X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.
The term “spyware” has come to be applied to a range of software technologies that enable the remote monitoring of activities on an individual user’s computer. Despite the negative connotation of the term, spyware may be used for benign purposes, such as notifying a user that updates for installed software are available for download. But a lot of spyware lives up to the negative connotation of the term, surreptitiously recording and transmitting a user’s passwords and personal information to a remote hacker, or causing degraded computer performance and system crashes. Because spyware can present serious risks to online privacy and security and may harm the integrity of computer systems, it has drawn the attention of legislators, regulators and the technology industry. Attempts to address the issues created by spyware have been complicated by difficulties in distinguishing objectionable spyware from legitimate monitoring technologies and disagreements over the legitimacy of some uses of spyware technology. This article will briefly review recently enacted and proposed legislation and regulatory actions, as well as some nonlegislative alternatives aimed at controlling the proliferation of spyware. DEFINING SPYWARE The difficulties in defining spyware were apparent at the Federal Trade Commission (FTC) public forum on the topic this past February. After a full day of discussion and consideration of over 200 comments, the participants could not agree on a definition of spyware. The FTC observed: ” ‘Spyware’ is an elastic and vague term � Some definitions of spyware could be so broad that they cover software that is beneficial or benign; software that is beneficial but misused; or software that is just poorly written or has inefficient code.” [FOOTNOTE 1] As the FTC forum revealed, there is good spyware, malicious spyware, such as “malware” and a lot of code in between those two extremes. A form of spyware that few users would object to may come embedded in a conventional software application. For example, if you go to the “Options” menu in many desktop computer applications, you may find an option labeled something like “check for software updates.” If you check “yes” (or if “yes” is checked by default) and you have an Internet connection, you may have enabled the application to communicate with a remote server to download and install a software update automatically. The remote checking, and sometimes the installation of the update as well, often takes place in the “background,” unnoticed by the user once the appropriate option is checked. Among many other uses, anti-virus applications utilize this type of technology to keep users’ systems updated with the latest anti-virus protections, as do some Web browser plug-in applications that permit the playing of audio and video clips. The same relatively simple technology (software embedded in or downloaded with an application) also can be used to enable the downloading and installation of software that most users would not willingly install. If the downloaded code is a “keylogger” or “snoopware” application that records and transmits a user’s keystrokes, the information transmitted may be a user’s banking account, credit card and password information. Some “malware” applications may even change a user’s Web browser and system settings to make it difficult for an unsophisticated computer user to remove the software. IS ADWARE SPYWARE? Broadly speaking, “adware” is code that enables the delivery of advertisements, such as customized banner and pop-up or pop-under ads to a user navigating the Web. A computer may acquire adware code, for example, when a user responding to a Web banner advertisement for the download and installation of free screensavers unknowingly downloads adware code included with the screensaver application. Once the adware code is installed, it may harvest and transmit information on the user’s Web-surfing habits, triggering a blizzard of pop-up advertisements. The FTC forum also demonstrated that whether adware should be regarded as spyware is controversial. For example, adware distributor Claria Corp., in its initial comments to the agency, stated there is no “overlap between the terms ‘spyware’ and legitimate ‘adware’” and that “adware” should be used to describe software that is “supported by advertising” and “installed on consumers’ computers within the core principles of notice, consent and control.” If advertising software does not adhere to any of these principles, according to Claria, then it is spyware, not legitimate adware. [FOOTNOTE 2] LEGISLATIVE RESPONSE Legislators responding to the problem of spyware have been undeterred by the definitional problems, and thus far two states have enacted anti-spyware legislation. This past spring, Utah enacted the Spyware Control Act, the first law of its kind in the country. See Utah Code Ann. ��13-39-101 et seq. In late September, California enacted the Consumer Protection Against Computer Spyware Act. [FOOTNOTE 3]Several bills have made progress in the U.S. Congress, and legislation is also pending in at least several states, including Iowa, Michigan, New York and Pennsylvania. The scope of the state enactments differs significantly. Under the Utah Act, a person is prohibited from installing or causing “spyware” to be installed on another person’s computer. Section 13-39-201 (1)(c). In defining spyware, the Utah statute takes a broad approach. In addition to including software that monitors a computer’s usage and sends information about such usage to a remote computer or server, the statute targets adware by incorporating into its definition of prohibited acts, the distribution (without satisfying certain conditions) of “software residing on a computer that uses a federally registered trademark as a trigger for the display of the advertisement by a person other than the trademark owner, an authorized agent or licenses of the trademark owner; or a recognized Internet search engine � .” See �13-39-101. THE UTAH ACT The Utah Act requires that providers of software falling under its scope give users clear notice and obtain consent before any software can be installed on the user’s computer. In the case of advertising display software, in particular, the notice must include “full-size” examples of the ads to be displayed, a statement concerning the frequency of ad delivery, and a clear description of a method that permits the user to distinguish ads by their appearance from ads generated by other software services. Additionally, the Utah Act mandates that there be a way to uninstall the software if the user so chooses. Violations of the Utah Act are penalized with hefty fines of up to $10,000 per violation as well as other judicial remedies, including injunctive relief. These provisions of the Utah Act directed at adware prompted adware provider WhenU.com Inc., to challenge the statute’s constitutionality shortly after its enactment. In June, the enforcement of the Utah Act was preliminarily enjoined when the Utah state court ruled that the statute was vague in that it