Back More
Salem Press

Table of Contents

Privacy Rights in the Digital Age, 2nd Edition

Malware

by Ashley Baker

Identification: Malicious software, or software designed to damage computers or computer networks, or to access information stored within a computer.

Malware can assume many forms, from standard computer viruses to spyware and adware. Individuals may even choose to install malicious software because the malware masquerades as a beneficial program or application. Malware can cause catastrophic damage to a computer’s software, The damage malware can do to privacy may not be as obvious but it is equally, if not more, detrimental.

The threat of malware first became a substantial risk to the casual technology consumer when peer-to-peer networks became increasingly popular among those who were not aware of the harms involved. These networks allowed users to access other computers and servers. The networks were often used for the sharing of digital files, such as music. Eventually, malicious individuals discovered that they could disguise harmful software and use the network to corrupt and disable other computers on the peerto-peer network. One of the first examples of the mass distribution of malware was the music-streaming service Kazaa. Unsuspecting users of the music-sharing networks would inadvertently download files claiming to be MP3 files that were actually malware that would slow down or even destroy their computers. As these threats became more prominent, users became wary of the possibility of downloading malicious software. Today, malware is no longer confined to individuals acting alone on the Internet, nor is it as easy to detect, even for the most perceptive computer users.

Ransomware. (By Palo Alto Networks.)

PRDA2e_p0370_1.tif

Consumers may also encounter malware as a result of interacting with major technology companies. In September 2014, Lenovo, a prominent manufacturer of computers, preinstalled Superfish Visual Search software on its computers. The software—named after its parent company, Superfish—was designed to provide targeted advertisements to Lenovo consumers. The software logged every task in which the user of the computer engaged. It also hijacked the computer’s security system and allowed for third parties to access easily the data on the individual’s computer by altering the security preferences within the user’s Internet browsers. Thus, even information transmitted and stored via browsers such as Firefox, which is known for its substantial security, was not entirely secure. Although the practice of developing and disseminating targeted advertisements alone is controversial—if consumers are unaware of and did not consent to the practice—a preinstalled, undisclosed software is even more controversial, especially if it acts as malware to disable a consumer’s established computer security.

Because of small-time offenders and the undisclosed activities of corporations such as Lenovo, it seems that users of digital technology must always be aware that, if they are utilizing technology, their information may be at risk. Since the beginning of the digital age, efficiently completing basic tasks, whether at home or work, has become almost impossible without connection to the Internet or technology of some kind. Therefore, privacy activists argue that consumers should be compensated for the destruction of their digital privacy just as if someone violated their privacy in a traditional and tangible fashion. To date, the law has not yet evolved to compensate consumers for the transgressions of malware developers. To combat violations of privacy via court action, potential litigants have no law that promises a chance of success within the courts.

There are only two major technology-oriented laws under which claims involving malware currently have a chance of surviving: the Federal Wiretap Act, 82 Stat. 112 (1968), and the Stored Communications Act, 100 Stat. 1848 (1986), both codified in 18 U.S.C. § 2511. The Wiretap Act is a broadly written but strictly constructed piece of legislation. The first section applies to “any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any wire, oral, or electronic communication” (18 U.S.C. § 2511). Under the Wiretap Act, the legal challenge for victims of privacy intrusions as a result of malware is the act’s use of the term intercept. The act itself does not define the term, and courts have been reluctant to construe it beyond its literal definition. For example, in United States v. Turk, 526 F.2d 658, at 659 (5th Cir. 1976), the court interpreted intercept to mean that the retrieval of the data must be contemporaneous with the transmission of the data. Thus, for the act to apply, the malware must access the user’s data at the very moment the user sends or receive the data. Thus, this standard prohibits claims in regard to most invasions of user privacy on computers because the data accessed is usually stored on the computer rather than in the process of being transmitted. There is a small hope, however, for preserving privacy under the Wiretap Act. In United States v. Councilman, 418 F.3d at 13 (1st Cir. 2005), the court held that electronic records, which are not in the state of transmission, would fall under the statute. Yet this trend has not gained momentum because few circuits have decided to adopt this view. Therefore, under the Wiretap Act, distributors of malware have no legal liability.

Malware creators will most likely not be deterred by a claim under the Stored Communications Act, 18 U.S.C. § 2701. This act provides no relief to individuals whose privacy has been negatively affected by malware because the act imposes little in terms of consumer protections. In fact, the act only applies to electronic communication services, which consist only of providers of telephone and email services. Thus, information stored on a personal computer, rather than on a remote server, receives no protection. Therefore, the Stored Communications Act provides no recourse for consumers unless the malware interfered with an email service. Distributors of this harmful software are effectively not deterred from this practice because consumer protection law in this area is so weak.

