
ABA Section of Business Law


 

Volume 14, Number 2 - November/December 2004

Just a tad intrusive?
Spyware and the Internet
By Brad Slutsky and Sheila Baran

Someone may be watching you.

While you are logged on to the Internet, software known as spyware may be tracking the Web sites you visit and collecting personal information about you. Even more alarming, there may be more than one set of eyes watching you. Many computers have a multitude of spyware programs running in the background, often without the knowledge of the computer's user.

In addition to invading your privacy, spyware can cause a whole lot of other problems. The multitude of spyware that can infiltrate a user's computer can limit the processing time, memory and bandwidth available for other programs and can cause one's computer to slow down and in some cases become nearly unusable. According to Consumer Reports, one-third of Net users have been afflicted by spyware.

Often spyware has an additional insidious purpose. Some spyware uses your computer to send spam e-mail on behalf of third parties. Some spyware changes your home page, or the search results you see, behind your back. Software that some people characterize as spyware generates ads that are displayed as users surf the Web or use other programs.

This article discusses the nature of spyware, how you get it, how you get rid of it, and what federal and state governments — and the courts — are doing about it. We then provide pointers for lawyers advising clients affected by spyware, including companies whose Web sites may be affected.

Spyware comes in many forms. One type is known as a "keystroke logger." This type of spyware logs a user's keystrokes to gain access to personal information such as passwords, Social Security numbers, drivers' license numbers, credit card numbers, and other financial or personal data, which could lead to identity theft.

Another type of spyware is the Browser Hijacking Object or "BHO." A BHO takes over one's Internet browser. It can reset one's home page to the vendor's own Web site, or insert toolbars into one's browser that also link the user to the vendor's products or Web site. BHOs can even go so far as to alter the search results that one sees when one conducts searches at popular Web site search engines, such as Google.

The exact boundaries of what constitutes spyware are not well defined. For example, some people categorize "adware" as spyware. Adware is software that tracks the Web sites one visits or the searches one enters into a search engine (sometimes sending this information back to the adware's author) and then generates ads based on the Web sites visited or search terms entered. While there is some disagreement about whether adware should be considered spyware, the legislation that has been enacted in Utah as well as that currently making its way through the U.S. Senate and the House of Representatives each contains broad definitions of spyware that would include adware.

Some forms of spyware can be criminal — hijacking the user's Internet connection for its own use, such as sending spam. In many cases, spyware can be difficult or impossible to uninstall. It may entwine itself with critical system files. Some spyware, if deleted, is set to regenerate the next time you go online.

Spyware makes its way onto computers using several schemes. It can be installed automatically by viewing an unsolicited e-mail message containing a virus or worm. Spyware also can be installed as a result of visiting certain Web sites — a process known as a "drive-by download." This installation can be entirely invisible to the user (such as by taking advantage of security vulnerabilities on the user's computer) or can be initiated through a system prompt that asks the user to install software (also known as an "ActiveX Security Warning").

In the latter case, the prompt that appears often is the same prompt that appears when one downloads Macromedia's Flash or other software that is required to view a Web site. User complaints about misuse of this type of installation procedure caused Microsoft to change the installation process in Windows XP Service Pack 2 to make such installations more difficult.

Spyware also can "piggyback" onto the installation of other unrelated applications. For example, piggybacking is the most common way that adware is installed on a user's computer. This often is the case when users download free programs, such as programs providing weather information or programs that make it easier to swap recorded music.

The author is able to offer the program without charge because they have agreed to bundle the free program with a spyware program that may provide a source of revenue (such as advertising). While some free software will inform the user that adware is included as part of the installation process, frequently this information is buried in lengthy user agreements that are difficult to read.

State and federal legislatures have taken steps in the past year to protect consumers from invasive advertising methods, such as their response to the telemarketing epidemic with "do not call" lists and their response to the spam epidemic with anti-spam legislation. Legislators are trying to take on the task of creating anti-spyware legislation to resolve the ever-growing spyware epidemic.

On March 23, 2004, Utah Gov. Olene Walker signed into law that state's Spyware Control Act — enacting the first anti-spyware legislation. However, the Utah law was enjoined by Judge Joseph C. Fratto Jr. of the Third Judicial District Court in Salt Lake City, on the grounds that it impermissibly burdened interstate commerce.

