Compliance Toolkit

Spyware and the law

Simon Briskman and Mark Smith Olswang

Published: 04 Nov 2004 17:08 GMT

There is also legislation emerging at state level. The first anti-spyware laws were introduced in Utah, but are currently suspended due to allegations that they are unconstitutional. California is not far behind with SB 1436, the Consumer Protection Against Computer Spyware Act, and New York also has legislation pending. Commentators vary over the need to supplement the existing computer misuse law at national level, but it seems that the risk of introducing differing protections at state level may push the Senate towards finalising federal law.

UK legal position: computer misuse
There is an assumption that back home in the UK, the issue of spyware isn't yet on the legislators' radar: in fact, the situation is very different. Looking first at mal-spyware, the broad wording of the Computer Misuse Act 1990 (CMA) does a good job of coping with this threat. The CMA creates offences of unauthorised access to programs or data, unauthorised access with intent to commit a further offence, and unauthorised modification of data. Between them, these offences will catch most mal-spyware, primarily because of the wide definitions of terms like "access". In practice, as with many computer misuse issues, mal-spyware may prove difficult to stop. The high standard of proof required for criminal cases combined with the problems of crime detection and identification of the perpetrator (especially where the crime crosses national borders) and the limited resources of the specialist computer crime authorities mean the number of successful prosecutions is likely to remain low.

The recent All Party Internet Group Report on Computer Misuse (to which Olswang contributed) indicated that they felt the CMA covered mal-spyware and did not believe that the CMA should be extended to cover adware. The group went on to suggest that Ofcom (the communications regulator) should address this topic by educating users, working with the DTI to ensure sufficient consumer protection legislation and by working with software developers to create a code of practice.

Data protection issues
Putting mal-spyware on one side (on the basis that it falls within the scope of the CMA), the more complex issue is how English law treats adware. One of the key issues is the nature of consent. Much adware is bundled with other software applications (often freeware or shareware) or downloaded covertly ('drive-by downloads'). There is often a crude form of clickwrap software licence that users will need to accept before installing the application. Organisations using the software will assert that accepting this licence constitutes user’s consent.

This practice may be sufficient to ensure that a court cannot find beyond reasonable doubt that the software is accessing the user’s machine or data without "authority" (and therefore will avoid the risk of a CMA prosecution). However it is less clear whether this constitutes sufficient consent for other areas of the law, particularly as the wording of the licence may be complex or unclear.

Indeed the All Party Internet Group suggested that the Data Protection Act 1998 (DPA) would be another possible legislative tool that could control spyware. Even if the initial capture of personal data using adware was lawful, the organisations subsequently using that data will need to ensure that their use complies with the DPA principles. The concept of informed consent is important from a DPA perspective, and transparency is key to the spyware issue. If users knew what applications they were loading onto their machines, and what these applications did (and could therefore give or refuse their informed consent) many of the adware industry's problems would be solved.