What not to "ware": as Congress struggles against spyware, the FBI develops its own.
Most computer users have heard the term "spyware," but few understand the scope of the threat it poses. (1) Spyware can end up on a user's computer with little warning, or sometimes with no warning at all. (2) Spyware can gather information on the user's web browsing habits, harvest credit card numbers, or simply slow the computer to a halt. (3) Thus, it is not surprising that Congress has taken up the cause of combating spyware, (4) although the issue has resulted in much legislative hand wringing. (5)
While the federal government has been trying to stop this kind of spyware in its tracks, however, it has also been developing some spyware of its own. (6) Imagine receiving the following warning from your computer's security software: (7) "Spyware detected! Source: US Government." Or, even more disconcertingly, imagine that your security software did not detect such a program, yet federal agents had installed one surreptitiously and were able to monitor your every digital move. (8)
Although this software can be highly useful for catching tech-savvy criminals, (9) such surveillance techniques pose many questions. Some have questioned the propriety of the government's involvement in the creation and use of spyware, especially the potential exploitation of computer security loopholes. (10) It is also possible that the government may try to convince Internet security companies to create back doors in their software for government spyware, or at least whitelist the software so that users will not find it. (11) Even the classification of various technologies as "spyware" or "fedware" is a contentious process, (12) as exemplified by the debate over pending federal legislation against spyware. (13)
This note will illustrate how the FBI has deftly turned spyware technology to its own advantage, while Congress has struggled to keep up with technological trends. It will also discuss the proliferation of "wares," provide examples of government spyware or "fedware" and their policy implications, and offer recommendations on the pending federal legislation that would regulate spyware.
II. A CATALOG OF "WARES"
The suffix "-ware" has proven popular in fashioning monikers for new breeds of questionable or malicious software and Internet technology. (14) Besides the term "spyware," other potentially less familiar terms include "adware," (15) "pestware," (16) "malware" (17) "fedware," (18) "policeware," (19) "greyware," (20) "stealware," (21) "scumware," (22) "snoopware," (23) and even "iMalware." (24) Many of these terms overlap as well. (25) Indeed, a large part of the problem in addressing Internet security threats like spyware stems from the difficulty of categorizing various technologies. (26) In addition, the name of a "ware" can refer to the purpose of the technology, the techniques it uses, or both. This proliferation of "wares" in computer and Internet jargon necessitates some elucidation in order to highlight the significance of government spyware.
The simplest definition of adware is software that delivers advertising. (27) Illustrating the lack of precision in "ware" definitions, however, some have defined adware as involving surveillance of an Internet user's browsing habits to facilitate the delivery of advertising content. (28) However, the Anti-Spyware Coalition (ASC) (29) indicates that not all adware necessarily includes surveillance: "[m]any [but not all] adware applications also perform tracking functions ..." (30) Depending on the method used to deliver advertising content, this kind of "ware" can be the least offensive. (31)
A common example of relatively innocuous adware is the link that appears in the upper-right corner of Adobe Reader 7.0.9. (32) It urges the user to "Download New Reader Now;" arguably this is merely an ad for a new version of the software that the user is already using, which is likely to enhance the user's experience at no extra charge. The ads that appear in the e-mail client Eudora are another example. These ads include products not specifically offered by the maker of Eudora, which arguably represents a slightly higher level of intrusion on the user's experience. (33)
Adware is sometimes considered less offensive than other "wares" because a user may have "consented" to its installation. (34) In addition, when software makers "bundle" adware with their programs, the advertising revenue from the adware can help offset the cost of the primary program, and in some cases this can make the primary program available for free. (35) In this sense, the advertising is part (or all) of the "cost" of the program, much like advertising on television. Thus, adware is primarily commercially driven, and when it merely displays advertisements within a desired program's window without conducting surveillance of the user's computer habits, it is perhaps the least malicious "ware."
However, the term "adware" is seldom used to describe only this minimally intrusive form of advertising (36) (that is, true user consent to the ads, which exert minimal control over computer use and appear only within the current program window). The term "adware" is sometimes used interchangeably with "spyware" because many adware programs monitor users' Internet browsing habits in order to conduct "contextually based marketing," (37) and in these cases, the two terms overlap. (38) An example of the conflation of these two "wares" is Ad-Aware, a popular anti-spyware/antiadware product whose name is a play on the term "adware," but its maker, Lavasoft, bills itself as "the original anti-spyware company." (39)
Many different definitions of "spyware" exist. In the Internet context, one definition is "[a]ny software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes." (40) The Anti-Spyware Coalition lumps spyware together with "other potentially unwanted technologies" and defines them as
[t]echnologies deployed without appropriate user consent and/or implemented in ways that impair user control over: Material changes that affect their user experience, privacy, or system security; Use of their system resources, including what programs are installed on their computers; and/or Collection, use, and distribution of their personal or other sensitive information. (41)
In the commercial context, the information gathered usually consists of the user's Internet browsing habits, which marketers can use to deliver targeted advertisements. (42) This form of spyware is responsible for the dreaded pop-up windows, (43) redirecting of browser clicks, changed home pages, (44) and other behaviors that plague many (if not most) web users' experiences. (45)
However, spyware is not limited to this functionality; various kinds of spyware can also capture users' personal information (46) or, in the case of keyloggers, every keystroke that the user enters, (47) and some programs can reinstall themselves after the user attempts to delete them. (48) Thus, it is important to separate the technology from the purpose for which it is used. Each of these capabilities has both legitimate and objectionable uses. When this technology is put to harmful use, it falls into the broader category of "malware," a category that includes other harmful software such as Trojans, viruses, and worms. (49)
Spyware has other uses beyond aggressive commercial marketing. Some spyware can be used for stealing personal information such as credit card information and Social Security numbers, in which case it has the same goal as phishing. (50) In these cases, the technology's goal is to facilitate identity theft, rather than to discover marketing information. Individuals have also used spyware to investigate others, such as tracking the communications of a spouse suspected of infidelity. (51)
Spyware or adware installation methods vary. Some adware and spyware is "bundled" with other software that a user downloads or buys, (52) and in many cases, the full extent of the software's activity is only vaguely referenced in the End User License Agreement (EULA) or is buffed in free print. (53) Other spyware "tricks" the user into installing it through deceptive browser pop-up windows. (54) Another method of delivering spyware or adware is by attaching it to a deceptive e-mail and relying on the unwitting recipient to open the attachment, thereby inadvertently installing the program, much like some viruses, Trojans, and phishing scams. (55) An even more insidious form of installation is the "drive-by download," in which malware is installed simply upon visiting a given web page. (56) The variety of propagation methods, while troublesome, is also a testament to the ingenuity of spyware makers.
Continuing the trend of using "-ware" to describe emergent Internet technologies, "spyware" developed or used by law enforcement agents has been called "fedware" (57) or "policeware." (58) The following sections describe two relatively old technologies that might be described as fedware, and a newer program that surfaced recently.
