BILL ANALYSIS

 

 

S.B. 1009

By: Zaffirini

Business & Industry

Committee Report (Amended)

 

 

 

BACKGROUND AND PURPOSE

 

Current law does not prohibit the use of botnets.  A bot is defined as computer software that operates as an agent for a user or another computer program or simulates a human activity.  A botnet is a collection of zombies.  A zombie is defined as a computer that, without the knowledge and consent of the computer's owner or operator, has been compromised to give access or control to a program or person other than the computer's owner or operator.  Botnets are increasingly being used by cyber-criminals to send messages or software without a computer user's knowledge in order to make a computer resource unavailable to its intended users, to commit click fraud, or to steal personally identifiable information.  Electronic commerce is quickly becoming the next frontier of international business and is being threatened by the use of botnets.  A report by Symantec, a computer security company, stated that an average of 57,000 bots (individually compromised machines) was observed per day during the first six months of 2006.  During this period, Symantec discovered 4.7 million distinct computers being actively used in botnets.

 

S.B. 1009 prohibits a person who is not the owner or operator of the computer from knowingly causing a computer to become a zombie or part of a botnet.  This bill also prohibits a person from knowingly creating, having created, using, or offering to use a zombie or botnet for certain purposes and prohibits a person from purchasing, renting, or otherwise gaining control of a zombie or botnet created by another person or selling, leasing, offering for sale or lease, or otherwise providing to another person access to or use of a zombie or botnet.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution. 

 

ANALYSIS

 

SECTION 1.  Amends Section 48.002, Business & Commerce Code, as added by Chapter 298, Acts of the 79th Legislature, Regular Session, 2005, by adding Subdivisions (1-a) and (10), to define "botnet" and "zombie."

 

SECTION 2.  Amends Section 48.054, Business & Commerce Code, as added by Chapter 298, Acts of the 79th Legislature, Regular Session, 2005, to include that a person knowingly violates Section 48.057 if the person acts with actual knowledge of the facts that constitute the violation or consciously avoids information that would establish actual knowledge of those facts.

 

SECTION 3.  Amends Subchapter B, Chapter 48, Business & Commerce Code, as added by Chapter 298, Acts of the 79th Legislature, Regular Session, 2005, by adding Section 48.057, as follows:

 

Sec. 48.057.  UNAUTHORIZED CREATION OR USE OF ZOMBIES OR BOTNETS.  (a)  Prohibits a person who is not the owner or operator of a computer from knowingly causing or offering to cause the computer to become a zombie or part of a botnet.

 

(b)  Prohibits a person from knowingly creating, having created, using, or offering to use a zombie or botnet for certain purposes.

 

(c)  Prohibits a person from purchasing, renting, or otherwise gaining control of a zombie or botnet created by another person or selling, leasing, offering for sale or lease, or otherwise providing to another person access to or use of a zombie or botnet.

 

(d)  Prohibits a person from providing substantial assistance or support to another person knowing the other person is engaged in an act or practice that violates this section.

 

(e)  Provides that internet service providers, businesses that incur losses, and the attorney general may bring civil actions against violators.

 

(f)  Provides that a cause of action may seek injunctive relief; damages equal to the greater of: actual damages, $500,000 for each violation consisting of the same course of conduct or action, or $100,000 for each zombie used; or both injunctive relief and damages.

 

(g)  Provides that a court may increase damages up to triple damages under certain circumstances.

 

(h)  Provides for costs of litigation for a prevailing plaintiff.

 

(i)  Provides that the remedies specified are not exclusive.

 

SECTION 4.  Amends Section 48.101(a), Business & Commerce Code, as added by Chapter 298, Acts of the 79th Legislature, Regular Session, 2005, to clarify that certain entities may bring a civil action against a person who violates this chapter other than Section 48.057.

 

SECTION 5.  Makes application of the bill prospective.

 

SECTION 6.  Effective date: September 1, 2007.

 

EFFECTIVE DATE

 

September 1, 2007.

 

EXPLANATION OF AMENDMENTS

 

Committee Amendment No. 1 adds a new Section to the bill which amends Subsection (a), Section 48.003, Business & Commerce Code, as added by Chapter 298, Acts of the 79th Legislature, Regular Session, 2005, to clarify that Section 48.057, Business & Commerce Code, does not apply to a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service that monitors or has interaction with a subscriber's Internet or other network connection or service or protected computer for certain functions.  Makes nonsubstantive changes.

 

Committee Amendment No. 2 amends proposed Paragraph (B), Subdivision (2), Subsection (f), Section 48.057, Business & Commerce Code, to provide that a cause of action may seek damages equal to $100,000, rather than $500,000, for each violation consisting of the same course of conduct or action.