Spyware Remains Elusive

By Stewart A. Baker
June 29, 2004

Even 007 wasn't shadowed this much. These days, spyware operations are the most popular cybermarketing tool around, and the most unpopular. Software designers and advertisers have joined forces to run a clandestine operation on millions of consumers across the country. The tracking, data mining, and browser hijacking files that these companies surreptitiously plant on a person's computer extract personal information for advertising purposes, often without the user's knowledge or consent, and they have become a growing concern to companies, individual consumers, and the government. Most importantly, as frustration and fear of spyware grow and cause more people to turn away from the Internet, e-commerce is threatened. How did we get to this point, and what are the chances of successful regulation?

So Simple, So Hated

The basic business model is clear enough. Collect information about a user's Web browsing, and report the information to a server that will send pop-up ads to the user's computer. Because this process adds to pop-up misery and slows the user's Internet connection, the most successful spyware programs have to stick to the hard drive like a cocklebur. Spyware often sneaks into the computer without notice, because that's the only way it can get in, and then it often hides in many places, hoping to regenerate after a partially successful effort to uninstall it. A severely infected computer may be so difficult to cleanse that it is easier to reformat the drive and start over.

Web sites may also object to spyware because customers who visit a site may be served a competitor's pop-up advertisement. The profusion of pop-up ads can blemish the image of a Web site. And hardware and software producers are fielding many support calls about spyware removal that eat into their slim profit margins. [Editor's Note: We dealt extensively with adware in the June issue.]

In short, everyone hates spyware, but for different reasons. And the plethora of reasons for hating spyware has turned out to be one of the problems as legislators try to find ways to regulate such programs. Defining spyware in a fashion that separates legitimate from illegitimate software is proving remarkably difficult. And deciding what it is about spyware that needs to be banned is even harder.

State Law

Utah was the first state to take a stab at regulating spyware operations. The Utah law, the Spyware Control Act, was adopted in March. It defines spyware broadly as any software that monitors usage of the Internet and transmits information back from a location. It sets requirements for notice and uninstallation. It specifically prohibits any spyware installation that fails to meet three requirements: 1) a license agreement that appears before a user installs the program, 2) the consent of the user, and 3) an uninstall option. It also prohibits targeted pop-up ads that partially or wholly cover other companies' Web sites, and software that records and reports a user's online actions. Each infraction can draw a penalty of $10,000.

But in early March 2004, numerous large Internet firms protested Utah's bill, arguing that it condemned as spyware several types of useful communications software and some routine network communications. To take one example, Google monitors user activity routinely. Cookies are commonly installed without notice on every computer. And information technology and security companies rely on relatively unfettered data collection to analyze and prevent virus attacks. Programs such as error reporting applications, troubleshooting and maintenance programs, security protocols, and Internet browsers also use information-gathering procedures similar to spyware programs. All of these products may now operate under a cloud as a result of Utah's new law.

Already the law has been challenged. In May, Overstock.com sued the Massachusetts online retailer SmartBargains, Inc. in the Third District Court in Salt Lake City. Overstock.com claimed that SmartBargains used spyware to display pop-up ads over the Overstock.com Web site. Overstock.com is seeking injunctive relief, damages, and attorney's fees.

[Editor's Note: At press time, the Utah statute was blocked from being enforced by Third District Judge Joseph C. Fratto, Jr., pending the outcome of a challenge to the law by the adware company WhenU.com. For more, see Net News.]

Other states, notably California, are considering bills that are less draconian. The most recent version of California's bill merely requires a spyware distributor to provide to a user a detailed notice of the nature, functions, and operational features of its software prior to the software's opening download. It does not require easy removal of a program or the offering of an opt-out. New York, Ohio, Iowa, and Virginia are also considering legislation that would curb spyware operations.

Federal Bills

At the federal level, the Senate has drafted one anti-spyware bill and the House another. The Senate bill, the Burns/Wyden/Boxer bill, S-2145, known as SPY BLOCK, has drawn criticism for its rigid definition of technical terms, unwieldy standards for notice, and unrealistic uninstall requirements. SPY BLOCK seems to require a separate consent for every feature of a program that has spyware characteristics. There are obviously risks in such an approach. Among other things, users may conclude that every feature that requires notice is also a feature that will invade the user's privacy. Similarly, an uninstall requirement can cause problems for programs that share software components.

The SPY ACT (H.R. 2929) seems to have somewhat satisfied SPY BLOCK's detractors by adding some flexibility in defining and enforcing the proposed law. SPY ACT makes a distinction between programs that collect information from users and programs that are “unfair or deceptive” (that somehow trick the user). The first type of program would be subject to a notice and consent regime. The second would be banned as “unfair and deceptive” practices, a phrase that could cover a host of activities, from distributed computing and resetting the browser home page to resetting of the default Internet service provider or connection settings, alteration of bookmarks, and collecting personal information via keystroke loggers.

Like SPY BLOCK, the SPY ACT bill extends enforcement to FTC actions and allows the government to bring civil action suits on behalf of consumers. Unlike SPY BLOCK, the SPY ACT would pre-empt all state legislation in this area. Since preemption of state law is the only reason for business to support any federal spyware law, business will be focusing its efforts on improving and perhaps enacting SPY ACT.

[Editor's Note: Just as this issue went to press, the House Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection passed the Act. The Act is next scheduled to go before the full Energy and Commerce Committee. For more, see Net News.]



Stewart A. Baker, Steptoe & Johnson LLP, IL&S
