Spyware and Adware - Is Your Company Protected?

Published on: 6/01/2005

Spyware is becoming an increasingly prevalent tool that is used by internet marketing companies and others to gather information about computer users' activities on the internet. It is also widely reported that some spyware is being used to obtain personal information about visitors to the Internet in order to facilitate identity theft or worse. 

What is it and how did I get it?  

In its most basic sense, spyware can be defined as "any software program that aids in gathering information about a person or organization without their knowledge and can relay this information back to an unauthorized third party." This definition was proposed by an industry trade group and probably enjoys general consensus in the industry. While there are many ways these software programs can be delivered, they usually end up on a user's computer by being surreptitiously downloaded in the background while the user is visiting a participating website. Once the code is inserted into the appropriate places in the user's browser, it can collect information such as passwords, credit card numbers, and social security numbers, or it can monitor and report behavioral information such as the user's favorite websites or Internet purchasing habits. 

Adware - Spyware's nicer cousin  

Spyware is often grouped together with Adware, although there are some significant differences between the two. While the main purpose of spyware is to obtain information about a user, the main purpose of adware is to advertise. Usually, this advertisement is accomplished through pop-up ads, but recently, adware manufacturers have gotten more clever and have figured out ways to, for example, cause the user's browser to display search results determined by the advertisers instead of the search site. While some adware programs may use tactics that are similar to spyware, they claim to do so with the knowledge and consent of the user -- although this claim is often disputed by the user who is sick of pop-up ads. Typically, adware finds its way onto the user's computer by being "bundled" with other applications that the user actually wants. One of the main issues with adware is the fact that the user often does not know that he or she is downloading the adware code along with the desired application. 

Many adware companies argue that their software is only downloaded with the consent of the user. What they do not tell you is that consent is often given by way of a long, complex and burdensome notice agreement. The typical user, instead of reading the entire 40 or 50 page pop-up consent regarding what is being downloaded, will simply click "OK" in order to download the program he or she wants; practically every computer user has been guilty of this at some point. What is missed by not reading that long notice is that, bundled along with the software the user wanted, there is a spyware or adware program.

What is the government doing about it?  

Because spyware is universally seen as a threat to Internet users, several states have taken steps to attempt to outlaw it. California, Washington and New York have been the most active in the field of spyware prevention, with California actually having its law on the books. All other states discussed here have legislation proposed and in various stages of the legislative process. 

In general, the legislation would or does prohibit the deceptive use of computer software to:

  • Modify another person's Internet settings

  • Collect personally identifiable information from a person's computer

  • Prevent another user's ability to block or remove spyware or adware by making the software automatically reinstall

  • Intentionally misrepresent to a user that software will be disabled or removed by a certain action when it will not

  • Intentionally remove, block, disable or render inoperative another user's security, anti-spyware or anti-virus software 

Also to be prohibited are actions such as:

  • Sending "spam" or "junk" email from another person's computer without their authorization

  • Causing another user to incur financial charges for a service not authorized by the user

  • Unauthorized opening of multiple advertisements on another user's computer which the user can't close without closing the Internet browser or turning off the computer

While California and Washington provide for civil penalties for spyware violations, New York's new bill would make spyware violations a criminal act. The first violation would be a Class "A" misdemeanor, punishable by up to a year in prison and a fine of up to $1,000. A second violation within a 5-year span would be a Class "E" felony, punishable by up to four years in prison and a fine of up to $5,000.

Alabama, Arizona, Illinois, Kansas, Maryland, Nebraska, and Virginia have all submitted legislation that is substantially similar to the California law and the New York and Washington bills.

Virginia has long been at the forefront of computer issues and has similarly sought to regulate Internet activities. Effective July 1, 2005, Virginia will make it a felony to engage in the practice known as "phishing," in which a person attempts to fraudulently acquire personally sensitive information (passwords or credit card details) by masquerading in an official-looking e-mail or IM as someone entitled to such information. As enacted, the law will also cover spyware, and, potentially, adware.