Following Utah's lead, on Sept. 28, 2004, California Gov. Arnold Schwarzenegger signed into law S.B. 1436, that state's version of anti-spyware legislation. State legislators in Iowa, Maryland, Michigan, New York, Pennsylvania and Virginia also have been considering anti-spyware legislation. In addition, anti-spyware bills have been proposed in both the U.S. Senate and House of Representatives.

The main obstacle to anti-spyware legislation has been the difficulty of adequately defining "spyware" to separate legitimate from illegitimate software. Legitimate software that is similar to spyware comes in several forms.

One such form is the "cookie." A cookie is a file that is downloaded to a user's computer by a Web site to remember the user's preferences each time the user returns to the site. However, cookies also have been used to track users' movements among Web sites without their knowledge.

Another arguably legitimate form of data collection stems from software used by security companies to collect information from users' computers to analyze and prevent virus attacks. Additionally, programs such as error-reporting applications, troubleshooting and maintenance programs, security protocols as well as Internet browsers also may gather information about users.

More controversially, a debate is under way as to whether adware is legitimate software or should be prohibited by legislation. The proponents of adware argue that it is the product of an informed decision by users to have their movements on the Internet tracked, and to receive targeted ads, in exchange for "free" software. Opponents argue that adware is installed by trickery (such as vague or hidden information about what is being installed) and that the ads infringe the rights of the sites when they appear and often are misleading or confusing.

Thus, the federal and state bills have been criticized by some because the bills focus on the definition of spyware. Some commentators argue that instead of attempting to define spyware and outlaw some types of technology, effective anti-spyware legislation should focus on the illegal actions that spyware allows, including the secret collection of consumer data.

At the time this article is being written, the only anti-spyware laws that have been enacted are the statutes in Utah and California. Utah's Spyware Control Act prohibits installing spyware on another person's computer or using a context-based triggering mechanism to display an ad that partially or wholly covers or obscures paid advertising or other content on an Internet Web site.

The act defines spyware as software residing on a computer that:

  • monitors the computer's usage;
  • sends information about the computer's usage to a remote computer or server; or
  • displays or causes to be displayed a noncomplying ad in response to the computer's usage; and
  • does not get the consent of the user at the time of, or after the installation of, the software (and before the software sends information about the computer's usage to a remote computer or displays an ad in response to the computer's usage).

Challenging the constitutionality of Utah's Spyware Control Act, WhenU.com, a spyware/adware provider, moved for a preliminary injunction to enjoin Utah from enforcing the Spyware Control Act. WhenU argues that the Spyware Control Act impermissibly burdens interstate commerce in violation of the dormant commerce clause. In addition, it argues that the act violates WhenU's freedom of expression under the First Amendment and that significant portions of the act are preempted by the federal Copyright Act.

On June 22, 2004, Judge Fratto granted WhenU's motion for a preliminary injunction. The court granted the injunction based in part on the reasoning that compliance with the provisions of the statute may be either technologically impossible or possible but expensive.

Additionally, some vagueness in the statute added an element of uncertainty as to what is required to comply. That uncertainty and the private enforcement provisions exposed WhenU to a "potential plethora of litigation." The court noted that spyware legislation may be different, and even conflicting, from state to state. The ability to accommodate these different and conflicting regulations may not be possible, but if possible it would likely entail some expense. The state of Utah has moved for reconsideration of this ruling.

California's anti-spyware law prohibits those who are not "authorized users" of a computer from causing computer software to be installed that, "through intentionally deceptive means":
  • modifies certain Internet browser settings (such as one's home page, Web proxy, bookmarks or security settings),
  • collects certain personally identifiable information, uses keystroke logging, or collects a list of substantially all the Web sites one visits,
  • interferes with spyware blocking software or with attempts to uninstall spyware, or
  • takes control of a user's computer to send spam, to sign up for pay services, to conduct "distributed denial of service attacks," or to open multiple ads that do not cease unless the browser is closed or the computer is turned off.

Those who get authorization to use a computer through an end-user license agreement (for example, a spyware developer who presents a user with a license agreement) do not qualify as "authorized users." The law contains exceptions for security or diagnostic monitoring performed by Internet service providers. The law authorizes the recipient of spyware to bring an action for actual damages and for liquidated damages of $1,000 per transmission (plus applicable attorneys' fees).

Opponents of the law argue that California's legislation is too weak. They argue that the law bans truly deceptive practices that already are addressed by common law causes of action such as fraud and unfair trade practices. Critics argue that, by banning only certain activities and requiring "intentionally deceptive means," the law does not clearly address more controversial activities, such as adware. The fact that adware provider Claria Corp. has publicly supported the law may lend some credence to this view.

