29 June 2005
DCITA Consultation on Spyware
Below is EFA's submission to the Department of Communications, Information Technology and the Arts public consultation on Spyware.
Electronic Frontiers Australia Inc (EFA) is a non-profit national organisation concerned with the protection and promotion of the civil liberties of users of computer based communications systems and of those affected by their use. EFA was established in 1994, is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting civil liberties.
Spyware is an issue which has the potential to affect all Internet users. Studies suggest that the majority of computers connected to the Internet contain spyware of some sort.
While recognising the seriousness of the problem that spyware poses, EFA cautions the government against legislative reforms specifically targeted at spyware. We consider that it would be more effective and more beneficial to increase the privacy rights of Australians generally, which, as will be discussed further, are sorely lacking in an online environment.
- personal information
- business information
- bandwidth, or
- processing capacity
EFA submits that the definition of "spyware" should be primarily based on the characteristics and functionality of the software itself, and not the circumstances of its installation on any particular computer. Such characteristics may include:
- Most importantly, that it spies upon or otherwise monitors the activities of computer users, or data stored on the computer.
- That it operates, or is designed to operate, in a way which would be invisible to an average computer user.
- That it is, or is designed to be, difficult or impossible to uninstall.
- That it interferes with, or is designed to disable or interfere with, the operation of anti-virus, anti-spyware, firewall, or other security software.
- That it is installed by, or is typically installed by, exploiting a security vulnerability in the operating system, Internet browser, or other legitimate software.
Adoption of the working definition in the discussion paper would make it difficult, if not impossible, to characterise any particular software application as "spyware", which we submit would be an undesirable outcome, and would hamper efforts to publicise the threat of spyware (and other undesirable software) and to educate consumers as to what measures they can take to protect themselves against it.
We also submit that the fundamental characteristic of "spyware" is that it spies on the users of the computer on which it is installed. The taking or use of bandwidth or processing capacity has never been generally regarded as a characteristic of spyware.
As described above, we consider that programs taking bandwidth or processing capacity should not fall within the definition of spyware. It would perhaps be more appropriate to label such programs with the more general term "malware", or devise a new term to describe them.
We submit that any definition of "spyware" which deals with the taking of "personal information" must further define what is meant by the term "personal information".
We further submit that the definition of "personal information" contained within the Privacy Act 1988 (Cth) is inappropriate to use when discussing spyware, is unduly restrictive, and does not accord with what an average Australian Internet user would reasonably consider to be their "personal information". This matter is discussed further under Question 5 below.
All aspects of spyware are of great concern to EFA.
While not more concerning than any other aspect of spyware, the most common usage of spyware, and the one least protected under existing laws, is the surveillance and monitoring of users' private information, done without any obvious criminal motive (eg ID theft, stealing of money from bank accounts, etc).
This issue seems to attract the least publicity, and least attention from law makers and law enforcement agencies, but in EFA's opinion deserves at least equal attention.
Cookies have a legitimate function in facilitating authentication and other functionality of a large number of Internet sites, and their use is well known and standardised.
Further, the vast majority of Internet browsers on the market allow the user to configure their own preferences for accepting or blocking cookies, and allow stored cookies to be viewed and deleted.
As expressed in our answer to Question 1b, our answer to this question is an emphatic yes.
The definition of "personal information" within the Privacy Act 1988 (Cth) turns on whether an individual's identity is apparent, or can reasonably be ascertained, from the collected information.
EFA considers the "can reasonably be ascertained" aspect of the Australian definition to be problematic because the definition begs the questions: reasonably ascertainable by whom? And does whether it "can reasonably be ascertained" depend on how much time or effort needs to be devoted to ascertaining the individual's identity?
EFA submits that this is one of the greatest failings of that definition, and is precisely why it would be inappropriate to use that definition when trying to define "spyware".
As was reported recently in the Australian media, Australian doctors can engage, and are engaging, in the practice of selling their patients' medical records to marketing firms with links to the pharmaceutical industry. Under the Privacy Act, because the patient's name and other identifying information are removed from the records, the records are not considered to be "personal information", and consequently this information is given no protection under the Act.
