I Spy With My Little Eye: Taking a Closer Look at Spyware
Solicitor, Mallesons Stephen Jaques
Yee Fen Lim
Associate Professor, Department of Law, Macquarie University
Spyware is a practical problem that can affect internet users everywhere. This article explains the problem of spyware, how it can affect users of PCs and the Internet, and examines the legislative approach to spyware in both Australia and the US. Although spyware has recently received judicial and academic attention in many jurisdictions around the world, the actual effects of spyware are largely unknown to the everyday user of the Internet. And unfortunately, until there is a wide understanding of the nature and scope of spyware, it is unlikely that practical legal solutions will ever evolve. More importantly, if one does not know or understand a serious issue that could be impinging upon one's rights, one will never exercise the legal protections that exist (to the extent that they do exist). This article therefore provides a detailed explanation of spyware and how it can affect a user of the Internet. The article then focuses on two examples of how different jurisdictions have handled spyware - Australia and the US.
Keywords: Spyware, privacy, data, Department of Communications, Information Technology and the Arts (DCITA), Federal Trade Commission Act, Computer Fraud and Abuse Act, Spyware Control Act, Consumer Protection Against Computer Spyware Act.
This is a refereed article published on: 30 January 2006.
Citation: Howard and Lim, 'I Spy With My Little Eye: Taking a Closer Look at Spyware’, 2005 (2-3) The Journal of Information, Law and Technology (JILT). <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2005_2-3/howard-lim/>.
“You are being watched. Monitored. Every move you make is being recorded, logged. Your personal tastes and desires, your friends, travel plans, favourite TV shows, and newspapers. Perhaps more disturbing, this information is stored into databases, sold and shared with nameless and countless others. And you have no idea….”1
The very problem with spyware is that it could never be the subject of an I spy game - it is invisible to the everyday user of the Internet. Spyware is any form of technology that aids in gathering information about a person or an organisation without their knowledge or informed consent.2 It is commonly referred to as “snoopware” or “trespassware” because the program snoops on or trespasses into the private life of the user, sometimes to the extent of full identity theft.3 A user of the Internet can sometimes play a part in downloading spyware, often unknowingly and by accident, by opening a spy-carrying email attachment or downloading “free” software.4 More often, however, simply using the Internet can result in spyware being placed on a user’s computer, as the spyware exploits vulnerabilities in the user’s operating system or browser. Some examples of free software that have been known to be accompanied by spyware include browser toolbars and modifications, file transfer programs, UnZip utilities, PC clocks, personal organisers and Kazaa.5 A user may or may not have consented to “monitoring” software as part of an end user licence agreement. Most would not be aware that clicking “I agree” amounted to consenting to the collection of masses of personal information (and even its sale to third parties!). Problematically, firewalls and anti-virus software do not always prevent spyware downloads, and spyware is often deliberately designed to be difficult or impossible to uninstall.
There are some very convincing reasons why spyware should not be tolerated, the main ones being security and the right to privacy. Regarding privacy, in the real world, would you agree to someone following you into shops, recording the purchases you make, looking at the types of books you read and then selling this information to a third party for marketing purposes? Probably not. In the virtual world, however, this is constantly happening to internet users every day all over the world - and not just to home users, but to companies as well. Some marketing companies are making millions of dollars selling personal information to third parties.6 It is not the intention of this article to explore all the data privacy issues that spyware presents. It is acknowledged that spyware would infringe many of the protections enshrined in the EU Data Protection Directive; however, the aim here is to focus on the security and fraudulent practices that spyware represents.
Specific concerns about spyware range from slowing down PCs to extreme theft of confidential information such as bank account details and passwords which can lead to identity theft and other forms of criminal activities. At its most innocuous level, the disruptive advertising pop-ups can consume significant resources on a PC.7 Companies have reported that they are losing millions of dollars in down time and lost productivity and expect the issue to get worse.8 Evidence of the worsening problem can be seen in a recent US survey (April, 2004) - over three months, some 30 million spyware programs had been installed on approximately one million computers. The number of spyware programs installed on a similar number of computers is now at an alarming 85 million.9
The US seems to have given the issue of spyware considerable academic and judicial attention - whether the regime works in a practical sense is another question. As outlined in more detail below, there have been a number of cases brought under various legislative and common law regimes. The legislative approach in the US, however, has proven to be problematic and unable to mould itself to the problem of spyware. Some states in the US have recognised this, and have moved toward introducing legislation to specifically deal with spyware. In Australia, although case law on this topic is scarce, we seem to be on track in terms of focused attention on the issue. The Department of Communications, Information Technology and the Arts (DCITA) issued a discussion paper on the topic, with the purpose of seeking information and feedback from the Australian public to assist in developing a practical response that targets spyware that is not legitimately used. Responses from the public have now been received, and various strategies have been implemented to address the issue. The Australian Democrats have also shown interest in the issue and proposed a bill - the Spyware Bill 2005. However, as spyware is already present on millions of computers, even if the bill is passed (which seems unlikely at this stage) it will be important to remember that some more general solutions will also be required before we can begin to confidently say that the issue is under control.
It has been recognised that the availability of legal recourse against online offences increases the confidence of the public in using the Internet. In response to this, in 2004 the Minister for Communications, Information Technology and the Arts announced a review of the coverage of existing Australian laws in respect of the malicious use of spyware. DCITA began working with the Attorney-General’s Department and law enforcement agencies to determine the adequacy of existing laws in combating spyware. DCITA found that existing legislation, such as the Criminal Code Act 1995 (Cth), the Privacy Act 1988 (Cth), the Telecommunications Act 1997 (Cth) and the Trade Practices Act 1974 (Cth), covered many of the malicious behaviours associated with spyware10 (this is explained in more detail below). The review covered behaviours such as deceptive conduct, unauthorised access, cyber-stalking, computer hijacking, theft of computer software, resources and bandwidth, denial of service attacks, damage to computer settings, identity theft, content modification, anti-competitive conduct and privacy infringements.
For the purposes of the legislative review, spyware was defined as:
“any software application that is generally installed without the knowledge or consent of the user, to obtain, use or interfere with personal information or resources, content or settings for malicious or undesirable purposes”.11
The table below outlines potential criminal offences that can be brought under existing legislation.
Criminal Code Act 1995 (Cth):
- Attempting to commit a serious offence (such as fraud) using a telecommunications network;
- Unauthorised access, modification or impairment of data, information or programs with intent to commit a serious offence;
- Causing unauthorised modification of data, information or programs to cause impairment - including to the reliability, security or operation of data, information or programs;
- Unauthorised impairment of electronic communication;
- Unauthorised access to or modification of restricted data - data held on a computer to which access is restricted by an access control system (such as passwords) associated with the function of the computer;
- Possession or control of information with the intention to commit or facilitate a computer offence;
- Producing, supplying or obtaining data with the intention of committing or facilitating a computer offence;
- Dishonestly obtaining, possessing, supplying, using or dealing in personal financial information without consent; and
- Intentionally using a carriage service to menace, harass or cause offence.
Trade Practices Act 1974 (Cth):
- Misleading and deceptive conduct.
Australian Securities and Investments Commission Act 2001 (Cth) and Corporations Act 2001 (Cth):
- Misleading and deceptive conduct.
Privacy Act 1988 (Cth):
- Invasion of privacy;
- Harvesting and collecting personal information.
Criminal Law Consolidation Act 1935 (SA)
Telecommunications Act 1997 (Cth):
- Applies to some uses of personal information.
Telecommunications (Interception) Act 1979 (Cth):
- Collection of data and other information.
As indicated above, the Australian Democrats are of a different view to DCITA - their view is that separate legislation is required to specifically deal with spyware and therefore introduced the Spyware Bill 2005 - a proposed Act to regulate the unauthorised installation of computer software and require the clear disclosure to computer users of certain computer software features that may pose a threat to user privacy.
The objects of the proposed Act are to regulate the unauthorised or surreptitious installation of computer software and to require clear disclosure to computer users of certain computer software features that may pose a threat to a user’s privacy or to the speed or operation of their computer. The proposed Act aims to give computer users the right and capacity to know that software is being installed on their computer, to refuse to have it installed and to be able to uninstall any software.12 Consent by a user to install the software was cleverly designed as a two-step process with the requirement of an “affirmative consent”, which is consent expressed through an action of the computer user and independent of any other consent solicited from the user during the installation process (for example, consent cannot be a broader consent to the installation of separate software to which spyware is attached).13 The first step of consent is to the general installation of the software.14 Secondly, consent has to be obtained for each individual information collection feature (and other features such as advertising, distributed computing and modification features) of the software. For example, if the software, once downloaded, causes advertising pop-ups, collects personal information and modifies settings on the user’s computer, the computer user must consent to each of these features before the software can be lawfully installed. This type of consent ensures that users are fully informed as to exactly how the software may affect them and their computer. Penalties under the proposed Act are directed at the actual software developers rather than at passive parties such as the host of a website through which the software was made available.15
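The two-step consent scheme described above can be expressed as an installer-side gate: general consent first, then a separate affirmative consent for each feature, with an uninstall path as a further precondition. The following is an added example written for this article; it is not code from the Spyware Bill 2005 or from any product. The feature names, the ConsentRecord fields (affirmative, bundled_with), the rule that a consent solicited as part of another product’s licence does not count as independent, and the bundled media-player scenario are all illustrative assumptions constructed for the example.

```python
"""Added example: per-feature affirmative-consent gate modelled on the
two-step consent scheme discussed above. Illustrative code only; the
feature set, record structure and decision rules are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Feature(Enum):
    # Feature categories taken from the text; names are assumptions.
    INFORMATION_COLLECTION = "information collection"
    ADVERTISING = "advertising"
    DISTRIBUTED_COMPUTING = "distributed computing"
    SETTINGS_MODIFICATION = "settings modification"


@dataclass(frozen=True)
class ConsentRecord:
    """One consent expressed by the user.

    scope:        "install" for the general installation consent (step one)
                  or a Feature for a per-feature consent (step two).
    affirmative:  True only if the user took a distinct action for this
                  consent (e.g. ticked an unticked box); a pre-ticked box or
                  an acceptance inferred from continuing is not affirmative.
    bundled_with: name of another product whose licence this consent was
                  solicited as part of; must be None to count as independent.
    """
    scope: object
    affirmative: bool
    bundled_with: Optional[str] = None

    def is_independent(self) -> bool:
        return self.affirmative and self.bundled_with is None


@dataclass
class InstallRequest:
    software: str
    features: Set[Feature]
    consents: List[ConsentRecord] = field(default_factory=list)
    has_uninstaller: bool = False


def evaluate_install(req: InstallRequest) -> Tuple[bool, List[str]]:
    """Return (permitted, reasons). Installation is permitted only when the
    general install consent and every listed feature each have their own
    independent affirmative consent and an uninstall mechanism is offered."""
    reasons: List[str] = []
    valid = {c.scope for c in req.consents if c.is_independent()}

    if "install" not in valid:
        reasons.append("no independent affirmative consent to installation")
    for feature in sorted(req.features, key=lambda f: f.value):
        if feature not in valid:
            reasons.append(f"no independent affirmative consent to feature: {feature.value}")
    if not req.has_uninstaller:
        reasons.append("no uninstall mechanism offered")
    return (not reasons, reasons)


def bundled_eula_scenario() -> Tuple[bool, List[str]]:
    """Constructed scenario: a 'free' media player whose EULA mentions
    'other software' that serves ads and collects data. The feature
    consents exist but were solicited as part of the player's licence."""
    req = InstallRequest(
        software="FreeMediaPlayer bundle",
        features={Feature.ADVERTISING, Feature.INFORMATION_COLLECTION},
        consents=[
            ConsentRecord("install", affirmative=True),
            ConsentRecord(Feature.ADVERTISING, affirmative=True,
                          bundled_with="FreeMediaPlayer EULA"),
            ConsentRecord(Feature.INFORMATION_COLLECTION, affirmative=True,
                          bundled_with="FreeMediaPlayer EULA"),
        ],
        has_uninstaller=False,
    )
    return evaluate_install(req)


def separate_consents_scenario() -> Tuple[bool, List[str]]:
    """Constructed scenario: the same bundle, but each feature was consented
    to by a distinct user action and an uninstaller is provided."""
    req = InstallRequest(
        software="FreeMediaPlayer bundle",
        features={Feature.ADVERTISING, Feature.INFORMATION_COLLECTION},
        consents=[
            ConsentRecord("install", affirmative=True),
            ConsentRecord(Feature.ADVERTISING, affirmative=True),
            ConsentRecord(Feature.INFORMATION_COLLECTION, affirmative=True),
        ],
        has_uninstaller=True,
    )
    return evaluate_install(req)


if __name__ == "__main__":
    for name, fn in (("bundled EULA", bundled_eula_scenario),
                     ("separate consents", separate_consents_scenario)):
        ok, why = fn()
        print(f"{name}: {'permitted' if ok else 'refused'}", *why, sep="\n  ")
```

The point the gate makes concrete is the one the FTC discussion later in this article turns on: a consent to “other software” buried in one licence is treated as no consent at all for the feature it covers, so the bundled scenario is refused on three separate grounds while the same features with distinct consents and an uninstaller are permitted.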
On 1 September 2005, the Minister for Communications, Information Technology and the Arts, Senator the Hon Helen Coonan, released a media statement indicating that malicious uses of spyware are already covered by existing laws, with an emphasis on the need for the public to be aware of the threat of spyware.16 To complement the need for public awareness, DCITA developed and released Taking Care of Spyware17, a brochure designed to provide the public with information about spyware, how to remove it and how to prevent it. The brochure is supported by the Internet Industry Association’s (IIA) national anti-spyware campaign18, where the public can find more detailed information and trial the anti-spyware software that is available for a free trial period. Given this media release, it is unlikely that the Spyware Bill 2005 will receive sufficient support for it to be passed - perhaps this is the right approach, as it is questionable, as suggested below, whether specific legislation is the solution to the growing spyware problem.
Whether legislation is an adequate mechanism to tackle spyware is a question that is not just relevant to the jurisdictions considered in this article. All jurisdictions that are attempting to form a regime to limit certain uses of spyware need to carefully consider whether the legislative path is an effective or practical solution before committing time and resources to developing such a regime.
Specific spyware legislation may not be the answer to the spyware problem:
(b) evidence gathering is difficult for law enforcement agencies and may itself have privacy implications - for example, a full copy of a person’s hard disk may be needed to carry out a formal investigation. This may deter people from bringing a complaint forward, especially when anti-spyware software is readily available as a non-intrusive way to deal with spyware.
More generally, legislation has a limited geographical field of application, bounded by physical frontiers. It should be kept in mind that most spyware does not originate in Australia - what happens, for example, if a company in a jurisdiction other than Australia causes spyware to be installed without the notices and consents that Australian law requires? It will all depend on whether Australia asserts jurisdiction over that company and, if it does, whether a judgment can be enforced. This very issue goes back to the widely debated topic of jurisdiction and the Internet. Existing legal regimes struggle to fit the realm of the Internet medium, and there is really not much Australia can do except hope that other jurisdictions have (effective) legislative regimes to cope with the issue. Better still, we can hope that an international regime will come into play that brings consistency across the virtual world. Until then, understanding the existing legislative regimes is a useful start to combating the spyware phenomenon.
Spyware has received more judicial attention in the US than in Australia, but still the number of spyware cases is low compared with the number of people potentially affected by spyware. One reason for this is that plaintiffs, in the majority of cases, are forced to bring actions under existing legal regimes that are not entirely appropriate when applied to spyware. Three examples are the Computer Fraud and Abuse Act, the Federal Trade Commission Act and the tort of trespass to chattels. Hopefully this trend will not extend to Australia, given that the view in Australia is that existing legal regimes are sufficient to deal with malicious use of spyware.
The Computer Fraud and Abuse Act and the Federal Trade Commission Act have been recognised as two federal statutes that can be used to bring an action against spyware. The Computer Fraud and Abuse Act (“CFAA”)19 is primarily a criminal statute directed at unauthorised access to protected computers, but it also provides a private right of action for a person who suffers damage or loss from a violation, provided one of the statutory harm thresholds is met - for example, loss aggregating at least US$5,000 in a one-year period, or damage to a computer system used by or for a government entity for the administration of justice, national defence or national security.20 It is recognised that the CFAA has potential (in limited situations) for those wishing to pursue a spyware claim, because it can be proven that spyware can cause quite a substantial amount of damage to a computer system.21 The CFAA fails to combat the spyware issue in three main ways:
- it does not prescribe specific notice standards or require specific forms of consent before spyware is downloaded;
- it is limited in its application because it requires damage or loss to the computer system. This means that where spyware has only caused a massive impingement upon privacy, an action will not be successful; and
- the civil action is only available where one of the statutory thresholds is met, such as the US$5,000 loss threshold or damage to a government computer used for the administration of justice, national defence or national security - thresholds that an individual home user will often be unable to show.
The Federal Trade Commission Act (“FTCA”)22 empowers the Federal Trade Commission (“FTC”) to prohibit “unfair or deceptive” acts or practices.23 Section 13(b) of the statute grants the FTC the power to seek injunctive relief in federal court against such practices, including false or deceptive advertising. Recently, the FTC has been using this power to prevent companies from deceptively collecting information from individuals - exactly one of the issues with spyware. For example, the FTC brought a successful action against Seismic Entertainment Productions Inc., which gained access to consumers’ computers to advertise by installing software code without the consumers’ knowledge or consent.24 Although the FTCA has been used for spyware cases, like the CFAA it has various limitations. The criticism is that there must be an element of deception before the FTC will bring a civil action, and this may be difficult to prove. For example, companies could circumvent the FTC where they show that a consumer has consented to the download of “other software” as part of the end user licence agreement. Most consumers would fail to realise that “other software” could include spyware, yet this could be enough to defeat the “deceptiveness” test. Therefore, because the FTCA has no particular notice requirements, consumers are not given the proper opportunity to provide informed consent.
The common law tort of trespass to chattels may also be relied on for spyware claims. Trespass to chattels includes the use of, or the intentional bringing about of physical contact with, a chattel owned by another person.25 It has successfully been used for torts committed in cyberspace.26 Courts have also started to award punitive damages in cyberspace cases where there has been wilful and wanton disregard for the property rights of others27 - in some cases, therefore, a plaintiff will not have to prove that it has suffered actual loss, which may be difficult in spyware cases, where the loss suffered is not a quantifiable loss but rather an extreme invasion of privacy. Where a court is unwilling to impose punitive damages, however, many plaintiffs may struggle to show actual damage.
Although it is positive that existing legal regimes are attempting to accommodate the current issues of the virtual world, it is clear that there are various limitations with the existing regimes. The very issue is that until there are rigorous laws in place to combat the spyware phenomenon, millions and millions of people will be at risk of the growing threat of spyware.
The only answer seems to be legislation that deals specifically with the spyware issue. Positively, some states in the USA have recently passed such legislation. Utah for example was the first state to formally recognise the issue by enacting the Spyware Control Act (“Utah Act”)28 which makes installing spyware or causing spyware to be installed on another person’s computer illegal. California followed Utah by recently enacting the Consumer Protection Against Computer Spyware Act (“California Act”) which became effective on 1 January 2005. The California Act makes it illegal to knowingly or wilfully cause the installation of software on a computer, where the software is used for "wrongful" purposes.29 There are a number of limitations to the California Act which may in reality result in little reduction of the widespread problem of spyware. These include30:
- the software that falls within the scope of the legislation must have a “wrongful effect” (as defined by the legislation). This means that certain spyware may fall outside the provisions of the legislation;
- to be caught by the legislation it must be proven that there has been wilful or intentional deceptive actions.
The Utah Act approach goes well beyond the Australian Democrats’ Spyware Bill 2005, which does not go as far as banning spyware or other unauthorised installations of software. Instead, the Australian Democrats’ approach is more in line with the California Act, requiring that the owner of a computer consent to the download of software before that download actually occurs.
The blanket approach of Utah’s Spyware Control Act has met obstacles, and in June 2004 a Utah state district court granted a preliminary injunction halting enforcement of the statute on constitutional grounds.31 The only way to truly combat the issue is to introduce federal legislation - an attempt to do this occurred after the leading case In re Pharmatrak Inc Privacy Litigation.32 In that case, the defendant pharmaceutical companies had employed a company named Pharmatrak to monitor their corporate web sites and provide them with a monthly analysis of web site traffic. Pharmatrak used “NETcompare”, a product designed to monitor clients’ web pages, and “DRUGcompare”, a product designed to monitor activity across disease categories and drug product pages. Using these products, Pharmatrak had collected names, addresses, telephone numbers, dates of birth, sex, insurance status, medical conditions, education levels and occupations. This resulted in detailed profiles of hundreds of individuals being collated without consent, authorisation or knowledge. The district court’s grant of summary judgment to the defendants was reversed by the First Circuit, which held that the pharmaceutical clients had not consented to the collection of personal information. Shortly after the litigation began, the Spyware Control and Privacy Protection Act of 2001 was introduced in the 107th Congress. The stated purpose of the bill was to require disclosure of any surveillance capabilities contained within software, the nature of the information being collected and to whom the information would later be disclosed. The bill never became law - perhaps this proves that historically many people were not particularly worried about spyware and as a result33 Naturally, as the general population becomes more aware of spyware and its effects, many are pressuring the federal government to implement a hasty solution. And perhaps the federal government is finally listening.
Recently, two promising US bills were introduced into the Senate, both criminalising the illicit indirect use of protected computers. First, the Enhanced Consumer Protection Against Spyware Act of 2005 (S. 1004) aims to provide the FTC with the resources necessary to protect users of the Internet from the unfair and deceptive acts of spyware. It has now been read twice and referred to the Committee on Commerce, Science and Transportation.34 The summary statement of the bill has two clear messages35:
- Spyware should be a matter of high priority for FTC action; and
- The resources and tools available to the FTC should be enhanced to increase the vigour of the FTC’s enforcement efforts.
The bill gives authority to the FTC to seek an increased civil penalty (as determined by the FTC), of up to $3,000,000 where software is installed through deceptive acts or practices on protected computers.36 The bill also gives the ability to the FTC to treble damages where there is pattern or practice of violation, and to disgorge any profits made.37
Secondly, the Software Principles Yielding Better Levels of Consumer Knowledge Act (or SPY BLOCK Act) (S. 687) was introduced into the Senate on 20 March 2005. It has also been read twice and referred to the Committee on Commerce, Science, and Transportation. The bill attempts to regulate the unauthorised installation of computer software and to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy. It aims to prohibit installing software on a computer without notice and consent and requires reasonable uninstall procedures for all downloadable software. It also authorises the FTC to issue rules as necessary to implement or clarify the provisions of the Act.
The unauthorised installation of spyware is rife, dangerously impinging on the privacy rights of Australians and all other users of the Internet throughout the world. The US has struggled to grapple with spyware using the existing legal regimes. Does this show the importance and the real need to introduce legislation that specifically covers spyware? Possibly not, given the extensive review of Australian law recently undertaken by DCITA. We are yet to find out. Recently, two bills have been introduced into the US Senate which may be a move in the right direction - whether these are passed is another question. There has also been a bill introduced in Australia by the Australian Democrats and a proactive move toward educating the public about the issues associated with spyware. It should be noted that even if none of these bills are passed, a jurisdictional issue will always exist - the laws of a jurisdiction will generally only be enforced against those that send spyware from within that jurisdiction. A final point needs to be made about the effectiveness of legislative regimes - although Australia has concluded that existing legislation is adequate to cope with malicious use of spyware, the real burden of stopping the spread of spyware cannot rest entirely on the shoulders of legislation. The threats will only ever disappear with a widespread effort to educate users and implement procedures to combat the ever-growing issue - this is only just starting to happen in Australia. As this article demonstrates, spyware is a global problem and will be difficult to completely eliminate. In practical terms, therefore, we need to think about broader approaches and procedures for handling the issue. Any rights given to computer users under legislation are only beneficial to the extent that the user knows that those rights exist.
Although spyware has been much talked about by academics and those in the IT field, a recent National Cyber Security Alliance survey showed that even though more than 80% of computers are infected with spyware, only 10% of users actually knew what spyware was.38 This is where awareness raising comes into play - and Australia is being proactive in this sense. Furthermore, before we can even begin to think that the spyware issue is under control there needs to be a set of procedures in place, including an international complaints handling regime, a uniform approach to unauthorised installation of software and guaranteed enforcement of penalties across the board. It is doubtful that all this can be achieved in the short term (or perhaps even the long term).
1 Michael L Baroni, “Spyware Beware” 47-APR Orange County Law 36
3 Commonwealth of Australia, Parliamentary Debates Hansard 2nd Reading Speech, 12 May 2005
4 For example, the Kazaa file sharing program that was used by millions of people around the world to swap data also bundled spyware.
5 Hon. Jefferson Lankford, “Big Brother is Watching You” (2004) 40-AUG Ariz. Att’y 8
6 Commonwealth of Australia, Parliamentary Debates Hansard 2nd Reading Speech, 12 May 2005. “Companies such as Doubleclick make millions of dollars each year from the sale of data and the targeting of ads, yet their name is not often seen, other than in civil liberties courts.”
9 Commonwealth of Australia, Senate Parliamentary Debates Hansard 2nd Reading Speech, 12 May 2005
10 See http://www.choice.com.au/viewArticle.aspx?id=104706&catId=100245&tid=100008&p=1 accessed 5 June 2005
11 http://www.dcita.gov.au/__data/assets/pdf_file/24939/Outcome_of_Review.pdf accessed 28 September 2005
12 Clause 3, Spyware Bill 2005
13 Clause 4 Spyware Bill 2005
14 Clause 8(2)(a), Spyware Bill 2005
15 See Clause 16, Spyware Bill 2005
16 http://www.minister.dcita.gov.au/media/media_releases/taking_care_of_spyware_-_protecting_consumers_on_the_net accessed 28 September 2005
17 http://www.dcita.gov.au/__data/assets/pdf_file/30866/05020018_Spyware.pdf accessed 28 September 2005
19 18 U.S.C. § 1030 (2004)
20 18 U.S.C. § 1030(g) (2004)
21 See Michael D Lane, “Spies Among Us: Can New Legislation Stop Spyware From Bugging Your Computer?” (2005) 17 Loy. Consumer L. Rev 283 at 293
22 15 U.S.C. §§ 41-58 (2004)
23 15 U.S.C. § 45
24 Federal Trade Commission v Seismic Entertainment Productions Inc. No. Civ. 04-377-JD, 2004 WL 2403124
25 Restatement (Second) of Torts §217 cmt.e (West 2005)
26 For example, CompuServe Incorporated v Cyber Promotions Inc., 962 F. Supp. 1015 (S.D. Ohio 1997); eBay, Inc. v Bidder’s Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000)
27 See America Online Inc. v National Health Care Discount Inc., 174 F. Supp. 2d 890, 902 (N.D. Iowa 2001); Tyco International (US) Inc. v John Does 1-3, No. 01 Civ. 3856, 2003 WL 21638205 (S.D.N.Y. 2003)
28 Spyware Control Act, Utah Code Ann. 2004
29 "Wrongful" includes where the software damages a computer system; causes unauthorised financial charges to be made; opens multiple "pop-up" ads that the user cannot close out of without closing out of their Internet browser or shutting down the computer altogether; modifies settings through intentionally deceptive means, or modifies security settings in any regard; collects personal information through "intentionally deceptive" means (account balances, social security numbers, etc.); prevents the "intentionally deceptive" installation or proper operation of anti-Spyware programs; or uses "intentionally deceptive" means to induce an end-user into installing harmful programs, or deleting protective ones:
30 See Michael Baroni, “Spyware Beware” (2005) 47-APR Orange County Law. 36
31 WhenU.com, Inc. v State of Utah, No. 040907578 (Utah Dist. Ct. 22 June 2004)
32 In re Pharmatrak, Inc. Privacy Litigation, 329 F.3d 9 (1st Cir. 9 May 2003)
33 See Mike Tonsing, “The Battle Against Spyware is Just Beginning” (2004) 51-JUN Fed. Law 16
34 Enhanced Consumer Protection Against Spyware Act 2005 (Introduced in Senate)
35 http://www.geocities.com/edwardtjbrown/20052006.html accessed 22 July 2005
36 Section 5, Enhanced Consumer Protection Against Spyware Act of 2005 (Introduced in Senate)
37 Section 5(c), Enhanced Consumer Protection Against Spyware Act of 2005 (Introduced in Senate)
38 Byron Acohido & Jon Swartz, Market to Protect Consumer PCs Seems Poised for Takeoff; As Spyware, Viruses Spread, Threat to E-commerce Grows, USA Today, Dec. 27, 2004, at B1