UK legal position: computer misuse
There is an assumption that back home in the UK, the issue of spyware isn't yet on the legislators' radar: in fact, the situation is very different. Looking first at mal-spyware, the broad wording of the Computer Misuse Act 1990 (CMA) does a good job of coping with this threat. The CMA creates offences of unauthorised access to programs or data, unauthorised access with intent to commit a further offence, and unauthorised modification of data. Between them, these offences will catch most mal-spyware, primarily because of the wide definitions of terms like "access". In practice, as with many computer misuse issues, mal-spyware may prove difficult to stop. The high standard of proof required for criminal cases combined with the problems of crime detection and identification of the perpetrator (especially where the crime crosses national borders) and the limited resources of the specialist computer crime authorities mean the number of successful prosecutions is likely to remain low.
The recent All Party Internet Group Report on Computer Misuse (to which Olswang contributed) indicated that they felt the CMA covered mal-spyware and did not believe that the CMA should be extended to cover adware. The group went on to suggest that Ofcom (the communications regulator) should address this topic by educating users, working with the DTI to ensure sufficient consumer protection legislation and by working with software developers to create a code of practice.
Data protection issues
Putting mal-spyware on one side (on the basis that it falls within the scope of the CMA), the more complex issue is how English law treats adware. One of the key issues is the nature of consent. Much adware is bundled with other software applications (often freeware or shareware) or downloaded covertly ('drive-by downloads'). There is often a crude form of clickwrap software licence that users will need to accept before installing the application. Organisations using the software will assert that accepting this licence constitutes the user’s consent.
This practice may be sufficient to ensure that a court cannot find beyond reasonable doubt that the software is accessing the user’s machine or data without "authority" (and therefore will avoid the risk of a CMA prosecution). However, it is less clear whether this constitutes sufficient consent for other areas of the law, particularly as the wording of the licence may be complex or unclear.
Indeed, the All Party Internet Group suggested that the Data Protection Act 1998 (DPA) would be another possible legislative tool that could control spyware. Even if the initial capture of personal data using adware was lawful, the organisations subsequently using that data will need to ensure that their use complies with the DPA principles. The concept of informed consent is important from a DPA perspective, and transparency is key to the spyware issue. If users knew what applications they were loading onto their machines, and what these applications did (and could therefore give or refuse their informed consent), many of the adware industry's problems would be solved.






Talkback
I use anti-virus software, have a firewall and have installed spy-bot. I keep my antivirus sw updated and have installed all the Windows patches, including SP2. Spy-bot tells me when I am likely to download a threat, but I find that some of these threats are attached to websites that I could really not do without. For the time being, therefore, I monitor but do not remove, because I am not sure of the possible result. I think I am a reasonably well informed amateur/business user, but no expert. What I need to know, more than the name of the threat, is the type of problem that it may pose, so that I can make an informed decision. How can I find this out?
You have just asked the $64,000 question. Unfortunately, it's extremely difficult to answer.
I would assume that the sites you refer to would not intentionally be spreading malware. However, there is no guarantee that a cracker cannot compromise a site to have it start doing this. The Web server and operating system used by a site can affect its vulnerability. See the "What's that site running" feature on www.netcraft.com to get details. The Apache Web server running on Linux or one of the various flavors of Unix (Solaris, HP-UX, AIX, SunOS, BSD-OS, FreeBSD, NetBSD, and especially OpenBSD) has been more secure than Microsoft IIS running on Windows.
Adware can slow down your system or reduce your operating stability. The article also pointed out that a cracker may be able to compromise an adware program and therefore gain access to your system. Of course, an adware producer is unlikely to call attention to security concerns in a program.
If you have access to a "clean" machine, install your firewall and Spybot on it and go to one of your "must have" Web sites. Tell Spybot and/or your firewall not to allow anything to be downloaded or installed. See if you can still access what you want to on the site. However, I can't guarantee that if your clean machine accesses the site fine without the spyware, you will be able to remove the spyware on your production machine and not have that mess up something else.
I don't know if Spybot tells you what spyware may be installed. If not, try AdAware to find out what is on your machine. Then off to Google to look up program or file names.
Sorry about all the "weasel wording," but there are simply too many relevant things that I do not know. That's the big problem with spyware - not knowing (does it cause problems, is it hostile, is it secure, can I safely remove it, etc.).