Federal Register of Legislation - Australian Government

Spyware Bill 2005

C2005B00066
A Bill for an Act to regulate the unauthorised installation of computer software, to require the clear disclosure to computer users of certain computer software features that may pose a threat to user privacy, and for related purposes
For authoritative information on the progress of bills and on amendments proposed to them, please see the House of Representatives Votes and Proceedings, and the Journals of the Senate as available on the Parliament House website.
Registered 18 May 2005
Introduced Senate 12 May 2005

2004-2005

The Parliament of the Commonwealth of Australia

THE SENATE

Presented and read a first time

Spyware Bill 2005

No.      , 2005

(Senator Greig)


Contents

Part 1—Preliminary

1  Short title
2  Commencement
3  Objects of the Act
4  Definitions

Part 2—Prohibited practices in relation to software installation

5  Surreptitious installation of software
6  Notice, choice and removal of software
7  Deceptive installation of software
8  Notice, consent and removal of software requirements
9  Misleading inducements to install software
10  Preventing reasonable efforts to remove software
11  Limitation of ability to remove software

Part 3—Installing surreptitious information collection features on a user’s computer

12  Surreptitious information collection unlawful
13  Intentional transmission of information by user
14  Adware that conceals its operation
15  Other practices that thwart user control of computer

Part 4—Limitations on liability

16  Passive transmission, hosting or linking
17  Network security

Part 5—Penalties

18  Penalties
19  Exceptions

A Bill for an Act to regulate the unauthorised installation of computer software, to require the clear disclosure to computer users of certain computer software features that may pose a threat to user privacy, and for related purposes

Preamble

                   Acknowledging that computer users increasingly are finding software installed on their computers that they did not know was installed and that they cannot uninstall.

                   Concerned that there is an increasing capacity and tendency for users of the Internet to have unauthorised software surreptitiously installed on their computers without their knowledge.

                   Aware that there is now freely available predatory and eavesdropping software which has the capacity to collect and transfer data from a user’s computer to another computer without the knowledge of the user.

The Parliament of Australia enacts:

Part 1—Preliminary

1  Short title

                   This Act may be cited as the Spyware Act 2005.

2  Commencement

                   This Act commences on Royal Assent.

3  Objects of the Act

                   The objects of this Act are to:

                     (a)  regulate the unauthorised or surreptitious installation of computer software;

                     (b)  require the clear disclosure to computer users of certain computer software features that may pose a threat to a user’s privacy or the speed or operation of their computer;

                     (c)  give computer users the rights and capacity to:

                              (i)  know what software is being installed on their computer;

                             (ii)  refuse to have the software installed; and

                            (iii)  be able to uninstall any software.

4  Definitions

                   In this Act:

ACMA means the Australian Communications and Media Authority.

advertisement means a commercial promotion for a product or service, but does not include promotions for products or services that appear on computer software help or support pages that are displayed in response to a request by the user.

advertising feature means a function of computer software that, when installed on a computer, delivers advertisements to the user of that computer.

adware means software which causes advertisements to be displayed on a user’s computer.

affirmative consent means consent expressed through action by the user of a computer other than default action specified by the installation sequence and independent from any other consent solicited from the user during the installation process.

authorised user, when used with respect to a computer, means the owner or lessee of a computer, or someone using or accessing a computer with the actual or apparent authorisation of the owner or lessee.

cause the installation, when used with respect to particular software, means to knowingly provide the technical means by which the software is installed, or to knowingly pay or provide other consideration to, or induce, another person to do so.

clear description means a description that is clear, conspicuous, concise and in a font size that is at least as large as the largest default font displayed to the user by the software.

computer software means any program designed to cause a computer to perform a desired function or functions and does not include any cookie.

cookie means a text file:

                     (a)  that is placed on a computer by an Internet service provider, interactive computer service or Internet website; and

                     (b)  the sole function of which is to record information that can be read or recognised by an Internet service provider, interactive computer service or Internet website when the user of the computer uses or accesses such provider, service or website.

distributed computing feature means a function of computer software that, when installed on a computer, transmits information or messages, other than personal or network information about the user of the computer, to any other computer without the knowledge or direction of the user and for purposes unrelated to the tasks or functions the user intentionally performs using the computer.

first retail sale means the first sale of a computer, for a purpose other than resale, after the manufacture, production or importation of the computer. For purposes of this definition, each lease and each subsequent lease of a computer is to be considered as a first retail sale.

information collection feature means a function of computer software that, when installed on a computer, collects personal or network information about the user of the computer and transmits such information to any other party on an automatic basis or at the direction of a party other than the user of the computer.

