THIS STATE:
   22    (1) INDUCE AN AUTHORIZED USER TO INSTALL A SOFTWARE COMPONENT ONTO THE
   23  COMPUTER  BY  INTENTIONALLY  MISREPRESENTING THAT INSTALLING SOFTWARE IS
   24  NECESSARY FOR SECURITY OR PRIVACY REASONS OR IN ORDER TO OPEN, VIEW,  OR
   25  PLAY A PARTICULAR TYPE OF CONTENT.
   26    (2) DECEPTIVELY CAUSING THE COPYING AND EXECUTION ON THE COMPUTER OF A
   27  COMPUTER  SOFTWARE  COMPONENT  WITH  THE INTENT OF CAUSING AN AUTHORIZED
   28  USER TO USE THE COMPONENT IN A WAY THAT VIOLATES ANY OTHER PROVISION  OF
   29  THIS SECTION.
   30    (B)  NOTHING  IN  THIS  SECTION  SHALL  APPLY TO ANY MONITORING OF, OR
   31  INTERACTION WITH, A SUBSCRIBER'S INTERNET OR OTHER NETWORK CONNECTION OR
   32  SERVICE, OR A PROTECTED COMPUTER, BY A TELECOMMUNICATIONS CARRIER, CABLE
   33  OPERATOR, COMPUTER HARDWARE OR SOFTWARE PROVIDER, OR PROVIDER OF  INFOR-
   34  MATION  SERVICE  OR INTERACTIVE COMPUTER SERVICE FOR NETWORK OR COMPUTER
   35  SECURITY PURPOSES, DIAGNOSTICS, TECHNICAL  SUPPORT,  REPAIR,  AUTHORIZED
   36  UPDATES OF SOFTWARE OR SYSTEM FIRMWARE, AUTHORIZED REMOTE SYSTEM MANAGE-
   37  MENT,  OR  DETECTION OR PREVENTION OF THE UNAUTHORIZED USE OF OR FRAUDU-
   38  LENT OR OTHER ILLEGAL ACTIVITIES IN CONNECTION WITH A NETWORK,  SERVICE,
   39  OR  COMPUTER  SOFTWARE,  INCLUDING  SCANNING  FOR  AND REMOVING SOFTWARE
   40  PROSCRIBED UNDER THIS SECTION.
   41    4. FOR PURPOSES OF THIS SECTION:
