
Spyware Maker Sues Detection Firm

Luigi30 writes "ZDnet reports that RetroCoder, makers of the SpyMon remote monitoring program, are suing Sunbelt Software, makers of CounterSpy, a spyware detector program, for detecting SpyMon as spyware. According to the EULA, SpyMon can not be used in 'anti-spyware research,' and detecting it is therefore a violation of it. 'In order to add our product to their list, they must have downloaded it and then examined it. These actions are forbidden by the notice,' a RetroCoder spokesperson said."
This discussion has been archived. No new comments can be posted.

  • by VGPowerlord ( 621254 ) on Friday November 11, 2005 @04:50AM (#14006046)
    Since when could a company dictate to other companies how they could classify the software?

    If it looks like a duck, and sounds like a duck, then it must be a duck. :P

  • by Anonymous Coward on Friday November 11, 2005 @05:00AM (#14006101)
    Although the EULA does state the defendant must prove in court they didn't use the accused spyware program in research, isn't it possible that the spyware detecting application made (exclusive?) use of heuristic profiling to detect the actual spyware app?
  • by CosmeticLobotamy ( 155360 ) on Friday November 11, 2005 @05:00AM (#14006102)
    If you do produce a program that will affect this software's ability to perform its function, then you may have to prove in criminal court that you have not infringed this warning.

    Is it legal for contracts to include conditions that are physically impossible to do? If so, my next bit of software is coming with a "If you can't prove you didn't make copies of the software, you owe us for as many copies as could possibly have been made between the time you first run the program and the time we sue you." Since nobody reads those things anyway.

    On a mostly unrelated note, I wrote a program that shows funny pictures. It's awesome, and it's only 1 cent, for... processing purposes, if anyone's interested in a download.
  • by Kjella ( 173770 ) on Friday November 11, 2005 @05:17AM (#14006192) Homepage
    Anyone remember those MOTD's on pirate-software FTP sites giving us a pseudo-legal-brief about President Clinton signing some law, and then "FBI AGENTS YOU CANNOT ENTER THIS SITE"?

    They never stopped, FTP simply lost importance. IRC fserves used to have them too. Websites, DC++ hubs, eMule hubs, WinMX shares as well. It's funny, I've had people present me that and then ask me if I'm a cop as well. Even after sending them this [snopes.com] and this [snopes.com] they still think it is for real. I guess it's some kind of mental self-defense, denial or whatever that makes them go LALALALALA I can't hear you.

    Kjella
  • by Rocketship Underpant ( 804162 ) on Friday November 11, 2005 @05:37AM (#14006246)
    1. EULAs are BS. The spyware company happily uploaded a copy of their software to the anti-spyware company on request. Clicking the install button below a 3000 word pile of legalese after you've been given the software isn't a valid contract, for reasons well explained many times before on this site. Heck, the spyware company doesn't even know what individual supposedly "agreed" to the EULA. The janitor? A 12-year-old child? Could have been anyone.

    2. Why is the industry so lawsuit crazy? Lawsuits are supposed to reimburse you for actual unlawful damages done. What damage was done by the anti-spyware company downloading the software? A few cents' worth of bandwidth at the most. What damage was done by installing it? None at all. This is surely the most baseless lawsuit ever.

    (I know that including the spyware definitions in anti-spyware software will [one hopes] hurt the spyware company, but that's not what the suit is about.)
  • yes and no (Score:3, Interesting)

    by TubeSteak ( 669689 ) on Friday November 11, 2005 @05:38AM (#14006250) Journal
    Yes, spyware companies leaned on the likes of ad-aware, spybot, etc

    BUT

    no, because their delisting was contingent on the company modifying the way their software installs/removes/whatever

    some spyware companies changed a few of their nasty ways and were rewarded by being delisted. The anti-spyware companies (of course) have reserved the right to relist lapsed spyware makers.
  • by kartack ( 930284 ) on Friday November 11, 2005 @05:55AM (#14006309)
    A company or individual can sue for slander. I'm no legal expert, however maybe RetroCoder could consider CounterSpy as slandering them when they mark SpyMon as spyware. This however would have nothing to do with the EULA in particular. You hear about this kind of court case usually in regards to the media; if I review your software and give it an unfair and bad review I just might end up on the receiving end of such a lawsuit. I would think though that given the nature of SpyMon that this would be exceedingly difficult to prove, since you can't sue over slander if the comments are true (aka it's fine to call a piece of crap a piece of crap, but you can't call something that most people would consider good a piece of crap.)