install means:

                     (a)  to write computer software to a computer’s persistent storage medium, such as the computer’s hard disk, in such a way that the computer software is retained on the computer after the computer is turned off and subsequently restarted; or

                     (b)  to write computer software to a computer’s temporary memory, such as random access memory, in such a way that the software is retained and continues to operate after the user of the computer turns off or exits the Internet service, interactive computer service or Internet website from which the computer software was obtained.

network information means:

                     (a)  an Internet protocol address or domain name of a user’s computer; or

                     (b)  a Uniform Resource Locator or other information that identifies Internet web sites or other online resources accessed by a user of a computer.

personal information means:

                     (a)  a first and last name, whether given at birth or adoption, assumed or legally changed;

                     (b)  a home or other physical address including street name, name of a city or town and postcode;

                     (c)  an electronic mail address or online username;

                     (d)  a telephone number;

                     (e)  any personal identification number;

                      (f)  a credit card number, any access code associated with the credit card or both;

                     (g)  a birth date, birth certificate number or place of birth; or

                     (h)  any password or access code.

settings modification feature means a function of computer software that, when installed on a computer:

                     (a)  modifies an existing user setting, without direction from the user of the computer, with respect to another computer software application previously installed on that computer; or

                     (b)  enables a user setting with respect to another computer software application previously installed on that computer to be modified in the future without advance notification to and consent from the user of the computer.

user of a computer means a computer’s lawful owner or an individual who operates a computer with the authorisation of the computer’s lawful owner.


 

Part 2—Prohibited practices in relation to software installation

5  Surreptitious installation of software

             (1)  It is unlawful for a person who is not an authorised user of a computer to cause the installation of software on the computer in a manner designed to:

                     (a)  conceal from the user of the computer the fact that the software is being installed; or

                     (b)  prevent the user of the computer from having an opportunity to knowingly grant or withhold consent to the installation.

Exception

             (2)  This section does not apply to:

                     (a)  the installation of software that falls within the scope of a previous grant of authorisation by an authorised user; or

                     (b)  the installation of an upgrade to a software program that has already been installed on the computer with the authorisation of an authorised user; or

                     (c)  the installation of software before the first retail sale of the computer.

6  Notice, choice and removal of software

                   It is unlawful for any person who is not the user of a computer to install computer software on that computer, or to authorise, permit or cause the installation of computer software on that computer, unless:

                     (a)  the user of the computer has received notice that satisfies the requirements of section 8; and

                     (b)  the user of the computer has granted consent that satisfies the requirements of section 8; and

                     (c)  the computer software’s removal procedures satisfy the requirements of section 8.

7  Deceptive installation of software

                   It is unlawful for any person who is not the user of a computer to install computer software on that computer, or to authorise, permit, or cause the installation of computer software on that computer, if the design or operation of the computer software is intended, or may reasonably be expected, to confuse or mislead the user of the computer concerning the identity of the person or service responsible for the functions performed or content displayed by such computer software.

8  Notice, consent and removal of software requirements

Notice

             (1)  For the purposes of section 6, notice to the user of a computer must:

                     (a)  include a clear notification, displayed on the screen until the user either grants or denies consent to installation, of the name and general nature of the computer software that will be installed if the user grants consent; and

                     (b)  include a separate disclosure, with respect to each information collection, advertising, distributed computing and settings modification feature contained in the computer software, that remains displayed on the screen until the user either grants or denies consent to that feature; and

                     (c)  in the case of an information collection feature, provides a clear description of:

                              (i)  the type of personal or network information to be collected and transmitted by the computer software; and

                             (ii)  the purpose for which the personal or network information is to be collected, transmitted and used; and

                     (d)  in the case of an advertising feature, provides:

                              (i)  a representative example of the type of advertisement that may be delivered by the computer software; and

                             (ii)  a clear description of the estimated frequency with which each type of advertisement may be delivered or the factors on which the frequency will depend; and

                            (iii)  a clear description of how the user can distinguish each type of advertisement that the computer software delivers from advertisements generated by other software, Internet website operators or services; and

                     (e)  in the case of a distributed computing feature, provides a clear description of:

                              (i)  the types of information or messages the computer software will cause the computer to transmit; and

                             (ii)  the estimated frequency with which the computer software will cause the computer to transmit such messages or information or the factors on which the frequency will depend; and

                            (iii)  the estimated volume of such information or messages, and the likely impact, if any, on the processing or communications capacity of the user’s computer; and

                            (iv)  the nature, volume and likely impact on the computer’s processing capacity of any computational or processing tasks the computer software will cause the computer to perform in order to generate the information or messages the computer software will cause the computer to transmit; and

                      (f)  in the case of a settings modification feature, provides a clear description of the nature of the modification, its function and any collateral effects the modification may produce, and procedures the user may follow to turn off such feature or uninstall the computer software.

