Digital Technology Law Journal

26. The Spyware Control Act[32] defines ‘spyware’ in a Subsection 4 beginning the extensive definition describing the ambit of the software techniques that are being regulated: monitoring software,[33] that reports back to a remote computer or delivers obtrusive ‘pop-up ads’ (without making appropriate disclosure to the Web user):

“Except as provided in Subsection (5), "spyware" means software residing on a computer that: (a) monitors the computer's usage; (b) (i) sends information about the computer's usage to a remote computer or server; or (ii) displays or causes to be displayed an advertisement in response to the computer's usage if the advertisement: (A) does not clearly identify the full legal name of the entity responsible for delivering the advertisement; (B) uses a federally registered trademark as a trigger for the display of the advertisement by a person other than: (I) the trademark owner; (II) an authorized agent or licensee of the trademark owner; or (III) a recognized Internet search engine; (C) uses a triggering mechanism to display the advertisement according to the Internet websites accessed by a user; or (D) uses a context based triggering mechanism to display the advertisement that partially or wholly covers or obscures paid advertising or other content on an Internet website in a way that interferes with a user's ability to view the Internet website”

27. The definition of spyware going on to describe the triggering mechanism for the spyware and describes categories of software which do not fall within this definition of spyware. The Act also has the definition: "Context based triggering mechanism" means a software based trigger or program residing on a consumer's computer that displays an advertisement according to: (a) the current Internet website accessed by a user; or (b) the contents or characteristics of the current Internet website accessed by a user.”

28. The key provision of the Spyware Control Act (2004) is § 13-39-201, which states the prohibited conduct as being that. “(1) A person may not: (a) install spyware on another person's computer; (b) cause spyware to be installed on another person's computer; or (c) use a context based triggering mechanism to display an advertisement that partially or wholly covers or obscures paid advertising or other content on an Internet website in a way that interferes with a user's ability to view the Internet website. (2) It is not a defense to a violation of this section that a user may remove or hide an advertisement.”

29. In response to the Spyware Control Act (2004), WhenU,[34] a supplier of ‘pop-up ad’ technology, is claiming that that the Act is an unconstitutional attempt to regulate Internet advertising on various grounds including that it is in violation of the First Amendment of the US Constitution – which describes the right of free speech.[35]

30. On 22 June 2004 Judge Joseph C Fratto Jr. of the Third Judicial District Court in Salt Lake City granted WhenU a preliminary injunction that will prevent the Act coming into effect until such time full argument on the issues is heard.[36]

31. First Amendment arguments have been successful in protecting other Web technology and techniques from legal action, such as the litigation over changes to the algorithms of Google’s search engine considered in Search King, Inc v Google Technology, Inc.[37] On May 27, 2003, federal judge, Vicki Miles-

32. The State of California is also actively pursuing legislation.[38] Federal legislation is also being considered.[39]

33. The California Assembly Bill 2787, amended June 23, 2004, would enact the Protection Against Computer Spyware Act,[40] the purpose of which is described as:

“This bill would enact the Protection Against Computer Spyware Act. The act would prohibit a person or entity conducting business in this state from knowingly causing a computer program to be copied onto the computer of a California consumer, as defined, and using the program to perform certain acts relating to altering, taking control of, or damaging, the computer or the consumer's Internet access or use. Bill 2787 in § 22581.2. prohibits specific computer techniques and actions, including: (a) Take control, through intentionally deceptive means, of the consumer's computer; (b) Modify, through intentionally deceptive means, any of the settings related to the computer's access to, or use of, the Internet; (c) Collect, through intentionally deceptive means, personally identifiable information through the use of a keystroke logging function that records all key strokes made by an authorized user who uses the computer and transferring that information from the computer to another person; (d) Prevent, through intentionally deceptive means, an authorized user's reasonable efforts to block the installation of, or to disable, software; (e) Intentionally misrepresent that software will be uninstalled or disabled by an authorized user's action, with knowledge that the software will not be so uninstalled or disabled; (f) Induce, through deceptive means, an authorized user to install a software component onto the computer, including, but not limited to, deceptively misrepresenting that installing software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content; (g) Deceptively install and execute on the computer one or more additional computer software components with the intent of causing an authorized user to use the components in a way that violates any other provision of this section; (h) Through intentionally deceptive means, remove, disable, or render inoperative a security, antispyware, or antivirus technology installed on the computer.”

34. The question can be asked as to whether the Web user is in a position to give an informed consent as to what ‘parasite’ software programs are downloaded with the primary software program and what changes those programs will make to the user’s computer.

35. The Spyware Control Act (2004) of Utah is clearly designed to force disclosure from the supplier of the software to give a level of informed consent by the Web user downloading the software and to force the supplier of the software to provide for mechanisms to enable the Web user to disable or remove the software at any time after downloading.

