Spyware is essentially software that tracks clicks and collects other user and computer related information and transmits it to third parties. Some variants trade under the names adware (technology that delivers ads based on spyware) or malware (a program or file that secretly enters a computer and wreaks havoc).
But not all spyware is as sinister as the term suggests it is. The technology was born as software that contained a “phone home” capability that allowed software manufacturers to confirm that a copy of their program had been legally purchased. It was also designed to install software updates and upgrades with little or no intervention by users. For example, Microsoft authenticates each copy of Windows XP by retrieving information from a user’s computer and comparing it to its database to confirm the authenticity of the copy before permitting a full installation of the software.
Spyware of this sort and other legitimate forms continue to proliferate. Predictably, though, the technology has in some cases become a nuisance to users. More troublesome variants can hijack browsers, eat up bandwidth, and cause other computing resources to be used inefficiently. Navigation of the internet can become delayed or rendered impossible through never ending popup windows. Spyware also has become a source of privacy concerns. Unfortunately, these types of uses are the ones that are most associated with the term spyware.
Enter the federal and state politicians. These legislators are aggressively targeting this new fiend with possible regulation, and in some states, spyware laws have been passed. At the end of June, the House Energy and Commerce Committee in D.C. overwhelmingly passed the Spy Act, setting the stage for approval by the full House, where the bill has strong support. The legislation includes dense and unwieldy regulations that require spyware programs to be easily identifiable and removable, and to obtain consent from users before collecting personal identifiable information. The bill also calls for fines for abusers. The Senate is considering a similar bill.
Predictably, the tech industry is not happy with their handiwork. In its effort to contain spyware, the bill overreaches, casting its net over an array of legitimate and useful applications. The critics fear that Congress’ haste will make waste and ultimately lead to an overly broad law undermining valid online applications. The ensuing regulatory standards will lead to inefficiencies in our use of technology and require additional investment in education, compliance, enforcement (to the extent possible) and avoidance.
In general, tech industry advocates tend to be skeptical of governmental efforts to regulate the ever-changing, ever-adapting internet environment. The narrower the legislation’s scope the better. Thus, some would prefer regulation targeting only spyware that is designed for strictly illegitimate purposes. Such purposes would include the furtive collection of personal identifiable information (such as names and email addresses), and the disclosing of this data to third parties without the individual’s consent. Such a statute would focus on the privacy concerns, but not regulate parties that hijack a user’s browser.
Another approach advocated by Spy Act opponents is to rely on a combination of anti-spyware technological innovation, user education and wariness, and the enforcement of existing laws to fight against harmful spyware. These critics are on to something. There is, after all, off-the-shelf anti-spyware technology along with firewall applications that users can install to build an impenetrable barrier around their machine. In the long run, this tech solution will be more effective than any regulation could be. In the same vein, one can ask whether the CAN-SPAM Act has limited the distribution of junk email. Essentially, the answer is no. Though the government has spent significant resources trying to deal with the problem, the new law is failing to stop spammers. It is only when users take the matter into their own hands by using filtering technology that the spam scourge lessens.
There are, of course, some forms of spyware for which legal action will be required. For these instances, though, some critics argue that more traditional civil and criminal charges such as illegal trespass can be applied.
For example, in a 2000 case in the U.S. District Court for the Northern District of California, eBay sued a company named Bidder’s Edge for using spyware technology to search eBay’s website intensively (up to 100,000 times a day) to gather product and price information. eBay’s lawyers employed a novel argument at the time, charging Bidder’s Edge with illegal trespass of chattel—the trespass of or interference with real property, be it animals or, in this case, servers. The Court approved, enjoining Bidder’s Edge from deluging eBay’s systems with requests for data and causing it irreparable harm.
Going after a spyware promulgator with a charge of illegal trespass may seem like a novel approach to the regulators, but it makes sense. If someone intentionally interferes with your personal property without your consent, that person has illegally trespassed. It does not take a huge leap of faith to apply these same principles to someone who inserts code or changes the configurations of a computer without the user’s consent.
During the days ahead, the spyware debate will continue. Legislators will insist that what the internet needs is more legislation. The opponents will continue to argue that there is always a technology solution for technology problems, and that the internet should remain as unregulated as possible. Any company involved in the technology industry will want to stay abreast of the developments in this area so that the expanding regulatory framework does not jeopardize product development or expose anyone to unanticipated liability.