A number of firms currently design and offer so-called "spyware" software -- programs that monitor user activities, and transmit user information to remote servers and/or show targeted advertisements. As distinguished from the design model anticipated by whatis.com's definition of adware ("any software application in which advertising banners are displayed while the program is running"), these spyware programs run continuously and show advertisements specifically responding to the web sites that users visit. Companies making programs in this latter category include Gator (recently renamed Claria), WhenU, and 180Solutions. Other spyware programs include keystroke recorders, screen capture programs, and numerous additional software systems that surreptitiously monitor and/or transmit users' activities. As programs and practices shift and terms evolve, some practices are more naturally termed "adware" or "malware" -- especially if their tracking is secondary to an advertising purpose.
These programs have prompted a number of legal challenges, as described in the pending suits section, below. They have also attracted attention from legislators, who have proposed laws to rein in the problem
I have followed these developments generally, I have written about the programs and their effects, and I have been retained as an expert in certain of these suits. This page indexes my research and my work in selected cases.
Research showing which advertisements Gator shows when users visit various domain names. Includes advertisement thumbnails and analysis of targeting conditions.
Analysis of substance and presentation of Claria's license agreement. The 5,900+ word, 63-page license is presented in a small scroll box with section headings merged into body text. Users who manage to read the license find surprising terms: Users must not run third-party tools (like Ad-Aware or Spybot) to remove Gator, and users must not investigate what personal information Gator tracks and sends.
Complete set of screenshots showing the Claria installation process and license agreement, when Claria is bundled with Kazaa. The 5,541-word Claria license requires fifty six on-screen pages, e.g. fifty six presses of the page-down key, discouraging users from meaningfully reviewing the license.
Research showing that WhenU transmits to its serves some of the specific URLs users visit, precisely contrary to WhenU's promises in WhenU's license agreements and in some WhenU software installers.
Research finding a flaw in the auto-update system used by certain WhenU software recently available on WhenU's ordinary public web site. Flaw allowed attackers to install any software on PCs of users with the affected WhenU software.
Research showing web sites created by WhenU in violation of search engine rules, boosting rankings of content favorable to WhenU while pushing critics lower in rankings. Google and Yahoo! responded by removing www.whenu.com and other affected sites from their indexes.
Research showing that WhenU has copied at least 26 articles from at least 20 different publishers to its main www.whenu.com web server, as well as to at least eleven other official WhenU servers. The articles are provided in full, but without the advertisements that surround article text on the publishers' web sites, without any mention of authorization from the publishers, and without their ordinary copyright notices.
Complete set of screenshots showing the WhenU installation process and license agreement, when WhenU is bundled with BearShare. Due to placement of the WhenU license is an exceptionally small on-screen window, viewing the entire license requires 45 presses of the page-down key, discouraging users from meaningfully reviewing the license.
Documentation of WhenU Advertisements and Targeting (forthcoming)
Research showing which advertisements WhenU shows when users visit various domain names. Includes advertisement thumbnails and analysis of targeting conditions.
Quicken Loans and Wells Fargo v. Whenu.com Inc. - Edelman Expert Declarations (July - September 2003)
Research showing how 180 software intentionally causes merchants to pay affiliate commissions to 180, even when affiliate commissions are properly payable to other affiliates, or are properly withheld by merchants under the terms and conditions of their affiliate programs.
Research itemizing 180's major installation methods, including drive-by downloads, distribution partners, and installation through security holes. Discussion also tracks failure to show a license agreement and failure to provide an uninstaller.
I explain how spyware works, including presenting specific personal information transmitted by both Gator and WhenU. (The WhenU transmissions are particularly notable because these transmissions seem to violate WhenU's own privacy policy.) Other sections of the document discuss installation methods of spyware (with special consideration of the technical methods used in drive-by downloads), frequency of advertisement display, and performance and security effects of spyware.
Shows installation of software even when users press "Cancel" to decline installation. Notes that license agreements stretch to the tens of thousands of words, and to hundreds of on-screen pages.
VeriSign's existing software systems let it revoke digital certificates so as to block certain misleading installation attempts. I give examples of the problem and suggest how VeriSign could take action.
Certain pages at Google's Blogspot service show misleading popups, falsely claiming to be required updates. If a user presses "Yes" once, extra toolbars, popup ads, and privacy-invading software arrive on the user's PC. Google could stop this problem with a simple policy change already implemented elsewhere on the Blogspot site.
I compare five major P2P programs and the additional applications they install. Article includes detailed screen-shots and analysis of the programs' licenses and installation procedures.
Spy Act ("Securely Protect Yourself Against Cyber Tresspact Act") - Rep. Mary Bono - H.R. 964 (formerly H.R.2929; formerly H.R.29)
Status: Passed House, May 23, 2005. Reintroduced, February 8, 2007.