36. The Act continues the definition of ‘spyware’ by referring the software having the functions, (discussed in 5.1 above), where the software:

“(4) (c) does not: (i) obtain the consent of the user, at the time of, or after installation of the software but before the software does any of the actions described in Subsection (4)(b): (A) to a license agreement: (I) presented in full; and (II) written in plain language; (B) to a notice of the collection of each specific type of information to be transmitted as a result of the software installation; (C) to a clear and representative full-size example of each type of advertisement that may be delivered; (D) to a truthful statement of the frequency with which each type of advertisement may be delivered; and (E) for each type of advertisement delivered by the software, a clear description of a method by which a user may distinguish the advertisement by its appearance from an advertisement generated by other software services; and (ii) provide a method: (A) by which a user may quickly and easily disable and remove the software from the user's computer; (B) that does not have other effects on the non-affiliated parts of the user's computer; and (C) that uses obvious, standard, usual, and ordinary methods for removal of computer software.”

37. The WhenU litigation against the State of Utah raises the general policy question of whether legislation is the appropriate response to the various technologies that are described as spyware given that Web users, wishing to avoid having spyware on their computer, can adopt one of the existing software solutions, such as selection preferences on Web browsers so that the browser blocks pop-up ads from appearing or give warnings that the Web site wants to deliver a ‘cookie’ to the user’s computer. [41]

38. The Spyware Control Act (2004) of Utah goes on to specifically exclude benign software such as operating systems and diagnostic software, however the exclusion of ‘cookies’ in subsection (5) (b) (ii) potentially creates a flaw in this legislation. “(5) Notwithstanding Subsection (4), "spyware" does not include: (a) software designed and installed solely to diagnose or resolve technical difficulties; (b) software or data that solely report to an Internet website information previously stored by the Internet website on the user's computer, including: (i) cookies; (ii) HTML code; or (iii) Java Scripts; or (c) an operating system.”

39. ‘Cookies’[42] may have a benign function of managing the browser (by retaining information related to the user’s previous visits to the site)[43] or for a more intrusive purpose with the downloading of the cookie being triggered simply by moving the cursor over a link or by the user clicking on mislabeled buttons.[44] ‘Cookies’ can be programmed with more sophisticated tracking functions that can track the users web surfing habits (with information being returned to the server so that the ‘pop-up’ advertisements and banner advertisements presented to the user are focused on what the computer server, to which the cookie has transmitted data from the Web user’s computer, has analysed to be advertisements relevant to the Web user’s choice of terms used in the search engine.

40. While subsection (5) (b) (ii) does start with the qualifying description of “software or data that solely report to an Internet website information previously stored by the Internet website on the user's computer”, however this may be insufficient to distinguish, in this statutory definition, between benign ‘cookies’, sophisticated tracking ‘cookies’, and malignant ‘cookies’.

41. The Spyware Control Act (2004) of Utah can be criticised for:

6. ‘Pop-Up Ads’

42. The ad-serving software, or ‘adware’, is downloaded with Peer-to-Peer (P2P) file trading software or other free software, such a screen savers. The software examines keywords, URLs and search terms in use on the user's browser and then selects which advertisements to present the Web user.[46] Pop-up advertisements may be an irritating advertising tactic, which if taken to extremes, can be described as ‘spawning’. The FTC obtained an interim injunction in November 2003 against D Squared Solutions over software that exploit a feature of the Windows Messenger Service.[47]

43. The software creates pop-up windows that appear every ten minutes, advertising a D Squared Solutions product that stops the pop-up windows. However the interim injunction was not continued in December 2003. A hearing to determine whether a permanent should be issued in set down for hearing in March 2003. [48]

44. Howard Beales, Director of the FTC’s Bureau of Consumer Protection, called the scheme, “nothing more than a high-tech version of a classic scam. The defendants created the problem that they proposed to solve – for a fee. Their pop-up spam wasted computer users’ time and caused them needless frustration.”

45. Litigation has occurred in the US courts over whether the operator of a Web site can control the information that appears of a Web user’s screen when the user is accessing a Web site. The user of ‘pop-up ad’ technology raise a number of legal issues, including:

(1) Copyright infringement & contributory copyright infringement. In the US this is argued on the basis that the presentation of the ‘pop-up ads’ incorporates the plaintiffs’ Web site into a new “derivative work” (as defined in 17 USC §101). In Australia the claim would be that an “adaptation” of the Web site has been created;[49] (2) Trade mark infringement & trade mark dilution argued to be created by simultaneous appearance of the ‘pop-up ad’ and the plaintiff’s trade marks; (3) The use of the pop-up ads suggested a (non-existent) relationship between the advertiser promoted on the ‘pop-up ads’ and the commercial entity operating the Web site (that Web site operator’s own ad are being obscured by the ‘pop-up ad’) – a ‘misrepresentation’ potentially actionable under the tort of ‘passing off’ or actionable, in Australia, under the Trade Practices Act 1974 (Cth). In the US this issue being claimed as being in breach of the Lanham Act; and (4) The economic effect of pop-up ads is causing a dilution of the commercial value of the advertising. In the US this issue being claimed as unfair competition and unfair business practices under the Lanham Act.

