Thin line between advertising and spying

Although the legal issues surrounding adware and spyware have yet to be fully examined in UK courts, the Data Protection Act and copyright laws can provide guidance


Advertising has entered a new age, where adware programs enable adverts to be placed onto users' desktops while they browse the internet.

In their most innocent form, adware programs deliver adverts to a user's desktop without collecting data relating to the user. But concerns arise when programs "spy" on internet users, tracking their habits - often without the user's knowledge and consent. These programs, known as spyware, can monitor users' internet browsing habits in order to tailor adverts to their interests.

Worryingly, this information is sometimes collected and used by third parties, again without the user's knowledge and consent. In 2003, the US Federal Trade Commission felt that the threat was sufficiently serious to issue a warning to consumers.

What should businesses know about the potential legal risks posed by adware and spyware? The legal distinction between spyware and adware is cloudy, and UK courts have yet to examine the issue. For now, laws relating to data protection, intellectual property and employment may provide some guidance.

The Data Protection Act has the primary aim of protecting an individual's data from illegitimate or excessive use, and providing safeguards for individuals when their personal information is processed.

The act outlines eight data protection principles. The principle of "fair processing" requires that the user is given information on how their personal data will be used.

Under the act, individuals may request that their data is no longer processed for marketing purposes, and companies in receipt of such requests must comply. Damages may be payable where an individual can show that they have suffered damage and distress as a result of a breach of the act.

The Privacy and Electronic Communications (EC Directive) regulations relate to cookie-type devices that store a user's data. These regulations, along with guidance from the Information Commissioner (an independent authority, which enforces and oversees the Data Protection Act), indicate that whilst the use of such devices is not prohibited, subscribers and users should be given the choice as to which of their online activities are monitored in this way. The regulations do not, however, specifically address spyware and adware.

Users should also be given the opportunity to refuse the use of a cookie-type device as well as a clear choice as to whether or not they wish to allow a service provider to engage in the continued storage of their information.

The regulations do not specify the manner in which users should be given this opportunity, but state that it should be presented in clear, intelligible language and should appear in a way that is "prominent".

If adverts are displayed whilst the user is visiting a competitor's website, intellectual property rights could be infringed.

A company could have grounds to say that its intellectual property rights have been infringed by adware if it can show that such placing of adverts misrepresents its own brand and that this leads to confusion amongst consumers as to the source of the product.

The issue of advertising on a competitor's site through the use of adware remains to be conclusively tested in the English courts.

Businesses can use spyware to monitor employees' internet use. However, the Employment Practices Code makes it clear that such practice will generally be considered intrusive, as employees are entitled to a degree of privacy in the workplace.

Employers must notify employees of monitoring policies, both those in place and any subsequently introduced, in all instances identifying the policy's purpose.

Covert monitoring is the only exception to this. The Information Commissioner considers this justifiable in only very limited circumstances.

Most of the legal developments relating to adware and spyware have occurred in the US. For example, internet security firm Symantec is currently taking action against internet tools supplier Hotbar for the right to classify certain Hotbar programs as adware.

This case highlights the difficulties facing internet security firms and has the potential, should Symantec lose, to allow software companies to challenge the right of security firms to screen out software that possesses only some of the attributes of spyware and adware.

Additionally, further moves have been seen in the US to introduce anti-spyware legislation. The I-SPY Prevention Act (2004) attempts to draw a legal distinction between adware and spyware, and makes it an offence to access a PC through the use of spyware without the user's permission.

However, any successful regulatory approach must be taken globally, or its impact in restricting such programs will be minimal. Some observers doubt the impact that legislation can have on "technological" problems, feeling that it will fail to prevent frivolous lawsuits being brought against security companies. They also highlight the attempts that were made previously to outlaw spam.

Others fear that the introduction of legislative measures will impact adversely upon legal software programs. They would instead prefer to see advances in technology to prevent the distribution of malicious programs.

What steps can users take to prevent the downloading of unwanted adware or spyware programs?

Domestic regulations simply require that a user is given a clear choice of what online activities are monitored by spyware devices and is provided with a clear means to prevent such programs operating on their computer.

Users can screen against malicious software by maintaining up-to-date internet security systems. Simple steps can also be taken to prevent downloading malicious programs: carefully choosing which websites to visit, reading terms and conditions attached to software before downloading from the internet and never opening e-mails that are considered suspicious.

Simon Shooter is head of commercial and technology and Edward Bodey is a trainee solicitor, commercial and technology, at law firm Barlow Lyde & Gilbert
