[Friends-only] The legal implications of virus tracking

A while ago, Shelly’s computer was hit by a nasty piece of malware, which I wrote about in great length in my LiveJournal here. I removed the malware, and wrote up an extensive report about where it came from, how it was installed, how it operates, and most important, who makes money from it. This entry received hundreds of replies, has been linked to from spamfighting and virus-fighting forums,a nd prompted me to put it up on my Web site here, where it generates tons of emails.

One of those emails was from a person claiming to have worked for a company that writes this stuff. This email fills in some of the gaps in the backtracking I did, and names names. The information in the email seems to check out–for example, the company in question is a known source of drive-by spyware and adware, as detailed by Computer Associates here, so I put it up on the VX2 site.

Imagine my surprise when I get hit by a demand letter from a Canadian attorney (note: PDF file) telling me to take the page down and release information about the person who emailed me.

Fun, fun, fun.

So I’ve spent most of the day today on the phone with lawyers. I’ve taken the email off my site, and told the lawyer I’m not giving him any more information about its source; we’ll see what happens next.

On the one hand, it’s extremely difficult and expensive for a Canadian to sue an American. On the other hand, the guys who make spyware and adware do get very, very rich from it. So we’ll see.