Content

Spyware and the law

I spy with my little eye, a legal problem beginning with "S".

The media is full of spyware stories. It covers a multitude of sins, threatens consumers and businesses alike and is constantly changing. It has a mysterious title, and fits in (at least vaguely) with this year's focus on the surveillance society (RFID, identity cards et al). At the heart of the story is the question – who owns (and controls) a user's PC?

The general risks posed by the spyware invasion are well publicised: industrial espionage, identity theft, abuse of credit card and bank information, unauthorised use of PC resources and bandwidth, system instability (and the time and effort involved in fixing these problems) and delivery of inappropriate content. Until recently, the legal issues raised by spyware attracted little comment. Now the problem is so widespread that there is a growing call for governments to take positive action to help protect citizens.

What's in a name?

The first real problem with spyware is understanding exactly what it is. User confusion is itself a large part of the problem. Other names for spyware, or categories of spyware, include adware, snoopware, scumware, foistware, pestware and trespassware. While many of the applications in these categories share some characteristics, there are some significant differences. In order to analyse the legal implications of these applications, it is essential to be clear exactly what we are talking about.

Technology law in the EU is generally drafted to be "technology neutral" meaning it relies on very broad, general definitions. While it would be easier to interpret if it was more specific, it would quickly become obsolete. Technology specific definitions would also mean it was easier for developers to produce applications that fell outside the strict letter of the law.

For the sake of argument, we'll start with a working definition that says the main features common to all spyware are that it:

  • is installed without the user's full knowledge;
  • cannot be easily uninstalled or disabled;
  • covertly transmits information about the user's activities to a remote host

Adware and malware

The next part of our analysis splits spyware into two main camps. Firstly, those applications that are a sub-set of malware (malicious code). Malware includes viruses, worms and trojans. A defining characteristic of malware is that it is intended to cause harm or be otherwise used for criminal purposes. Examples of spyware in this category are keystroke loggers, password sniffers, spam launchers, remote access tools ("RATS") and screen capture utilities. We'll call this "mal-spyware".

The second category of spyware we'll call "adware". This doesn't have a malicious intent, but rather is designed to enhance the effectiveness of advertising targeted at the user or otherwise provide marketing information to a third party. Examples of this are applications that facilitate pop-up browser windows, redirect browser home pages and add favourite sites to browser lists.

Already, the definitions can be attacked. Firstly, it is possible to find legitimate uses for mal-spyware. For example, covertly monitoring children's Internet activity, remote administration of networked PCs are legitimate uses for software that could be used to serious criminal effect. Secondly, in looking at adware, badly written software in this category could lead to security vulnerabilities and lead indirectly to a security compromise. The dividing line becomes blurred, particularly when some of the code in question may not even be an application.

Finally, there is a third category of software on the very edges of spyware. Specific functionality within legitimate applications may send data off remotely to third parties without users realising they have enabled this feature. The classic example of this was a feature of RealJukeBox software that sent music track details back to RealNetworks. Many applications (anti-virus software being a good example) do contact remote hosts, but make it very clear to users what they are doing. This issue is outside the scope of this article, but there are other well-known examples suggesting this topic should not be ignored.

Outside the law?

Before looking at legislation to regulate spyware, it's worth considering the litigation on the fringes of this issue. Firstly, lawsuits have been brought in the USby software developers who claim their products have been wrongly labelled spyware (note the lack of any product names in this article!). In the ecommerce arena, many on-line merchants are also threatening action because spyware can distort their ability to track where site visitors came from (which may impact payment of commission to affiliates) and can be used to serve up competitive adverts and divert visitors from their sites.

The growing awareness of the scale of the problem, supported as usual by a tide of industry surveys, has led to calls for legislation to help users tackle the problem. As with many Internet issues, the best practical solutions are technical. However, because the problem affects many home users, who struggle to get to grips with basic anti-virus precautions, let alone spyware, the law does have a role to play. At the time of writing, it is the US legislators that are making the headlines.

US legislation

There are currently three spyware pieces of legislation being developed at national level in the US. These are the Internet Spyware Prevention Act of 2004 (the "I-SPY Act"), the Securely Protect Yourself Against Cyber Trespass Act (the "SPY Act") and the snappily titled Software Principles Yielding Better Levels of Computer Knowledge Act (or "SPY BLOCK Act"). The purpose of these bills includes targeting the unauthorised installation of computer software (with a corresponding focus on disclosure of information to users) and protecting users from unknowing transmission of personal information over the Internet. It is likely there will be some consolidation of these bills before they hit the statute books.

There is also legislation emerging at state level. The first anti-spyware laws were introduced in Utah, but are currently suspended due to allegations that they are unconstitutional. California is not far behind, with SB 1436, the Consumer Protection Against Computer Spyware Act and New York also has legislation pending. Commentators vary over the need to supplement the existing computer misuse law at national level, but it seems that the risk of introducing differing protections at state level may push the Senate towards finalising federal law.

UK legal position: computer misuse

There is an assumption that back home in the UK, the issue of spyware isn't yet on the legislators' radar: In fact, the situation is very different. Looking first at mal-spyware, the broad wording of the Computer Misuse Act 1990 (the "CMA") does a good job of coping with this threat. The CMA creates offences of unauthorised access to programs or data, unauthorised access with intent to commit a further offence, and unauthorised modification of data. Between them, these offences will catch most mal-spyware, primarily because of the wide definitions of terms like "access". In practice, as with many computer misuse issues, mal-spyware may prove difficult to stop. The high standard of proof required for criminal cases combined with the problems of crime detection and identification of the perpetrator (especially where the crime crosses national borders) and the limited resources of the specialist computer crime authorities mean the number of successful prosecutions is likely to remain low.

