Would Legislation Against Spyware Do Any Good?

February 22, 2005
"Spyware is sending back information about our online life that we don't realize others know," said panelist Susan Crawford.

Legislation against computer spyware is not going to stop it, but it might reduce the problem, according to panelists at the "Real Law and Online Rights" conference sponsored by the Virginia Journal of Law & Technology Feb. 19.

While the term has been difficult to define, spyware has thoroughly invaded our computers, according to Derek Bambauer, Resident Fellow at Harvard Law School's Berkman Center for Internet and Society. Asked by relatives over the Christmas holidays to fix various problems with their computers, Bambauer said that he was shocked by the "vast and fascinating ecology of spyware" he found "that even challenges technologically savvy users."

Surveys show that 77 percent of people believe their computers are free of spyware, but in fact it's present on 80 percent of computers, he said.

Susan Crawford, assistant professor of law at Cardozo School of Law at Yeshiva University in Manhattan, proposed to define spyware as software that a computer user doesn't know about that sends information about the user to a third party. Most of us consider that practice an invasion of privacy.

Derek Bambauer said spyware is on 80 percent of computers.

"Spyware is sending back information about our online life that we don't realize others know," she said, adding that it may be a prima facie tort. "Spyware feels like a bad relationship. It's like a surveillance camera or a blackmail note because it creates an oppressive relationship.

"What we're really concerned about is people creating dossiers on us," she summed up, adding that companies such as Choicepoint have already done so.

Some intrusions are relatively harmless, Bambauer said, but some software now tagged "malware" has "a high risk of compromising the computer." The problem of controlling spyware's spread has been complicated by the fact that the Internet has become the preferred way to distribute new software to users, he added.

Figuring out how to discourage new spyware is really the problem of "designing smarter users," he said. "Many users are naïve and not paranoid enough. They consent to things they should not, and would not if they thought more about it. They invite one program in and others are then installed by it that you don't know about and that resist extraction."

Current legislative proposals would require that computer users be informed about software entering their machines and given a chance to refuse it.

For Bambauer the key element in designing anti-spyware laws will be factoring in our cognitive biases. Our attitudes are preventing us from taking precautions, he said. Our prevailing biases incline us to assume that software is helpful, that it is reversible, and that it is minimally intrusive. Typically, we are optimistic about what a software program can do for us and likely to underestimate the risk and scale of possible harm it might do. "Do we actually read and understand the end-user license agreements [that present themselves when we install software] before we agree to them?" he asked rhetorically.

Bambauer was dubious about the effectiveness of legislation. Spyware is easily moved offshore, just as spam e-mail was after legislation was passed against it, he said. Meanwhile, consumers should consider their platform choices. "Microsoft seems to be getting the message," he said, "But we need to keep the pressure on. We need to consider switching to other programs."

Crawford was more emphatically skeptical about a legislative strategy.

"It's a crucial technology design moment for us. We've taken an inoculation approach, but we need an immune network approach." The body's immune system is capable of resisting unforeseen varieties of diseases, she explained. "It doesn't know what's going to come at it.

"We'll never ever win. It's a dynamic ongoing relationship. There will always be flare-ups."

Given that, "It's a bad idea to design software in legislatures," she said. We would be annoyed by the constant intrusion to question us about whether we were going to give formal consent to a software program, she predicted.

Chris Hoofnagle was optimistic about government regulation of spyware.

Legislators are willing to write laws about spyware because they feel pressure from relatives, she said, but in fact most lawmakers do not understand how the Internet works. "How can you be against something called spyware?"

Legislation is likely to be "very prescriptive of software design" and "it's doomed to be ineffective, just like the spam law.

"The thing to do is facilitate development of rich immunity networks. What does that mean? You would learn the code paths and block them. We should think of them as groups of networked organisms," she said, adding that there is evidence that spyware is diminishing as Internet service providers get better at spotting it.

Chris Hoofnagle, associate director of the Electronic Privacy Information Center in San Francisco, was more hopeful about government involvement. "I have more faith in legislation than in letting the market regulate the problem." He said that where legislation has tried to protect privacy it does have the effect of limiting the offending practice. Laws prevent television cable companies from collecting and selling information they could get about what we are watching, for example, and spam faxing is also outlawed.

"Have some faith in legislators," he said. He praised a California anti-spam law that "gives you a way to sue the spam sender."

He recommended that spyware be approached as a "collecting-personal-information problem, rather than as a software design problem."

"The advertising industry is pushing a lot of these practices. This industry will stop at nothing," he said, and is even willing to pay people for the use of their foreheads as billboards.

"Our premise at EPIC is that if information can be collected, it will be, and if it is, it will be sold."

"You don't have to do anything wrong to be impacted by privacy invasion," Hoofnagle warned. He told the story of a Washington D.C. firefighter who was arrested on suspicion of arson after an investigation of purchases he made with a grocery story discount card showed that one product was a potential fire accelerant. He was not freed until the real arsonist confessed.

"Adopting a minimization principle would help. If we think of the problem as notice-and-choice, we're going to lose. If we had done something about cookies in the '90s, we could have done better with spyware today."

He suggested that a "public utility" be formed to monitor spyware. "The Do Not Call List has been a big step forward for privacy. If you put burdens on information collection, it will reduce collection. He also suggested that laws require the destruction of personal information after a certain period.

When a student suggested that we should simply lie when asked for personal information," Hoofnagle observed that, "Lying doesn't always work. If you pay for something with a credit card, you've given them a way to check behind you."


Founded in 1819, the University of Virginia School of Law is the second-oldest continuously operating law school in the nation. Consistently ranked among the top law schools, Virginia is a world-renowned training ground for distinguished lawyers and public servants, instilling in them a commitment to leadership, integrity and community service.

News Highlights