Law in the Internet Society
"What I Did Over Summer Vacation"

My summer was swell. I interned at EPIC. This was my first chance to adapt law school habits to the workplace. In the fast-paced world of Capitol Hill, and of electronic privacy, assignments changed too quickly, and their subject matter was too novel and complex, to permit me the luxury of analyzing every contingency of every possible issue. I gradually adjusted to mass-producing sufficient work rather than hand-crafting perfect work. With each project that passed my desk, my school-honed intensity loosened, notch by notch, and my output became more functional and less abstract. As a result, my first project was my favorite.

On our first day, Marc received a last-minute invitation to testify before a Senate subcommittee regarding S.1625, the "Counter-Spy Act," which would expand the FTC's leverage against purveyors of spyware. By tomorrow night, he needed a briefing on the FTC's current authority against spyware. "My suspicion --" mused Marc as we returned to our desks, "-- is that this bill will snag on the definition of spyware."

I was gratified when they also asked for a volunteer to write EPIC's new spyware info page. For reasons outside my control, my work never reached EPIC's website. However, I found the process of researching, understanding, and formulating the spyware-definition problem to be both fulfilling and insightful. I enjoy journalistic writing, I believe there exists a best possible way to translate arcana into public language, and I felt that if I was to distinguish EPIC's new spyware page from all the competition on the web, I had to write that translation. One Senator (yes, it was Alaska Senator Ted Stevens!) asked an FTC commissioner, "Do you believe that there is such a thing as legitimate spyware?" Senator Stevens is not the only person who asks this fraught question, and that commissioner is not the only person with no idea how to answer it. If the definition of spyware was (in Marc's opinion) the snag, then it seemed worthwhile for me to try to define it -- or to account for the controversies that complicate the effort.

In the spyware context, I found four major areas of disagreement which few people take the trouble to make explicit.

1. What constitutes “knowledge and consent”?

Everyone agrees that “spyware” should only apply to software that operates without the user’s knowledge and consent. However, that definition begs the question of how and when consumers need to be told about software installed on their computers for consent to be adequate. For example, the Anti-Spyware Coalition, which sets standards for anti-spyware vendors, models spyware as a balance between “risk” factors and mitigating “consent” factors. But it then concedes that “ultimately, the decision on what rating to give and what risk model to use falls to the individual Anti-Spyware vendor.” Elsewhere, the ASC more broadly defines spyware as “technologies deployed without appropriate user consent and/or implemented in ways that impair user control over (1) material changes that affect their user experience, privacy or system security; (2) use of their system resources, including what programs are installed on their computers; and/or (3) collection, use, and distribution of their personal or other sensitive information.”

The ASC’s definitions are intentionally vague precisely where it matters: by not defining “consent” and “risk”, it leaves it to the various anti-spyware companies to decide whether targeted advertising benefits consumers, or what constitutes sufficient consent in a EULA.

The ASC is right to concede that this ambiguity cannot be removed. With proper “notice, consent, and control,” the same technologies that have been used to harm or annoy computer users can provide important benefits: “Tracking can be used for personalization, advertisement display can subsidize the cost of a product or service, monitoring tools can help parents keep their children safe online, and remote control features can allow support professionals to remotely diagnose problems.”

2. What constitutes “harm”?

Again, the ASC's "risk" factors beg the question of what constitutes a harm. Some treat software that “trespasses” on a computer as spyware because they consider trespass to be per se harmful, even if the software is otherwise benign or beneficial. Others focus on “nuisance” software, such as software that provides pop-up ads. But these definitions omit the invisible harm in data-gathering software that does not rise to a nuisance and is undetectable, because it does not alert a user to remove it from his computer. Other externalities are also not felt as "harms" by the user. An innocent user’s hard drive may unknowingly be used to generate “zombies,” or automated spam emails. ISPs or computer makers often bear the blame for harms caused by spyware. And spyware may also defraud legitimate online advertisers, for example by automatically activating pay-per-click advertisements.

3. Is “spyware” limited to “spying”?

Limiting spyware to "spying" would overlook software that otherwise creates hazards or nuisances interfering with users’ enjoyment of their computers. By contrast, the Federal Trade Commission’s “guiding principles” defining “unfair and deceptive” software practices focus on lack of consent rather than on spying. They establish that Internet businesses are “not free to help themselves” to a consumer’s computer resources.

4. Is “spyware” limited to “software”?

In this area, I disagree with EPIC's implied approach. The staff attorney asked me not to limit "spyware" to software (so that it encompasses new, online threats like Facebook Beacon), and that is how I wrote the document. However, people rarely deal with this question head-on. Even Marc's Senate testimony talked about "Privacy Threats Beyond Traditional Spyware Programs," so it is ambiguous whether he regards cookies & Beacon as "threats other than spyware," or "spyware threats other than programs." I think it would be strategically better to regard non-software threats as "threats other than spyware," for three reasons: 1) the term "spyware" is a portmanteau based on "software"; 2) we use "adware" and "malware" and "trespassware" to characterize software nuisances that go beyond spying; and 3) I think we can rely on the creativity of the web community to come up with a new word that suits new threats. I am less worried about closing imaginations by limiting the term "spyware" to spying software than I am about closing imaginations by stretching "spy-ware" to cover non-spying non-software, when lazy thinkers will tend to move from "spyware" to spying software.

-- AndrewGradman - 18 Dec 2008

r6 - 22 Dec 2008 - 01:19:21 - AndrewGradman