Sneakwrapping a virus

In contrast, Symantec Security Response posted an advisory that it was aware "of a widespread e-card" with worm-like characteristics but did not classify it as a malicious threat. (At the same time, Symantec was treating the Cytron or Ortyc trojan -- another e-card virus that FriendGreetings was probably imitating -- as a serious security threat, even though the Cytron adware was downloaded in a very similar fashion but with no EULAs or spamming of Outlook contacts.) Because the second EULA "explicitly states that by accepting the agreement, you are authorizing the software to send an e-mail to all contacts," Symantec saw no reason to offer its customers the ability to detect files associated with the FriendGreetings download. Customers who wanted to remove those files were directed to a FriendGreetings page which, like the rest of the FriendGreetings.com site, was soon inaccessible. Only after the problem was dying down the next week did Symantec tell me they would respond to customer complaints and post information about how to deal with the virus.

Much of the discussion on the Internet about the attack reflected the same notion that the warning in the EULA meant that FriendGreetings was guilty of nothing more than a somewhat unethical type of viral marketing. People I know to be otherwise quite sane expressed the idea that this just shows you have to read all the EULAs carefully.

What? Wake up, folks. Call it a virus, worm, trojan, or whatever; the FriendGreetings e-mail was a sinister, deceptive attack in clear violation of federal computer fraud and data security laws. It was still not clear at press time what the real purpose behind FriendGreetings was -- perhaps it was an attempt to plant pop-up ads for porn sites similar to the Cytron virus, or maybe it was just harvesting e-mail addresses for spammers. Whatever the intent, the e-card was a false pretense.

Reading all EULAs carefully isn't the answer. The essential idea of sneakwrap, be it from spammers or Symantec, is to get this stuff past you, and they'll do whatever it takes(see " Can you really click no ," April 22). If you'll read one EULA, they'll start giving you two. If you'll read two EULAs, they'll give you three, or render them in 2-point type or Latin or whatever.

Stating in a license agreement that you're going to commit a crime doesn't give you the right to do so. Yet it seems that's what some software companies would have us believe. Why else would Symantec seem to care more about upholding the sanctity of some fly-by-night operation's EULA than helping its customers deal with a real security threat? What if the FriendGreetings' EULA had said they were going to erase your hard drive too? Would Symantec still say that's not a security threat? Hey, you agreed to it.

The real lesson of the FriendGreetings attack has to be that sneakwrap is no way to run a railroad. We can't let license agreements that no one has the time to read be the basis of Internet commerce. If we do, it will mean only those with something to hide will ever feel safe and secure.