Carnivore is an FBI-created "packet sniffer": essentially, an Internet version of a wiretap that reads and filters IP packets. (59) It is an outgrowth of an earlier, less content-discriminating project called Omnivore, which the FBI started in 1997. (60) Carnivore was unveiled in 2000 (61) and runs on a "black box" installed at an Internet Service Provider (ISP). (62) It is capable of monitoring the content of a targeted computer's Internet communications, such as the contents of e-mails or chat room discussions, and it can also be configured to capture only the address information of Internet communications, such as the "to" and "from" fields of e-mail messages or the addresses of websites visited. (63) As Professor Orin Kerr has pointed out, the name "Carnivore" sounds alarming, but it was originally intended to reflect the technology's respect for privacy; the tool can be configured to capture only the information within the scope of a given search warrant, a capability the FBI desired but one which was absent from commercially available alternatives at the time. (64)
Among the technologies discussed in this note, Carnivore is perhaps the least similar to the popular conception of "spyware" because it is not installed on the user's computer. (65) As such, it is "fedware" only in that it was created by the FBI. This early version of "fedware" has reportedly been abandoned in favor of commercially available software. (66)
2. Magic Lantern
Magic Lantern, a keylogging software program created by the FBI, (67) publicly surfaced in 2001. (68) Keyloggers offer the ability to defeat password-based encryption by recording every keystroke of the user, thereby recording users' passwords as they are typed. (69) But, because they record every keystroke, they can also record the contents of local documents as they are typed, as well as electronic communications such as e-mail and instant messaging. (70) Both hardware (71) and software (72) versions of keyloggers exist. The hardware versions usually require physical attachment to the suspect's computer, which can be more intrusive, (73) making them less convenient for FBI investigations. (74) One of Magic Lantern's main advantages is that it can be deployed remotely through a deceptive e-mail message, without physical access to the suspect's computer. (75)
Like Carnivore, Magic Lantern could also be classified as "fedware" in that it is FBI-created surveillance software. (76) However, Magic Lantern also fits the "spyware" aspect of "fedware" because it is delivered secretly or deceptively to the suspect and runs on the suspect's computer. (77)
The most recent example of fedware is CIPAV, the Computer & Internet Protocol Address Verifier. (78) In response to an FBI request, (79) on June 13th, 2007, the United States District Court for the Western District of Washington issued a search warrant to deploy CIPAV in an ongoing investigation. (80) The FBI then used this new tool to discover the identity of a student who was sending bomb threats to his high school. (81)
According to the FBI affidavit, every day from June 4th through June 8th, 2007, Timberline High School in Lacey, Washington, received bomb threats from various e-mail accounts, (82) resulting in school evacuations on each day. (83) The e-mails taunted the police, claiming that the messages could not be traced. (84) Investigations into the source of the e-mail messages seemed to hit a dead-end in two compromised Italian computers, (85) but the individual inadvertently offered the FBI a novel way to track him down. Students at the school began to receive demands from the MySpace (86) profile of "Timberlinebombinfo" to post a link to "http://bombermails.hyperphp.com" on their own MySpace profiles. (87) The FBI reasoned that the administrator of the "Timberlinebombinfo" MySpace page was likely the same person who sent the threats. (88) The FBI agents obtained judicial consent to deploy CIPAV to the computer of the MySpace page's administrator to determine his or her identity. (89)
CIPAV enabled the FBI to locate the computer used to administer the MySpace page, which belonged to a fifteen-year-old Timberline High School student. (90) The student pied guilty to two counts of making bomb threats to a school, "one count of felony harassment[,] and three counts of identity theft." (91) Ultimately, he was sentenced to 90 days of juvenile detention and had to pay $8,852 in restitution to the school system. (92)
While the CIPAV technology used in the investigation remains classified, (93) commentators have categorized CIPAV as "spyware." (94) Perhaps the greatest advantage of this program is its surreptitious remote installation feature; the affidavit indicates CIPAV was "deployed through an electronic messaging program from an account controlled by the FBI." (95) This wording might indicate that CIPAV was delivered to the target computer through an e-mail message, (96) through MySpace's instant messaging system, or another web-based messaging system, (97) but it could also have been delivered through some other computer vulnerability. (98)
Commercial and other forms of spyware also use these methods, which bolsters CIPAV's classification as spyware. (99)
However, it is unclear why the target computer did not detect CIPAV. If the program was deployed through a security vulnerability known generally within the computer industry, the computer's security software would have detected CIPAV. (100) If the target computer did have security software installed, (101) two possibilities arise: (1) the FBI convinced security software companies to "whitelist" CIPAV, (102) or (2) the FBI discovered and exploited a computer vulnerability unknown to the public. (103)
According to the affidavit, CIPAV operates on the target computer like spyware. For instance, after being installed on the user's computer, CIPAV "conduct[s] a one-time search of the [user's] computer" and captures information that helps the FBI uniquely identify that computer. (104) CIPAV attempts to collect the computer's IP address, which an Internet Service Provider uses in order to identify its various customers and connect them to the Internet. (105) It may also gather the computer's currently logged-in user name, a list of running programs, or other similar information. (106) After collecting this data, CIPAV forwards the information to an FBI computer in Virginia. (107) CIPAV then switches to a pen register mode, recording the destination and routing information (but not the contents) of electronic communications from the user's computer. (108) All these features raise the specter of "government spyware": for example, the installation and execution of CIPAV could constitute a "material change" that affects the user's "experience, privacy, or system security" under the ASC's definition of "spyware". (109)
Nonetheless, CIPAV appears to be an ingenious tool for determining the location of computers likely involved in crimes, despite its spyware-like behaviors. Continuing in the tradition of prior tools like Carnivore (110) and Magic Lantern (111), new variations on this technology (112) will likely be used to address new problems, (113) although it is unclear whether the public will learn the full details of CIPAV. (114)
III. THE POLICY IMPLICATIONS OF FEDWARE
Fedware programs like Magic Lantern, Carnivore, and CIPAV have caused controversy. Some have argued that the government should not be involved in writing code that exploits Windows and other operating system vulnerabilities; they claim it is an unacceptable use of taxpayer money or that hackers may capitalize on the vulnerabilities exposed and exploited by government spyware. (115) Certainly, it would seem the government has an incentive not to use widely available software to conduct its surveillance because such software may already be recognized and defeated by existing anti-spyware and anti-virus software. In fact, some have pointed out that even government-created programs like Magic Lantern (and indeed all fedware) could be detected by security software. (116)
Wanting to avoid spyware defenses raises an unseemly possibility: the government might try to pressure security software companies into whitelisting fedware so that it would not be detected by suspects' computers. (117) In one survey, thirteen major anti-spyware vendors all denied ever having cooperated unofficially with government agencies, although some indicated they would comply if ordered by a court. (118) Yet this is an unlikely threat. Even if the government could persuade major companies to whitelist their surveillance programs, those who want to defeat fedware could turn to open-source security programs, which are much less likely to whitelist government surveillance software. (119)
Although the term "fedware" can describe government-developed spyware, the term also applies to software created by third parties when put to use by the government. Fedware in those cases is less objectionable. For instance, the commercially available tool EtherPeek performs tasks very similar to Carnivore but has more features. (120) The use of commercially available tools by the government within the scope of a valid warrant is less offensive because it does not require spending taxpayer money on discovering and exploiting computer vulnerabilities. In fact, it is worth noting that in the case of Carnivore, the government was actually attempting to create a program that was more respectful of privacy rights than what was commercially available at the time, and that the program was later abandoned, presumably when commercial tools improved. (121)
Fedware is not likely to go away any time soon. Indeed, the federal government will most likely continue to try to find a balance between using commercial tools and developing their own. Ultimately, the federal government must walk a fine line as its agents pursue the technology-savvy criminals of tomorrow.
