In our view, the key issue is transparency. The article has emphasised issues of consent, information and authorisation, but the uninstallation or disabling of the application is another area that requires transparency. Users should be able to easily uninstall the software, preferably using the standard "Add/remove programs" functionality.
The consent to install the software should be clear and unambiguous, taking into account the variable computer literacy of users. The terms and conditions should also make it clear what will happen to the harvested data and should comply with the usual DPA consent requirements.
For those people offering freeware/shareware that incorporates adware, the industry shows that offering people an alternative "paid for" version of the software without bundled adware can be a viable marketing model. If adware is the “price” of the software, then users should know what they are installing to enable them to judge if the price is too high.
Self-regulation, coupled with technical developments (such as P3P machine-readable privacy policies) may well be the ultimate solution to the spyware. In the meantime, the law will undoubtedly continue to develop and play a part in the spyware drama. As the plot unfolds, we suggest businesses take the following steps:
- Educate yourself -- and your employees -- the more you know about the problem, the better equipped you’ll be to spot problems;
- Read clickwrap licences carefully – don’t just blindly click on "I accept";
- Use an anti-spyware application – there are plenty of good ones available;
- Keep your software (particularly your operating system and browser) properly configured, patched and up to date and make sure you use anti-virus and firewall software.
Authors: Simon Briskman, Partner, Olswang (simon.briskman@olswang.com tel 0207 067 3163) or Mark Smith, Assistant Solicitor, Olswang (mark.smith@olswang.com tel 0207 067 3215). The information in this Update is for general interest only and readers should seek appropriate and specific legal advice before taking or refraining from any action. Copyright Olswang.
Talkback
I use anit virus software,have a firewall and have installed spy-bot. I keep my antivirus sw updated and have installed all the windows patches, including SP2. Spy-bot tells me when I am likely to download a threat, but I find that some of these threats are attached to websites that I could really not do without. For the time being, therefore, I monitor but do not remove, because I am not sure of the possible result. I think I am a reasonably well informed amateur/business user, but no expert. What I need to know, more than the name of the threat, is the type of problem that it may pose, so that I can make an informed decision. How can I find this out?
You have just asked the $64,000 question. Unfortunately, it's extremely difficult to answer.
I would assume that the sites you refer to would not intentionally be spreading malware. However, there is no guarantee that a cracker cannot compromise a site to have it start doing this. The Web server and operating system used by a site can affect its vulnerability. See the "What's that site running" feature on www.netcraft.com to get details. The Apache Web server running on Linux or one of the various flavors of Unix (Solaris, HP-UX, AIX, SunOS, BSD-OS, FreeBSD, NetBSD, and especially OpenBSD) has been more secure than Microsoft IIS running on Windows.
Adware can slow down your system or reduce your operating stability. The article also pointed out that a cracker may be able to compromise an adware program and therefore gain access to your system. Of course, an adware producer is unlikely to call attention to security concerns in a program.
If you have access to a "clean" machine, install your firewall and Spybot on it and go to one of your "must have" Web sites. Tell Spybot and/or your firewall not to allow anything to be downloaded or installed. See if you can still access what you want to on the site. However, I can't guarantee that if your clean machine accesses the site fine without the spyware, you will be able to remove the spyware on your production machine and not have that mess up something else.
I don't know if Spybot tells you what spyware may be installed. If not, try AdAware to find out what is on your machine. Then off to Google to look up program or file names.
Sorry about all the "weasel wording," but there are simply too many relevant things that I do not know. That's the big problem with spyware - not knowing (does it cause problems, is it hostile, is it secure, can I safely remove it, etc.).