Courts Step Up to Plate in Battle Against Spyware

Several months ago, the New York attorney general filed suit in a New York state court seeking an injunction against Direct Revenue LLC enjoining the firm from secretly installing spyware or sending ads through already installed spyware. New York v. Direct Revenue LLC, No. 401325/06 (Sup. Ct. N.Y. Co.). The suit has resulted in public disclosure of some of the most reviled Internet marketing tactics by a company that recently claimed it had changed its evil ways and has resulted in allegations of financial connections to some 'good guy' Internet behemoths such as Yahoo, Vonage, MySpace and others.

While motions to dismiss are pending, the public nature of the dispute, including widespread dissemination of court documents on the Internet, has already resulted in greater attention to the issue of spyware. (An earlier suit by the New York state attorney general against Intermix Media resulted in a settlement of the unfair business claim, including payment of $7.5 million. See, www.technewsworld.com/story/qJxm7qrYd4Lekx/Spitzer-Intermix-Ex-CEO-Agree-on-Settlement.xhtml.)

Across the country, the attorney general of Washington state alleged in an August lawsuit that four companies and two corporate executives based in California had violated Washington's anti-spyware statute, that was enacted last year. (See the complaint at www.atg.wa.gov/releases/2006/rel_Movieland_Spyware_Lawsuit_081406.html.)

In September, two California companies agreed to pay the Federal Trade Commission (FTC) more than $2 million to settle charges that they had infected nearly 20 million computers around the world with spyware. According to the FTC, the Web sites of the defendants and their affiliates caused 'installation boxes' to pop up on consumers' computer screens. Some of the boxes allegedly offered a variety of 'freeware,' including music files, cell phone ring tones, photographs, wallpaper and song lyrics. Other boxes warned that consumers' Internet browsers were defective and offered free browser upgrades or security patches.

The FTC asserted that the individuals who downloaded the supposed freeware or security upgrades did not receive what they were promised, and that instead their computers were infected with spyware that interfered with the functioning of their computers and was difficult to uninstall or remove.

The FTC's complaint also alleged that the defendants' software code tracked consumers' Internet activity, changed their home page settings, inserted new toolbars onto their browsers, inserted a large side 'frame' or 'window' onto browser windows that in turn displayed ads, and displayed pop-up ads, even when consumers' Internet browsers were not activated. (See, 'FTC Closes Door on Spyware Operation,' FTC Release, Sept. 6, 2006, available at www.ftc.gov/opa/2006/09/enternet.htm.)

This stipulated settlement followed on the heels of a default judgment the FTC obtained in May from a federal district judge in New Hampshire ordering an alleged spyware distributor to pay more than $4 million and barring it from downloading spyware onto consumers' computers, downloading any software without consumers' consent, redirecting consumers' computers to sites or servers other than those the consumers selected to visit, changing any Web browser's default home page, and modifying or replacing the search features or functions of any search engine. (See, 'Court Halts Spyware Operations,' FTC Release, May 4, 2006, available at http://ftc.gov/opa/2006/05/seismic.htm.)

Ironically, one of the tactics allegedly used by these companies was the installation of spyware to demonstrate the need for the consumer user to download their anti-spyware program.

Spyware can be somewhat difficult to define. Indeed, complaints have been filed against companies one might not normally expect to fall within the category of spyware provider, including Yahoo, Microsoft and Sony.

The Anti-Spyware Coalition, a group of anti-spyware software companies, academics and consumer advocates, offers a useful and practical definition of spyware as '[t]echnologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

• Material changes that affect their user experience, privacy, or system security;
• Use of their system resources, including programs installed on their computers; and/or
• Collection, use, and distribution of their personal or other sensitive information.'

(See, Anti-Spyware Coalition Definitions Document, available at www.antispywarecoalition.org/documents/DefinitionsJune292006.htm.)

However defined, spyware is clearly a tremendous problem.

A survey conducted by Colorado-based Webroot Software found that nearly three out of four compliance officers at corporations and financial services firms believe that spyware is a top concern. (See, Mark Malyszko, 'Most compliance officers fear spyware,' Euromoney Institutional Investor (Nov. 21, 2005, p. 1(2) vol. 12)).

Some estimates suggest that spyware costs consumers $2 billion a year, when anti-spyware programs and computer repairs ' and new computers ' are included. (See, Alana Semuels, 'Two Firms Settle Claims of Spyware,' Los Angeles Times (Sept. 8, 2006, at Business, Part C, p. 2.))