46. However, despite the pleading of these multiple causes of action, litigants attempting to stop the use of ‘pop-up ads’ have been unsuccessful in the US courts, with the developers of ‘pop-up ad’ software successfully arguing that they are operating in the public interest in bringing advertisements to the attention of Web users.

6.1 Gator Corporation Litigation

47. Gator Corporation, a developer of pop-up ad software has been the defendant in legal actions from the Washington Post[50] and United Parcel Service[51] and has now become a plaintiff in an action against Extended Stay America, Inc.[52] Gator Corp argued, in its action against Extended Stay America, that the company could not block the ‘pop-up ads’ as the Web users had agreed to accept them in return for the use of Gator’s free software.[53]

48. Gator Corporation settled the legal action commenced by the Washington Post and other publishers in February 2002, however the legal action commenced by United Parcel Services continues.[54]

49. Plaintiffs, like United Parcel Service, can put unfair competition arguments when ads for their competitors appear when users are accessing the United Parcel Service Web site. However, these arguments have been unsuccessful in WhenU.com v U-haul International[55] and Wells Fargo & Co. & Quicken Loans, Inc v WhenU.com, Inc[56] .

50. The response of the defendant companies creating the pop-up advertisements is that the ads are a legitimate form of comparative advertising. This defence has been successful in striking out the plaintiff’s claim in WhenU.com v U-haul International[57] and to deny a preliminary injunction in Wells Fargo & Co. & Quicken Loans, Inc v WhenU.com, Inc,[58] but not accepted in 1-800 CONTACTS v WhenU.com and Vision Direct[59] when a preliminary injunction was issued.

6.2 WhenU.com v U-haul International

51. U-haul International objected to the pop-up ads, created by WhenU.com appearing on its Web site as they directed its visitors to the sites of competing vehicle hire businesses.[60]

52. The causes of action asserted by U-haul International were copyright infringement and contributory copyright infringement, trade mark infringement and trade mark dilution, misappropriation, unfair competition and interference with prospective economic advantage, unjust enrichment and a violation of the Business Conspiracy Act of Virginia.

53. WhenU argued that their ads appear in clearly differentiated windows and that Internet users have the choice to control the appearance of their desktops.

54. On 5 September 2003, Judge Lee, in the Eastern District Court of Virginia, granted WhenU's motion to dismiss the trade mark and copyright arguments and the unfair competition claim. Lee J held that even if the simultaneous appearance of the pop-up advertisement and the plaintiff’s trade marks was a ‘use’ under the Lanham Act it was still immune from liability as a legitimate form of comparative advertising.[61]

6.3 Wells Fargo & Co. & Quicken Loans, Inc v WhenU.com, Inc

55. In Wells Fargo & Co. & Quicken Loans, Inc v WhenU.com, Inc.,[62] Judge Edmunds denied the plaintiffs’ application for an preliminary injunction to stop the defendant creating pop-up windows[63] on the plaintiffs’ Web sites.

56. WhenU designed their pop-up advertisements to include a ‘disclaimer’ to reduce the possibility that Web users’ would be confused about any connection between the pop-up advertisements and the Web page being viewed by the Web user. The defendant’s pop-up windows stated, “This is a WhenU offer and is not sponsored or displayed by the Web site you are visiting”.[64]

57. Judge Edmunds opined that the plaintiffs had not demonstrated a strong likelihood of success on their trade mark infringement claims[65] and had not demonstrated a strong likelihood of success on their copyright claim,[66] finding that:

58. In reaching these conclusions, Judge Edmunds concluded that:

6.4 1-800 CONTACTS v WhenU.com & Vision Direct

59. On 22 December 2003, Judge Batts of the Southern District Court of New York[79] granted 1-800 Contacts a preliminary injunction, prohibiting WhenU from sending pop-ups windows, and requiring that trade marked terms be removed from its search terms database. WhenU distributes the program known as SaveNow via ‘free’ software downloads with other programs such as P2P file trading software. Where a Web user has the SaveNow software installed on their computer, entering a URL into the search engine will trigger the SaveNow software to deliver to the Web user a pop-up advertisement in the same category of goods or services as a key word search term. The SaveNow software included an extensive directory of URLs including the address of the plaintiff’s Web site <www.1800contacts.com>.

