Law in the Internet Society

AndrewGradmanPaper2Appendix_DraftSpywarePage 1 - 20 Dec 2008 - Main.AndrewGradman
[I do NOT intend you to read this entire text in conjunction with my second paper. I uploaded it so that I could hyperlink from summaries in my paper to "anchors" in the document.]


I. Introduction

Spyware is a serious and growing problem. A Pew Internet & American Life Study (pdf) reports [...removed...]

Who Uses Spyware?

Unlike viruses, which often harm users without benefiting a third party, spyware and adware tend to exploit users’ browsing habits or personal information for private gain. Some spyware vendors employ patently illegitimate business models (e.g. identity thieves); others’ business models are illegitimate, but for reasons that are hard to define (e.g. adware vendors, who provide a “service” to users in the form of annoying pop-up ads); and some spyware is produced by widely respected, “mainstream” companies (e.g. Google, whose subsidiary DoubleClick tracks browsing habits by means of third-party cookies). And the private gains from spyware are not limited to profit (e.g. stalker spyware, which is marketed to permit illegal personal tracking).

What the above examples have in common, regardless of the technology or techniques employed, is an illegitimate gain from a user’s personal information or computer resources.

II. Difficulties With Defining Spyware

Observers still have difficulty agreeing upon the precise boundary between “legitimate” advertising and spyware. Many software developers do rely on bundling their free software with advertisements to support their work, and certain programs that transmit sensitive information over the Internet to company servers are widely viewed as “legitimate.” While a laundry-list of specific past examples of spyware would have the advantage of drawing a firm line between fair and unfair practices, creative spyware designers can easily develop new technologies that circumvent these lists. And as interest groups compete to include or exclude specific practices under “spyware,” they risk diluting the term until it means nothing more than “computer practices that should be stopped.” On the other hand, forward-looking definitions, which rightly draw the line at infringements of “privacy” or “informed consent,” in turn provide little guidance as to which future business practices will be judged as crossing that line.

The current regime of private and government anti-spyware enforcement gives imperfect guidance to internet enterprises. But this ambiguity is unavoidable in the fast-changing online world.

1. What constitutes “knowledge and consent”?

For example, it is easy to agree that software should be considered “spyware” only if it operates without the user’s knowledge and consent. The Federal Trade Commission has testified that “buried disclosures of material information necessary to correct an otherwise misleading impression” are inadequate to establish consent. However, that definition begs the question of how and when consumers need to be told about software installed on their computers for consent to be adequate.

The difficulty of defining what intrusions are legitimate is also apparent in the Anti-Spyware Coalition’s (ASC) attempts to create a single definition of spyware for all its members. The ASC, which sets standards for anti-spyware vendors, models spyware as a balance between “risk” factors and mitigating “consent” factors. But it then concedes that “ultimately, the decision on what rating to give and what risk model to use falls to the individual Anti-Spyware vendor.” Elsewhere, the ASC more broadly defines (pdf) spyware as “technologies deployed without appropriate user consent and/or implemented in ways that impair user control over (1) material changes that affect their user experience, privacy or system security; (2) use of their system resources, including what programs are installed on their computers; and/or (3) collection, use, and distribution of their personal or other sensitive information.” However, the ASC’s definitions are intentionally vague precisely where it matters: by not defining “consent” and “risk”, it leaves it to the various anti-spyware companies to decide whether targeted advertising benefits consumers, or what constitutes sufficient consent in a EULA.

According to the ASC, this ambiguity cannot be removed. With proper “notice, consent, and control,” the same technologies that have been used to harm or annoy computer users can provide important benefits: “Tracking can be used for personalization, advertisement display can subsidize the cost of a product or service, monitoring tools can help parents keep their children safe online, and remote control features can allow support professionals to remotely diagnose problems.”

2. What constitutes “harm”?

Some would treat software that “trespasses” on a computer as spyware because they consider trespass to be per se harmful, even if the software is otherwise benign or beneficial. Others focus on “nuisance” software, such as software that provides pop-up ads. But arguably the greatest hazard is data-gathering software that does not rise to a nuisance and is undetectable, because it does not alert a user to remove it from his computer.

Other externalities are not felt by the user. An innocent user’s hard drive may unknowingly be used to generate “zombies,” or automated spam emails. ISPs or computer makers often bear the blame for harms caused by spyware. And spyware may also defraud legitimate online advertisers, for example by automatically activating pay-per-click advertisements.

3. Is “spyware” limited to “spying”?

Such a definition would overlook software that otherwise creates hazards or nuisances interfering with users’ enjoyment of their computers. By contrast, the Federal Trade Commission’s “guiding principles” defining “unfair and deceptive” software practices focus on lack of consent rather than on spying. They establish that Internet businesses are “not free to help themselves” to a consumer’s computer resources.

4. Is “spyware” limited to “software”?

Information collection online is not performed solely with spyware programs executed on users’ computers. Third-party and opt-out cookies present growing threats. The proliferation of mobile devices means a potential new place for spyware to act. Internet service providers are beginning to deploy their own adware and profiling services in ways which users will find difficult, if not impossible, to detect. Important user information is leaving the desktop and instead residing on online social networking profiles. This information includes sensitive personal information such as contact information, one's social and business relationships, political interests, sexual orientation, as well as the contents of communications. Further, online social networking sites are increasing their own information collection practices.

Conclusion: A Working Definition of Spyware

The FTC’s spyware enforcement principles give perhaps the most flexible definition of spyware. These three principles, which the FTC restated in its June 2008 Senate testimony (pdf), are roughly as follows:

1. A consumer’s computer belongs to him or her; Internet businesses are not free to help themselves to the resources of a consumer’s computer.

2. Buried disclosures do not work.

3. If a distributor puts a program on a consumer’s computer that the consumer does not want, the consumer should be able to uninstall or disable it.

III. Examples of Spyware

Although the cutting edge of online abuses is constantly evolving, several activities have been notably harmful.

[… section removed …]

-- AndrewGradman - 20 Dec 2008


Revision 1r1 - 20 Dec 2008 - 21:41:11 - AndrewGradman
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.