Lexmark spyware puts hardware in security spotlight

The revelation that Lexmark uses software that monitors customers' printing raises interesting questions for other hardware vendors, says a technology lawyer

Allegations of printer manufacturer Lexmark installing "spyware" will cause hardware companies to reconsider their licensing practices, a leading technology law firm has said.

Experts at law firm Olswang believe hardware companies have to review their data-gathering tactics to play fairly with their customers.

"The issue with hardware vendors is they are a little less far down the line [than other firms]," said Mark Smith, solicitor for Olswang. "The Lexmark thing will make them all think a bit harder. [Data gathering] requires consent. The question is, how clear is that consent? When you are talking about respectable vendors, there needs to be more clarity over what spyware is."

Lexmark and fellow printer firm HP have admitted to ZDNet that they use software to collect information on their customers' printing habits. Although the companies claim that no personal data is collected, the Lexmark program gathers information on things such CPU and button usage.

Smith said that spyware spanned across malware, adware and software, but that there needed to be a clearer definition of what spyware was to solve the problem.

He added that Microsoft was taking the lead on its information-gathering techniques as it provided clear opt-in choices over whether users declared their computing habits.

"With malware there's no question [of malicious intent], but with adware you might agree to it because it adds value to your life," added Smith. "If it's something that redirects my homepage, I am less likely to agree to it. But then there are legitimate licence agreements where you can opt in and opt out of certain parts. Microsoft is switched on and they are pretty responsible."

In a prepared email statement from Lexmark last week, the company said that the program, Lexmark Connect, was a voluntary program that was fully disclosed to users during installation. But the company failed to mention that it provides an opt-out choice box, in which the box is already ticked, rather than an opt-in -- unticked -- box on its installation screen.

Lexmark said, "No personal information is collected. The information collected is simply operating information that will allow Lexmark to understand our customers' printing habits and needs better, such as the number of pages printed, amount of ink used and how frequently product features are used."

"Customers who sign up for this program will receive additional optional surveys from Lexmark, and again this participation is fully voluntary. To discontinue to participation [sic] in this program, the customer can simply go into the Lexmark Solutions Center (the same one used to check the ink gauge, install a new cartridge, etc.) and click on the advanced tab, for instructions to Terminate his or her participation."

Last week, a Usenet news group, comp.periphs.printers, described the software Lexmark was installing on their PCs as "spyware". They said that although the company claimed it took no personal information, the registration form required personal details such as name, address and the printer model number.