IV. CONGRESS' STRUGGLE AGAINST SPYWARE
A. Proposed Federal Laws
While law enforcement officials have been finding innovative ways to employ surveillance software against criminals, Congress has been grappling with how to combat the threat to the public posed by spyware. (122) Federal legislation has some advantages over a state-by-state solution to spyware. For example, a federal law could provide a uniform national standard of permissible activity for the authors and purveyors of spyware and adware. (123) However, a new law has yet to pass both houses because of disagreement between the members of the industry and agencies like the FTC. (124) Nonetheless, it is noteworthy that all three bills apparently would permit the continued creation and use of fedware through exemptions for law enforcement. (125)
1. SPY ACT
The SPY ACT appears to tackle the issue of spyware directly by banning a list of "unfair or deceptive acts or practices," (126) such as delivering annoying ads that a user cannot easily close (127) and automatically reinstalling software after a user tries to remove it. (128) The Act would also require that makers of "information collection programs" provide certain kinds of notice to prospective users before the programs are downloaded or installed. (129) The Act would be enforced by the Federal Trade Commission, (130) and it would provide penalties of up to $1,000,000 for each violation of the notice requirements and of up to $3,000,000 for each unfair or deceptive act. (131) It would also preempt similar state laws. (132)
2. I-SPY Act
The I-SPY Act takes a different approach to the problem of spyware: it would extend federal criminal penalties under the Computer Fraud and Abuse Act (133) to "illicit indirect use of protected computers." (134) The Department of Justice, rather than the FTC, would enforce the Act. (135) In addition, the Act would prohibit fewer actions, but those actions would be defined more broadly than those listed in the SPY ACT. (136) One section of the I-SPY Act provides for up to five years of imprisonment, a fine, or both for the use of spyware in furtherance of another federal offense. (137) The Act's other main section provides for up to two years of imprisonment, a fine, or both for the use of spyware to obtain personal information or to impair a computer's security with the intent to defraud, injure, or damage. (138) The Act would also specifically prohibit a person from bringing a civil suit "premised in whole or in part" upon the person's violation. (139)
3. Counter Spy Act
The Counter Spy Act was introduced in the Senate on June 14, 2007 as a hybrid of the two House acts. (140) Like the SPY ACT, it contains a list of "prohibited behaviors." (141) However, the Act also contains criminal penalties that mirror those of the I-SPY Act. (142) Like the SPY ACT, parts of the Counter Spy Act would be enforced primarily by the FTC. (143) The bill, however, also explicitly contemplates enforcement by a variety of other agencies such as the FCC, SEC, state attorneys general, and even private telecommunications carders, depending on the identity of the allegedly infringing party. (144) The criminal portions of the Counter Spy Act, however, would require enforcement by the Department of Justice. (145) In addition, like the SPY ACT, the Counter Spy Act preempts similar state spyware laws. (146)
B. The Proposed Laws Compared
Both the SPY ACT and the Counter Spy Act explicitly prohibit many practices. As a result, the proposals can be criticized as legislating too closely to technology. (147) This legislative approach can be dangerous because technology changes much more quickly than law, (148) and non-harmful programs may validly use certain practices or actions on the list. (149) Not surprisingly, because the SPY ACT contains about twenty prohibitions on specific practices in the first section alone, (150) the Act also requires the FTC to issue guidance to help developers and users understand the Act and avoid violating it. (151) Such guidance, and maybe even the Act itself, would likely require constant updating, (152) since new technologies and harmful uses of existing technology emerge daily. (153)
Although the SPY ACT admirably attempts to alleviate the problem of inadequate user consent to spyware and adware by requiring software to contain certain kinds of notice, problems still exist. It is unclear whether these notice forms can adequately warn ordinary Internet users of the potential harm that downloading and installing certain kinds of software might cause. (154)
Some agencies and industry groups have shown support for the legislation. The Center for Democracy and Technology (CDT) supports all three bills because they attempt to better define illegal practices and increase civil and criminal penalties. (155) CEOs of the Business Software Alliance (BSA) also seem to support the bills, albeit hesitantly; for example, BSA President Robert Holleyman said that both the SPY ACT and I-SPY Act have "good elements." (156)
However, many groups oppose significant portions of the proposed laws. Some groups feel that preemption of state laws would be detrimental to consumers. The CDT opposes federal preemption of state laws, (157) as does the Electronic Frontier Foundation (EFF), which has pointed out that the SPY ACT would preempt some existing state laws that are tougher on spyware than the SPY ACT would be. (158) In a recent Senate hearing on the Counter Spy Act, Harvard professor Benjamin Edelman and the Electronic Privacy Information Center (EPIC) also expressed opposition to preemption of tougher state spyware laws. (159) EPIC cited a case where Washington State obtained a $1,000,000 settlement against one company through the combined use of the state's Spyware Act and other state and federal laws. (160)
The Direct Marketing Association (DMA) and other groups have backed the I-SPY bill, but not the SPY ACT, on the theory that the SPY ACT's definitions of "computer software" and "information collection program" could extend beyond downloadable programs to web pages and thereby interfere with normal browsing activity. (161)
Although some groups and agencies have argued that existing laws and regulations are sufficient when combined with technological advances and industry self-regulation, (162) the continued prevalence of spyware undermines this contention. (163) The FTC has stated that it has sufficient power to take spyware purveyors to court, yet "the agency has only filed a dozen such suits in recent years." (164) Furthermore, the FTC has not instituted any lawsuits under the Safe Web Act of 2006, which was intended to expand the FTC's abilities to fight spyware and other computer threats. (165)
It seems an unlikely argument that, as the FTC has stated, additional legislation will "muddle [the FTC's] ability to go after cyber-criminals when it finds them." (166) Instead, the hybrid solution of the Counter Spy Act could increase available criminal penalties (167) for Department of Justice enforcement and expand the FTC's powers to fight spyware. (168) The hybrid solution also would clarify the parties responsible for spyware and the appropriate causes of action against them, rather than forcing litigants to rely on a hodgepodge of existing federal laws that were not written with spyware in mind. (169) Examples include the current Computer Fraud and Abuse Act, (170) the Stored Wire and Electronic Communications and Transactional Records Act, (171) and the Wiretap Act. (172) Although it would undermine state laws, (173) preemption would ensure that software companies that operate in most or all states have a single, national standard of acceptable behavior. (174) Thus, the best approach is for the Senate to continue to refine and ultimately pass the Counter Spy Act, which would hopefully garner support in the House from those who backed both the SPY ACT and the I-SPY Act. With this combination of enhanced criminal penalties and a national standard of disclosure requirements and prohibited behaviors, the spyware threat can be diminished significantly, although constant updates may be necessary as technology advances.
Industry experts and purveyors of malware will always be several steps ahead of legislators when it comes to technologies like spyware. Whereas agencies such as the FBI can quickly develop and deploy technologies like CIPAV to catch tech-savvy criminals, Congress can take many years to provide legislative solutions to technological problems. If Congress passes the Counter Spy Act, it will have an important new weapon in the fight against annoying and malicious spyware; however, by the time any of the proposed laws are passed, new threats will have arisen. Reports of mobile phone spyware, (175) including the first iPhone Trojan, (176) make it clear that these kinds of threats will only multiply while Congress works toward solutions.
Making Internet computing safer requires the concerted efforts of many parties; local, state and federal legislatures cannot do this alone. The anti-malware industry can address threats like spyware much more quickly and effectively than the government. Thus, more affordable and even free software solutions should be encouraged. Similarly, federal agencies like the FBI should continue developing technical solutions like CIPAV to address cybercrime, as long as they strictly follow the appropriate legal standards. Perhaps most importantly, computer users should educate themselves about safe browsing and computing habits, security software and hardware, and data backup and recovery to ensure a safer online experience.
(1.) See infra note 45.
(2.) See Wayne R. Barnes, Rethinking Spyware: Questioning the Propriety of Contractual Consent to Online Surveillance, 39 U.C. DAVIS L. REV. 1545, 1547 (2006).
(3.) See id. at 1547, 1558.
(4.) See infra note 13.
(5.) For instance, federal legislation against spyware was proposed as early as 2003. See Securely Protect Yourself Against Cyber Trespass Act, H.R. 2929, 108th Cong. (2003), available at http://frwebgate.access.gpo.gov/ cgibirdgetdoc.cgi?dbname=108_cong_bills&docid=f:h2929eh.txt.pdf. At the time of this writing, Congress still has not agreed upon a final version. See infra note 13.
(6.) See infra Part II.C.