Prohibits certain specific practices except with user authorization. Requires notice, consent, and uninstall capability for certain information collection and advertising programs. Leaves many key details to the Federal Trade Commission. Grants enforcement power only to the FTC. Preempts existing state laws about spyware.
Creates criminal penalties for accessing a protected computer without authorization, or exceeding authorization, by causing software to be copied onto a computer and 1) using that code for another Federal criminal offense, 2) intentionally obtaining or transmitting personal information with intent to defraud, injure, or cause damage, or 3) intentionally impairing computer security.
Prohibits causing the installation of software without providing an opportunity to grant or withhold consent. Prohibits misleading inducements to install. Requires that programs include reasonable uninstallation procedures. Prohibits "surreptitious" information collection (in a manner not disclosed and authorized at the time of transmission). Requires labeling of adware advertisements. Safe harbor for anti-spyware services. Enforcement by FTC and by state attorney geenrals. Prempts existing state laws about spyware.
Prohibits transmission of software that collects and transmits personal information about computer owner or operator, monitors and transmits web pages accessed, or modifies default computer settings as to home page or search, unless notice is provided and consent is obtained in advance. Advertising software permitted only with consent and uninstall. Violations enforced by FTC under FTC Act, via criminal penalties, and by states. Preempts existing state laws about spyware.
Allocates $10 million towards FTC action against spyware. Increases FTC authority to fine, including disgorgement of profits. Expands FTC authority to include foreign deceptive practices that cause foreseeable injury within the US. Preempts all state and local laws as to software installation.
Claria's activities have prompted a number of legal challenges. This section attempts to chronicle key suits to the best of my ability. Please send suggestions for additions or updates.
Facing complaints from the Internet Advertising Bureau as to Gator's activities, then including banner ads that tended to cover web sites' own banner ads, Gator in 2001 sued the IAB and subsequently settled. Gator has subsequently sued Virtumundo, L.L. Bean, and PriceGrabber (citation).
In 2002, Gator was sued by a group of media companies including the New York Times and Washington Post in the US District Court for the Eastern District of Virginia. A preliminary injunction was issued, enjoining Gator's targeting of plaintiffs' web sites. The case settled before trial, and the terms of the settlement are confidential. I served as a technical expert for the plaintiffs. See my declarations and selected other case documents.
In 2002, Weight Watchers sued competitor DiscreetDrugs.com, which had reportedly used Gator to cause its advertisements to appear when users requested the Weight Watchers web site. Also in 2002, Weight Watchers sued competitor DietWatch.com, which had also reportedly used Gator to cause its advertisements to cover the Weight Watchers site. A premanent injunction was issued by the US District Court, Southern District of Nwe York, enjoining certain DietWatch activities and granting $25,000 of damages.
In 2003, Gator moved for consolidation of these cases as well as Gator's declaratory judgment actions against L.L. Bean, Virtumundo, Extended Stay America, PriceGrabber.com, and Tiger Direct. Gator asked that these cases be consolidated in the US District Court for the Northern District of California. (See Schedule of Matters for Judicial Panel on Multidistrict Litigation, PDF page 7.) Instead, these cases were consolidated to the Northern District of Georgia, as detailed in the Multidistrict Litigation Transfer Order (PDF).
In 2004, the German division of Hertz obtained a preliminary injunction prohibiting Claria from using pop-up ads to cover Hertz's site. See news coverage.
In 2004, Teleflora sued Claria. I serve as an expert for Teleflora, and I filed an initial declaration in this matter.
In 2004, L.L. Bean sued Nordstrom's, JC Penney, Atkins, and Gevalia, each of which used Claria to display pop-up ads that cover L.L. Bean's site. See press release, news coverage. Claria countersued L.L.Bean. Gevalia and Atkins settled with L.L. Bean. L.L. Bean complaints: Nordstrom's, JC Penney, Atkins, Gevalia.
According to Claria's SEC S-1 filing of April 8, 2004, Claria has settled suits brought by Extended Stay America, PriceGrabber.com, LendingTree, and UPS.
In June 2004, the Georgia Court hearing Gator's multidistrict litigation ordered that the Metrodate case (a class action of targeted web sites) be remanded to state court.
In July 2004, Claria was sued by Interlinx, LLC, as to Claria's targeting of budgetlife.com. The case was filed in the US District Court for the Eastern District of Michigan.
In August 2004, the clerk of the court hearing Gator's multidistrict litigation reported that the MDL proceedings were closed because all the MDL cases had been settled (reportedly save for Teleflora and Interlinx).
In 2003, Claria sued PC Pitstop for malicious disparagement and trade libel, arising out of PC Pitstop's statements to users about Gator's software and why they might want to remove it from their PCs. See discussion in Threats Against Spyware Detectors, Removers, and Critics.