A study conducted by the Pew Internet and American Life Project demonstrated that 91% of all Internet users have modified their surfing habits as a result of spyware and adware, including not opening e-mail attachments unless they are certain of their source and content, and forgoing business or leisure dealings with certain types of Web sites, including those they did not already know, that involved peer-to-peer (P2P) interactions, or that offered gratis downloads. (See, www.pewinternet.org/PPF/r/160/report_display.asp.) Thus, the threat of spyware also creates a direct threat to the continued commercial expansion of the Internet.

Only about a dozen states have passed anti-spyware legislation already, although nearly twice that number are considering doing so. (See, 'Spyware: Down but not out,' Consumer Reports, supra.) Pending bills in New York include Assembly Bill A02682, that would amend the penal law to establish the crime of unlawful dissemination of spyware. It provides that a person would be guilty of unlawful dissemination of spyware when, having no right to do so, he or she installs an executable computer program, including but not limited to a 'keylogging' program, that exploits a user's Internet connection without the user's knowledge or 'explicit authorization' and such program gathers and transmits personal information or data of a user. (See, eg, A02682: 'An act to amend the penal law, in relation to establishing the crime of unlawful dissemination of spyware,' available at http://assembly.state.ny.us/leg/?bn=a2682; and A00549: 'An act to amend the general business law, in relation to enacting the 'consumer protection against computer spyware act,” available at http://assembly.state.ny.us/leg/?bn=a549.)

The bill limits those who may grant authorization to the owner or lessor of a computer or, if the owner or lessor of a computer is under 18, by the parent or guardian of such person. Authorization may be granted in an end user agreement that an authorized user agrees to upon installation of a program.

The bill defines 'personal information or data' to mean data that identifies a specific person, including but not limited to financial information including banking and credit card account numbers and any information concerning a person that, because of name, number, symbol, mark or other identifier can identify such person.

'Keylogging computer programs' are programs that record and electronically trasmit all of the key strokes that a user makes and that are installed without the knowledge or awareness of the computer user.

Under the bill, unlawful dissemination of spyware is a Class A misdemeanor, but the second time a person is convicted within 5 years will result in a Class E felony.

In the Courts

Although few published court decisions involve complaints over spyware, an important ruling was issued last year by the U.S. District Court for the Northern District of Illinois in Sotelo v. DirectRevenue, LLC, 384 F. Supp. 2d 1219 (N.D. Ill. 2005).

The decision is significant both for its explanation of alleged spyware practices and its decision on an important legal issue; it also is noteworthy because it apparently led to a settlement in February, with the defendant agreeing not to install software on a computer without the user's consent. (See, eg, Eric Benderoff, 'Class-action suit dismissed against spyware provider,' Chicago Tribune, supra.)

The plaintiff in this case alleged that, without his consent, the defendant had caused spyware to be downloaded onto his personal computer. According to the plaintiff, the defendant's spyware was designed to be difficult to remove once it was installed, including by changing its name to prevent disgruntled users from complaining and altering the spyware file names so anti-spyware programs and technicians could not locate and remove it.

One of the key counts in the complaint was a claim for trespass to
personal property. The defendants argued that this count failed to state a claim upon which relief could be granted because the plaintiff failed to plead causation and damages as required to state a trespass to personal property claim.

The court observed that the plaintiff had specifically alleged that spyware was the proximate cause of significant and cumulative injury to computers, including his, and interfered with their use. The plaintiff also alleged that spyware and the resource-consuming advertisements sent to a computer by spyware caused computers to slow down, took up the bandwidth of the user's Internet connection, incurred increased Internet-use charges, depleted a computer's memory, utilized pixels and screen-space on monitors, required more energy because slowed computers must be kept on for longer and reduced a user's productivity while increasing their frustration.

Indeed, the court continued, many companies and computer users consider pop-up ads and spyware 'an Internet scourge.' The court then noted that the plaintiff alleged that spyware had interfered with and damaged his personal property, namely his computer and his Internet connection, by over-burdening their resources and diminishing their functioning. The court then denied the defendant's motion to dismiss the trespass claim.

Conclusion

Certainly, there are steps that users can take to limit their risk of having their computers affected by spyware, from using an anti-spyware program to avoiding downloads of certain free programs or software.

State legislatures, and perhaps ultimately Congress, also may act.

Court involvement, whether initiated by private actions, such as Sotelo, or government prosecutions under existing consumer protection law, has resulted in injunctions and monetary damages, which suggests that the judicial system may also be part of the solution for this ongoing and growing problem.