(7.) Assuming your computer has security software and that it is up-to-date. According to one study, 87% of Americans believe they have anti-virus software installed on their home computers, and 70% believe they have anti-spyware software installed, yet only 51% of people with anti-virus software had actually received up-to-date virus definitions in the last week, and only 64% had their software firewalls enabled. McAFEE &; NCSA, MCAFEE/NCSA CYBER SECURITY SURVEY 1-2 (2007), available at http://download.mcafee.com/products/manuals/ en-us/McAfeeNCSA_Analysis09-25-07.pdf.
(8.) Presumably within the bounds of a valid search warrant or wiretap order. See infra note 108.
(9.) See infra Part II.C.3. In the summer of 2007, the FBI successfully used such a program to catch a high school student who was e-mailing bomb threats to his school. See Jeremy Pawloski & Venice Buhain, Spyware Helped FBI Track Threats, OLYMPIAN, July 19, 2007, available at 2007 WLNR 13768760.
(10.) See infra Part III.
(11.) See infra Part III.
(12.) See infra note 26 and surrounding text.
(13.) See infra Part IV. As of this writing, Congress is considering three different bills. Compare Counter Spy Act, S. 1625, 110th Cong. (2007) available at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_bills& docid=f:s1625is.txt.pdf (proposing to amend the Federal Trade Commission Act, 15 U.S.C. [section] 45, and regulate a range of conduct, including: (1) prohibiting taking control of the computer, (2) prohibiting modifying computer settings, (3) prohibiting preventing user efforts to block software installation, (4) curbing the installation of personal information collection features on a user's computer, and (5) ending software that causes advertising windows to appear), with Securely Protect Yourself Against Cyber Trespass Act, H.R. 964, 110th Cong. (2007) available at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi? dbname=110_cong_bills&docid=f:h964rfs.txt.pdf [hereinafter SPY ACT] (proposing to prohibit a broader array of behaviors including: (1) unsolicited control of the computer, (2) modification of computer settings, (3) collection of personally identifiable information, (4) removal or disabling of security technology, and (5) transmitting to a protected computer any information collection program) and The Internet Spyware (I-SPY) Prevention Act of 2007, H.R. 1525, 110th Cong. (2007), Available at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname= 110_cong_bills&docid=f:h1525rfs.txt.pdf (proposing to amend the federal criminal code to impose fines and prison terms for obtaining and transmitting personal information (e.g. social security numbers) or intentionally impairing security protection with the intent to defraud or injure).
(14.) The "-ware" suffix has also been used since at least the 1980s to describe many other kinds of information technologies, such as "shareware" and "freeware." See Jim Knopf, The Origin of Shareware, Association of Shareware Professionals, http://www.asp-shareware.org/users/history-of-shareware.asp (last visited Nov. 2, 2008).
(15.) See infra Part II.A for discussion of and definition of "adware." See also Barnes, supra note 2, at 1554 (citing FED. TRADE COMM'N, SPYWARE WORKSHOP--MONITORING SOFTWARE ON YOUR PC: SPYWARE, ADWARE, AND OTHER SOFTWARE (2005), available at http:www.ftc.gov/os/2005/03/050307spywarerpt.pdf).
(16.) See Polly Samuels McLean & Michelle M. Young, SPYWARE: Living in a Cyber-Fishbowl, UTAH BAR J. Mar.-Apr. 2006, at 34 (2006), available at http://www.utahbar.org/barjournal/pdf/2006_march_april.pdf; see also infra note 38 and accompanying text.
(17.) See Barnes, supra note 2, at 1551-52; see also infra note 49 and accompanying text.
(18.) See Declan McCullagh & Anne Broache, Will Security Firms Detect Police Spyware?, CNET NEWS, July 17, 2007, http://www.news.com/ Willsecurity-firms-detect-police-spyware/2100-7348_3-6197020.html; see also infra Part II.C.
(19.) See Jeremy Reimer, The Tricky Issue of Spyware with a Badge: Meet "Policeware", ARS TECHNICA, July 19, 2007, http://arstechnica.com/news.ars/ post/20070719-will-security-firms-avoid-detecting-government-spyware.html; see also infra note 59 ,and accompanying text.
(20.) Webopedia.com, What is Greyware?, http://webopedia.com/TERM/g/ greyware.html (last visited Nov. 4, 2008); see also infra note 49.
(21.) Petteri "dRD" Pyyny, Kazaa, BearShare, Morpheus and LimeWire are Stealing from Websites, AFTERDAWN.COM, Sept. 30, 2002, http://www.afterdawn.com/news/archive/3390.cfm ("[These companies] have secretly bundled a new type of software to their tools, in addition to their existing privacy-violating spyware tools, that can be only described as stealware.").
(22.) Whatis.com, What is Scumware?, http://searchciomidmarket.techtarget. com/sDefinition/0,,sid183_gci970605,00.html (last visited Nov. 12, 2008).
(23.) CTR. FOR DEMOCRACY & TECH., GHOSTS IN OUR MACHINES: BACKGROUND AND POLICY PROPOSALS ON THE "SPYWARE" PROBLEM 2 (2003), http://www.cdt.org/privacy/031100spyware.pdf; see also infra note 47.
(24.) See Thomas Clabum, Adware and Mobile Phone Malware on the Rise, INFORMATIONWEEK.COM, Apr. 3, 2008, http://www.informationweek.com/ news/mobility/messaging/showArticle.jhtml?articleID=207001403 (discussing the "first iPhone Trojan" and the potential for more sophisticated "iMalware").
(25.) See infra notes 35-38 and accompanying text (discussing various "ware" programs).
(26.) Lawsuits have arisen over the classification of a software vendor's product as "spyware." See, e.g., Zango, Inc. v. Kaspersky Lab, Inc., No. C070807, 2007 U.S. Dist. LEXIS 97332 (W.D. Wash. Aug. 28, 2007), available at http://www.scribd.com/doe/265266/zango-v-kaspersky; See Anti-Spyware Vendor Protected by 47 USC 230(c)(2)--Zango v. Kaspersky, http://blog.ericgoldman.org/ (Aug. 29, 2007, 14:08 EST). Zango, an Internet company, sued anti-malware vendor Kaspersky Lab for classifying Zango's software as malware and blocking it. Zango, 2007 U.S. Dist. LEXIS 97332 at * 1-2. The court held that 47 U.S.C. [section] 230(c)(2) (2006), a statute intended to encourage the development of content filtering software, protected Kaspersky from liability as an "interactive computer service" that had made its own subjective decision that Zango's product was "objectionable." Id. at 4-7.
(27.) See ANTI-SPYWARE COALITION, DEFINITIONS AND SUPPORTING DOCUMENTS 5 (2006), http://www.antispywarecoalition.org/documents/ documents/ASCDefinitionsWorkingReport20060622.pdf (defining adware as a "type of Advertising Display Software that delivers advertising content potentially in a manner or context that may be unexpected and unwanted by users.") (emphasis in original).
(28.) See, e.g., Webopedia, What is Adware?, http://www.webopedia.com/ TERM/a/adware.html (last visited Nov. 5, 2008) (defining adware as "[a] form of spyware that collects information about the user in order to display advertisements in the Web browser based on the information it collects from the user's browsing patterns."); see also Barnes, supra note 2, at 1552 ("Adware is spyware ... [used] for marketing purposes.").
(29.) The Anti-Spyware Coalition is "a group dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies," and its members include prominent information technology companies such as AOL, Google, McAfee, and Microsoft. Anti-Spyware Coalition, About ASC, http://www.antispywarecoalition.org/about/ index.htm (last visited Nov. 5, 2008).
(30.) See ANTI-SPYWARE COALITION, supra note 27, at 5.
(31.) See Barnes, supra note 2, at 1552 (characterizing even surveillance-based adware as "arguably more legitimate" than other forms of spyware).
