senate Bill S244

Establishes the crime of unlawful use of spyware and malware

download pdf

Sponsor

Bill Status


  • Introduced
  • In Committee
  • On Floor Calendar
    • Passed Senate
    • Passed Assembly
  • Delivered to Governor
  • Signed/Vetoed by Governor
view actions

actions

  • 09 / Jan / 2013
    • REFERRED TO CODES
  • 08 / Jan / 2014
    • REFERRED TO CODES

Summary

Establishes the crime of unlawful use of spyware and malware; unlawful use of spyware and malware is a class A misdemeanor, provided, however, that unlawful use of spyware and malware by a person who has been previously convicted within the last five years of having violated this section is a class E felony.

do you support this bill?

Bill Details

Versions:
S244
Legislative Cycle:
2013-2014
Current Committee:
Senate Codes
Law Section:
Penal Law
Laws Affected:
Add ยง156.40, Pen L
Versions Introduced in Previous Legislative Cycles:
2011-2012: S167, S1670
2009-2010: S137, S7490
2007-2008: A2427

Sponsor Memo

BILL NUMBER:S244

TITLE OF BILL:
An act
to amend the penal law, in relation to establishing the crime of
unlawful use of spyware and malware

PURPOSE:
The act aims to protect the privacy of computer users by banning the
dissemination of computer spyware and malware without the
authorization of the owner of a computer.

SUMMARY OF PROVISIONS:
Section 1 adds section 156.40 to the Penal Law to ban the use of
computer spyware and malware, where spyware and malware are a
computer program when downloaded and functioning, transmits
information to a third party without the authorization of a computer
user.
Section 2 establishes an effective date of the first of November next
succeeding date on which it shall have become a law.

JUSTIFICATION:
Computer users download information from the internet without truly
understanding what functions the programs will have. Many times
computer users will encounter the opportunity to download a computer
program from the internet that they believe will give them an
innocuous program that will help them organize their lives. However,
it sometimes is not known to the computer user what other functions
the computer program will actually have and these seemingly harmless
programs may also send information to a third party such as a
marketing firm, or worse a person who wishes to commit identity
theft. Key-logging computer programs record all of the keystrokes
that a computer user makes while using a computer. Because many use
computers for banking and credit card transactions, these programs
allow for criminals to commit identity theft.
Therefore, this legislation includes (but is not limited to)
key-logging within the spyware ban.

PRIOR LEGISLATIVE HISTORY:
S.4948 of 2007
04/24/07 Referred to Codes
S.1670 of 2011
01/11/11 Referred to Codes
01/04/12 Referred to Codes

FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
None.

EFFECTIVE DATE:
This act shall take effect on the
first of November
next succeeding the date on which it shall have become a law.

view bill text
                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                   244

                       2013-2014 Regular Sessions

                            I N  S E N A T E

                               (PREFILED)

                             January 9, 2013
                               ___________

Introduced  by  Sen. SAMPSON -- read twice and ordered printed, and when
  printed to be committed to the Committee on Codes

AN ACT to amend the penal law, in relation to establishing the crime  of
  unlawful use of spyware and malware

  THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section 1. The penal law is amended by adding a new section 156.40  to
read as follows:
S 156.40 UNLAWFUL USE OF SPYWARE AND MALWARE.
  1. A PERSON IS GUILTY OF UNLAWFUL USE OF SPYWARE AND MALWARE WHEN SUCH
PERSON  OR ENTITY THAT IS NOT AN AUTHORIZED USER, AS DEFINED IN SUBDIVI-
SION FOUR OF THIS SECTION, WITH ACTUAL KNOWLEDGE, WITH CONSCIOUS  AVOID-
ANCE  OF  ACTUAL KNOWLEDGE, OR WILLFULLY, CAUSES COMPUTER SOFTWARE TO BE
COPIED ONTO THE COMPUTER OF A CONSUMER IN THIS STATE AND USES THE  SOFT-
WARE TO DO ANY OF THE FOLLOWING:
  (A)  MODIFY, THROUGH INTENTIONALLY DECEPTIVE MEANS, ANY OF THE FOLLOW-
ING SETTINGS RELATED TO THE COMPUTER'S ACCESS TO, OR USE OF, THE  INTER-
NET:
  (1) THE PAGE THAT APPEARS WHEN AN AUTHORIZED USER LAUNCHES AN INTERNET
BROWSER  OR  SIMILAR  SOFTWARE  PROGRAM  USED TO ACCESS AND NAVIGATE THE
INTERNET.
  (2) THE DEFAULT PROVIDER OR WEB PROXY  THE  AUTHORIZED  USER  USES  TO
ACCESS OR SEARCH THE INTERNET.
  (3) THE AUTHORIZED USER'S LIST OF BOOKMARKS USED TO ACCESS WEB PAGES.
  (B)  COLLECT,  THROUGH INTENTIONALLY DECEPTIVE MEANS, PERSONALLY IDEN-
TIFIABLE INFORMATION THAT MEETS ANY OF THE FOLLOWING CRITERIA:
  (1) IT IS COLLECTED THROUGH THE USE OF  A  KEYSTROKE-LOGGING  FUNCTION
THAT  RECORDS  ALL  KEYSTROKES  MADE  BY AN AUTHORIZED USER WHO USES THE
COMPUTER AND TRANSFERS THAT INFORMATION FROM  THE  COMPUTER  TO  ANOTHER
PERSON.

