Webbugs & Spyware – the legal perspective
The issues around webbugs and spyware are likely to get more public prominence in the next few months with lawmakers and regulators taking a fresh look at the technology and the harm it can do. Experience shows that security professionals are often not aware of the webbugs being run on their corporate websites and the damage that they can do.
What are webbugs?
In very simple terms, webbugs are small (often 1 by 1 pixel) applications embedded in a webpage or email. They go by different names, including:
- web beacons
- clear gifs
- tracking bugs
- tracking pixels
- pixel tags
- 1×1 gifs
- invisible gifs
- spyware
Why are they an issue?
It is clear that there is rising public concern about the use of this type of technology. This has led to online protests, including strikes where users boycotted social networking sites. It has also led to increased activity by regulators, including the Federal Trade Commission in the US. The FTC announced in June that it was investigating Sears, the store group, over its use of this technology.
Lawmakers around the world have also expressed concern. In the US, Congress held hearings last month. In Europe, the Article 29 Working Party (a body of EU data protection regulators) looked at privacy issues involved with social networking sites last month. It repeated comments it had made in April last year about its concerns about the technology and the fact that putting servers with the technology on European soil is enough to give European regulators the power to act, even if the website is owned by a US corporation.
Which laws are broken?
Webbugs bring up a whole host of legal issues. The first for European websites is likely to be data protection law, which will govern the data collected by the technology and its transfer. Fair trading laws may also come into play. These were the laws used by the FTC in the Sears case, and this type of legislation is becoming more common in Europe - the UK, for example, brought in similar legislation last year. There is also the possibility of criminal prosecution under anti-hacking or interception laws and the prospect of civil actions brought by aggrieved consumers. In the US, trespass laws have also been used - for various technical reasons, saying in a privacy policy that you use this technology may not protect you.
Practical steps
We’ll be doing a webcast on 23rd July looking at practical steps in more detail. You can register to listen live or to a recording here: www.tinyurl.com/jpa007. It’s clear that among the steps you need to take will be:
- Work out what’s on your site
- Where does information go to?
- Full written contracts with suppliers including design agencies and website analytics providers
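For the first two steps, a site owner can start by inventorying what a page embeds and which outside hosts it contacts. The script below is an added example, not part of the original post: the sample HTML, the host names and the `audit` and `destinations` helpers are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; every host and path here is made up.
SAMPLE_HTML = """
<img src="/images/logo.png" width="200" height="80">
<img src="https://stats.analytics-vendor.example/p.gif?uid=123" width="1" height="1">
<img src="https://ads.partner.example/t.gif" style="display: none">
<img src="/spacer.gif" width="1" height="1">
<script src="https://cdn.analytics-vendor.example/collect.js"></script>
<iframe src="https://widgets.social.example/like" width="0" height="0"></iframe>
"""

class WebbugAuditor(HTMLParser):
    """Collects invisible embeds and anything loaded from another host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        # Relative URLs have no hostname: they are served by the site itself.
        host = (urlparse(src).hostname or self.site_host).lower()
        third_party = host != self.site_host and not host.endswith("." + self.site_host)
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width", "").strip() in ("0", "1") and a.get("height", "").strip() in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        invisible = tag != "script" and (tiny or hidden)
        if invisible or third_party:
            self.findings.append({"tag": tag, "src": src, "host": host,
                                  "third_party": third_party, "invisible": invisible})

def audit(html, site_host):
    """Step 1: work out what is on the page."""
    parser = WebbugAuditor(site_host)
    parser.feed(html)
    return parser.findings

def destinations(findings):
    """Step 2: the outside hosts that receive a request from each visitor."""
    return sorted({f["host"] for f in findings if f["third_party"]})

if __name__ == "__main__":
    results = audit(SAMPLE_HTML, "www.shop.example")
    for f in results:
        print(f)
    print(destinations(results))
```

This only sees tags present in the static HTML; anything injected by scripts at runtime has to be checked against the browser's network log. The list of destination hosts is also the list of suppliers the written contracts in the third step need to cover.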