When the Regulations came into force, much of the emphasis was on the implications for spam and cookies. The Information Commissioner has made it clear that certain provisions will also catch spyware.
The Regulations state that information must not be stored or accessed on a user's equipment unless the user is (a) given clear and comprehensive information about the purpose of the storage of, or access to, that information; and (b) given the opportunity to refuse the storage of or access to that information. While the CMA is a more suitable route for mal-spyware (because the penalties are more severe), the Regulations give a clear opportunity for action against adware. Where loss has been suffered there is a right to bring a civil claim under the Regulations and the Information Commissioner can also use his powers under the DPA to enforce the Regulations.
Practical obstacles to tackling spyware
Relative to some other jurisdictions, the UK appears well equipped with legislation to deal with spyware. In practice, however, there are a number of barriers to overcome, depending on the remedy being pursued. It is worth noting that in all cases, if any of the parties involved is offshore, the matter will become significantly more complex.
If the matter is a criminal one, the technical complexity of the cases, coupled with the need to prove a case beyond reasonable doubt, may mean the authorities are reluctant to pursue the matter (as they may not be confident of success). Regulatory intervention may prove easier, but as with law enforcement, the authorities have only a limited amount of resource and will need to prioritise the cases they investigate.
In a civil claim, the user needs to show loss. First, where the claim is for damages for loss of system stability, resource or bandwidth usage, this can be notoriously difficult to prove from a legal standpoint. Second, the loss needs to be significant enough for a user to go to the time, effort and expense of bringing proceedings. Third, finding who to bring the action against may prove very complicated. A huge range of parties may be involved in the propagation of spyware, from the adware developer, to the distributor of the software bundled with the adware, to the online advertising company using the software, to the organisations that utilise the software and use the data it transmits. Finally, one user of a PC may have downloaded the software, while a different user suffers the loss. Things become more complex if a child is one of the home users involved, or on a corporate network where the organisation has a different tolerance for spyware to the individual user.
We will need to watch this space to see how the case law develops in this area, but the prevalence of spyware suggests that despite the practical problems outlined above, we wouldn't bet against seeing some court action soon.







Talkback
I use anti-virus software, have a firewall and have installed spy-bot. I keep my antivirus sw updated and have installed all the Windows patches, including SP2. Spy-bot tells me when I am likely to download a threat, but I find that some of these threats are attached to websites that I could really not do without. For the time being, therefore, I monitor but do not remove, because I am not sure of the possible result. I think I am a reasonably well informed amateur/business user, but no expert. What I need to know, more than the name of the threat, is the type of problem that it may pose, so that I can make an informed decision. How can I find this out?
You have just asked the $64,000 question. Unfortunately, it's extremely difficult to answer.
I would assume that the sites you refer to would not intentionally be spreading malware. However, there is no guarantee that a cracker cannot compromise a site to have it start doing this. The Web server and operating system used by a site can affect its vulnerability. See the "What's that site running" feature on www.netcraft.com to get details. The Apache Web server running on Linux or one of the various flavors of Unix (Solaris, HP-UX, AIX, SunOS, BSD-OS, FreeBSD, NetBSD, and especially OpenBSD) has been more secure than Microsoft IIS running on Windows.
Adware can slow down your system or reduce your operating stability. The article also pointed out that a cracker may be able to compromise an adware program and therefore gain access to your system. Of course, an adware producer is unlikely to call attention to security concerns in a program.
If you have access to a "clean" machine, install your firewall and Spybot on it and go to one of your "must have" Web sites. Tell Spybot and/or your firewall not to allow anything to be downloaded or installed. See if you can still access what you want to on the site. However, I can't guarantee that if your clean machine accesses the site fine without the spyware, you will be able to remove the spyware on your production machine and not have that mess up something else.
I don't know if Spybot tells you what spyware may be installed. If not, try AdAware to find out what is on your machine. Then off to Google to look up program or file names.
Sorry about all the "weasel wording," but there are simply too many relevant things that I do not know. That's the big problem with spyware - not knowing (does it cause problems, is it hostile, is it secure, can I safely remove it, etc.).