Consent

             (2)  For purposes of section 6, consent means:

                     (a)  consent by the user of the computer to the installation of the computer software; and

                     (b)  separate affirmative consent by the user of the computer to each information collection feature, advertising feature, distributed computing feature and settings modification feature contained in the computer software.

Removal procedures

             (3)  For purposes of section 6, computer software must:

                     (a)  appear in the ‘Add/Remove Programs’ menu or any like feature, if any, provided by each operating system with which the computer software functions; and

                     (b)  be capable of being removed completely using the normal procedures for removing computer software provided by each operating system with which the computer software functions; and

                     (c)  in the case of computer software with an advertising feature, include an easily identifiable link clearly associated with each advertisement that the software causes to be displayed, such that selection of the link by the user of the computer generates an on-screen window that informs the user about how to turn off the advertising feature or uninstall the computer software.

9  Misleading inducements to install software

                   It is unlawful for a person who is not an authorised user of a computer to induce an authorised user of the computer to consent to the installation of software on the computer by means of a materially false or misleading representation concerning:

                     (a)  the identity of an operator of an Internet website or online service at which the software is made available for download from the Internet; or

                     (b)  the identity of the author or publisher of the software; or

                     (c)  the nature or function of the software; or

                     (d)  the consequences of not installing the software.

10  Preventing reasonable efforts to remove software

                   It is unlawful for a person who is not an authorised user of a computer to authorise or cause the installation of software on the computer if the software is designed to prevent reasonable efforts by an authorised user of the computer to remove or disable the software once it has been installed.

11  Limitation of ability to remove software

                   Software that enables an authorised user of a computer, such as a parent or system administrator, to choose to prevent another user of the same computer from uninstalling or disabling the software is not to be considered to prevent reasonable efforts to uninstall or disable the software within the meaning of this section, provided that at least one authorised user retains the ability to uninstall or disable the software.


 

Part 3—Installing surreptitious information collection features on a user’s computer

12  Surreptitious information collection unlawful

             (1)  It is unlawful for a person who is not an authorised user of a computer to authorise or cause the installation on that computer of software that collects information about the user of the computer or about the user’s Internet browsing behaviour or other use of the computer and transmits such information to any other person on an automatic basis or at the direction of a person other than an authorised user of the computer, if the software’s collection and transmission of such information is not functionally related to or in support of a software capability or function that an authorised user of the computer has chosen or consented to execute or enable, and either:

                     (a)  there has been no notification, prior to the software beginning to collect and transmit such information, to an authorised user of the computer explaining the type of information the software will collect and transmit and the types of ways the information may be used and distributed; or

                     (b)  notification pursuant to paragraph (a) was not provided in a manner reasonably calculated to provide actual notice to an authorised user of the computer; or

                     (c)  notification pursuant to paragraph (a) occurred at a time or in a manner that did not enable an authorised user of the computer to consider the information contained in the notification before choosing whether to permit the collection or transmission of information.

Exception—compliance with licence

             (2)  This section must not be interpreted as prohibiting a person from authorising or causing the installation of software that collects and transmits information that is reasonably needed to determine whether or not the user of a computer is licensed or authorised to use the software.

13  Intentional transmission of information by user

                   Information must not be construed as having been collected and transmitted on an automatic basis or at the direction of a person other than a user of the computer, within the meaning of this Act, if the collection or transmission of the information is intentionally initiated by an authorised user for the purpose of allowing the direct or indirect access to the information by an intended recipient.

14  Adware that conceals its operation

                   It is unlawful for a person who is not an authorised user of a computer to authorise or cause the installation on that computer of software if:

                     (a)  the software causes advertisements to be displayed to the user:

                              (i)  at a time when the user is not accessing an Internet website or online service operated by the publisher of the software; and

                             (ii)  in a manner or at a time such that a reasonable user would not understand that the software is responsible for delivering the advertisements; and

                     (b)  the advertisements referred to in paragraph (a) do not contain a label or other reasonable means of identifying to the user of the computer, each time such an advertisement is displayed, which software is responsible for the advertisement’s delivery.