created uncertainty concerning what is required in order to be in compliance, and this uncertainty, coupled with the private enforcement provisions of the statute, exposed WhenU.com to a “potential plethora of litigation.” [FOOTNOTE 4] The California spyware legislation, which becomes effective on Jan. 1, 2005, prohibits the installation of software that, among things, modifies certain settings related to the computer’s access to, or use of, the Internet, and prevents, without the authorization of an authorized user, the user’s reasonable efforts to block the installation of, or to disable software. In addition, the California Act prohibits the opening of pop-up ads in the user’s Internet browser. The California law also provides for an aggrieved consumer to recover attorney fees and $1,000 in damages for each violation of the statute. The legislation is notable for its intent provisions, which require the unauthorized user to act “with actual knowledge, with conscious avoidance of actual knowledge or willfully” to copy computer software onto the computer of a California resident. Some commentators, including members of privacy rights organizations, have suggested that these high intent requirements will make it difficult to prove a violation of the statute. [FOOTNOTE 5] COMPETING ANTI-SPYWARE BILLS Several competing anti-spyware bills have made headway in the U.S. Congress. In October, the House passed two anti-spyware bills, the “Securely Protect Yourself Against Cyber Trespass Act” (HR 2929) and the “Internet Spyware Prevention Act” (HR 4661). The SPY ACT would prohibit, among other things, the unauthorized “taking control” of a user’s computer to divert the Internet browser, the delivery of advertisements that a user of the computer cannot close without turning off the computer or closing all sessions of the Internet browser for the computer, and the modification of settings related to the computers use or its access to or use of the Internet. In addition, the SPY ACT gives the Federal Trade Commission broad jurisdiction over violations and authority to levy hefty fines of up to $3 million for the most serious violations. Finally, the SPY ACT, as written, would preempt certain state anti-spyware laws. The I-SPY ACT would amend the federal criminal code by penalizing the unauthorized installation of code or programming in furtherance of another federal criminal offense. In addition, the I-SPY ACT would criminalize the intentional obtaining or transmitting of personal information with the intent to defraud or injure the person or damage the protected computer, as well as criminalize the intentional impairment of the security protection of the protected computer through the use of spyware. Finally, the I-SPY ACT imposes fines and a prison term of up to five years for certain violations of the I-SPY ACT. Although it has not made as much progress as the House bills, the Software Principles Yielding Better Levels of Consumer Knowledge Act (S2145), was approved and amended by the Senate Commerce Committee in late September. Like the I-SPY ACT, the SPY BLOCK ACT would add a new criminal section to federal law. Among its provisions is a prohibition against the surreptitious installation of software onto a computer and a requirement for a reasonable procedure to uninstall downloadable software. The FTC is designated as the chief enforcer of the SPY BLOCK ACT. ALTERNATIVE SOLUTIONS Early last month, the FTC, relying on existing consumer laws, filed a lawsuit in the U.S. District Court for the District of New Hampshire against software companies that allegedly were infecting computers with spyware, resulting in the issuance of a temporary restraining order against the defendants. The order required the disabling of spyware programs used to infiltrate users’ computers. [FOOTNOTE 6]Additionally, the FTC has stated that government and industry-sponsored educational programs, along with industry self-regulation, could be instrumental in assisting consumers in protecting themselves against spyware. [FOOTNOTE 7] Beyond existing laws and educational efforts, there are a number of tools being used to combat spyware, ranging from pop-up blockers to computer options that prohibit downloads from specified companies. Also available are programs that detect and remove spyware from a computer. Some of these programs may include “real-time” protection designed to alert users to threats as they arise. Still, as quickly as a user can alter its operating system to protect against spyware, another hacker may be learning how to circumvent new security programs in an attempt to download spyware onto the user’s computer. CONCLUSION With concerns about spyware increasing, public annoyance may give way to further government action. As additional spyware legislation is debated and perhaps even enacted, and as more sophisticated technological advances are developed to combat these type of computer programs, the public and businesses will most surely be keeping watch to see how the issues that spyware has created eventually may be resolved. Richard Raysman and Peter Brown are partners at Brown Raysman Millstein Felder & Steiner. They are co-authors of “Computer Law: Drafting and Negotiating Forms and Agreements” (Law Journal Press, ( www.lawcatalog.com ) Jeff Myers, a summer associate at the firm, assisted in the preparation of this article. If you are interested in submitting an article to law.com, please click here for our submission guidelines. ::::FOOTNOTE(S):::: FN1See generally “Prepared Statement of the Federal Trade Commission Before the Committee on Energy and Commerce, Trade and Consumer Protection,” U.S. House of Representatives, Washington, D.C., April 29, 2004 available at www.ftc.gov/os/2004/04/040429spywaretestimony.htm (last visited Nov. 2, 2004). FN2See “Initial Comments of Claria Corporation Before the Federal Trade Commission,” dated April 16, 2004 available at www.ftc.gov/os/comments/spyware/040416clariacorporation.pdf (last visited Oct. 26, 2004). Adware programs also have been the subject of lawsuits by trademark owners claiming that the display of competitive pop-up and banner advertisements triggered by a user’s entry of trademark terms constitutes an infringing use of those terms. See, e.g., 1-800 Contacts, Inc. v. WhenU.com, 2003 U.S. Dist. LEXIS 22934 (SDNY Dec. 22, 2003). FN3The text of the act can be viewed online at http://www.leginfo.ca.gov/pub/bill/sen/sb_1401-1450/sb_1436_bill_20040928_chaptered.html. FN4See transcript of the ruling from the Third Judicial District Court available at: http://www.benedelman.org/Spyware/whenu-utah/pi-ruling-transcript.pdf. FN5See e.g., Susan Kuchinskas, “Calif. Spyware Bill: ‘Worse Than Nothing,’ ” internetnews.com (Sept. 16, 2004) available at http://www.internetnews.com/security/article.php/3409281. FN6A copy of the complaint, along with other related legal documents, can be viewed at http://www.ftc.gov/os/caselist/0423142/0423142.htm (last visited Nov. 2, 2004). FN7See, note 1, supra.

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]

 
 

ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.