Boalt Spyware Conference Recap

On Friday I attended the Spyware conference at Boalt. This was an outstanding conference—I learned a lot. You should take any opportunity to attend a Berkeley Technology Law Journal annual symposium in the future—their events are typically first-rate.

Tutorial on Spyware

Jeffrey Friedberg, Microsoft’s “Director of Windows Privacy,” started off the conference with a spyware tutorial. He proposed rejecting the term “spyware” in favor of “deceptive software,” a useful nomenclature shift. He then made the typical technologist’s argument that we should focus on bad behavior instead of bad software features, as many features that are included in deceptive software can be used for beneficial purposes. Thus, he wants to preserve room for “horse trades” where users willingly make a choice to cede desktop control in exchange for some desired benefit. However, he then gave examples of deceptive software to show how bad actors exploit various user interface design elements to trick users into downloading their software. He listed a number of attributes of XP Service Pack 2 designed to correct some of those design elements.

He then gave an extended depiction of an “Internet battlefield” to argue that spyware and phishing are really the same problem—an attempt to convert data from the user/their desktop into cash. He offered his solutions to the deceptive software/phishing problem: a combination of consumer education, technological innovation, industry cooperation, enforcement and new legislation.

Two points were especially interesting to me:

First, he explained why users should never put personal information into a pop-up window because users don’t/can’t know who served the pop-up window (e.g., there are no address bars in the pop-up window). He showed how phishers may launch a pop-up while redirecting the main window to a trusted website at the correct URL. In this case, the user might mistakenly assume that the pop-up window was spawned by the underlying trusted site. I realized that even I could fail prey to that trick, so I’ve made a mental note—no personal information into pop-up windows!

Second, he discussed how occasionally Microsoft has used its automatic update feature to eradicate (he called it “clean”) software from users’ computers. He gave the example of Download.ject, some malware code that Microsoft simply deemed impermissible, so it wiped Download.ject off the face of the Windows universe. Perhaps I missed the publicity about this at the time, but I’m troubled by this exercise of power. On the one hand, so long as Microsoft executes its powers as a benevolent dictator wisely, it’s a great asset to combat malware. On the other hand, (1) it isn’t clear how clearly Microsoft communicates its decision, (2) I am not aware that Microsoft has published its standards for software that it will unilaterally eradicate (or that it applies those standards consistently), and (3) we have to trust Microsoft to do the right thing, and I’m not sure how comfortable I am with that!

Panel on Privacy and Surveillance Issues

Patricia Bellia made an argument that some existing federal laws are inadequate to deal with spyware. She deconstructed the ECPA and made a convincing case that the law has a tough time stretching to cover actions on a single desktop computer. She also deconstructed the CFAA and suggested a little more hope there, but still argued that several standards (such as the $5,000 damage requirement) may be fatal to claims. I need to see her paper, but her talk makes me question my previous beliefs that CFAA and ECPA already covered spyware and that additional legislation was superfluous.

Ari Schwartz presented CDT’s positions on spyware. He argued that adware vendors cater only to advertiser interests, not user interests, and therefore these misdirected loyalties disadvantage consumers. I disagree with this argument: if adware vendors do not provide a suitable user experience, they will not be able to perform well for advertisers. So adware vendors will have to create a good value proposition for users, and their interests are far more aligned than Ari portrays.

Paul Schwartz recapped his recent article Property, Privacy, and Personal Data, 117 Harvard Law Review 2055 (a very interesting read, BTW). In that article, he pointed out two separate reasons to regulate privacy: first, there is a privacy market failure because data collectors know more about what they will do with the data than data subjects, and second, that there are social costs to privacy, and therefore a privacy commons needs to be protected.

Based on this, he favors an opt-in scheme that, among other benefits, forces data collectors to tell consumers about their practices. After his talk, I pointed out to him that I see the information asymmetry differently—consumers have heterogeneous but undisclosed interests, so perhaps we should set up a system to force consumers to disclose those interests. I doubt I’ll convince him on this point!

Paul S. surprised a number of us by supporting the mandatory disclosure requirements in HR 29, favoring efforts to sharpen the notice/consent process.

Reed Freeman of Claria then presented Claria’s perspectives on regulation. Claria generally favors regulation of software that operates without consent. From their perspective, these laws would not affect them because they see themselves as obtaining consumer consent.

Seth Lesser then gave his perspectives as a plaintiff’s lawyer in the Doubleclick cookies, Avenue A and Pharmatrak cases, saying that user consent issues are tough to overcome and echoing Patricia’s assessment that the federal statutes may not be robust enough.

Deirdre Mulligan moderated this panel, and I thought she made a great observation when she noted that spyware purveyors are experts at exploiting consumer expectations about user interfaces.

