Tradesecrets
- May 2005 -
SPYWARE and ADWARE:
Is Your Company Protected?
Spyware is becoming an
increasingly prevalent tool that is used by internet marketing companies
and others to gather information about computer users’ activities on the
Internet. It is widely reported that some spyware is also being used to
obtain personal information about visitors to the Internet in order to
facilitate identity theft or worse.
What is it and how did I get it?
In its most basic sense,
spyware can be defined as “any software program that aids in gathering
information about a person or organization without their knowledge, and
can relay this information back to an unauthorized third party.” This
definition was proposed by an industry trade group and probably enjoys
general consensus in the industry. While there are many ways these
software programs can be delivered, they usually end up on a user’s
computer by being surreptitiously downloaded in the background while the
user is visiting a participating Web site. Once the code is inserted
into the appropriate places in the user’s browser, it can collect
information such as passwords, credit card numbers, and social security
numbers, or it can monitor and report behavioral information such as the
user’s favorite Web sites or Internet purchasing habits.
Adware - Spyware’s nicer cousin
Spyware is often grouped
together with adware, although there are some significant differences
between the two. While the main purpose of spyware is to obtain
information about a user, the main purpose of adware is to advertise.
Usually, this advertisement is accomplished through pop-up ads, but
recently, adware manufacturers have gotten more clever and have figured
out ways to, for example, cause the user’s browser to display search
results determined by the advertisers instead of the search site. While
some adware programs may use tactics that are similar to spyware, they
claim to do so with the knowledge and consent of the user — although
this claim is often disputed by the user who is sick of pop-up ads.
Typically, adware finds its way onto the user’s computer by being
“bundled” with other applications that the user actually wants. One of
the main issues with adware is that the user often does not know he is
downloading the adware code along with the desired application.
Many adware companies currently argue that their software is only
downloaded with the consent of the user. What they do not tell you is
that consent is often given by way of a long, complex and burdensome
notice agreement. The typical user, instead of reading the entire 40- or
50-page pop-up consent regarding what is being downloaded, will simply
click “OK” in order to download the program she wants. What users miss
by not reading that long notice is that, bundled along with the software
they wanted, there is a spyware or adware program.
What is the government doing about it?
Since spyware is universally
seen as a threat to Internet users, several states have taken steps to
attempt to outlaw it. California, Washington and New York have been the
most active in the field of spyware prevention, with California actually
having its law on the books. All other states discussed here have
legislation proposed and in various stages of the legislative process.
All three states would or do prohibit the deceptive use of computer
software to:
- Modify another person’s internet settings,
- Collect personally identifiable information from a person’s computer,
- Prevent another user’s ability to block or remove spyware or adware by making the software automatically reinstall,
- Intentionally misrepresent to a user that software will be disabled or removed by a certain action when it will not, and
- Intentionally remove, block, disable or render inoperative another user’s security, anti-spyware or antivirus software.
Also to be prohibited by all
three states are actions such as:
- Sending “spam” or “junk” e-mail from another person’s computer without their authorization,
- Causing another user to incur financial charges for a service not authorized by the user, and
- Unauthorized opening of multiple advertisements on another user’s computer which the user can’t close without closing the Internet browser or turning off the computer.
While California and
Washington provide for civil penalties for spyware violations, New
York’s new bill would make spyware violations a criminal act. The first
violation would be a Class “A” misdemeanor, punishable by up to a year
in prison and a fine of up to $1,000. A second violation within a 5-year
span would be a Class “E” felony, punishable by up to four years in
prison and a fine of up to $5,000.
Alabama, Arizona, Illinois, Kansas, Maryland, Nebraska, and Virginia
have all submitted legislation that is substantially similar to the
California law and the New York and Washington bills.
Proposed Federal legislation
On January 4, 2005, a bill
was introduced into the U.S. House of Representatives by California
Representative Mary Bono (R), called the “Securely Protect Yourself
Against Cyber Trespass Act,” or “SPY-ACT.” The stated purpose of this
bill is to protect users of the Internet from unknowing transmission of
their personally identifiable information through the use of spyware
programs. A virtually identical bill was introduced by Rep. Bono in
2004, and it passed through the House by an overwhelming vote of 399 to 1.
That bill, however, never came up for a vote in the Senate and had to
be reintroduced in 2005.
Much like the state laws and legislation discussed here, the SPY-ACT
would prohibit specific types of deceptive conduct in relation to a
third party’s computer. For instance, Section 2 of the SPY-ACT provides
18 specific “deceptive” practices which are prohibited by the Act. These
practices include phishing (using phony emails from credit card
companies or stores to get a user to enter personal information),
keystroke logging, homepage hijacking and ads that can’t be closed
except by shutting down a computer.
Section 3 of the SPY-ACT sets notice and consent requirements for
programs that collect personal information or track online activities.
One of the weakest points of the SPY-ACT, according to software experts,
is that Section 3 allows for a software developer to give a user
“notice” that either spyware or adware is going to be downloaded onto
their computer, and for the user to give “consent” to such downloading.
According to Section 3, there is no violation of the Act if notice is
given in the following manner, and the user consents:
- Notice must be “clearly distinguished” from other text on the screen,
- Notice must include this text: “This program will collect and transmit information about you” or “This program will collect information about the Web pages you access and will use that information to display advertising on your computer,” or substantially similar language,
- Notice must remain on the screen until the user accepts or denies consent, and
- Notice must provide the option of giving additional information about the program which is “clear” about the information collected and the purpose.
The provision that the notice
may contain “substantially similar” language has left the door open to
companies that currently use long, confusing notices as discussed
earlier. Such companies argue that they are already in compliance with
the federal legislation by providing a consent notice, even though the
notice is practically useless because the typical user won’t read it.
Penalties and Enforcement
The good news is that the
SPY-ACT has some teeth, in the form of hefty civil penalties of up to $3
million per violation. The bad news is that the Act gives enforcement
powers only to the Federal Trade Commission (“FTC”). The FTC has been
notoriously slow to enforce software protection laws, and although more
severe spyware acts could be actionable under the current FTC rules on
deceptive trade practices, the FTC has prosecuted only one such case to
date. Perhaps even worse, the SPY-ACT, if passed, will specifically
preempt any and all state laws on the subject. This would effectively
take enforcement power out of the hands of individuals who have the most
to lose.
What should your business do now?
The most important step right now
is for businesses to recognize that their computers and information
systems are at risk from threats such as spyware and adware, which can
transmit confidential information to third parties without the
business’s knowledge. You should be on the lookout for any such violations,
although for the time being only California has enacted laws against
such activity. All businesses should have a policy prohibiting employees
from downloading software from the Internet unless it has first
been checked out by their information technology department. Without
such a safeguard, no software should be downloaded from the Internet.
Also, companies should keep an eye on the federal legislation that is
working its way through the House. Based on the passage of practically
identical legislation last year, the SPY-ACT is almost guaranteed to
pass the House. The bill must then pass through the Senate, and be
signed by the President before it will become law.
Regardless of the Federal legislation, if you discover a spyware problem
with your computer system, please contact your Tucker
Arensberg lawyer because spyware may be actionable under current
deceptive trade practice laws on a state or federal level.