Spyware Maker Sues Detection Firm

Luigi30 writes "ZDnet reports that RetroCoder, makers of the SpyMon remote monitoring program, are suing Sunbelt Software, makers of ConterSpy, a spyware detector program, for detecting the SpyMon as spyware. According to the EULA, SpyMon can not be used in 'anti-spyware research,' and detecting it is therefore a violation of it. 'In order to add our product to their list, they must have downloaded it and then examined it. These actions are forbidden by the notice,' a RetroCoder spokesperson said."

If it looks like a duck and sounds like a duck...

Since when could a company dictate to other companies what how they could classify the software?

If it looks like a duck, and sounds like a duck, then it must be a duck. :P

Re:If it looks like a duck and sounds like a duck.

But if it weighs the same as a duck, it must be a witch.

The answer...

...is for the detection firm to add a section to their EULA that forbids anti-anti-spyware research!

Re:The answer...

You moderators might think that's Funny, but it's actually a very interesting point. If I can, basically, say "you're not allowed to come anywhere near my software" in the EULA as a spyware maker, why can't I say the same thing as an anti-spyware maker?

What's nice about this is that it works out no matter whether such a clause would be accepted: if it is accepted, then the spyware maker would have violated the anti-spyware product's EULA by looking at how it classifies the spyware. If it's not accepted, on the other hand, then the corresponding clause in the spyware's EULA would also not be accepted.

Myself, I think that such clauses aren't valid, but I also think that even if a court thinks they are, it'd be pretty impossible to actually get a case, as they could trivially be circumvented. For example, if I visit a friend and use their computer to do something in Photoshop, am I then bound by Photoshop's EULA? Of course not; I didn't buy the program, I didn't install it, I didn't agree to anything. My friend might be (or not), but I certainly am not. A spyware maker could do the same thing: just don't install the spyware yourself, but rather classify it after it infected someone else's computer. (On a side note, I doubt that most spyware actually presents a EULA to the user where he can clearly see what is going to happen, where he's given the opportunity to say "no, thanks" and where, if he does, the spyware will not be installed, anyway).

I'm not sure which is scarier...

The fact that someone actually is trying this, or the fact that I'm half-afraid it might work.

Let's all hope not.

Re:I'm not sure which is scarier...

I'm actually quite glad of this. The outcome of this case will determine just what is and what is not enforceable in an EULA.

For instance, how about that bit about not disassembling, decompiling or reverse-engineering software that's in so many EULAs? That's the same kind of thing as this 'not use in spyware research' clause. If the one is unenforceable, then is the other one too?

Does it work against FBI agents too?

According to the EULA, SpyMon can not be used in 'anti-spyware research,' and detecting it is therefore a violation of it.

Anyone remember those MOTD's on pirate-software FTP sites giving us a pseudo-legal-brief about President Clinton signing some law, and then "FBI AGENTS YOU CANNOT ENTER THIS SITE"?

Re:Does it work against FBI agents too?

Anyone remember those MOTD's on pirate-software FTP sites giving us a pseudo-legal-brief about President Clinton signing some law, and then "FBI AGENTS YOU CANNOT ENTER THIS SITE"?

They never stopped, FTP simply lost importance. IRC fserves used to have them too. Websites, DC++ hubs, eMule hubs, WinMX shares as well. It's funny, I've had people present me that and then ask me if I'm a cop as well. Even after sending them this [snopes.com] and this [snopes.com] they still think it is for real. I guess it's some kind of mental self-defense, denial or whatever that makes them go LALALALALA I can't hear you.

Kjella

I dont think they'll win

This kind of thing is not likely to stand up in court. Spyware has been proven to be a malicious type of software that voilates one's privacy, therefore I would be shocked if the courts find in favor of the spyware maker. The spyware maker might have thought it was clever adding that clause in their EULA, but essentially what they've stipulated was people cannot investigate how their software works in order to prevent it's unwanted installation on to one's system. Not likely to stand up in court.

Re:Don't need to

once the expected cost of defending themselves is greater than the cost of caving in, most businesses will cheerfully cave. In fact, for publicly traded companies you can make a decent case that it's their duty to do so.

Except that if a clause like this were upheld, all the spyware makers would start adding similar clauses in short order, and anti-spyware makers would be out of business. It shouldn't be too hard to explain this to shareholders.

Prove my invisible friend ISN'T Jesus.

If you do produce a program that will affect this software's ability to perform its function, then you may have to prove in criminal court that you have not infringed this warning.

Is it legal for contracts to include conditions that are physically impossible to do? If so, my next bit of software is coming with a "If you can't prove you didn't make copies of the software, you owe us for as many copies as could possibly have been made between the time you first run the program and the time we sue you." Since nobody reads those things anyway.

On a mostly unrelated note, I wrote a program that shows funny pictures. It's awesome, and it's only 1 cent, for... processing purposes, if anyone's interested in a download.

