Revision: Jan. 21, 2010, midnight
CHAPTER 238
HB 47 – FINAL VERSION
23Feb2005… 0219h
05/12/05 1355s
06/09/05 1854s
29Jun2005… 1985eba
2005 SESSION
05/09
HOUSE BILL 47
COMMITTEE: Science, Technology and Energy
This bill prohibits the use of spyware or similar computer programs to knowingly alter, take control of, or damage a consumer’s computer or Internet access and establishes a criminal penalty for such conduct.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Explanation: Matter added to current law appears in bold italics.
Matter removed from current law appears [in brackets and struckthrough.]
Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.
23Feb2005… 0219h
05/12/05 1355s
06/09/05 1854s
29Jun2005… 1985eba
05-0061
05/09
STATE OF NEW HAMPSHIRE
In the Year of Our Lord Two Thousand Five
AN ACT regulating the use of computer spyware.
Be it Enacted by the Senate and House of Representatives in General Court convened:
238:1 New Chapter; Computer Spyware. Amend RSA by inserting after chapter 359-G the following new chapter:
CHAPTER 359-H
COMPUTER SPYWARE
359-H:1 Definitions. In this chapter:
I. “Advertisement” means a communication, the primary purpose of which is the commercial promotion of a commercial product or service, including content on an Internet website operated for a commercial purpose.
II. “Authorized user” means a consumer who owns or is permitted to use a computer.
III. “Computer program” means a set of statements or instructions to be used directly or indirectly in a computer in order to bring about a certain result.
IV.(a) “Spyware” means software residing on a computer that:
(1) Employs a user’s Internet connection in the background, via a backchannel, without his or her knowledge or explicit permission.
(2) Sends information about the computer’s usage to a remote computer or server; or displays or causes to be displayed an advertisement in response to the computer’s usage.
(3) Sends or causes to be sent personal information residing on the computer to a remote computer or server.
(b) Notwithstanding subparagraph (a), “spyware” does not include any of the following:
(1) Software designed and installed primarily to prevent, diagnose, or resolve technical difficulties, to protect the security of the user’s computer, or to detect or prevent fraudulent activities.
(2) Software or data that solely report to an Internet website information stored by the Internet website on the user’s computer, including cookies, HTML code, or Java Scripts.
(3) Software that provides the user with the capability to search the Internet.
(4) Software installed with the consent of an authorized user whose primary purpose is to prevent access to Internet content that is inappropriate for minors.
(5) An operating system.
V. “Usage” means:
(a) The Internet websites accessed by a user.
(b) The contents or characteristics of the Internet websites accessed by a user.
(c) A user’s personal information, including:
(1) A first and last name of a user, whether given at birth or adoption, assumed, or legally changed.
(2) Any of the following with respect to a user’s home or other physical address: the street name, the name of the city or town, or the zip code.
(3) An electronic mail address.
(4) A telephone number.
(5) A Social Security number.
(6) Any personal identification number.
(7) A credit or debit card number.
(8) Any access code associated with a credit or debit card.
(9) A date of birth, birth certificate number, or place of birth.
(10) A password or access code.
(11) A bank account number.
359-H:2 Prohibited Conduct. A person or entity conducting business in this state, who is not an authorized user, shall not knowingly cause a computer program or spyware to be copied onto the computer of a consumer and use the program or spyware to do any of the following:
I. Take control, through intentionally deceptive means, of the consumer’s computer by doing any of the following:
(a) Transmitting or relaying commercial electronic mail or a computer virus from the consumer’s computer, where the transmission or relaying is initiated by a person other than an authorized user and without the authorization of an authorized user.
(b) Accessing or using the consumer’s modem or Internet service for the purpose of causing damage to the consumer’s computer or causing an authorized user to incur unauthorized financial charges.
(c) Using the consumer’s computer as part of an activity performed by a group of computers for the purpose of causing damage to another computer, including launching a denial of service attack.
(d) Opening multiple, sequential, stand-alone advertisements in the consumer’s Internet browser with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the consumer’s Internet browser.
II. Modifying, through intentionally deceptive means, any of the following settings related to the computer’s access to, or use of, the Internet:
(a) The page that appears when an authorized user launches an Internet browser or similar program used to access and navigate the Internet.
(b) The default provider the authorized user uses to access or search the Internet.
(c) The authorized user’s list of bookmarks used to access Web pages.
(d) An authorized user’s security or other settings that protect information about the authorized user, for the purpose of stealing personal information of, or causing harm to, an authorized user.
(e) The security settings of the computer for the purpose of causing damage to one or more computers.
III. Collecting personal information through intentionally deceptive means, such as through the use of a keystroke logging function, and transferring that information from the computer to another person.
IV. Preventing, through intentionally deceptive means, an authorized user’s reasonable efforts to block the installation of, or to disable, software by doing any of the following:
(a) Presenting an authorized user with an option to decline installation of software such that, when the option is selected, the installation nevertheless proceeds.
(b) Falsely representing that software has been disabled.
(c) Causing software that the authorized user has properly removed or disabled to automatically reinstall or reactivate on the computer without the authorization of an authorized user.
V. Intentionally misrepresenting that software will be uninstalled or disabled by an authorized user’s action, with knowledge that the software will not be uninstalled or disabled.
VI. Inducing, through deceptive means, an authorized user to install a software component onto the computer, including deceptively misrepresenting that installing software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content.
VII. Deceptively installing and executing on the computer one or more additional computer software components with the intent of causing an authorized user to use the components in a way that violates any other provision of this section.
VIII. Through intentionally deceptive means, removing, disabling, or rendering inoperative a security, antispyware, or antivirus technology installed on the computer.
359-H:3 Violation; Criminal Penalty. Any person who uses a computer program or spyware in violation of RSA 359-H:2 shall be guilty of a class A misdemeanor.
359-H:4 Limitations on Actions. A person may not bring an action for a violation of this chapter against an Internet service provider for the routine transmission of security information or information that contains an advertisement violating this chapter. No person may bring a class action under this chapter.
359-H:5 Enforcement; Information Gathering. The house standing committee responsible for science, technology, and energy issues, in consultation with the department of justice, may periodically review implementation and enforcement of this chapter and shall make such legislative recommendations as may be appropriate.
359-H:6 Exemption. A provider of software or provider of interactive computer service shall not be held liable under this chapter for any action voluntarily taken in good faith, or any service provided in good faith, to remove or disable programs used to violate RSA 359-H:2 that reside on the consumer’s computer if the consumer is a customer of the provider and if the provider notifies the consumer prior to undertaking the action or providing the service.
238:2 Effective Date. This act shall take effect upon its passage.
(Approved: July 14, 2005)
(Effective Date: July 14, 2005)