Law and the Spyware Plague

After a U.S. Senate hearing earlier this month, one senator was quoted as likening spyware to "somebody walking around your house, kind of invisibly." The analogy was inadequate.

Spyware is more like someone planting hidden cameras and microphones around your house and office, and even in the bathrooms. It's just about the sleaziest online activity there is.

Given the severity of the problem, one might be pleased to hear that Congress seems fairly serious this year about doing something about it. But it's too soon to get our hopes up. For a variety of reasons, including the sheer indifference of the bad guys to the rule of law, this plague will be enormously difficult to slow, much less halt.

The stakes are high and growing. Nothing less than the future of online commerce and communications may ride on whether we find ways to deal with spyware.

One of the big problems is with definitions. Is "adware" -- software that pollutes your computer with unwanted advertising -- spyware? I think it can be, certainly when users don't realize that clicking "yes" on a terms-of-service box for a product will lead to the installation of adware. This is all too common.

The adware industry is making some moves toward real legitimacy. But as long as such software continues to find its way onto people's computers without genuine, knowledgeable consent, the adware industry won't have my respect. (I urge you to visit Harvard law student Benjamin Edelman's excellent site at if you are interested in the machinations of the adware companies.)

We can all agree that some kinds of malware are just plain bad. In this category, I'd include keystroke recorders and other surveillance tools that capture what we type and send it elsewhere. (I should note that companies put such things on employees' computers all the time. As long as they tell the employees they're doing it, they have the right, even if the practice is a bit nasty.)

The main problem with the proposed laws is the fact that the U.S. isn't an island on the Internet. The global nature of networks means we have to deal with international criminals.

"The guys out of Russia or wherever, they're untouchable," notes Richard Smith, a computer security expert. But having some new tools to fight domestic bad guys -- such as class-action lawsuits -- is better than nothing, he says.

In theory, current law already provides for prosecution and punishment of the worst offenders. Also in theory, software tools could solve the problem.

IT people need to explain to marketing people that it is never acceptable to install unwanted software on customers' computers. And marketing people need to understand what they risk if they go ahead and do it.

What they risk with me is simple: If I learn that a company has even attempted to pull a fast one, I put it on my personal blacklist, which means never doing business with it again.

I also never do e-commerce on a computer I don't own. And, given Windows' history as the vehicle for the worst spyware, I use a Mac.

I wish Congress the best in its efforts to help end the spyware plague. I suspect, however, that in the end, the law will be just one relatively minor tool.

Dan Gillmor, a writer based in Silicon Valley, is the author of We the Media: Grassroots Journalism by the People (O'Reilly Media Inc., 2004). Contact him at

Copyright © 2005 IDG Communications, Inc.

Shop Tech Products at Amazon