Threats Against Spyware Detectors, Removers, and Critics
Benjamin Edelman - Spyware Research, Legislation, and Suits

[ Threats | Discussion | Disclosures ]

Those who make spyware detection / removal software, or who otherwise write about spyware, have come to receive threats from the companies they detect, remove, and write about. Often these threats are kept private and confidential, but sometimes they become publicly known. This page indexes such publicly-known threats, their dispositions, their apparent basis, and related research and discussion.


Related Projects

180solutions & Affiliate Commissions

Advertisers Using WhenU

WhenU Violates Own Privacy Policy

Documentation of Gator Advertisements and Targeting

"Spyware": Research, Testing, Legislation, Suits

Other Research by Ben Edelman


Threats and Demands

The table below lists threats, demands, and "requests" that certain software providers have made to those who detect, remove, and otherwise write about their products.

Complainant Target Date Complaint / Allegation Status Discussion
Enigma Software Group Bleeping Computer LLC January 2016 Claims of false advertising, trade libel / commercial disparagement, and defamation. Complaint (PDF).

Bleeping Computer's Motion to Dismiss and declaration in support of MTD.

Litigation ongoing.

Bleeping Computer response.

News coverage.

Enigma Software Group Sean G. Doyle March 2014 Claims of trade libel, commercial disparagement, and defamation, as well as violations of hte Lanham Act. Complaint (PDF). PACER docket reports case settled, and litigation dismissed, in September 2014. Settlement terms unknown.  
7Search McAfee, Inc. August 2008 Claims of willful and intentional misrepresentation of 7Search's behaviors, violations of Illinois Consumer Fraud and Deceptive Business Practices Act, Illinois Uniform Deceptive Trade Practices Act, business defamation, trade disparagement, and unfair competition.  

The Register coverage.

Eric Goldman's analysis. John Stottlemire July 2007 Claims a DMCA violation, unfair competition, conversion, and trespass to chattels. Complaint arises out of software that would have deleted deceptively-named files and registry entries from users' PCs, with the effect of allowing users to print more coupons than sought to allow. Complaint (PDF). abandoned the litigation. News coverage. My analysis of's software.
Zango Kaspersky Lab, Inc. May 2007 Claim of tortious interference with contractual rights or business expectancy, violation of Washington consumer protection act, trade libel, and unjust enrichment. Filed in Superior Court in Washington State. Complaint (PDF). Removed to Federal Court.

Kaspersky's response (PDF).

Zango's request for a temporary restraining order was denied (PDF).

Case dismissed on the basis of the Communications Decency Act. Decision (PDF).

Zango PC Tools May 2007 Claim of tortious interference with contractual rights or business expectancy, violation of Washington consumer protection act, trade libel, and unjust enrichment. Filed in Superior Court in Washington State. Complaint (PDF). Removed to Federal Court.

PC Tools' response (PDF).

Zango's request for a temporary restraining order was denied (PDF).

Zango voluntarily withdrew its suit.

180solutions (Zango) Zone Labs November 2005 Claim of trade libel, tortious interference with business expectancies, unfair and deceptive practices, and unjust enrichment. Filed in Superior Court in Washington State. Complaint (PDF), docket. 180 dropped its suit. Zone Labs reports having made no change to its reported classification of 180's software.  
Hotbar Symantec June 2005 Apparent C&D letter seeking that Symantec cease classifying Hotbar as adware. Symantec filed suit seeking a declaratory judgment that it may continue to detect Hotbar as adware. Complaint and attachments (1, 2, 3, 4, 5, 6, 7) (PDF). Symantec dismissed its suit when Hotbar "underst[ood]" that Hotbar will continue to detect Hotbar.

eWeek coverage.

Enigma Software Group Lavasoft (Ad-Aware) October 2004 Claim of false advertising, unfair competition, and tortious interference with business relations, arising out of Lavasoft's detection and classification of Enigma's software. Complaint (PDF). Enigma reports that the case was settled and that Lavasoft no longer detects Enigma's products.  
TrekEight Symantec August 2004 Claim arising out of Symantec's allegedly-false charactierzation of TrekEight software as adware. Unknown. c|net coverage.
Claria (Gator) PC Pitstop September 2003 Claim for false advertising based on "false and misleading statements" including calling Claria's products spyware. Further claims for unfair business practices, trade libel, defamation, interference with contract, and interference with prospective economic advantage. Complaint (PDF). Settled, terms confidential. PC Pitstop statement. PC Pitstop's Gator Information Center continues to discuss Gator at length.

c|net coverage.

Slashdot discussion. Lavasoft (Ad-Aware) May 2003 Suit filed for false advertising and trade libel. Description.

Some claims dismissed under anti-SLAPP rules, after finding Lavasoft's detection protected under the First Amendment. The district court also awarded Lavasoft its attorneys fees and costs.