60. Judge Batts found the defendants had ‘used’ the plaintiff’s mark in commerce under the Lanham Act[80] and that the necessary requirement of “a likelihood of confusion” existed.[81] “Defendants here use Plaintiff’s mark in two ways. First, in causing pop-up advertisements of Defendant Vision Direct to appear when SaveNow users have specifically attempted to access Plaintiff’s Website – on which the Plaintiff’s trade mark appears – Defendants are displaying Plaintiff’s mark “in the … advertising of” Defendant Vision Direct’s services. …. Second, Defendant WhenU includes Plaintiff’s URL, <www.1800contacts.com>, in the proprietary WhenU directory of terms that triggers pop-up advertisements on SaveNow users computers. In so doing Defendant When U “uses” Plaintiff’s mark by including a version of Plaintiffs 1-800 CONTACTS mark, to advertise and publicise companies that are in direct competition with Plaintiff. Accordingly the Court finds that the Defendants have “used” Plaintiff’s mark in commerce.”[82]

61. Consequently the Judge found that there was trade mark confusion: “The fact that Defendants' pop-up advertisement for competing internet contact lenses retailers appears shortly after a consumer types into the browser bar Plaintiff's trademarked name and accesses Plaintiff's homepage increases the likelihood that a consumer might assume Defendants' pop-up advertisements are endorsed or licensed by Plaintiff.”[83]

62. Judge Batts stated in conclusion: “On the Internet, online shoppers have a myriad of competing retailers literally at their finger tips, are easily able to research preferences, and with very little time and effort are able to enact their preferences with purchases. In this context, the good will and reputation that Plaintiff and other online retailers have established is of extreme importance. Plaintiff has spent considerable sums to establish and maintain its marks' notoriety with online consumers, and is entitled to protect this investment from conduct that infringes those marks. An online shopper who has knowledge of Plaintiff's marks and an interest sufficient to choose to visit or find Plaintiff's Website is a potential buyer that Plaintiff is entitled to protect from confusion.”[84]

63. Judge Batts dismissed a further claim that the ads infringed on 1-800 Contacts’ copyright by blocking access to its Web site,[85] but granted an injunction against Vision Direct in respect of a likely breach[86] of the Anticybersquatting Consumer Protection Act 1999 (15.USC.) by registering: <www.www1800Contacts.com>.

64. The SaveNow program did, at the time the litigation commenced, have a statement on the pop-up ad: “A WhenU offer - click ? for info” with the “?” button opening a new window containing a notice explaining the software is provided by WhenU and the statement that “[t]he offers shown to you by SaveNow are not affiliated with the site you are visiting.”[87] However, the Judge held that this disclaimer was not sufficient to alleviate the likelihood of consumer confusion.[88]

65. Judge Batts disagreed with the decisions of Wells Fargo v WhenU[89] and U-Haul International, Inc v When U[90] and declined to follow those decisions, as they were not binding.[91]

6.5 Comparative advertising

66. The argument that pop-up ads are a legitimate form of comparative advertising was successful in striking out the plaintiff’s claim in WhenU.com v U-haul International[92] and to deny a preliminary injunction in Wells Fargo & Co. & Quicken Loans, Inc v WhenU.com, Inc,[93] but not accepted in 1-800 CONTACTS v WhenU.com and Vision Direct.[94] The different decisions reached in these cases are explained by differences in the disclaimers considered by the different courts. However the application of the ‘comparative advertising’ argument may need to be resolved by appellate courts.

67. In other common law jurisdictions, the competing supplier, whose goods or services are being compared unfavourably have resorted to litigation under a number of causes of action depending on the content of the comparative advertisements. Comparative advertising of products and services disputes have been variously claimed as the tort of malicious falsehood[95] , misleading or deceptive conduct or misrepresentations (or both),[96] infringement of trade marks,[97] and copyright infringement.[98]

68. Comparative advertising in Australia is not to be considered a disrespectable form of commercial conduct provided factual assertions are not untrue or misleading half-truths. An advertiser can lawfully compare a particular aspect of its product or services with the same aspect of a competitor’s product or service.[99] Provided the pop-up advertisements clearly ‘disclaim’ any association with the Web site, it would appear that Australian litigants are unlikely to be successful under any of the causes of action listed in the previous paragraph. The technical evidence as to the operation of pop-up window technology accepted by Judge Edmunds in the Wells Fargo case would make it very difficult for an Australian litigant to sustain trade mark or copyright causes of action.

7. Cookies and Web Bugs

69. The ‘Cookies’ are the electronic files that many Web sites use to manage information about visitors to the site. At a benign level, the cookie may record and store information so that on subsequent visits to the Web site the stored information is used to assist the visitor in gaining speedy access to the site. However, the technology may be programmed with different levels of invasiveness to collect personal information such as name and e-mail address and to secretly tracking Web users’ on-line travels to other Web sites.[100]

70. A ‘Web Bug’ is often used with Cookies on the Internet. Web Bugs are tools designed to monitor who is reading a Web page[101] or e-mail[102] . They are often used for online profiling, advertising, marketing and to measure Website statistics.[103] For many users of the Web the main practical difference between a Cookie and a Web Bug is that Web Bugs are much more difficult to detect or neutralise.

71. At an extreme level of invasion executable bugs can be inserted on the user’s computer that can:

72. The privacy implications of the exchange of data between the computer of the Web users and a Web site have become of concern to privacy advocates in two areas: (1) That the serial number, (Processor Serial Number (PSN)) embedded in Intel's Pentium III processor, and subsequent Intel processors, could be misused to identify and collect data on Web surfers;[104] and (2) The operation of online profiling[105] of Web users through the use of technology which tracks and monitors of individuals' online behaviour[106] .

