
Outcome of review of the legislative framework on spyware

This document provides the outcome of the Government's review of existing Australian laws and their coverage in respect of the malicious practices associated with spyware.

1. General information about spyware

Spyware has emerged as a significant public policy issue, raising concerns for the privacy and security of consumers and businesses in the online environment. The term 'spyware' is often used to cover a broad range of software, capable of being used for both good and bad purposes.

1.1 What is spyware?

Spyware is computer software that is designed to secretly collect information from a computer and send it elsewhere. It can also be software that changes settings and interferes with the performance of a user's computer.

Increasingly, spyware is being used in ways that harm the security and privacy of Internet users. The information collected by spyware is often used to commit identity theft, fraud, industrial espionage and anti-competitive behaviour. Different forms of spyware may scan files for credit card or other personal information, record and transmit keystrokes, report on which Internet sites are visited, force the user to go to a particular website or even covertly turn on a computer's web camera to literally spy on the computer's user.

Spyware is computer software used in harmful and intrusive ways. The programs are not harmful in themselves, and in fact many of the same software components used by spyware can be employed to benefit computer users or to protect their security. Examples include software that enables automatic security updates, Internet banking services and the blocking of access to offensive websites. Where spyware differs from legitimate software is the use that it is put to. A response to the spyware problem needs to target malicious and inappropriate uses of the technology, rather than the software itself.

1.2 Attributes of malicious spyware

Common attributes of spyware used for malicious purposes include the following. It:

  • secretly gathers information about a user and sends the information elsewhere;
  • modifies computer settings and user preferences without the permission of the user;
  • steals computer resources;
  • is difficult or impossible to remove; and
  • may be installed on a computer without the user's knowledge or consent.

1.3 Extent of the spyware problem

  • There are currently no statistics specific to Australia. During 2004 there was a substantial increase in the amount of spyware circulating on the worldwide Internet and ending up on users' computers.
  • A study undertaken in the United States of America by the National Cyber Security Alliance indicates that over 90 per cent of Internet-connected computers have forms of spyware installed on them.

1.4 How spyware is installed on a computer

There are a number of ways by which spyware may be installed on a computer, often without the knowledge or consent of the user. Spyware may be installed when software or other programs are downloaded from the Internet or when a user opens attachments in emails.

  • There are also instances of spyware being installed via computer viruses or other security breaches. Computers that do not have up-to-date Internet security tools such as firewalls and anti-virus software are more likely to be infected with spyware.

1.5 Symptoms of spyware

Spyware runs in the background during normal computer use and is often not apparent to the user. There are, however, some signs that may indicate the presence of spyware. These include:

  • the appearance of random error messages;
  • continual redirection to unwanted websites;
  • unusual telephone charges;
  • disablement of security software;
  • inability to connect to the Internet; and
  • slow Internet and computer performance.

1.6 Removing and preventing spyware

Spyware can be dealt with through technical measures similar to those used to respond to other e-security threats such as spam, phishing and worms. There are a number of freely available and commercial tools that detect, remove and prevent spyware. These are accessible on the Internet or obtainable through retail outlets. Anti-spyware programs should be maintained and updated regularly.

Other practical actions that may be taken to improve computer security are set out in the Internet Security Essentials brochure available online at the DCITA website.

2. Legislative review findings

In August 2004, the Minister for Communications, Information Technology and the Arts initiated a review of the legislative framework in Australia to determine the extent to which current laws apply to the most serious and malicious spyware activities. The review focussed on the undesirable behaviours and practices associated with the use of spyware rather than particular technologies or software.

The Department of Communications, Information Technology and the Arts led the review and advice was provided by the Attorney-General's Department and members of the Action Group into the Law Enforcement Implications of Electronic Commerce (AGEC – a working group of Commonwealth law enforcement, regulatory and revenue agencies). This advice covered the following legislation:

  • Australian Securities and Investments Commission Act 2001 (Cth) and the Corporations Act 2001 (Cth)
  • Criminal Code Act 1995 (Cth)
  • Privacy Act 1988 (Cth)
  • Criminal Law Consolidation Act 1935 (SA)
  • Telecommunications Act 1997 (Cth)
  • Telecommunications (Interception) Act 1979 (Cth)
  • Trade Practices Act 1974 (Cth)

2.1 Definition of spyware

For the purposes of the review, spyware was defined as:

"any software application that is generally installed without the knowledge or consent of the user, to obtain, use or interfere with personal information or resources, content or settings for malicious or undesirable purposes".

2.2 Key findings

The advice received indicates that most serious and culpable uses of spyware do constitute criminal offences under existing legislation. These behaviours include:

  • deceptive conduct;
  • Internet banking fraud;
  • unauthorised access;
  • content modification;
  • invasion of privacy;
  • browser hijacking;
  • cyber-stalking;
  • computer hijacking;
  • theft of computer software, resources and bandwidth;
  • anti-competitive conduct;
  • denial of service attacks;
  • impairment of security;
  • damage to computer settings;
  • cyber-harassment;
  • identity theft; and
  • harvesting and collection of personal financial information.

The coverage of particular laws is outlined below.

