Deleting spyware: a criminal act?

It could be...

Analysis On my computer right now I have three anti-spyware programs, three anti-virus programs, and three anti-spam programs, together with a hardware and software firewall, an IPsec VPN, and data level encryption on certain files (and no, this is not intended to be an invitation for you to try to test my security.)

The anti-spyware, anti-virus, and anti-spam software all work in very much the same way - they have definitions of known malicious programs, and they may also have algorithms to raise flags about unknown programs which operate in an unusual way. Depending upon user preferences, the programs either automatically block or delete the suspicious mail or program, stop a running process, or quarantine a file for the user to delete.

In general, users delete all or virtually all of these identified programs and blocked mail. I mean, who really wants spyware or viruses, right? However, both the identification of programs as spyware or spam, and the deletion of these programs may, in fact, be a violation of the law.

What is "spyware" anyway?

At present there are several dozen laws or pending bills to both define and outlaw spyware. At the federal level, there are three bills pending, including the Internet Spyware (I-SPY) Prevention Act, HR 744, the SPY Act, HR 29, and SPY BLOCK Act, S. 687. At the state level, there are four existing anti-spyware laws, in Utah, Washington State H.B.1012, Virginia - Prohibited Software and Actions and California - Computer Spyware.

In addition, there are a number of states that are considering laws to outlaw spyware. While there are significant differences in each of these proposals (with some permitting criminal or private civil enforcement, and others only permitting the State Attorney General to enforce these rights), in general the laws attempt to prohibit the "deceptive" practices of the unauthorized installation of programs that monitor a consumer's activities without their consent. As a result, these statutes tend to prohibit both the transmission or installation "through intentionally deceptive means" of software that either changes configurations of certain programs, or collects personally identifiable information, or prevents a user's efforts to block installation, or falsely claims that software will be disabled by the user's actions, or removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Of course, if I want to install software that does all these things, the law would not prohibit these things. The problem of distinguishing between illegal spyware and ordinary programs is not that easy, however. America Online was sued when it distributed version 5.0 years ago, which members of the class that sued claimed altered software and registry settings without the consumer's knowledge or consent. Netscape was similarly sued for a version of its browser, but defended claiming that the Software Licence Agreement provided notice of the changes. Rumors have abounded that the next version of Microsoft's "Longhorn" OS will automatically send error messages to the mothership in Redmond which will now contain information about not only the system settings at the time of a crash, but also the contents of any document the user may have been working on when the system crashed.

Thus, the key difference between unwanted and unlawful spyware and "legitimate" software is simply user knowledge and consent. Both might actually collect and transmit personal information, muck up system and registry settings, be hard or impossible to alter or delete, and might disable itself or other programs upon removal. But did you know and consent to having it installed?

What is consent?

How does a purveyor of "spyware" get users to "consent" to its installation anyway? Online consent is usually achieved through some form of advisory on a webpage or a click-through agreement. Providing users with access to your Terms of Service or Terms of Use (by placing them on a link on your home page) or providing them the relatively easy ability to download or view a Software License Agreement is usually sufficient to bind the consumer to any non-egregious or unconscionable terms of a contract, including things like agreeing to arbitrate disputes, and agreeing to sue in the website operator's home jurisdiction (Guam? Northern Marianas Islands?), and so on.

Just how "prominent" must a Software License Agreement or website be in order to not constitute a "deceptive" practice? How detailed must a software distributor be in describing exactly what registry settings the software alters, what information it collects, and what programs it may interfere with in order to avoid liability? How does a software distributor get consent of, for example, a 13-year-old in Columbus, Ohio who just wants to download a pretty screensaver, yet is below the age to legally enter into a contract? Or what about a 92-year-old first time computer user in Sheffield who is installing a program he or she read about in a magazine?

Take, for example, one common source of "spyware" or "adware," Kazaa's peer-to-peer network software. By simply downloading and installing the P2P software you are agreeing to the terms of their 5,500 word license agreement, which attempts to distinguish between the evil "spyware" that they would never install on your computer, and the helpful and friendly "adware" which, according to Kazaa, delivers ads which "are selected for you based in part on how you surf the Web so they're often about things you are actively searching for. That makes them pretty useful." Consider a website which might contain language at the bottom (under the "privacy policy" or "legal") to the effect that, by proceeding past the home page, or by installing certain programs, you are agreeing to the installation of a key logger, password grabber, browser redirector, program crasher, a pop-up installer, and a remote control program. Is it a crime if you state that you never read or understood what was clearly and plainly written on their website?

