1

- Spokane County Bar Association: IP Section

2

- “Spyware” is a general term used for software that delivers advertising,
collects personal information, or changes the configuration of your
computer, generally without obtaining your consent.
- “Spyware” and “Adware” are often used interchangeably (although not all
Spyware is Adware and vice versa). Typically, Adware acquires your
consent through a EULA; Spyware does not.
- Spyware evolved from Adware, i.e. Cookies were not doing the trick.
- Spyware is different from SPAM (although they are usually part of the
same barrel of tricks)
- Cookies (can be Spyware depending on who is using it)
- Malware (spyware that is used for destructive purposes)
- Phishing and Pharming (misleading e-mail; misdirecting website requests)
- Trojan Horses (used to load spyware and adware onto computers)
- Keystroke Loggers/System Monitors (private spying devices; can be
hardware or software)

3

- National Cyber Security Alliance Estimates that 8 of 10 Private
Computers Contain Spyware (Controlling for cookies, the number was 5 to
6 in 10)
- 89% of the Users Were Unaware of It
- Average Computer had 93 Spyware Components
- 92% of IT managers estimate that their organization has been infected by
spyware at some point.
- Claria estimates that its GAIN Software is installed on 40 Million
Computers
- Kazaa, for instance, has between 2 and 12 bundled spyware programs with
each version (and the Kazaa EULA states that you agree not to delete
these programs)
- Spyware is responsible for 12% of technical support calls in Dell’s
consumer hardware division – the biggest category for complaints
- Microsoft claims that 50% of computer crashes are caused by spyware
- 43% of adults have been Phished; 2% have responded
- Keyloggers are on one in fifteen computers

4

- The Holy Grail of Targeted Advertising
- Generation X and Generation Y Cynicism re Advertising
- Top 4 Adware Companies recently received $140M of Investments (See
also, huge investments in anti-spyware companies)
- The General Incompetence and Gullibility of Consumers (14% Spam
Click-Through; 6% Purchase from Spam)
- The Desire for “Free” (Consumers are remarkably willing to trade privacy
and security for “free”, e.g. Supermarket Cards)
- Advertising Model: (“Pay for Click” advertising leads to “Pay for Click” fraud)
- Even major advertisers are funding spyware unknowingly (see, e.g.
Mercedes-Benz)

5

- Downloads (Read the EULA!)
- Drive By Downloads
- Downloads After Click (“Do you want to change your home page” after
Typosquatting mistake)
- Taking advantage of confusion (See e.g. advertising that looks like
error messages)
- This is Successful Because We’ve Been Conditioned to Click Through
Dialog Boxes and Because Downloads (and the EULAs) are Confusing

6

- Pop-Ups When Not On the Web
- Hijacked Home Page
- New Toolbar
- Delay In Processing
- Sudden Rise in Crashes
- Unfortunately – Not Better Advertising…

7

- Update Your Operating System and Web Browser Software
- Download Free Software Only From Sites You Know and Trust
- Don’t Install Any Software Without Knowing Exactly What It Is
- Minimize Drive By Downloads By Setting Your Browser Security System High
Enough to Detect Unauthorized Downloads
- Don’t Click On Any Links Within Pop-Up Windows
- Don’t Click on Links in Spam That Claim to Offer Anti-Spyware Software
- Install a Personal Firewall to Stop Uninvited Users From Accessing Your
Computer
- --From FTC Consumer Alert on Spyware

8

- Bad Actors
- Phishers and Identity Thieves (for instance, a Queens resident admitted
to installing a key logger on public computers in 13 Kinko’s stores. He
acquired over 450 banking passwords).
- Those Delivering Malware and Creating Zombies
- Private Spying
- But Not All Are Inherently Evil
- Ad Delivery
- Ad Analysis/Consumer Activity Monitoring

9

- Loss of Privacy
- Loss of Data
- Loss of Identity
- Loss of Security
- Zombies
- Compromise of Trade Secrets and Other Confidential Information

10

- Three Classes:
- Laws Governing the Means of Collecting the Information
- Laws Governing What You Do With the Information Collected
- Laws Governing the Required Notice and Consent
- Basic Fraud and Theft Laws
- Computer Fraud and Abuse Act
- Anti-Identity Theft Laws
- EULAs
- Anti-Wiretapping/Electronic Communications Privacy Act (Monitoring
“Contemporaneous Communications”)
- Just Two States Have “Anti-Spyware” Laws (But that will grow)

11

- HR 29 - The Spy Act (Sponsored By Mary Bono)
- Cleared Committee in House
- Successor to 2004 Bill Approved 399-1 By House, But Never Voted On By
Senate
- Key Terms
- Prevent Homepage Hijacking
- Keystroke Tracking
- Requires That Spyware Be Easily Identifiable and Removable
- Requires Express Consent By Users
- Outlaw “Evil Twin” Wi-Fi Hotspots
- Large Fines
- Exceptions
- Exemption for Cookies and Pop-Up Ads From Spyware Definitions
- Very Hot Issue on Capitol Hill (Senate had hearings last week)