    If RetroCoder indeed is going to attempt to sue for violating the EULA and they go all the way through court and lose I'm curious if this will have any implications on future EULA related cases. Others have been saying that EULA's are hard to prove in court but every time an EULA cannot successfully be defended it means that it will be all the more difficult to show in future. If enough attempts are made and failed maybe companies will stop trying to claim all these crazy protections in EULA's and decide to simply save the costs of hiring lawyers to write them.

    I would tend to agree with some others that there should be legal mechanisms in place to properly protect software. Neither copyright nor patent properly fit this bill and no one seems to be interested in trying to come up with the appropriate thing.
  • Simple solution (Score:3, Interesting)

    by CarpetShark ( 865376 ) on Friday November 11, 2005 @05:57AM (#14006314)
    Dear Sunbelt Software, I just wanted to complain to someone about a crappy bit of software. c:\abc.exe has been pissing me off for ages now. It does X, Y, and Z. I really wish there was some software out there to remove this crap. Thanks for listening.
    Dear Pissed Off User, We actually make anti-spyware software, but I guess we can add this to the list, just because it bugs you so much. Have a nice day :)
  • by ammoQ ( 454616 ) on Friday November 11, 2005 @05:59AM (#14006324)
    Putting anything into the EULA means nothing if you cannot prove that the other guy ever accepted it.
    This is spyware, so its main purpose is to install it without the user noticing, right?
    A user that doesn't notice the install obviously doesn't read and accept a f*cking EULA, so it doesn't matter what the EULA says.
    Sunbelt might just as well have examined a contaminated PC.
  • by vhogemann ( 797994 ) <`victor' `at' `hogemann.com'> on Friday November 11, 2005 @05:59AM (#14006325) Homepage
    At least here in Brazil.

    For a contract to be valid, it must be an agreement between two parties. In the case of an EULA the consumer doesn't have any power of negotiation, and in practice can't change anything on the EULA.

    The Brazilian legislation also states that you can't be forced to agree with a contract that prejudices, or denies, any of your rights. This way no EULA can really be enforced here.

    Just my 2c.
  • by pilybaby ( 638883 ) on Friday November 11, 2005 @06:00AM (#14006326)
    Perhaps there should be a system where any software installed has to agree to a license on that computer. So I can add my own EULA to my computer and any software vendor that has their software on my computer has to agree to it. There can be a nice API that can be used to get at the license and everything. If I have to agree to an EULA when installing their products on my machine, they should have to agree to my EULA to run their software on my machine. If they break it then I can sue them.

    This is fair too, because as much as I don't understand their EULAs, they won't be able to understand mine. Vive la revolution in software consumer rights!
  • by Anonymous Coward on Friday November 11, 2005 @06:12AM (#14006358)
    Person one opens the package, puts the contents on the table and leaves.

    Person two installs the software on a computer, and leaves.

    Person three has got no knowledge of the first two, and is therefore not encumbered by any EULA.

    Problem solved.

    (freely taken from one of Isaac Asimov's stories, in which a series of robots, all of them incapable of hurting a human, are coerced into taking part in a series of actions that results in the death of a human)
  • by leuk_he ( 194174 ) on Friday November 11, 2005 @06:30AM (#14006408) Homepage Journal
    from the article (page 2):

    Copyright law plainly wasn't designed for what RetroCoder is using it for, said Christopher Brody, a partner at Clark & Brody in Washington, D.C. "Copyright laws prevent copying, not examination, and I question the enforceability of such a clause based on copyright ownership," he said.

    Well since copyright is also used to prevent the unauthorized copying of banknotes, copyright is actually quite powerful. But copyright will not prevent you from studying bank notes, it might prevent you from creating machines that can help you to duplicate bank-notes (try scanning in a bank note into photoshop and you get the point.)
  • Re:My god (Score:5, Interesting)

    by cp.tar ( 871488 ) <cp.tar.bz2@gmail.com> on Friday November 11, 2005 @06:42AM (#14006434) Journal

    Oh, don't worry... they can't possibly win this case.

    The EULA only enforces certain rules if you want to use the program. If you do not use the program - which would mean running the binaries, if I'm any judge - you may not use the program.