Heuristics ? Or the admit in the EULA

First: they almost admit in the EULA that is a spyware product. Who the fuck else would put such an idiot line in the EULA. Second: the antispyware company might have used some sort of heuristics. No install required. I would really like to see this go in court: isn't there a limit on the kind of shit people put in that EULA ?

Don't agree to eula!

Em. I don't get it. Who says the the company has to agree to the eula to look at it? If the spyware company declines the eula agreement they are not bound to it and as a result the proggy is not installed. How does that restrict they spyware company from analyzing the binaries present in the setup program? Decompress the archive and create a fingerprint done!

Other great EULA small print

Section 6783.

You agree that in using this Software, You give Us the right to your first born child.

Section 6784.

You agree that in using this Software, you will never hit the "g" key on your keyboard between 4:50AM and 3:15PM. This clause will survive termination of the Agreement.

Section 6785.

You will never call the Software a Piece Of Shit in public or in private.

Unenforceble I'd Say

What's next? Passing a note to a bank teller "By reading this note you have agreed to let me rob your bank and not press the alarm button"?

EULAs are becoming increasingly cluttered with unenforceable and in cases downright silly things. With any luck a few frivolous lawsuits might see some of them struck down.

Ame

Virus creator sues McAffee for USD 200$ Mio

++++ fake ticker ++++ Johnny Bash, famous for writing applications like WORM32 and Trojan.Hoax, has today filed a lawsuit against McAffee. His complaint is that the EULA for this applications specifically forbids the reverse engineering or analyzing of the code for anti-virus companies. He says that by downloading and installing his latestes achievment, McAffee implicitly agreed to the conditions and thus violated the EULA by including the anti-virus measures in their latest software.

So much fun

U.S. lawsuits are merrier and merrier all the time! Very few surrealist artists had as much imagination as some lawyers do!

EULA's on individual computers

Perhaps there should be a system where any software installed has to agree to a license on that computer. So I can add my own EULA to my computer and any software vendor that has their software on my computer has to agree to it. There can be a nice API that can be used to get at the license and everything. If I have to agree to an EULA when installing their products on my machine, they should have to agree to my EULA to run their software on my machine. If they break it then I can sue them.

This is fair too, because as much as I don't understand their EULAs, they wont be able to understand mine. Vive la revolution in software consumer rights!

Re:i hate spyware....but..

No, it isn't genious. It's only the crap you'd expect from an asshole...

Re:i hate spyware....but..

1. EULAs are BS. The spyware company happily uploaded a copy of their software to the anti-spyware company on request. Clicking the install button below a 3000 word pile of legalese after you've been given the software isn't a valid contract, for reasons well explained many times before on this site. Heck, the spyware company doesn't even know what individual supposedly "agreed" to the EULA. The janitor? A 12-year-old child? Could have been anyone.

2. Why is the industry so lawsuit crazy? Lawsuits are supposed to reimburse you for actual unlawful damages done. What damage was done by the anti-spyware company downloading the software? A few cents' worth of bandwidth at the most. What damage was done by installing it? None at all. This is surely the most baseless lawsuit ever.

(I know that including the spyware definitions in anti-spyware software will [one hopes] hurt the spyware company, but that's not what the suit is about.)

Message for SpyMon developers

By reading this post, you agree to pay me $1,000,000.

Re:My god

Oh, don't worry... they can't possibly win this case.

The EULA only enforces certain rules if you want to use the program. If you do not use the program - which would mean running the binaries, if I'm any judge - you may not use the program.

It would be most interested to see whether their EULA contains something along the lines 'this software is provided as-is, and is not fit for any express purpouse' - something similar can IIRC be found in MS Office. That clause would counter and dispel the clause that claims it can not be used in spyware research - regardless of the fact that the program does not have to be running for it to be examined. It doesn't even have to be installed, and the EULA doesn't even have to be read, let alone agreed to.

The package can be extracted, binaries examined... And, if the sued company wants to be evil, they can just claim that any software that forbids the end-user to include it in spyware research (and how in the world would you enforce that rule against NOD32's heuristics and automatic mailing suspicious binaries to their lab really escapes me) deserves to be added to their spyware list. They never had to get past reading the EULA to add the program to their list, so they never would have installed it and, of course, never agreed to the EULA in the first place. If they never installed the program, the EULA is unenforceable.

Finally, proving a negative is not what the US court system is based on, at least from what I've heard about it - innocent until proven guilty (unless it's a terrorism accusation, but I don't really want to troll right now). So the spyware maker has to prove that there was no possible way for the sued company to examine their binaries without agreeing to their EULA. If the sued company can prove that there is at least one way for them to do that, the spyware maker cannot prove that they didn't do it. Innocent until proven guilty.

Hell, I could successfully defend them against this, and IANAL.

Re:My god

The general gist is correct, but "innocent until proven guilty" is a principle that applies to criminal matters, not civil matters.

Re:My god

Ah. the popular "Bend Over" EULA.

Re:My god

Ah.. the popular soviet russia joke...
spywares sue YOU now becomes reality

Next, write this on your T-shirt
"By looking at me, you agree to ...