Wayne Barnes, Associate Professor at Texas Weslayan University School of Law, has just written a powerful dissertation called Rethinking Spyware: Questioning the Propriety of Contractual Consent to Online Surveillance.  Download it here.

The premise of the document is:  Just because we got you to agree, does it make it ok that we are doing what we’re doing?   The paper then describes, in painstaking detail, what the various applicable laws are in the area.  While I don’t entirely agree with his definitions of spyware (he does make it seem like practically all spyware is a keylogger), there is some powerful information in this writeup.

Some snippets:

…the proposition that a consumer may contractually consent to the installation of such software is accepted almost without any serious debate… However, once the consumer initially clicks “I accept,” she may never again be aware of the fact of the surveillance and transmission of her private web browsing data. These arrangements have been championed by many in the software industry, and resistance against them is sometimes weak since the consumer is perceived to have granted contractual consent …

The purpose of this article is to question the propriety of that contractual consent, given the privacy implications of spyware. Part II of this article discusses the history of spyware in the greater context of the development of the Internet generally. It also discusses the debate about the definition of spyware, and the importance of the perceived grant of consent in that debate…. On the other hand, some observers believe that the spyware/adware distinction is spurious. Ben Edelman, perhaps the foremost researcher of spyware in the United States, stated: “From the perspective of users whose computers are infected, there is nothing hard about (defining spyware). . . .

If you have adware or spyware on your computer, you want it gone. Maybe the toolbar is Mother Theresa, but it’s Mother Theresa sitting in your living room uninvited and you want her gone also. . . . You don’t need a committee of 50 smart guys in D.C. sipping ice tea in order to decide that.”49 Many people, fed up with the epidemic of spyware and adware, say that it’s not the label that’s given, but rather it’s “what you don’t want on your PC that matters.”50 In considering recently proposed spyware legislation, a United States congressperson remarked, in an analogy of spyware’s intrusive tactics to the “real” world: “If somebody walks in my house without my knowledge, without my permission, they’re trespassing. I don’t understand, I really don’t understand, why we’re having a . . . debate about this issue that everyone is outraged about.”

I would submit that no one actively seeks out to have such surveillance-enabled software placed on their computer, for its own sake. Rather, the consumer is only thinking of getting the desired application, such as KaZaa or a computer game. True freeware still exists on the Internet, as well as “trial versions” of programs, or shareware, which allow the downloading of a program for limited purposes, with payment required in order to get the full version.331 Thus, it certainly is not a given that consumers always know there “must be a catch” in the form of consent to constant surveillance

….In short, consumers don’t usually expect spyware. This is further evidenced by a recent survey of Internet users conducted by America Online and the National Cyber Security Alliance, which was released in October 2004.332 That survey revealed that 80% of all computers tested had spyware or adware installed on them; even more notably, 89% of the same users were completely unaware of the presence of the surveillance software on their computers.333 The fact that 89% of users are completely unaware of the spyware on their computer supports an inference that the installation of such software – if it had been discussed in a EULA to which the consumer manifested some type of superficial assent — was clearly beyond the range of reasonable expectation, in terms of the operation of Restatement section 211(3)

Thus, from the privacy principles generally, and the sanctity of one’s home, it can be argued that spyware contracts which obtain purported consent to surveillance should be unenforceable as against the public policy favoring privacy. Unlike contracts where the invasion is a merely incidental aspect of the bargain, the spyware bargain purports that the full consideration flowing from the consumer is the allowance of unfettered, continuous online surveillance of the consumer, which could conceivably include all of the most private aspects of the consumer’s life. The invasion effected by the spyware is a “virtual” trespass into the consumer’s home – the usual location of the consumer’s computer used for web browsing.

Alex Eckelberry
(Thanks to Ben Edelman for sending me this link).