The recent All Party Internet Group Report on Computer Misuse (to which Olswang contributed) indicated that they felt the CMA covered mal-spyware and did not believe that the CMA should be extended to cover adware. The group went on to suggest that OFCOM (the communications regulator) should address this topic by educating users, working with the DTI to ensure sufficient consumer protection legislation and by working with software developers to create a code of practice.

Data protection issues

Putting mal-spyware on one side (on the basis that it falls within the scope of the CMA), the more complex issue is how English law treats adware. One of the key issues is the nature of consent. Much adware is bundled with other software applications (often freeware or shareware) or ID downloaded covertly ("drive-by downloads"). There is often a crude form of clickwrap software licence that users will need to accept before installing the application. Organisations using the software will assert that accepting this licence constitutes user's consent. This practice may be sufficient to ensure that a court cannot find beyond reasonable doubt that the software is accessing the user's machine or data without "authority" (and therefore will avoid the risk of a CMA prosecution). However it is less clear whether this constitutes sufficient consent for other areas of the law, particularly as the wording of the licence may be complex or unclear.

Indeed the All Party Internet Group suggested that the Data Protection Act 1998 (the "DPA") would be another possible legislative tool that could control spyware. Even if the initial capture of personal data using adware was lawful, the organisations subsequently using that data will need to ensure that their use complies with the DPA principles. The concept of informed consent is important from a DPA perspective, and transparency is key to the spyware issue. If users knew what applications they were loading onto their machines, and what these applications did (and could therefore give or refuse their informed consent) many of the adware industry's problems would be solved.

The Information Commissioner's most powerful weapon against adware is the Privacy and Electronic Communications Regulations 2003 (the "Regulations"). When the Regulations came into force, much of the emphasis was on the implications for spam and cookies. The Information Commissioner has made it clear that certain provisions will also catch spyware.

The Regulations state that information must not be stored or accessed on a user's equipment unless the user is (a) given clear and comprehensive information about the purpose of the storage of, or access to, that information; and (b) given the opportunity to refuse the storage of or access to that information. While the CMA is a more suitable route for mal-spyware (because the penalties are more severe), the Regulations give a clear opportunity for action against adware. Where loss has been suffered there is a right to bring a civil claim under the Regulations and the Information Commissioner can also use his powers under the DPA to enforce the Regulations.

Practical obstacles to tackling spyware

Relative to some other jurisdictions the UK appears well equipped with legislation to deal with spyware. In practice, however, there are a number of barriers to overcome, depending on the remedy being pursued. It is worth noting that in all cases, if any of the parties involved is off shore, the matter will become significantly more complex.

If the matter is a criminal one, the technical complexity of the cases coupled with the need to prove a case beyond reasonable doubt, may mean the authorities are reluctant to pursue the matter (as they may not be confident of success). Regulatory intervention may prove easier, but as with law enforcement, the authorities only have a limited amount of resource and will need to prioritise the cases they investigate. Where looking at a civil claim, the user needs to show loss. If claiming on damages for loss of system stability, resource or bandwidth usage, this can be notoriously difficult to prove from a legal standpoint. Secondly, the loss needs to be significant enough for a user to go to the time, effort and expense of bringing proceedings. Thirdly, actually finding who to bring the action against may actually prove very complicated. A huge range of parties may be involved in the propagation of spyware, from the adware developer, to the distributor of the software bundled with the adware, to the on-line advertising company using the software, to the organisations that utilise the software and use the data it transmits. Finally, one user of a pc may have downloaded the software, while a different user suffers the loss. Things become more complex if a child is one of the home users involved or on a corporate network where the organisation has different tolerance for spyware to the individual user.

We will need to watch this space to see how the case law develops in this area, but the prevalence of spyware suggests that despite the practical problems outlined above, we wouldn't bet against seeing some court action soon.

The Olswang view

In our view, the key issue is transparency. The article has emphasised issues of consent, information and authorisation, but the uninstallation/de-installation? or disabling of the application is another area that requires transparency. Users should be able to easily uninstall the software, preferably using the standard "add/remove programs" functionality.

The consent to install the software should be clear and unambiguous, taking into account the variable computer literacy of users. The terms and conditions should also make it clear what will happen to the harvested data and comply with the usual DPA consent requirements.

For those people offering freeware/shareware that incorporates adware, the industry shows that offering people an alternative "paid for" version of the software without bundled adware can be a viable marketing model. If adware is the "price" of the software, then users should know what they are installing to enable them to judge if the price is too high.

Self-regulation, coupled with technical developments (such as P3P the platform for privacy preferences machine-readable privacy policies) may well be the ultimate solution to the spyware. In the meantime, the law will undoubtedly continue to develop and play a part in the spyware drama. As the plot unfolds, we suggest businesses [users] take the following steps:

  • Educate yourself – and your employees – the more you know about the problem, the better equipped you'll be to spot problems;
  • Read click-wrap licences carefully – don't just blindly click on "I accept";
  • Use an anti-spyware application – there are plenty of good free ones available;
  • Keep your software (particularly your operating system and browser) properly configured, patched and up to date and make sure you use anti-virus and firewall software.

For more information on this issue please contact Simon Briskman, Partner, Olswang [email protected] tel +44 207 067 3163) or Mark Smith, Assistant Solicitor, Olswang [email protected] tel +44 207 067 3215).

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.