It is already a crime in Virginia, through which half of all Internet traffic passes, to:

  • send spam or unsolicited bulk e-mail;

  • use a computer or computer network without authority and with the intent to obtain property by false pretenses, embezzle or commit larceny or convert the property of another;

  • temporarily or permanently halt or disable a computer or computer network without authorization;

  • invade someone's privacy by using a computer to examine certain personal and employment information without authorization;

  • steal computer services;

  • use a computer or computer network without authority and with the intent to cause physical injury; and

  • use a computer to harass a person. 

Proposed Federal Legislation  

On January 4, 2005, a bill was introduced into the U.S. House of Representatives by California Representative Mary Bono (R), called the "Securely Protect Yourself Against Cyber Trespass Act," or "SPY-ACT." The stated purpose of this bill is to protect users of the Internet from unknowing transmission of their personally identifiable information through the use of spyware programs. A virtually identical bill was introduced by Rep. Bono in 2004, and it passed through the House by an overwhelming vote of 399 to 1. That bill, however, never came up for a vote in the Senate and had to be reintroduced in 2005. 

Much like the state laws and legislation discussed here, the SPY-ACT would prohibit specific types of deceptive conduct in relation to a third party's computer. For instance, Section 2 of the SPY-ACT provides 18 specific "deceptive" practices that are prohibited by the Act. These practices include phishing (using phony emails from credit card companies or stores to get a user to enter their personal information), keystroke logging, homepage hijacking and ads that can't be closed except by shutting down a computer.

Section 3 of the SPY-ACT sets notice and consent requirements for programs that collect personal information or track online activities. One of the weakest points of the SPY-ACT, according to software experts, is that Section 3 allows for a software developer to give a user "notice" that either spyware or adware is going to be downloaded onto their computer, and for the user to give "consent" to such downloading. According to Section 3, there is no violation of the Act if notice is given in the following manner, and the user consents:

  • Notice must be "clearly distinguished" from other text on the screen

  • Notice must include text that "This program will collect and transmit information about you" or "This program will collect information about the web pages you access and will use that information to display advertising on your computer," or SUBSTANTIALLY SIMILAR language.

  • Notice must remain on the screen until the user accepts or denies consent.

  • Notice must provide the option of giving additional information about the program which is "clear" about the information collected and the purpose. 

The provision that the notice may contain "substantially similar" language has left the door open to companies that currently use long, confusing notices as discussed earlier. Such companies have an argument that they are already in compliance with the federal legislation by providing a consent notice, even though the notice is practically useless because the typical user doesn't read it. 

Penalties and Enforcement?  

The good news is that the SPY-ACT has some teeth in the form of hefty civil penalties of up to $3 million per violation. The bad news is that the Act only gives enforcement powers to the Federal Trade Commission ("FTC"). The FTC has been notoriously slow to enforce software protection laws, and although more severe spyware acts could be actionable under the current FTC rules on deceptive trade practices, the FTC has prosecuted only one such case to date. Perhaps even worse, the SPY-ACT, if passed, will specifically preempt any and all state laws on the subject. This would effectively take enforcement power out of the hands of individuals, who have the most to lose. 

So what should your business do now?  

The most important step right now is for businesses to recognize that their computers and information systems are at risk from threats such as spyware and adware, which can transmit confidential information to third parties without their knowledge. They should be on the lookout for any such violations, and all businesses should have a policy for all employees prohibiting the download of software from the Internet unless it has first been checked out by their information technology department. Without such a safeguard, no software should be downloaded from the Internet.

Also, companies should keep an eye on the federal legislation that is working its way through the House. Based on the passage of practically identical legislation last year, the SPY-ACT is almost guaranteed to pass the House. The bill must then still pass through the Senate and be signed by the President before it will become law. 

Regardless of the federal legislation, if you discover a spyware problem with your computer system, contact the FTC or the state attorney general's office because spyware may be actionable under current deceptive trade practice laws on a state or federal level.