WhenU
WhenU has been sued by 1-800 Contacts, Overstock.com, Quicken Loans, U-Haul, Weight Watchers, and Wells Fargo. See summary judgment order (PDF) in U-Haul case (dismissing claims against WhenU) and preliminary injunction order (PDF) in 1-800 Contacts case (granting preliminary injunction enjoining WhenU from delivering certain pop-up advertisements).
1-800 Contacts has also sued (and obtained a preliminary injunction enjoining) Vision Direct, a competitor which used WhenU to cause its advertisements to appear when users requested the 1-800 Contacts web site.
I served as a technical expert in the Quicken Loans and Wells Fargo matter; I filed two declarations in this matter and provided oral testimony. I served as a technical expert in the Utah matter; I filed a declaration in this matter and provided oral testimony.
180solutions
In September 2005, a consumer class action was filed in Illinois on behalf of all US residents who have had 180solutions software installed on their computers. See Simios v. 180solutions complaint (PDF) and coverage (including 180's claim that the case has "no merit"). This suit was voluntarily dismissed in September 2006.
In October 2005, a further class action was filed in California by Consumer Advocates Rights Enforcement Society. See complaint (PDF).
DMNews reports that Weight Watchers sued 180solutions and eDiets as to eDiets covering Weight Watchers' site using 180solutions software. Case status unknown.
In 2004, 180solutions sued two distributors of its software for installing its software without users' consent, which 180 claims was contrary to the distributors' contract with 180. News coverage. Settlement coverage. In 2005, 180 sued seven additional distriubtors, alleging further nonconsensual installations, but 180 subsequently dropped those suits when defendants failed to reply to 180's complaint.
In November 2005, 180solutions sued Zone Labs for trade libel, tortious interference with business expectancies, unfair and deceptive practices, and unjust enrichment, arising out of Zone Labs's detection of 180's software. See discussion in Threats Against Spyware Detectors, Removers, and Critics. In February 2006, 180 dropped its suit. Zone Labs reports having made no change to its reported classification of 180's software.
In October 2005, a further class action was filed in California by Consumer Advocates Rights Enforcement Society. See complaint (PDF). In August 2006, this case was settled.
In April 2006, the New York Attorney General sued Direct Revenue for surreptitiously installing spyware onto users' computers and for making its sotware extremely difficult to remove.
The suit includes claims under New York's General Business Law (prohibiting false advertising and deceptive business practices), New York's Penal Law (prohibiting computer tampering), and New York's common law prohibitions against trespass. Case documents at NYAG's site; additional documents and analysis as well as document highlights.
In December 2004, Avenue Media sued Direct Revenue as to "systematic[] delet[ion]" of Avenue's software from users' hard disks. Discussion and case documents. The parties have reportedly reached a settlement, with no money changing hands.
eXact Advertising
In September 2005, a consumer class action was filed in New York on behalf of all US residents who have had eXact Advertising software installed on their computers. See complaint (PDF) and discussion.
In October 2005, a further class action was filed in California by Consumer Advocates Rights Enforcement Society. See complaint (PDF).
Intermix
In April 2005, the New York Attorney General sued Intermix for false advertising, deceptive business practices, and common law trespass. Press release and case documents. In June 2005, the case settled, with Intermix agreeing to pay $7.5 million and to permanently discontinue distribution of its advertising software.
In 2005, a consumer class action was filed in California on behalf of California residents who have had Intermix software installed on their computers. See Kerrins v. Intermix Media. In January 2006, Intermix's motion to dismiss was rejected (PDF) in part, allowing the case to proceed.
In November 2006, the
City Attorney of Los Angeles
reached a settlement with Intermix as to Intermix's allegedly-illegal business practices. Settlement announcement (PDF). Partial summary of my work in the case.
Ebates
In May 2006, a consumer class action was filed in Illinois on behalf of consumers who have had Ebates software installed on their computers without their consent. Complaint (PDF).
Suits Against Makers of Bogus Anti-Spyware Software
In October 2004, the FTC sued Seismic Entertainment and Sanford Wallace for making unauthorized changes to users' web browsers and performing unauthorized installations of advertising software. In May 2006, Wallace was ordered to forfeit $4 million of ill-gotten gains.
In June 2005, the FTC sued Spykiller for deceptive statements in its marketing of anti-spyware and in its purported detections, including deceptively claimed to have found spyware or to have performed a scan, when it had not done so. A January 2006 settlement entailed payments of more than $900,000, as well as forfeiture of several luxury vehicles, as well as certain injunctive remedies as to accuracy of disclosures.
In March 2005, the FTC sued MaxTheater for deceptive statements about their software and about users' purported need for such software. The December 2005 settlement entailed a payment of $76,000, as well as injunctive remedies (including a prohibition against defendants selling or marketing any anti-spyware software.