   42    (A) "ADVERTISEMENT" SHALL MEAN A COMMUNICATION, THE PRIMARY PURPOSE OF
   43  WHICH IS THE COMMERCIAL PROMOTION OF A COMMERCIAL  PRODUCT  OR  SERVICE,
   44  INCLUDING  CONTENT  ON  AN  INTERNET  WEB SITE OPERATED FOR A COMMERCIAL
   45  PURPOSE.
   46    (B) "AUTHORIZED USER," WITH RESPECT TO A COMPUTER, SHALL MEAN A PERSON
   47  WHO OWNS OR IS AUTHORIZED BY THE OWNER OR LESSEE TO USE THE COMPUTER. AN
   48  "AUTHORIZED USER" DOES NOT INCLUDE A PERSON OR ENTITY THAT HAS  OBTAINED
   49  AUTHORIZATION  TO USE THE COMPUTER SOLELY THROUGH THE USE OF AN END USER
   50  LICENSE AGREEMENT.
   51    (C) "COMPUTER SOFTWARE" SHALL MEAN A SEQUENCE OF INSTRUCTIONS  WRITTEN
   52  IN ANY PROGRAMMING LANGUAGE THAT IS EXECUTED ON A COMPUTER.
   53    (D)  "COMPUTER  VIRUS"  SHALL  MEAN A COMPUTER PROGRAM OR OTHER SET OF
   54  INSTRUCTIONS THAT IS DESIGNED TO DEGRADE THE PERFORMANCE OF OR DISABLE A
   55  COMPUTER OR COMPUTER NETWORK AND IS DESIGNED  TO  HAVE  THE  ABILITY  TO
    1  REPLICATE  ITSELF  ON  OTHER  COMPUTERS OR COMPUTER NETWORKS WITHOUT THE
    2  AUTHORIZATION OF THE OWNERS OF THOSE COMPUTERS OR COMPUTER NETWORKS.
    3    (E)  "CONSUMER" SHALL MEAN AN INDIVIDUAL WHO RESIDES IN THIS STATE AND
    4  WHO USES THE COMPUTER IN QUESTION PRIMARILY  FOR  PERSONAL,  FAMILY,  OR
    5  HOUSEHOLD PURPOSES.
    6    (F) "DAMAGE" SHALL MEAN ANY SIGNIFICANT IMPAIRMENT TO THE INTEGRITY OR
    7  AVAILABILITY OF DATA, SOFTWARE, A SYSTEM, OR INFORMATION.
    8    (G) "EXECUTE," WHEN USED WITH RESPECT TO COMPUTER SOFTWARE, SHALL MEAN
    9  THE PERFORMANCE OF THE FUNCTIONS OR THE CARRYING OUT OF THE INSTRUCTIONS
   10  OF THE COMPUTER SOFTWARE.
   11    (H) "INTENTIONALLY DECEPTIVE" SHALL MEAN ANY OF THE FOLLOWING:
   12    (1) BY MEANS OF AN INTENTIONALLY AND MATERIALLY  FALSE  OR  FRAUDULENT
   13  STATEMENT.
   14    (2) BY MEANS OF A STATEMENT OR DESCRIPTION THAT INTENTIONALLY OMITS OR
   15  MISREPRESENTS MATERIAL INFORMATION IN ORDER TO DECEIVE THE CONSUMER.
   16    (3)  BY  MEANS  OF  AN INTENTIONAL AND MATERIAL FAILURE TO PROVIDE ANY
   17  NOTICE TO AN AUTHORIZED USER REGARDING THE DOWNLOAD OR  INSTALLATION  OF
   18  SOFTWARE IN ORDER TO DECEIVE THE CONSUMER.
   19    (I)  "INTERNET"  SHALL  MEAN  THE  GLOBAL  INFORMATION  SYSTEM THAT IS
   20  LOGICALLY LINKED TOGETHER BY A GLOBALLY UNIQUE ADDRESS  SPACE  BASED  ON
   21  THE  INTERNET  PROTOCOL  (IP), OR ITS SUBSEQUENT EXTENSIONS, AND THAT IS
   22  ABLE  TO  SUPPORT  COMMUNICATIONS   USING   THE   TRANSMISSION   CONTROL
   23  PROTOCOL/INTERNET PROTOCOL (TCP/IP) SUITE, OR ITS SUBSEQUENT EXTENSIONS,
   24  OR  OTHER  IP-COMPATIBLE  PROTOCOLS,  AND  THAT PROVIDES, USES, OR MAKES
   25  ACCESSIBLE, EITHER PUBLICLY OR PRIVATELY, HIGH LEVEL SERVICES LAYERED ON
   26  THE COMMUNICATIONS AND RELATED INFRASTRUCTURE DESCRIBED IN THIS SUBDIVI-
   27  SION.
   28    (J) "PERSON" SHALL  MEAN  ANY  INDIVIDUAL,  PARTNERSHIP,  CORPORATION,
   29  LIMITED  LIABILITY  COMPANY,  OR  OTHER ORGANIZATION, OR ANY COMBINATION
   30  THEREOF.
   31    (K) "PERSONALLY  IDENTIFIABLE  INFORMATION"  SHALL  MEAN  ANY  OF  THE
   32  FOLLOWING:
   33    (1) FIRST NAME OR FIRST INITIAL IN COMBINATION WITH LAST NAME.
   34    (2) CREDIT OR DEBIT CARD NUMBERS OR OTHER FINANCIAL ACCOUNT NUMBERS.
   35    (3) A PASSWORD OR PERSONAL IDENTIFICATION NUMBER REQUIRED TO ACCESS AN
   36  IDENTIFIED FINANCIAL ACCOUNT.
   37    (4) SOCIAL SECURITY NUMBER.
   38    (5) ANY OF THE FOLLOWING INFORMATION IN A FORM THAT PERSONALLY IDENTI-
   39  FIES AN AUTHORIZED USER:
   40    (A) ACCOUNT BALANCES.
   41    (B) OVERDRAFT HISTORY.
   42    (C) PAYMENT HISTORY.
   43    (D) A HISTORY OF WEB SITES VISITED.
   44    (E) HOME ADDRESS.
   45    (F) WORK ADDRESS.
   46    (G) A RECORD OF A PURCHASE OR PURCHASES.
   47    UNLAWFUL  USE  OF  SPYWARE  AND  MALWARE  IS  A  CLASS  A MISDEMEANOR,
   48  PROVIDED, HOWEVER, THAT UNLAWFUL USE OF SPYWARE AND MALWARE BY A  PERSON
   49  WHO  HAS  BEEN PREVIOUSLY CONVICTED WITHIN THE LAST FIVE YEARS OF HAVING
   50  VIOLATED THIS SECTION IS A CLASS E FELONY.
   51    S 2. This act shall take effect on the first of November next succeed-
   52  ing the date on which it shall have become a law.