 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.
                                                           LBD02135-01-3

S. 244                              2

  (2)  IT  INCLUDES ALL OR SUBSTANTIALLY ALL OF THE WEB SITES VISITED BY
AN AUTHORIZED USER, OTHER THAN WEB SITES OF THE PROVIDER  OF  THE  SOFT-
WARE,  IF  THE  COMPUTER  SOFTWARE WAS INSTALLED IN A MANNER DESIGNED TO
CONCEAL FROM ALL AUTHORIZED USERS OF THE  COMPUTER  THE  FACT  THAT  THE
SOFTWARE IS BEING INSTALLED.
  (3) IT IS A DATA ELEMENT DESCRIBED IN SUBPARAGRAPH TWO, THREE, OR FOUR
OF  PARAGRAPH  (K) OF SUBDIVISION FOUR OF THIS SECTION, OR IN CLAUSE (A)
OR (B) OF SUBPARAGRAPH FIVE OF PARAGRAPH (K) OF SUBDIVISION FOUR OF THIS
SECTION, THAT IS EXTRACTED FROM THE CONSUMER'S COMPUTER HARD DRIVE FOR A
PURPOSE WHOLLY UNRELATED TO ANY OF  THE  PURPOSES  OF  THE  SOFTWARE  OR
SERVICE DESCRIBED TO AN AUTHORIZED USER.
  (C)  PREVENT, WITHOUT THE AUTHORIZATION OF AN AUTHORIZED USER, THROUGH
INTENTIONALLY DECEPTIVE MEANS, AN AUTHORIZED USER'S  REASONABLE  EFFORTS
TO  BLOCK THE INSTALLATION OF, OR TO DISABLE, SOFTWARE, BY CAUSING SOFT-
WARE THAT THE AUTHORIZED USER HAS PROPERLY REMOVED OR DISABLED TO  AUTO-
MATICALLY  REINSTALL  OR REACTIVATE ON THE COMPUTER WITHOUT THE AUTHORI-
ZATION OF AN AUTHORIZED USER.
  (D) INTENTIONALLY MISREPRESENT THAT SOFTWARE WILL  BE  UNINSTALLED  OR
DISABLED  BY  AN AUTHORIZED USER'S ACTION, WITH KNOWLEDGE THAT THE SOFT-
WARE WILL NOT BE SO UNINSTALLED OR DISABLED.
  (E) THROUGH INTENTIONALLY DECEPTIVE MEANS, REMOVE, DISABLE, OR  RENDER
INOPERATIVE  SECURITY,  ANTISPYWARE,  OR ANTIVIRUS SOFTWARE INSTALLED ON
THE COMPUTER.
  2. A PERSON OR ENTITY THAT IS NOT AN AUTHORIZED USER,  AS  DEFINED  IN
SUBDIVISION FOUR OF THIS SECTION, SHALL NOT, WITH ACTUAL KNOWLEDGE, WITH
CONSCIOUS  AVOIDANCE  OF  ACTUAL KNOWLEDGE, OR WILLFULLY, CAUSE COMPUTER
SOFTWARE TO BE COPIED ONTO THE COMPUTER OF A CONSUMER IN THIS STATE  AND
USE THE SOFTWARE TO DO ANY OF THE FOLLOWING:
  (A)  TAKE  CONTROL  OF  THE  CONSUMER'S  COMPUTER  BY DOING ANY OF THE
FOLLOWING:
  (1) TRANSMITTING OR RELAYING COMMERCIAL ELECTRONIC MAIL OR A  COMPUTER
VIRUS  FROM  THE CONSUMER'S COMPUTER, WHERE THE TRANSMISSION OR RELAYING
IS INITIATED BY A PERSON OTHER THAN THE AUTHORIZED USER AND WITHOUT  THE
AUTHORIZATION OF AN AUTHORIZED USER.
  (2)  ASSESSING  OR  USING THE CONSUMER'S MODEM OR INTERNET SERVICE FOR
THE PURPOSE OF CAUSING DAMAGE TO THE CONSUMER'S COMPUTER OR  OF  CAUSING
AN  AUTHORIZED USER TO INCUR FINANCIAL CHARGES FOR A SERVICE THAT IS NOT
AUTHORIZED BY AN AUTHORIZED USER.
  (3) USING THE CONSUMER'S COMPUTER AS PART OF AN ACTIVITY PERFORMED  BY
A  GROUP  OF  COMPUTERS  FOR  THE  PURPOSE  OF CAUSING DAMAGE TO ANOTHER
COMPUTER, INCLUDING, BUT NOT LIMITED TO, LAUNCHING A DENIAL  OF  SERVICE
ATTACK.
  (4)  OPENING  MULTIPLE,  SEQUENTIAL, STAND-ALONE ADVERTISEMENTS IN THE
CONSUMER'S INTERNET BROWSER WITHOUT THE AUTHORIZATION OF  AN  AUTHORIZED
USER AND WITH KNOWLEDGE THAT A REASONABLE COMPUTER USER CANNOT CLOSE THE
ADVERTISEMENTS  WITHOUT  TURNING OFF THE COMPUTER OR CLOSING THE CONSUM-
ER'S INTERNET BROWSER.
  (B) MODIFY ANY OF THE FOLLOWING SETTINGS  RELATED  TO  THE  COMPUTER'S
ACCESS TO, OR USE OF, THE INTERNET:
  (1)  AN  AUTHORIZED  USER'S  SECURITY  OR  OTHER SETTINGS THAT PROTECT
INFORMATION ABOUT THE  AUTHORIZED  USER  FOR  THE  PURPOSE  OF  STEALING
PERSONAL INFORMATION OF AN AUTHORIZED USER.
  (2)  THE  SECURITY SETTINGS OF THE COMPUTER FOR THE PURPOSE OF CAUSING
DAMAGE TO ONE OR MORE COMPUTERS.

