Laws Of .com

CDT Releases Report on Spyware

The Center for Democracy and Technology in the United States released a report addressing the growing "spyware" problem. The term spyware is used to describe computer programs, such as key stroke loggers and "adware", which are often installed without the user's knowledge to monitor online behaviour and collect information. The report provides an outline of the categories of spyware with corresponding examples, identifies the problems associated with each category, and canvasses legal and non-legal strategies.

The report describes three main categories of spyware. The first category comprises key stroke loggers and screen capture utilities. Also called "snoopware", these applications are installed by a third party to capture the user's key strokes and record periodic screen shots. This category of spyware has both legal uses, as in limited situations of employee monitoring, and illegal uses. The second category concerns "adware" and similar applications, which are installed covertly by piggybacking on unrelated applications and downloads and which are resistant to uninstallation. Instead of capturing key strokes, these programs transmit information about the user or the user's computer back to a central location. Programs in this second category are the most problematic because they fall into a legal grey zone and, thus, are the focus of CDT's report. According to CDT, the third category has been inappropriately labelled as spyware since it includes programs that, although featuring flawed user privacy protections, are based on legitimate business models.

CDT further classifies spyware applications into three additional categories based on the uses they make of their hosts' computers and Internet connections. The first of these categories comprises programs that collect information from the user's computer. Programs that fall into this category can include key stroke logging and screen capture programs, as well as adware programs that piggyback on free downloads. This category of spyware raises substantial privacy and user control issues. The programs in the second category are those that hijack the user's computer and Internet connection for the software's own use. They do not pose an immediate privacy threat because they do not collect user information; however, there are significant user control issues to consider. The final category consists of programs that use the Internet connection only to download updates to the software or the content. The threats to privacy and user control are not as significant as in the first two categories.

The report points to three existing US laws that may address the most extreme examples of spyware: 1) The Electronic Communications Privacy Act (ECPA), 2) The Computer Fraud and Abuse Act, and 3) Title 5 of the Federal Trade Commission Act, which allows the US Federal Trade Commission to take action against unfair and deceptive trade practices. However, the existing laws are inadequate in that they fail to cover some of the most common cases and do not respond to the unique features of the technology. And although there are several proposals for new legislation that would address spyware's privacy issues, they have yet to deal with the user control concerns. The report recommends that a multifaceted approach be taken to properly combat the complicated problems of spyware. While Congress has an important role in passing baseline privacy legislation that includes appropriate spyware provisions, companies and users must also play their parts with better technology measures, self-regulation, and user education.

For a copy of the release, visit:

http://www.cdt.org/privacy/031100spyware.pdf