(32.) The most recent version of Adobe Reader can be downloaded from Adobe, http://get.adobe.com/reader/(last visited March 10, 2009); however, the feature described may have been removed or changed in versions subsequent to 7.0.9.
(33.) See Webobedia, The Difference between Adware & Spyware, http://www.webopedia.com/DidYouKnow/Internet/2004/spyware.asp (last visited Nov. 8, 2008) ("You can choose to purchase Eudora or run the software in [free] sponsored mode. In sponsored mode Eudora will display an ad window in the program and up to three sponsored toolbar links.").
(34.) See Barnes, supra note 2, at 1552 ("Another, arguably more legitimate, form of spyware is often referred to as 'adware' ... Notably, adware companies do obtain purported consent from consumers more often than is the case with 'malware' ...").
(35.) See Webopedia, supra note 33 ("Adware is considered a legitimate alternative offered to consumers who do not wish to pay for software.").
(36.) See, e.g., Barnes, supra note 2, at 1552 (describing "adware" as always involving surveillance: "Adware is spyware" (emphasis added)).
(38.) Adware of this type is sometimes called "pestware." McLean & Young, supra note 16.
(39.) Lavasoft, About Lavasoft, http://www.lavasoftusa.com/company/ about_lavasoft/(last visited Nov. 5, 2008) (emphasis added). The web page for Ad-Aware 2008 Pro further complicates the issue because it bills the product as being for malware removal, a broader category than either adware or spyware alone. Lavasoft, Ad-Aware 2008 Pro, http://www.lavasoftusa.com/products/ ad_aware_pro.php (last visited Nov. 5, 2008). See also Webopedia, infra note 49 and accompanying text.
(40.) Webopedia, What is Spyware?, http://www.webopedia.com/term/s/ spyware.html (last visited Nov. 5, 2008). See also CTR. FOR DEMOCRACY & TECH, supra note 233, at 2.
(41.) ANTI-SPYWARE COALITION, supra note 27, at 2.
(42.) Barnes, supra note 2, at 1552.
(43.) See id. at 1545.
(44.) See Webopedia, supra note 40.
(45.) One study found that scans revealed that 61% of respondents had spyware installed on their computers, including programs like Gator and 180 Solutions; that 92% did not know the programs were on their computer; and that 91% did not think they had given permission for them to be installed. AMERICA ONLINE & THE NATIONAL CYBER SECURITY ALLIANCE, AOL/NCSA ONLINE SAFETY STUDY (2005), 6-7, http://www.bc.edu/offices/help/meta-elements/pdf/safety_study_2005.pdf. Another source states that nine out of ten computers connected to the Internet have some form of spyware installed. Webroot, Spyware FAQs, Why Do I Need Anti-Spyware Protection?, http://www.webroot.com/En_US/csc/spyware-FAQs.html (last visited Nov. 26, 2008).
(46.) ANTI-SPYWARE COALITION, ANTI-SPYWARE COALITION DEFINITIONS DOCUMENT, WORKING REPORT 1 (2007), available at http://www.antispywarecoalition.org/documents/ documents/2007defmitions.pdf.
(47.) These technologies, especially keyloggers, are also sometimes called "snoopware." See McLean & Young, supra note 16, at 34.
(48.) ANTI-SPYWARE COALITION, supra note 46, at 1.
(49.) One definition of malware is "software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse." Webopedia, What is Malware?, http://webopedia.com/TERM/m/malware.html (last visited Mar. 4, 2008). According to Webopedia, both spyware and adware can also fall into the category of "greyware," meaning "malicious software or code that is considered to fall in the 'grey area' between normal software and a virus." Webopedia, What is Greyware?, http://webopedia.com/TERM/g/greyware.html (last visited Nov. 5, 2008).
(50.) "Phishing" is "[t]he act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft." Webopedia, What is Phishing?, http://www.webopedia.com/TERM/p/phishing.html (last visited Nov 10, 2008).
(51.) For example, in O'Brien v. O'Brien, 899 So. 2d 1133, 1134 (Fla. Dist. Ct. App. 2005), a divorce proceeding, the appellate court upheld the trial court's permanent injunction against the use of evidence that the wife obtained by installing a spyware program called Spector on her husband's computer, which captured "chat conversations, instant messages, e-mails sent and received, and the websites visited by the user of the computer" because that activity violated a state privacy law. Id.
(52.) See Barnes, supra note 2, at 1551-52.
(53.) See id. at 1604.
(54.) See id. at 1557.
(57.) See McCullagh & Broache, supra note 18 ("In [a] case decided earlier this month by the 9th U.S. Circuit Court of Appeals, federal agents used spyware with a keystroke logger--call it fedware ...").
(58.) See Reimer, supra note 19 (describing government keylogging software as "policeware"). Technology intended to fight copyright infringement is also sometimes called "policeware." See Barry J. Lipson, Editorial, Liberty's Corner, LAWYERS J., Feb. 8, 2002, at 6 (describing the proposed Security Systems Standards and Certification Act as requiring "all new personal computers to have built-in 'police-ware' to prevent apparently even 'fair-use' copying of copyrighted materials").
(59.) Orin S. Kerr, Internet Surveillance Law After the USA PATRIOT Act: The Big Brother That Isn't, 97 NW. U. L. REV. 607, 622 (2003).
(60.) Kevin Poulsen, Carnivore Details Emerge, SECURITY FOCUS, Oct. 4, 2000, http://www.securityfocus.com/news/97.
(61.) Neil King, Jr. & Ted Bridis, FBI's Wiretaps to Scan E-Mail Spark Concern, WALL ST. J., July 11, 2000, at A3.
(62.) Kerr, supra note 59, at 654.
(63.) Casey Holland, Neither Big Brother Nor Dead Brother: The Need for a New Fourth Amendment Standard Applying to Emerging Technologies, 94 KY. L.J. 393, 411 (2005-2006).
(64.) Kerr, supra note 59, at 653-54 (noting that the name of the next version was changed to "the more innocuous label 'DCS-1000'" and the FBI's desire for increased information from search warrants).
(65.) Instead, it is installed in a "sealed black box" at the Internet Service Provider (ISP) serving the target of the search, rather than on the target's computer itself. See id. at 654.
(66.) FBI Ditches Carnivore Surveillance System, FOXNEWS.COM, Jan. 18, 2005, http://www.foxnews.com/story/0,2933,144809,00.html.
(67.) See Laura K. Donohue, Anglo-American Privacy and Surveillance, 96 J. CRIM. L. & CRIMINOLOGY 1059, 1131 (2006).
(68.) Neal Hartzog, The "Magic Lantern" Revealed: A Report of the FBI's New "Key Logging" Trojan and Analysis of Its Possible Treatment in a Dynamic Legal Landscape, 20 J. MARSHALL J. COMPUTER & INFO. L. 287, 288 (2002).
(69.) See id. at 288-89
(70.) See id. at 305.
(71.) See, e.g., KeyGhost Keylogger, Interface Security, http://www.keyghost.com (last visited Nov. 2, 2008); KeyDevil Keylogger, http://www.key-devil.com (last visited Nov. 2, 2008).
(72.) See, e.g., BlazingTools Software, Perfect Keylogger, http://www.blazingtools.com/bpk.html (last visited Nov. 2, 2008).
(73.) Cindy Southworth & Sarah Tucker, Technology, Stalking and Domestic Violence Victims, 76 MASS. L.J. 667, 669 (2007) ("[keylogger] abusers must have physical access to a victim's computer in order to use these devices").
(74.) The FBI has used other versions of keyloggers in the past, as in the cases of United States v. Forrester, 495 F.3d 1041, 1044 (9th Cir. 2007), opinion amended and superseded on denial of rehearing by 512 F. 3d 500, 505 (9th Cir. 2008), and United States. v. Scarfo, 180 F. Supp. 2d 572, 574 (D.N.J. 2001), in which FBI agents had to obtain physical access to the suspect's computer, surreptitiously install the keyloggers, and leave no sign of their presence.