Several months ago, the New York attorney general filed suit in a New York state court seeking an injunction against Direct Revenue LLC enjoining the firm from secretly installing spyware or sending ads through already installed spyware. New York v. Direct Revenue LLC, No. 401325/06 (Sup. Ct. N.Y. Co.). The suit has resulted in public disclosure of some of the most reviled Internet marketing tactics by a company that recently claimed it had changed its evil ways and has resulted in allegations of financial connections to some 'good guy' Internet behemoths such as Yahoo, Vonage, MySpace and others.

While motions to dismiss are pending, the public nature of the dispute, including widespread dissemination of court documents on the Internet, has already resulted in greater attention to the issue of spyware. (An earlier suit by the New York state attorney general against Intermix Media resulted in a settlement of the unfair business claim, including payment of $7.5 million. See, www.technewsworld.com/story/qJxm7qrYd4Lekx/Spitzer-Intermix-Ex-CEO-Agree-on-Settlement.xhtml.)

Across the country, the attorney general of Washington state alleged in an August lawsuit that four companies and two corporate executives based in California had violated Washington's anti-spyware statute, that was enacted last year. (See the complaint at www.atg.wa.gov/releases/2006/rel_Movieland_Spyware_Lawsuit_081406.html.)

In September, two California companies agreed to pay the Federal Trade Commission (FTC) more than $2 million to settle charges that they had infected nearly 20 million computers around the world with spyware. According to the FTC, the Web sites of the defendants and their affiliates caused 'installation boxes' to pop up on consumers' computer screens. Some of the boxes allegedly offered a variety of 'freeware,' including music files, cell phone ring tones, photographs, wallpaper and song lyrics. Other boxes warned that consumers' Internet browsers were defective and offered free browser upgrades or security patches.

The FTC asserted that the individuals who downloaded the supposed freeware or security upgrades did not receive what they were promised, and that instead their computers were infected with spyware that interfered with the functioning of their computers and was difficult to uninstall or remove.

The FTC's complaint also alleged that the defendants' software code tracked consumers' Internet activity, changed their home page settings, inserted new toolbars onto their browsers, inserted a large side 'frame' or 'window' onto browser windows that in turn displayed ads, and displayed pop-up ads, even when consumers' Internet browsers were not activated. (See, 'FTC Closes Door on Spyware Operation,' FTC Release, Sept. 6, 2006, available at www.ftc.gov/opa/2006/09/enternet.htm.)

This stipulated settlement followed on the heels of a default judgment the FTC obtained in May from a federal district judge in New Hampshire ordering an alleged spyware distributor to pay more than $4 million and barring it from downloading spyware onto consumers' computers, downloading any software without consumers' consent, redirecting consumers' computers to sites or servers other than those the consumers selected to visit, changing any Web browser's default home page, and modifying or replacing the search features or functions of any search engine. (See, 'Court Halts Spyware Operations,' FTC Release, May 4, 2006, available at http://ftc.gov/opa/2006/05/seismic.htm.)

Ironically, one of the tactics allegedly used by these companies was the installation of spyware to demonstrate the need for the consumer user to download their anti-spyware program.

Spyware can be somewhat difficult to define. Indeed, complaints have been filed against companies one might not normally expect to fall within the category of spyware provider, including Yahoo, Microsoft and Sony.

The Anti-Spyware Coalition, a group of anti-spyware software companies, academics and consumer advocates, offers a useful and practical definition of spyware as '[t]echnologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

• Material changes that affect their user experience, privacy, or system security;
• Use of their system resources, including programs installed on their computers; and/or
• Collection, use, and distribution of their personal or other sensitive information.'

(See, Anti-Spyware Coalition Definitions Document, available at www.antispywarecoalition.org/documents/DefinitionsJune292006.htm.)

However defined, spyware is clearly a tremendous problem.

A survey conducted by Colorado-based Webroot Software found that nearly three out of four compliance officers at corporations and financial services firms believe that spyware is a top concern. (See, Mark Malyszko, 'Most compliance officers fear spyware,' Euromoney Institutional Investor (Nov. 21, 2005, p. 1(2) vol. 12)).

Some estimates suggest that spyware costs consumers $2 billion a year, when anti-spyware programs and computer repairs ' and new computers ' are included. (See, Alana Semuels, 'Two Firms Settle Claims of Spyware,' Los Angeles Times (Sept. 8, 2006, at Business, Part C, p. 2.))