2.2.1 Criminal Code Act 1995 (Cth)

  • Internet banking fraud
  • browser and computer hijacking
  • cyber-stalking and cyber-harassment
  • theft of computer hardware, software, resources and bandwidth
  • impairment of computer security
  • collection and misuse of personal financial information

The computer offences set out in the Commonwealth Criminal Code appear the most applicable to the malicious behaviours associated with spyware as far as they relate to fraudulent activities and damage caused by spyware including:

  • attempting to commit a serious offence (such as fraud) using a telecommunications network;
  • unauthorised access, modification or impairment of data, information or programs with intent to commit a serious offence;
  • causing unauthorised modification of data, information or programs to cause impairment – including the reliability, security or operation of the data, information or programs;
  • unauthorised impairment of electronic communication;
  • unauthorised access to or modification of restricted data – data held on a computer and to which access is restricted by an access control system (such as passwords etc) associated with the function of the computer;
  • possession or control of information with the intention to commit or facilitate a computer offence;
  • producing, supplying or obtaining data with intention to commit or facilitate a computer offence;
  • dishonestly obtaining, possessing, supplying, using or dealing in personal financial information without consent; and
  • intentionally using a carriage service to menace, harass or cause offence.

2.2.2 Trade Practices Act 1974 (Cth)

  • misleading, deceptive and anti-competitive conduct

Some malicious software applications are specifically designed to use keywords that trigger the modification of the content of incoming and outgoing email messages as well as the content of webpages that a user may visit. In other cases a user can be re-routed from a requested website to a different website or be confronted with malicious pop-up windows. Where conduct is misleading, deceptive or unconscionable in trade or commerce, or otherwise amounts to anti-competitive behaviour, the Trade Practices Act provides remedies.

Application of the Trade Practices Act is also dependent upon the content of any associated terms and conditions. A significant issue commonly associated with spyware is where a consumer is or is likely to be misled or deceived by dishonest statements. These statements can be made in or omitted from terms and conditions, privacy statements or in other situations. Relevant case law exists in relation to disingenuous terms and conditions.

2.2.3 Australian Securities and Investments Commission Act 2001 (Cth) and Corporations Act 2001 (Cth)

  • misleading and deceptive conduct

The Australian Securities and Investments Commission Act and the Corporations Act will apply in certain circumstances relating to misleading or deceptive conduct.

2.2.4 Privacy Act 1988 (Cth)

  • invasion of privacy
  • harvesting and collection of personal financial information

The Privacy Act outlines minimum requirements in relation to collection, use and disclosure of personal information, data quality, access and data security (through the National Privacy Principles – NPPs). The Act is technology neutral, regulating personal information contained in 'records' whether in paper or electronic form.

The Privacy Act regulates many private sector organisations. In particular, NPP1 provides that an organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way, and NPP2 sets out the general rule that an organisation may not use or disclose personal information unrelated to the primary purpose of collection except in certain circumstances.

The collection and subsequent use or disclosure of personal information through the use of spyware may constitute a breach of the NPPs.

2.2.5 Criminal Law Consolidation Act 1935 (SA)

  • identity theft

South Australia is the first Australian jurisdiction to legislate against identity theft. It is anticipated that the Model Criminal Code Officers Committee will make recommendations to the remaining states and territories about model identity theft offences and these are likely to be based on the South Australian Criminal Law Consolidation Act.

The South Australian Criminal Law Consolidation Act makes it an offence to possess personal identification information that enables a person to assume a false identity or to exercise a right of ownership that belongs to someone else, to funds, credit, information or other financial or non-financial benefit.

2.2.6 Telecommunications Act 1997 (Cth)

  • applies to some use of personal information

The Telecommunications Act does not appear to have coverage in relation to spyware except to apply to the handling of personal information by telecommunications carriers, carriage service providers and Internet service providers.

2.2.7 Telecommunications (Interception) Act 1979 (Cth)

  • collection of data and other information

The Telecommunications (Interception) Act generally prohibits the interception of communications, meaning the listening to or recording of a conversation or message, or any part of one, in the form of data or text, visual images and signals or any other form, being carried over the national telecommunications system. It could apply to the collection of data and other web browsing information by means of spyware applications.

2.3 Conclusion

The advice received during the review indicates that spyware-related malicious activities are covered by existing laws. The responsibility for the enforcement of existing laws considered under the review falls within the jurisdiction of the relevant enforcement agencies.

The malicious behaviours typically associated with spyware such as fraud, industrial espionage, privacy invasion and anti-competitive conduct are covered by legislation including the Criminal Code, the Privacy Act and the Trade Practices Act.

4. Further information

For further information about the spyware legislative framework review, or spyware in general, please contact:

Manager
Online Policy
Department of Communications,
Information Technology and the Arts
GPO Box 2154
CANBERRA ACT 2601

Telephone: 02 6271 1259

Email: spyware@dcita.gov.au

For media inquiries, please contact:

Manager
Corporate Communications
Department of Communications,
Information Technology and the Arts
GPO Box 2154
CANBERRA ACT 2601

Telephone: 02 6271 1362


Footnotes

America Online and the National Cyber Security Alliance, AOL/NCSA Online Safety Study, www.staysafeonline.info/pdf/safety_study_v04.pdf (File size: 44Kb), October 2004

More information on AGEC can be found at www.austrac.gov.au/text/whole-of-government/ecommerce.html

A serious offence is an offence that is punishable by imprisonment for a period of five or more years.

The Model Criminal Code Officers Committee was established to develop a Model Criminal Code for all Australian jurisdictions and is comprised of expert officers from the states, territories and Commonwealth.

  • Document ID: 24940
  • Last modified: 6 February 2008, 11:18am