The Hindu Business Line : The spy in your system

Warning: Software May be Hazardous to your Privacy!' How eerie, but that's the title of a recent paper by Daniel Garrie of Rutgers, the State University of New Jersey. "Spyware poses a serious threat of privacy infringement to unassuming Internet users across the globe," cautions the abstract.

For starters, spyware is any software that secretly gathers user information through his Internet connection. Where does it come from?

"Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware," explains www.pcwebopaedia.com.

What does it do? "Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers," is more about the creepy mole in the machine!

Garrie's paper touches upon existing European legislation that attempts to protect end-users from unethical processing of their personal data. "Spyware found in 30 per cent of European businesses," read an alarming post on www.out-law.com, years ago. And the topic continues to be in the limelight.

For instance, www.pcadvisor.co.uk has an article by Jeremy Kirk, dated June 5, where he speaks about Sony BMG Music Entertainment. The product included copy-protection software on an estimated 15 million music CDs!

"Security experts found last year that the software installed itself without the consent of users, was difficult to remove and secretly communicated with company servers, the sort of behaviour that commonly earns software the label spyware," states Kirk, citing a recent report of the UK's All Party Parliamentary Internet Group on DRM (digital rights management), the encoded restrictions on the use of digital files.

"Organised crime - increasingly from Eastern Europe and Africa - is responsible for data breaches," reads a chilling message from www.online-casinos.com in a recent posting. "Cyber criminals have resorted to extortion, demanding money in exchange for not erasing an agency's or organisation's data or instituting denial-of-service attacks. They employ people to write spyware, botnets and other types of surreptitious software that hide in computers and capture keystrokes and other data," it states, quoting Eugene Spafford, a computer sciences professor at Purdue University.

And Garrie might agree. For, he frets that spyware technologies are skirting the current laws and often times breaking them entirely. "Outlawing the technology used in spyware and strengthening the legal consent requirement to mine data are statutory solutions that can prevent spyware users from skirting the law," he proposes, quite optimistically.

Let there be an internationally standardised technology education system for the judiciaries in Europe and the US, Garrie wishes. Such an approach can ensure that when spyware users do break the law, they cannot hide by escaping from one nation to another without being held accountable, reasons the author. "Transnational improvements are necessary to remedy the global spyware epidemic."

That may seem too idealistic a hope, in the light of what's happening around. "Microsoft faces second class-action spyware lawsuit," reports Seattle Times, as on July 4. `Spyware popping porn in all the wrong places,' says ZDNet, even as VNUNet.com informs, `Spyware attacks triple in 2005'.

Is spyware turning to be the spy we may have to reconcile to live with?

The evil ghost within!

Another paper that you can spy on the same theme is Coddling spies: why the law doesn't adequately address computer spyware, by Alan F. Blakley, Daniel B. Garrie and Matthew J. Armstrong. A section titled `the evil ghost in the machine,' with which the paper begins, notes that connecting to the Web is not like opening a book in the library and looking at its contents.

"While the person accessing the Web is gathering information from the site, the site knows the visitor is there, is monitoring the visitor's actions and has varying levels of access, by the visitor's invitation, to that visitor's computer. One of the earliest forms of this active interaction was cookie technology," educate the authors.

"Web-based businesses like cookies because they can use them to track `Web surfing behaviour or patterns.'

Businesses can target their advertising and show users products of interest based on past purchases," explains the paper.

Technology helps businesses to be competitive, thus, but the flip side is that many illegitimate tools have been developed along with the legitimate ones for the purpose.

The paper's proposal is that legislation should mandate `clear and explicit warnings in plain English' before a site installs an application onto the other user's computer.

This should enable the user "to understand exactly what the application will do, including the information it will gather, who will receive the information, how it will be used and any potential modifications of the user's system the application will cause." In the view of the authors, `click-through' and `end-user licence agreements' are not acceptable. "First, the agreement must begin with a conspicuous statement that by accepting the terms, the user is authorising outside access to the user's information. Perhaps examples of the information to be collected and mined would be included."

The paper is a useful resource for the law-avid because it discusses the US law on the subject, including the Computer Fraud and Abuse Act, the Stored Wire and Electronic Communications and Transactional Records Act, and the Wiretap Act.

More resources

Catch up on www.ssrn.com also with: `Rethinking Spyware: Questioning the Propriety of Contractual Consent to Online Surveillance' by Wayne Barnes; `Spyware and the Limits of Surveillance Law' by Patricia L. Bellia; `Contracting Spyware by Contract' by Jane K. Winn; `First do no Harm: The Problem of Spyware' by Susan P. Crawford; and `Regulating Spyware' by Peter S. Menell.

http://IT-in-the-works.blogspot.com