New York Attorney General Eliot Spitzer Wages
War on "Spyware" While Legislative Proposals Abound
June 28, 2005
On June 14, 2005, just seven weeks after charges were filed, Los Angeles-based Intermix Media, Inc., reached a tentative settlement agreement with New York Attorney General Eliot Spitzer, concerning allegations that Intermix's software distribution practices were illegal. The settlement agreement is not yet finalized, but, as announced, Intermix will be required to pay the state of New York $7.5 million over three years, as well as discontinue distribution of its adware, redirect, and toolbar programs.
Spitzer filed suit against Intermix on April 28, 2005. Intermix operates a number of websites that offer free program downloads for computers such as screensavers and games. The New York attorney general alleged that when users downloaded these programs, Intermix additionally loaded unwanted programs on to users' computers without proper disclosure and consent. The state of New York charged that such "bundling" practices constitute false advertising and fraudulent business practices in violation of New York's General Business Law and common law prohibitions against trespass.
The claim of improper disclosure and lack of consent stemmed from allegations that when users downloaded Intermix software, Intermix either failed to disclose the loading of certain programs and functionality or "hid" disclosures within lengthy licensing agreements. Further, the complaint contended that even when some notification was given, it was inadequate and inaccurately described the programs.
Among the types of software programs described in the complaint were pop-up toolbars, programs that redirect individuals to Intermix's websites, and "updater" programs that allowed Intermix to add or change programs on the user's computer at a later time. The complaint also noted that the programs in question were particularly troublesome for users as they were difficult to remove. Specifically, the programs lacked uninstall programming, could not be removed using the "add/remove programs" function in Windows, and obscured locations on users' hard drives. In addition, some of the unwanted programs, after being disabled, would reinstall themselves.
Intermix initially responded to the suit by claiming that it had "voluntarily" stopped distributing programs with the accused functionality or characteristics before the suit was filed. Intermix further explained that many of these programs were implemented by the company's prior administration. The company also denied allegations that its programs collect personal user information, a frequent criticism of "spyware."
Despite these protestations, New York sought to enjoin Intermix permanently from installing any advertising, ad-serving, redirecting, or toolbar software onto any user's computer. The claim further requested an accounting of all such prior installations, disgorgement of unjust enrichment, unspecified civil monetary penalties, and costs. While the reported settlement does not include all of these requested remedies, it still imposes a heavy burden upon Intermix.
Intermix and Legislative Developments
The Intermix case shows how existing law can be used to prosecute software distribution practices commonly maligned as spyware, adware, and malware. It also shows how such cases can be prosecuted effectively without resorting to new statutes. The case signals a willingness, at least in New York, to bring such prosecutions.
In light of this development, software manufacturers should be especially vigilant in monitoring how their programs are distributed and understand whether consumers will encounter difficulty in removing them. Moreover, it would appear that in at least some cases, regulators and prosecutors may take issue with how particular functionality is disclosed to consumers.
New anti-spyware legislation has been passed in a few state legislatures and is under consideration in others. The Washington State Legislature recently passed House Bill 1012, which provides stiff penalties for individuals and organizations that install invasive computer programs without user knowledge. The law becomes effective July 24, 2005. California also has relatively weak anti-spyware legislation in effect. Other states, including Pennsylvania, New York, Nebraska, and Michigan, have proposed criminal penalties for illicit installation practices. Still other proposed state laws either give private citizens a right of action or grant power to the state to exact fines for violations of new regulations.
There also are proposed federal bills in both the House and Senate that, if passed, would introduce criminal and civil penalties for loading certain types of programs onto covered computers. The Internet Spyware Prevention Act of 2005, H.R. 744, which is under consideration provides criminal penalties of up to five years imprisonment for installing spyware on protected computers without authorization for criminal purposes [H.R. 744, 109th Cong. (2005)]. Spyware is not specifically defined in the bill, but the bill's prohibitions are telling. Specifically, the bill prohibits installing programs or programming code in furtherance of committing another federal offense. The bill also prohibits uploading code that functions to obtain or transmit personal information or impairs the security protection of protected computers where there is intent to defraud or cause damage to a person or a protected computer.
Under H.R. 744, protected computers include those used by financial institutions or the government, or computers that affect the use of such computers and all computers used in interstate and foreign commerce. As an additional point of note, H.R. 744 includes a preemption provision, disallowing civil actions under state laws where the action is premised upon violation of this section.
The House has also considered the Securely Protect Yourself against Cyber Trespass Act or SPY Act, H.R. 29, 109th Cong. (2005). This bill more broadly allows for significant civil monetary penalties against persons who knowingly engage in unfair or deceptive acts relating to spyware and who collect certain information without notice and consent. Much like H.R. 744, this bill contains a preemption clause that displaces some, but not all, similar state laws.
New anti-spyware legislation has also been introduced in the Senate. The Enhanced Consumer Protection against Spyware Act of 2005 would give the Federal Trade Commission power to combat spyware by making it a violation of 15 U.S.C. 57a to "install through deceptive acts or practices software on protected computers" [S. 1004, 109th Cong. (2005)]. Violation of this section would constitute an unfair and deceptive trade practice, with civil damages ranging up to $3 million for each violation.
The SPYBLOCK Act. S. 687, 109th Cong. (2005), has also been introduced in the Senate. Among other things, this broad-reaching bill would make it illegal to install software in a manner that conceals software installations or prevents the user from knowingly granting or withholding consent. The bill would also make it illegal to use misleading inducements to obtain consent and to install programs that then cannot be uninstalled or disabled in a "usual and customary" way. Further, the bill specifically would prohibit the installation of certain adware. Penalties for violations could include up to five years in prison.
Both of the Senate proposals would grant state attorney generals power to bring civil actions for injunction, damages, and other appropriate relief. Both bills also include preemption provisions, which displace state laws with respect to certain conduct. They would prohibit a wide range of conduct, some of which may or may not necessarily be performed solely for nefarious purposes.
The Intermix prosecution reflects increasing public concern over Internet use and privacy, and the steps that state and federal governments will take to protect against perceived dangers. The New York prosecution illustrates how existing laws may be used to combat these perceived dangers, while recent state and federal legislation shows the importance of these issues to the public, as well as the mounting pressure on legislators and regulators to act now to combat certain software distribution practices and programs.
Wilson Sonsini Goodrich & Rosati routinely counsels clients in all aspects of their privacy and data protection programs. If you have questions in these areas, please contact Gerry Stegmaier at (703) 734-3109 or David Kramer at (650) 320-4741
Click here to read the complaint.