CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Spyware skirmishes: Spy versus antispy

Internet lawyer Venkat Balasubramani says the outcome of a legal tiff could force big changes in the antispyware landscape.

    Software provider Zango opened up a new front in the spyware war by filing a pair of lawsuits against two antispyware companies (PC Tools and Kaspersky Lab). This litigation is aggressive and risky.

    Antispyware efforts have gained momentum in the past several years. Zango itself is no stranger to these efforts, having settled (in late 2006) FTC charges that it "used unfair and deceptive methods to download adware and obstruct consumers from removing it." The New York Attorney General similarly sued and settled with Direct Revenue, which it characterized as a "major 'spyware' distributor." It also settled with some Direct Revenue clients (Priceline, Cingular, and Travelocity).

    The landscape is set to change, however, with antispyware legislation receiving serious consideration by Congress. In late May, the House of Representatives passed the Internet Spyware (I?SPY) Prevention Act of 2007. The bill--a version drastically scaled back from other proposals--tracks in many respects the Computer Fraud and Abuse Act.

    Under the bill, a violation occurs when a person causes a program to be copied onto an end user's computer "without authorization" and obtains data or causes a security breach. The controversial portion of the legislation surrounds the so-called good Samaritan exception. In the words of the Internet Alliance, this floor amendment was "designed to grant immunity to antispyware software makers against claims from companies whose programs have been misidentified (and then often deleted) as 'spyware' or 'adware.'" According to the alliance, this provision would have "serious unintended consequences."

    Zango's lawsuit

    This is exactly what Zango's lawsuit is about. Zango claims that the defendants in each case "mislabeled" Zango software as "an infection...malicious...and as an elevated risk." Zango also claims that end users were not provided with sufficient notice that Zango software would be disabled or purged from the system. (The claims against the two companies vary slightly; in one case, Zango emphasizes blocking the end user's ability to use or access the Zango software, Web sites, and/or content provided via Zango.)

    The timing of the lawsuit indicates that Zango is trying to make a point about the grey areas inherent in the antispyware classification business. Indeed, Professor Eric Goldman noted on his blog that the lawsuit "might help shape the contours of antispyware software vendors' duties as well as influence the pending antispyware legislation in Congress." The move is risky for several reasons.

    First, the court may reject Zango's trade libel claims, either because the labels are "true" or because the antispyware shops had sufficient backup for their characterizations. Zango's previous run-in with the FTC certainly will not help matters (in the court of public opinion, at least).

    Second, the antispyware industry is relatively unified. Sunbelt Software CEO Alex Eckelberry attempted to replicate Zango's claims and proclaimed them without merit. He then "offered PC Tools any forensic documentation or assistance they may need in their efforts to defend themselves."

    It's also worth noting that Zango's position on notice/disclosure is inconsistent with its ultimate position on the spyware issue. Zango cannot be in favor of a bright line rule when it comes to whether users are provided sufficient notice--its method of notice varies. Yet this is precisely the argument PC Tools and Kaspersky will make in reaction to Zango's claim. The notice provided was "reasonable under the circumstances."

    There's also the possibility that PC Tools and Kaspersky will fit under Section 230's existing broad Good Samaritan provision. That section insulates providers of an "interactive computer service" against claims based on "any action taken to enable [users with] the technical means to restrict access to [objectionable] material..." Although there are relatively few decisions addressing this point, a recent California appellate court opinion indicates it will be given a wide reading. ( The court held that Section 230 immunizes listing IP addresses which were potential sources of unwanted e-mail.)

    In the end, the lawsuit may illustrate why the Good Samaritan provision makes sense. The court will struggle with the issue of whether Zango was appropriately classified and blocked. In so doing, it may unwittingly reiterate that the market should make the determination of which antispyware shops are most effective by removing trade defamation claims from the mix.