7.1 Processor Serial Number (PSN)

73. Intel designed the PSN as an additional security feature allowing each computer to have a unique identifier.[107] However the PSN was not universally accepted as appropriate technology for Web users. The Centre for Democracy and Technology (CDT) have stated: “The PSN is a unique identifier. Due to Intel's market dominance, the PSN has the potential to become the unique identifier for nearly everyone on the Internet -- fundamentally changing the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded.”[108]

74. In 1999 the CDT and other privacy organisations, filed a complaint and request for relief[109] with the FTC, seeking immediate action to prevent harm to consumer privacy as a result of deployment of the Intel Pentium III PSN. CDT requested that the FTC:

75. Intel responded by releasing software that allowed owners of computers with Intel chips to have the choice of either to disable or enable the ability of other computers to read the PSN, with the default setting of the Intel chip set being that the PSN is disabled.[111]

76. However the online tracking and profiling of Web users does not operate through use of the PSN, instead Cookies, Web Bugs and other software can be activated to collect and return information about the habits of Web users.

7.2 Online profiling of Web users

77. What information a Web site can learn about visitors can be understood by visiting links from the Web site of the CDT: [112] “With growing frequency, information about how you use the Web -- the sites you visit, search terms and other queries you make, online purchases, "click through" responses to advertisements -- is being captured by advertising networks or "profiling companies." With the permission of the Web site, but not your permission, these companies place a tag on your computer. This tag -- or identifier -- is then used to track your movements as you surf the Web. In addition to long lists of collected information, a profile may contain "inferential" or "psychographic" data -- information that the company infers about you based on your surfing habits. From this amassed data, elaborate inferences may be drawn, including your interests, habits, associations, and other traits.”[113]

78. The FTC has maintained self-regulatory approach to online privacy. [114] However on 23 May 2000, the FTC issued a report[115] to Congress requesting to regulate online privacy. While the report noted that an increasing number of Web sites now post privacy policies, it also noted that only 20% meet the FTC's fair information practices. The FTC issued a two-part report in June[116] and July[117] of 2000 on online profiling and industry self-regulation. The July report asked Congress to enact baseline legislation to protect consumer privacy.

79. Litigation has occurred in the US in relation to the scope of privacy protection afforded Internet users under the Electronic Communications Privacy Act 1986 (ECPA). In re Pharmatrak, Inc Privacy Litigation, [118] a class action, raised questions related to the privacy protection provided by EPCA. Pharmatrak provided a Web service to the pharmaceutical companies that allowed them to access information about Internet users accessing the Web sites of the pharmaceutical companies. The pharmaceutical companies had sought, and received, assurances from Pharmatrak that personal and identifying information about their Web users would not be collected. Notwithstanding these assurances, Pharmatrak did collect personal and identifying information about the Web users of the Web sites of the pharmaceutical companies. The First Circuit accepted that Pharmatrak ‘intercepted’ the information (as described in the EPCA 18 U.S.C. §2511 (1) (a)) and returned the matter to the lower court to consider whether the interception was ‘intentional’ with the meaning of the EPCA.[119]

80. In re Pharmatrak, Inc Privacy Litigation also discusses cases regarding ‘consent’ to intercept under §2511 (2)(d) ECPA which states, “where one of the parties to the communication has given prior consent to such interception unless such communications is intercepted for the purpose of committing any criminal or tortuous act…”. The court rejected the argument that the DoubleClick case[120] or the Avenue A case[121] established a rule that consent to interception can be inferred from the mere purchase of a service, regardless of circumstances. The court considered that neither the pharmaceutical companies nor the Web users had given the requisite consent described in Griggs-Ryan case[122] and the Berry v Funk case.[123] While the court accepted that consent may be explicit or implied, however it must be actual consent rather than constructive consent,[124] relying upon the Berry v Funk case, which held that “[w]ithout actual notice, consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception”[125] and relying upon Watkins v L.M. Berry & Co, which held that “[k]nowledge of the capacity of monitoring alone cannot be considered implied consent.”[126]

81. The same issues related to ‘interception of a communication’ can arise under sections 6 and 7 of the Telecommunications (Interception) Act 1979 (Cth),[127] with Part XA of the Act creating civil remedies in respect of unlawful interception or communication information passing over a telecommunication system.[128]

82. In respect the collection of ‘personal information’ the Federal Privacy Commissioner has issued Information Sheet 18 - Taking Reasonable Steps to Make Individuals Aware That Personal Information About Them is Being Collected (June 2003)[129] to address the implications under the Privacy Act 1988 (Cth) in relation to the collection of ‘personal information’ about Web users.

83. The European Union[130] has been pro-active in regulating online activities. In December 2001 the EU decided to move to regulate Cookies because their use is perceived to be an infringement on personal privacy and therefore a human rights violation under the European Convention for the Protection of Human Rights and Fundamental Freedoms. The Directive on the Privacy and Electronic Communications Directive[131] (DEPC) restricts the use of cookies and similar tracking devices[132] on Web sites.

