The legal status of spyware.

Author: Garrie, Daniel B.

  I. OVERVIEW OF SPYWARE'S RELATIONSHIP WITH THE LAW
  II. SPYWARE TECHNOLOGY: A TECHNICAL OVERVIEW
    A. Spyware Defined
    B. Spyware Has Two Primary Forms
      1. Software-Enabled Installation of Spyware via Shareware
      2. Web-Enabled Installation of Spyware via Browser Vulnerability
    C. Adware Differs from Spyware
  III. LEGAL TREATMENT OF SPYWARE
    A. Spyware Trespass to Chattels Actions
    B. Spyware Under the Computer Fraud and Abuse Act
      1. Meeting the Damage Requirement for Civil Claims
      2. Civil Causes of Action Applicable to Spyware
    C. Spyware Under the Stored Communications Act
      1. First Element: Intent
      2. Second Element: Authorization
      3. Third Element: Facility Providing an Electronic Communication Service
      4. Fourth Element: Access to a Wire or Electronic Communication
      5. Fifth Element: In Electronic Storage
      6. Spyware Does Not Fall Within a Recognized Defined Exception
      7. The Stored Communications Act's Ability to Prevent Spyware
    D. Spyware Invasions of Privacy and Intrusions Upon Seclusion
    E. The Wiretap Act, Spyware, Grokster, Napster, and Developers
      1. The Wiretap Act Falls Short in Preventing Spyware from Operating
        a. Recording Phase
        b. Transmission Phase
      2. Conclusion: Spyware Faces Limited Liability Under the Wiretap Act
  IV. SOLUTION TO CLOSE LOOPHOLE THAT ENABLES SPYWARE TO BYPASS THE LEGAL SYSTEM
    A. Anti-spyware Legislation: Multi-Click Consent Agreements Analogous to Initialing Each Pertinent Point Respective to Data Mining Performed by the Software Provider
      1. Global Spyware and the Data Mining Industry
      2. Potential Non-Statutory Solutions
    B. Legislative Intent Is Accepted by Courts
  V. CONCLUSION

  I. OVERVIEW OF SPYWARE'S RELATIONSHIP WITH THE LAW

    Identity theft is lucrative; stealing one's good name is lucrative. What liability deters the people who steal digital information, even if it might be considered worthless? The Federal Trade Commission logged up to 250,000 identity theft complaints in 2004--100,000 more than in 2002. By and large, the law has been silent; and companies, some legitimate and some not, continue to collect, store, and process consumer information. The law provides those whose private information is being misused little recourse and provides little protection for those legitimately mining information. Even though large-scale breaches grab the headlines, many victims of identity theft frequently cause the offending disclosure by unwittingly downloading software from the World Wide Web ("Web") or responding to email "phishing" and other online and offline scams. Although courts find a right to privacy in the United States Constitution, that right generally only protects citizens from invasions by the government, not by corporate America.

    Today, federal law enables spyware, adware, and phishing businesses to mine consumer data with impunity. This Article demonstrates that although some laws are ineffective, others provide consumers with some minimal relief. In addition, the Article proposes an innovative solution. It also discusses the implications of the "evil-ution" of software developers in the context of the law, analyzing the evolution of the software developer, the impact of the rapidly increasing skill of the developers, and the disastrous outcomes that may occur if governments fail to act.

  II. SPYWARE TECHNOLOGY: A TECHNICAL OVERVIEW

    Understanding spyware requires the realization that any connection to a site on the Web is not passive, and the visitor does not wander around invisibly. Connecting to the Web is not like opening a book in the library and looking at its contents. While the person accessing the Web is gathering information from the site, the site knows the visitor is there, monitors the visitor's actions, and has varying levels of access--by the visitor's invitation--to that visitor's computer. One of the earliest forms of this active interaction was cookie technology. (1) Most users find cookies beneficial because they eliminate the need to repeatedly fill out order forms or re-register on Web sites. (2) For instance, with passwords being increasingly difficult to remember, some sites that require user names and passwords place cookies on the hard drive so the user has the option to log in automatically when visiting. (3)

    The reality is, however, that many businesses seek more competitive advantages. Consequently, they have developed a variety of legitimate and illegitimate technologies to enhance their market advantage. (4) Data miners (5) that actively collect information, dialers that change the computer's dial-up networking, (6) worms that create self-replicating viruses, (7) and hijackers that hijack a user's home page are all examples of modifications of cookie technology. (8)

