,
Pop-up ads have already inspired civil lawsuits. Here's how federal computer crime law and the USA-PATRIOT Act could put obnoxious advertisers in the pokey.
Regular readers of this column know that I have criticized government efforts, such as those expressed in the USA-PATRIOT Act, to expand the scope of the criminal law jurisdiction of the government, and to criminalize activity that is and should be lawful. However, a growing phenomenon is giving me cause to re-think this approach -- a phenomenon that I'm beginning to think should bring upon it the full weight of federal criminal law. I refer, of course to that ubiquitous and annoying bane of the Web, the pop-up ad.According to the Gartner Group, over five-million pop-up ads were delivered in September of this year, up from more than one million in January. Just as the person propagating computer viruses faces potential criminal prosecution, the author of the code directing the pop-up ad should face similar sanctions. For what are pop-up ads but unwanted, unwarranted pieces of computer code, delivered through my unsuspecting browser, that cause my computer to do things I don't want it to do, and cost me time, energy, and in some cases, loss of data when I have to reboot to remove them. In terms of victim impact, is this fundamentally any different than a computer virus?
There have already been a series of lawsuits by companies like The Washington Post, UPS, Weight Watchers, and Extended Stay America arguing that by reading the content of user's web pages and inserting ads for competing products, companies like Gator Corp. and WhenU.com are interfering with their business relationships and copyrights. The lawsuits essentially say, when I click the URL for Weight Watchers, I don't want an ad for Jenny Craig.
The companies complain that Gator clients are getting a "free ride" on their advertising. Gator fired back earlier this month by filing a lawsuit in San Francisco against Extended Stay America, arguing that the blocking of Gator's pop-up ads interferes with the rights of Gator customers.
Fundamentally, there are two types of pop-up ads. The first type, the type in the Gator lawsuits, are context specific. The user downloads and installs Gator and the GAIN advertising service and agrees to the terms of service. The software then monitors the user's browsing activity, and based on the Web page, pops up a small ad for a competing product that paid a fee to Gator.
Counter Coupons
Ever been at the grocery story buying Gleem toothpaste and wind up with a coupon automatically printed out for Crest? It's the same concept. Because the pop-up ads target users with a predisposition to buy a particular product or service, the click-through rates are relatively high.
For civil litigation purposes, these ads may be "piggybacking" the good will of the website, but they do so with the actual or constructive consent of the user, and present little in the way of possible criminal activity.
The second type of pop-up comes when a user simply browses to a website seeking content, and the site automatically opens another browser window -- and another, and another, and another -- sometimes effectively "mousetrapping" the user. While some browsers like Mozilla, and some third party software. may block such pop-ups, the fundamental nature of these ads is that they cause the user's computer to do something the user has not consented to. In some cases, the pop-up can only be removed by rebooting. In at least a few cases, the pop-up ad even sends a script to the browser changing the default home page preferences.
It is these types of ads that may give rise to criminal liability.
Computer viruses and worms are illegal under federal law because they (1) access a computer without authorization; and (2) cause damage to the affected computer. Indeed, the federal computer crime statute, 18 U.S.C. 1030 (a)(5)(A)(iii) makes it a criminal offense to intentionally access a protected computer without authorization and as a result of such conduct cause damage and loss to one or more persons during a one year period aggregating at least $5,000.
Computer code transmitted through my browser clearly "accesses" my computer in the sense that it makes use of my computer recourses, and causes my computer to run a process. Similarly, the kind of "damage" caused by the access need not be physical damage -- altering, modifying, or deleting information or processes is sufficient to constitute "damage."
Assault by JavaScript
In addition, courts have taken a liberal approach to defining "loss" -- while simple loss of privacy may be insufficient to constitute actionable loss, loss of computer time, personnel time, and costs of detection, repair and prevention can all be aggregated toward the $5,000 threshold. In fact, in the USA-PATRIOT Act, Congress made it clear that even slight loss to many people can be aggregated over a one year period to create a criminal offense.
The main issue for pop-up ads is one of consent -- or as the statute describes, "authorization." By pointing my browser to a particular Web page, I expressly or impliedly permit certain things to occur. I permit a local copy of page's content to be made and displayed on my computer. I permit (or can configure my browser to permit) certain applets or active-x controls to run on my machine. I may permit a cookie to be stored on my computer. I may also permit certain information about my computer (such as the type and configuration of my browser) to be sent to the Web server.
But does the fact that I allow certain things to be done to my computer imply that a Web server is authorized to do anything it wants to my machine? Clearly not. If a Java applet had the ability to wipe files from my hard drive, the fact that it can do so does not imply that I have authorized it to do so. What about code delivered from the Web page that is designed to slow my computer down? That's indistinguishable from the behavior of some computer viruses, and I never consented to running that code.
So the pop-up ad "infects" my computer without my consent, causes it to do something I don't want it to do, and that causes me to waste my time either closing the windows, rebooting the machine, or in many cases, simply slowing down my computer. If you aggregate the millions of pop-ups and the millions of users, a productivity loss of more that $5,000 is easy.
Thus, it seems, pop-up ads fall squarely within the definition of a computer crime. Realistically, a criminal prosecution is unlikely, but if I were advising companies about the lawfulness of such ads, I'd suggest they find a more clearly legal way to promote their products. Somewhere right now a federal prosecutor is clicking franticly at a breeding cascade of tiny browser windows, and grumbling.