A number of anti-spyware bills have been introduced in the U.S. House and Senate over the past year. Three bills that have gained attention recently are Senate Bill 2145, Software Principles Yielding Better Levels of Consumer Knowledge ("SPY BLOCK"); House Bill 2929, the Securely Protect Yourself Against Cyber Trespass Act ("SPY ACT"); and House Bill 4661, the Internet Spyware (I-SPY) Prevention Act of 2004. Both SPY BLOCK and SPY ACT prohibit the installation of software on computers without proper notice and consent and mandate that software have features for removing it from systems. I-SPY criminalizes the unauthorized loading of spyware onto protected computers (that is, computers used by the U.S. government or a financial institution, or used in interstate commerce), when the spyware helps further a federal criminal offense, impairs the security of the computer, or gathers personal information when there is an intent to defraud, to injure a person or to cause damage to a protected computer.

SPY BLOCK has drawn criticism because of allegations that its definitions of technical terms are too rigid, that its standard for notice is unwieldy, and that its uninstall requirements are unrealistic. SPY BLOCK requires a separate consent for every feature of a program that has spyware characteristics. SPY BLOCK would not preempt state legislation.

The SPY ACT, on the other hand, has avoided some of the criticism of SPY BLOCK. The SPY ACT has added flexibility in defining and enforcing the proposed law. SPY ACT draws a distinction between programs that collect information from users and programs that are "unfair or deceptive." The first set of programs — nondeceptive programs — would be subject to a notice and consent regime. Software providers must give a single notice to the user instead of multiple notices. The second would be banned as "unfair and deceptive" practices.

The SPY ACT provides for fines of up to $3 million for actions that are not authorized by a computer's owner, such as hijacking the browser, changing a browser's default home page, changing security settings of the computer, logging the keystrokes the user makes, and delivering ads that the user cannot close without turning off the computer or closing all sessions of the browser. The bill exempts the process of Internet service providers' scanning for fraudulent activities or diagnosing network problems. In addition, the SPY ACT would pre-empt all state legislation in this area. The SPY ACT moved very quickly through the House and was passed on Oct. 5, 2004.

Moving even more quickly through the House, I-SPY was passed by the House on Oct. 7, 2004. I-SPY carries criminal penalties enforceable by the Department of Justice while the SPY ACT imposes civil penalties enforceable by the FTC. I-SPY also contains only a few narrow prohibitions, while the SPY ACT has a long list of prohibitions relating to deceptive acts or practices and collection of certain information. I-SPY also provides for preemption of conflicting state law.

Despite the potential preemption that would be imposed by the SPY ACT or I-SPY, state legislatures are not waiting for the federal government to place controls on spyware. Recently, Iowa, Maryland, Michigan, New York, Pennsylvania and Virginia legislatures all have been reviewing proposed anti-spyware bills.

The legislation that has been enacted and that is being reviewed by federal and state legislatures primarily focuses on protecting consumers. However, businesses are fighting their own battles with spyware in the courts. Spyware can replace a user's search results or generate ads based on the user visiting a company's Web site or searching for a company's (trademarked) product or service.

For example, if a user is searching a specific airline Web site for travel dates, some adware might detect that and pop up ads for travel on a competing airline. If the user clicks on the competing airline's ad, the user may be redirected to the competitor's Web site.

As a result of this practice, adware developers have been sued in multiple jurisdictions. These suits have been based on claims of trademark and copyright infringement, as well as state law claims such as trespass to chattels and tortious interference. The results of these suits have been inconsistent.

For example, WhenU has been sued by 1-800 Contacts, Quicken Loans, U-Haul and Wells Fargo, among others. WhenU prevailed in the U-Haul case, which resulted in a dismissal (279 F. Supp. 2d 723 (E.D. Va. 2003)). WhenU also prevailed on a motion for a preliminary injunction in the Wells Fargo case (293 F. Supp. 734 (E. D. Mi. 2003)).

In the U-Haul and Wells Fargo cases, the courts found that the use of trademarks by software companies to generate pop-up Internet ads did not constitute "trademark use" of those marks under the Lanham Act. For example, in U-Haul, the court held that WhenU did not place the U-Haul trademark in commerce, but rather used it for a "pure machine-linking function."

