Viruses and spam get all the attention, but there is another, less visible, threat to internet users that may already be lurking on your computer without your knowledge. “Spyware”, as it is known, is software that sneaks on to your PC, tracks your online activities, and occasionally splashes pop-up advertisements across the screen. It is more than a nuisance: such software is, in effect, hijacking your PC, monitoring your internet use and unilaterally opening browser windows. Some spyware also harvests personal information, such as your e-mail address and location — or even your credit-card details.
The rapid growth of spyware over the past year, and the legal ambiguity surrounding it, has brought it to the attention of regulators and lawyers in America and Europe. This month, a court in Utah will hear a case challenging the first state law that would ban it. Unless the software is stamped out, it could do to the web what spam has done to e-mail: create an annoyance of such magnitude that the internet may become less useful.
The practice is widespread. Spyware that monitors a user’s online activities and triggers advertisements in response is present on over 4% of computers, according to one study. The top three spyware firms claim their software is installed on around 100m PCs. Yet most users are unaware it is there. That is because the software is usually installed in a “bundle” with other programs, such as the peer-to-peer file-trading software with which many internet users swap music. Another kind of spyware automatically installs itself when a user merely visits a particular site, a trick known as “drive-by downloading”. Having sneaked on to a PC, spyware applications can severely degrade its performance. In most cases the spyware is very difficult to remove; some programs are even designed to make removal as hard as possible.
The most nefarious forms of spyware steal information such as credit-card numbers or passwords by monitoring every keystroke a user types. This kind of software is already illegal, and is relatively rare. Much more common, however, is advert-triggering software, produced and distributed by software companies operating in a legal grey area, who prefer to call their products “adware”. There is real money to be made in hijacking screen real-estate and selling it to advertisers: the largest adware firm, Claria, had revenues of $90.5m in 2003 and recently announced plans for an initial public offering.
Though less devious than outright surveillance, this form of spyware can nevertheless harm consumers and online businesses, by diverting users away from the sites they have chosen to visit and by displaying a competitor’s site or advertisement instead. Until recently, for example, German internet users visiting the national site for Hertz, a car-rental firm, were, if Claria software was installed, shown advertisements for rival car-rental firms instead. Hertz sued, and in March a German court ordered Claria to stop the practice.
In America, several firms have sued competitors and spyware firms over trademark and copyright infringement, as well as unfair competition. Many of these cases have been settled out of court, which lowers costs and speedily resolves the matter. But this means that no legal precedent is established. Where courts have ruled, their decisions have been inconsistent: hence the growing interest from policymakers in drawing up legislation.
Earlier this year the state of Utah passed a law banning spyware unless it tells users that it is being installed, asks for their consent, and can be removed. Context-triggered pop-up advertisements were made illegal without the permission of the targeted website. One spyware firm, WhenU, immediately sued to block the law, partly on the grounds that it violated free speech; this will be the subject of a hearing next week. Other states that are considering legislation, including California, New York, Iowa and Virginia, are watching closely. So are federal lawmakers: Congress has drafted two bills restricting spyware and the Senate is debating a third.
These bills are similar in calling for notice, consent and ease of removal. (A European Commission privacy directive in 2002 takes a similar line.) Yet they differ in strength, depending on whose interests they aim to uphold. States such as Utah lean towards consumers, and take a stringent position on what is permissible. The legislation proposed by federal policymakers and by California, by contrast, favours the technology industry with a softer stance. The industry, for its part, is divided. E-commerce sites, which are often the victims of spyware, typically call for new laws, while technology firms fear that legislation could outlaw some of their existing practices. For example, Google’s search toolbar has a feature that can collect data if users allow it.
Moreover, some companies that oppose spyware also happen to profit from it. For example, Dell, a computer-maker, has complained that spyware is the main reason for customer calls to its technical support lines. This hurts its brand. In Britain, however, the company has become a customer of Claria, and its ads pop up when users visit the websites of rival firms such as IBM. And in May, Yahoo!, a web portal, released a browser add-on that can block pop-up ads, even though Overture, its ad-placement unit, is responsible for 31% of Claria’s revenue.
The analogy with spam is informative. If legislators had acted sooner, it might have been possible to prevent spam from spiralling out of control. Does that suggest that legislation against spyware will also prove ineffective? Not necessarily, because the people behind spyware are a centralised and traceable group of companies, unlike spammers. Lawmakers have an opportunity to nip spyware in the bud, and help to ensure the integrity of the internet. They should take it.