What not to "ware": as Congress struggles against spyware, the FBI develops its own.

Author: Lawson, Benjamin

    Most computer users have heard the term "spyware," but few understand the scope of the threat it poses. (1) Spyware can end up on a user's computer with little warning, or sometimes with no warning at all. (2) Spyware can gather information on the user's web browsing habits, harvest credit card numbers, or simply slow the computer to a halt. (3) Thus, it is not surprising that Congress has taken up the cause of combating spyware, (4) although the issue has resulted in much legislative hand wringing. (5)

    While the federal government has been trying to stop this kind of spyware in its tracks, however, it has also been developing some spyware of its own. (6) Imagine receiving the following warning from your computer's security software: (7) "Spyware detected! Source: US Government." Or, even more disconcertingly, imagine that your security software did not detect such a program, yet federal agents had installed one surreptitiously and were able to monitor your every digital move. (8)

    Although this software can be highly useful for catching tech-savvy criminals, (9) such surveillance techniques pose many questions. Some have questioned the propriety of the government's involvement in the creation and use of spyware, especially the potential exploitation of computer security loopholes. (10) It is also possible that the government may try to convince Internet security companies to create back doors in their software for government spyware, or at least whitelist the software so that users will not find it. (11) Even the classification of various technologies as "spyware" or "fedware" is a contentious process, (12) as exemplified by the debate over pending federal legislation against spyware. (13)

    This note will illustrate how the FBI has deftly turned spyware technology to its own advantage, while Congress has struggled to keep up with technological trends. It will also discuss the proliferation of "wares," provide examples of government spyware or "fedware" and their policy implications, and offer recommendations on the pending federal legislation that would regulate spyware.


    The suffix "-ware" has proven popular in fashioning monikers for new breeds of questionable or malicious software and Internet technology. (14) Besides the term "spyware," other potentially less familiar terms include "adware," (15) "pestware," (16) "malware," (17) "fedware," (18) "policeware," (19) "greyware," (20) "stealware," (21) "scumware," (22) "snoopware," (23) and even "iMalware." (24) Many of these terms overlap as well. (25) Indeed, a large part of the problem in addressing Internet security threats like spyware stems from the difficulty of categorizing various technologies. (26) In addition, the name of a "ware" can refer to the purpose of the technology, the techniques it uses, or both. This proliferation of "wares" in computer and Internet jargon necessitates some elucidation in order to highlight the significance of government spyware.

    1. Adware

      The simplest definition of adware is software that delivers advertising. (27) Illustrating the lack of precision in "ware" definitions, however, some have defined adware as involving surveillance of an Internet user's browsing habits to facilitate the delivery of advertising content. (28) However, the Anti-Spyware Coalition (ASC) (29) indicates that not all adware necessarily includes surveillance: "[m]any [but not all] adware applications also perform tracking functions ..." (30) Depending on the method used to deliver advertising content, this kind of "ware" can be the least offensive. (31)

      A common example of relatively innocuous adware is the link that appears in the upper-right corner of Adobe Reader 7.0.9. (32) It urges the user to "Download New Reader Now;" arguably this is merely an ad for a new version of the software that the user is already using, which is likely to enhance the user's experience at no extra charge. The ads that appear in the e-mail client Eudora are another example. These ads include products not specifically offered by the maker of Eudora, which arguably represents a slightly higher level of intrusion on the user's experience. (33)

      Adware is sometimes considered less offensive than other "wares" because a user may have "consented" to its installation. (34) In addition, when software makers "bundle" adware with their programs, the advertising revenue from the adware can help offset the cost of the primary program, and in some cases this can make the primary program available for free. (35) In this sense, the advertising is part (or all) of the "cost" of the program, much like advertising on television. Thus, adware is primarily commercially driven, and when it merely displays advertisements within a desired program's window without conducting surveillance of the user's computer habits, it is perhaps the least malicious "ware."