S. 244                              3

  (C) PREVENT, WITHOUT THE  AUTHORIZATION  OF  AN  AUTHORIZED  USER,  AN
AUTHORIZED USER'S REASONABLE EFFORTS TO BLOCK THE INSTALLATION OF, OR TO
DISABLE, SOFTWARE, BY DOING ANY OF THE FOLLOWING:
  (1) PRESENTING THE AUTHORIZED USER WITH AN OPTION TO DECLINE INSTALLA-
TION OF SOFTWARE WITH KNOWLEDGE THAT, WHEN THE OPTION IS SELECTED BY THE
AUTHORIZED USER, THE INSTALLATION NEVERTHELESS PROCEEDS.
  (2) FALSELY REPRESENTING THAT SOFTWARE HAS BEEN DISABLED.
  (D)  NOTHING  IN  THIS  SECTION  SHALL  APPLY TO ANY MONITORING OF, OR
INTERACTION WITH, A SUBSCRIBER'S INTERNET OR OTHER NETWORK CONNECTION OR
SERVICE, OR A PROTECTED COMPUTER, BY A TELECOMMUNICATIONS CARRIER, CABLE
OPERATOR, COMPUTER HARDWARE OR SOFTWARE PROVIDER, OR PROVIDER OF  INFOR-
MATION  SERVICE  OR INTERACTIVE COMPUTER SERVICE FOR NETWORK OR COMPUTER
SECURITY PURPOSES, DIAGNOSTICS, TECHNICAL  SUPPORT,  REPAIR,  AUTHORIZED
UPDATES OF SOFTWARE OR SYSTEM FIRMWARE, AUTHORIZED REMOTE SYSTEM MANAGE-
MENT,  OR  DETECTION OR PREVENTION OF THE UNAUTHORIZED USE OF OR FRAUDU-
LENT OR OTHER ILLEGAL ACTIVITIES IN CONNECTION WITH A NETWORK,  SERVICE,
OR  COMPUTER  SOFTWARE,  INCLUDING  SCANNING  FOR  AND REMOVING SOFTWARE
PROSCRIBED UNDER THIS SECTION.
  3. (A) A PERSON OR ENTITY, WHO IS NOT AN UNAUTHORIZED USER, AS DEFINED
IN SUBDIVISION FOUR OF THIS SECTION, SHALL NOT DO ANY OF  THE  FOLLOWING
WITH REGARD TO THE COMPUTER OF A CONSUMER IN THIS STATE:
  (1) INDUCE AN AUTHORIZED USER TO INSTALL A SOFTWARE COMPONENT ONTO THE
COMPUTER  BY  INTENTIONALLY  MISREPRESENTING THAT INSTALLING SOFTWARE IS
NECESSARY FOR SECURITY OR PRIVACY REASONS OR IN ORDER TO OPEN, VIEW,  OR
PLAY A PARTICULAR TYPE OF CONTENT.
  (2) DECEPTIVELY CAUSING THE COPYING AND EXECUTION ON THE COMPUTER OF A