84. Article 5 of the DEPC requires that, when personal information stored on the user's terminal is accessed, or when personal information about users is stored on a network (other than purely for technical reasons), the user must be clearly and fully informed about the purposes of such access or storage of his or her personal information, and then be allowed to opt out of accepting the Cookie.

85. The DEPC is a controversial move as many Web sites, especially those offering e-commerce, only function if the user accepts the Cookies.

86. The Privacy and Electronic Communications (EU Directive) Regulations 2003 (UK) implemented the DEPC which include a requirement to inform Web users that Cookies exist on a Web site and give users the opportunity to reject the Cookies.[133] The UK Information Commissioner has issued guidance on these regulations.[134]

87. Software solutions are available to Web users as Web browsers usually provide for settings to regulate whether the browser will down load Cookies (or warn the user so that the user can choose whether or not to download the Cookie). Software is available to assist the user to gain knowledge of and manage programs, which may be downloaded through use of Web searching.

8. Identity Theft and ‘Phishing’ for Information

88. Computer and Internet technology allows the access to information that is in publicly accessible databases. This ease of access that allows signification information about a person to be obtained by using search engines.[135] This can lead to ‘identity theft’[136] where information trawled from the Internet allows a person to assume the identity of another to obtain credit cards and proceed to incur debt under that stolen identity.

89. The Australian Crime Commission (ACC)[137] was established to address the threats posed by nationally significant crime.[138] The ACC estimates that identity theft costs Australia $2 million each year. [139]

90. The Internet scams that have been practiced in Australia include the setting up of fake Web sites to appear to be the site of a legitimate Internet banking operation, and the scam known as 'phishing', where e-mails that appear to come from a legitimate business in an effort to obtain recipients' information, such as bank account, password and credit card details.[140]

9. Internet Dumping

91. The imperative to generate income from the Internet leads some Web businesses to engage in ‘Internet dumping’.[141] This is an issue related to the regulation of the telecommunications system, as an Internet user accesses the ISP via the telephone system supplied by the telephone company at which the user has an account.[142] ‘Internet dumping’ occurs when the user’s computer is switched[143] without their knowledge[144] into calling a more costly Internet access connection[145] than the user’s usual ISP. The 'switch' occurs when Web users download ‘Internet dialler’ software unwittingly, by clicking on an icon or button on their screen.

92. In November 2002 the Department of Communications, Information Technology and Arts (DCITA)[146] announced draft legislation to address the problem of ‘Internet dumping’. The draft proposals have not been accepted by interested parties, either the ‘190’ service providers or the telephone companies[147] as providing a workable answer to the problem. In March 2003 DCITA directed the Australian Communications Authority (ACA) to implement safeguards for consumers against unexpected high telephone bills and Internet dumping.[148]

10. Spamming

93. The automated transmission of e-mails to multiple recipients, usually containing commercial advertisements or inducements is usually described as ‘spamming’.[149] Some US States have legislated in relation to the transmission of unsolicited e-mails.[150] The Federal Privacy Commissioner has expressed an opinion that spammers may breach the National Privacy Principles (NPPs) under the Privacy Act 1988 (Cth) and raised the possibility of a test case in relation to the practice of anonymously harvesting e-mail addresses from the Web or newsgroups, which is suggested to be a breach of NPP 1.3 and 1.5.[151] Australia has moved to regulate the practice, with the Spam Act 2003 (Cth) [152] regulating the sending of ‘spam’ and the collection and use of e-mail addresses by Australian based entities.[153] However as a majority of ‘spam’ originates from international sources, delivery of commercial advertisements or inducements and other unwanted spam is unlikely to be significantly reduced.

94. Both the US and the UK have moved to regulate spamming. However the CAN- SPAM Act 2003 (US) has be criticised by anti-spamming as being a licence for spammers to operate, as provided an ‘opt-out’ option is provided, the transmission of spam e-mails is lawful.[154] The Privacy and Electronic Communications (EU Directive) Regulations 2003 (UK) requires the sender of the spam to have the explicit consent of the individual recipient except where there is an existing customer relationship. [155] However the legislation has been criticised for differentiating between 'private' and 'business' spam and thereby creating loopholes as spammers can assert that they believed they were sending the e-mail to a ‘business’ address.[156]

95. Sending bulk unsolicited e-mails may be a criminal offence if it interferes with the operation of computers or if the subject matter of the e-mail is contrary to law. In R v Steven G. Hourmouzis.[157] . The defendant posted information in 'chat rooms' and the charges filed against the defendant were:

96. The FTC has been active against spammers: FTC v 30 Minute Mortgages, Inc, and Roth & Stolz^,158 in respect of violation of US banking and consumer- protection and privacy laws.[159]

97. The importance of compliance with the NPPs is exemplified in Seven Network (Operations) Limited v Media Entertainment and Arts Alliance (MEAA) & Connect [2004] FCA 637 in which MEAA were found, in the context of conducting an industrial relations campaign, to have infringed copyright[160] in Seven’s internal telephone directory and were held to have breached the Privacy Act 1988 (Cth). Connect, a telephone call centre, contacted Seven employee's in order to learn information about what those employees thought of the MEAA campaign.

