Jun 22, 2020
Spyware: Looking Out for Consumers By John Lawford and Dan McConville Public Interest Advocacy Centre 1204 – ONE Nicholas St. Ottawa, Ontario K1N 7B7 June 2006 With Funding from Industry Canada
Copyright 2006 PIAC
Contents may not be commercially reproduced. Any other reproduction with acknowledgment is encouraged.
The Public Interest Advocacy Centre
(PIAC) Suite 1204
ONE Nicholas Street Ottawa, ON
Canadian Cataloguing and Publication Data
Lawford, John McConville, Daniel
Spyware: Looking Out for Consumers
Executive Summary Spyware is essentially software that limits users’ control over their computers, and often is installed surreptitiously. Historically much of this type of software tracked users’ online behaviour and delivered pop-up advertising, leading to the label “spyware”. Its association with pop-up advertising and its difficult uninstall methods soon led to its reputation as an Internet scourge. “Spyware” as a broad category now includes many behaviours beyond spying, from the more ‘innocent’ displaying of advertisements right through to the delivery of viruses allowing for the remote control of the user’s computer. Over the last few years, spyware infection rates rose dramatically until their peak in late 2004. While there was a reduction in spyware installation rates between late 2004 and late 2005, likely due to Windows security patches, consumer education and advancements in anti-spyware software, infection rates again are climbing to near-record levels in the first quarter of 2006.
This trend is a serious threat, since spyware lowers consumer confidence in e-commerce, costs consumers tremendous amounts of time and money, and threatens governments and corporations with the possibility of large-scale security vulnerabilities. Spyware is also responsible for an increasing amount of service calls and computer crashes each year.
Extreme spyware activities likely violate several Canadian laws, including consumer protection legislation, PIPEDA, Criminal Code provisions, the Competition Act and the common law tort of trespass to chattels. However, neither remedies currently available to individual users nor deterrents to spyware producers are sufficient to address the problem. While intentionally deceptive or misleading installations are likely caught by several statutes, it is often selectively omitted information, rather than outright deceptive statements, that characterize the spyware installation process. It is uncertain if these more common behaviours are actionable, despite the fact that a large majority of computer users report having no knowledge of the software in question, or how it was installed. Government actors in Canada are not actively pursuing any enforcement activities against spyware companies on their own initiative at the moment.1 This is likely due to a lack of resources or a view that spyware regulation does not fit the specific department’s mandate.
1 Note that the Canadian Internet Policy and Public Interest Clinic, together with the U.S. Center for Democracy & Technology filed parallel complaints with the Canadian Competition Bureau and U.S. Federal Trade Commission over the activities of one spyware operator and affiliated companies in November 2005. See CIPPIC and CDT Press Release at; http://www.cippic.ca/en/news/documents/Media_Release_Spyware_Complaint_Nov_3_2005.pdf
In this environment a legislative response may be necessary, but there is a major difficulty in regulating spyware: its lack of a cohesive definition. Any definition based on post-installation behaviours will ultimately leave significant discretion and potentially create unintended liability, because spyware behaviours can almost always have legitimate purposes in other contexts. Because of this limitation, the most appropriate legislative response should target the installation procedure, and require specific disclosures for potentially unwanted software behaviours that inhibit user control. This strategy will lead to a spyware definition built around the consent of the user, avoiding the need to outlaw specific software functionality and clarifying the emerging software installation regime.
Further regulation can rein in absurdly large affiliate networks, prevent the
targeting of children to obtain installations, and perhaps pressure advertising companies to exercise more due diligence in controlling where their advertisements are displayed. Uninstall requirements could also be established, to eliminate misleading or ineffective uninstall procedures.
Critics of spyware regulation state that regulating bad actors on the
Internet is impossible due to jurisdictional issues, or that additional notice will not affect user behaviour. Furthermore, legitimate software vendors likely fear overly broad legislation that could lead to unintended liability. While jurisdictional problems will always stand in the way of effective Internet regulation, this concern should not prevent spyware regulation since many large, established companies engage in spyware practices. These corporations can certainly be regulated with some success. The concern over additional notice similarly should not prevent regulation. While the relationship between notice and user behaviour may be questionable, uncertainty should not prevent legislators from establishing baseline standards to protect the public. Finally, legislation could be drafted in such a way as to minimize compliance efforts by legitimate software vendors, since most legitimate software will not engage in ‘potentially unwanted’ software activity. Generally any software that allows the user to control it will not be affected by legislation, and the vast majority of legitimate software allows the user to do so.
While US government actors have been criticized for their slow progress
in tackling the threat posed by spyware, the Canadian government has done little concrete to date. Spyware nonetheless has been harming Canadian for several years and this inaction is becoming noticeable. Parliament should immediately determine which department is responsible for enforcing laws against spyware activity, and allocate the necessary resources to investigate and prosecute offenders. Spyware legislation, focused on the installation procedure, can then be introduced to aid in the fight, ensuring a strong reaction to the problem while minimally burdening legitimate software vendors.
While spyware has highlighted the need for clearer rules in software installation procedures, regulation of spyware should be viewed with a greater goal in mind: a stronger statement of users’ rights over their computers. Users should always be presumed to desire complete control over their computer, and any attempt to limit that control through the installation of software should be done in a transparent fashion that requires fair and obvious consent. This report therefore makes recommendations for a multi-facted approach to controlling spyware that includes regulation of certain aspects of spyware. In particular, this report recommends the following:
• Give a clear mandate and allocate resources towards the department best able to handle spyware complaints and enforce current laws against spyware activity.
• Enforce current consumer protection and competition laws against companies who engage in the worst spyware activity.
• Continue and strengthen consumer education initiatives regarding spyware, accentuating:
o Only download from websites you trust; o Update your operating system software; o Install a trusted anti-spyware solution.
• Build support in the software community for clearer rules of installation for potentially unwanted software.
• Develop initiatives towards more accountability in the advertising industry, clarifying how advertising money gets to spyware distributors and what advertisers, advertising companies and brokers can do about it.
• Introduce spyware-specific legislation that: o Creates liability for software producers for the actions of their
affiliates; o Clarifies the rules of installing potentially unwanted software by
creating clear disclosure requirements; o Creates a higher threshold of consent for software installations
than simple contractual consent, namely “fair and obvious” consent;
o Creates a private right of action, with statutory damages, for unwanted installations of spyware;
o Specifically empowers an agency with spyware enforcement and permits that agency to cooperate with foreign counterparts
o Regulates the practice of targeting software installations towards children;
o Requires standard uninstall procedures for all software; o Contains exemptions for operating systems.
Although spyware appears to be on its way to becoming a fact consumers are resigned to, the truth is that the dangers of its unchecked growth are too large to
ignore and the options for slowing its growth are both possible and not overly onerous. This report is a call to action on the part of consumers, governments and industry to work together to ensure consu