In January 2006, the State of Washington sued Secure Computer for violations of the federal CAN-SPAM Act, as well as for violations of the Washington Commercial Electronic Mail Act, Computer Spyware Act, and Unfair Business Practices - Consumer Protection Act. Complaint (PDF) alleges that defendant developed, promoted, and sold anti-spyware products that were marketed improperly, including via improper emails (with false headers, deceptive subject lines, and missing opt-out mechanisms) and via false claims of security problems. In December 2006, the State of Washington announced a settlement including $725,000 of attorneys' fees and costs, $200,000 of civil penalties, and a $75,000 pool for refunds to affected Washington consumers. The settlement also prohibits misrepresenting, directly or by implication, the urgency or need for security software or other programs. Additional terms prohibit deceptive email subject lines, require honoring opt-hours, prohibit claims of "discounts" that are actually ordinary prices, and prohibit simulating system alerts.
In April 2006, the State of Washington sued SoftwareOnline.com for unfair business practices arising out of marketing of Software Online's security software. Complaint (PDF) alleges misrepresenting the extent to which software is necessary for security or privacy, misrepresenting functions on advertisements (e.g. fake user interface ads, where an "x" opened a new ad rather than closing a window), misrepresenting uninstall, and misleading negative-option billing (automatic renewals and future charges). The State of Washington simultaneously announced a stipulated judgment and order (PDF) requiring payment of $40,000 of costs and fees, $400,000 of civil penalties (with $250,000 suspended on condition of compliance with other provisions of settlement). Judgment includes findings of fact as to Software Online's deceptive practices, as well as conclusions of law as to Software Online's liability. Settlement prohibits misrepresentation, directly or by implication, of the urgency or need for security products; utilizing fake user interface elements; showing pop-up or pop-under ads through a trial version; and various other deceptive practices.
In October 2006, the State of Washington sued High Falls Media and ROC Telecommunications for their "Spyware Slayer" software that improperly induces users to install by making false claims that users are, purportedly, already infected. Complaint. Consent decree reflects a $25,000 penalty and $30,000 of costs and fees, as well as restitution to affected consumers, along with restrictions on future advertising practices. Future violations will entail civil penalties of $25,000 per violation.
In November 2006, the State of Washington sued James Lane for his Quickshield software which induced consumers to install by making false statements of security vulnerabilities. Complaint. Consent decree reflects a civil penalty of $5,000, $6,444 of costs, restitution to affected consumers, and restrictions on future advertising practices.
In February 2007, the State of Washington sued Securelink Networks, NJC Softwares, and FixWinReg for misrepresenting the necessity of software for security purposes (in violation of the Washington Computer Spyware Act and Consumer Protection Act). Other claims include misrepresenting that messages are internal operating system security alerts, misrepresenting that the product has deleted critical registry errors, preventing users from declining installations, and modifying computer settings in violation of the Washington Computer Spyware Act. Complaint.
In March 2008, the State of Washington sued Messenger Solutions, LLC for sending user NET SEND popups that 1) claim that a consumer's computer is vulnerable to security attacks, and 2) direct consumers to their web site to buy software to block those very popups. Complaint. In May 2008, the State of Washington won summary judgments requiring the defendants to each pay $400,000 of civil penalties and $141,000 in attorneys' fees and costs.
In September 2008, the State of Washington and Microsoft Corp. sued James McCreary, Branch Software, and Alpha Red as to Registry Cleaner XP, which they claim sent incessant pop-ups that resembled system warnings. Complaint claimed that defendants misrepresented the purported presence of "critical errors" and falsely implied having conducted a scan when no such test had been performed.
Others
In May 2004, Overstock.com sued SmartBargains, Inc. for using pop-up ads to target its web site. Press release.
In October 2005, the FTC sued Odysseus Marketing and Walter Rines for operating the "Clientman" program and causing its installation through a variety of unfair and deceptive practices without requisite consumer disclosures. The FTC's complaint specifically considers and rejects Clientman's license agreement as improperly labeled and otherwise unable to provide consumers with the required notice.
In November 2005, the FTC sued Enternet Media for infecting users with spyware using the lure of free lyric files, browser upgrades, and ring tones. The FTC froze Enternet's assets, and the settlement obliged Enternet to pay more than $2 million.
In November 2006, the FTC sued Media Motor for installing without consent and under deceptive circumstances.
In November 2006, the State of Washington sued Digital Enterprises d/b/a/ Movieland.com, as to software variously named MediaPipe, FileGrabber, and Media Assistant, which also installed other programs, showed pop-ups, etc. Alleges that Movieland took control of users' computers in violation of the Washington Spyware Act, that Movieland misrepresented uninstallation options, that Movieland's practices were unconscionable, that Movieland used threats, harassment, and intimidation in its billing practices, and the Movieland's misrepresentations and failures to disclose violated the Washington Consumer Protection Act. Complaint.