Monday, April 26, 2004

NY Senator Suggests Criminalizing Spyware

Senator Michael Balboni has introduced a Bill in the NY state Senate to regulate spyware!

The other NY bills, A 8035 and S 5239, which were introduced in April 2003, were referred to the Consumer Protection committee on January 7, 2004.

Friday, April 23, 2004

This is a good article, which articulates the point I made in my last post. Utah's spyware law and the other proposed state and federal legislation go well beyond the goal of restricting the use of secret software spying mechanisms unknowingly downloaded onto a user’s computer and impact legitimate business practices.

I think the EU is a step ahead of the US in addressing this problem while attempting to regulate spyware. The EU Directive on privacy and electronic communications (Electronic Privacy Directive), which was adopted on July 12, 2002, includes provisions relating to Spam and SMS marketing and also specifically targets technical methods of data collection and processing that are performed by software and hardware on the Internet without the knowledge of Internet users (this is basically what is broadly referred to as 'spyware').

The Electronic Privacy Directive requires Member States to ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of users is only allowed if:

- users are informed of any invisible tracking devices or software that is placed on their computers
- users are informed of the purposes of such software and devices and the purposes should be legitimate (i.e. in conformity with established privacy principles)
- users are offered an opportunity to opt-out from the use of such devices or software.

The Electronic Privacy Directive covers spyware, web bugs, hidden identifiers and other similar devices that can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. It is important to note that although the new provisions under the Electronic Privacy Directive target all technical methods of collection of data from the terminal equipment of users of electronic communications networks, the Directive recognizes that some non-obvious data collection technologies, such as "cookies", can be used as a legitimate and useful tool, for example, in analyzing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. However, even where devices such as cookies are intended for a legitimate purpose, they have to meet the two basic requirements (notice and an opportunity to opt-out). This may be a good approach to avoid restricting technologies that can have legitimate purposes and could be beneficial for users and the e-commerce industry as a whole.

If the US decides to tackle the problem of spyware through legislation, it should first recognize that such technologies raise concerns that are not limited to the protection of privacy rights and enter into the realm of trespass and the ability of an Internet user to control use of his/her terminal equipment. I generally agree with the EU approach, which builds on privacy law principles of notice and consent and ensures that non-obvious data collection technologies are only used for legitimate business purposes. However, the EU Directive is not without its drawbacks. Further, the implementation of the Electronic Privacy Directive into the national legislation of the member states has been slow, and therefore the true impact of the Directive cannot be assessed as of now.

Thursday, April 22, 2004

Utah's Spyware law may see some changes

Hot on the heels of the delay in the enactment of Utah's new Spyware law comes more news that the said law (in its present form) might not be the best solution to the problem of spyware.

This article makes important observations on the need for more public awareness and the drawback of having a law that has a negative effect on technology that is legitimate and has a beneficial use to consumers. On the issue of arriving at what would constitute reasonable standards of disclosure, this article rightly points out what companies should and should not try and get away with. I liked the comparison between WhenU's disclosure and that of the Google Toolbar.

I might be repeating myself, but I think there is a need to recognize that it is the use of the technology that is at issue here and not the technology itself. There is a need to outline what constitutes acceptable/unacceptable behavior and whether technological measures, greater awareness or a regulatory solution or a combination of these elements can make the Internet a safer place for consumers (without having to restrict technology and legitimate business practices that are fundamental to the future of the Internet).

WhenU Suit Delays Utah Anti-Spyware Law

The preliminary injunction hearing is scheduled for May 21 in the Third Judicial District Court of Utah. WhenU's ability to do business in Utah is at stake if the preliminary injunction is not granted.

Tuesday, April 20, 2004

Now that we know that the FTC has grasped the complexities involved with dealing with the problem of spyware and that they don’t support a quick fix regulatory solution, what does an internet user do? Fight spyware yourself!

You might have also heard that Earthlink currently offers a free service known as Spy Audit that analyzes the contents of a hard drive and provides a report of spyware programs it finds. According to Earthlink, "This free service examines your computer and lists spyware results in minutes. It will not change or harm your system in any way". Further, Earthlink has started to keep tabs on spyware. As reported earlier, Earthlink found an average of nearly 28 spyware items on each PC it scanned during the first quarter (1.06 million scans were carried out through its Spy Audit service for this purpose). Now did Earthlink independently run these scans, or are these the scans run by users who have availed themselves of the service? If the latter is true, then Earthlink definitely does not provide enough information about what the software does. Moreover, their privacy policy doesn't seem to have any information about data gathered by the software and how it is used. And lastly, the software starts scanning automatically once you click on the downloaded file, without providing any further information to the user. Hello Earthlink?

Former Collier Shannon Scott Partner to Spearhead Claria's Consumer Privacy Protection and Government Affairs Efforts

Just when I was wondering how Claria was going to fight the odds with their unproven and controversial business model that has been labelled by many as 'adware/spyware', they've gone ahead and recruited a really respected privacy lawyer. Great move! 'Behavioral marketing' (as they prefer to call it) is not going down without a fight.

Monday, April 19, 2004

FTC Takes On Spyware

While I applaud the FTC's current efforts to put a swift end to the new menace to Internet society, I cannot imagine a simple solution to the problem.

The FTC should rightfully be taking the lead in this endeavor, and should protect consumers from unfair and deceptive practices that can secretly gather data and ruin your computer and Internet connection. However, the FTC is definitely short of resources at this point to take on such a Herculean task, but hopefully it will see better days ahead.

As I mentioned earlier…the FTC workshop is a start in the right direction and I don’t want to say more on the possible outcome until there is some sort of consensus or concrete action plan. I must say, the early signs are encouraging and pretty much outline the current mess and the significant role the industry and technology can play, before one can think of implementing a viable regulatory solution.