Journal of Information, Law and Technology

I Spy With My Little Eye - Taking a Closer Look at Spyware

Kylie Howard
Solicitor

and

Yee Fen Lim
Associate Professor, Department of Law, Macquarie University

This is a refereed article published on: 30 January 2006.

Citation: Howard and Lim, 'I Spy With My Little Eye - Taking a Closer Look at Spyware', 2005 (2) The Journal of Information, Law and Technology (JILT).

Abstract
Spyware is a practical problem that can affect Internet users everywhere. This article explains the problem of spyware, how it can affect users of PCs and the Internet, and examines the legislative approach to spyware in both Australia and the US. Although spyware has recently received judicial and academic attention in many jurisdictions around the world, the actual effects of spyware are largely unknown to the everyday user of the Internet. Unfortunately, until there is a wide understanding of the nature and scope of spyware, it is unlikely that practical legal solutions will ever evolve. More importantly, if one does not know or understand a serious issue that could be impinging upon one's rights, one will never exercise the legal protections that exist (to the extent that they do exist). This article, therefore, provides a detailed explanation of spyware and how it can affect a user of the Internet. The article then focuses on two examples of how different jurisdictions have handled spyware: Australia and the US.

Keywords: Spyware, privacy, data, Department of Communications, Information Technology and the Arts (DCITA), California Act, Utah Act.

1. Introduction - What is Spyware?

“You are being watched. Monitored. Every move you make is being recorded, logged. Your personal tastes and desires, your friends, travel plans, favourite TV shows, and newspapers. Perhaps more disturbing, this information is stored into databases, sold and shared with nameless and countless others. And you have no idea….”[1]

The very problem with spyware is that it could never be the subject of an I spy game - it is invisible to the everyday user of the Internet. Spyware is any form of technology that aids in gathering information about a person or an organisation without their knowledge or informed consent.[2] It is commonly referred to as “snoopware” or “trespassware” because the program snoops on or trespasses into the private life of the user, sometimes to the extent of full identity theft.[3] A user of the Internet can sometimes play a part in downloading spyware, often unknowingly and by accident, by opening a spy-carrying email attachment or downloading “free” software.[4] More often, however, simply using the Internet can result in spyware being placed on a user’s computer, as the spyware exploits vulnerabilities in the user's operating system. Some examples of free software that have been known to be accompanied by spyware include browser toolbars and modifications, file transfer protocol clients, UnZip, PC clocks, personal organisers and Kazaa.[5] A user may or may not have consented to “monitoring” software as part of an end user licence agreement. Most would not be aware that the “I agree” they clicked involves having masses of personal information collected (and even sold to third parties!). Problematically, firewalls and virus-protection software do not always prevent spyware downloads, and spyware is often deliberately designed to be difficult or impossible to uninstall.

There are some very convincing reasons why spyware should not be tolerated. The main arguments are security issues and the right to privacy. Regarding privacy, in the real world, would you agree to someone following you into shops, recording the purchases you make, looking at the types of books you read and then selling this information to a third party for marketing purposes? Probably not. In the virtual world, however, this is constantly happening to Internet users every day all over the world - and not just to home users, but to companies as well. Some marketing companies are making millions of dollars selling personal information to third parties.[6] It is not the intention of this article to explore all the data privacy issues that spyware presents. It is acknowledged that spyware would infringe many of the protections enshrined in the EU Data Protection Directive; however, the aim here is to focus on the security and fraudulent practices that spyware represents.

Specific concerns about spyware range from slowing down PCs to outright theft of confidential information such as bank account details and passwords, which can lead to identity theft and other forms of criminal activity. At its most innocuous level, disruptive advertising pop-ups can consume significant resources on a PC.[7] Companies have reported that they are losing millions of dollars in downtime and lost productivity and expect the issue to get worse.[8] Evidence of the worsening problem can be seen in a recent US survey (April 2004): over three months, some 30 million spyware programs had been installed on approximately one million computers. The number of spyware programs installed on a similar number of computers is now at an alarming 85 million.[9]

The US seems to have given the issue of spyware considerable academic and judicial attention - whether the regime works in a practical sense is another question. As outlined in more detail below, a number of cases have been brought under various legislative and common law regimes. The legislative approach in the US, however, has proven to be problematic and unable to mould itself to the problem of spyware. Some states in the US have recognised this and have moved toward introducing legislation to deal specifically with spyware. In Australia, although case law on this topic is scarce, we seem to be on track in terms of focussed attention on the issue. The Department of Communications, Information Technology and the Arts (DCITA) issued a discussion paper on the topic, with the purpose of seeking information and feedback from the Australian public to assist in developing a practical response that targets spyware that is not legitimately used. Responses from the public have now been received, and various strategies have been implemented to address the issue. The Australian Democrats have also shown interest in the issue and proposed a bill - the Spyware Bill 2005. However, as spyware is already present on millions of computers, even if the bill is passed (which seems unlikely at this stage) it will be important to remember that some more general solutions will also be required before we can begin to say with confidence that the issue is under control.