    It would be most interesting to see whether their EULA contains something along the lines 'this software is provided as-is, and is not fit for any express purpose' - something similar can IIRC be found in MS Office. That clause would counter and dispel the clause that claims it can not be used in spyware research - regardless of the fact that the program does not have to be running for it to be examined. It doesn't even have to be installed, and the EULA doesn't even have to be read, let alone agreed to.

    The package can be extracted, binaries examined... And, if the sued company wants to be evil, they can just claim that any software that forbids the end-user to include it in spyware research (and how in the world would you enforce that rule against NOD32's heuristics and automatic mailing suspicious binaries to their lab really escapes me) deserves to be added to their spyware list. They never had to get past reading the EULA to add the program to their list, so they never would have installed it and, of course, never agreed to the EULA in the first place. If they never installed the program, the EULA is unenforceable.

    Finally, proving a negative is not what the US court system is based on, at least from what I've heard about it - innocent until proven guilty (unless it's a terrorism accusation, but I don't really want to troll right now). So the spyware maker has to prove that there was no possible way for the sued company to examine their binaries without agreeing to their EULA. If the sued company can prove that there is at least one way for them to do that, the spyware maker cannot prove that they didn't do it. Innocent until proven guilty.

    Hell, I could successfully defend them against this, and IANAL.

  • Re:enforcability ? (Score:2, Interesting)

    by barefootgenius ( 926803 ) on Friday November 11, 2005 @06:46AM (#14006449)
    I don't really know, but I think the threat of a lawsuit kills most lawsuits. I mean has anyone challenged this in court?

    "1.3 Device Connections. You may permit a maximum of five (5) computers or other electronic devices (each a "Device") to connect to the Workstation Computer to utilize one or more of the following services of the Software: File Services, Print Services, Internet Information Services, and remote access (including connection sharing and telephony services). The five connection maximum includes any indirect connections made through "multiplexing" or other software or hardware which pools or aggregates connections. This five connection maximum does not apply to any other uses of the Software."

    I know what they mean, but couldn't that be turned around to mean I can only connect to five computers on the internet? Worst of all, doesn't it make file sharing illegal to run on a XP Home computer as you are providing an information service?

    And that's from the XP Home EULA (http://www.microsoft.com/windowsxp/home/eula.mspx [microsoft.com])
  • Re:My god (Score:2, Interesting)

    by ShadowNetworks ( 915967 ) on Friday November 11, 2005 @08:26AM (#14006873)
    The world is coming to companies being legally able to install spyware and adware on your computer without your knowing and then you cannot remove it because it's a violation of the EULA. I bet even if you reformatted, it would somehow violate the stupid EULA. There are days I hate private enterprises.
  • Re:My god (Score:5, Interesting)

    by Spock the Baptist ( 455355 ) on Friday November 11, 2005 @08:32AM (#14006899) Journal
    Ah, but Sunbelt *never downloaded* it. They obtained their copy otherwise, thus the *PDA* is unenforceable in their case. SpyMon was already on a client's computer, and was giving the client grief. It was from an examination of this computer at their client's request that SpyMon was detected, and further dealt with.

    Sunbelt never *ran* SpyMon, nor did they ever download it, therefore no EULA[1], nor PDA was violated.

    [1] Other posts deal satisfactorily with the *run* issue.
  • by theonetruekeebler ( 60888 ) on Friday November 11, 2005 @08:33AM (#14006906) Homepage Journal
    I can download it without installing it, right? If I don't install it, I don't violate the EULA. I'll just examine the contents using third-party tools and do some good old fashioned reverse-engineering.

    And I'm 90% sure this part of the EULA wasn't written by a lawyer. Defendant can basically say "This isn't research" and tapdance all the way to the bank.

    Honestly, next thing they'll be saying is that strapping these dummies to a table and yanking their entrails out with an iron hook is "anatomical research." It'll be fun to win that case by telling the jury I wasn't doing research---I was drawing and quartering a spyware manufacturer. The best part will be hearing the foreman say "not guilty on account of he was drawing and quartering a spyware manufacturer. And here's the addresses of a few spammers I know about."

  • by Ender Ryan ( 79406 ) <MONET minus painter> on Friday November 11, 2005 @08:33AM (#14006910) Journal
    DIE! DIE! FUCKING DIE! FUCKING DIE MOTHERFUCKERS! DIE! DIE! DIE!

