Pennsylvania just enacted the Consumer Protection Against Computer Spyware Act. I appreciate that legislators are finally starting to take computer security seriously though this law may be more bark than bite.

Briefly, the law makes it a state crime for any “unauthorized user” to deceptively add software to your computer without your consent, prevent you from removing their software, change your computer settings, or hide their own software. It’s a pretty good list of all the bad things that people were doing to our computers in 2008.

Unfortunately, the hackers have moved on and are using different tactics now. But I guess it never hurts to outlaw the old bad stuff. You might at least catch the stupid criminals who haven’t stayed with the times. The real problem, though, is that cybercrime is rarely investigated, much less prosecuted. If this law gets legitimately used a dozen times in the next five years, I’ll be surprised.

Which brings me to my real cause for concern – what are the ways this law could be twisted beyond its intended scope?

This law makes it illegal to change settings, modify bookmarks, impose a homepage, disable software, prevent your own software from being disabled and use techniques like keylogging. All those are bad things when done by an outsider but potentially legitimate tactics for law enforcement, your own company’s IT Security investigations or for your responsibilities as a parent.

On the plus side, PA did include wording that the person adding the software and making the modifications must be an unauthorized person. That’s a good thing. Other states have left that qualification out, making it ambiguous whether the company’s IT department could impose software restrictions on a company-owned computer. PA’s law provides a safe-harbor for the IT Security department as long as they are also authorized users on the user’s computer.

Here’s the rub, though. Several courts have passed down decisions (such as Stengart v Loving Care, US v Ziegler, US v Simons) that blur the line between when the computer is the user’s and when it is the company’s. Similar decisions have made it ambiguous whether a computer is owned by the parent or the child. (And it gets really complicated when you have two spouses going at it, as in White v White.)

If the ownership and privacy right is at the company (or family) level, I don’t see a problem here. The IT department (or parent) is an authorized user by definition. One authorized user can still change settings or programs on the computer without the consent of the other authorized user(s). Whether it’s ethical or effective is another question but it would pretty clearly be legal under this law. On the other hand, if the employee (or child) has a “reasonable expectation of privacy” to the computer, then the IT department (or parent) might not be considered authorized under this law.

The fix is easy. PA did a pretty good job with this law – we don’t need to tamper with the law. You just need to make it crystal clear to every other user of the computer that you are the primary owner of the computer and that no other user can have any expectation of privacy that excludes you and your right to monitor. At the company level, you should have that in your written policy manual and probably on the login splash screen. At the family level, you need to insist on having a copy of all your children’s passwords (my one exception to the never-share-your-password rule) and use parental controls. Exert your rights regularly, both to reinforce everyone’s understanding of the rules and so that you can show that your actions were part of your routine security practice, not, for example, retaliation.

That sounds pretty simple, but I predict at least one lawsuit testing the expectation of privacy and complaining about actions that in the non-computer world would be considered nothing more than good parenting. Make sure that everyone knows that you are an authorized user; then you can monitor whenever you find it necessary, and you can impose changes on your corporate computers whether or not the individual user likes them.

Disclaimer: I am not a lawyer. I don’t even play one on TV. This is a layman’s interpretation of the law. I like to think it’s an informed opinion but only that – an opinion. If you need specific legal advice, contact a qualified lawyer in your area.