2. Legislative Review in Australia

It has been recognised that the availability of legal recourse against online offences increases the confidence of the public in using the Internet. In response to this, in 2004 the Minister for Communications, Information Technology and the Arts announced a review of the coverage of existing Australian laws in respect of the malicious use of spyware. DCITA began working with the Attorney-General’s Department and law enforcement agencies to determine the adequacy of existing laws in combating spyware. DCITA found that existing legislation, such as the Criminal Code Act 1995 (Cth), the Privacy Act 1988 (Cth), the Telecommunications Act 1997 (Cth) and the Trade Practices Act 1974 (Cth), covered many of the malicious behaviours associated with spyware[10] (this is explained in more detail below). The review covered behaviours such as deceptive conduct, unauthorised access, cyber-stalking, computer hijacking, theft of computer software, resources and bandwidth, denial of service attacks, damage to computer settings, identity theft, content modification, anti-competitive conduct and privacy infringements.

For the purposes of the legislative review, spyware was defined as:

“any software application that is generally installed without the knowledge or consent of the user, to obtain, use or interfere with personal information or resources, content or settings for malicious or undesirable purposes”.[11]

The table below outlines potential criminal offences that can be brought under existing legislation:

Legislation / Potential offences

Criminal Code Act 1995 (Cth)
    Attempting to commit a serious offence (such as fraud) using a telecommunications network;
    Unauthorised access, modification or impairment of data, information or programs with intent to commit a serious offence;
    Causing unauthorised modification of data, information or programs to cause impairment - including to the reliability, security or operation of data, information or programs;
    Unauthorised impairment of electronic communication;
    Unauthorised access to or modification of restricted data - data held on a computer and to which access is restricted by an access control system (such as passwords) associated with the function of the computer;
    Possession or control of information with the intention to commit or facilitate a computer offence;
    Producing, supplying or obtaining data with the intention of committing or facilitating a computer offence;
    Dishonestly obtaining, possessing, supplying, using or dealing in personal financial information without consent; and
    Intentionally using a carriage service to menace, harass or cause offence.

Trade Practices Act 1974 (Cth)
    Anti-competitive behaviour;
    Misleading and deceptive conduct.

Australian Securities and Investments Commission Act 2001 (Cth) and Corporations Act 2001 (Cth)
    Misleading and deceptive conduct.

Privacy Act 1988 (Cth)
    Invasion of privacy;
    Harvesting and collecting personal information.

Criminal Law Consolidation Act 1935 (SA)
    Identity theft.

Telecommunications Act 1997 (Cth)
    Applies to some uses of personal information.

Telecommunications (Interception) Act 1979 (Cth)
    Collection of data and other information.

As indicated above, the Australian Democrats are of a different view to DCITA: their view is that separate legislation is required to deal specifically with spyware, and they have therefore introduced the Spyware Bill 2005 - a proposed Act to regulate the unauthorised installation of computer software and to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy.

The objects of the proposed Act are to regulate the unauthorised or surreptitious installation of computer software and to require clear disclosure to computer users of certain computer software features that may pose a threat to a user’s privacy or to the speed or operation of their computer. The proposed Act aims to give computer users the right and capacity to know that software is being installed on their computer, to refuse to have it installed and to be able to uninstall any software.[12] Consent by a user to install the software was cleverly designed as a two-step process with the requirement of an “affirmative consent”, which is consent expressed through the action of a computer user and independent of any other consent solicited from the user during the installation process (for example, consent cannot be a broader consent to the installation of a separate piece of software to which spyware is attached).[13] The first step of consent is to the general installation of the software.[14] Secondly, consent has to be obtained as to each individual information collection feature (and other features such as advertising, distributed computing and modification features) of the software. For example, if the spyware, once downloaded, causes advertising pop-ups, collection of personal information and modifications to the settings of the user’s computer, the computer user must consent to each of these features before the software can be lawfully installed. This type of consent ensures that users are fully informed as to exactly how the software may affect them and their computer. Penalties under the proposed Act are directed at the actual software developers rather than passive parties such as the host of a website through which the software was made available.[15]

