BILL NUMBER: AB 2415 CHAPTERED BILL TEXT CHAPTER 860 FILED WITH SECRETARY OF STATE SEPTEMBER 30, 2006 APPROVED BY GOVERNOR SEPTEMBER 30, 2006 PASSED THE ASSEMBLY AUGUST 29, 2006 PASSED THE SENATE AUGUST 23, 2006 AMENDED IN SENATE AUGUST 21, 2006 AMENDED IN SENATE AUGUST 10, 2006 AMENDED IN SENATE JUNE 20, 2006 AMENDED IN ASSEMBLY MAY 30, 2006 AMENDED IN ASSEMBLY MAY 17, 2006 AMENDED IN ASSEMBLY APRIL 26, 2006 INTRODUCED BY Assembly Member Nunez (Principal coauthor: Assembly Member Leno) FEBRUARY 23, 2006 An act to add Chapter 34 (commencing with Section 22948.5) to Division 8 of the Business and Professions Code, relating to network security. LEGISLATIVE COUNSEL'S DIGEST AB 2415, Nunez Network security. Existing law, the Consumer Protection Against Computer Spyware Act, provides specified protections for the computers of consumers in this state against certain types of computer software. This bill would require a device that includes an integrated and enabled wireless access point, if the device is manufactured on or after October 1, 2007, for use in a small office, home office, or residential setting, and that is used in a federally unlicensed spectrum, to either include a warning advising the consumer how to protect his or her wireless network connection, a warning sticker, or provide other protection that, among other things, requires affirmative action by the consumer prior to use of the device. The bill would provide that if any part of these provisions or their applications are held invalid, the invalidity would not affect other provisions. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. The Legislature finds and declares the following: (a) With the increasing use of low power, unlicensed wireless technology in residences, home offices, and small offices, consumers are unknowingly allowing their personal information on their small office, home office, or residential networks to be accessed by unauthorized users who piggyback onto their network connection. (b) Piggybacking occurs when an unauthorized user connects its client device to a wireless local area network (WLAN) access point or router in order to utilize the small office, home office, or residential network's broadband access connection to reach the Internet. The practice is becoming a serious issue for people who reside in densely populated areas or live in apartment buildings where wireless transmission waves can travel easily through walls, floors, and ceilings. (c) Consumers are generally unaware when an unauthorized user is using their broadband network connection, as most are not sufficiently aware to determine if someone has tapped into their network. Enabled security avoids this problem by preventing all but the most determined attempts to tap into a consumer's network. (d) In 2003, it was estimated that there were 3.9 million households with wireless access to the Internet. Currently, there are about 7.5 million households with wireless access, and that number is expected to rise to 16.2 million households by the end of the year. (e) In December 2005, the National Cyber Security Alliance (NCSA) found that, "more than one out of four homes had a wireless network (26%) and nearly half of these homes (47%) failed to encrypt their connection, a safety precaution needed to protect wireless networks from outside intruders." (f) There is disagreement as to whether it is legal for someone to use another person's WiFi connection to browse the Internet if the owner of the WiFi connection has not put a password on it. While Section 502 of the Penal Code prohibits the unauthorized access to computers, computer systems, and computer data, authorized use is determined by the specific circumstances of the access. There are also federal laws, including the Computer Fraud and Abuse Act (18 U.S.C. Sec. 1030 et seq.), that prohibit the intentional access to a computer without authorization. SEC. 2. Chapter 34 (commencing with Section 22948.5) is added to Division 8 of the Business and Professions Code, to read: CHAPTER 34. Network Security 22948.5. For purposes of this chapter, the following terms have the following meanings: (a) "Federally unlicensed spectrum" means a spectrum for which the Federal Communications Commission does not issue a specific license to a user, but instead certifies equipment that may be used in a segment of spectrum designated for shared use. (b) "Small office" means a business with 50 or fewer employees within the company. (c) "Spectrum" means the range of frequencies over which electromagnetic signals can be sent, including radio, television, wireless Internet connectivity, and every other communication enabled by radio waves. (d) "Wireless access point" means a device, such as a premises-based wireless network router or a wireless network bridge, that allows wireless clients to connect to it in order to create a wireless network for the purpose of connecting to an Internet service provider. (e) "Wireless client" means a wireless device that connects to a wireless network for the purpose of connecting to an Internet service provider. 22948.6. (a) A device that includes an integrated and enabled wireless access point, such as a premises-based wireless network router or wireless access bridge, that is for use in a small office, home office, or residential setting and that is sold as new in this state for use in a small office, home office, or residential setting shall be manufactured to comply with one of the following: (1) Include in its software a security warning that comes up as part of the configuration process of the device. The warning shall advise the consumer how to protect his or her wireless network connection from unauthorized access. This requirement may be met by providing the consumer with instructions to protect his or her wireless network connection from unauthorized access, which may refer to a product manual, the manufacturer's Internet Web site, or a consumer protection Internet Web site that contains accurate information advising the consumer on how to protect his or her wireless network connection from unauthorized access. (2) Have attached to the device a temporary warning sticker that must be removed by the consumer in order to allow its use. The warning shall advise the consumer how to protect his or her wireless network connection from unauthorized access. This requirement may be met by advising the consumer that his or her wireless network connection may be accessible by an unauthorized user and referring the consumer to a product manual, the manufacturer's Internet Web site, or a consumer protection Internet Web site that contains accurate information advising the consumer on how to protect his or her wireless network connection from unauthorized access. (3) Provide other protection on the device that does all of the following: (A) Advises the consumer that his or her wireless network connection may be accessible by an unauthorized user. (B) Advises the consumer how to protect his or her wireless network connection from unauthorized access. (C) Requires an affirmative action by the consumer prior to allowing use of the product. Additional information may also be available in the product manual or on the manufacturer's Internet Web site. (4) Provide other protection prior to allowing use of the device, that is enabled without an affirmative act by the consumer, to protect the consumer's wireless network connection from unauthorized access. (b) This section shall only apply to devices that include an integrated and enabled wireless access point and that are used in a federally unlicensed spectrum. (c) This section shall only apply to products that are manufactured on or after October 1, 2007. 22948.7. The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect any other provision or application that can be given effect without the invalid provision or application.