SPYWARE: Living in a Cyber-Fishbowl
by Polly Samuels McLean and Michelle M. Young
One of the most potent and pervasive types of cybercrime is commonly known as spyware. Spyware, a general term used for software that performs certain behaviors such as advertising, collecting and transmitting personal information, or changing a computer's configuration without the owner's knowledge or permission, invades consumers' privacy, inundates users with pop-up windows, slows computers down, and causes computers to crash.
The term "spyware" is often used as an umbrella term encompassing a number of annoying and malignant programs. There are actually several discrete types of spyware, including adware (programs that install and initiate "pop-up" advertising), malware (programs such as viruses or worms that are specifically designed to disrupt computer operation), keylogging programs (programs that track computer users' keystrokes, sometimes known as "snoopware") and page hijackers (programs that take over a computer's internet browser, rerouting users to different home pages or Internet sites).
Adware
Adware, also known as "pestware" or "adbots," is usually more annoying than malicious. Composed of relatively benign programs that track consumers' Internet surfing and spending habits, adware causes advertisements to appear (or "pop-up") when a user visits specific Web sites or when he or she searches for a specific site or product. Although adware programs are frequently referred to as "spyware" and many people use the terms interchangeably, spyware and adware are quite different in both purpose and use. Adware is intended to be benign and it is primarily used to market online goods and services. Spyware, on the other hand, is frequently malicious and may be used to fraudulently obtain users' bank account information, passwords, and other confidential information. This confusion regarding spyware and adware may lead some consumers and legislators to underestimate the threat presented by actual spyware, believing that the worst of it is simply annoying.
Despite its relatively benign function and purpose, adware is widely disliked. Online merchants don't like it because it attempts to redirect users to a competitor's Web site or product; consumers find pop-up advertisements annoying because they block the user's computer screen and disrupt online work - users must stop working and close the ad before they can continue. Adware is also disruptive because it causes computers and Internet connections to slow down, and, if a user inadvertently clicks on a pop-up advertisement, may expose users to computer viruses and other forms of malware. Thus, although the intent of the adware programmer is not malicious, the adware itself causes problems and exposes consumers to other more malicious forms of programming.
Adware usually installs itself through the use of misleading dialogue boxes or other methods of stealth installation and is frequently bundled with free product downloads, such as peer-to-peer movie/music swapping programs or free screen saver programs. Adware manufacturers insist that they disclose the existence of the adware in the end user licensing agreements ("EULAs") and that consumers agree to the adware download when they click the "I accept" button required by the EULA before the download begins. But despite such "disclosure," most users are unaware that they have installed an adware application on their computers. And once downloaded, adware programs are difficult (if not impossible) to uninstall and removal of the adware may render the rest of the bundled software inoperable.
Because adware is so pervasive, obvious and disruptive, it has spurred the biggest consumer backlash against computer programming to date - generating multiple versions of anti-spyware[1] legislation on both state and federal levels. Federal legislation intended to regulate adware, H.R. 4661, passed the House in October of 2004 but stalled in the Senate, due to concerns over the impact the legislation might have on legitimate businesses. Opponents of the legislation believe that the legislation would restrict the legitimate uses of responsive pop-up and information gathering technology. For example, the use of "cookies," programs that gather data allowing a user to return to a Web site and have the site "recognize" him or her (sometimes including forms pre-filled with that specific user's information), by legitimate businesses could be impeded by anti-spyware legislation. Anti-spyware legislation originating in the Senate also remains pending.
On the state level, Utah passed the nation's first anti-spyware/adware legislation in 2004 under Utah Code §13-40-101 et seq. Utah's 2004 Spyware Control Act (the "Act") initially required software to obtain a user's express consent (separate from any disclosure contained within the EULA) before any computer program was installed on a machine. The 2004 Act also required software manufacturers to provide a means for disabling and removing the software. However, opponents of the legislation argued that the law regulated interstate commerce - an area constitutionally reserved for federal action alone. As a result, the Utah Act was stayed in June of 2004 pending judicial review.
In an attempt to remedy the constitutional issues, the Utah legislature amended the Anti-Spyware Control Act in 2005. The 2005 Act, which now focuses more on trademark/copyright infringement issues, applies only to adware downloads to computers physically present in the state and owned by Utah residents. Utah legislators hope that this restricted application of the law will circumvent any potential Commerce Clause issues. Since Utah first initiated such protective legislation, nine states have enacted some type of spyware legislation and another 28 states are currently considering it.