COMPUTER  SOFTWARE  COMPONENT  WITH  THE INTENT OF CAUSING AN AUTHORIZED
USER TO USE THE COMPONENT IN A WAY THAT VIOLATES ANY OTHER PROVISION  OF
THIS SECTION.
  (B)  NOTHING  IN  THIS  SECTION  SHALL  APPLY TO ANY MONITORING OF, OR
INTERACTION WITH, A SUBSCRIBER'S INTERNET OR OTHER NETWORK CONNECTION OR
SERVICE, OR A PROTECTED COMPUTER, BY A TELECOMMUNICATIONS CARRIER, CABLE
OPERATOR, COMPUTER HARDWARE OR SOFTWARE PROVIDER, OR PROVIDER OF  INFOR-
MATION  SERVICE  OR INTERACTIVE COMPUTER SERVICE FOR NETWORK OR COMPUTER
SECURITY PURPOSES, DIAGNOSTICS, TECHNICAL  SUPPORT,  REPAIR,  AUTHORIZED
UPDATES OF SOFTWARE OR SYSTEM FIRMWARE, AUTHORIZED REMOTE SYSTEM MANAGE-
MENT,  OR  DETECTION OR PREVENTION OF THE UNAUTHORIZED USE OF OR FRAUDU-
LENT OR OTHER ILLEGAL ACTIVITIES IN CONNECTION WITH A NETWORK,  SERVICE,
OR  COMPUTER  SOFTWARE,  INCLUDING  SCANNING  FOR  AND REMOVING SOFTWARE
PROSCRIBED UNDER THIS SECTION.
  4. FOR PURPOSES OF THIS SECTION:
  (A) "ADVERTISEMENT" SHALL MEAN A COMMUNICATION, THE PRIMARY PURPOSE OF
WHICH IS THE COMMERCIAL PROMOTION OF A COMMERCIAL  PRODUCT  OR  SERVICE,
INCLUDING  CONTENT  ON  AN  INTERNET  WEB SITE OPERATED FOR A COMMERCIAL
PURPOSE.
  (B) "AUTHORIZED USER," WITH RESPECT TO A COMPUTER, SHALL MEAN A PERSON
WHO OWNS OR IS AUTHORIZED BY THE OWNER OR LESSEE TO USE THE COMPUTER. AN
"AUTHORIZED USER" DOES NOT INCLUDE A PERSON OR ENTITY THAT HAS  OBTAINED
AUTHORIZATION  TO USE THE COMPUTER SOLELY THROUGH THE USE OF AN END USER
LICENSE AGREEMENT.
  (C) "COMPUTER SOFTWARE" SHALL MEAN A SEQUENCE OF INSTRUCTIONS  WRITTEN
IN ANY PROGRAMMING LANGUAGE THAT IS EXECUTED ON A COMPUTER.
  (D)  "COMPUTER  VIRUS"  SHALL  MEAN A COMPUTER PROGRAM OR OTHER SET OF
INSTRUCTIONS THAT IS DESIGNED TO DEGRADE THE PERFORMANCE OF OR DISABLE A
COMPUTER OR COMPUTER NETWORK AND IS DESIGNED  TO  HAVE  THE  ABILITY  TO

