Spyware and the law
Published: 04 Nov 2004 17:08 GMT
The media is full of spyware stories. It covers a multitude of sins, threatens consumers and businesses alike and is constantly changing. It has a mysterious title, and fits in (at least vaguely) with this year's focus on the surveillance society (RFID, identity cards et al). At the heart of the story is the question – who owns (and controls) a user's PC?
The general risks posed by the spyware invasion are well publicised: industrial espionage, identity theft, abuse of credit card and bank information, unauthorised use of PC resources and bandwidth, system instability (and the time and effort involved in fixing these problems) and delivery of inappropriate content. Until recently, the legal issues raised by spyware attracted little comment. Now the problem is so widespread that there is a growing call for governments to take positive action to help protect citizens.
This article considers the scope of terms like spyware and adware and considers how far these phenomena are already addressed by UK law. It concludes with some practical advice on steps businesses can take to limit their exposure to the risks posed by these applications.
What's in a name?
The first real problem with spyware is understanding exactly what it is. User confusion is itself a large part of the problem. Other names for spyware, or categories of spyware, include adware, snoopware, scumware, foistware, pestware and trespassware.
While many of the applications in these categories share some characteristics, there are some significant differences. In order to analyse the legal implications of these applications, it is essential to be clear exactly what we are talking about.
Technology law in the EU is generally drafted to be "technology neutral" meaning it relies on very broad, general definitions. While it would be easier to interpret if it was more specific, it would quickly become obsolete. Technology specific definitions would also mean it was easier for developers to produce applications that fell outside the strict letter of the law.
For the sake of argument, we'll start with a working definition that says the main features common to all spyware are that it:
- is installed without the user's full knowledge;
- cannot be easily uninstalled or disabled;
- covertly transmits information about the user's activities to a remote host
The next part of our analysis splits spyware into two main camps. First, those applications that are a sub-set of spyware being, malware (malicious code). Malware includes viruses, worms and Trojans. A defining characteristic of malware is that it is intended to cause harm or be otherwise used for criminal purposes.
Examples of spyware in this category are keystroke loggers, password sniffers, spam launchers, remote access tools (RATs) and screen capture utilities. We’ll call this "mal-spyware".
Previous
Did you find this article useful?
345 out of 667 people found this useful
- Share this article:
Full Talkback thread
2 comments