15  Other practices that thwart user control of computer

             (1)  It is unlawful for a person who is not an authorised user of a computer, knowingly and without the authorisation of an authorised user of the computer:

                     (a)  to utilise the computer to send unsolicited information or material from the user’s computer to other computers; or

                     (b)  to divert an authorised user’s Internet browser away from the Internet website the user intended to view to one or more other websites, unless such diversion has been authorised by the website the user intended to view; or

                     (c)  to display an advertisement, series of advertisements or other content on the computer through windows in an Internet browser, in such a manner that the user of the computer cannot end the display of such advertisements or content without turning off the computer or terminating all sessions of the Internet browser, provided that this paragraph does not apply to the display of content related to the functionality or identity of the Internet browser; or

                     (d)  to covertly modify settings relating to the use of the computer or to the computer’s access to or use of the Internet, including:

                              (i)  altering the default Web page that initially appears when a user of the computer launches an Internet browser; or

                             (ii)  altering the default provider or Web proxy used to access or search the Internet; or

                            (iii)  altering bookmarks used to store Internet website addresses; or

                            (iv)  altering settings relating to security measures that protect the computer and the information stored on the computer against unauthorised access or use;

                            provided that this paragraph does not apply to any modification that restores settings previously changed without user consent; or

                     (e)  to use software installed in violation of section 3 to collect information about the user or the user’s Internet browsing behaviour; or

                      (f)  to remove, disable, or render inoperative security or privacy protection technology installed on the computer.


 

Part 4—Limitations on liability

16  Passive transmission, hosting or linking

                   A person does not commit an offence against any provision of this Act solely because the person provided:

                     (a)  the Internet connection, telephone connection or other transmission or routing function through which software was delivered to a computer for installation; or

                     (b)  the storage or hosting of software or of an Internet website through which software was made available for installation to a computer; or

                     (c)  an information location tool, such as a directory, index, reference, pointer or hypertext link, through which an authorised user of a computer located software available for installation.

17  Network security

                   A provider of a network or online service that an authorised user of a computer uses or subscribes to has not committed an offence against this Act where the purpose of the provider’s action is to:

                     (a)  protect the security of the network, service or computer; or

                     (b)  facilitate diagnostics, technical support, maintenance, network management or repair; or

                     (c)  prevent or detect unauthorised, fraudulent or otherwise unlawful uses of the network or service.


 

Part 5—Penalties

18  Penalties

             (1)  A person who contravenes subsection 5(1), section 6, 7, 9, 10, subsection 12(1), section 14 or subsection 15(1) is guilty of an offence against that subsection or section, as the case may be.

             (2)  An offence against subsection 5(1), section 6, 7, 9, 10, subsection 12(1), section 14 or subsection 15(1) is an indictable offence and, subject to this section, is punishable on conviction by imprisonment for a period not exceeding 2 years.

             (3)  Notwithstanding that an offence against subsection 5(1), section 6, 7, 9, 10, subsection 12(1), section 14 or subsection 15(1) is an indictable offence, a court of summary jurisdiction may hear and determine proceedings in respect of such an offence if, and only if:

                     (a)  the proceedings are brought in the name of the Attorney-General or the Director of Public Prosecutions; and

                     (b)  the defendant and the prosecutor consent; and

                     (c)  the court is satisfied that it is proper for the court to hear and determine proceedings in respect of the offence.

             (4)  Where, in accordance with subsection (3), a court of summary jurisdiction convicts a person of an offence against subsection 5(1), section 6, 7, 9, 10, subsection 12(1), section 14 or subsection 15(1), the penalty that the court may impose is imprisonment for a period not exceeding 6 months.

19  Exceptions

Preinstalled software

             (1)  A person who installs, or authorises, permits or causes the installation of computer software on a computer before the first retail sale of the computer is deemed to be in compliance with this Act if the authorised user of the computer receives notice that would satisfy the requirements of section 8 and grants consent that would satisfy the requirements of section 8 prior to:

                     (a)  the initial collection of personal or network information, in the case of any information collection feature contained in the computer software; and

                     (b)  the initial generation of an advertisement on the computer, in the case of any advertising feature contained in the computer software; and

                     (c)  the initial transmission of information or messages, in the case of any distributed computing feature contained in the computer software; and

                     (d)  the initial modification of user settings, in the case of any settings modification feature.

Other exceptions

             (2)  Sections 6 and 7 do not apply to any feature of computer software that is reasonably needed:

                     (a)  to provide capability for general purpose online browsing, electronic mail or instant messaging, or for any optional function that is directly related to such capability and that the user knowingly chooses to use; and

                     (b)  to determine whether or not the user of the computer is licensed or authorised to use the computer software; and

                     (c)  to provide technical support for the use of the computer software by the user of the computer.