    That's the only response I could come up with. When the whole world's gone crazy, how does one respond rationally?

    Seriously, purveyors of spyware should be brought up on charges in criminal court. We do the same for virus writers, how is malware any different? Can you imagine the courts allowing a virus writer to sue AV firms? :)

  • Re:My god (Score:3, Interesting)

    by MysteriousPreacher ( 702266 ) on Friday November 11, 2005 @08:41AM (#14006948) Journal
    The person who installed and agreed to the EULA could then be sued for allowing their installed copy to be used in research.
  • Re:My god (Score:2, Interesting)

    by AndroidCat ( 229562 ) on Friday November 11, 2005 @08:49AM (#14006976) Homepage
    Heh. Sunbelt is heavily involved in a group that has a EULA that makes "bend over" look tame. Google for the "Lisa Clause".
  • by bigtallmofo ( 695287 ) on Friday November 11, 2005 @09:04AM (#14007056)
    Everything about these idiots screams "asshole". Look at their web site advertising their product:

    Don't know what your kids are doing on the net?
    Worried that your partner is cheating on you?
    Want to see what your employees are really doing instead of working?
    Ever wanted to be a hacker like in the movies?

    Great product niche - allowing paranoid idiots to spy on everyone in their life. Then there's a fantastically smug notice at the bottom of the web site that says:

    Please note that the "crack" by "team tbe" doesn't work anymore. ;)

    Like I said - everything these guys do and say has asshole written all over it.

  • Re:My god (Score:5, Interesting)

    by ezberry ( 411384 ) on Friday November 11, 2005 @09:18AM (#14007126)
    It isn't true that both parties have to have the ability to modify the contract to their satisfaction (I'm in law school and I've taken contracts... ). EULAs are adhesion contracts, which force the accepting party to the terms of the offering party. From Obstetrics & Gynecologists Ltd. v. Pepper (693 P.2d 1259) 'An adhesion contract need not be unenforceable if it falls within reasonable expectations of the weaker or "adhering" party and is not unduly oppressive. However, courts will not enforce against an adhering party a provision limiting the duties or abilities of the stronger party absent plain and clear notification of the terms and an understanding consent.' So, in the end, you are right that this won't be enforced, but for the wrong reason.
  • by fdiskne1 ( 219834 ) on Friday November 11, 2005 @09:39AM (#14007251)

    One or the other. It's bad enough the company has this in their EULA, but the fact they are trying to enforce it through the courts proves one of two things. They either have a legal department/management team with serious balls or their legal department/management team is out of their mind. One or the other. I personally would believe the latter. I can't wait until it gets laughed out of court or, even better, the judge takes the evidence and does whatever he has to do to get the company prosecuted.


    Since I'm not logged in yet when posting this message, I have to type in a captcha. This one is "agree". By typing this, what am I agreeing to? Crap, time to get my lawyer to read this page before pressing preview.


  • by andrewweb ( 257554 ) on Friday November 11, 2005 @09:39AM (#14007255)
    Sounds like the action of someone who understands spyware/trojans and is fully aware that their software could be used in such a capacity. And is seeking to protect their revenue stream in effect by tying the hands of spyware/trojan etc detection publishers.

    It may not be a virus as you say - so GRI would be right to remove it as such - but it could be used as a trojan as you are very well aware.

    If someone had installed this on my system, I would want to know it was there. Would you?

    If it's my system and I have installed it to keep an eye on the kids, and XXX product spots it's there, then I simply whitelist it. Simple, no?

    No need for the "I'm a burglar - and if you are a policeman then you are forbidden from speaking to me" clause.

    It's an admission of guilt I think.
  • by Sierpinski ( 266120 ) on Friday November 11, 2005 @10:06AM (#14007447)
    That's one thing I never really understood. Historically, it's never been the case (legally at least) where just because you write it down and make someone agree to it, it becomes legally binding. If I put in the EULA for software that I wrote, that if you click OK and install this software, you immediately forfeit all rights to your house, all cars, and all cash assets to me, you know someone would just click through that without reading, but of course they wouldn't be legally bound to give me their assets. Any court in the country would overturn that, which just goes to show, just because you write something down doesn't make it legally binding.

    If I got you to sign a paper saying I could beat the snot out of you, and a police officer walks by during the act, what do you think said cop would say if I said "It's OK officer, he signed a waiver saying I could do this to him." It's just ridiculous.