On 1 September 2005, the Minister for Communications, Information Technology and the Arts, Senator the Hon Helen Coonan, released a media statement indicating that malicious uses of spyware are already covered by existing laws, with an emphasis on the need for the public to be aware of the threat of spyware.[16] To complement the need for public awareness, DCITA developed and released Taking Care of Spyware[17], a brochure designed to provide the public with information about spyware, how to remove it and how to prevent it. The brochure is supported by the Internet Industry Association’s (IIA) national anti-spyware campaign[18], where the public can find more detailed information and sample the anti-spyware software that is available for a free trial period. Given this media release, it is unlikely that the Spyware Bill 2005 will receive sufficient support to be passed - perhaps this is the right approach, as it is questionable, as suggested below, whether specific legislation is the solution to the growing spyware problem.

3. The Data Explosion - Can Legislation Fully Cope With It?

Whether legislation is an adequate mechanism to tackle spyware is a question that is not just relevant to the jurisdictions considered in this article. All jurisdictions that are attempting to form a regime to limit certain uses of spyware need to consider carefully whether the legislative path is an effective or practical solution before investing time and resources in developing such a regime.

Specific spyware legislation may not be the answer to the spyware problem, for two reasons:

(a) the very nature of spyware can make enforcement difficult, because the presence of spyware can remain unknown. In other words, if a person does not know that they are being affected by spyware, legislation that prevents or limits such software is unlikely to be utilised. To summarise this point, legislation is of little use where it protects rights that people do not know are being put at risk; it is therefore hardly adequate from a prevention point of view, and education or public awareness is a more practical solution;

(b) evidence gathering is difficult for law enforcement agencies and may itself have privacy implications - for example, a full copy of a person’s hard disk may be needed to carry out a formal investigation. This may deter people from bringing a complaint forward, especially if anti-spyware software, a non-intrusive way to deal with spyware, is readily available.

Some may argue that existing legislation is sufficient to deal with spyware. For instance, it is widely acknowledged that most jurisdictions in the developed world have extensive data protection and privacy legislation (and rights) to protect the privacy of individuals. However, even though privacy is one of the concerns raised by spyware, the privacy rights that already exist will not be utilised unless people know about the issue and know that it is affecting them in certain ways.

Many people would suggest that the solution to the knowledge issue is to obtain consent through contractual means. For instance, why can’t it be included as part of an end user licence agreement? The answer is simply that if the spyware is disclosed to the user, it is unlikely that the average user would consent. It is our view that, because of the extensive effects of spyware and its ability to gather substantial amounts of personal information without the user knowing which personal information is being gathered, consent through an end user licence agreement is inappropriate.

More generally, legislation has a limited geographical field of application, bounded by physical frontiers. It should be kept in mind that most spyware does not originate in Australia - what happens, for example, if a company in a jurisdiction other than Australia causes spyware to be installed without the relevant notices and consents that Australian law requires? It will all depend on whether Australia asserts jurisdiction over that company and, if it does, whether a judgment can be enforced in Australia. This very issue goes back to the widely debated topic of jurisdiction and the Internet. Existing legal regimes struggle to fit the realm of the new Internet medium, and there is really not much Australia can do except hope that other jurisdictions have (effective) legislative regimes to cope with the issue. Better still, we can hope that an international regime will come into play that brings consistency across the virtual world. Until then, understanding the existing legislative regimes is a useful start to combating the spyware phenomenon.

4. The Current Situation in the US

Spyware has received more judicial attention in the US than in Australia, but the number of spyware cases is still low compared with the number of people potentially affected by spyware. One reason for this is that plaintiffs in the majority of cases are forced to bring actions under existing legal regimes that are not entirely appropriate when applied to spyware actions. Three examples are the Consumer Fraud and Abuse Act, the Federal Trade Commission Act and the tort of trespass to chattels. Hopefully this trend will not extend to Australia, given that the view in Australia is that existing legal regimes are sufficient to deal with the malicious use of spyware.

The Consumer Fraud and Abuse Act and the Federal Trade Commission Act have been recognised as two federal statutes that can be used to bring an action against spyware. The Consumer Fraud and Abuse Act (“CFAA”)[19] provides a right to bring an action where damage is caused to a computer system used by or for a government entity for the administration of justice, national defence or national security.[20] It is recognised that the CFAA has potential (in limited situations) for those wishing to bring a spyware claim, because it can be proven that spyware can cause a substantial amount of damage to a computer system.[21] The CFAA fails to combat the spyware issue in three main ways: