Advertising has entered a new age, where adware programs
enable adverts to be placed onto users' desktops while they browse
the internet.
In their most innocent form, adware programs deliver adverts to
a user's desktop without collecting data relating to the user. But
concerns arise when programs "spy" on internet users, tracking
their habits - often without the user's knowledge and consent.
These programs, known as spyware, can monitor users' internet
browsing habits in order to tailor adverts to their interests.
Worryingly, this information is sometimes collected and used by
third parties, again without the user's knowledge and consent. In
2003, the US Federal Trade Commission felt that the threat was
sufficiently serious to issue a warning to consumers.
What should businesses know about the potential legal risks
posed by adware and spyware? The legal distinction between spyware
and adware is cloudy, and UK courts have yet to examine the issue.
For now, laws relating to data protection, intellectual property
and employment may provide some guidance.
The Data Protection Act has the primary aim of protecting an
individual's data from illegitimate or excessive use, and providing
safeguards for individuals when their personal information is
processed.
The act outlines eight data protection principles. The principle
of "fair processing" requires that the user is given information on
how their personal data will be used.
Under the act, individuals may request that their data is no
longer processed for marketing purposes, and companies in receipt
of such requests must comply. Damages may be payable where an
individual can show that they have suffered damage and distress as
a result of breaching the act.
The Privacy and Electronic Communications (EC Directive)
regulations relate to cookie-type devices that store a user's data.
These regulations, along with guidance from the Information
Commissioner (an independent authority, which enforces and oversees
the Data Protection Act), indicate that whilst the use of such
devices is not prohibited, subscribers and users should be given
the choice as to which of their online activities are monitored in
this way. The regulations do not, however, specifically address
spyware and adware.
Users should also be given the opportunity to refuse the use of
a cookie-type device as well as a clear choice as to whether or not
they wish to allow a service provider to engage in the continued
storage of their information.
The regulations do not specify the manner in which users should
be given this opportunity, but state that it should be presented in
clear, intelligible language and should appear in a way that is
"prominent".
If adverts are displayed whilst the user is visiting a
competitor's website, intellectual property rights could be
infringed.
A company could have grounds to say that its intellectual
property rights have been infringed by adware if it can show that
such placing of adverts misrepresents its own brand and that this
leads to confusion amongst consumers as to the source of the
product.
The issue of advertising on a competitor's site through the use
of adware remains to be conclusively tested in the English
courts.
Businesses can use spyware to monitor employees' internet use.
However, the Employment Practices Code makes it clear that such
practice will generally be considered intrusive, as employees are
entitled to a degree of privacy in the workplace.
Employers must notify employees of monitoring policies, both
those in place and any subsequently introduced, in all instances
identifying the policy's purpose.
Covert monitoring is the only exception to this. The Information
Commissioner considers this justifiable in only very limited
circumstances.
Most of the legal developments relating to adware and spyware
have occurred in the US. For example, internet security firm
Symantec is currently taking action against internet tools supplier
Hotbar for the right to classify certain Hotbar programs as
adware.
This case highlights the difficulties facing internet security
firms and has the potential, should Symantec lose, to allow
software companies to challenge the right of security firms to
screen out software that possesses only some of the attributes of
spyware and adware.
Additionally, further moves have been seen in the US to
introduce anti-spyware legislation. The I-SPY Prevention Act (2004)
attempts to draw a legal distinction between adware and spyware,
and makes it an offence to access a PC through the use of spyware
without the user's permission.
However, any successful regulatory approach must be taken
globally, or the impact on restricting such programs will be
minimal. Some observers doubt the impact that legislation can have
on "technological" problems, feeling that it will fail to prevent
frivolous lawsuits being brought against security companies. They
also highlight the attempts that were made previously to outlaw
spam.
Others fear that the introduction of legislative measures will
impact adversely upon legal software programs. They would instead
prefer to see advances in technology to prevent the distribution of
malicious programs.
What steps can users take to prevent the downloading of unwanted
adware or spyware programs?
Domestic regulations simply require that a user is given a clear
choice of what online activities are monitored by spyware devices
and is provided with a clear means to prevent such programs
operating on their computer.
Users can screen against malicious software by maintaining
up-to-date internet security systems. Simple steps can also be
taken to prevent downloading malicious programs: carefully choosing
which websites to visit, reading terms and conditions attached to
software before downloading from the internet and never opening
e-mails that are considered suspicious.
Simon Shooter is head of commercial and technology and
Edward Bodey is a trainee solicitor, commercial and technology, at
law firm Barlow Lyde & Gilbert