98. Gyles held that MEAA ‘collected’ personal information[161] and that MEAA was in breach of Principle 1.1 in relation to the information received as a result of the telephone survey.[162] Connect were held to have breached NPP 1.3 in respect of the script for the telephone survey. [163]

10.1 The ancient tort of trespass to a computer server

99. Commentators have argued that the sending of spam to a computer server constitutes the tort of trespass to a chattel,[164] with the chattel being the computer server.[165] Jeremy Malcolm suggests that the common law, as applied in Australia, does not support the proposition that trespass to goods can be committed by a non-physical interference with the goods,[166] referring to Penfolds Wines v Elliot,[167] Latham CJ (citing Halsbury's Laws of England): “Trespass to goods is any direct infringement of the possession by another of corporeal personal chattels by means of an asportation or other physical invasion...”[168]

100. However, the understanding of what is understood by ‘corporeal personal chattel’, ‘direct infringement of the possession’ and ‘physical invasion’ must be considered. It is arguable that the ‘corporeal personal chattel’ is the computer server that there is ‘direct infringement' by the deliberate transmission of data (the unsolicited e-mail) to the computer server with the consequence that aspects of the ‘possession’ of the computer server are interfered with by a ‘physical invasion’.

101. This poses the question of what is sufficient to amount to an ‘infringement of the possession’ and ‘physical invasion’. Is it sufficient to prove that computer memory was used by the unwanted e-mail or to provide evidence of the lost time and unproductive effect needed to remove the unwanted e-mail? Or must ‘physical damage’ be established and whether spam, which creates unauthorised additions or changes to electronic information in a computer is a ‘physical invasion’?

102. Certainly in the criminal law context of damage to goods, Lord Lane in R v Whiteley rejected the argument that for there to be ‘physical damage’ there must be ‘tangible damage’: “The fact that the alternation [to the metallic particles on the disk] could only be perceived by operating the computer did not make the alternations any the less real, for the damage, if the alternation amounted to damage, any the less within the ambit of the Act.” [169]

103. In the context of the common law tort of trespass to chattels, Lord Lane's statements are consistent with the view of Australia courts. Latham CJ, in Penfolds Wines v Elliot,[170] concluded that the reference to ‘physical’ includes ‘intangible’ as well as ‘tangible’. That is, the deliberate transmission of data (the unsolicited e-mail) to the computer server is a ‘physical invasion’ and that proof of damage to the chattel (the computer server) is not a requirement for the common law tort of trespass to chattels.

104. Penfolds Wines v Elliot[171] related to the use, by the defendant, of the plaintiff’s wine bottles.[172] The claim being there was a trespass by the defendant to the plaintiff's goods when he filled the plaintiff's bottles with wine other than Penfold's. However there was no assertion of physical damage to the bottles. Latham CJ was of the opinion that the unauthorised use by the defendant of the plaintiff’s bottles was a trespass. On appeal, a majority of the High Court (Starke, Dixon[173] McTiernan and Williams JJ) answered the question "what wrong to possession or property on the part of the respondent do these facts disclose? The important fact being that the defendant was in lawful possession of the bottles as a bailee".[174]

105. The tort of trespass is not a single tort, as it as this form of action includes trespass de bonis asportatis,[175] (the wrongful taking of chattels – at issue in Penfolds Wines v Elliott)[176] and trespass vi et armis[177] (the species of the form of action in trespass of relevance to spamming litigation).

106. In Russell Ashby Pargiter v Vincent Harley Alexander[178] Zeeman J in the Supreme Court of Tasmania, compared the tort of trespass to chattels to the tort of detinue in relation of a dispute over a yacht, stating: “Trespass to chattels is a wrong to possession (Penfolds Wines Pty Ltd v Elliott [1946] HCA 46; (1946) 74 CLR 204 at 224) committed by an act of the defendant and as a direct consequence thereof (Hutchins v Maughan [1947] VicLawRp 18; (1947) VLR 131). The essence of the tort of detinue is the wrongful detention of a chattel to which the plaintiff has the right to immediate possession which requires that there be a demand and a wrongful refusal to comply with that demand. On one set of facts both torts may be established although there may be a trespass without detinue or detinue without a trespass. The different elements of the two torts assist in defining the nature of the damage which may flow from each. Damages in trespass are by way of compensation for the injury done to the chattel by reason of the wilful interference with it, although nominal damages may be awarded where no actual damage occurs (Kirk v Gregory (1876) 1 Ex D 55).”[179] (emphasis added).