Few every-day Australians would support the proposition that just because their medical records have been stripped of their name, address, Medicare number, etc, those records should be afforded no privacy protection.
Likewise, few Australians would support third parties spying upon their emails, web-browsing habits, and instant messenger service messages (eg ICQ, MSN, and AOL) merely because the information may not immediately identify them.
As stated in the Federal Privacy Commissioner's Report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988:
"Whether or not a person's identity can be reasonably ascertained from information is becoming difficult to determine. With the advent of new technologies it is increasingly difficult to conclude that information that may appear to be de-identified, or not identified can never be connected with a real person. There is evidence that information about people is increasingly used to make contact with people in ways that people find privacy invasive even if it cannot necessarily lead to the physical location of individual or their actual name (for example, email). It is also being used to profile individuals.
As the Council of Europe research suggests: 'New technology makes it increasingly possible to process data relating to individuals not, as was traditionally the case, through data relating to their legal identity, such as name and address, but via an anchor point or even an object (so-called ambient intelligence) associated with it. This means that the danger often no longer resides in the collection of personal data as such but in the subsequent application of abstract profiles to individuals.'
The European research report says that it is clear that the Consultative Committee will have to work with the concept of personal data. It concludes: 'A definition of personal data based on undefined and indefinable notion of identity and the pendant concept of anonymity is ambiguous and not directly workable. From the practical point of view, it would be better to refer to biographical data, identifiers linked to individuals or to terminal (indeed objects), and points of contact.'"
As recently submitted to two inquiries concerning the Privacy Act, EFA considers that the definition of "personal information" should be extended to include wording such as:
"any information which enables interactions with an individual on a personalised basis, or enables tracking or monitoring of an individual's activities and/or communication patterns, or enables an individual to be contacted".
In addition, the definition should be amended to include an explanatory note such as:
"For the avoidance of doubt, in determining whether information is personal information, it is irrelevant that the identity of the individual may not be known or ascertainable by the collecting or disclosing organisation at the time of collection or disclosure."
EFA views this as being one of the more problematic issues with defining what is and is not "spyware", and arguments can be made either way.
In the majority of cases, "spyware" can be installed either with or without the knowledge and consent of the user. If 95% of the installations of a given piece of "spyware" were made without the knowledge or consent of the user, that still leaves 5% which were made with knowledge and consent.
There is a strong argument that the term "spyware" should be independent of the facts surrounding any given installation of the software. There are obvious benefits to anti-spyware measures (both technical and education-based) in being able to label specific programs as being "spyware" based upon the characteristics and functionality of the program, and the typical circumstances of its installation.
If it were not possible (under whatever definition of "spyware" that DCITA adopts) to label software products in this way, this would hamper the identification and removal of programs that might otherwise be deemed to be "spyware".
It is not beyond the realms of possibility that companies and individuals in the business of producing, distributing or promoting software which is generally accepted to be "spyware" might institute legal proceedings for defamation against persons who describe their software as "spyware", on the basis that their software is not "spyware" within the meaning that the Australian government (i.e. DCITA) gives to the term. The decision of the High Court in the case of Dow Jones v Gutnick would allow such legal action even where the defendant is outside Australia.
The risk of such legal action is not at all far-fetched when one considers that there are numerous recorded instances of alleged spyware producers threatening legal action against people who characterise their products as "spyware".
A competing argument is that most customary definitions of spyware require at least some degree of lack of knowledge and consent on the part of the user.
In our opinion, the real questions should be:
- Is it desirable that individual software programs be able to be classed as "spyware", rather than individual installations of that software?; and
- Is it (and should it be) necessary that all installations of a given program be made without the knowledge and consent of the user before the program can be properly classed as "spyware"?
And our response to those questions is "Yes" and "No", respectively.
EFA has further concerns on the issues of "knowledge" and "consent" which we address later in this submission.
"A man purchases software from a software provider which allows him to activate web cameras attached to a PC and view his pictures remotely. The man installs the software on a colleague's computer and uses the software to activate the camera to watch the colleague without their knowledge."