However, on facts identical to the U-Haul and Wells Fargo cases, WhenU lost on a preliminary injunction motion in the 1-800 Contacts case (309 F. Supp. 2d 467 (S.D. N.Y. 2003) (granting a preliminary injunction enjoining WhenU from delivering certain pop-up ads)). The court found that WhenU was making "trademark use" of the plaintiff's trademark in two ways: by using 1-800 Contacts' mark in the advertising of competitors' Web sites, and by including 1-800 Contacts' mark in the directory of terms that trigger pop-up ads.

In a case involving ads triggered by search terms (but not involving known spyware), the 9th Circuit recently held that the use of trademarks to trigger ads could constitute trademark infringement and thus a jury should decide the question. Playboy Enterprises Inc. v. Netscape Communications Inc., 354 F.3d 1020 (9th Cir. 2004). The Playboy case settled after the 9th Circuit's decision, leaving undecided a number of other important questions that often are raised in spyware cases.

However, in a similar case between GEICO and Google, GEICO's trademark claims survived a motion to dismiss and remain pending. Government Employees Insurance Co. v. Google Inc., 330 F.Supp.2d 700 (E.D.Va. 2004).

Software developers whose products may fall under the broad category of spyware need to take into account the likely passage of federal or more state legislation. Distribution methods that require no user consent or that fool users into downloading software likely already violate the law, or will soon. Similarly, it is worth considering whether information about a user's browsing habits needs to be transmitted back to a central database or whether storing the information on the user's computer may be sufficient. While both actions risk some form of privacy regulation, in the latter case the information may not be shared with third parties.

Misleading and confusing advertising already is regulated by the FTC and is likely to be even more heavily regulated through spyware legislation. Ads that are triggered by trademarks and that confuse users into visiting competitors' Web sites are likely to be the subject of continued lawsuits.

Also, if your client is receiving complaints about competitors' ads appearing on their Web site, they should save records of the complaints and investigate them. Evidence of actual confusion often is considered the best evidence of trademark infringement. If your client is considering filing a lawsuit against an adware developer, pleadings from lawsuits against WhenU, Gator/Claria, and Google may be instructive. Has your client registered its copyright in their Web site? Registration (or attempted registration) generally is a prerequisite to bringing a copyright infringement claim.

You also may want to advise your client to investigate technical solutions to spyware. Technical procedures can allow Web sites to "know" when a user has spyware on their computer and to take different actions as a result. While spyware developers may be able to develop their own procedures to defeat such technical solutions, these efforts still may be worthwhile. After all, few people would argue that anti-virus software is a bad idea just because new viruses can be developed that might slip by occasionally.

Part of the solution for companies negatively hit by spyware — as well as for consumers — may involve education. Users who are familiar with spyware and know what it is doing on their computers may be able to take some precautions to help mitigate its effect. For example, users can run various forms of spyware detection and removal utilities, including several good free utilities. In addition, a number of anti-virus packages have begun to include an anti-spyware function. Firewall software also can help protect against spyware.

Spyware is everywhere. One of the biggest problems presented by spyware is that, whether or not the underlying software may be characterized as "useful," spyware frequently does not announce itself and inform the user that they are being spied on. Thus, even spyware with arguably legitimate purposes is objectionable to many people because most people are not aware that such software exists on their computers. When consumers discover this presence, they feel that their privacy has been violated.

Computer users should be cautious when accepting free downloads from a Web site. They also need to be cautious when downloading software because of a Web site's prompt. In addition, users may want to use anti-spyware software to prevent or remediate the installation of spyware that may have been introduced without their knowledge.

Utah and California have taken the first steps to address the proliferation of spyware. As the WhenU litigation unfolds, the treatment of Utah's Spyware Control Act by the courts may pave the way for the enactment of spyware legislation by Congress and possibly by additional state legislatures. Even without the passage of spyware legislation, businesses are finding recourse in the courts of some states.

Spyware developers, as well as companies adversely affected by spyware, can prepare for likely developments in the law by taking counsel from legislation enacted and under consideration, as well as from court decisions ruling on the constitutionality of this legislation and addressing questions of whether various forms of spyware give rise to trademark or copyright infringement, trespass to chattels or a range of other state-law torts.


Slutsky is a partner and Baran an associate at King & Spalding LLP, in Atlanta. His e-mail is bslutsky@kslaw.com; hers is sbaran@kslaw.com.


 


Copyright American Bar Association. http://www.abanet.org