Adware and Spyware - are they really consensual?

What is this Adware and Spyware stuff anyway?

Adware and Spyware are a class of Malware that some will argue is legal because the user accepted an end user license agreement (EULA). The basic excuse is that the end user downloaded this really cool game/screensaver/program for free and accepts that the program, or another program bundled with it, will make money off the end user in some way. In short, this type of software is argued to be legal because the end user agreed, or consented. So what is consent or implied consent, and do Adware and Spyware actually meet that standard?

To be legal, Adware or Spyware must display an agreement at some point during installation stating, at least in general terms, what the program does or will do. This is the EULA that no one ever reads before clicking "I accept". The agreement can state anything that isn't inherently illegal (a contract for murder for hire, for example, cannot be created). I'm not going to go into the evils of most EULAs here, as there are many other articles on that subject; if you agree to a contract, what happens to you afterwards is your own fault. My focus is on whether Adware and Spyware actually achieve consent, and just how strong this industry's house of cards really is.

Just click - I agree. Come on I dare ya!

So to be legal, Adware and Spyware must have the consent of the end user. Unfortunately, computers are still a relatively new technology, and Information Security as a profession still believes it is special. Other areas of law have the concept of informed consent: to consent, the person must be aware of and understand the consequences of what can happen. Eventually, as computer-literate judges enter the workforce, Adware and Spyware EULAs will be challenged on this concept. In the meantime we must fight these programs on other legal fronts.

Let's get back to the basic premise that the end user has given consent via a click-through EULA. Legal consent requires:

  1. The EULA was made available to the end user prior to the installation being completed.
  2. The end user accepted the agreement either explicitly by clicking "I accept" or implicitly by continuing to install the program.

3 types of trickery

Adware and Spyware actually come in three main flavors of increasing bitterness - Integrated, Bundled, and Trojaned:

  1. Integrated is the most honest of the programs. The Adware or Spyware functionality is built right into the larger program and is usually visible.
  2. Bundled is much more likely to trigger the gag reflex. This refers to a usable free program, hereafter referred to as the bait, that includes a dubious EULA stating that other bundled software is required for use. The bundled programs are malicious in nature but still legal at this time because of the consent issue.
  3. Trojaned software may actually be illegal. The general idea is to trick the end user into installing the Adware or Spyware through some third agent. The Adware and Spyware folks try to claim that consent was given because a EULA was included; however, the third agent automates the install and typically suppresses the display of the EULA. The question now becomes: if the EULA is never displayed and the end user isn't even aware the Adware or Spyware exists, is it still legal?

Types of program distribution or the tough climb to the bottom.

Computer programs are like any other product; the programmer finds a need and then attempts to fulfill it. The problem is that writing a program is about as much work as writing a novel, and unless you're already wealthy you need to get paid. So, just like the aspiring novelist with book in hand, the programmer sets out to release the program into the world.

The program could be sold through the normal channels of prepackaged, store-sold goods. Just like the aspiring novelist, the programmer has to find and convince a publisher to distribute the work, create all the packaging to distribute the software, and absorb the markups along the distribution chain. This is why software costs $50 and up: $10 to the programmer and the rest to Retailmart.

Couldn't find a distributor? How about releasing it online! Your program or novel is going to be seen by a much larger audience, but how do you get paid? How about providing that free taste and then letting your customer pay you for the rest, à la shareware? The only problem is getting them to pay ...

Can't get your customers to pay? How about giving your program away for free and getting paid by a marketing firm to place ads in it? Adware isn't that bad; you're still liked better than spammers and lawyers. Of course you'll have to rewrite it to display the ads, but what's a little work for cold hard cash?

Too lazy to rework your own program? Don't worry, the mafiosi of the world have prepackaged programs that will do the work for you. Just bundle their programs and get paid per install, per ad, per identity stolen ... well, you get the point: less work, more cash, you just need to sell your soul; sign right there on the dotted line.

Can't write that great American novel or TetrisAttack game? Don't worry! The same people who want you to "bundle" their software don't care how you get their programs installed. Just go out and buy a copy of "Spammers for deadbeats" and annoy the world. For the script kiddies in the audience who need to move out of their parents' basement, why not put the Wookiee costume away and put your leet skilz to work? Script up that virus to do the work for you; you're scum, so revel in it!

Surfing at your own risk

Seriously though, I normally don't attempt to stand in the way of anyone making a buck off their hard work. Advertising is actually a good thing: with advertising revenue, programmers can create programs at a price, even free, that people can afford. The problem is that the current evolution of Adware and Spyware has effectively removed informed consent from the equation. Now, I am not talking about all Adware or even all Spyware. Advertising that is visible, integrated into the larger program, and has the fully informed consent of the system owner is completely fine and even ethical. Even Spyware that meets the above standards could be deemed ethical. I allow individuals to watch me every day as I go about my life; it is when I have not given my permission, am obviously attempting to avoid contact, or am tricked into complying that it becomes stalking. The current trend among web advertisers is to hand the programs that perform the advertising or tracking to third parties, who bundle them into their own programs. While I am still somewhat willing to give these advertisers the benefit of the doubt, this system is ripe for misuse. What ends up happening is that virus writers sign up for an account with the advertisers and bundle the Adware and Spyware as the viral payload, as the following two samples show:
  1. Downloader-AAI
  2. Downloader-VG
There is now a whole class of malware, called downloaders or multi-droppers, whose main effect is to install other programs. The question now becomes: just how innocent are these advertisers? They may be able to claim that they didn't create the malware, but they cannot deny that they are profiting from it.

Crossing the line

The questions before the legal community are:
  • Exactly when does an advertiser stop being an innocent bystander and become an accomplice?
  • Where does the burden of proof lie for informed consent when it's proven that consent is being bypassed via malware? Just because a EULA exists doesn't mean that the end user saw it and agreed to it.
It's time we stop calling Adware and Spyware what they claim to be and call them what they are - Fraudware.
