In their most innocent form, adware programs
deliver adverts to a user's desktop
without collecting data relating to the user.
But concerns arise when programs "spy" on
internet users, tracking their habits - often
without the user's knowledge and consent.
These programs, known as spyware, can monitor
users' internet browsing habits in
order to tailor adverts to their interests.
Worryingly, this information is sometimes
collected and used by third parties, again
without the user's knowledge and consent.
In 2003, the US Federal Trade Commission
felt that the threat was sufficiently serious
to issue a warning to consumers.
What should businesses know about the potential
legal risks posed by adware and
spyware? The legal distinction between spyware
and adware is cloudy, and UK courts
have yet to examine the issue. For now, laws
relating to data protection, intellectual
property and employment may provide some guidance.
The Data Protection Act has the primary aim
of protecting an individual's data from illegitimate
or excessive use, and providing safeguards
for individuals when their personal information
The act outlines eight data protection principles.
The principle of "fair processing" requires
that the user is given information on how
their personal data will be used.
Under the act, individuals may request that
their data is no longer processed for marketing
purposes, and companies in receipt of such
requests must comply. Damages may be payable
where an individual can show that they have
suffered damage and distress as a result of
a breach of the act.
The Privacy and Electronic Communications
(EC Directive) regulations relate to cookie-type
devices that store a user's data. These regulations,
along with guidance from the Information Commissioner
(an independent authority, which enforces
and oversees the Data Protection Act), indicate
that whilst the use of such devices is not
prohibited, subscribers and users should be
given the choice as to which of their online
activities are monitored in this way. The
regulations do not, however, specifically
address spyware and adware.
Users should also be given the opportunity
to refuse the use of a cookie-type device
as well as a clear choice as to whether or
not they wish to allow a service provider
to engage in the continued storage of their
The regulations do not specify the manner
in which users should be given this opportunity,
but state that it should be presented in clear,
intelligible language and should appear in
a way that is "prominent".
If adverts are displayed whilst the user
is visiting a competitor's website, intellectual
property rights could be infringed.
A company could have grounds to say that
its intellectual property rights have been
infringed by adware if it can show that such
placing of adverts misrepresents its own brand
and that this leads to confusion amongst consumers
as to the source of the product.
The issue of advertising on a competitor's
site through the use of adware remains to
be conclusively tested in the English courts.
Businesses can use spyware to monitor employees'
internet use. However, the Employment Practices
Code makes it clear that such practice will
generally be considered intrusive, as employees
are entitled to a degree of privacy in the
Employers must notify employees of monitoring
policies, both those in place and any subsequently
introduced, in all instances identifying the
Covert monitoring is the only exception to
this. The Information Commissioner considers
this justifiable in only very limited circumstances.
Most of the legal developments relating to
adware and spyware have occurred in the US.
For example, internet security firm Symantec
is currently taking action against internet
tools supplier Hotbar for the right to classify
certain Hotbar programs as adware.
This case highlights the difficulties facing
internet security firms and has the potential,
should Symantec lose, to allow software companies
to challenge the right of security firms to
screen out software that possesses only some
of the attributes of spyware and adware.
Additionally, further moves have been seen
in the US to introduce anti-spyware legislation.
The I-SPY Prevention Act (2004) attempts to
draw a legal distinction between adware and
spyware, and makes it an offence to access
a PC through the use of spyware without the
However, any successful regulatory approach
must be taken globally, or its effect in restricting
such programs will be minimal. Some observers
doubt the impact that legislation can have
on "technological" problems, feeling that
it will fail to prevent frivolous lawsuits
being brought against security companies.
They also highlight the attempts that were
made previously to outlaw spam.
Others fear that the introduction of legislative
measures will impact adversely upon legal
software programs. They would instead prefer
to see advances in technology to prevent the
distribution of malicious programs.
What steps can users take to prevent the
downloading of unwanted adware or spyware
Domestic regulations simply require that
a user is given a clear choice of what online
activities are monitored by spyware devices
and is provided with a clear means to prevent
such programs operating on their computer.
Users can screen against malicious software
by maintaining up-to-date internet security
systems. Simple steps can also be taken to
prevent downloading malicious programs: carefully
choosing which websites to visit, reading
terms and conditions attached to software
before downloading from the internet and never
opening e-mails that are considered suspicious.
Simon Shooter is head of commercial and
technology and Edward Bodey is a trainee solicitor,
commercial and technology, at law firm Barlow
Lyde & Gilbert.