“Liability Issues in Anti-Spyware Software”
Peter P. Swire
Ohio State University
Center for American Progress
Anti-Spyware Coalition Public Workshop
January 31, 2008

Overview
  Background & Disclaimer
  Kaspersky case
  Safe harbor statute
  A current case – should anti-spyware delete opt-out cookies?

Background & Disclaimer
  To “balance” the panel, Ari asked me to highlight critiques of anti-spyware software
  I worked extensively with this Coalition in formative stage
  Ari & CDT have done such a good job that I have been happy to let them take the lead since
  I am enormously appreciative of contributions of anti-spyware software

Kaspersky
  I share the general happiness for the overall outcome – Zango loses
  Two broad holdings that perhaps make bad law
    “Interactive computer service”
    “Otherwise objectionable”

“Interactive Computer Service”
  Court admits it gives a very broad reading to ICS
  Broad as well on “access software provider”
  Maybe would mean a service that lets the user access an outside service
  Court’s definition means any “phone home” software is included – put that in your software and you are immune
  Court goes broad, but perhaps another court would find differently

“Otherwise Objectionable”
  One of these things is not like the other?
    Obscene, lewd, lascivious, filthy, excessively violent, harassing
    Ads for a legal product
  Purpose of the law – the “Communications Decency Act” – restrict children’s access
  Ejusdem generis – canon of statutory interpretation
  No discussion of these issues in the district court decision

Safe Harbor & Kaspersky
  ASC and long hours spent drafting versions of safe harbor legislation
  Kaspersky is broader safe harbor
    Kaspersky would block FTC & state AG enforcement
    No need to act in good faith
    No need to have a reasonable process to define malware or manage disputes
  District court holding in Kaspersky may go too far in immunizing anti-spyware software

A Current Issue
  FTC comments on behavioral profiling due Feb. 22
  I’m working on comments about technical barriers to effective consumer choice
  One existing tool for consumer choice is the “opt out cookie”
  Technical problems with these, at least partially fixable
  Comments today are tentative & welcome your input
  Have reached out to the ACM

Opt Out Cookies - I
  Monday I opt out of tracking
    DoubleClick
    Network Advertising Initiative
    Maybe a lot more given FTC involvement
  Tuesday I delete my cookies
  Wednesday I am being tracked again

Opt-Out Cookies: II
  Monday I opt out of tracking
  Tuesday my anti-spyware software deletes all cookies (or all 3d party cookies)
  Wednesday I am being tracked again
  (At least until the next anti-spyware cleaning of my computer)

Change to Anti-spyware?
  First problem is for the browsers – more granular control over cookies so opt out cookies persist better
  Second problem is for anti-spyware vendors
    What barriers to allowing opt-out cookies to persist?
    Need standards to define “opt out cookies”?
    Security holes or vulnerabilities if bad guys use “opt out cookies”?

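The questions on this slide, worked as an added example that is not part of the original presentation: a cleaning pass that spares an opt-out cookie only on an exact domain, name and value match, so a cookie that merely looks like an opt-out but carries a per-user identifier is still removed. The registry, domains and cookie values are all constructed assumptions standing in for whatever standard would define "opt out cookies".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    value: str
    third_party: bool

# Hypothetical registry standing in for a published standard: each
# (domain, cookie name) maps to the single fixed value that every
# opted-out user receives. All entries are constructed for this example.
OPT_OUT_REGISTRY = {
    ("adnetwork.example", "id"): "OPT_OUT",
    ("tracker.example", "optout"): "1",
}

def is_opt_out(cookie: Cookie) -> bool:
    """Preserve only on an exact domain + name + value match.

    Matching the value matters: a cookie that is merely named like an
    opt-out but carries a per-user value is still a tracking identifier.
    """
    key = (cookie.domain.lstrip(".").lower(), cookie.name)
    expected = OPT_OUT_REGISTRY.get(key)
    return expected is not None and cookie.value == expected

def clean(cookies, third_party_only=True):
    """Return (kept, removed) after a cleaning pass that spares opt-outs."""
    kept, removed = [], []
    for c in cookies:
        in_scope = c.third_party or not third_party_only
        (removed if in_scope and not is_opt_out(c) else kept).append(c)
    return kept, removed

# Constructed sample cookie jar.
SAMPLE_JAR = [
    Cookie(".adnetwork.example", "id", "OPT_OUT", True),      # genuine opt-out
    Cookie(".adnetwork.example", "uid", "8f3a91c2e7", True),  # ordinary tracker
    Cookie("tracker.example", "optout", "1-u77421", True),    # ID hidden in "opt-out"
    Cookie("shop.example", "session", "k2j9", False),         # first-party
]

if __name__ == "__main__":
    kept, removed = clean(SAMPLE_JAR)
    for c in kept:
        print("kept   ", c.domain, c.name, c.value)
    for c in removed:
        print("removed", c.domain, c.name, c.value)
```
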
Some Implications
  Perhaps it’s worth it to tune anti-spyware so opt out cookies can persist
  Better ways to enable consumer choice on behavioral profile? In reasonable amount of time?
  If not, then bigger importance of tuning anti-spyware software to preserve opt-out cookies, soon.

Finally
  If it is worth getting persistence of opt-out cookies
  And if vendors decided not to tune their products
  Then Kaspersky would block the FTC and state AGs from legal action
  That might not be the right legal regime for how anti-spyware fits into the rest of the legal system