Moreover, some Web site owners have pursued civil suits claiming that pop-up advertisements block the content of the Web site and, in effect, violate the copyright or trademark rights of the owner. Although courts have generally been sympathetic, they have routinely ruled against site owners, finding that, because computer users have, ostensibly, voluntarily downloaded the adware programs, there was no violation of trademark law. For example, in U-Haul Int'l v. WhenU.Com, Inc., 279 F.Supp. 2d 723, 723 (E.D. Va. 2003), the United States District Court for the Eastern District of Virginia held that WhenU, an Internet advertising company, had not violated trademarks by having its software display pop-up advertisements in front of U-Haul's Web site, even though the pop-ups blocked the view of visitors to the U-Haul site. The court plaintively opined:
Computer users, like this trial judge, may wonder what we have done to warrant the punishment of seizure of our computer screens by pop-up advertisements for secret web cameras, insurance, travel values, and fad diets. Did we unwittingly sign up for incessant advertisements that require us to click, click, and click again in order to return to our Internet work? The Court, in this opinion, attempts to answer this question; we have invited these pop-up advertisements by downloading free screen savers and other free software from the Internet.
Id. Ultimately, the court found the supposed voluntary nature of the download (i.e., computer users voluntarily and affirmatively downloaded the adware) to be dispositive.
In cases where the adware program downloads without any type of notice to the user - often as a result of the user visiting an infected site or opening an infected email - the newly established trespass against chattels standard set forth by the California Supreme Court in Intel Corp. v. Hamidi, 30 Cal. 4th 1342; 71 P.3d 296 (Cal. 2003), may provide grounds for a tort action against pop-up advertisers. In Intel Corp., the California Supreme Court applied California's "trespass to chattels" doctrine to unsolicited email advertisements (commonly known as "spam"). Although the court concluded that the spam complained of by Intel did not constitute trespass to chattels because it did not interfere with Intel's use or possession of its computer system, the court also indicated that interference with the functioning of the computer system would constitute trespass to chattels. Given this broadened application of the trespass to chattels doctrine, a plausible trespass to chattels claim may be made against producers of both adware and spyware as the programs cause "momentary dispossession" by interfering with the computer user's work and by slowing the computer down. Thus, trespass to chattels may provide a means for a viable civil cause of action against adware vendors who distribute programs that automatically or covertly install on a user's computer.
However, the trespass to chattels doctrine would be inapposite to affirmative downloads agreed to by computer users. And as long as adware vendors continue to bury disclosure in EULAs and as long as consumers agree to EULAs (either with or without reading them thoroughly), it is unlikely that courts will rule against adware in and of itself. It is more likely that legislation - like that recently passed in Utah - will be necessary to require more overt disclosure by vendors and more affirmative acceptance of the agreement by users.
Spyware
Actual spyware, as opposed to the relatively benign adware, is software used to covertly monitor actual computer activity - including Web sites visited, passwords, and other confidential information. In addition to monitoring users' online activities, spyware can also monitor offline computer activity. A spyware program gathers confidential information (such as bank account information, credit card numbers, social security numbers, etc.) and then transmits the information to criminals who either use the information to steal funds and identities or who sell the information to other criminals.
Spyware/adware programs have spread rapidly. One recent study found that more than 85% of all computers (both personal and corporate) scanned for spyware/adware were infected, see Webroot Report: Spyware Industry Worth Billions, CoolLawyer, Inc., at http://www.coollawyer.com/webfront/lawnews.php (June 2005), yet the vast majority of consumers were unaware that their computers had been compromised. Although users may have noticed the appreciable slowing of the computer, the increase in pop-up advertisements, and/or the increased incidents of computer freezes (or crashes), many simply blamed the Internet service provider, the legitimate software installed on the computer, or the computer hardware manufacturer itself.
