Spyware, Malware, and Internet beasties
- Fair Info Practices
- 4th Amendment
- - ECPA
- - FISA
- - Patriot Act
- - Expectation
- - Cybersecurity
- - Anonymity
- - ID Theft
- - Spyware
- - Children's Privacy
- - COPPA
- - Cookies
- - Social Networks
- - Advertising
- - Online Profiling
- - Privacy Policies
- - Enforcement
- - CPNI
- - Cable
- - CALEA
Dept of Commerce
- - NTIA
- - NIST
- - EU Safe Harbors
- The Feds
- - Pri.Protection Act
- - Privacy Act
- - Pri. Impact Statements
- - Info Law
- - The Press
- - Location Based Services
"[P]anelists from FTC staff and Department of Justice staff stated that their current statutory authority was sufficient to prosecute spyware distributors. Section 5 of the FTC Act gives the agency the authority to challenge acts and practices in or affecting commerce that are “deceptive” or “unfair.” The Commission will find that an act or practice is “unfair” if it causes or is likely to cause substantial injury to consumers, that injury is not outweighed by any countervailing benefits to consumers and competition, and consumers could not have reasonably avoided the injury.
The Commission will find deception if there is a material representation, omission, or practice that is likely to mislead consumers acting reasonably in the circumstances, to their detriment. For example, if a software distributor represented that spyware bundled with primary software would not affect the operation of a computer, this representation would be deceptive if the spyware used so much memory that it substantially slowed down the computer’s performance or otherwise significantly impaired the computer’s performance.
It is also deceptive for a seller to tell a half-truth, i.e., to fail to disclose information necessary to prevent some other statement from creating a misleading impression. So, if a software distributor expressly or impliedly represented that downloading its primary software would not cause a computer to crash, it might be deceptive to fail to disclose that accompanying spyware would substantially slow it down.
Even assuming that the amount and type of information provided about the spyware is adequate, as explained above, software distributors often present it through fine print disclosures buried deep in a lengthy document. FTC law is clear, however, that disclosures must be clear and prominent if consumers are to be able to notice, read, and comprehend them. The FTC has issued a guidance document providing sellers with information on how to present such
information in an online environment.
The FTC has substantial experience challenging unfair or deceptive acts and practices on the Internet as violating Section 5 of the FTC Act. Over the past decade, the Commission has brought over 300 law enforcement actions related to the Internet. In these cases, the FTC has obtained injunctive relief, and often, monetary relief. Specifically, the defendants in these cases have been ordered to pay more than $1 billion to redress harm to consumers.
Over the past decade, the FTC has brought 14 Internet-related cases challenging conduct that caused harms similar to those associated with spyware. The Commission, for example, has challenged: (1) hijacking computer modems for use in placing unauthorized telephone calls; (2) hijacking web pages or “copy catting” website domain names to trap consumers and subject them to a barrage of pop-up ads; and (3) using information obtained from consumers who purchased an anti-spam product to send them spam.
Drawing on its experience in challenging unfair or deceptive acts and practices on the Internet, the Commission recently sued an alleged spyware distributor. The FTC filed a complaint in federal district court alleging that Seismic Entertainment Productions, Inc., SmartBot.Net, Inc., and Sanford Wallace engaged in unfair acts and practices in violation of Section 5 of the FTC Act. The defendants allegedly operated numerous websites and used a variety of tactics, including pop-up ads, to get consumers to visit these websites. Defendants then allegedly exploited a known vulnerability in the Internet Explorer web browser to download spyware to users’ computers without the users’ knowledge or authorization.
According to the complaint, the spyware caused many different harms. Allegedly, it:
modified the features of consumers’ web browsers and hijacked their Internet searches; caused consumers to receive an incessant stream of pop-up ads; secretly installed a number of additional software programs, including programs that
could monitor users’ Internet activity and capture information they entered into online
caused computers to malfunction, slow down, or even crash.
Furthermore, the complaint alleges that after the defendants had infected consumers’ computers with spyware, they began to aggressively advertise to these same consumers purported “anti-spyware” programs called “Spy Deleter” or “Spy Wiper.” The ads claimed that consumers must purchase these products to remove spyware from their computers. The defendants allegedly received a sizeable commission from the anti-spyware vendors based on the number of sales attributable to the ads displayed by the defendants. On October 21, 2004, the court granted a temporary injunction against the defendants. The defendants subsequently stipulated to a preliminary injunction.
In addition to the FTC’s ability to bring Section 5 cases like Seismic Entertainment, the Department of Justice (DOJ) has statutory authority to prosecute distributors of software products, such as spyware, in cases where consumers’ privacy or security is compromised. The Computer Fraud and Abuse Act of 1984, for example, prohibits the unauthorized acquisition of data from a protected computer that results in damage.
The DOJ also has authority, under a variety of statutes that regulate communications, to pursue actions against entities that acquire information fraudulently, such as through the use of a keylogger program. For example, the DOJ recently indicted an individual who installed a keylogger on a computer at his place of employment, and also prosecuted a defendant who had installed a keylogger on several public computers located in a Kinko’s store.
As explained above, federal officials believe that they have adequate authority under their existing criminal and civil statutes to take law enforcement action against those who disseminate spyware. Spyware is a serious and growing problem, and it has the potential to cause substantial harm to consumers and businesses. Notwithstanding the challenges posed by investigating acts and practices related to spyware, FTC staff believes that law enforcement officials should increase criminal and civil prosecution under existing laws of those who distribute spyware.
- FTC, Monitoring Software on Your PC: Spyware, Adware and other Software, pp 20-21 (March 2005)