Intellectual Property and Contracting Issues

Dan Burk discussed how intellectual property law does not protect consumers from spyware because, among other things, consumers lack standing to sue. Later I asked Dan if spyware raises any unique issues because consumers don’t have standing under IP laws generally. Dan observed that the relevant “infringing” actions take place on a chattel owned by the consumer, yet the consumer cannot use IP laws to protect that chattel. I’m still not sure if that is a meaningful difference; I’m looking forward to reading his paper.

Jane Winn talked about contract law. Her perspective is that American law upholds contracts very liberally. She favors an approach like the EU directive on mass market contracts, where courts have the power to reject terms that are substantively unfair.

Tim Ehrlich spoke about the costs that legitimate businesses incur due to the spyware paranoia, including the costs incurred by advertisers and the costs attributable to being labeled as spyware or adware. Ehrlich called for some type of appeals process when private companies characterize software as spyware or adware.

Alex MacGillivray described Google’s software principles.

Keynote

Christine Varney was scheduled as the keynote, but she scratched at the last minute due to illness. Instead, her partner Mary Ellen Callahan took her place. I think we had all been looking forward to hearing Christine, so the substitution was a little disappointing, but Mary Ellen did the best she could under the circumstances. Mary Ellen focused on whether adware businesses could be legitimate, and taking a very FTC-esque approach, she concluded that the answer was yes with adequate notice/consent and easy uninstall procedures.

Regulatory Challenges

Peter Menell asked whether regulation was better located at the state or federal level. He used the unfair competition doctrine as a case study, showing that it used to be a federal doctrine but is principally the province of state law now. However, on the Internet, state-based regulation has the risk of creating a lowest-common denominator environment where the most restrictive laws control nationally. He took particular aim at the notion that states can be a laboratory for testing new policy, showing that state law is often influenced by federal policy (such as in the case of unfair competition laws), so they are not pure testing environments. After the talk, I added that states are lousy laboratories because (1) they are especially susceptible to regulatory capture/rent seeking, (2) there is no empirical measurements of results or effort to divine best practices from states’ experiences, and (3) often, at least in the Internet context, a pioneering state’s law is adopted by other states before it has been tested. California’s anti-spyware law is a typical example, having propagated to approximately a dozen states before we have gotten any empirical results in California.

Ira Rubinstein deconstructed several of the proposed federal laws, showing both their breadth and ambiguity.

Susan Crawford gave a good overview of how various legal efforts have failed to address spyware. Her solution is to think about unwanted software as a pathogen and allow technology to develop immunizations organically. She has written a nice paper surveying the spyware/adware topic and I hope she’ll post the paper soon (before it gets too far out of date…).

Deirdre Mulligan gave a great talk (my choice for the best of the day). Her clinic has conducted an ethnographic study of 30 people downloading software and how they processed disclosures. Under current practices, downloaders did not understand the contract terms or even review them. However, when she explained the terms post-download, most users expressed regret. She then presented downloaders with summary notices of some key terms (a layered notice approach). The summaries improved user understanding, but to her surprise, they did not change behavior—people still clicked through to complete the download! This empirical research seems to completely destroy the assumptions incorporated into laws like the Spy Act—the fact that behavior did not change undercuts any belief that more prominent or understandable disclosures will help consumers. I am anxious to see Deirdre’s write-up of her findings; they appear to be both important and useful.

I spoke after Deirdre and made two principal points. First, consumers will benefit from having software on their machines that learns their preferences passively and using those inferred preferences to deliver surplus-producing information. Therefore, we don’t want laws that would keep that type of software off users’ computers. Second, regulators are forcing consumers to see notice/consent information that consumers don’t care about—basically, foisting new types of pop-ups onto consumers, except that consumers can’t turn these pop-ups off. You can see my notes here.

Henry Chesbrough talked about business models of adware companies. He gave Ebates as an example of a company creating consumer value based on monitoring consumer behavior. He also talked about how government can affect policy not just through negative regulations, but also by encouraging behavior through subsidies and its purchasing protocol.

Michael Geist spoke about transnational jurisdictional issues. He noted the split regarding defamation jurisdiction between the US (which applies the law of the poster) and the other Commonwealth countries (which apply the law of the target).

Conclusion

I thought the conference was great both substantively and as a place to exchange information. My only “criticism” is that many talks did a good job identifying the problems but gave little attention to any solutions (my talk suffered this same defect). In the end, I think this reflects the difficult nature of the problem, but it would have been great if there are new innovative solutions that we should support. Ultimately, such an inquiry is probably moot, because Congress appears to be determined to pass an anti-spyware law regardless of its policy merit.