It has been reported at atg.wa.gov.au that Attorney General McKenna has sued Movieland.com and Associates for what it calls "spyware":
The full complaint, complete with screenshots, can be read here:
Now, I must say at the outset that the behavior exhibited by the software being distributed by Digital Enterprises (trading as Movieland.com; Alchemy Communications, of Los Angeles; AccessMedia Networks, of Los Angeles; and Innovative Networks, of Woodland Hills) is right up there with the worst that I have ever seen. At best it can be called “nagware”; it is most certainly “malware” and it is teetering on the edge of being labellable as a “Trojan”, but I don’t think we can label it “spyware”.
Just like the term “zero day exploit” is often misused, the label “spyware” is used at times when it should not be.
Let’s look at what the lawsuit is about, and what the software in question does:
1. Three days “free” access to members-only content on sites including movieland.com, moviepass.tv and popcorn.net is offered to Web surfers via pop-up advertisements.
2. If the offer is accepted, the Web surfer must download software to take advantage of the three days of “free” access with the software variously being known as “MediaPipe”, “FileGrabber” or “Media Assistant”.
3. After the three free days expire, new “billing” software is apparently downloaded that generates pop-up windows (and videos) that warn the user that their three-day access has expired and that they must now purchase membership because they had not stopped using the access software. The pop-ups display the user’s IP address and customer ID, as well as the time and date of installation of the trial software (this, let me say now, does not make the “billing” software “spyware”).
4. Although users are warned when they install the original access software that they will receive “payment reminders”, they are not told what these reminders are, or how disruptive they will be.
5. The pop-ups appear every hour, starting when the user accesses the internet.
6. The initial pop-up is large, obscuring much of the available screen real estate, and is not easy to close – the only action a user can easily take is to click on a “Continue” button which launches a 40-second-long video alleging that because the user has not cancelled their “free” access, they are now legally obligated to purchase membership. Again, the video is not easily closed.
7. There is no opportunity to decline membership and remove the access software after the three-day free access period expires.
8. Although an entry appears in Add/Remove Programs, the entry does no more than redirect the user to a payment page. It seems from my reading of the original complaint that the entry in Add/Remove Programs only exhibits this behavior *after* the three days of free access have expired. I assume that before the three days expire the access software can be removed successfully. This could be a very important point in the legal fight to come.
The actions of Digital Enterprises, Alchemy Communications, AccessMedia Networks and Innovative Networks are unethical, unconscionable and possibly illegal, but is their software “spyware”?
The complaint lodged by the State of Washington alleges on page 19 that the software in question is “spyware” because it "places files on the user's computer which send repeated, harassing notices that interfer with use of the computer; prevent the user from uninstalling the offending files; and if, in fact, if the files are uninstalled (sic), leaves parts of Defendants' software on the user's computer".
Unfortunately for the State of Washington, Rob McKenna and Paula Selis, the behavior listed does not make the software “spyware”. The behavior is unfair, deceptive, antisocial, hostile, unethical and possibly in contravention of various laws, but it does not make the software spyware.
The purest, traditional, interpretation of “spyware” is software that watches what users do with their computer and then sends that information over the internet. Let me emphasise, though, that if your software phones home to report that your user licence has expired, and you are thereafter denied access to updates, that is not “spying”. That is a developer or company ensuring that users are only receiving benefits to which they are entitled.
I’ve been fighting spyware/malware/adware/foistware/betrayware/stealware (pick your name) since Year 2000 and I admit to being a bit of a traditionalist when it comes to the terminology applied to various types of malware. Over time the meaning of spyware has, unfortunately, been expanded to encompass software that is designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user, or subvert the computer's operation for the benefit of a third party (cite: Wikipedia.org; http://en.wikipedia.org/wiki/Spyware). Although commonplace, such an interpretation is not correct. Such software is rightly labeled “malware” (software that is designed to infiltrate or damage a computer system, without the owner's informed consent; cite: http://en.wikipedia.org/wiki/Malware).
Now, it could be said that the Digital Enterprises software is “watching” users, but then we start getting into difficulty regarding the interpretation of “watching”. A programmatic time-bomb that is written to download and install payment software after a certain period of time has elapsed is not “watching” in the sense meant by those who originally coined the term “spyware” as it pertains to malevolent software.
It is important that we be clear, and consistent, when we attach labels to malevolent software. Users are being confused. The popular press are not doing us any favours by going for the zing that comes with accusing a big name of spreading “spyware”. “Malware” just doesn’t have the same ring to it.