107. US Courts have not reached a fixed view as to whether damage to the chattel is a requirement of the tort of trespass to a chattel. In Compuserve v Cyberpromotions [180] the Federal Court issued a injunction against the transmitter of spam on the basis that the applicant (as the owner of the computer server), was able to show damage both in terms of loss of customer goodwill and lost time and effort in blocking spam. However, the Californian Supreme Court, in Intel Corp v Kourosh Kenneth Hamidi[181] required proof of more than just distraction or loss of productivity due to employees reading the e-mail messages to establish trespass to chattels (in the form of sending bulk e-mails to Intel’s internal mail system, criticising aspects of Intel’s employment policies). The Californian Supreme Court held that under the Californian Trespass Act, it is necessary to prove damage to computers or their usefulness before an injunction will be issued to prohibit the sending of the e-mail.

10.2 Compuserve v Cyberpromotions

108. In Compuserve v Cyberpromotions[182] the trespass-to-chattels argument was used by Compuserve to obtain an injunction to block spammers. Compuserve presented evidence of the number of complaints from customers upset by the spam. Compuserve was able to show damage both in terms of loss of customer goodwill and lost time and effort in blocking spam.

10.3 Intel Corp v Kourosh Kenneth Hamidi

109. In Intel Corp v Kourosh Kenneth Hamidi[183] a 2-1 majority decision of the Court of Appeal affirmed the lower court decision, where an injunction was issued against the defendant to prevent him from emailing up to 35,000 Intel employees at a time. Mr Hamidi’s employment with Intel had been terminated as a result of a dispute over work related injuries. He responded by urging Intel employees, in bulk e-mails, to join in class actions for unpaid overtime and for injuries suffered. Intel sued under two courses of action: trespass to chattels (the Intel e-mail system) and nuisance.

110. The majority of the appellate court held that sending bulk e-mails via the Internet to Intel’s computer network amounted to trespassing on Intel’s private computer network. The court reviewed the history of trespass to chattels and held that:

111. The dissenting opinion considered that the mere receipt of an e-mail – the only damage from which consists of the time consumed to read it, assuming the recipient chooses to do so – did not establish the requisite injury for trespass to chattel. The dissenting opinion considered that other appellate decisions that have applied trespass to chattel to computer systems have done so only:

112. The decision was reviewed by the Californian Supreme Court with the Electronic Frontiers Foundation filing an amicus brief in the case arguing that the lower court decision threatened ‘freedom of speech’ interests.[186]

113. The California Supreme Court[187] in a 4 –3 majority decided that Hamidi did not trespass on Intel's computers when he sent e-mail messages to thousands of its employees worldwide. The majority held that Intel could only rely upon the Californian trespass law if the e-mail caused actual damage to equipment or property. The court reasoning that the legal claim of trespass to chattels requires damage to Intel's computers or their usefulness, not just distraction or loss of productivity due to employees reading messages that criticised Intel.[188]

114. The bare majority in the California Supreme Court and the conflicting decision in Compuserve v Cyberpromotions[189] in the US federal jurisdiction leaves room for further argument as to whether the tort of trespass to chattels, in the form of transmission of spam directed at a computer server managing e-mail, requires actual damage to equipment or property or whether damage both in terms of loss of customer goodwill and lost time and effort in blocking spam or removing from e-mail accounts is sufficient.

115. It would appear that there is a difference between the law of the United States, and Australia in relation to the action for trespass to chattels,[190] in respect of a direct and intentional interference with a chattel in the possession of another. In Australia the tort is actionable per se without proof of actual damage or dispossession. [191] However in the U.S. the tort is not actionable per se, as the plaintiff has to establish damage or dispossession.

Conclusion

116. Computer and Internet technology has created consumer privacy issues. These privacy issues are reflected in customers’ willingness to engage in e-commerce.

117. Australia has moved to regulate many aspects of online activities, including updating criminal statutes and statutes regulating to use of the telecommunications facilities on which the Internet and the World Wide Web operate. However the global nature of the Internet means that Australian initiatives to secure the protection of Australian Web users can be undermined by unregulated activities in other jurisdictions. International initiatives by Australian regulators can result in a reduction of harmful online practices. However, ultimately it is for the Web user to be on their guard against 'data miners' seeking to use Web user's personal information, for purposes of committing a fraud, or for those who wish to avoid being profiled, to avoid unintentionally providing information to Web sites through automated profiling software.

118. Information about the browsing habits of Web users is a commodity in itself, to be stored and analysed,[192] and applied directly by the collector; or sold to other e-commerce operations. In the struggle to make e-commerce profitable Web site operators may employ techniques ranging from the frustrating to the fraudulent.

119. Because the World Wide Web is evolving into an important medium for commerce and communication it is generating legislative responses and litigation in other jurisdictions that can be of assistance in determining the appropriate Australian response to harmful or merely irritating Web techniques. The possible responses being new legislation regulating Web techniques; civil litigation based on existing common law or statutory causes of action by those asserting that they are harmed by the Web techniques; or software solutions that Web users can adopt to counter harmful or irritating Web techniques.