    Congress should outlaw EULA agreements altogether, even the part that says 'If this breaks we aren't responsible.' They wrote the software saying that it works, and if it breaks, they SHOULD be responsible.
  • What people are missing is that it is illegal to access someone's computer if they have told you not to. This is a violation of various computer access laws.

    Ergo, it is perfectly sane to put up a message banning whoever you want, and yes, that does have legal enforceability. I don't know what this has to do with a Federal privacy bill, it's state laws that ban 'unauthorized access'.

    Think of it this way: Bars are normally open to the public. People go in and out at will, and so can police.

    Private clubs, with a bouncer? They have to ask to come in, and they can be told no, and then they don't get to wander in and look around.

    This, of course, doesn't stop them from entering if they have a search warrant.

    I don't know why people would think the police have some sort of special right to poke around online on a system they are explicitly unauthorized to use.

  • Re:My god (Score:2, Interesting)

    by OhHellWithIt ( 756826 ) on Friday November 11, 2005 @10:31AM (#14007630) Journal
    The general gist is correct, but "innocent until proven guilty" is a principle that applies to criminal matters, not civil matters.

    The warnings on the download page [spymon.com] talk about criminal court. Whatever they're paying the attorney that wrote it for them is too much.

  • Re:My god (Score:2, Interesting)

    by onepoint ( 301486 ) on Friday November 11, 2005 @11:38AM (#14008247) Homepage Journal
    I think you wrote it out nicely, but I think I've a work around towards your argument of enforcement of the EULA. so I would present the following

    a) both firms are software houses, this would negate the stronger/weaker side of the argument. make both sides equal to the judge.

    b) both firms are familiar with Eula's, this would slow down or stop spy-ware detectors line of thinking. judge would only have to say " you have one in your software ", spy-ware detection company says "yes sir", Judge says " well you would expect people to agree to yours, so you now have to agree to their " ( or at least place them in a bad light )

    c) because both parties are equals, the courts might lean towards the spy-ware company.

    I am not a lawyer, been using lawyers since I was 9, I like lawyers. Lawyers make my life easy.
  • by pintpusher ( 854001 ) on Friday November 11, 2005 @01:27PM (#14009449) Journal
    1. We make software that allows you to keep an eye on your children while they are on the internet.

    Fine. good luck with that product.

    2. Some anti-virus software blacklisted our software.

    Oh, that's unfortunate. Simply explain the situation to them and hopefully they'll change their minds. If not, well TOO BAD. It's THEIR software, they can do what they want with it.

    3. We state that they are not allowed to download our software in an attempt to stop them blacklisting us

    Well, a sure fire way to get someone to blacklist you is to prevent them from actually examining your product and engaging in a dialogue about its application. In the world of anti-spyware/virus I would assume that if you can't get information, then you must blacklist it rather than expose yourself.

    4. They carry on doing so, ignoring our warning that they are expressly forbidden from downloading our software - it is our copyright.

    See, this is where you set down the wrong path. You should have pro-actively engaged the anti-spyware industry along the lines of "Hey, you guys call us spyware, but we're not and here's why..., can we come to some agreement about this?" Unless of course, it is just crappy spyware, in which case they'll throw you out. Further, as has been written several times already, they don't have to download it. All they have to do is go to a client's computer that already has it installed. Or perhaps someone handed them a copy of the binary and asked them to figure out what it was? The point is your attempt to forbid download has no effect at all on whether they can examine your software. It is merely inflammatory.

    5. They ignore our attempts to contact them

    Why should they communicate with you now? You've already tried to cut them out of the process with useless but inflammatory things like your anti-anti-spyware EULA?

    6. So we consider going to the police to stop them downloading our program without permission.

    Well, you certainly can consider it, but first you'll have to establish that they downloaded the program, and that your EULA clause is applicable at the time of download and not time of installation. And then you'll have to find a cop who actually has time to deal with this crap instead of his backlog of robberies and car-jackings.

    7. We get flamed by a load of people who don't seem to understand the situation!

    What we don't understand is how you think you can pull this off. You've taken the wrong tack and need to re-examine your process. A pro-active engagement of the anti-spyware/virus industry from the start would have done a lot to remediate this situation before it arose.

    Why are we sleazy?

    Because you make software that spies on people. jeez, it's not complicated.