Malware is Everywhere
Malware (or malicious software) is really the key term here. Malware’s definition is in the eye of the beholder, but I use the term generally to mean software that you do not want. It can include everything from the destructive virus to the annoying adware popup asking you to clean your PC.
Most malware seems to come in the form of those unwanted software add-ons that seem to come with any free download on the internet.
According to Lowell Heddings, the “How-To Geek,” after downloading the top ten downloads on CNET’s Download.com site, your desktop will look something like this:
CNET is a fairly “reputable” website, and Download.com has been around since, well, as long as most people can remember the modern internet, yet somehow these add-on toolbars, PC cleaners, virus detectors, and malware removers seem to be just bloated, annoying, and frankly malicious software.
How Are “Malware” Bundles Even Allowed?
Heddings further points out that Download.com’s own “Malicious Software Policies” represent that the software it lists does not contain “viruses, Trojan horses, malicious adware, spyware, or other potentially harmful components.” Most importantly, no software is listed that “installs without notice and without the user’s consent.”
It seems that publishers and directories like CNET take the position that software is not malicious adware, spyware, or potentially harmful if the user consents to it. If you actually take the time to read those End User License Agreements that many of us, including us lawyers, tend not to read, you would see that you are consenting to the download and installation of all those random junk toolbars and software.
Malware Bundling Goes Undetected Everywhere
It is when these kinds of software are not properly disclosed, or are even mistakenly included in bundled software or pre-installed systems, that the law actually has something to say.
Take Lenovo’s recent debacle after researchers found their devices came with pre-installed adware from a company called Superfish. In that case, users’ new laptops came with popups displaying scantily clad women, as alleged in a class action lawsuit against Lenovo.
Mobile apps are not any less vulnerable. Professional hackers are targeting Apple’s App Store and the Google Play Store to inject hidden malware into usable apps.
Bundled Software Makes Money for Developers
There are plenty of networks (including CNET) that encourage you to give your well-built software out for free in exchange for bundling software with yours. They all include a pay-per-download or pay-per-install model that can be very attractive to a software developer who would otherwise not make a dime from giving software away for free.
It is a fair assumption that most of these platforms will make the disclosures required to the end user, but rarely do these arrangements exceed the bare minimum.
Potential Liability of Software Bundling
For the most part, software platforms have the know-how to ensure proper disclosure to the user. It is very easy to slap together a shrink-wrap agreement that no one is going to read and they.
Part of the problem is that the laws surrounding malware are not very strong. Take, for example, a lawsuit against an adware vendor that developed software called “Text Enhance.” That software caused a popup to appear each time the user’s mouse hovered over certain keywords. A claim was brought under the Computer Fraud and Abuse Act (CFAA), but the court did not permit the claim to go forward because the damage threshold of $5,000 was not met and the court was unable to aggregate the harm to other users.
The CFAA has some of the sharpest teeth in combating this issue, but how useless it is if that $5,000 has to be reached for each single user.
Slightly more useful are the civil claims that may be available under state laws, which include trespass to personal property or violations of unfair competition law. Unfortunately, the damages aspect of these types of claims is usually equally useless unless the claim can be turned into a class action, as in the Lenovo case.
It would seem the answer to this problem (assuming you agree it is one) is not a legal one.
The real question is what legitimately operating company wants to be associated with bloatware or bundled useless adware? The risk of a negative reputation may be enough to deter most developers, and end user diligence may be enough for the rest.
Going After the Real Bad Actors
Assuming you can differentiate between those unwanted software programs that get bundled with other software and slow down your computer and just plain spyware and viruses, how do you go after the real criminals? The biggest problem is that the laws of the United States do not apply in Nigeria, China or Russia (not to pick on any one country). Most of the real malicious software is distributed internationally.
Extradition treaties do not apply until you figure out who committed the crime–which is impossible if you have no authority to investigate across international borders.
With very little legal recourse, if you are busy unscrambling an attacked network or infested personal computer, you have already lost. No lawyer is going to get you out of this one. Call tech support.