““Liability Issues inLiability Issues in Anti-Spyware Software” Anti-Spyware Software”

Peter P. SwirePeter P. Swire

Ohio State UniversityOhio State University

Center for American ProgressCenter for American Progress

Anti-Spyware Coalition Public WorkshopAnti-Spyware Coalition Public Workshop

January 31, 2008January 31, 2008

OverviewOverview

Background & DisclaimerBackground & Disclaimer Kaspersky caseKaspersky case Safe harbor statuteSafe harbor statute A current case – should anti-spyware A current case – should anti-spyware

delete opt-out cookies?delete opt-out cookies?

Background & DisclaimerBackground & Disclaimer To “balance” the panel, Ari asked me to highlight To “balance” the panel, Ari asked me to highlight

critiques of anti-spyware softwarecritiques of anti-spyware software I worked extensively with this Coalition in I worked extensively with this Coalition in

formative stageformative stage Ari & CDT have done such a good job that I Ari & CDT have done such a good job that I

have been happy to let them take the lead sincehave been happy to let them take the lead since I am enormously appreciative of contributions of I am enormously appreciative of contributions of

anti-spyware softwareanti-spyware software

KasperskyKaspersky

I share the general happiness for the I share the general happiness for the overall outcome – Zango losesoverall outcome – Zango loses

Two broad holdings that perhaps make Two broad holdings that perhaps make bad lawbad law ““Interactive computer service”Interactive computer service” ““Otherwise objectionable”Otherwise objectionable”

““Interactive Computer Service”Interactive Computer Service”

Court admits it gives a very broad reading to ICSCourt admits it gives a very broad reading to ICS Broad as well on “access software provider”Broad as well on “access software provider”

Maybe would mean a service that lets the Maybe would mean a service that lets the useruser access an outside service access an outside service

Court’s definition means any “phone home” Court’s definition means any “phone home” software is included – put that in your software is included – put that in your software and you are immunesoftware and you are immune

Court goes broad, but perhaps another court Court goes broad, but perhaps another court would find differentlywould find differently

““Otherwise Objectionable”Otherwise Objectionable” One of these things is not like the other?One of these things is not like the other?

Obscene, lewd, lascivious, filthy, excessively Obscene, lewd, lascivious, filthy, excessively violent, harassingviolent, harassing

Ads for a legal productAds for a legal product Purpose of the law – the “Communications Purpose of the law – the “Communications

DecencyDecency Act” – restrict Act” – restrict children’s children’s access access Ejusdem generis – canon of statutory Ejusdem generis – canon of statutory

interpretationinterpretation No discussion of these issues in the district court No discussion of these issues in the district court

decisiondecision

Safe Harbor & KasperskySafe Harbor & Kaspersky

ASC and long hours spent drafting versions of ASC and long hours spent drafting versions of safe harbor legislationsafe harbor legislation

Kaspersky is broader safe harborKaspersky is broader safe harbor Kaspersky would block FTC & state AG Kaspersky would block FTC & state AG

enforcementenforcement No need to act in good faithNo need to act in good faith No need to have a reasonable process to No need to have a reasonable process to

define malware or manage disputesdefine malware or manage disputes District court holding in Kaspersky may go too far District court holding in Kaspersky may go too far

in immunizing anti-spyware softwarein immunizing anti-spyware software

A Current IssueA Current Issue FTC comments on behavioral profiling due Feb. 22FTC comments on behavioral profiling due Feb. 22 I’m working on comments about technical barriers I’m working on comments about technical barriers

to effective consumer choiceto effective consumer choice One existing tool for consumer choice is the “opt One existing tool for consumer choice is the “opt

out cookie”out cookie” Technical problems with these, at least partially Technical problems with these, at least partially

fixablefixable Comments today are tentative & welcome your Comments today are tentative & welcome your

inputinput Have reached out to the ACMHave reached out to the ACM

Opt Out Cookies - IOpt Out Cookies - I

Monday I opt out of trackingMonday I opt out of tracking DoubleClickDoubleClick Network Advertising InitiativeNetwork Advertising Initiative Maybe a lot more given FTC involvementMaybe a lot more given FTC involvement

Tuesday I delete my cookiesTuesday I delete my cookies Wednesday I am being tracked againWednesday I am being tracked again

Opt-Out Cookies: IIOpt-Out Cookies: II

Monday I opt out of trackingMonday I opt out of tracking Tuesday my anti-spyware software deletes Tuesday my anti-spyware software deletes

all cookies (or all 3d party cookies)all cookies (or all 3d party cookies) Wednesday I am being tracked againWednesday I am being tracked again

(At least until the next anti-spyware cleaning (At least until the next anti-spyware cleaning of my computer)of my computer)

Change to Anti-spyware?Change to Anti-spyware?

First problem is for the browsers – more granular First problem is for the browsers – more granular control over cookies so opt out cookies persist control over cookies so opt out cookies persist betterbetter

Second problem is for anti-spyware vendorsSecond problem is for anti-spyware vendors What barriers to allowing opt-out cookies to What barriers to allowing opt-out cookies to

persist?persist? Need standards to define “opt out cookies”?Need standards to define “opt out cookies”? Security holes or vulnerabilities if bad guys Security holes or vulnerabilities if bad guys

use “opt out cookies”?use “opt out cookies”?

Some ImplicationsSome Implications

Perhaps it’s worth it to tune anti-spyware Perhaps it’s worth it to tune anti-spyware so opt out cookies can persistso opt out cookies can persist Better ways to enable consumer choice on Better ways to enable consumer choice on

behavioral profile? In reasonable amount of behavioral profile? In reasonable amount of time?time?

If not, then bigger importance of tuning anti-If not, then bigger importance of tuning anti-spyware software to preserve opt-out cookies, spyware software to preserve opt-out cookies, soon.soon.

FinallyFinally IfIf it is worth getting persistence of opt-out it is worth getting persistence of opt-out

cookiescookies And And ifif vendors decided not to tune their vendors decided not to tune their

productsproducts ThenThen Kaspersky would block the FTC and Kaspersky would block the FTC and

state AGs from legal actionstate AGs from legal action That might not be the right legal regime for That might not be the right legal regime for

how anti-spyware fits into the rest of the how anti-spyware fits into the rest of the legal systemlegal system