Whether a program is a crime or was invited must go beyond mere "notice and proceed" consent, or even mere "clickwrap" consent. When a program is as invasive and potentially destructive as what we commonly think of as "spyware" or "adware," the distributor should be required to demonstrate effective and informed consent - sort of an "are you sure you want to do this?" consent. Sure, this is a much higher standard than required of any other form of clickwrap contract - many of which may be as unconscionable as the installation of spyware. But if I am going to install something that is as potentially disruptive as spyware, the purveyor should take strong steps to show that I knew what I was doing. This applies equally to Kazaa's Claria as it does to Redmond's Microsoft. Clear, concise and easily understood terms should be required.

Spyware removers as criminals?

Now let's say I install Kazaa and agree to the GAIN ads they give me as a condition precedent for obtaining this useful P2P software. Or, suppose I install a demo version of a program, and agree to a condition that it will self-destruct if I don't pay for it. Or, I install a screensaver which contains a notice that it will also redirect my browser and install spyware (but I am dumb enough not to read that part). I am therefore bound by the terms of the contract I have agreed to - whether or not I have read it - unless the terms are unconscionable and therefore unenforceable, or they are so buried and inaccessible or fraudulently worded as to not be capable of forming a contract.

Once I receive the benefit of the contract I have entered into (the P2P software, the screensaver, etc.) suppose I then download and install a spyware remover, which either automatically or at my request removes the portion of the program which is of benefit to the software distributor. Thus, I get the benefit of the program without adhering to the other part of the contract. An analogy can be made to those who get "free" broadcast television with the implied understanding that they will watch commercials, and then they use TIVO to get past them or create software programs that will automatically remove them from recorded broadcasts. More apt an analogy is those who subscribe to valuable services (such as email newsletters) on the condition that they provide some personal information, such as for a subscription to the online New York Times - and then deliberately provide false information. While these websites don't seem to mandate that you provide accurate information, what if they had an "attestation" clause - meaning, I agree that I am providing accurate information as consideration for my access to the free online content of the New York Times? Would that make viewing the Times under false pretenses the same as stealing a copy of the paper from the news box?

The problem is worse for anti-spyware programs, which essentially automate the process of breaching consumer contracts. This is assuming that the consumers actually agreed to the terms and conditions under which the spyware was installed - generally not a valid assumption. Essentially, the spyware distributors would argue that the anti-spyware purveyors are inducing their customers to breach their contractual obligations, and are tortiously interfering with their contractual relationships with those who knowingly downloaded the spyware.

This is precisely the legal theory relied on when New.net sued Lavasoft in Federal Court in California, asserting that by calling its software "spyware" and blocking it, Lavasoft was defaming its products and interfering with its ability to distribute it. The California court rejected these arguments, asserting that, "despite the fact that the success of [New.net's] business ultimately depends on its ability to distribute as many copies of its software as possible onto users' computers, these relationships with the public at large are based on free and usually surreptitious downloads, and thus hardly rise to the level of 'economic relationships' as there is no business dealing between the unsuspecting users and [the company]." While the result is laudable, it is not clear that the analysis withstands scrutiny. New.net's "customers," those who installed the software with a bargained for consideration, were induced into breaching the contract by Lavasoft's operator's designating the program as "spyware." Certainly there was an economic relationship between New.net and those who downloaded the software - personal information in exchange for free software. The court could have attacked these contracts and found that the users never really agreed to them, and therefore were unenforceable, but it did not do so - it simply dismissed any argument that there was an economic relationship.

The lesson of all of this is, if you get a bargained-for benefit from downloading and installing a program in return for agreeing to provide something (such as your personal information), not only may the distributor be guilty of a deceptive trade practice if it doesn't fully explain what the program does, you may also be guilty of a deceptive practice if you don't live up to your end of the bargain. Another full employment program for lawyers!

Copyright © 2004, SecurityFocus

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