(75.) See Donohue, supra note 67, at 1131.
(76.) See Id.
(78.) See Pawloski & Buhain, supra note 9; see also Application and Affidavit for Search Warrant, In the Matter of the Search of Any Computer Accessing Electronic Message(s) Directed to Administrator(s) of MySpace Account "Timberlinebombinfo" and Opening Messages Delivered to That Account by the Government at 2, No. MJ07-5114 (W. D. Wash. June 12, 2007), available at http://www.politechbot.com/docs/fbi.cipav.sanders.affidavit.071607.pdf [hereinafter Sanders Affidavit]. This might not be the first time the FBI has used this kind of technology; an article in 2004 reported that an "Internet Protocol Address Verifier" had been used in another FBI investigation. See Declan McCullagh, FBI Remotely Installs Spyware to Trace Bomb Threat, CNETNEWS, July 18, 2007, http://news.cnet.com/8301-10784_3-9746451-7.html.
(79.) Sanders Affidavit, supra note 78.
(80.) Search Warrant, In the Matter of the Search of Any Computer Accessing Electronic Message(s) Directed to Administrator(s) of MySpace Account "Timberlinebombinfo" and Opening Messages Delivered to That Account by the Government, No. MJ07-5114 (W.D. Wash. June 21, 2007), available at http://www.politechbot.com/docs/fbi.cipav.sanders.search.warrant.071607.pdf [hereinafter Search Warrant].
(81.) See McCullagh, supra note 78.
(82.) Sanders Affidavit, supra note 78, at 8, 10. Some examples include "firstname.lastname@example.org" and "Timberline.Sucks@gmail.com." Id. Threats were also sent from misleading Gmail addresses based on the name of a student who was uninvolved. Jeremy Pawloski, Boy to Serve 90 Days for School Scare, OLYMPIAN, July 17, 2007, available at 2007 WLNR 13606658. The uninvolved student suffered mistreatment by other students before the bomber's true identity was revealed, to the point where he changed schools. This conduct added charges of identity theft to the responsible student's indictment after his identity was determined. Id.
(83.) Sanders Affidavit, supra note 78, at 6-10. Part of one threat read, "There are 4 bombs planted throughout timberline high school. One in the math hall, library hall, main office and one portable. The bombs will go off in 5 minute intervals at 9:15 AM." Id. at 7.
(84.) Id. at 7-8. One message jeered, "Keep trying to 'trace' this email. The only thing you will be able to track is that it came from Italy. There is no other information that leads it back to the United States in any way so get over it. You should hire Bill Gates to track it for you. HAHAHAHA." Id. at 8.
(85.) Id. at 11-12.
(86.) As the affidavit explains,
MySpace is a[n] international free service that uses the Internet for online communication through an interactive social network of photos, videos, weblogs, user profiles, blogs, e-mail, instant messaging, web forums, and groups, as well as other media formats. MySpace users are capable of customizing their user webpage and profile. Users are also capable of searching or browsing other MySpace webpages and adding other users as "friends". If the person identified approves your "friend" request, he or she will be added to your list of friends. Users are capable of sending MySpace messages and posting comments on other user's [sic] MySpace webpages.
Id. at 2 n.1.
(87.) Id. at 9. According to Detective Jeremy Knight of the Lacey Police Department, thirty-three students received such a request. Moreover, at least one of these requests threatened to associate the recipient's name with future bomb threats unless the recipient complied. Id.
(88.) Id. at 12-14.
(89.) Search Warrant, supra note 80.
(90.) Officials Handled Case Deftly, OLYMPIAN, July 25, 2007, available at 2007 WLNR 14200643.
(91.) See id.
(92.) See id.
(93.) Sanders Affidavit, supra note 78, at 5.
(94.) See McCullagh, supra note 78. National Public Radio has also described CIPAV as "spyware-like." See Audio broadcast: All Things Considered: FBI's Spyware-Like Software Cracks School Case, July 20, 2007, transcript available at 2007 WLNR 13947909. However, John Miller, Assistant Director of the FBI, downplayed the association between CIPAV and spyware: "It's not that the FBI is on the Internet using spyware, it's that people are committing crimes on the Internet ... [and government authorities] have to figure out who those people are." Id.
(95.) Sanders Affidavit, supra note 78, at 13.
(96.) Even though one commentator also suggests that instant messaging could have been used, he ultimately believes the wording of the affidavit makes e-mail the more likely delivery system. See McCullagh, supra note 78.
(97.) See Kevin Poulsen, FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats, WIRED.COM, July 18,2007, http://www.wired.com/print/politics/law/news/2007/07/fbi_spyware (noting "the FBI delivered [CIPAV] through MySpace's messaging system ... [and the] FBI might have simply tricked the suspect into downloading and opening an executable file). According to one commentator, the FBI probably did not deliver CIPAV as an executable attachment to an e-mail because MySpace does not have a traditional e-mail system. See Gregg Keizer, What We Know (Now) about the FBI's CIPAV Spyware: G-men Pull Spyware, Not Pistols, to Make Arrest in Bomb Threat Case, COMPUTERWORLD, July 31, 2007, http://www.computerworld.com.au/(enter "CIPAV" in search function to locate identified article) (arguing that the FBI must have used MySpace's instant messaging or web-based mail system to send a deceptively titled URL to the target account, hoping that the account administrator would click the link and inadvertently download CIPAV through a computer vulnerability).
(98.) See Keizer supra note 97. Another potential delivery mode, albeit farfetched in this case, would be for the FBI to have obtained a court order requiring a security software company to secretly deliver the fedware directly to the user's computer, through the security software's auto-update feature. See Fedware, the New Government Approved Spyware, BestSecurityTips.com, July 23, 2007, http://www.bestsecuritytips.com/news+article.storyid+277.htm.
(99.) See supra text accompanying notes 52-56. Interestingly, the government's use of CIPAV to investigate a crime might exempt the technology from the ASC's definition of "spyware." The ASC defines "spyware" as being "deployed without appropriate user consent." See supra text accompanying note 41. It is arguable, however, that consent is not needed from the subject of a criminal investigation. Thus, CIPAV might not be classified as spyware because its intended government use does not require any consent.
(100.) See McCullagh, supra note 78; see also Sanders Affidavit, supra note 78, at l6.
(101.) One article states that "the bomb-hoaxster also performed a denial of service attack against the school district computers [indicating] some modicum of technical knowledge," suggesting he was more likely to have installed anti-virus software to protect his own computer. See McCullagh, supra note 78.
(102.) Causing security software to deliberate ignore the presence of certain programs is often called "whitelisting." See id.
(103.) See id.
(104.) Sanders Affidavit, supra note 78, at 13.
(105.) Id. at 5-6. Generally IP addresses are assigned dynamically, so users might have the same IP address only for a few days at a time. However, the information can still assist the FBI in locating the user. Id.
(106.) Id. at 5. CIPAV also collects the user's MAC address, an inherently unique piece of information about the user's Ethernet card that can help identify the user. Id.
(107.) Id. at 13. This "phone home" feature likely requires a port and address connection that firewall hardware and software should detect and block.
(108.) Id. at 13-14. It is significant that CIPAV purports not to monitor the contents of communications because such actions would require a Title III order under the Wiretap Act instead of a search warrant. See Posting of Orin Kerr to The Volokh Conspiracy, http://volokh.com/posts/l184933802.shtml (July 20, 2007, 8:16 EST). Nonetheless, Professor Kerr believes that the use of CIPAV necessitates a search warrant to satisfy the Fourth Amendment because CIPAV collects and transmits information while residing on the target's computer (rather than at the ISP), and no "third party" is available to consent to the monitoring (such as the ISP, if the tool were installed there). Id.
