The online versions of legislation provided on this website are not official. Enrolled bills are the final version passed by the Ohio General Assembly and presented to the Governor for signature. The official version of acts signed by the Governor are available from the Secretary of State's Office in the Continental Plaza, 180 East Broad St., Columbus.
H. B. No. 633 As Introduced
126th General Assembly
To enact sections 1349.81, 1349.82, 1349.83, 1349.84, 1349.85, 1349.86, 1349.87, and 1349.88 of the Revised Code to provide consumer protection against spyware.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:
Section 1. That sections 1349.81, 1349.82, 1349.83, 1349.84, 1349.85, 1349.86, 1349.87, and 1349.88 of the Revised Code be enacted to read as follows:
Sec. 1349.81. As used in sections 1349.81 to 1349.88 of the Revised Code:
(A) "Advertisement" means a communication, the primary purpose of which is the commercial promotion of a commercial product or service, including content on an internet web site operated for a commercial purpose.
(B) "Authorized user" means a person that owns or leases a computer or is authorized by that owner or lessee to use the computer or computer network.
(C) "Bundled software" means software that is acquired through the installation of a large number of separate programs in a single installation when the programs are unrelated to the purpose of the installation as described to the authorized user.
(D) "Software" means a sequence of instructions written in any programming language that is executed on a computer including a cookie but not including a text or data file.
(E) "Computer virus" means a computer program or other set of instructions that is designed to do the following acts without the authorized user's authorization:
(1) Degrade the performance of or disable a computer or computer network;
(2) Have the ability to replicate itself on another computer or computer network.
(F) "Damage" means any significant impairment to the integrity, confidentiality, or availability of data, software, a system, or information, including significant and intentional degradation of the performance of a computer or a computer network and intentional disabling of a computer or computer network.
(G) "Distributed denial of service" or "DDoS attack" means techniques or actions involving the use of one or more damaged computers to damage another computer or a targeted computer system in order to shut the computer or computer system down and deny the service of the damaged computer or computer system to legitimate users.
(H) "Execute" means the performance of the functions or the carrying out of the instructions of the computer software.
(I) "Hardware" means all of the discrete physical parts of a computer. Hardware does not mean the data the computer contains or that enables it to operate or the software that provides instructions for the hardware to accomplish tasks.
(J) "Intentionally deceptive" means taking action without authority and with the intent to deceive an authorized user in order to damage a computer or computer system or wrongfully obtain personally identifiable information. The following acts are considered "intentionally deceptive":
(1) Making an intentional and materially false or fraudulent statement;
(2) Making a statement or description that intentionally omits or misrepresents material information;
(3) Failing, intentionally and materially, to provide any notice to an authorized user regarding a download or installation of software.
(K) "Internet" has the same meaning as in section 1.59 of the Revised Code.
(L) "Internet address" means a specific location on the internet accessible through a universal resource locator or internet protocol address.
(M) "Personally identifiable information" means information that identifies a person and includes any of the following:
(1) First name or first initial in combination with last name;
(2) Credit or debit card numbers or other financial account numbers;
(3) A password or personal identification number or other identification required to access an identified account other than a password, personal identification number, or other identification transmitted by an authorized user to the issuer of the account or its agent;
(4) A social security number.
(N) "Phishing" means the use of electronic mail or other means for the purpose of committing theft or fraud by imitating a legitimate company or business in order to entice an authorized user to divulge passwords, credit card numbers, or other sensitive information.
Sec. 1349.82. No person that is not an authorized user shall purposely, knowingly, or recklessly cause computer software to be copied onto any computer in this state or use software to do any of the following through intentionally deceptive means and without the authorized user's consent:
(A) Modify any of the following settings related to the computer's access to, or use of, the internet:
(1) The page that appears when an authorized user launches an internet browser or similar software program used to access and navigate the internet;
(2) The default provider or web proxy the authorized user uses to access or search the internet;
(3) The authorized user's list of bookmarks used to access web pages;
(4) Settings in computer software or in a text or data file on the computer that are used to resolve a universal resource locator or other location identifier used to access a public or private network.
(B) Collect personally identifiable information about the authorized user by either of the following means:
(1) Recording all keystrokes made by the authorized user and transmitting that information from the computer to another person through a keystroke-logging function;
(2) Extracting screen shots of an authorized user's use of the computer for a purpose unrelated to any of the purposes of the software or service as described to the authorized user.
(C) Collect personally identifiable information that includes all or substantially all of the internet addresses visited by an authorized user, other than internet addresses of the provider of the software;
(D) Extract personally identifiable information from a computer hard drive for a purpose unrelated to any of the purposes of the software or service as described to the authorized user;
(E) Prevent an authorized user's reasonable efforts to disable or block the installation of software by causing properly disabled or removed software to automatically reactivate or reinstall on the computer without the authorized user's authorization;
(F) Remove, disable, or render inoperative security, antispyware, or antivirus software installed on the computer.