S. 244                              4

REPLICATE  ITSELF  ON  OTHER  COMPUTERS OR COMPUTER NETWORKS WITHOUT THE
AUTHORIZATION OF THE OWNERS OF THOSE COMPUTERS OR COMPUTER NETWORKS.
  (E)  "CONSUMER" SHALL MEAN AN INDIVIDUAL WHO RESIDES IN THIS STATE AND
WHO USES THE COMPUTER IN QUESTION PRIMARILY  FOR  PERSONAL,  FAMILY,  OR
HOUSEHOLD PURPOSES.
  (F) "DAMAGE" SHALL MEAN ANY SIGNIFICANT IMPAIRMENT TO THE INTEGRITY OR
AVAILABILITY OF DATA, SOFTWARE, A SYSTEM, OR INFORMATION.
  (G) "EXECUTE," WHEN USED WITH RESPECT TO COMPUTER SOFTWARE, SHALL MEAN
THE PERFORMANCE OF THE FUNCTIONS OR THE CARRYING OUT OF THE INSTRUCTIONS
OF THE COMPUTER SOFTWARE.
  (H) "INTENTIONALLY DECEPTIVE" SHALL MEAN ANY OF THE FOLLOWING:
  (1)  BY  MEANS  OF AN INTENTIONALLY AND MATERIALLY FALSE OR FRAUDULENT
STATEMENT.
  (2) BY MEANS OF A STATEMENT OR DESCRIPTION THAT INTENTIONALLY OMITS OR
MISREPRESENTS MATERIAL INFORMATION IN ORDER TO DECEIVE THE CONSUMER.
  (3) BY MEANS OF AN INTENTIONAL AND MATERIAL  FAILURE  TO  PROVIDE  ANY
NOTICE  TO  AN AUTHORIZED USER REGARDING THE DOWNLOAD OR INSTALLATION OF
SOFTWARE IN ORDER TO DECEIVE THE CONSUMER.
  (I) "INTERNET" SHALL  MEAN  THE  GLOBAL  INFORMATION  SYSTEM  THAT  IS
LOGICALLY  LINKED  TOGETHER  BY A GLOBALLY UNIQUE ADDRESS SPACE BASED ON
THE INTERNET PROTOCOL (IP), OR ITS SUBSEQUENT EXTENSIONS,  AND  THAT  IS
ABLE   TO   SUPPORT   COMMUNICATIONS   USING  THE  TRANSMISSION  CONTROL
PROTOCOL/INTERNET PROTOCOL (TCP/IP) SUITE, OR ITS SUBSEQUENT EXTENSIONS,
OR OTHER IP-COMPATIBLE PROTOCOLS, AND  THAT  PROVIDES,  USES,  OR  MAKES
ACCESSIBLE, EITHER PUBLICLY OR PRIVATELY, HIGH LEVEL SERVICES LAYERED ON
THE COMMUNICATIONS AND RELATED INFRASTRUCTURE DESCRIBED IN THIS SUBDIVI-
SION.
  (J)  "PERSON"  SHALL  MEAN  ANY  INDIVIDUAL, PARTNERSHIP, CORPORATION,
LIMITED LIABILITY COMPANY, OR OTHER  ORGANIZATION,  OR  ANY  COMBINATION
THEREOF.
  (K)  "PERSONALLY  IDENTIFIABLE  INFORMATION"  SHALL  MEAN  ANY  OF THE
FOLLOWING:
  (1) FIRST NAME OR FIRST INITIAL IN COMBINATION WITH LAST NAME.
  (2) CREDIT OR DEBIT CARD NUMBERS OR OTHER FINANCIAL ACCOUNT NUMBERS.
  (3) A PASSWORD OR PERSONAL IDENTIFICATION NUMBER REQUIRED TO ACCESS AN
IDENTIFIED FINANCIAL ACCOUNT.
  (4) SOCIAL SECURITY NUMBER.
  (5) ANY OF THE FOLLOWING INFORMATION IN A FORM THAT PERSONALLY IDENTI-
FIES AN AUTHORIZED USER:
  (A) ACCOUNT BALANCES.
  (B) OVERDRAFT HISTORY.
  (C) PAYMENT HISTORY.
  (D) A HISTORY OF WEB SITES VISITED.
  (E) HOME ADDRESS.
  (F) WORK ADDRESS.
  (G) A RECORD OF A PURCHASE OR PURCHASES.
  UNLAWFUL USE  OF  SPYWARE  AND  MALWARE  IS  A  CLASS  A  MISDEMEANOR,
PROVIDED,  HOWEVER, THAT UNLAWFUL USE OF SPYWARE AND MALWARE BY A PERSON
WHO HAS BEEN PREVIOUSLY CONVICTED WITHIN THE LAST FIVE YEARS  OF  HAVING
VIOLATED THIS SECTION IS A CLASS E FELONY.
  S 2. This act shall take effect on the first of November next succeed-
ing the date on which it shall have become a law.

Comments

Open Legislation comments facilitate discussion of New York State legislation. All comments are subject to moderation. Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity or hate speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Comment moderation is generally performed Monday through Friday.

By contributing or voting you agree to the Terms of Participation and verify you are over 13.