Our answer to this question would depend on the characteristics of the software itself, such as whether it was designed to be installed and operate in such a way as to be invisible to the user of the computer with the camera attached.
If the software was designed to facilitate spying on people without their knowledge, we would consider it to be spyware.
If the software was designed for legitimate purposes, we would not consider it to be spyware.
Spyware comes in a variety of forms, and performs a wide variety of functions. It would be futile to attempt to exhaustively list all examples of spyware.
For the reasons given in our response to Question 1, we do not consider that the "taking" of bandwidth properly falls within the definition of "spyware". In the example given (the taking of bandwidth to send spam), we consider the program would be more properly characterised as a "trojan" or generally as "malware".
Also, we do not consider that the "taking" of processing capacity falls within the definition of spyware, nor are we aware of any significant examples of "spyware" which exhibit this behaviour.
EFA has grave concerns about the conclusions of the "spyware legislative review", and we believe that existing Australian laws do not adequately cover the uses of spyware which fall outside of existing criminal law (denial of service attacks, Internet banking fraud, etc).
We consider that it would be premature to "inform individuals and businesses" of the coverage of these laws, when the adequacy of that coverage is a matter of debate, and has yet to be tested in a court of law.
We also consider that the problematic issue of "consent" poses a significant hurdle to the application of existing criminal law to the use of spyware.
EFA considers that there may be a role for government or non-government groups (such as the Internet Industry Association) to recommend anti-spyware products from known and reputable suppliers, to help avoid the problem of spyware masquerading as anti-spyware products.
EFA submits that education of computer users is the most appropriate long-term strategy to address the problem of spyware.
EFA further submits that it would be inappropriate to introduce "technical measures" against spyware at an Internet Service Provider level. There are no such measures which could currently be introduced which would have any meaningful effect upon the problem of spyware, and any attempts to introduce such measures would cause far more problems than they would solve.
There is substantial evidence to suggest that the majority of secretive installations of spyware upon users' computers occur through exploiting known security vulnerabilities in the Microsoft Windows series of operating systems, and bundled applications.
We consider that users adopting alternative software products, which historically have a better record of security, and are less tightly integrated with the operating system, would be an effective technological measure against spyware, and that there may be a role for the government in informing computer users of the availability of these alternative products.
The issues of "knowledge" and "consent"
Two of the apparently simplest issues in the spyware discussion are those of "knowledge" and "consent". In reality, these simple terms involve a legalistic minefield which lies at the heart of any attempt to use the legal system to combat spyware.
While a detailed analysis of these issues is beyond the scope of this response, we will attempt to convey some of the difficulties we believe they involve.
Whose knowledge and consent?
Whose knowledge and consent is required for the installation of "spyware" onto a computer?
- Is it to be required that the owner of the computer must have knowledge and give consent?
- What about cases where the primary user of the computer is not the owner of the computer?
- Can the owner or primary user of a computer have knowledge and give consent to the installation of spyware, if the spyware monitors the activities of all users of the computer?
- What about cases where the owner, primary user, or person installing the software is a minor?
- What if the person installing the software warrants they have the authority of the owner of the computer to do so?
- What about situations where a minor installing the software warrants that they are over the age of 18?
- Is it to be required only that the person have knowledge that the software is to be installed?
- Is it to be required that the person have knowledge of exactly what functions the software will be performing (i.e. what it will be monitoring)?
- Must all persons using a computer have knowledge that spyware has been installed on it?
- Does a person agreeing to an End User License Agreement ("EULA") give consent to the operation of spyware?
- Is it sufficient that the person agreed to a EULA, in cases where they did not read it?
- Is it sufficient that the person agreed to a EULA, in cases where they read it but did not understand it?
- Is there sufficient justification for disturbing the well-settled principle of contract law that persons are bound by written contracts (such as EULAs) they have entered into, regardless of whether they read or understood the contract?
- Does a person, when agreeing to the EULA of program A, which explicitly permits program A to install any other programs onto the computer, thereby consent to the installation of any other programs which may be installed by program A?
EFA submission to the Inquiry into the Privacy Act 1988 conducted by the Senate Legal and Constitutional References Committee, 24 February 2005