12

- Utah: First Anti-Spyware Statute; Enjoined June 2004 (Prohibition
against Pop-Up Advertising Would Violate Commerce Clause)
- California: “CPASCA”
- In Effect January 1, 2005
- Outlaws the installation of software for wrongful purposes, including:
- Taking control of a user’s computer (e.g. Zombie);
- Modifying through deceptive means any settings on the computer
including the homepage, bookmarks, default ISP, security settings
- Collecting PII through intentionally deceptive means
- Unauthorized prevention of a user’s ability to block or disable
software
- Deceptive inducement to install, remove, or disable software for
security or privacy purposes.
- Anti-Spyware legislation has been introduced in 27 states
(Washington: HB 1012 – Anti-Spyware Bill Introduced January 2005)

13

- AG Actions/FTC Actions
- A Coming Thing (Eliot Spitzer brought first case last month)
- To date, FTC v. Seismic Entertainment (FTC action versus an entity that
exploited IE Browser vulnerabilities to change user computer settings
to deliver advertising)
- Consumer Class Actions

14

- Lawsuits Over Spyware as Wiretaps
- Florida Appeals Court Held that Wife Who Installed “Spector” Spyware
to Monitor Husband’s IM Chat Violated Florida Anti-Wiretapping Law
(O’Brien v. O’Brien, 2005 WL 322367)
- US v. Ropp (C.D. CA October 2004) holding that no “wiretap” occurred
because there was no “interception” through use of keystroke monitoring
hardware
- Texas case re Cookies as “Stalking” law violation.

15

- There have been lawsuits regarding whether Adware is an infringement on
the rights of websites. To date, the courts are split on the legality of
these practices.
- In Wells Fargo v. WhenU.com, Inc., 293 F.Supp.2d 734 (E.D. Mich. 2003)
and U-Haul International, Inc. v. WhenU.com, Inc., 279 F.Supp.2d 723
(E.D. Va. 2003) the courts held that the “pop-up” ads were not a “use in
commerce” of the trademark owner and didn’t interfere with the holder’s
right to display its copyrighted works.
- In 1-800 Contacts, Inc. v. WhenU.com, Inc., 309 F.Supp.2d 467 (S.D.N.Y.
2003) and GEICO v. Google, Inc., 330 F.Supp.2d 700 (E.D. Va. 2004), the
courts held that the actions undertaken by the parties were
impermissible. In these two cases, the basis for rejecting the placement
of the pop-up advertisements was a misuse of a trademark (i.e. using the
trademark as metadata to facilitate the service of the advertising).
- In all four cases, the court rejected the argument that the placement of
pop-up advertisements infringed the website owner’s copyright.
- In the GEICO case, the courts also rejected state claims for tortious
interference and business conspiracy.
- Germany has enjoined Claria from serving unsolicited pop-up ads without
the user’s consent

16

- Spyware v. Spyware Cases (Defamation/Tort Cases Over Being Listed as
Spyware)
- Startpagina & Microsoft (Microsoft Apology)
- Avenue Media v. DirectRevenue (DR software “kills” Avenue Media
software from registry as “spyware”) – 12-2004
- Trek8 v. Symantec – 8-2004 (Lawsuit re Listed as Spyware)
- Ad-Aware v. Spybot (Settlement)

17

- Europe
- Privacy and Electronic Communications Directive 2002/58/EC Governs,
among other things (among a lot of other things), spyware
- Article 5(3) of the Directive requires that gaining access to or
storing information on a user’s terminal equipment (a PC, mobile phone
or other device) is only allowed if the user is given “clear
information about the purpose of any such invisible activities and is
offered the right to refuse it.”
- Requires that Cookies are Opt-in
- Australia
- Adopted Anti-Spyware Law Dec. 2004
- Adopted New Legislation May 2005 that would make it a crime punishable
with 2 years in jail for placing spyware or a cookie on a computer
without consent

18

- No Universal Definition of “Spyware” So Industry Alliances are Shifting
- Downfall of Consortium of Anti-Spyware Technology “Coast”
- Group devoted to setting anti-spyware standards and helping consumers
distinguish between safe and harmful software
- In February 2005, three founding members resigned in protest over
policies they say are too lax (adding “anti-spyware” companies that
companies claim are spyware)
- Irony: Claria is on the Department of Homeland Security Advisory Board
Regarding Privacy

19

- The Dirty Secret Is That Nothing Works Effectively By Itself (Best
Result is 63%)
- Most Recommend That You Use At Least Two Different Types (I Use Three).
- The Best: Microsoft, Webroot Spy Sweeper, Ad Aware, SpyBot Search and
Destroy
- The Problem of CoolWebSearch (worst spyware; mutates every few days)
- Risk of False Positives
- New Netscape Browser; Microsoft; Yahoo!; SBC all tout tools to help stop
Phishing and Spyware (e.g. whitelists and blacklists).