Big Brother Isn’t Watching You (Everybody Else Is)

August 31, 2004

What is Spyware/Adware?

Let’s start with some terminology explanation. Spyware and Adware are programs downloaded onto a PC which analyse data and send the results back to the supplier. They can catalogue your viewing habits, load relevant pop-up ads, or change banner ads to more carefully suit your preferences. They are the program equivalent of gossipy neighbours telling everybody your shopping and viewing preferences.

These programs are downloaded by the user, but this needn’t be obvious. Sometimes permission is given inadvertently in a small line item viewable after a two-page scroll down the small print of another requested program: download one program, get another less welcome one free. Some programs get downloaded illicitly by asking you to do something else entirely. There are a few cunning programs that even pretend to be free ‘Spyware Killers’ – you’ve got to appreciate the rather sick humour behind that trick. Keyloggers are an insidious subset of the above. They log your keystrokes and so could record a user typing their credit card details into a Web site form – an effective tool to enable credit card fraud and identity theft.

Propagation of these programs is widespread. In June, Webroot Software,[1] the supplier of leading Spyware-killing software “Spy Sweeper 2.2”, and EarthLink (NASDAQ: ELNK), the US Internet service provider, released their second SpyAudit Report which tracks the growth of spyware on consumer PCs. For the year to date, more than 500,000 system monitors and Trojan horses have been discovered from the roughly 1.5 million SpyAudit scans completed, approximately 41 million traces overall, an average of 27.5 per machine.[2]

The security issues for home and commercial users are obvious. Recently a keylogger was installed on a lead developer’s machine at Valve Software which captured the source code for the company’s leading game Half-Life 2 right before it launched. The code was shared online, and Valve had to delay release and suffered enormously as a result. However, it’s not just the potential for security breach and fraudulent use. Lee Kennedy, Vice President of enterprise operations for Webroot, states,

“Aside from the security threat Spyware poses to corporations, it ties up system resources and impairs PCs from working at their full capacity. When a computer is clogged with Spyware, it directly affects worker productivity, not to mention the increased time and costs of IT support.”

What about E-mail?

It is not just separate programs that can monitor your movements. E-mail can also provide more information than you might think.

Cookies are text files stored on the PC which keep details available for when the user returns to a Web site. They are in the main innocuous and helpful. Many Web sites require you to enter a fair amount of data in order to use them. Cookies enable you to do things like carry your purchases in your virtual shopping basket to the checkout.

Images which track progress. When marketing e-mails are sent, many people do not realise that the e-mail senders don’t need a ‘read receipt’ in order to know when the e-mail is opened. Often an image is stored on a remote server and the act of opening the e-mail and calling the image from the remote server will verify the e-mail address as live, thereby enabling the sender to monitor the progress of a marketing campaign, or enable a spammer to verify an address as live, ensuring more spam is sent to that address.
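To make the mechanism concrete, here is an added example (not from the original article) that scans the HTML body of an e-mail and flags the remote images that behave as beacons: fetched from a server when the message is opened, invisibly small, and carrying a per-recipient token that lets the sender mark the address as live. The sample message, hosts and parameter names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a marketing e-mail with a genuine logo, an inline (cid:)
# photo, and one 'clear gif' beacon whose URL carries a per-recipient token.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="https://cdn.example-shop.test/logo.png" width="200" height="60" alt="Shop">
<p>Summer sale now on!</p>
<img src="https://track.example-mailer.test/open.gif?rid=8f3a1c&c=summer04" width="1" height="1" alt="">
<img src="cid:inline-photo" width="300" height="200">
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(attrs):
    # Beacons are typically 1x1; missing or malformed sizes count as not tiny.
    try:
        return int(attrs.get("width", "99")) <= 1 and int(attrs.get("height", "99")) <= 1
    except ValueError:
        return False

def find_beacons(html):
    """Return the remote images that look like tracking beacons, with reasons."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        url = urlparse(img.get("src", ""))
        if url.scheme not in ("http", "https"):
            continue  # cid: and data: images do not contact a server when opened
        reasons = ["remote image fetched on open"]
        if _is_tiny(img):
            reasons.append("1x1 pixel (invisible)")
        # An opaque hex value in the query string identifies the individual recipient.
        tokens = [k for k, v in parse_qs(url.query).items() if re.fullmatch(r"[0-9a-f]{6,}", v[0])]
        if tokens:
            reasons.append("per-recipient token in parameter(s): " + ", ".join(tokens))
        if len(reasons) > 1:
            findings.append({"host": url.hostname, "reasons": reasons})
    return findings
```

Calling `find_beacons(SAMPLE_EMAIL_HTML)` reports only the `track.example-mailer.test` image; the logo is remote but visible and untokenised, and the `cid:` image never leaves the message. Mail clients that block remote images until the reader asks for them defeat exactly this fetch.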

Harvesting information from e-mails. Google, the US search engine, is planning to offer an e-mail service, Gmail, which gives users 1Gb space. As part of the package, Google plans automatically to check e-mail content to help advertisers give users relevant adverts. Google also plans to keep the e-mails for an extended period. It would not be long before they had the best data source for targeting adverts. A user moaning in an e-mail to her friend about her job could find recruitment adverts being displayed. On the Google Gmail explanatory page it says, “No humans read your email to target the ads, and no email content or other personally identifiable information is ever provided to advertisers.”[3] Is it better that the targeting of adverts is done automatically and efficiently?

Is it Legal?

In the UK the Privacy and Electronic Communications (EC Directive) Regulations 2003 apply. Under reg 6, Confidentiality of communications, a person must not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a user unless the user is given the choice and able to refuse. These provisions apply to all devices, not just those devices processing personal data.

The user must have an opportunity to refuse Cookies or Spyware. The Information Commissioner has advised that a mere ‘opportunity to refuse’ is not adequate to comply. The mechanism to refuse continued storage should be:

“prominent, intelligible and readily available to all, not just the most computer literate or technically aware. Where the relevant information is to be included in a privacy policy, for example, the policy should be clearly signposted at least on those pages where a user may enter a website. The relevant information should appear in the policy in a way that is suitably prominent and accessible and it should be worded so that all users and subscribers are capable of understanding, and acting upon it, without difficulty.”[4]

Is the use of clear images that track the progress of a Web campaign covered? Nothing is being loaded on the user’s machine – the file is held on a separate server. The monitoring is activated automatically on the opening of the e-mail. According to the Information Commissioner, yes, this too is covered:

“The important point to note is that if you are using such a tracking device in your marketing emails, you must let the recipient know about it in the message itself and explain to them how to switch the web beacon/clear gif off. You could provide this information next to your valid address for opt-out requests and include a link to a webpage, which offers a fuller explanation. For the avoidance of doubt, a link to your cookie and privacy policy alone is unlikely to be sufficient unless the section of that policy which relates to the use of web beacons/clear gifs is clearly signposted when you arrive at that page.” [5]

Under reg 7, Restrictions on the processing of certain traffic data, a public communications provider must either delete e-mails or anonymise them so that the user is not identifiable, unless consent is given.

The Data Protection Act 1998 should also be considered where the use of a Cookie or Spyware device involves the processing of personal data. The supplier needs to consider the usual issues. Are they collecting personal data? Is it excessive? Do they have permission? Is the permission broad enough and accurate enough for all intended uses? Should they consider anonymising data?

Next the supplier should consider intellectual property rights infringement. Advertisers using Adware need to consider if they are committing a trademark or passing off infringement. If an advertiser is using a competitor’s site as the trigger for its own pop-up advert, there could be grounds for a complaint, analogous to the metatag case of Reed Executive plc and another v Reed Business Information Ltd (see vol. 15, issue 2). The placement, triggers and surrounding circumstances must be looked into.

The corporate use of Spyware within companies to monitor employees has not yet taken off in a big way over here – but it is quite common in the US for companies to monitor their own employees’ PC net usage. Adverts abound for products that ‘reduce suspected inappropriate activity’, and ‘eliminate leaking of confidential information’ and ‘exceed federal compliance requirements for keeping records of communications’. It doesn’t stop at monitoring net usage either: companies can track productivity, and on a smaller scale use products to surreptitiously see or log whatever an individual is doing at any time. UK companies should take advice to check that their employment contracts allow them to monitor such PC usage or risk the employment tribunal.

The US is also directing its attention to Spyware and monitoring at both a state and federal level. A Bill is currently being debated in the House of Representatives; the ‘Safeguard Against Privacy Invasions Act’[6] is designed to ‘protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes’[7]. It would prohibit the transmission of a Spyware program to a covered computer (one used by a financial institution or the Federal Government), and prohibit the collection of personal data, unless the user of the computer expressly consents to such transmission in response to a clear and conspicuous request or through an affirmative request for such transmission, and clear supplier contact information is given. Enforcement provisions will include criminal penalties.

Liz Figueroa,[8] the California state senator, is in the process of drafting legislation[9] to require Google to give full disclosure as to how Gmail content will be scanned and how the information will be used. They seem to have reached agreement in relation to California users and Californian suppliers. Bill SB 1822 does not restrict the scanning of e-mail messages for marketing purposes in real time, but does restrict Google from transferring data to any third party, and requires deletion of messages from the server upon the user’s request. Not before time since, under a recent case, it was successfully argued that an ISP’s monitoring of a user’s e-mails from a third party to gain commercial advantage was not in violation of the Wiretap Act as long as the e-mails had finished their journey and were resting on the local server.[10]

The aspect that seemed to have Google most concerned during the debate on the Bill was the concept that external senders should consent (i.e. someone using a Hotmail account shouldn’t have their e-mails scanned just because they are e-mailing a Gmail account – unless they give consent). The current version of Bill SB 1822 doesn’t require consent. Consent puts a significant limit on the commercial model. It wouldn’t be easy for e-mailers to a Google e-mail account to give consent. Nor could Google just ignore e-mails where the ‘from’ address isn’t a Google subscriber – it’s core to the nature of e-mail to be able to forward or reply to chunks of the sender’s e-mail.

So These Things are Legal in the UK?

Adware, Spyware and e-mail monitoring are recognised as having a legitimate commercial role. Clear information and permission are all that’s required in the UK.

The benefits to the advertisers are obvious – better return on investment. Car hire adverts delivered whilst you are surfing the holiday pages are more likely to be effective.

The volume of interfering adverts, junk e-mail, slow processing speed, and security are concerns for the user; however, users aren’t necessarily against all monitoring technology, and the new legislation may not be the death knell for companies that take note of it. It all depends on there being an established benefit for users.

Cookies are well received due to the utility value they give. They save a great deal of time when returning to Web sites. The trial runs of Gmail seem to show there are many users willing to put up with relevant adverts in return for the benefit of expanded storage space.

Adware needs to give some benefit. This could be as simple as getting better at what it does, and developing into a positive service. With any luck we can look forward to the day when monitoring software is the equivalent of a research assistant and personal shopper, enabling a user to find, without prompting, the relevant legislation and the best bargain on a CBR1000RR FireBlade with a cut-down seat.

Of course that day is some time off. In the meantime users can take practical steps to avoid Adware and Spyware.

1. Only install if the item is from trusted sources. Read contractual terms, and check additional items are not ‘bundled’. Be wary of ‘freeware’.

2. Don’t have your Outlook window set to ‘view’ messages automatically. Don’t open obvious spam.

3. Set your browser not to allow third-party or session cookies without prompting.

4. Delete your temporary Internet files and file history regularly.

5. Keep your Microsoft security updates up to date. Use a firewall and anti-virus software and keep it up to date. Use a trusted Adware/Spyware killer.

Hazel Randall is a solicitor with niche technology law firm v-lex Ltd.

[4] Electronic Communications Guidance. Version 2. November 2003

[5] Guidance To The Privacy And Electronic Communications (EC Directive) Regulations 2003. Part 1: Marketing by Electronic Means

[6] Referred to more snappily by Congresswoman Mary Bono as SPY ACT (Securely Protect Yourself Against Cyber Trespass Act).

[7] The Committee on Energy and Commerce. Joe Barton, Chairman. U.S. House of Representatives Markup of H.R. 2929, the Safeguard Against Privacy Invasions Act

Bill status:

[8] Liz Figueroa D-Fremont Senate District 10. State of California.

[10] A Federal appeals court in Massachusetts ruled that an e-mail provider did not break the law (Wiretap Act) when he copied and read e-mail messages sent to customers through his server provider to gain commercial advantage in his book-selling business.