
SECURITY, ETHICS, AND LEGAL ISSUES

THE ETHICAL AND LEGAL CONCERNS OF SPYWARE

Janice C. Sipior, Burke T. Ward, and Georgina R. Roselli

Computer users are threatened by stealth invaders, in the form of spyware, which gather users’ personal information for target marketing purposes, but can also disrupt the operation of the computer. This article examines the ethical and legal controversy within the United States surrounding spyware. The various methods of battling spyware, including approaches by individual users, organizations, and government oversight, legislation, and litigation, are discussed.

SPYWARE IS REGARDED AS THE LARGEST threat to Internet users since spam, yet most users do not even know spyware is on their personal computers (PCs). Spyware (a.k.a. adware, foistware, malware, pestware, scumware, sneakware, snoopware, and trespassware) includes “[a]ny software that covertly gathers user information through the user’s Internet connection without his or her knowledge, usually for advertising purposes” (FTC, 2004b). The definition is so broad that it may cover software that is beneficial and benign, or software that has poorly written, inefficient code (FTC, 2004c). The Center for Democracy and Technology, a policy research group, has proposed that software that hijacks Web traffic, tracks Internet users without their knowledge and consent, and is not easily removable should be considered spyware.

“Spyware appears to be a new and rapidly growing practice that poses a risk of serious harm to consumers” (FTC, 2004a). An estimated 7000 spyware programs run on millions of corporate and personal computers. A study in May 2003 reported that 91 percent of home PCs are infected with spyware (Richmond, 2004). Gartner Research estimates that over 20 million people have installed spyware applications on their PCs. According to Microsoft, spyware is responsible for half of all PC crashes. Spyware complaints are the most common reason for consumers to contact Dell Tech Support Services (Urbach and Kibel, 2004), with about 20 percent of calls related to spyware or viruses, up from 2 percent for the previous 18 months.

The increasing prevalence of spyware is not unlike the unintended use of cookies, a Web-tracking and information-gathering technique, enabling personal information to be easily obtained from Web users, often without their knowledge. While information concerning user characteristics and preferences collected via cookies may be used beneficially to improve product and service offerings to consumers, the surreptitious nature of its acquisition coupled with no indication of its intended use can raise ethical issues regarding the acceptability of privacy invasions in Web use. However, the consequences of spyware can be more severe. For industry sectors that are subject to data collection laws, such as the Health Insurance Portability and Accountability Act and Sarbanes–Oxley Act, spyware can unwittingly result in noncompliance. Section 404 of Sarbanes–Oxley requires publicly held companies to annually evaluate their financial reporting controls and procedures. The security and privacy of proprietary information and systems cannot be guaranteed should stealth spyware arrive.

This article examines the controversy surrounding spyware. First, the types of spyware are overviewed. The ethical and legal concerns of spyware, including trespass, privacy invasion, surreptitious data collection, direct marketing, and hijacking, are then discussed.

JANICE C. SIPIOR, Associate Professor of MIS at Villanova University, is currently Chair of ACM–SIGMIS (Association for Computing Machinery – Special Interest Group on MIS), Senior Editor of Data Base, and Associate Editor of Information Resources Management Journal. BURKE T. WARD, Professor in the Departments of Accountancy, Marketing and Business Law, and The Graduate Tax Program at Villanova University, has published numerous articles on taxation, information systems, and employment law. GEORGINA ROSELLI is currently a graduate student in business administration at Villanova University.

INFORMATION SYSTEMS MANAGEMENT 39 SPRING 2005

TABLE 1 Earthlink’s 2004 Spyware Audit

Number of Instances of Spyware Found

Type of Spyware      1st Quarter    2nd Quarter    3rd Quarter    1Q-3Q Total
Adware                 3,558,595      7,887,557      5,978,018     34,848,340
Adware cookies        14,799,874     27,868,767     22,327,112    129,991,506
System monitors          122,553        210,256        154,878    164,839,846
Trojan horse             130,322        236,639        148,214      1,030,350
Total                 18,611,344     36,203,219     28,608,222    330,710,042

Source: http://www.earthlink.net/spyaudit/press.

Finally, the various methods of battling spyware, including approaches by individual users, organizations, and U.S. Government oversight, legislation, and litigation, are addressed.

TYPES OF SPYWARE

Spyware has been variously categorized on the basis of the activities it performs. EarthLink (an Internet service provider) and Webroot Software, Inc. (an anti-spyware software maker) audited over 3.2 million PCs to date in 2004 and found 83.4 million instances of spyware, averaging 26 instances of spyware per PC. As shown in Table 1, almost 65 million (77.9 percent) of these items were adware cookies. Excluding cookies, the average instances of spyware is six per PC.

Adware Cookies

Adware cookies are files containing information about a user’s Web site interaction, which can be exchanged between the Web site, the user’s hard drive, and back. Originally intended for innocuous purposes such as keeping track of items in an online shopping cart, simplifying the log-in process, and providing users with customized information based on stated interests, cookies can be used to create a profile of a user’s online behavior without that user’s knowledge or consent.

Adware

Adware is used for direct marketing on the Web, with or without user consent. By monitoring users’ Web browsing or by using detailed target market profiles, adware delivers specific advertisements and offerings, customized for individual users as they browse the Web. These advertisements can take the form of pop-up or pop-under ads, Web banners, redirected Webpages, and spam e-mail.

An example of a redirected homepage and default search engine is presented in Table 2. This example results from visiting a known spyware site such as www.yahoogamez.com. (Do not visit this site!) The get_http (Hypertext Transfer Protocol) command returns the HyperText Markup Language (HTML) of the Web site whose address is 209.50.251.182, which is an Internet protocol (IP) address rather than a hostname. The HTML from this site is downloaded. Within this HTML are commands that redirect the homepage and the default search engine of the user’s browser.

Trojan Horses

A malicious form of spyware named for the Trojan horse from Greek history, a Remote Administration Trojan (RAT) or Trojan can take control of a user’s computer by installing itself with a download and taking directions from other computers it contacts via the Internet. Trojans can turn a PC into a spam proxy without user knowledge or use Microsoft Outlook e-mail as if it were a browser to allow for a torrent of pop-up ads. Trojans can also be designed to steal data or damage computer files.

System Monitors

This form of spyware, also referred to as keystroke loggers, surreptitiously collects data from user–computer interaction, both locally and online. User keystrokes and mouse-clicks can be recorded while shopping or banking on the Web and locally while using software such as spreadsheets or videogames. This data can be transmitted back to the spyware installer, shared with other businesses such as marketers, or sold to data consolidators.

THE ETHICAL AND LEGAL CONCERNS OF SPYWARE

The controversy surrounding spyware results from ethical and legal concerns associated with

TABLE 2 Example of Change of Homepage and Default Search Engine (based on Liston, 2004)

[Editor’s Warning: Do not visit this site!]

Get_http command initiated by visiting www.yahoogamez.com:

[20/Jul/2004:14:03:55 -0500] “GET_http://209.50.251.182” — “/vu083003/object-c002.cgi HTTP/1.1”

The HyperText Markup Language (HTML) returned from the 209.50.251.182 Web site:
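The log entry in Table 2 shows the trait the article calls out: the browser is sent to a bare IP address (209.50.251.182) rather than a hostname. The following is an added example, not taken from the article or from Liston, of how a defender can scan log lines in this format and flag such requests. The first sample line is the article's own entry; the second, benign line and the parsing expressions are constructed for the example.

```javascript
// Added example (not part of the article): parse log lines in the format
// shown in Table 2 and flag requests whose target host is a bare IPv4
// address rather than a hostname. The first sample line is the article's
// own entry; the second is a constructed benign entry for contrast.
var SAMPLE_LOG = [
  '[20/Jul/2004:14:03:55 -0500] "GET_http://209.50.251.182" \u2014 "/vu083003/object-c002.cgi HTTP/1.1"',
  '[20/Jul/2004:14:05:10 -0500] "GET_http://www.example.com" \u2014 "/index.html HTTP/1.1"'
];

// Matches: [timestamp] "GET_http://host" <separator> "/path HTTP/x.y"
// The host group stops at '"', '/' or ':' so an optional port is not swallowed.
var LINE_RE = /^\[([^\]]+)\]\s+"GET_http:\/\/([^"\/:]+)(?::\d+)?"\s+\S+\s+"(\S+) HTTP\/[\d.]+"\s*$/;

// True only for a dotted quad whose four octets are each 0-255.
function isIpv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false;
  }
  return true;
}

// Returns {timestamp, host, path} for a well-formed line, or null.
function parseLogLine(line) {
  var m = LINE_RE.exec(line);
  if (!m) return null;
  return { timestamp: m[1], host: m[2], path: m[3] };
}

// Scans log lines and returns the entries whose host is a bare IP address.
// Unparseable lines are counted rather than silently dropped, so a change
// in log format does not quietly hide hits.
function findBareIpRequests(lines) {
  var hits = [];
  var unparsed = 0;
  for (var i = 0; i < lines.length; i++) {
    var entry = parseLogLine(lines[i]);
    if (!entry) { unparsed++; continue; }
    if (isIpv4Literal(entry.host)) hits.push(entry);
  }
  return { hits: hits, unparsed: unparsed };
}

// Stand-alone run over the embedded sample.
var report = findBareIpRequests(SAMPLE_LOG);
report.hits.forEach(function (h) {
  console.log(h.timestamp + " request to bare IP " + h.host + h.path);
});
```

A request to a bare IP is not proof of spyware on its own, which is why the scan returns the matching entries for review rather than a verdict; the `unparsed` count tells the analyst how much of the log the rule never saw.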

its distribution and capabilities. The issues, including trespass, privacy invasion, surreptitious data collection, direct marketing, and hijacking, are discussed below.

Trespass

Spyware usually arrives uninvited from file-sharing services as hidden components bundled with desired downloads such as screen savers, music-swapping software, or other freeware or shareware, but can also be included with purchased software. Spyware can masquerade as a legitimate plug-in needed to launch a certain program or pose as a browser object, such as a toolbar. Users may unwittingly consent and accept spyware by agreeing to, but not thoroughly reading, the license presented when installing such software. Spyware can also be distributed in a variety of stealth ways. For example, a “drive-by download” starts a download process when a user visits a Web site or clicks on a Web ad. In peer-to-peer networks, spyware can hide in group directories and spread itself through infestation of the directories on a user’s PC. Users can also be tricked into installing spyware. A message box might appear saying, “To install this program, click ‘No’,” prompting a user to unknowingly click for installation. Spyware can also covertly install other spyware programs as part of an “auto-update” component. This creates new security vulnerabilities by including capabilities to automatically download and install additional programs.

The idea of others installing software, undetected, on an individual’s hard drive may be offensive. Once installed, spyware utilizes the user’s own resources, potentially without the user’s knowledge and express permission. Spyware’s monitoring or controlling of PC use can significantly slow the performance of basic tasks such as opening programs or saving files. Random error messages, pop-up ads, or a surprise homepage may appear when opening the browser. New and unexpected toolbars or help icons may appear on the user’s desktop. Common keys, such as tab, may no longer function. The transmission of user information gathered by spyware uses valuable bandwidth and threatens the security of computers and the integrity of online communications. Even with the use of anti-spyware software, removal can be difficult. Knowledge of how to manipulate the Windows registry is required for persistent spyware. Diagnosing compromised system performance and removing spyware places a substantial burden on users or corporate support departments.

Uninvited stealth spyware is particularly insidious and could arguably be considered trespassing. Users should be able to maintain control over their own computer resources and Internet connection. They should not be disallowed from using their own computer as they personally desire and should have the ability to remove, for any reason and at any time, unwanted programs. Applying common law, this unauthorized invasion is called trespass to chattels (i.e., personal property). This is a legal remedy for an individual, not a governmental remedy, that protects society generally. Governmental remedies, such as actions by the Federal Trade Commission (FTC), are discussed later, in the section addressing U.S. legislation. According to the Restatement (Second) of Torts, § 217, a trespass to chattel can be committed by intentionally

❚ Dispossessing another of the chattel, or
❚ Using or intermeddling with a chattel in the possession of another.

Although not yet applied in any legal action, it is arguable that a computer user is dispossessed, not physically of course, but at least constructively, by the uninvited spyware when the operation of the PC is impaired through hijacking, crashing, or disruption of performance. At a minimum, the spyware installer is using and intermeddling with the user’s possession through unauthorized data collection, control of his browser, Webpage redirection, search engine substitution, pop-up ads, and hijacking. Possession is defined in § 216 as “physical control… with the intent to exercise such control on his own behalf, or on behalf of another.” Spyware clearly interferes with control and therefore should be subject to legal action. If the unauthorized installation of spyware is actionable as a trespass to chattel, the installer should be liable to the injured party. The Restatement at § 218 states that “[O]ne who commits a trespass to a chattel is subject to liability to the possessor of the chattel if, but only if,

❚ He dispossesses the other of the chattel, or
❚ The chattel is impaired as to its condition, quality, or value, or
❚ The possessor is deprived of the use of the chattel for a substantial time, or
❚ Bodily harm is caused to the possessor, or harm is caused to some person or thing in which the possessor has a legally protected interest.”

Depending on the characteristics and purpose of the spyware, at least one, and possibly all, of these consequences will be present.

Privacy Invasion

Privacy is one of the major concerns raised by spyware. The privacy concern is based mainly on the potential for intrusions into a user’s computer resources for surreptitious data collection, dissemination of an individual’s private information, and uninvited direct marketing. Spyware “install[s] itself without your permission, run[s] without your permission, and use[s] your computer without your permission” (Baker, 2003). Without having knowingly provided permission for the installation of spyware, the user is likely to see spyware as a violation of privacy.

Is the user’s privacy legally protected? There is no definitive answer. The full extent of privacy rights within the United States remains unclear. Recognition of privacy rights within the United States did not occur until the late 1800s (Warren and Brandeis, 1890). Almost a half century ago, privacy was recognized as, in part, a spiritual issue, the unprivileged invasion of which is an affront to individuality and human dignity (Bloustein, 1964). Are the actions of spyware such an unethical affront to individual human dignity, to be afforded legal protection? Currently, privacy protection in the United States is an incomplete but complex amalgam of federal and state constitutions, statutes, and regulations. The scope of privacy protection provided by each legal source varies. Therefore, the reasonableness of a user’s expectation of privacy differs depending on whether the claim is made under constitutional, common, or statutory law. The resolution of the issue will ultimately require either federal legislation or a seminal legal case in which the user’s reasonable expectation of privacy is determined.

Surreptitious Data Collection

Spyware, such as system monitors, can surreptitiously capture personal information stored or typed into a PC. Hard drives can be scanned to obtain information from a user’s files and application programs such as e-mail, word processors, and games. User keystrokes and mouse-clicks can be recorded during both Internet access and local PC use, in playing videogames for example. Information obtained, such as user behavior, financial data, credit card numbers, passwords, and id-tagged downloads, can be transmitted to the spyware installer and partners for marketing or fraudulent purposes. These sites can “phish” for data from user inputs while surfing, banking, and making purchases, or promote pornography, gambling, or fraudulent schemes. An investment broker recently lost $540,000 after he installed spyware disguised as a phony market analysis program that transmitted his account information to hackers. Other sinister uses may evolve, such as capturing and transmitting Word and Excel documents to steal corporate secrets or recording telephone conversations when a suitable modem is attached to the PC.

Spyware uses novel approaches to collect data, such as adware cookies. Avoiding Web sites that place cookies on your hard drive, however, does not eliminate them. Spam e-mail can contain cookies that are read by the originating server and matched to the user’s e-mail address. The information gathered by cookies can beneficially increase convenience in the online shopping experience and allow for personalized marketing strategies to be employed. However, without informed consent for specific information collection, cookies can be viewed as “a self-serving act of capitalist voyeurism” (Stead and Gilbert, 2001).

Another novel form of spyware is the “Backdoor Santa,” a stand-alone program that gathers user information. A popular example of this spyware is a novelty cursor representing a seasonal icon or the likeness of Dilbert or a Peanuts character. Using a Globally Unique IDentifier (GUID), issued when the program is downloaded, the provider’s servers are contacted to record logs of cursor impressions, the identity of referrers, Internet protocol (IP) addresses, and system information, all without user awareness. The data collected by the provider is given to paying clients to inform them of how many individual users have customized cursors obtained from specific sites.

Ethically, spyware installers have an obligation to users to obtain informed consent for the collection and use of personal information. However, in the commercially competitive environment of E-commerce, information gathering may be undertaken without users’ knowledge or permission. The mere awareness, on the part of an end user, of the existence of spyware may impart an eerie feeling during computer use. The knowledge that someone, somewhere, may be tracking every mouse-click and every keystroke can be unsettling. Even if users were aware of all the data collected about them, they would still have little idea of how that data is used, by whom, and the resulting direct marketing that can result. Perhaps being comprehensively informed of what data is being collected when and for what purpose, what impact such activities have on computer performance, and presented with the opportunity to grant permission could remove the stealth reputation of these activities.

Direct Marketing

Adware serving networks pay software companies to include spyware with their legitimate software such as games, utilities, and music/video players for the purpose of gathering user preferences, characteristics, and online behavior. Using programs installed on the user’s computer, this user information is sent to the advertiser that serves the targeted ad. Such marketing activity is expected to continue to increase, raising concerns about its acceptability. The Direct Marketing Association (DMA) projects a growth rate in interactive media expenditures of 18.9 percent annually, reaching U.S.$5.0 billion in 2006.

Adware can be used beneficially to improve product and service offerings to consumers. For example, a determination of what advertisements a Web site visitor has already seen can be made so that only new ads are presented during future visits. Such tracking allows for a personalized screening capability, thus reducing information overload. A user’s online usage and interests can also be used to determine what other sites are visited, thereby allowing identification of potential affiliate Web sites. Such use seems rather innocuous and perhaps even desirable. However, if used to promote pornography, gambling, or fraudulent schemes, adware becomes a questionable medium. Further contributing to the acceptability of adware is the practice of browser hijacking, disallowing the user control of his own browser. The user should receive adequate notice of and permission for the installation of spyware, with the capability to uninstall it, for the explicit purpose of exchanging user information for the benefits of adware. Although adware applications are usually disclosed, in the End User Licensing Agreement (EULA) of software it accompanies, and have the ability to be uninstalled from the user’s system, such disclosures may not be read. Without explicit user permission, the user is likely to object to and be offended by the delivery of adware.

Hijacking

Spyware, such as Trojan horses, can persistently disallow user control over his computing resources, precluding the user from his own uses and compromising system security. Most users

TABLE 3 Approaches to Battling Spyware

I. Individual User Vigilance
II. Organizational Initiatives
   A. Spyware Awareness Training
   B. Organizational Policies
   C. Technological Approaches
      1. Hosts File
      2. Proxy Automatic Configuration File
      3. Security Software
         a. Anti-Spyware Software
         b. Firewalls
         c. Spyware Blockers
      4. Utilize Server-Based Applications
      5. Keep Operating System Software Up-to-Date
III. U.S. Government Oversight, Legislation, and Litigation
   A. Federal Trade Commission Oversight
      1. FTC Act §5 to regulate “unfair or deceptive acts or practices”
      2. FTC endorses the use of Industry Self-Regulation
   B. Federal Legislation Introduced during the 108th Session of Congress
      1. Safeguard Against Privacy Invasions Act (H.R. 2929), http://thomas.loc.gov/cgi-bin/bdquery/z?d108:h.r.02929:
      2. Internet Spyware (I-SPY) Prevention Act of 2004 (H.R. 4661), http://thomas.loc.gov/cgi-bin/bdquery/z?d108:h.r.04661:
      3. Software Principles Yielding Better Levels of Consumer Knowledge (SPYBLOCK) Act (S. 2145), http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.02145:
      4. Piracy Deterrence and Education Act of 2004 (H.R. 4077), http://thomas.loc.gov/cgi-bin/bdquery/z?d108:HR04077:@@@L&summ2=m&
   C. State Legislation
      1. Utah Spyware Control Act
      2. California Computer Spyware Act
   D. Federal Litigation
      1. Federal Trade Commission, Plaintiff, v. Seismic Entertainment Productions, Inc., SmartBot.net, Inc., and Sanford Wallace
      2. Claria Corporation (formerly Gator) multidistrict litigation case
      3. WhenU.com’s multiple cases

are not aware of the depth of penetration into their systems. The browser’s homepage, default search engine, bookmarks, and toolbars can be changed to persistently present a competitor’s Web site or a look-alike site. Mistyped URLs can be redirected to pornographic sites and pop-up advertising can be presented. Web sites may be launched without any action on the part of the user. Dialers can use a telephone modem to dial into a service, such as a pornographic 900 number, for which the user is then billed. System settings can be modified. For example, the auto signature can be reset; uninstall features can be disabled or bypassed; and anti-virus, anti-spyware, and firewall software can be modified. McAfee, an intrusion prevention software provider, first detected a homepage hijacking program in July 2002. As of July 2004, there were more than 150 hijacker spyware programs (Gomes, 2004). Hijacking is particularly offensive due to its persistent nature.

BATTLING SPYWARE

The approaches to reduce unwanted spyware include individual user vigilance, organizational initiatives, U.S. Federal Trade Commission (FTC) oversight, legislation, and litigation, as shown in Table 3. None of these approaches alone has been effective. Rather, battling spyware requires a combination of these approaches.

Individual User Vigilance

Individual users can undertake some defense against spyware through vigilance in interacting with the Internet and properly managing their computing resources. First and foremost, a user needs to be vigilant in downloading files. Before installing any software, a user should carefully read the EULA. Ethically, any spyware bundled with the download should be disclosed in this “clickwrap” agreement. There may be an opt-out option to avoid downloading spyware, but this does not occur frequently. If a pop-up window appears to ask the user, “Do you want to install this software?” the user should avoid clicking no, which may result in unwanted installation. Rather, the user should close the window with the “X” window closer or press Alt and F4. Another safeguard is to check for disclosures about downloads by searching for the name of the software followed by “spyware” using a search engine. Do not install software without knowing exactly what it is.

Users can take additional actions to reduce the potential for spyware. Avoid peer-to-peer networks, which offer downloads containing spyware because of revenues generated from advertising with which it is packaged, and visit only known Web sites to minimize “drive-by” downloads. Remember that Web links on Web sites, within pop-up windows, or in e-mails can be masked to look like legitimate links. Do not use instant messengers or shopping or search helpers. Software for purchase, such as videogames, may also contain spyware to capture user behavior to support ad placement and pricing within the software. Run a virus check on unfamiliar files. Update operating system and software to obtain “patches” to close holes in the system that spyware could exploit. Set the setting to Medium or High to detect download attempts. Turn off the PC when not in use.

Organizational Initiatives

Organizations cannot rely on individual user vigilance as a defense against spyware. Organizations should thoroughly educate users about the types and risks of spyware through spyware awareness training and create user policies that minimize the occurrence of spyware corruption. More importantly, organizations should pursue technological approaches to reduce spyware. Additionally, the Windows Hosts file or the Proxy Automatic Configuration (PAC) file in the browser can be used to block access to Web sites known for spyware.

Employee Education and Organizational Policies. Employees need to understand that their downloading and Web-surfing habits can lead to an increased amount of spyware infestation. PC and Internet use policies should explicitly forbid visitation of Web sites known for placing spyware, such as those promoting pirated software, gambling, and pornography. Employees should be encouraged to report unwitting or accidental visits resulting from typos or clicking on the wrong links, for example, with an assurance that they will not be reprimanded for such mistakes. Additionally, organizational policy should prohibit peer-to-peer file sharing and downloading freeware or shareware. Further, PC use by anyone other than the employee, such as family members and other unauthorized users, should be disallowed. Finally, organizations should consider requiring the use of alternate Internet browsers and instruct users on appropriate browser settings. Alternatives to Microsoft’s Internet Explorer (IE), the standard Internet browser, are currently more secure due, in part, to the fact that these alternate browsers are smaller targets for malware authors. Alternatives, such as ’s , are competent browsers that are free to users.

Technological Approaches. Technological approaches directed toward eradicating spyware include setting operating system and browser features to block Web sites and installing security software. Additionally, organizations are encouraged to utilize server-based applications, as they are less susceptible to attack, and keep operating system software up-to-date.

Hosts file and proxy automatic configuration file. The hosts file within operating systems such as Windows, Linux, or UNIX, and the Proxy Automatic Configuration (PAC) file within browsers such as IE, Firefox, and Netscape Navigator, are two alternatives available to IP network administrators. To use either of these approaches, a list of Web sites, or even Webpages, to not visit must be created. The hosts file or the PAC file is then edited to include the list, thereby blocking access to Web sites known for spyware. The Windows hosts file, for example, is found under c:\windows\system32\drivers\etc and has no extension. This text file is used to associate host names with IP addresses. Any network program on the organization’s system consults this file to determine the IP address that corresponds to a host name. When a Web address, called a domain name, is typed into a browser, the browser first checks the hosts file. The central Domain Name Services (DNS) server is then contacted to look up the numeric equivalent of the Web address, the IP address, necessary to locate the Web site to be displayed. If the hosts file contains an IP address for the domain name to be visited, the browser never contacts the DNS to find the number. The hosts file can be edited in Notepad to enter or update a list of known spyware sites and redirect them to 127.0.0.1 (which is the IP address the computer uses to refer to itself, the local host). This will effectively block any requests made to undesirable sites because the domain name of such Web sites will point to the local host. Hosts files can only block entire Web sites, while PAC files can block addresses of individual Web pages within a site. The user is thus afforded greater control over what is blocked. A Web site with desirable content may also serve ads via individual Web pages, which can selectively be blocked. The PAC file is written in JavaScript, introduced with Netscape Navigator 2.0 in 1996 (LoVerso, 2004). The browser evaluates a JavaScript function for every Uniform Resource Locator (URL) (i.e., Web page) to be displayed. Like the hosts file, the JavaScript function in the PAC file blocks access by redirecting the requested Web page to the local host.

Security software. Security software solutions include anti-spyware software, firewalls, and spyware blockers. A recent, concentrated effort on the part of software makers is bringing a proliferation of anti-spyware initiatives for the corporate world to market. The market for anti-spyware software is still small, with $10 to $15 million in sales, compared to the $2.2 billion anti-virus software industry. Effective anti-spyware software should identify the spyware threat, as well as provide an informative explanation of the nature and severity of the detected threat, and allow the user to decide what to remove. To date, no anti-spyware utility can provide an impenetrable defense. Attracted to the potential to generate advertising revenue, professional programmers continue to refine spyware to make it difficult to identify and remove. Therefore, at least two anti-spyware tools should be used, as the first may not detect something that another tool does. Further, every network or PC that accesses the Internet should have its own firewall to block unauthorized access and provide an alert if spyware, sending out information, is already resident. Defensive spyware blocker software can also detect and stop spyware before it is installed.

Anti-spyware software vendors face many gray areas as they attempt to eradicate adware and potentially unwanted programs (PUPs). For example, McAfee’s VirusScan 8.0 will detect PUPs on a computer, including adware programs, but will only delete them if the PUP is in direct opposition to the terms stated and agreed to in its EULA. If the user had given consent to download the adware, when all functions of the software were accurately represented, eradication of the program by McAfee becomes more difficult.

PestPatrol Corporate Edition, owned by Computer Associates, has a central management console that lets administrators scan desktops for spyware, quarantine infected systems, and cleanse them. Zone Labs, Symantec, and Cisco plan to release anti-spyware programs for enterprise systems. By the end of 2005, firewall, anti-virus protection, and behavior-based protection will be available in one integrated software package.

U.S. Government Oversight, Legislation, and Litigation

The U.S. government has recently begun to investigate the effects and legitimacy of spyware, with the FTC leading the charge. While legislation has been proposed at the federal level in the Senate and House of Representatives, some states have already imposed regulations. Spyware has not yet caused widespread public outcry because most users are unaware that their systems have been compromised.

Federal Trade Commission Oversight. The FTC has stated that “spyware appears to be a new and rapidly growing practice that poses a risk of serious harm to the consumers.” Furthermore, the FTC feels that government response “will be focused and effective” (FTC, 2004c). The FTC currently has legal authority to take action, both civilly and criminally, against spyware installers. Civil action would be brought under the Federal Trade Commission Act §5 to regulate “unfair or deceptive acts or practices.” Criminal action would be brought under the Computer Fraud and Abuse Act to provide remedies against whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” The FTC conceded that if the spyware infiltration continues, there could be “loss in consumer confidence in the Internet as a medium of communication and commerce” (FTC, 2004c).

The FTC is endorsing the use of self-regulatory measures, as opposed to the introduction of regulating legislation, through a series of workshops and hearings. Industry and consumer and privacy advocates have met to address the online privacy and security issues of spyware and to encourage and facilitate industry leaders to develop and implement effective self-regulatory programs. Additionally, a variety of education and civil enforcement initiatives have been undertaken to reduce the negative effects of personal information disclosure, such as identity theft, violations of privacy promises, and breaches of customer databases. In response, companies whose spyware is installed with free software have improved methods for disclosure and removal. According to Urbach and Kibel (2004), most reputable and responsible technology providers feel that adherence to the following five principles is crucial for all adware providers and those who take advantage of their services:

1. Clear and prominent notification presented to the user prior to downloads or data collection. Additionally, the EULA contains such notification.
2.

federal criminal code to prohibit intentionally accessing a protected computer without authorization to install spyware to transmit personal information with the intent to defraud or injure an individual or cause damage to a protected computer. Penalties of up to five years in prison for certain crimes committed with spyware are included. In addition, $10 million would be provided annually to the Justice Department for enforcement. The House voted to pass this bill on October 7, 2004, and referred it to the Senate.

The Software Principles Yielding Better Levels of Consumer Knowledge (SPYBLOCK) Act (S. 2145) was introduced in the Senate on February 27, 2004. This bill addresses the use of spyware on computer systems used in interstate or foreign commerce and communication. It makes the installation of spyware with
The user has the opportunity to accept the unlawful unless the user has received notice terms of the application for both access to and granted consent and there are software un- the user’s PC and to any communications install procedures that meet requirements set between a user’s PC and the Internet. forth. The notice to the user must be clearly dis- 3. Easy removal procedures to uninstall any played on the screen until the user either unwanted applications. agrees or denies consent to install and a sepa- 4. Clear branding of pop-up windows so there rate disclosure concerning information collec- is no confusion regarding the ad’s source. tion, advertising, distributed computing, and 5. Adherence to all application laws and best settings modifications must be featured. Inter- business practices for Internet business. estingly, the bill does not attempt to define spy- ware. Instead, the bill applies to “any computer U.S. Federal Legislation Introduced program at all that does not comply with its no- during the 108th Session of Congress. tice, choice, and uninstall requirements” while The U.S. Congress has begun to study and de- making exceptions for technologies such as bate various initiatives to address concerns as- cookies, preinstalled software, e-mail, and in- sociated with spyware. At the time of writing, stant messaging (Urbach and Kibel, 2004). At a number of legislative proposals were pending the time of writing, the bill was pending in the in Congress. Each is discussed below and pre- Senate. sented in Table 3 (see III.B). The Piracy Deterrence and Education Act of The Safeguard Against Privacy Invasions Act 2004 (H.R. 4077), introduced in the House on (H.R. 2929) was introduced in the U.S. House March 31, 2004, touts the dangerous activity of Representatives on July 23, 2003. The bill di- on publicly accessible peer-to-peer file-sharing rects the FTC to prohibit the transmission of services. 
It stresses that appropriate measures spyware to a computer system used by a finan- to protect consumers should be considered. cial institution or the federal government by Similarly, the FTC has already warned the pub- means of the Internet. The bill requires con- lic not to use file-sharing programs, due to the spicuous notification of the installation of spy- inherent risks associated with such activity. ware. Furthermore, it requires the FTC to This bill was passed by the House on Septem- establish requirements for the transmission of ber 29, 2004, and referred to the Senate. an application through affirmative action on the part of the user. Also, the spyware installer State Legislation. On March 23, 2004, the would need to disclose valid identification. Vi- governor of Utah signed the nation’s first anti- olators could be fined up to $3 million. On Oc- spyware legislation. The Spyware Control Act tober 5, 2004, the House voted to pass the bill prohibits the installation of software without the and referred it to the U.S. Senate. user’s consent, including programs that send The Internet Spyware (I-SPY) Prevention personal information. Under this law, only busi- Act of 2004 (H.R. 4661) was introduced in the nesses are given the right to sue. This has result- House on June 23, 2004. This bill amends the ed in the view that the Utah law was drafted to INFORMATION SYSTEMS MANAGEMENT 47 SPRING 2005 SECURITY, ETHICS, AND LEGAL ISSUES

protect businesses and not the privacy of indi- or affecting commerce.” The FTC alleges that vidual consumers. Spyware is indeed a major these defendants engaged in an unfair and de- concern for businesses. If customer informa- ceptive practice by downloading spyware onto tion is stolen from a firm’s system, that firm the computers of consumers without advance may be liable under data protection regula- notice or permission. This spyware hijacked tions. However, legislation has yet to be en- consumers’ homepages and search engines, forced. At the time of writing, litigation from presented a torrent of pop-up ads, and installed P rotecting the adware firm WhenU has resulted in a pre- adware and other software programs to cap- consumers’ liminary injunction against it. ture consumers’ Web-surfing behavior. Further, concerns must In California, the governor signed into law the spyware may cause computers to malfunc- the SB 1436 Consumer Protection Against Com- tion, slow down, or even crash. As a result, con- be carefully puter Spyware Act on September 28, 2004. Ef- sumers were compelled to either purchase the balanced fective January 1, 2005, this law prohibits the $30 anti-spyware software sold by the defen- against the installation of software that deceptively modi- dants, for which they received a commission, fies settings, including a user’s homepage, de- or spend substantial time and money to fix beneficial use fault search page, or bookmarks, unless notice their computers. At the time of writing, the of spyware as is given. Further, it prohibits intentionally de- FTC asked a U.S. District Court to issue an or- a legitimate ceptive means of collecting personally identifi- der preventing the defendants from installing spyware and foregoing their proceeds. marketing able information through keystroke-logging, tracking Web surfing, or extracting information Leaving unresolved the question of the le- tool. from a user’s hard drive. 
A consumer can seek gality of pop-up adware, a series of legal cases damages of $1,000, plus attorney fees, per vio- have been settled out of court by Claria Corpo- lation. At the time of writing, Iowa, New York, ration, formerly known as Gator. As many as 13 and Virginia were considering anti-spyware cases were consolidated into one multi-district measures. case. A lawsuit brought by retail florist Teleflo- ra, filed in April 2004, is still pending. Claria Possible Roadblocks to Legislation. was sued for copyright and trademark viola- Passage of legislation has been slow because tions by Hertz, L.L. Bean, Quicken Loans, Six broad legislation could prohibit legitimate Continents, Tiger Direct, UPS, The Washington practices and stifle innovation. Protecting con- Post, Wells Fargo, and others for presenting sumers’ concerns must be carefully balanced competing ads to appear atop or under the against the beneficial use of spyware as a legit- plaintiff’s sites. Claria’s advertisements are in- imate marketing tool. Interactively capturing cluded with free downloads from peer-to-peer behavioral measures provides marketers with applications such as KaZaa. Once downloaded, greater insight and precision, compared to tra- pop-up and pop-under ads appear when users ditional media, to improve product offerings surf or visit specific sites. The terms of the set- and target advertisements to receptive consum- tlements were not disclosed. ers. Furthermore, definitions may be ineffec- The legality of pop-up adware could still be tive upon becoming law because innovation determined through lawsuits. WhenU.com, a occurs so quickly, while the passage of legisla- competitor of Claria, has also been sued by nu- tion is a slower process. The Direct Marketing merous corporations, including 1-800-Con- tacts, Quicken Loans, U-Haul, and Wells Fargo. 
Association has compared the efforts to regu- Unlike Claria, WhenU.com was not able to con- late spyware to those of spam, in that in the ab- solidate its cases. In September of 2003, a fed- sence of effective enforcement, the legislation eral court in Virginia granted WhenU.com’s itself is toothless and may cause harm to legiti- motion for summary judgment against U-Haul, mate businesses. the plaintiff. The court stated that WhenU.com did not commit copyright infringement, nor Federal Litigation did they infringe on the trademarks of U-Haul. In the first spyware case brought by the FTC, Moreover, the pop-up advertisements, al- Federal Trade Commission, Plaintiff, v. Seis- though annoying, were permissible because mic Entertainment Productions, Inc., Smart- end users consented to installation in the EU-LA. Bot.net, Inc., and Sanford Wallace, on October U-Haul has appealed the ruling. In November 12, 2004, the defendants were charged with of 2003, a federal court in Michigan denied a unfair acts and practices in violation of Section motion for summary judgment by the plaintiff 5(a) of the FTC Act, 15 U.S.C. § 45(a), which Wells Fargo, concurring with the reasoning in outlaws “unfair or deceptive acts or practices in the U-Haul ruling. Conversely, in December 48 WWW.ISM-JOURNAL.COM SPRING 2005 SECURITY, ETHICS, AND LEGAL ISSUES

2003, a New York federal court granted 1-800- References Contacts’ motion for a preliminary injunction Baker, T. (2003). Here’s Looking at You, Kid: How to prevent WhenU.com from serving ads until to Avoid Spyware, Smart Computing, 14(9): resolution. The court also found there was 68–70. trademark infringement. The court maintained Bloustein, E. (1964). Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser. NYU Law that WhenU.com deceptively used the trade- Review, 39:962–1007. mark of the plaintiff to trigger a WhenU.com egislating FTC (2004a). Prepared statement of the Federal L application to serve an ad. WhenU.com is ap- Trade Commission before the Committee on spyware is pealing this ruling. Energy and Commerce, Subcommittee on difficult Commerce, Trade, and Consumer Protection, United States House of Representatives, CONCLUSION because the Washington, D.C., April 29, 2004, The ethical and legal concerns associated with definition of http://www.ftc.gov/os/2004/04/040429spyware spyware call for a response. The form of that re- spyware is testimony.htm, visited December 9, 2004. sponse will ultimately be determined by users, FTC (2004b). Conference: Monitoring Software on vague. organizations, and government action through Your PC: Spyware, Adware, and Other Software, their assessment of the ease and effectiveness April 19, 2004, www.ftc.gov/bcp/workshops/ of the various approaches to battling spyware. spyware/index.htm, visited December 9, 2004. Do the various software tools currently avail- FTC (2004c). Spyware Poses a Risk to Consumers, able satisfy users by allowing them to enjoy the April 29, 2004. use of their own computing resources, while http:www.ftc.gov/opa/2004/04/spywaretest. affording protection against concerns raised? htm, visited December 9, 2004. Federal Trade Commission, Plaintiff, v. Seismic Will industry self-regulation be effective? 
Will Entertainment Productions, Inc., user protests ultimately be so strong as to lead SmartBot.net, Inc., and Sanford Wallace, to legal legislation? While the concerns associ- Defendants., United States District Court, ated with the presence of spyware are clear, District of New Hampshire, FTC File No.: legislating spyware is difficult because the def- 042 3125, www.ftc.gov/os/caselist/0423142/ inition of spyware is vague. Some spyware in- 0423142.htm, visited December 9, 2004. stallers have contended they have been Gomes, L. (2004). Spyware Is Easy to Get, Difficult unfairly targeted. A balance must be found be- to Remove, Increasingly Malicious, Wall Street tween the legitimate interests of spyware in- Journal, 12 July: B1. stallers, who have obtained the informed Liston, T. (2004). Handler’s Diary July 23rd 2004, SANS, http://isc.sans.org/diary.php?date=2004- consent of users who accept advertisements or 07-23&isc=00ee9070d060393ec1a20ebfef2b48 other marketing devices in exchange for free b7, visited December 9, 2004. software, and users who are unwitting targets. LoVerso, J.R. (2004). Bust Banner Ads with Proxy Currently, there is no widespread awareness or Auto Configuration, www.schooner.com/~ understanding on the part of users as to the ex- loverso/no-ads, visited December 9, 2004. istence of spyware, its effects, and what reme- Richmond, R. (2004). Network Associates to Attack dies are available to defend against its Spyware with New Products, Wall Street installation or removal. As the prevalence of Journal, 22 January: B5. spyware continues to increase, the views of us- Stead, B.A. and J. Gilbert (2001). Ethical Issues in ers regarding the acceptability of spyware will Electronic Commerce, Journal of Business ultimately drive the resolution of concerns. ▲ Ethics, November: 75–85. Urbach, R.R. and G.A. Kibel (2004). 
Adware/Spyware: An Update Regarding Pending Editor’s Note: The review process for this arti- Litigation and Legislation, Intellectual Property cle was conducted by the Editor-in-Chief, be- and Technology Law Journal, 16(7):12 f. cause the first author on this paper served as Warren, S.D. and L.D. Brandeis (1890). The Right of Guest Editor for the themed articles in this is- Privacy, Harvard Law Review, December: 193– sue. 220.

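The hosts-file and proxy auto-configuration (PAC) blocking techniques described earlier in the article, as an added example that is not part of the original paper or of LoVerso's no-ads script: a minimal PAC function beside a hosts-file lookup, showing why hosts entries can only block a whole host while PAC rules can single out individual pages. The host names, block patterns and proxy port are constructed for illustration, and shExpMatch is a stand-in for the helper browsers normally provide to PAC scripts.

```javascript
// Added example, not from the article: a minimal proxy auto-configuration
// (PAC) script of the kind the text describes, next to a hosts-file lookup,
// to show why PAC rules can be page-level while hosts entries are host-level.
// The hosts content, block patterns and proxy port are constructed.

// Constructed hosts-file content: each name resolves to the local host, so
// the whole site becomes unreachable, whatever page path is requested.
const HOSTS_FILE = `
127.0.0.1 localhost
127.0.0.1 ads.example.net      # blocks the entire ad server
127.0.0.1 tracker.example.org
`;

// Parse "address name [name ...]" lines, ignoring blank lines and # comments.
function parseHosts(text) {
  const map = new Map();
  for (const raw of text.split("\n")) {
    const line = raw.split("#")[0].trim();
    if (!line) continue;
    const [addr, ...names] = line.split(/\s+/);
    for (const name of names) map.set(name.toLowerCase(), addr);
  }
  return map;
}

// A hosts file can only answer "is this whole host redirected to localhost?".
function hostsBlocks(host, hosts = parseHosts(HOSTS_FILE)) {
  return hosts.get(host.toLowerCase()) === "127.0.0.1";
}

// Stand-in for the shExpMatch() helper that browsers expose to PAC scripts:
// "*" matches any run of characters and "?" a single character.
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// Constructed block patterns. The first covers a whole host (what a hosts
// entry can also do); the other two pick out individual pages or paths on
// sites whose remaining pages should stay reachable.
const BLOCK_PATTERNS = [
  "*://ads.example.net/*",
  "*://www.example.com/banners/*",
  "*://news.example.com/*/popup.html",
];

// The entry point a browser calls for every URL. A matching request is sent
// to a proxy address on the local host where nothing listens, so it fails
// instead of loading (LoVerso's technique); everything else goes DIRECT.
function FindProxyForURL(url, host) {
  for (const pattern of BLOCK_PATTERNS) {
    if (shExpMatch(url, pattern)) return "PROXY 127.0.0.1:3421";
  }
  return "DIRECT";
}
```

Current browsers strip the path and query from https:// URLs before calling FindProxyForURL, so page-level patterns are only effective for http:// requests; host-level patterns work for both.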
INFORMATION SYSTEMS MANAGEMENT 49 SPRING 2005