Is Spyware Illegal Under Existing Laws?
In filing a lawsuit last month, New York State's attorney general intends to prove current laws against deceptive practices and false advertising are effective tools for prosecuting spyware distributors.
The answer to that question, I believe, is incredibly important to everyone who uses software and suffers from the threat of spyware. In a nutshell, Spitzer is saying he doesn't need a state antispyware law to take action against spyware promoters. This class of computer program is already illegal under existing laws, it seems.
Let's look at the implications of this and how it may allow prosecutions of spyware makers in other places.
Using Business Law To Stop Spyware
• Deceptive acts and practices. When Internet users installed screen savers from Intermix's more than 40 Web sites, adware programs such as KeenValue were quietly installed at the same time. Intermix made this spyware hard for users to remove, omitting an uninstall program and reinstalling the spyware if users tried to delete its files. This is prohibited by New York's law against "deceptive acts and practices";
• False advertising. To encourage Internet users to download Intermix's software, the company made claims on its sites such as "Free from spyware." New York law prohibits "false advertising in the conduct of any business, trade, or commerce";
• Trespass to chattels. This claim is perhaps the most interesting. "Chattels" means someone's personal property that is movable, such as a computer (but not land or buildings). New York law prohibits "the intentional intermeddling with a chattel" that results in "the deprivation of the chattel or impairment of the condition, quality or usefulness of the chattel." Even slowing a computer system down, as spyware almost always does, would seem to fall into this definition of trespass, if a user had not consented to it.
"Intermix does not promote or condone spyware, and remains committed to putting this legacy issue behind it as soon as practicable," the company said in a statement quoted by eWeek. "Many of the practices being challenged were instituted under prior leadership, and Intermix has been voluntarily and proactively improving these applications for some time," according to Christopher Lipp, Intermix's senior vice president and general counsel.
Getting To The Heart Of The Matter
Spitzer's lawsuit is a sign that software companies might finally lose the ability to put an unlimited set of conditions into end-user license agreements (EULAs) and expect those conditions to be enforceable in court.
"Intermix either fails to disclose these additional [spyware] programs in any manner, or hides mention of them deep within lengthy, legalistic license agreements," the attorney general's complaint states. In one case, the disclosure "occurred on the fourth page of a long license agreement, under the vague heading 'Additional Information,' " the suit says.
It's become very common for software companies to make users click "OK" to long licenses, some of which have very one-sided provisions. If Spitzer's suit is successful, it could begin a welcome trend for companies that buy software. Purchasers might eventually be freed of some EULA clauses that a court of law would find "unconscionable" and therefore unenforceable. Some database licenses that prohibit buyers from publishing benchmark test results come to mind.
Are New Laws Needed Or Not?
Spitzer's actions suggest that other jurisdictions could easily take action against spyware vendors who've installed software surreptitiously on users' computers. All U.S. states and most countries of the world must certainly have laws against deceptive trade practices.
A major barrier to the U.S. Congress passing a law against spyware is the lack of an exact definition of it. Some software installation techniques could be deceptive in some cases but perfectly fine if the computer user truly gave informed consent.
It may turn out that more laws aren't needed after all. What's needed is for more attorneys general to decide to enforce the laws on the books, even when the trespassers are using a novel means of breaking and entering -- the Internet.
The stakes are high. The New York attorney general alleges that Intermix quietly installed spyware on 3 million computers in that state alone. Since the applicable laws call for a fine of $500 per violation, the penalty could add up to $1.5 billion. That should get the attention of a few spyware makers.
May 18, 2005
A new anti-virus technology from Sophos, Inc. is designed to protect users against the flood of malware variants that are attacking networks with sometimes overwhelming speed.