(109.) See ANTI-SPYWARE COALITION, supra note 27, at 2. However, this definition may not be suitable for the criminal investigatory context. See discussion, supra note 99.
(110.) See discussion supra Part II.C.1.
(111.) See discussion supra Part II.C.2.
(112.) The possibility of CIPAV variants was raised in the Timberline case by the FBI's affidavit. The affidavit requested permission to deploy "additional CIPAV[s]" in the event that "any particular formulation of a CIPAV" did not "cause a person(s) controlling the activating computer to activate a CIPAV." Sanders Affidavit supra note 78, at 15. This language might refer to technological variations within CIPAV (such as attempting to exploit different system vulnerabilities), or it might simply refer to differing deceptive tactics used to cause the target to activate CIPAV. See generally Sanders Affidavit, supra note 78.
(113.) The affidavit itself suggests that CIPAV might have been or will be used in other investigations. Id. at 5 ("[T]he disclosure [of CIPAV's details] would likely jeopardize other on-going investigations and/or future use of the technique."). The FBI has also sought permission from the Foreign Intelligence Surveillance Court (FISC) to use CIPAV in terrorism and foreign spying cases. Posting of Kevin Poulsen to Threat Level blog, WIRED.COM, http://blog.wired.com/27bstroke6/2008/02/Secretive-surve.html (Feb. 6, 2008, 16:27:14 EST).
(114.) Wired.com submitted a Freedom of Information Act (FOIA) request about CIPAV to the FBI, which reportedly has uncovered 3,000 pages of documents dating back to at least 2005. It is unclear when or whether the FBI will hand over any of these documents. Poulsen, supra note 113.
(115.) For example, one article asserts:
[t]he FBI's 2008 budget request hints at the bureau's efforts in the hacking arena, including $220,000 sought to "purchase highly specialized equipment and technical tools used for covert (and) overt search and seizure forensic operations.... This funding will allow the technology challenges (sic) including bypass, defeat or compromise of computer systems.
Poulsen, supra note 97.
(116.) See Aaron Nance, Taking the Fear out of Electronic Surveillance in the New Age of Terror, 70 UMKC L. REV. 751, 771 (2002) ("absent a global conspiracy between the FBI and every anti-virus soft-ware company, 'Magic Lantern' will fail in its silent purpose; if just one program detects it the proverbial cat would be out of the bag."). See also Shane Coursen, "Magic Lantern' Rubs the Wrong Way: Anti-virus Products Could Detect the FBI's New Spyware. But Should They?, SECURITY FOCUS, Dec. 3, 2001, http://www.securityfocus.com/columnists/44.
(117.) See McCullagh supra note 78. One commentator notes "[t]he use of Magic Lantern will be greatly hindered" unless anti-virus software developers "acquiesce to the use of the trojan and design their software programs to 'look over' the infecting file." Hartzog, supra note 68, at 315.
(118.) See McCullagh & Broache, supra note 18.
(120.) See Kerr, supra note 59, at 657 n.247.
(121.) See discussion supra Part II.C.1.
(122.) For instance, the SPY ACT, H.R. 964, 110th Cong. (2007), was first passed by the House in 2004 in a 399-1 vote and then again in 2005 by 393-4, but it still has received little attention in the Senate. Bennet Kelley, Spyware and Data Security Bills Advance, J. INTERNET L., Aug. 2007, at 25. Congress probably has the constitutional authority under the Commerce Clause to legislate in this area because spyware, and especially adware, may have a substantial effect on interstate commerce. Thus, it is not surprising that the House Committee on Energy and Commerce cited the Commerce Clause as authority for the bill. H.R. REP. No. 110-169 (2007), available at 2007 WL 1524023.
(123.) See L. Elizabeth Bowles, Survey of State Anti-Spyware Legislation, 63 BUS. LAW. 301, 302 & n.7 (2007) (arguing that federal legislation could be more beneficial than state-by-state regulation because it could provide a "single standard of conduct for those attempting to purvey spyware or adware.").
(124.) See Matt Hines, Policy Experts Split on Spyware Laws, CDT and FTC Disagree Whether a Trio of Anti-Spyware Bills Before Congress Will Result in More Prosecutions, INFOWORLD, June 28, 2007, http://www.infoworld.com/article/07/06/28/ Policy-experts-split-on-spyware-laws_1.html.
(125.) See SPY ACT, supra note 13, [section] 5(a); I-SPY Prevention Act of 2007, supra note 13, [section] 2; Counter Spy Act, supra note 13, [section] l(c).
(126.) SPY ACT, supra note 13, [section]2(a).
(127.) Id. [section] 2(a)(1)(E).
(128.) Id. [section] 2(a)(5)(B).
(129.) Id. [section] 3.
(130.) Id. [section] 4(a).
(131.) See id. [section] 4(b)(1).
(132.) Id. [section] 6.
(133.) Hines, supra note 124; see also Computer Fraud and Abuse Act, 18 U.S.C. [section] 1030 (2000).
(134.) I-SPY Act, supra note 13, [section] 2.
(135.) House Passes SPY Act Even as Backer Admits Knotty Provision, WASH. INTERNET DAILY, June 7, 2007, available at 2007 WLNR 10897757.
(136.) Compare I-SPY Act, supra note 13, [section] 2(a) with SPY ACT, supra note 13, [section] 2(a).
(137.) See I-SPY Act, supra note 13, [section] 2(a) ("Whoever intentionally accesses a protected computer without authorization ... by causing a computer program or code to be copied onto the protected computer, and intentionally uses that program or code in furtherance of another Federal criminal offense....").
(138.) See id. [section] 2(b).
(139.) Id. [section] 2(c).
(140.) See Counter Spy Act, supra note 13.
(141.) The list includes "[o]pening multiple, sequential, stand-alone advertisements ... with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or forcing an application to close using means other than the ordinary means for closing the application." Counter Spy Act, supra note 13, [section] 3(1)(D). Compare this provision to the equivalent in the SPY ACT, which uses the expression "without undue effort" instead of the tortured language "means other than the ordinary means for closing the application." SPY ACT, supra note 13, [section] 2(a)(1)(E).
(142.) See Counter Spy Act, supra note 13, [section] 13.
(143.) Id. [section] 7.
(144.) Id. [section][section] 8-10.
(145.) Id. [section] 13. Section 13 of the Counter Spy Act contains almost the same criminal prohibitions as [section] 2 of the I-SPY Act and would amend the same section of the Computer Fraud and Abuse Act. See I-SPY Act, supra note 13, [section] 2.
(146.) Counter Spy Act, supra note 13, [section] 11(b).
(147.) See discussion supra Parts IV.A.1 to IV.A.3.
(148.) See Kelley, supra note 122, at 25 ("At best [Congress] will capture a moving target at a defined moment in time that has already passed, and at worst it will create a blurry image of a complex reality."); see also Aaron Ricadela, Congress Takes Aim at Spyware, BUSINESSWEEK.COM, June 19, 2007, http://www.businessweek.com/technology/content/jun2007/tc20070618_693312.h tm (quoting Markham Erickson, executive director of the NetCoalition, which lobbies on behalf of companies such as Google and Yahoo, as saying, "[l]egislating based on today's technology is always fraught with peril.").
(149.) For instance, a company that makes operating systems might decide that in order to perform certain software updates on a user's computer, it needs to temporarily disable a "security, anti-spyware, or anti-virus technology installed on the computer" while the update is downloaded or installed, which could be a violation of [section] 2(a)(9). See Counter Spy Act, supra note 13, [section] 2(a)(9).
(150.) SPY ACT, supra note 13, [section] 2(a).
(151.) Id. [section] 2(b).