    A. Spyware Defined

      Spyware is generally defined as software that, once installed on a person's computer (usually without consent), collects and reports in-depth information about that end-user. (9) Spyware is the progeny of clickstream data or cookie-based data mining technology. (10) These technologies are viewed as instrumental to the operation of the global information society. To demonstrate this expansive reliance on cookie technologies, the reader need only view the cookies stored on any personal computer. (11) The intertwined nature of spyware with other data mining technologies makes regulation a very delicate and difficult process. Most Web Portals would be severely limited, if not rendered useless, in the absence of spyware-like technologies. Web sites that would not operate if such technology were prohibited are: www.yahoo.com; www.wamu.com; www.schwab.com; www.ibm.com. (12) Adjoining these Web sites are a slew of intranet and Web applications that utilize cookies and clickstream data for authentication. (13)

      Spyware is capable of gathering a wide range of information, including Web-surfing habits, each and every keystroke, email messages, credit card information, and other personal information on users' computers. (14) In the world of technology, "spyware" is the umbrella term under which numerous technologies, both legal and malicious, fall. These include: adware, (15) trojans, (16) hijackers, (17) key loggers, (18) dialers, and malware. (19) While each of these technologies has its own unique behavior, for the most part they are all installed without a user's informed and explicit consent and tend to extract varying degrees of personal information, usually without that end-user's consent. (20) For instance, trojan spyware operates with a focus on stealing passwords by using a "trojanized" piece of software to grab passwords. This occurs either directly from the keyboard or while in transit over the network. Trojan spyware has been implemented many times on a raft of different platforms and is installed without the user's consent. (21)

      Spyware operates in relative secrecy, gathering end-user information without the end-user's consent or knowledge. When spyware successfully installs, it is difficult to remove because it embeds itself within the system and uses various techniques to detect and replace various files that are integral to the operation of the user's machine. Consequently, if a user rips out one or two parts, the undetected parts will come in and replace the files that were removed. (22) The outcome is that although the user is aware that spyware is installed, it is difficult for the user to remove, even when utilizing spyware removal technology. (23) Spyware blurs the existing fuzzy line between a malicious virus and an aggressive Internet marketing tool. Spyware, however, can monitor more than just the Web pages an Internet surfer visits; (24) it can also access the end-user's electronic file system, (25) email system, Web pages viewed, and any other unencrypted information the end-user accesses on the machine. (26)

      While valid commercial uses for spyware exist, its primary purpose is to spy and to gather information by invading a user's protected digital space, unbeknownst to the end-user, (27) and to relay it to a third party. For instance, a malicious spyware application might "pop up" a dialog box that warns the user of a problem with his or her account only to redirect that person to a look-alike site, which then acquires personal financial resources of the user. (28) Generally, malicious spyware tends to be financially motivated, distinguishing itself from past viruses/malware. (29)

    B. Spyware Has Two Primary Forms

      Once installed on an end-user's machine, spyware can be catalogued in one of two ways: (1) software-enabled installation of spyware via shareware applications; and (2) Web-enabled installation through a user's browser. (30) This distinction is drawn because spyware's delivery and installation mechanisms can be categorized as either software-enabled or Web-enabled spyware. (31)

      1. Software-Enabled Installation of Spyware via Shareware

        According to researchers from the University of Washington's Department of Computer Science and Engineering, software-enabled spyware installs itself by attaching to shareware software, such as Kazaa (http://www.kazaa.com/), which "has been the source of hundreds of millions of spyware installations." (32) Commonly, these software programs are embedded within a Dynamic Link Library ("DLL") that the intruder can manipulate at a later date. On average, infected computers have 93 spyware components, (33) making the process of removal--even for a knowledgeable technical person--an arduous and daunting, if not impossible, task. Software-enabled spyware that relies on this attachment mechanism for installation has been coined "piggy-backed spyware." (34)

        The majority of software-enabled spyware programs fall within the "piggy-backed spyware" installation method. (35) After installation, the spyware remains hidden from the user, and because the user consented to its installation via the shareware application End-user License Agreement ("EULA"), it does not violate black-letter law when transmitting data to third parties...