A study conducted by the Pew Internet and American Life Project demonstrated that 91% of all Internet users have modified their surfing habits as a result of spyware and adware, including not opening e-mail attachments unless they are certain of their source and content, and forgoing business or leisure dealings with certain types of Web sites, including those they did not already know, that involved peer-to-peer (P2P) interactions, or that offered gratis downloads. (See, www.pewinternet.org/PPF/r/160/report_display.asp.) Thus, the threat of spyware also creates a direct threat to the continued commercial expansion of the Internet.

Only about a dozen states have passed anti-spyware legislation already, although nearly twice that number are considering doing so. (See, 'Spyware: Down but not out,' Consumer Reports, supra.) Pending bills in New York include Assembly Bill A02682, that would amend the penal law to establish the crime of unlawful dissemination of spyware. It provides that a person would be guilty of unlawful dissemination of spyware when, having no right to do so, he or she installs an executable computer program, including but not limited to a 'keylogging' program, that exploits a user's Internet connection without the user's knowledge or 'explicit authorization' and such program gathers and transmits personal information or data of a user. (See, eg, A02682: 'An act to amend the penal law, in relation to establishing the crime of unlawful dissemination of spyware,' available at http://assembly.state.ny.us/leg/?bn=a2682; and A00549: 'An act to amend the general business law, in relation to enacting the 'consumer protection against computer spyware act,” available at http://assembly.state.ny.us/leg/?bn=a549.)

The bill limits those who may grant authorization to the owner or lessor of a computer or, if the owner or lessor of a computer is under 18, by the parent or guardian of such person. Authorization may be granted in an end user agreement that an authorized user agrees to upon installation of a program.

The bill defines 'personal information or data' to mean data that identifies a specific person, including but not limited to financial information including banking and credit card account numbers and any information concerning a person that, because of name, number, symbol, mark or other identifier can identify such person.

'Keylogging computer programs' are programs that record and electronically trasmit all of the key strokes that a user makes and that are installed without the knowledge or awareness of the computer user.

Under the bill, unlawful dissemination of spyware is a Class A misdemeanor, but the second time a person is convicted within 5 years will result in a Class E felony.

In the Courts

Although few published court decisions involve complaints over spyware, an important ruling was issued last year by the U.S. District Court for the Northern District of Illinois in Sotelo v. DirectRevenue, LLC , 384 F. Supp. 2d 1219 (N.D. Ill. 2005).

The decision is significant both for its explanation of alleged spyware practices and its decision on an important legal issue; it also is noteworthy because it apparently led to a settlement in February, with the defendant agreeing not to install software on a computer without the user's consent. (See, eg, Eric Benderoff, 'Class-action suit dismissed against spyware provider,' Chicago Tribune, supra.)

The plaintiff in this case alleged that, without his consent, the defendant had caused spyware to be downloaded onto his personal computer. According to the plaintiff, the defendant's spyware was designed to be difficult to remove once it was installed, including by changing its name to prevent disgruntled users from complaining and altering the spyware file names so anti-spyware programs and technicians could not locate and remove it.

One of the key counts in the complaint was a claim for trespass to
personal property. The defendants argued that this count failed to state a claim upon which relief could be granted because the plaintiff failed to plead causation and damages as required to state a trespass to personal property claim.

The court observed that the plaintiff had specifically alleged that spyware was the proximate cause of significant and cumulative injury to computers, including his, and interfered with their use. The plaintiff also alleged that spyware and the resource-consuming advertisements sent to a computer by spyware caused computers to slow down, took up the bandwidth of the user's Internet connection, incurred increased Internet-use charges, depleted a computer's memory, utilized pixels and screen-space on monitors, required more energy because slowed computers must be kept on for longer and reduced a user's productivity while increasing their frustration.

Indeed, the court continued, many companies and computer users consider pop-up ads and spyware 'an Internet scourge.' The court then noted that the plaintiff alleged that spyware had interfered with and damaged his personal property, namely his computer and his Internet connection, by over-burdening their resources and diminishing their functioning. The court then denied the defendant's motion to dismiss the trespass claim.

Conclusion

Certainly, there are steps that users can take to limit their risk of having their computers affected by spyware, from using an anti-spyware program to avoiding downloads of certain free programs or software.

State legislatures, and perhaps ultimately Congress, also may act.

Court involvement, whether initiated by private actions, such as Sotelo, or government prosecutions under existing consumer protection law, has resulted in injunctions and monetary damages, which suggests that the judicial system may also be part of the solution for this ongoing and growing problem.