However, if protected by a properly crafted licence, such applications aren't actually doing anything that's legally considered wrong. In the precedent-setting case Specht et al. vs Netscape Communications, the court found that two tests must be satisfied for a licence to be binding: the user must be aware of the licence, and the user must be required to accept it in some way. The licence included in Permissioned Media's FriendGreetings e-card passes both tests.

The viral Web greeting card attracts users with an email masquerading as a message from an acquaintance and stating that an e-card awaits at a Web site, such as "Friendgreetings.com" or "Friend-card.com." The email contains a link that, when clicked, will begin to download the infectious program. A dialogue box says the program is necessary to view the e-card. The installer requires that the user accept two end-user agreements that contain the following text, among other legalese: "As part of the installation process, Permissioned Media will access your MicroSoft(r) (sic) Outlook(r) Contacts list and send an email to persons on your Contacts list inviting them to download FriendGreetings or related products."

Many companies have already blocked access to Friendgreetings.com, but Permissioned Media has repeatedly changed the site's address and sent out a new batch of unsolicited email to users. "It's getting sneakier," said Alex Shipp, senior antivirus technologist for UK-based email service provider MessageLabs. The latest iteration of the email -- the fifth, said Shipp -- caused a spike in the number of messages blocked by the company's anti-spam filter this past weekend.

Yet, the licence gave Shipp pause. "It's a very difficult call," he said. "It behaves exactly like a virus but because it has this disclaimer, some companies think they could get sued if they stop it like a virus."
In 1998, some antivirus companies started blocking a utility called NetBus, which allowed an administrator to control a remote system. Like BackOrifice, the utility soon became a favourite way for hackers to send commands to systems over which they had gained control. However, when the program's creator decided to start a company to sell the product, he hired a lawyer to go after any company that blocked the tool. "Antivirus companies learned that they have to be careful what they block," Shipp said.

This time the lesson may be different, however; click-wrapped viruses may spotlight the flaws in the system. The laws under which online vandals and cybercriminals are prosecuted specify that intrusions into computer systems have to be unauthorised. Yet, a Trojan horse or virus wrapped in a click-accept licence could make the access authorised, and therefore not a crime.

"The question is that, when most people admit they don't read them, can licenses really give authorisation," said Stanford's Granick. "If you are a prosecutor in a cybercrime case, you argue not." But courts may have a tough time justifying that what goes for Microsoft and Brilliant Digital shouldn't also go for any other programmer, including a virus writer, Granick points out.

Not everyone is so sure, however. Network Associates' Gullotto wouldn't bet just yet that the laws are what will be altered. Users might just have to adapt instead, he said. "Times are changing," Gullotto said. "People have to know what they are opening up in email."






