
Compliance Toolkit

Spyware and the law

Simon Briskman and Mark Smith, Olswang

Published: 04 Nov 2004 17:08 GMT


The Information Commissioner's most powerful weapon against adware is the Privacy and Electronic Communications Regulations 2003.

When the Regulations came into force, much of the emphasis was on the implications for spam and cookies. The Information Commissioner has made it clear that certain provisions will also catch spyware.

The Regulations state that information must not be stored or accessed on a user's equipment unless the user is (a) given clear and comprehensive information about the purpose of the storage of, or access to, that information; and (b) given the opportunity to refuse the storage of or access to that information. While the CMA is a more suitable route for mal-spyware (because the penalties are more severe), the Regulations give a clear opportunity for action against adware. Where loss has been suffered there is a right to bring a civil claim under the Regulations and the Information Commissioner can also use his powers under the DPA to enforce the Regulations.

Practical obstacles to tackling spyware
Relative to some other jurisdictions, the UK appears well equipped with legislation to deal with spyware. In practice, however, there are a number of barriers to overcome, depending on the remedy being pursued. It is worth noting that in all cases, if any of the parties involved is offshore, the matter will become significantly more complex.

If the matter is a criminal one, the technical complexity of the cases, coupled with the need to prove a case beyond reasonable doubt, may mean the authorities are reluctant to pursue the matter (as they may not be confident of success). Regulatory intervention may prove easier, but as with law enforcement, the authorities have only a limited amount of resource and will need to prioritise the cases they investigate.

In a civil claim, first, the user needs to show loss. If claiming damages for loss of system stability, resource or bandwidth usage, this can be notoriously difficult to prove from a legal standpoint. Second, the loss needs to be significant enough for a user to go to the time, effort and expense of bringing proceedings. Third, finding who to bring the action against may prove very complicated. A huge range of parties may be involved in the propagation of spyware, from the adware developer, to the distributor of the software bundled with the adware, to the online advertising company using the software, to the organisations that utilise the software and use the data it transmits. Finally, one user of a PC may have downloaded the software, while a different user suffers the loss. Things become more complex if a child is one of the home users involved, or on a corporate network where the organisation has a different tolerance for spyware from the individual user.

We will need to watch this space to see how the case law develops in this area, but the prevalence of spyware suggests that despite the practical problems outlined above, we wouldn't bet against seeing some court action soon.