      However, the term "adware" is seldom used to describe only this minimally intrusive form of advertising (36) (that is, true user consent to the ads, which exert minimal control over computer use and appear only within the current program window). The term "adware" is sometimes used interchangeably with "spyware" because many adware programs monitor users' Internet browsing habits in order to conduct "contextually based marketing," (37) and in these cases, the two terms overlap. (38) An example of the conflation of these two "wares" is Ad-Aware, a popular anti-spyware/anti-adware product whose name is a play on the term "adware," even though its maker, Lavasoft, bills itself as "the original anti-spyware company." (39)

    2. Spyware

      Many different definitions of "spyware" exist. In the Internet context, one definition is "[a]ny software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes." (40) The Anti-Spyware Coalition lumps spyware together with "other potentially unwanted technologies" and defines them as

      [t]echnologies deployed without appropriate user consent and/or implemented in ways that impair user control over: Material changes that affect their user experience, privacy, or system security; Use of their system resources, including what programs are installed on their computers; and/or Collection, use, and distribution of their personal or other sensitive information. (41)

      In the commercial context, the information gathered usually consists of the user's Internet browsing habits, which marketers can use to deliver targeted advertisements. (42) This form of spyware is responsible for the dreaded pop-up windows, (43) redirecting of browser clicks, changed home pages, (44) and other behaviors that plague many (if not most) web users' experiences. (45)

      However, spyware is not limited to this functionality; various kinds of spyware can also capture users' personal information (46) or, in the case of keyloggers, every keystroke that the user enters, (47) and some programs can reinstall themselves after the user attempts to delete them. (48) Thus, it is important to separate the technology from the purpose for which it is used. Each of these capabilities has both legitimate and objectionable uses. When this technology is put to harmful use, it falls into the broader category of "malware," a category that includes other harmful software such as Trojans, viruses, and worms. (49)

      Spyware has other uses beyond aggressive commercial marketing. Some spyware can be used for stealing personal information such as credit card information and Social Security numbers, in which case it has the same goal as phishing. (50) In these cases, the technology's goal is to facilitate identity theft, rather than to discover marketing information. Individuals have also used spyware to investigate others, such as tracking the communications of a spouse suspected of infidelity. (51)

      Spyware or adware installation methods vary. Some adware and spyware is "bundled" with other software that a user downloads or buys, (52) and in many cases, the full extent of the software's activity is only vaguely referenced in the End User License Agreement (EULA) or is buried in fine print. (53) Other spyware "tricks" the user into installing it through deceptive browser pop-up windows. (54) Another method of delivering spyware or adware is by attaching it to a deceptive e-mail and relying on the unwitting recipient to open the attachment, thereby inadvertently installing the program, much like some viruses, Trojans, and phishing scams. (55) An even more insidious form of installation is the "drive-by download," in which malware is installed simply upon visiting a given web page. (56) The variety of propagation methods, while troublesome, is also a testament to the ingenuity of spyware makers.

    3. Fedware

      Continuing the trend of using "-ware" to describe emergent Internet technologies, "spyware" developed or used by law enforcement agents has been called "fedware" (57) or "policeware." (58) The following sections describe two relatively old technologies that might be described as fedware, and a newer program that surfaced recently.

      1. Carnivore

        Carnivore is an FBI-created "packet sniffer": essentially, an Internet version of a wiretap that reads and filters IP packets. (59) It is an outgrowth of an earlier, less content-discriminating project called Omnivore, which the FBI started in 1997. (60) Carnivore was unveiled in 2000 (61) and runs on a "black box" installed at an Internet Service Provider (ISP). (62) It is capable of monitoring the content of a targeted computer's Internet communications, such as the contents of e-mails or chat room discussions, and it can also be configured to capture only the address information of Internet communications, such as the "to" and "from" fields of e-mail messages or the addresses of websites visited. (63) As Professor Orin Kerr has pointed out, the name "Carnivore" sounds alarming, but it was originally intended to...
