RetroCoder makes a commercial keylogger called SpyMon, something that someone would normally buy on purpose.  But just in case, it’s in our threat database and we treat it like we treat all commercial keyloggers — we tell the user it’s on the system, make the default action “Ignore” and let the user decide whether or not to remove it. 

But they don’t like the fact that we list it.  And so they sent us this little gem through our standard submission form:

If you read the copyright agreement when you downloaded or ran our program you will see that Anti-spyware publishers/software houses are NOT allowed to download, run or examine the software in any way. By doing so you are breaking EU copyright law, this is a criminal offence. Please remove our program from your detection list or we will be forced to take action against you.

Thank you,

Anthony Ball

A check on their website confirms this policy:

This software package is a copyrighted product. As such the owner of the copyright expressly forbids any use, disassembly, examinination [sic] and/or modification by anyone who works for or has any relationship or link to an AntiSpy or AntiVirus software house or related company. If you do produce a program that will affect this softwares [sic] ability to perform its function then you may have to prove in criminal court that you have not infringed this warning.

Infingement [sic] of a copyright licence is a criminal offence .

Well well well. This brings up an interesting issue.  Can you use copyright law to protect your product from being evaluated by a spyware researcher?  

The answer is, absolutely not.

Already knowing the answer, I checked with our high-priced lawyers and the answer agreed with mine.  Regardless of EU law, US law or the Supreme Law of the Lower Hebrides, simply listing an application as potential spyware is not copyright infringement.  Unless you reverse engineer the application, there is no liability for infringement. 

Of course, there is US case law to support a position about using EULAs in general to inhibit First Ammendment free speech, such as when New York AG Elliot Spitzer stopped Network Associates from imposing onerous license conditions (“a New York state judge has ruled that Network Associates can’t prevent people from talking about its products.”). Or, this link, reporting the NYAG’s view that “Whether the subject is political debate, debate in the arts and sciences, or debate over what software to buy, we must protect free and open speech from intimidation. The public has a right to information about products.”  (Thanks Ben)

Eric Howes and Suzi Turner pointed out that this is redolent of the Ash1ey Affair that occurred back in August and September of last year.  Here’s how it went: A fellow by the name of “Ash1ey” was behind a product called Privacy Tools 2004. His program was on SpyareWarrior’s Rogue/Suspect list, and when he released a new version with a new database, he expected to get it de-listed from the site. It didn’t work out that way, and Ash1ey was quite upset.  In short, he added a clause to his EULA forbidding anyone associated with SpywareWarrior from testing his program, and he threatened to write malware himself. Ash1ey is now the poster boy for rogue antispyware applications. 

The idea of using “copyright law” or EULAs as an attempt to suppress antispyware research is both disturbing and laughable.  While the reasoning is sophomoric (along the lines of “I watch Boston Legal, therefore I am a lawyer”), it could put smaller publishers that don’t have legal resources to pull listings of products.  We’ve seen this happen with a couple of antispyware vendors — they get a legal threat and they just fold, because they don’t have the legal resources to fight it.

Well, to Mr. Ball, I wish you luck in your efforts to suppress free speech and common sense.  Your application will continue to be listed, as well as a large number of others. 

 

Alex Eckelberry
(Thanks to Ben Edelman, Wayne Porter, Chris Boyd, Eric Howes and Suzi Turner for their helpful input on this issue.)