The costs of spyware, coupled with the misplaced consumer blame, extend into the general economy as well. For example, service calls to Internet service providers as a result of spyware/adware-based pop-up advertisements reduce an ISP's corporate profit margins, and computer software and hardware companies fear that decreased performance as a result of spyware/adware negatively impacts their brands. The companies have found that consumers often mistakenly blame the computer hardware itself for spyware-created problems. Additionally, corporations worldwide are impacted by reduced productivity caused by sluggish computers and by the time required to repeatedly purge company computers of unwanted programs. Finally, companies marketing spyware programs have been known to sue anti-spyware programmers to force them to exclude their products from anti-spyware programs. See, e.g., New.Net.Inc. v. Lavasoft, 356 F. Supp. 2d 1071 (C.D. Ca. 2003). Although the spyware companies have yet to win a suit, the litigation costs the anti-spyware vendors both time and money and may further discourage companies from developing and producing anti-spyware programs.
Many consumers, legislators, and government agencies believe that spyware legislation is not the answer. Agencies like the Federal Trade Commission (FTC) believe that the real problem is with finding and catching the scammers, not with prosecuting them once caught. As support for its position, the FTC points to the recent CAN-SPAM Act of 2003, which has been largely ineffective[2] because officials cannot locate the spammers before the spammers change locations or products. This is due in large part to the fact that spammers often hide their identities and investigations may take months. The President's Working Group on Unlawful Conduct on the Internet agrees. The group issued a report in March of 2000 in which it indicated that legislation is needed to enable law enforcement agencies to more effectively police Internet crimes in "real time." See The Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet, United States Dept. of Justice, at http://www.usdoj.gov/criminal/cybercrime/unlawful.htm (Mar. 2000) (hereafter "The Electronic Frontier"). Other opponents include the IT industry (which favors a more forgiving "opt out" law rather than the proposed "opt in" or express consent bills), and, not surprisingly, adware manufacturers such as 180Solutions, WhenU, and Claria (each of whom has contributed more than $100,000 to anti-regulation lobbying efforts). The Internet Alliance, a trade organization made up of merchants such as eBay, America Online, and Microsoft, has also opposed anti-spyware legislation, concerned that any enacted legislation would infringe upon legitimate activities by bona fide Internet e-commerce sites.
These concerns are not without merit. One of the biggest challenges with anti-spyware legislation is its broad scope. Although it would be most effective to define a species of computer program as malignant spyware and nothing else, in reality the only difference between the technically similar spyware and "supportware" (programs which provide beneficial programs such as pop-up reminders, program update utilities, and Internet browser security features) is the intent of the programmer. Given the broad application of most anti-spyware legislation, it is virtually inevitable that some of the "good guys" will get swept up with the "bad." Because of the inevitability of such over-inclusiveness (or, in the alternative, under-inclusiveness), some lawmakers are considering "bad acts" legislation that focuses on specific prohibited behavior.
"Bad acts" legislation, though, may be substantially - and unnecessarily - duplicative. As the FTC noted, most criminal statutes do not distinguish between crimes committed over the Internet and those committed through other media.
For example, laws governing fraud - such as credit card fraud, identity theft, securities fraud, gambling, and unfair and deceptive trade acts or practices - apply with equal force to both online as well as offline conduct. To the extent these existing laws adequately address unlawful conduct in the offline world, they should, for the most part, adequately cover unlawful conduct on the Internet.
The Electronic Frontier. However, some legislation has been determined to be inapplicable because it applies only to "unauthorized" software downloads and spyware/adware vendors have continued to circumvent these laws by burying "authorization" language in long-winded EULAs.
Despite the flurry of legislative, judicial, and political activity, no solution to the spyware/adware problem is likely any time soon.
1. Despite being motivated by and specifically addressed to eliminating adware, most anti-adware legislation is known by the broader term "anti-spyware" legislation. There are some exceptions, however. See, e.g., legislation recently passed in Arizona, Virginia, and Washington directed specifically at actual spyware. 2005 State Legislation http://www.ncsl.org/programs/lis/spyware05.htm (last updated Aug. 9, 2005).
2. In January of 2005, one year after the CAN-SPAM Act of 2003 took effect, industry experts indicated that a mere 7% of all e-mails surveyed complied with the law - spam levels continue to rise despite the legislation. Gregg Keizer, CAN-SPAM Can't Slam Spam, Information Week, at http://www.informationweek.com/shared/printableArtcileSrc/jhtml?articleID=56900503, (Jan. 4, 2005).