Sec. 1349.83. No person who is not an authorized user shall purposely, knowingly, or recklessly do any of the following:
(A) Cause computer software to be copied onto any computer in this state and use the software to take control of a computer by using any of the following means:
(1) Transmitting or relaying commercial electronic mail or a computer virus without the authorized user's authorization;
(2) Accessing or using the authorized user's modem or internet service for the purpose of causing damage to the computer or causing an authorized user to incur financial charges for a service that the authorized user has not authorized;
(3) Using the computer as part of an activity performed by a group of computers for the purpose of causing damage to another computer, including launching a denial of service attack;
(4) Opening multiple, sequential, stand-alone advertisements in the authorized user's internet browser without the authorized user's authorization and with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the authorized user's internet browser.
(B) Obtain the ability to use one or more computers of other end users on a network to send commercial electronic mail, to damage other computers, or to locate other computers vulnerable to an attack, without the authorized user's authorization or a prior or existing personal, business, or contractual relationship with the owner or owners of the computer or computer networks;
(C) Modify security settings or settings that protect the authorized user's personally identifiable information, for the purpose of stealing that information or causing damage to one or more computers;
(D) Prevent an authorized user's reasonable efforts to block the installation of or disable software by providing an option to decline installation of the software with knowledge that if the option is selected the installation nevertheless proceeds;
(E) Intentionally interfere with an authorized user's attempt to uninstall the software by using any of the following means:
(1) Leaving hidden elements of software that are designed to and will reinstall the software or portions of the software without the authorized user's authorization on the authorized user's computer for the purpose of evading an authorized user's attempt to remove the software from the computer;
(2) Causing damage to or removing any vital component of a computer's operating system;
(3) Falsely representing that software has been disabled;
(4) Changing the name, location, or other designating information of software for the purpose of preventing an authorized user from locating the software to remove it;
(5) Using randomized or deceptive file names, directory folders, formats, or registry entries for the purpose of avoiding the authorized user's detection and removal of the software;
(6) Causing the installation of software in a particular computer directory or computer memory for the purpose of evading an authorized user's attempt to remove the software from the computer;
(7) Requiring completion of a survey to uninstall software unless completion of the survey is reasonably related to the uninstallation of the software;
(8) Requiring without the authorized user's authorization that an authorized user obtain a special code or download a special program from a third party to uninstall the software.
Sec. 1349.84. (A) No person that is not an authorized user, with regard to any computer in this state, shall do any of the following:
(1) Intentionally misrepresent that installing software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content or software if the software is not necessary for those purposes;
(2) Deceptively cause the copying and execution of a software component on the computer with the intent of causing an authorized user to use the component in a way that violates any other provision of sections 1349.82 to 1349.85 of the Revised Code.
(B) No person shall engage in phishing.
Sec. 1349.85. No person who is not an authorized user shall purposely, knowingly, or recklessly cause computer software to be copied onto any computer in this state to carry out any of the violations described in sections 1349.82 to 1349.84 of the Revised Code for a purpose wholly unrelated to any of the purposes of the software or service as described to the authorized user if the software is installed in an intentionally deceptive manner that does either of the following:
(A) Exploits a security vulnerability in the computer;
(B) Bundles the software with other software.
Sec. 1349.86. (A) Any provision of a consumer contract that permits a practice prohibited under sections 1349.82 to 1349.85 of the Revised Code is not enforceable.
(B) Sections 1349.82 to 1349.85 of the Revised Code do not apply to any monitoring of, or interaction with, a subscriber's internet or other network connection or service or a protected computer in accordance with the relationship or agreement between the owner of the computer or computer system used by the authorized user and any of the following types of providers:
(1) Telecommunications or internet service provider;
(2) Cable internet provider;
(3) Computer hardware or software provider;
(4) Provider of information service or interactive computer service for any of the following purposes:
(a) Network or computer security purposes;
(e) Authorized updates of software or system firmware;
(f) Authorized remote system management;
(g) Network management or maintenance;
(h) Detection or prevention of the unauthorized use of, or fraudulent or other illegal activities in connection with, a network, service, or computer software, including scanning for and removing software that is prohibited under sections 1349.82 to 1349.85 of the Revised Code.
(C) Sections 1349.82 to 1349.85 of the Revised Code do not apply to the installation of an upgrade to a software program that has already been installed on the computer with the authorization of an authorized user or software that is installed in a computer before the first retail sale and delivery of that computer.
Sec. 1349.87. (A) Any violation of sections 1349.82 to 1349.85 of the Revised Code is an unfair or deceptive act or practice in violation of section 1345.02 of the Revised Code. All powers and remedies available to the attorney general to enforce sections 1345.01 to 1345.13 of the Revised Code are available to the attorney general to enforce sections 1349.82 to 1349.85 of the Revised Code, and all remedies available to consumers under section 1345.09 of the Revised Code to remedy violations of section 1345.02 of the Revised Code are available to consumers to remedy a violation of sections 1349.82 to 1349.85 of the Revised Code.
(B) All fines and penalties collected under this section shall be paid to the consumer protection enforcement fund created under section 1345.51 of the Revised Code.
Sec. 1349.88. The attorney general shall establish and maintain a web site that satisfies all of the following requirements:
(A) Promotes consumer awareness about spyware, antispyware, and computer fraud;
(B) Provides information concerning all of the following:
(1) Spyware, computer fraud, and the effects of spyware and computer fraud upon consumer privacy and computer systems;
(2) The availability of computer software to combat spyware and how to access or obtain that software;
(3) False representations about the effectiveness of specific antispyware software;
(C) Provides consumers with links to antispyware web sites that contain helpful information.