(152.) For example, Virginia updated its anti-spyware law in March 2007 to add new kinds of prohibited practices to reflect changes in the industry. See Bowles, supra note 123, at 303; VA. CODE ANN. [section] 18.2-152.4 (West 2007).
(153.) As an example, some have suggested that the specific text of all three bills might inappropriately limit their enforcement to the current PC-based paradigm of adware and spyware, when these threats have already spread to mobile devices as well. Hines, supra note 124; see also Claburn, supra note 24 (citing PANDALABS, QUARTERLY REPORT, 36-44 (Jan.-Mar. 2008), http://pandalabs.pandasecurity. com/blogs/images/PandaLabs/2008/04/01/Quarterly_Report_PandaLabs_Q1_2008 .pdf).
(154.) For instance, one of the statements that will meet the Act's requirements for certain programs is, "[t]his program will collect and transmit information about you. Do you accept?" SPY ACT, supra note 13, [section] 3(c)(1)(B)(i). Although the Act also provides that an "option" must be available for the user to discover the types of information collected and the purpose of collecting it, id. at [section] 3(c)(1)(D), users might not notice or understand this option and thus might simply click "Yes," thereby installing a potentially unwanted program.
(155.) Hines, supra note 124. CDT Deputy Director Ari Schwartz has indicated that higher penalties should have been assessed in previous cases against spyware makers such as DirectRevenue and Zango. Id.
(156.) House Passes SPY Act, supra note 135.
(157.) Hines, supra note 124.
(158.) Grant Gross, Some Say Spyware Bill Too Broad, Others Say Too Weak, INFOWORLD, June 8, 2007, http://www.infoworld.com/article/07/06/08/ Some-say-spyware-bill-too-broad-others-say-too-weak_1.html.
(159.) See The Impact and Policy Implications of Spyware on Consumers and Businesses: Hearing on S. 1625 Before the S. Comm. on Science, Commerce, and Transportation, 110th Cong. 6 (2008) (statement of Benjamin Edelman, Ass't. Professor, Harvard Business School), available at http://commerce.senate.gov/public/_files/EdelmanSpywareTestimony061108.pdf; see also The Impact and Policy Implications of Spyware on Consumers and Businesses: Hearing on S. 1625 Before the S. Comm. on Science, Commerce, and Transportation, 110th Cong. 4-5 (2008) (statement of Marc Rotenberg, Exec. Dir., EPIC), available at http://commerce.senate.gov/public/_files/EPICSpyware Testimony.pdf.
(161.) House Passes SPY Act, supra note 135.
(162.) The DMA made this argument in a recent Senate hearing on the Counter Spy Act. See The Impact and Policy Implications of Spyware on Consumers and Businesses: Hearing on S. 1625 Before the S. Comm. on Commerce Science, and Transportation, 110th Cong. 3 (2008) (statement of Jerry Cerasale, Senior Vice President, Government Affairs, on behalf of the Direct Marketing Association), available at http://commerce.senate.gov/public/_files/DMA_Senate_Spyware_ Testimony.pdf.
(163.) See Liying Sun, Who Can Fix the Spyware Problem?, 22 BERKELEY TECH. L.J. 555, 555-56 (2007) (arguing that "the encouraging results achieved since 2005 suggest that the multiple [existing] legal mechanisms working together are effectively controlling the spyware problem," while admitting that spyware "infect[ed] nearly 60% of household computers and caus[ed] an estimated $2.6 billion in damages in 2006").
(164.) Hines, supra note 124.
(165.) See id.
(166.) See id.
(167.) Increasing criminal penalties may be an effective way to deter the proliferation of malicious spyware. As Kevin Richards, federal government relations manager at the security company Symantec, has noted, "A lot of spyware purveyors get a slap on the wrist, and they factor in the fines as a cost of doing business." Ricadela, supra note 148.
(168.) In a recent hearing, the FTC admitted that it is "pleased" with the fact that the Counter Spy Act would authorize it to seek civil penalties in spyware cases. See The Impact and Policy Implications of Spyware on Consumers and Businesses: Hearing on S. 1625 Before the Comm. on Commerce, Science, and Transportation, 110th Cong. 7 (2008) (statement of the Federal Trade Commission), available at http://commerce.senate.gov/public/_files/ FTCspywaretestimony.pdf.
(169.) See Patricia L. Bellia, Spyware and the Limits of Surveillance Law, 20 BERKELEY TECH. L.J. 1283, 1285 (2005) ("[existing] [e]lectronic surveillance law does not apply by any reasonable construction to most forms of spyware.").
(170.) 18 U.S.C. [section] 1030 (2000 & Supp. 2004). This Act is not always a solution for consumers because it requires a showing of "aggregate damages during a one-year period of at least $5,000 in value, some modification or impairment of medical information, a physical injury, a threat to public health or safety, or some damage to a government system." Alan F. Blakley, Daniel B. Garrie, & Matthew J. Armstrong, Coddling Spies: Why the Law Doesn't Adequately Address Computer Spyware, 2005 DUKE L. & TECH. REV. 25, [paragraph] 16 (2005) (noting that because an average home computer costs less than $5,000, an individual consumer whose computer was damaged or destroyed by spyware lacks an adequate remedy under this Act, unless the consumer could somehow prove that the data stored on the computer exceeded $5,000 in value).
(171.) 18 U.S.C. [section][section] 2701-2711 (2000 & West Supp. 2005). This Act provides a private right of action to protect individuals against the collection of personal information without consent. But a claim against a spyware maker or distributor could be defeated in litigation by making a sufficient showing of "consent" in a lengthy boilerplate agreement that the user "clicks through" during installation. See Blakley et al., supra note 170, [paragraph] 24.
(172.) 18 U.S.C. [section][section] 2510-2522 (2000 & Supp. 2004). This act essentially was designed to prevent eavesdropping on information "in transit," rather than stored information. See Blakley et al., supra note 170, [paragraph] 28. Thus, some spyware creators circumvent the prohibition by gathering user information when it is in a "temporarily stored state" on the computer and then transmitting that information in a separate, new communication to third parties. See id. [paragraph] 28. Consequently, the Wiretap Act is likely only useful against spyware that records real-time communications, such as chat sessions. Id. [paragraph] 28-29.
(173.) In July of 2007, 16 states had passed some form of anti-spyware legislation: Alaska, Arizona, Arkansas, California, Georgia, Indiana, Iowa, Hawaii, Louisiana, New Hampshire, Rhode Island, Tennessee, Texas, Utah, Virginia, and Washington. Bowles, supra note 123, at 303, n.12.
(174.) Federal preemption might also be constitutionally appropriate. For instance, a court granted a preliminary injunction against Utah's anti-spyware law on the theory that it violated the Dormant Commerce Clause. WhenU.com Inc. v. Utah, No. 040907578 (Utah Dist. Ct. 2004), available at http://www.internetlibrary.com/cases/lib_case350.cfm.
(175.) See PANDALABS, supra note 153, at 36.
(176.) See Claburn, supra note 24.
Benjamin Lawson, J.D. candidate 2009, Rutgers School of Law--Newark. I would like to thank Justin Schmidt for this title and for his help in editing this Note. I would also like to thank Brandt Lawson for technical editing, Christine Lawson for general editing, and my wife Devon Wilson for editing, support, patience, and encouragement.
|Printer friendly Cite/link Email Feedback|
|Publication:||Rutgers Computer & Technology Law Journal|
|Date:||Sep 22, 2008|
|Previous Article:||Legal understanding and issues with electronic signatures - an empirical study of large businesses.|
|Next Article:||Teleradiology: images of an improved standard of medical care?|
|SURFCONTROL JOINS ANTI-SPYWARE COALITION.|
|ScanSafe reports spyware skyrockets.|
|Webroot releases Vista-compatible product.|
|SPYWAREBASTER ESSENTIAL FOR PREVENTING SPYWARE/MALWARE.|