Similarly, the Computer Fraud and Abuse Act allows for both criminal and civil actions to be brought against distributors of malware that access “protected computers” (18 U.S.C. § 1030). This language seems to provide some protection to information stored on computers. According to the act, however, the only computers covered under the definition of “protected computers” are computers that are “exclusively for the use of a financial institution of the United States Government, or, in the case of a computer not exclusively for such use, by or for a financial institution or the United States government” 1(8 U.S.C. § 1030 (e)(2)(A)). Therefore, most computer users have no legal protection under federal law from the damage caused by malware.

Although federal law offers little protection against malware, twenty states have passed legislation on malware. The coverage and protection in the twenty states vary, and the statutes grant only criminal causes of action. For example, in New York, the malware statute was codified in the penal code and is written broadly. None of the provisions of New York’s Article 156 specifically mention malware or any one of its various forms; rather, Article 156 defines crimes such as “Computer Trespass” in §156.10. Tthe Computer Trespass statute provides that “a person is guilty of computer trespass when he or she knowingly uses, causes to be used, or accesses a computer, computer service, or computer network without authorization and: (1) he or she does so with an intent to commit or attempts to commit or further the commission of a felony; or (2) he or she thereby knowingly gains access to computer material” (NY Penal § 156.10). The sets of broadly written laws in §156 of New York’s criminal codes have allowed for successful lawsuits against those who manipulate computers inappropriately with malware (People v. Puesan, 973 N.Y.S.2d 121 [N.Y. 2013]).

In contrast, the Consumer Protection Against Computer Spyware Act, a California law, provides for a much more specific protection for consumers against spyware. Most significantly, the Spyware Act protects against software that “collect[s], through intentionally deceptive means, personally identifiable information,” Cal. Bus. & Prof. § 22947.2. The act further specifies that software that attempts to prevent the removal of any malicious software or software that “falsely represents that it has been disabled” is prohibited (Cal. Bus. & Prof. § 22974.3). Therefore, computers housed in California are subject to more legal protection than computers within other states.

As the world continuously becomes more digitally oriented, both federal and state laws may evolve, much like California law, to quell effectively the damaging effects of malware upon consumer privacy. As consumers and lawmakers become more aware of the risks associated with various technologies, law and technology will grow in tandem, which will allow for a safer environment in which malicious computer users may not disseminate malware to infringe on privacy rights without retribution.

Further Reading

1 

Christodorescu, Mihai, et al. Malware Detection. New York: Springer, 2006.

2 

Clancy, Thomas K. “Spyware, Adware, Malware, Phishing, Spam, and Identity-Related Crime,” in Cyber Crime and Digital Evidence: Materials and Cases, 2d ed. New Providence, NJ: LexisNexis, 2014.

3 

Hyslop, Maitland. Critical Information Infrastructures: Resilience and Protection. New York: Springer, 2007.

4 

Iannarelli, John. Information Governance and Security: Protecting and Managing Your Company’s Proprietary Information. Waltham, MA: Elsevier, 2015.

5 

Kalafut, Andrew, Abhinav Acarya, and Minaxi Gupta. “A Study of Malware in Peer-to-Peer Networks.” Proceedings of the Sixth ACM SIGCOMM Conference on Internet Measurement (2006): 327–332.

6 

Schwabach, Aaron. Internet and the Law: Technology, Society, and Compromises. Santa Barbara, CA: ABCCLIO, 2014.

7 

Sloan, Robert H., and Richard Warner. Unauthorized Access: The Crisis in Online Privacy and Security. Boca Raton, FL: CRC Press, 2013.

8 

Timm, Carl, and Richard Perez. “Malware Attacks,” in Seven Deadliest Social Network Attacks, tech. ed. Adam Ely. Burlington, MA: Syngress/Elsevier, 2010.

9 

Volonino, Linda, et al. Computer Forensics: Principles and Practices. Upper Saddle River, NJ: Pearson/Prentice Hall, 2007.

10 

Wacks, Raymond. Privacy: A Very Short Introduction. New York: Oxford University Press, 2015.

See also: Computer Fraud and Abuse Act (CFAA); Spyware; Stored Communications Act (SCA)

Citation Types

MLA 9th
Baker, Ashley. "Malware." Privacy Rights in the Digital Age, 2nd Edition, edited by Jane E. Kirtley & Michael Shally-Jensen, Salem Press, 2019. Salem Online, online.salempress.com/articleDetails.do?articleName=PRDA2e_0145.
APA 7th
Baker, A. (2019). Malware. In J. E. Kirtley & M. Shally-Jensen (Eds.), Privacy Rights in the Digital Age, 2nd Edition. Salem Press. online.salempress.com.
CMOS 17th
Baker, Ashley. "Malware." Edited by Jane E. Kirtley & Michael Shally-Jensen. Privacy Rights in the Digital Age, 2nd Edition. Hackensack: Salem Press, 2019. Accessed May 30, 2026. online.salempress.com.