Virtual Spies Virtually Unfettered: The Epidemic of Spyware and the Inadequacy of the Current Law

 

April 12, 2006

Cyberspace Law

Final Final Draft

Subject: Spyware

Rashawn Logan

 

 

I.  A GROWING PROBLEM

It is a beautiful weekend morning as Ruby (not her real name) slowly wakes up and realizes she has a longer than usual list of tasks she needs to accomplish.   She wiggles into her slippers and sits down at her desk to check her email.  She is used to her laptop snapping to attention.  This morning, as Ruby returns to her desk with a glass of orange juice, she notices that her computer is still struggling to start its day.  Several minutes pass with the silence only broken by the sound of the computer’s processor hard at work. 

Ruby’s worry momentarily dissipates when her computer eventually loads its “desktop” screen.  However, her computer “desktop” has an uninvited guest.  An advertisement for weight loss pills mocks her from the middle of the laptop’s screen.  She quickly closes the advertisement and double clicks on the Internet Explorer icon only to hear the grinding of the computer’s processor again. 

Several minutes pass, but no Internet browser window opens.  Ruby begins to lose hope, but then a window appears.  Instead of her email, the unwelcome weight loss advertisement has returned and has brought along a friend, a work-from-home advertisement.  Ruby closes both unwanted windows only to discover that they return exactly one minute later.  A window containing Ruby’s email finally opens.  By this time her orange juice is long gone.  In the middle of reading an important email, Ruby is interrupted by a flashing advertisement declaring that “Your computer may have spyware! Click here to delete it!” 

Ruby recalls hearing about something called ‘spyware’ before, but she never gave it much thought.  Now she is beginning to realize how serious it can be.  Not only are the programs annoying, they are seriously affecting the performance of her computer.  They are taking up valuable disk space and dramatically slowing down the computer’s processing speed. 

Ruby does not understand how these programs found their way onto her machine.  She has not downloaded anything from the internet in months.  Her firewall and antivirus programs are up to date.

Thoroughly annoyed by the perpetually reoccurring advertisements, Ruby runs not one but two anti-spyware programs.  These programs find hordes of cookies, tracking devices, and programs.  She deletes all of the unwelcome programs that downloaded without her permission or knowledge.

However, her problem has not been solved as she discovers the next time she restarts her computer.  The advertisements are back.  Apparently, the spyware programs reinstalled themselves automatically. 

Completely frustrated, Ruby decides to do a little research on the most obnoxious of the programs. She is surprised to discover that some spyware defends itself from manual removal.  The sophisticated programs can change their filenames after every restart of the computer; thereby preventing users from deleting the program on the basis of its last known file name.

Ruby goes to the spyware manufacturer’s website and is pleased to find the offer of a “patch” designed to remove the unwelcome spyware from her computer.  She installs it, only to subsequently discover to her horror that this so-called “patch” actually just installs more spyware.  Lacking the technical knowledge to delete the hidden programs, Ruby realizes she only has two options to restore her computer to its prior level of performance.  She can either pay for a professional to fix her laptop or spend hours reformatting her computer and lose all the data that she has not backed up.

Unfortunately, this story is not fictional.  It is true.  Ruby and the author of this paper are one and the same.  Apparently, many computer owners have similar stories to tell.  As a result of this experience, it is the position propounded by this paper that both stronger civil injunctions and larger criminal fines should be available to protect computer owners from the unauthorized installation of programs on their computers. 

II.  SPYWARE OVERVIEW

A.  What is Spyware?

“Spyware” has been best defined by Mark Rosch & Jeffery Allen as “malicious software designed to surreptitiously take partial control of a computer's operation.”[1]  Most spyware operates without the consent of the computer user.[2]  “Adware” refers to a subset of spyware, the function of which (as “Ruby” discovered) is the display of advertisements.  Some adware imitates the activities of spyware by tracking the websites a computer user visits and submitting the data back to the manufacturer of the program.

B. Why is Spyware a Problem?

Spyware can be a problem for anyone who has both a computer and access to the internet.  Indeed, some studies find that as many as 90 percent of computers connected to the Internet have been infested with at least some spyware.[3]  Moreover, most of these computers do not have only one or two pieces of spyware.  Instead, the average infected computer has twenty-five potential spyware programs.[4]  

The potential harm from spyware can range from mere annoyance to serious computer impairment.  The less serious of these problems include pop-up windows and changes in a user’s settings, such as their bookmarks and homepage.  Other common irritations triggered by spyware are decreased Internet bandwidth and computer memory.

Spyware wastes individuals’ money.[5]  Some individuals must pay a professional to help rid them of the unwanted programs.  Others must waste valuable time removing the spyware themselves.

Serious problems can also occur as a direct result of spyware.  Enough spyware can crash a computer.  The spyware can make computers slow down dramatically and can destroy other programs.  Spyware can also make computers more vulnerable to viruses by disabling anti-virus programs or changing the security settings on web browsers.[6]  Some spyware can facilitate identity theft by transmitting personal information on a computer’s hard drive back to the spyware distributor.  Other spyware can contain key loggers which record everything the computer user types including credit card numbers, passwords, and usernames.
C.  How Do Computers Get Infected with Spyware?

Spyware spreads in many ways.  Unlike viruses and worms, computers infected with spyware programs do not spread the spyware to other computers.[7]  Spyware can hide in other programs downloaded off the Internet.  Other types of spyware try to trick the user into installing it.  One such trick distributors of spyware use is to disguise the program as security software.  Other spyware relies on bombarding the user with requests to install the program until he or she eventually consents.  Not all spyware downloads occur from a user’s positive action. By just visiting a certain website, an individual may become the victim of a “drive-by download”.[8]  In a “drive-by download”, spyware exploits the weaknesses in the web browser to install itself without the computer user’s knowledge.

D.  Why Is Spyware Hard to Remove?

Once spyware is on a computer, it is very hard to remove.  Spyware typically does not show up on the add/remove programs menu.  Instead, users have to manually locate and remove it.  The files can be hard to find since many types of spyware use random letters and numbers as file names.  Other spyware can actually change its file name every time the computer is restarted.  Other variations reinstall themselves after an individual removes their components.  If the spyware is extremely persistent, a user may be forced to reformat his or her computer to get rid of the programs.
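
The following illustration is added here and is not part of the original paper. It shows why removal "on the basis of its last known file name" fails and what a removal tool can key on instead: the file's content hash, which stays the same when only the name changes. The snapshot data, file names, and function names are all constructed for the example.

```python
"""Track programs by content hash instead of file name across restarts."""
import hashlib

# Constructed sample data: directory listings (file name -> file bytes)
# captured after four successive boots. Names and contents are hypothetical.
PAYLOAD = b"constructed-adware-binary"
EDITOR = b"constructed-legitimate-editor"
SNAPSHOTS = [
    {"kq7x2vbn.exe": PAYLOAD, "editor.exe": EDITOR},  # boot 0
    {"zt4m9pwa.exe": PAYLOAD, "editor.exe": EDITOR},  # boot 1: new random name
    {"editor.exe": EDITOR},                           # boot 2: user deleted it
    {"hb3r8ycd.exe": PAYLOAD, "editor.exe": EDITOR},  # boot 3: it is back
]


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of a file's contents as hex."""
    return hashlib.sha256(data).hexdigest()


def track_by_content(snapshots):
    """Map each content hash to [(boot_index, (names...)), ...].

    Only boots in which the content was present are recorded, so a gap in
    the boot indexes means the file was absent for at least one boot.
    """
    history = {}
    for boot, files in enumerate(snapshots):
        names_by_digest = {}
        for name, data in files.items():
            names_by_digest.setdefault(sha256_hex(data), []).append(name)
        for digest, names in names_by_digest.items():
            history.setdefault(digest, []).append((boot, tuple(sorted(names))))
    return history


def suspicious(history):
    """Return {digest: [reasons]} for content that was renamed or came back.

    "renamed":    the same bytes were seen under different names on
                  different boots (a last-known-name lookup would miss it).
    "reappeared": the bytes vanished for one or more boots and returned
                  (consistent with self-reinstallation after removal).

    Limitation: exact hashing only matches byte-identical copies; a program
    that also changes its own bytes needs a different matching method.
    """
    findings = {}
    for digest, sightings in history.items():
        reasons = []
        if len({names for _, names in sightings}) > 1:
            reasons.append("renamed")
        boots = [boot for boot, _ in sightings]
        if any(later - earlier > 1 for earlier, later in zip(boots, boots[1:])):
            reasons.append("reappeared")
        if reasons:
            findings[digest] = reasons
    return findings


if __name__ == "__main__":
    for digest, reasons in suspicious(track_by_content(SNAPSHOTS)).items():
        print(digest[:16], ", ".join(reasons))
```
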

III. EXISTING FEDERAL STATUTES FAIL TO PROTECT INDIVIDUALS FROM SPYWARE

There are three existing federal laws that could potentially be used against spyware distributors: the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Federal Trade Commission Act.[9]  This paper will analyze the purpose of each of these acts and their flaws.

A.  The Computer Fraud and Abuse Act Offers Individuals Little Assistance

The Computer Fraud and Abuse Act makes it a crime to knowingly send a program without authorization to a protected computer and intentionally cause damage to the protected computer.[10]  The Act punishes violations by five years for the first offense and ten years for the second.[11]  The USA Patriot Act increases these penalties to ten years for the first offense and twenty for the second offense.[12] 

Individuals are allowed to sue in a civil action under the Computer Fraud and Abuse Act.[13]  An individual can request an injunction against the spyware distributor or obtain compensatory damages.  However, damages are limited to only economic damages.[14]

The Computer Fraud and Abuse Act is not as helpful to individuals as it first seems.  It would be easy to establish that a company secretly installing spyware on an individual’s computer is doing so without authorization.  An individual could also show that the company knowingly sends the spyware.  However, individuals would have a hard time proving that the spyware company intentionally caused damages to their computers.  The spyware distributor would probably counter any argument an individual could make by stating the only purpose of the advertisements was to help people find the products they desire.

Even assuming that individuals can prove the necessary requirements of the Computer Fraud and Abuse Act, the Act is still nearly useless for the average citizen.  The reason for the ineffectiveness is the specific language used in the statute.  The statute uses the term “protected computer.”[15]  The general public may believe a protected computer is one with an up to date antivirus program and firewall.  However, the Computer Fraud and Abuse Act defines this phrase differently.   According to the Act, a protected computer is one used “exclusively for the use of a financial institution or the United States Government” or one used “in interstate or foreign commerce.”[16] 

The Act’s narrow definition of a protected computer limits individuals’ ability to sue. Perhaps an individual could argue their computer was used in interstate commerce if they purchased a lot of items over the internet from out of state vendors.  But if the court does not accept that argument, then the individual would not have standing to sue under the Computer Fraud and Abuse Act.

Other difficulties exist with the Act.  The Computer Fraud and Abuse Act requires at least $5,000 in damages in one year in order to be a criminal offense.[17]   My entire computer is not worth $5,000 and neither are most individuals’ computers.  A group of affected individuals could band together and form a class action suit against a spyware distributor to meet the $5,000 limitation.  However, it would be very difficult to put a price on the data lost and the time spent repairing the computers that the individuals performed themselves.  Finally, the costs of litigation could quickly exceed the damages done by the spyware so there would be little incentive for individuals to sue when they would just be losing more money.

A class action suit is further complicated by the court’s decision in Thurmond v. Compaq Computer Corp.[18]  In Thurmond, a group of individuals who used computers in their business sued under the Computer Fraud and Abuse Act.  The total damages the individuals suffered were well over $5,000.  However, the court read the Act to mean that $5,000 in damages had to occur to a single protected computer.[19]  In order to have standing, at least one of the class members must have had over $5,000 in damages to one of his or her computers.  As the price of new computers gradually decreases every year, it will be harder for one individual to meet the minimum damage requirement.  As a result, individuals face difficulties suing as either single entities or as part of a class action. 

B.  The Electronic Communications Privacy Act Has Limited Applicability

The Electronic Communications Privacy Act prohibits the interception of any electronic communication.[20]  This Act could be used against some forms of spyware, especially those that use key loggers.  A key logger records all the key strokes made on an infected computer and sends the information back to the owner of the key logger.[21]  If an individual used an infected computer to type an email, then the spyware company would know exactly what was said in the message.  An email would be a type of electronic communication, and by receiving a copy of the message, the spyware company would be intercepting the electronic communication.  Thus the spyware company would be in violation of the Electronic Communications Privacy Act.  

However, the Electronic Communications Privacy Act only works in the limited circumstances where the spyware captures an electronic communication.  As a result, the display of pop-up advertisements and the tracking of what websites an individual visits would not violate the Act.

C.  The Federal Trade Commission Act Only Applies When the Activity is Unfair and Deceptive

Another possible law to combat spyware is Title 15 of the Federal Trade Commission Act.[22]  This Act prohibits unfair methods of competition and unfair business practices.  According to a Federal Trade Commission Staff Report, a method is unfair “if it causes or is likely to cause substantial injury to consumers, that injury is not outweighed by any countervailing benefits to consumers and competition, and consumers could not have reasonably avoided the injury.”[23]  Some activities conducted by spyware companies, such as displaying false advertisements, are made illegal by the Federal Trade Commission Act.  However, just installing spyware on an individual’s computer may not be punishable under this Act if the spyware is not an unfair method of competition or an unfair business practice.

The first spyware case brought by the Federal Trade Commission was FTC v. Seismic.[24]  In Seismic, when computer users stumbled upon Seismic’s web site, spyware was downloaded onto their computers.  No notice of the download occurred and individuals never had a chance to consent to the download.  The spyware caused pop-up windows on the computers’ screens that advertised a specific brand of anti-spyware program.  The advertisements misled consumers by saying that it was their final warning and that they urgently needed to rid their system of spyware programs by purchasing a specific anti-spyware program.  Seismic then received a commission on the sale of this advertised anti-spyware program.

Other harm to the consumers resulted beyond losing money from purchasing Seismic’s affiliated anti-spyware program.  The spyware itself slowed down the affected computers and even caused some to crash, resulting in data loss.  Individuals had to waste time fixing their machines themselves or pay a professional to repair them.[25]

In response to numerous complaints, the Federal Trade Commission petitioned the New Hampshire District Court for an injunction to force Seismic to remove the script from its website that caused the spyware to download without any notice.  The Federal Trade Commission argued that Seismic’s activities were unfair methods of competition and thus violated 15 U.S.C.A. § 45 because the false advertisements were likely to cause the consumers to purchase the depicted product. [26]   The Federal Trade Commission had to prove Seismic’s activities were “likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.”[27] 

In response, Seismic alleged “at least some of their activities are widely accepted internet practices and should not be prohibited.”[28]  Seismic also tried to argue that the federal district court no longer had jurisdiction over it since the company was no longer in the spyware business.[29]  The court decided that the Federal Trade Commission could continue the case and stated that “jurisdiction under the Federal Trade Commission Act extends to defendants who have sufficient minimum contacts with the United States, and is not limited to those who have minimum contacts with the forum state.”[30]

The court determined that the Federal Trade Commission was likely to succeed in showing that Seismic’s actions were “unfair and deceptive practices within the meaning of the” Federal Trade Commission Act.   The court awarded a temporary restraining order against Seismic.[31] 

More recently, the Federal Trade Commission sued a spyware company, Enternet, and its affiliates in U.S. District Court for the Central District of Los Angeles.[32]  Enternet lured consumers to its website with the promise of free computer wallpaper, ring tones, music files, and security patches.[33]  Instead of receiving the free promised files, consumers received spyware.  This spyware changed the computer user’s homepage, tracked the user’s activity, added toolbars to the browser, caused pop-up advertisements, and made frames in which more advertisements were displayed.[34] 

The Federal Trade Commission convinced the district court that Enternet’s activities were unfair and deceptive.[35]  The court ordered Enternet to stop its illegal downloads and temporarily froze its assets until a future hearing.[36]  At the next hearing, the Federal Trade Commission will try to obtain a permanent injunction against Enternet and make it forfeit the money it illegally acquired.[37]

It is a step in the right direction that the Federal Trade Commission brought a case against a spyware company.  However, there are some problems with the Federal Trade Commission’s methods.  First, many consumers will be affected by the spyware while the Federal Trade Commission conducts an investigation.  There is no incentive for a spyware company to stop installing its products on individuals’ computers even when it knows an investigation is taking place.  One solution to this problem would be that once the Federal Trade Commission receives a set number of complaints about a company, it can petition the court for a temporary injunction to shut down the company’s website while it conducts its investigation.

One potential problem could arise with the preceding solution.  An individual with a grudge against an innocent company could send many reports to the Federal Trade Commission.  However, this risk can be minimized by setting the triggering number of complaints high enough that it is unlikely an individual or even a small group could cause an investigation.  This strategy would conserve the Federal Trade Commission’s resources by only having it obtain injunctions while it investigates the worst offenders.

A second problem with the Federal Trade Commission’s current strategy is it goes after offenders one at a time.  While the Federal Trade Commission succeeded in obtaining a temporary injunction against one spyware company, what about all the other companies installing their programs on unsuspecting users’ computers?  There is no incentive for other spyware companies to stop their unfair activities.  While they may be forced to give up the profits they obtained unfairly, there exists a good chance they will never be investigated.  It seems unreasonable that the Federal Trade Commission can pursue every violating spyware company one by one.

Thirdly, not every spyware company engages in unfair methods of competition.  If Seismic had never advertised a spyware removal program, the Federal Trade Commission probably would not have sued it.  If Seismic had instead installed spyware that advertised cruises and vacations, there would be nothing false in the advertisements, so Title 15 of the Federal Trade Commission Act would not apply.

The Federal Trade Commission cannot be expected to eliminate spyware single handedly.  The Federal Trade Commission’s goals are to protect consumers and to eliminate anticompetitive business practices.[38]  Therefore, the Federal Trade Commission would not be able to sue spyware companies who are not engaging in unfair competition and not harming consumers.  Most types of spyware would not fall in the Federal Trade Commission’s authority.  Furthermore, the Federal Trade Commission Act does not give individuals standing to sue spyware companies, so if the Federal Trade Commission chose not to respond to an individual’s complaint, he or she is without recourse.

D.  Barriers to New Federal Legislation

One would think that the Federal Trade Commission would be a strong proponent of new spyware legislation.  Actually, the opposite is true.  As Britt Anderson stated, “the FTC has sent a consistent message that new federal anti-spyware legislation is not necessary and may be counterproductive.”[39]  The Federal Trade Commission prefers more user education and self-regulation.[40]  One Commissioner was even heard to state that it is too early to pass laws on spyware and instead consumers should be educating themselves on how to avoid these programs.[41]  On the other hand, consumers cannot be expected to have the same level of computer sophistication as the programmers that create the spyware software.  Individuals need some legislation to help them fight spyware and to offer them remedies for the damages that occur from these unwanted programs.

IV. ATTEMPTS AT NEW LEGISLATION

A.  SPY ACT

During the 108th Congress, the House of Representatives made two attempts at new anti-spyware legislation.[42]  The first of these bills was the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT).[43]  This bill was passed by the House on October 5, 2004 with a vote of 399 to one.[44] 

The SPY ACT prohibited using an individual’s computer to send spam email, modem dialers, and key loggers.  Companies would not be allowed to use deceptive practices to change security settings, bookmarks, or alter the home page of the Internet browser.  Hijacking the browser or turning off anti-virus programs were also banned.  Any software that collects personal information about an individual must first obtain the individual’s consent and notify the individual about the program’s activities.[45]  Fines of up to three million dollars are allowed under the bill.[46]

The SPY ACT was sent to the Senate but no action was taken on it.  The 109th Senate sent the bill back to the House Committee on Energy and Commerce.[47]  At the time of this paper, the bill is still in this committee.[48]

The SPY ACT has undergone many amendments.  The bill originally classified all programs that send data without the user’s consent as spyware.[49]  This wide definition caused many complaints by companies that included anti-virus businesses.[50]  The next version of the bill contained exceptions for a few types of programs, including anti-virus software.[51]  Later, the Subcommittee on Commerce, Trade and Consumer Protection excluded third party cookies from the bill’s prohibited activities.[52] [53]

The SPY ACT would prohibit spyware distributors from tricking consumers into installing spyware on their computers.  However, it does not prohibit most drive-by downloads of spyware.  The only drive-by download the SPY ACT would prohibit is if the spyware collected “personally identifiable information” about the individual.  In this case, the computer user would need to consent to the spyware’s download for it to be legal. 

The SPY ACT defines an information collection program as one that collects personally identifiable information or collects information about web pages visited in order to target the individual with advertisements.[54]  Spyware companies would not need consent if they were collecting information on an individual’s computer specifications or collecting data on what websites they visited without displaying any advertisements.  Therefore, the consent requirement for information collection programs is too narrow to apply to many types of spyware.

Another problem with the SPY ACT is that it only applies to protected computers.[55]  If “protected computer” is defined the same way as in the Computer Fraud and Abuse Act, then only government computers, computers in financial institutions, or computers used in interstate commerce would be protected.  As a result, the SPY ACT would not offer individual computer owners any rights since their computers would not meet the definition of a protected computer.

B.  Internet Spyware Prevention Act

On October 7, 2004 the Internet Spyware Prevention Act (I-SPY Act) was passed by the House.[56] [57]  The I-SPY Act would have amended the Computer Fraud and Abuse Act to increase a prison sentence to up to five years if a federal crime occurred and a program was installed without authorization on a protected computer.[58]  Also punishable under the Act are intentionally impairing a protected computer’s security protections or using a program to collect personal information to defraud another.

The I-SPY Act is a lot narrower than the SPY ACT in that it focuses on the worst of the spyware offenders.[59]  Individuals are not given a right to sue under the I-SPY Act.  According to the Act, “no person may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant's violating this section.”[60]  The I-SPY Act may make some spyware distributors change their business practices. However, for those companies that do not change, there would be no civil remedy under the bill.  Only using the threat of a prison sentence would not seem to be as effective as combining civil and criminal penalties. The I-SPY Act could use fines in addition to criminal sanctions to slow down the spread of spyware.

C.  Spy Block Act

The Senate also designed its own anti-spyware bill called the Software Principles Yielding Better Levels of Consumer Knowledge Act (SPY BLOCK Act).  This bill was approved by the Senate Commerce Committee, but as of the time of this paper, the full Senate has yet to vote on it.[61]  The SPY BLOCK Act prohibits anyone other than a computer’s owner from installing software on it unless certain conditions are met.[62]  The first of these conditions is that the user must have received a clear notice of the potential installation.  The notice must state if the software will collect information, create advertisements, or modify any settings.  Then the notice must clearly describe these activities.  Second, the user must consent to the installation.  Separate consent is needed for each of the features of the software that perform advertising activities, monitoring, and modification of settings.  Third, the software must meet uninstall provisions such as appearing in the add/remove programs list and displaying a link on advertisements that tells how to remove the program.[63]

The SPY BLOCK Act is very similar to the SPY ACT.  However, the SPY BLOCK Act is superior in some ways.  Unlike the SPY ACT, which has a narrow requirement of consent before the execution of information collection programs, the SPY BLOCK Act requires consent before all installations regardless of the type of program.  This approach makes more sense because individuals should be given the right to choose what is installed on their own computers.  The right to consent should not be lost if the program will only display advertisements instead of collecting information.

The main problem with the SPY BLOCK Act is that it does not provide for civil penalties, such as fines.[64]  Instead, the Federal Trade Commission is given the duty to enforce the Act and punish violators under a new section in the criminal code.[65]  State attorneys general are also given the right to enjoin activities that would violate the Act and to recover damages for residents of the state.  The bill could be more of a deterrent to spyware companies if it incorporated the high fines of the SPY ACT. 

Also like the SPY ACT, the SPY BLOCK Act uses the term “protected computer” without defining it.  This term could cause the same problems for individuals regarding standing requirements if the courts adopt the definition of the term as used in the Computer Fraud and Abuse Act.  It seems that if the word “protected” were taken out of the bill, it would actually protect individuals better.

V.  THE STATES’ ATTEMPTS TO REGULATE SPYWARE

Due to the lack of federal enforcement, many states have enacted their own spyware statutes.  There are two main approaches that states use to deal with spyware.  The first approach protects business while the second attempts to give consumers protection. 

    A.  Utah

The first state to enact anti-spyware legislation was Utah in March of 2004.[66]  Utah’s Spyware Control Act prohibits pop-ups if the advertisement infringes on trademark law by using another company’s symbol.[67]  The Act also prohibits programs from displaying advertisements when an individual visits a certain site or creating an advertisement triggered by visiting a webpage containing a competitor’s trademark.  A private action may be brought against violators by either the attorney general or the trademark owner.[68]  Damages recoverable under the Act are the greater of actual damages or five hundred dollars.[69]

The purpose of the Utah anti-spyware law dramatically changed when the legislature made amendments to the bill.  Originally, Utah drafted a bill that prohibited installing spyware on someone else’s computer.[70]  This bill would have protected computer owners in Utah against spyware.  However, these same computer owners would have no rights if the bill was violated.  The bill only gave the right to sue to website owners, internet advertisers, and trademark owners.[71] 

The problem with the Utah approach to spyware is it only focuses on a small portion of spyware.  As long as the spyware companies do not infringe on trademark laws, they can install as many programs as they want on consumers’ computers without permission.  Individuals are given no protection or rights under the Utah approach.  Utah’s statute caters towards businesses by protecting trademarks instead of the computers themselves.

    B.  Alaska

Alaska has also decided to focus on protecting trademarks from spyware.  Alaska’s statute is entitled Deceptive Acts or Practices Relating to Spyware.  The Act’s narrow definition of deceptive acts causes the same problems for individuals as Utah’s statute.[72]  The Act defines a deceptive act for spyware purposes as one that causes a pop-up window to appear that is not affiliated with the website a user visited and is triggered by the website’s address or trademarks.[73]  As a result, any spyware that does not infringe on trademark law would be legal in Alaska.

    C.  California

An alternative to the Utah approach is California’s Consumer Protection Against Computer Spyware Act.[74]  This Act prohibits spyware distributors from doing many activities through intentionally deceptive means.  The prohibited activities include things such as modifying a homepage, changing bookmarks, collecting personal information through a key logger, collecting information on what sites a user visits, and blocking the individual from disabling the spyware.[75]

The problem with California’s statute is the phrase “intentionally deceptive.”  To be intentionally deceptive, it must be (1) intentionally and materially false and fraudulent, (2) intentionally omit material information, or (3) intentionally and materially fail to alert the user of the download or installation of the software.[76]  This is quite a high burden of proof for a victim to establish.[77]  A spyware company could easily defend itself by denying that it intended any prohibited conduct from occurring.  For example, the spyware distributor could design its spyware to reinstall itself after an individual removes it.  The spyware company could defend its actions by claiming that a notice to the user was supposed to appear to alert them of the reinstallation, and it was not sure why the notice did not appear.  Then the spyware company would not have the required intent under the statute.

A second problem with the statute is that it has no consent requirement.  A spyware company can install programs on people’s computers without violating the Act as long as it is not being deceptive about it.  The Act does not require the company to ask for a user’s consent in order to put spyware on his or her machine.  An individual could accidentally go to a website by clicking on an advertisement instead of a link above the advertisement.  Once at the website, the spyware distributor can start to install spyware on the individual’s computer as long as it says somewhere on the web page (without hiding the notice) that programs may be installed on visitors’ computers.

    D.  Texas

Texas’s Consumer Protection and Computer Spyware Act is more similar to California’s statute than Utah’s statute.[78]  This Act prohibits modifying settings, taking control over another computer, opening advertisements that cannot be closed using normal means, and preventing the computer user from removing the spyware.  Like California’s Act, the Texas statute prohibits only intentionally deceptive activities.  If the above activities were conducted in a non-deceptive manner, they would be legal.

The Texas statute prohibits a few activities that the California Act missed.  Under the Texas statute, spyware companies cannot design their programs to change their file names or locations in an attempt to prevent consumers from finding and removing the program.[79]  This would stop spyware from creating a different random file name for itself every time the user restarted their computer.

Texas also requires actual knowledge for the copying of computer software on another computer to be prohibited.  California’s Act uses the phrase “with actual knowledge, with conscious avoidance of actual knowledge, or willfully.”[80]  Plaintiffs in California have a much lighter burden of proof than Texas residents because they have alternatives to proving actual knowledge.  To prove actual knowledge, plaintiffs may need to hire experts to testify that the spyware company knew what it was doing when it downloaded software to the plaintiff’s computer.

There are a couple of situations in which a spyware company could argue that it did not have the actual knowledge required in Texas’s statute.  First, if a spyware company set up a website to transmit spyware to anyone who stumbled upon the website and then left the site alone, the spyware company could argue it did not have actual knowledge of whether its programs were sent to anyone.  Instead the spyware company could claim it was only negligent and avoid the penalties of the Consumer Protection and Computer Spyware Act.  Second, a spyware creator could hire a company overseas, which would make prosecution more difficult and expensive, to distribute its programs.  This way the spyware company could claim it did not have actual knowledge of whether any Texas residents received its software.

Unlike the California statute, Texas’s Consumer Protection and Computer Spyware Act limits who may bring suit under the Act.  Individual computer owners are not on the list of allowed persons.  Instead, only website owners, providers of computer software, cable operators, telecommunication providers, and Internet service providers can bring a case to court.[81]  This causes big problems for individual computer owners because even if they have suffered harm that the statute prohibits, they have no remedy under the Act.

Texas uses civil penalties for violations of the Act instead of criminal sanctions.  Violators can be fined up to one hundred thousand dollars for each violation.[82]  Permanent injunctions may also be sought by the state attorney general.

    E.  Iowa

Several other states have adopted the California approach and have made fewer changes to it than Texas.  The language of Iowa’s Consumer Spyware Protection Act is very similar to California’s Consumer Protection Against Computer Spyware Act.[83]  Violation of the Consumer Spyware Protection Act is an aggravated misdemeanor unless damages amount to over one thousand dollars to a single victim.  If the damages were over one thousand dollars, then a violation becomes a class D felony.  It is unlikely that a single individual would have over one thousand dollars in damages, so the latter sentence is probably aimed toward protecting businesses.

    F.  Indiana

Indiana’s statute is a combination of both Texas’s and California’s Acts.  Indiana borrowed Texas’s actual knowledge requirement and remedies and California’s prohibited activities.[84]  In Indiana, the attorney general, a website owner, a provider of software, or a trademark owner may bring a civil action against a violator of IC 24-4.8-2.  The statute makes no mention of affected consumers being able to bring suit.  If the plaintiff wins in Indiana, they receive an injunction against the violator and the greater of actual damages or one hundred thousand dollars.

    G.  Washington

Like Indiana, Washington’s statute allows only the attorney general, trademark owners, website owners, and computer software providers to sue.[85]  Violators may be fined for the greater of actual damages or one hundred thousand dollars.  The court can multiply the damage award by three if the defendant has a pattern and practice of violating the statute.[86]  Otherwise, Washington’s statute is similar to California’s Act.  Washington even adopted California’s language of “actual knowledge or with conscious avoidance of actual knowledge.”[87]

    H.  Arizona

Arizona’s statute mirrors Washington’s statute.  Arizona has the same damage provision with the three-times multiplier for defendants with a pattern and practice.[88]  It also has the same problem of limiting suits to businesses and the attorney general.  Individuals should be given the same rights to sue as businesses for similar violations of the statute.

    I.  New Hampshire

New Hampshire’s anti-spyware statute is also a hybrid approach of Texas and California.  However, New Hampshire’s punishment of violators makes the statute unique.  It is a class A misdemeanor to violate RSA 359-H:2.[89]  This light punishment will likely not reduce the rates of spyware infection in New Hampshire.

    J.  Arkansas

Arkansas punishes violators of its Consumer Protection Against Spyware Act under the Deceptive Trade Practices Act.[90]  Violators may be found guilty of a class A misdemeanor.  Unlike New Hampshire, however, Arkansas does not stop there.  Violators may be forced to pay for the damages they caused and can be enjoined from engaging in a deceptive practice again.  While Arkansas’s punishment would create more of an incentive to comply with the law than New Hampshire’s punishment, a heavier fine similar to ones used by other states could work more effectively.  The statute also provides that money from fines will be used to fund a website to educate consumers about spyware.[91]

    K.  Georgia

The Georgia Computer Security Act of 2005 provides the heaviest penalties of all California approach states.[92]  A violation of Georgia’s Act is a felony with a prison sentence between one and ten years or a fine of up to three million dollars.  In addition, the attorney general can ask for fines of one hundred dollars per violation and up to a one hundred thousand dollar fine for violators with a pattern and practice. This Act’s high fines may actually cause spyware distributors to think twice before installing programs on Georgia computers.

VI. USING OTHER AREAS OF LAW TO SUE

Without having an adequate statute to sue under, victims have had to be creative with their lawsuits.  One such case is Gosbee v. Martinson.[93]  In Gosbee, the plaintiff’s computer became infected with spyware.  His computer displayed advertisements for a brand of anti-spyware program.  The advertisements warned him that it was his last chance to get rid of the spyware and caused his CD-ROM drive to open.  The plaintiff’s homepage was also changed to a site advertising the anti-spyware program.

The plaintiff sued the spyware company under the Racketeer Influenced and Corrupt Organizations Act.  The plaintiff’s argument was that the defendant hijacked his computer in order to force him to buy the defendant’s product.  The defendant convinced the trial court to dismiss the case for failure to state a claim because its affiliate, and not the defendant, hijacked the plaintiff’s computer.  The district court reversed and required the trial court to hold a hearing on the plaintiff’s motion to amend his complaint.

Allowing companies to hide behind their affiliates does not benefit public policy.  If the anti-spyware company works with a spyware company in a scheme to get people to purchase its product, the anti-spyware company should be liable too for the spyware company’s actions.  As long as the anti-spyware company knew or should have known that its affiliate was installing its software on people’s computers, there is no reason to hold the anti-spyware company immune from suit.

Other plaintiffs have tried suing under old common law theories such as trespass.  Sotelo v. DirectRevenue is one example of a suit using trespass to personal property.[94]  In Sotelo, the plaintiff received spyware without his consent that displayed advertisements in response to websites he visited.  The spyware protected itself from people uninstalling it by changing its file name often so that it could not be found easily.  If a user did manage to remove the spyware, it would reinstall itself.  If consumers found the user licensing agreement of the software, they would spot a link to remove the program.  However, the link did not lead to an actual webpage.

The spyware had three separate ways to install itself on users’ computers.  First, the spyware was attached to many free software programs that are frequently downloaded.  If the program the spyware came with was uninstalled, the spyware would “unbundle” and remain on the computer.[95]  Second, some users received a pop-up window that referred to the program as “the software” without any description, and users were given the choice to install or decline.[96]  Last, other users received a pop-up window asking them to agree to a consumer policy agreement.

Intent is a required element of trespass to property.  The defendant claimed its subsidiary performed the unlawful activities, and it did not know if spyware was illegally placed on the plaintiff’s computer.  Therefore, it did not have the intent to trespass.  The court decided that intent is satisfied by the knowledge that intermeddling with the chattel is likely to occur and “it is not necessary that the actor should know or have reason to know that such intermeddling” violates the property rights of another.[97]

The spyware company also tried to defend itself from the trespass to property claim by arguing that conversion is the modern theory for trespass to property.  Under conversion, the spyware company would win since the plaintiff would be required to demand his property back and have that demand denied.  In this case, the plaintiff never made such a demand.  The court agreed with the plaintiff that conversion and trespass to property are two different claims in this case because the defendant never had the plaintiff’s property.  Instead the plaintiff claimed his property was “interfered with.”[98]

To establish that a trespass to personal property occurred, interference and damage must be proven.[99]  The plaintiff in Sotelo established these elements by showing that the spyware overburdened his computer’s resources and diminished its function.  As a result, the court denied the defendant’s motion to dismiss on the trespass claim.

Besides trespass to personal property, the plaintiff also sued for unjust enrichment, negligence, consumer fraud, and computer tampering.  The court dismissed his unjust enrichment claim because the plaintiff did not have a claim to the advertising fees from the advertisements displayed on his computer.[100]  The court denied motions to dismiss the other charges.

If Illinois had an anti-spyware statute, Sotelo would have had a much easier time bringing a case against the spyware company.  His litigation expenses probably would have been much lower too.  His lawyer would have been able to write the petition and make arguments under a new statute tailored to the issue more quickly than by trying to force old laws to deal with new technologies.

VII. CONCLUDING WITH A MULTIFACETED APPROACH

It will take a multifaceted approach to combat spyware.  Consumer education is just one of these facets and certainly should not be expected to hold its own against spyware distributors.  It will take injunctions and legislation with heavy fines and stiff criminal penalties to diminish the un-consented installation of software by spyware companies.  New legislation is needed because the old common law theories are not flexible enough to deal with the changes in technology.

VIII. PROPOSED STATUTE

Statutes should avoid using undefined or problematic phrases such as “intentionally deceptive” and “protected computer” that make it harder for a plaintiff to get to court or confuse the general public.  Statutes should strive to use plain English that anyone can understand.  An example of such a statute is:

I. It is unlawful for a person or any organization to:

a. Change any setting on a computer through the use of the internet without permission from the computer owner, including but not limited to security levels, homepages, and bookmarks.

b. Install a program on a computer through the use of the internet without clear consent from the computer owner.

    i. The computer’s owner must have clearly consented to the installation of any such program.

        1. Clear consent requires a reasonably adequate notice of what the program does.

        2. The notice must have the default option set to no installation.

        3. The notice must tell the user what settings the program will affect if installed.

        4. The notice must include reasonably clear instructions on how to uninstall the program.

        5. If the program collects any information about the user, the notice must tell what information it collects, why it collects it, and who receives the information.

        6. The notice must specify the file size of the program.

        7. If the program displays advertisements, the notice must specify the frequency the advertisements will be displayed.

            a. Any such advertisements may not take up more than half of the room on an average computer screen.

            b. Advertisements must be able to be closed by clicking the close button on the top right hand side of the frame.

            c. No more than two advertisements may appear at once on the computer screen.

            d. There must be an option in the program that a typical computer user can find with reasonable ease to turn off the advertisements.

        8. The notice must specify if the program automatically updates itself by downloading new data from the provider.

    ii. A computer owner can revoke consent at any time.

        1. After installation is complete, a text file with reasonably clear instructions on how to remove the program must be placed on the computer user’s desktop.

        2. The program must appear on the add/remove programs menu.

        3. The program may not change its file name after installation.

        4. The program may not reinstall itself after a computer user uninstalls it.

        5. The program must be reasonably easily disabled by an average computer user.

        6. The text file containing instructions on how to uninstall must also appear in the program’s file.

        7. The text file must also contain a 1-800 number for users to call if they have trouble uninstalling the program.

        8. A program must remove all of its components when it is uninstalled.

 

A statute needs strong penalties to convince people to follow it.  The combination of civil penalties and criminal sanctions could convince the largest number of people to obey the law.  Some individuals may fear fines more than imprisonment and vice versa.

II. Penalties for violating this section are:

a. For the first offense, $1,000 per violation will be fined in addition to the payment of compensatory damages to the victims.

b. For the second offense, $10,000 per violation will be fined in addition to the payment of compensatory damages to the victims.  The defendant’s website will have a temporary injunction on it for one year.

c. For the third offense, $100,000 per violation will be fined in addition to the payment of compensatory damages to the victims.  In addition, a minimum of one year to a maximum of five years shall be spent in prison.  The defendant’s website will have a permanent injunction on it and the injunction shall follow any subsequent websites the defendant either makes or participates in for the next ten years.

 

Giving the right to sue to a diverse group of people could make a law the most efficient.  Most individuals will only sue when it is profitable or in their best interests.  On the other side, law enforcement cannot efficiently pursue every violator.  Instead, usually the worst offenders are prosecuted.  By giving average affected citizens standing along with government employees, compliance with the law can be maximized through prosecution of all levels of violation.

III.  The following individuals and organizations may bring a suit under this section:

a. The state attorney general.

b. An affected website owner.

c. An affected trademark owner.

d. An affected computer user.

e. Any other affected groups within the court’s discretion.

 



[1] Mark Rosch & Jeffery Allen, Geek-Speak for the Rest of Us, 23 NO. 1 GPSolo 12, (2006).

[2] Wikipedia, Spyware, at  http://en.wikipedia.org/wiki/Spyware

[3] Earthlink Spy Audit, (2005), at http://www.earthlink.net/spyaudit/press/.

[4] Id.

[5] “Productivity is decreased because hours are wasted attempting to remove Spyware from computers, closing recurring and frequent advertisements, and waiting for slowed machines.  Users are forced to keep their slowed computers running longer, which uses more electricity, decreases the useful life of a computer, and forces the user to incur increased Internet access charges.” Sotelo v. DirectRevenue, 384 F.Supp.2d 1219, 1224, (N.D.Ill. 2005).

[6] Wikipedia, Spyware, at  http://en.wikipedia.org/wiki/Spyware

[7] Wikipedia, Spyware, at  http://en.wikipedia.org/wiki/Spyware

[8]   Whatis.com, Drive-by Download, at http://whatis.techtarget.com/definition/0,,sid9_gci887624,00.html

[9] Javad Heydary, US Getting Serious on Spyware Laws, (2004), at http://www.ecommercetimes.com/story/37297.html.

[10] Computer Fraud and Abuse Act 18 U.S.C.A. § 1030 (2002).

[11] Wikipedia, Computer Fraud and Abuse Act, at  http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#Criminal_Offenses_Under_The_Computer_Fraud_and_Abuse_Act.

[12] Computer Fraud and Abuse Act 18 U.S.C.A. § 1030.

[13] Computer Fraud and Abuse Act 18 U.S.C.A. § 1030(g).

[14] Chance v. Ave. A, Inc., 165 F. Supp. 2d 1153, (W.D.Wash., 2001), http://www.phillipsnizer.com/library/cases/lib_case122.cfm.

[15] Computer Fraud and Abuse Act 18 U.S.C.A. § 1030(a)(5)(A)(ii).

[16] Computer Fraud and Abuse Act 18 U.S.C.A. § 1030(e)(2)(A).

[17] Computer Fraud and Abuse Act 18 U.S.C.A. § 1030(a)(5)(iii)(B)(i).

[18] Thurmond v. Compaq Computer Corp., 171 F. Supp. 2d 667, 681 (E.D. Texas, 2001).

[19] Id.

[20] Electronic Communications Privacy Act, 18 U.S.C.A. § 2511(1)(a) (2002) at http://floridalawfirm.com/privacy.html.

[21] See Wikipedia, Keystroke Logging, at http://en.wikipedia.org/wiki/Keyloggers.

[22] Federal Trade Commission Act 15 U.S.C.A. § 45, at http://www.fda.gov/opacom/laws/ftca.htm.

[23] Federal Trade Commission Staff Report, Spyware Workshop, Monitoring Software on Your PC: Spyware, Adware, and Other Software, at 20, (2005), at http://www.ftc.gov/os/2005/03/050307spywarerpt.pdf.

[24] FTC v Seismic, 2004 WL 2403124, (New Hampshire District Court, 2004). 

[25] FTC Cracks Down on Spyware Operation, (2004), at http://www.ftc.gov/opa/2004/10/spyware.htm.

[26] Federal Trade Commission Act 15 U.S.C.A. § 45, at http://www.fda.gov/opacom/laws/ftca.htm.

[27] FTC v Seismic, 2004 WL 2403124, 2 (New Hampshire District Court, 2004). 

[28] Id.

[29] Brown Raysman, Court In FTC Enforcement Against Spyware Distributor Action Has Jurisdiction Despite Defendant's Claim That He Is No Longer In Business, (2005) at http://brownraysman.typepad.com/technology_law_update/spyware/index.html.

[30] Id.

[31] FTC v Seismic, 2004 WL 2403124, 4 (D.N.H. 2004). 

[32] FTC Shuts Down Spyware Operation, (2005) at http://www.ftc.gov/opa/2005/11/enternet.htm.

[33] Id.

[34] FTC v. Enternet Media, No. 05-7777 CAS, 7 (CD Cal. filed Nov. 1, 2005), at http://www.ftc.gov/os/caselist/0523135/051110comp0523135.pdf.

[35] FTC Shuts Down Spyware Operation, 23 NO. 1 Computer & Internet Law. 25, 25 (2006).

[36] Id.

[37] Id.

[38] Wikipedia, Federal Trade Commission, (2006), at http://en.wikipedia.org/wiki/Federal_Trade_Commission.

[39] Britt Anderson, What Exactly Constitutes Spyware? (2006) at http://www.law.com/jsp/ltn/pubArticleLTN.jsp?id=1141047299486.

[40] John Leyden, No Need for Anti-Spyware Laws-FTC, (2004), at http://www.theregister.co.uk/2004/04/21/ftc_spyware_workshop/.

[41] Dave McGuire, ‘Spyware’ Eludes Easy Answers, (2004), at http://www.washingtonpost.com/wp-dyn/articles/A25231-2004Apr19.html.

[42] Federal Trade Commission Staff Report, Spyware Workshop, Monitoring Software on Your PC: Spyware, Adware, and Other Software, at 22, (2005), at http://www.ftc.gov/os/2005/03/050307spywarerpt.pdf

[43] H.R. 2929, 108th Cong. (2004).

[44] Jason Tuohey, Spyware Bill Passes House, (2004) at http://www.pcworld.com/news/article/0,aid,118069,00.asp.

[45] H.R. 2929, 108th Cong. § 2 (2004).

[46] Grant Gross, Bill Banning Spyware Makes Progress, (2004), at http://www.pcworld.com/news/article/0,aid,116553,00.asp.

[47] Federal Trade Commission Staff Report, Spyware Workshop, Monitoring Software on Your PC: Spyware, Adware, and Other Software, at 22, (2005), at http://www.ftc.gov/os/2005/03/050307spywarerpt.pdf.

[48] Roy Mark, House Cuts Cookies from SPY ACT, (2005), at http://www.internetnews.com/xSP/article.php/3483741.

[49] Grant Gross, Bill Banning Spyware Makes Progress, (2004), at http://www.pcworld.com/news/article/0,aid,116553,00.asp.

[50] Id.

[51] Id.

[52] Roy Mark, House Cuts Cookies from SPY ACT, (2005), at http://www.internetnews.com/xSP/article.php/3483741

[53] Third party cookies are used by advertisers.  See id.

[54] H.R. 2929, 108th Cong. § 3 (2004).

[55] H.R. 2929, 108th Cong. § 2 (2004).

[56] Federal Trade Commission Staff Report, Spyware Workshop, Monitoring Software on Your PC: Spyware, Adware, and Other Software, at 22, (2005), at http://www.ftc.gov/os/2005/03/050307spywarerpt.pdf.

[57] H.R. 744, 108th Cong. (2004).

[58] Britt Anderson, What Exactly Constitutes Spyware? (2006) at http://www.law.com/jsp/ltn/pubArticleLTN.jsp?id=1141047299486.

[59] Roy Mark, House Approves Anti-Spyware Bills, (2005), at http://www.internetnews.com/bus-news/article.php/3507211.

[60] H.R. 744, 108th Cong. § 2 (2004).

[61] Britt Anderson, What Exactly Constitutes Spyware? (2006) at http://www.law.com/jsp/ltn/pubArticleLTN.jsp?id=1141047299486.

[62] S.2145, 109th Cong. § 2 (2005).

[63] Id.

[64] Britt Anderson, What Exactly Constitutes Spyware? (2006) at http://www.law.com/jsp/ltn/pubArticleLTN.jsp?id=1141047299486.

[65] Roy Mark, A Senate Shot at Anti-Spyware, (2005) at http://www.internetnews.com/bus-news/article.php/3565481

[66] Jordan Blanke, “Robust Notice” and “Informed Consent:” The Keys to Successful Spyware Legislation, 7 Colum. Sci. & Tech. L. Rev. 2, (2006).

[67] Spyware Control Act, U.C.A. 1953 § 13-40-201, (2004). 

[68] Spyware Control Act, U.C.A. 1953 § 13-40-301, (2004). 

[69] Id.

[70] H.B. 13-39-201, Spyware Regulation, (2004), at http://www.le.state.ut.us/~2004/bills/hbillenr/hb0323.htm.

[71] H.B. 13-39-301, Spyware Regulation, (2004), at http://www.le.state.ut.us/~2004/bills/hbillenr/hb0323.htm.

[72] Deceptive Acts or Practices Relating to Spyware, ALASKA STAT. § 45.45.792, (2005).

[73] Id.

[74] Consumer Protection Against Computer Spyware Act, CAL. BUS. & PROF. D. 8, Code § 22947, (2005).

[75] Id.

[76] Consumer Protection Against Computer Spyware Act, CAL. BUS. & PROF. D. 8, Code § 22947.1, (2005).

[77] Britt Anderson, What Exactly Constitutes Spyware? (2006) at http://www.law.com/jsp/ltn/pubArticleLTN.jsp?id=1141047299486.

[78] Consumer Protection and Computer Spyware Act, Tex. Bus. & Com. Code §48.001, (2005).

[79] Consumer Protection and Computer Spyware Act, Tex. Bus. & Com. Code §48.053, (2005).

[80] Consumer Protection Against Computer Spyware Act, CAL. BUS. & PROF. D. 8, Code § 22947.2, (2005).

[81] Consumer Protection and Computer Spyware Act, Tex. Bus. & Com. Code §48.101, (2005).

[82] Consumer Protection and Computer Spyware Act, Tex. Bus. & Com. Code §48.102, (2005).

[83] Consumer Spyware Protection Act, IOWA CODE ANN. § 714F.4, (2005).

[84] IC 24-4.8-2, (2005).

[85] WASH. REV. CODE ANN. § 19.270.020, (2006).

[86] WASH. REV. CODE ANN. § 19.270.060, (2006).

[87] WASH. REV. CODE ANN. § 19.270.020, (2006).

[88] ARIZ. REV. STAT. § 44-7302, (2005).

[89] N.H. REV. STAT. ANN. § 359-H:2, (2005).

[90] Consumer Protection Against Spyware Act, ARK. CODE ANN. § 4-111-101, (2006).

[91] Consumer Protection Against Spyware Act, ARK. CODE ANN. § 4-111-105, (2006).

[92] Georgia Computer Security Act of 2005, GA. CODE ANN. § 16-9-152, (2005).

[93] Gosbee v. Martinson, 701 N.W.2d 411, (N.D.App. 2005).

[94] Sotelo v. DirectRevenue, 384 F.Supp.2d 1219, (N.D.Ill. 2005).

[95] Sotelo v. DirectRevenue, 384 F.Supp.2d 1219, 1224, (N.D.Ill. 2005).

[96] Id.

[97] Sotelo v. DirectRevenue, 384 F.Supp.2d 1219, 1232, (N.D.Ill. 2005).

[98] Sotelo v. DirectRevenue, 384 F.Supp.2d 1219, 1229, (N.D.Ill. 2005).

[99] Sotelo v. DirectRevenue, 384 F.Supp.2d 1219, 1230, (N.D.Ill. 2005).

[100] Sotelo v. DirectRevenue, 384 F.Supp.2d 1219, 1234, (N.D.Ill. 2005).