In January 2005, voluntarily dismissed its pending appeals. However, Lavasoft's August 2004 change log reports removing signatures for

PC Sympathy coverage.
Hotbar Lavasoft (Ad-Aware) April 2003 Suit filed for trademark infringement. Docket (PDF). Docket (PDF) reports suit settled, December 2004. Coverage at Eightball & Thundercloud.
Claria (Gator) Internet Advertising Bureau August 2001 Declaratory judgment suit filed for malicious disparagement and tride libel. IAB had claimed that Gator's business practices infringe the rights of web publishers and do not adequately protect consumers. Case settled, November 2001. c|net coverage.
Demands, Demand Letters, and "Requests"
TargetingEdge Cybereason December 2017 "a few cease and desist letters" demanding that Cybereason cease referring to TargetingEdge software as malware and refrain from publishing research about TargetingEdge Cybereason continues to post research about TargetingEdge, its methods, and its effects ZDNet coverage
Enigma Software Group The Computer Hospital of K-W and MyITtech February 2013 Demand letter (PDF) alleging false and misleading statements in a video posted by YouTube user MyITtech who reviewed Enigma Software Group SpyHunter. Claims that the review constituted false advertising, trade libel, and unfair competition. Demands that the reviewer take down the statements at issue. Target reviewer sent a response (PDF) indicating that he "temporarily suspended" the video with the statements at issue, but noting defenses including Right to Freedom of Speech and youth. Alleges violations of the Privacy Act of Canada when Enigma researched the reviewer's address. Enigma reply (PDF) disputed the reviewer's legal arguments.  
Local Pages Ben Edelman February 2010 Demand letter arising out of web site posting that claimed that certain Local Pages traffic came from spyware/adware and suffered from conversion inflation. Argues that "Local Pages was strictly doing media buys" and claims that Local Pages "is not involved in monetizing adware traffic." Reports that Local Pages lost its contract with InfoSpace as a result of the posting, and that lost revenue exceeds $500,000. Seeks a retraction of the posting. Edelman response argues that the web posting is accurate and carefully documented. Suggests that Local Pages' losses are the result of Local Pages' own business practices, and argues that Local Pages errs in blaming Edelman.  
Zango Zingo Zango July 2007 Demand letter seeking transfer (or other cessation of use) of Claims that is identical or confusingly similar to "Zango." Claims that Zingozango provides "software which removes software produced by Zango." Zingo Zango posted a response. Disputes Zango's claim that Zingozango distributed software to remove Zango. Disputes Zango's claim that the domain is identical to or confusingly similar to Zango's trademark, and argues that the domain was never registered or used in bad faith.  
Enigma Software Kaspersky Lab, BullGuard LTD, Ikarus, SoftWin, GData, Ewido, Esafe, Fortinet July 2007 Demand letters and press release claiming SpyHunter "is not a security threat" and describing detection of SpyHunter as "precipitous and ill-conceived."    
Enigma Software Ikarus Software May 2007 Demand letter claiming "no justification for listing SpyHunter as a Fraud Tool or any other kind of threat."    
DeskMates Safer Networking (Spybot) May 2007 Demand letter seeking that Spybot cease detecting DeskMates software, issue a public apology, delete correspondence with users who had received the software. Spybot continues to detect DeskMates software.  
Enigma Software Symantec, Malwarebytes, SecurityCadets, MalwareTeks, Temerc April 2007

Press release claiming an "anticompetitive campaign" by those who criticize Enigma's software. Requests "a neutral open discussion" of Enigma practices, and requests that participants provide their names, addresses, and phone numbers.

Specifically targets Symantec for a cease and desist letter, arising out of Symantec's classification of Enigma's software as a "severe" "security risk."

Security Cadets had criticized forum spamming promotion of Enigma software. Temerc's Malware Advisor and MalwareTeks noted the same problem at Digg. MalwareTeks concluded that Enigma's software should be listed as a rogue application. All pages remain available. Vitalsecurity coverage.
Starware (Miva) Cloudeight Internet March 2007 Demand letter claiming "untruthful, disparaging statements." Cloudeight reply letter indicates that the page will remain available. Reply notes that multiple anti-spyware programs classify Starware unfavorably, and that Starware is advertised by spam. Cloudeight's Starware page remains available.  
Hula Direct Ben Edelman June 2006 Cease and desist letter claiming defamation and tortious interference with business relations, arising out of an article on the Edelman site. Article criticized Hula practices of buying traffic from spyware vendors and showing multiple banner ads, often overlapping, generally with automatic reloads to increase advertisers' costs. Called article's allegations "baseless and entirely false." Article remains available. Additional documentation and proof posted -- including additional screenshots and packet logs demonstrating direct relationships between Hula and spyware vendors; including another Hula site participating in a chain of spyware-delivered click fraud.  
Internext Media, ABCsearch, Daniel Yomtobian Webdefenders June 2006 Cease and desist letter claiming defamation arising out of an article on the Webdefenders site. Article criticized Xupiter (made by Internext Media principal Daniel Yomtobian) and calls Xupiter spyware, critiqued certain Yomtobian web sites (alleged to be misleading), alleged that Yomtobian runs certain pornography and gambling web sites, presented a link between Yomtobian and notorious spyware DealHelper, and rebutted claims in Yomtobian press releases. Webdefenders staff removed the article from their site, replacing it with a note explaining that they had done so under duress and that they stood by their findings, but that they lacked resources to defend themselves against Yomtobian's threats. I have summarized key findings in the removed Webdefenders article.
Oemtec (SpySpotter) May 2006 Cease and desist letter claiming "malicious intent," deception, and interference with business relationships. 2-spyware site characterized SpySpotter as "ineffective" and "produc[ing] false positives," reporting the results of their hands-on tests. 2-spyware site preserves original material as well as the Oemtec letter.  
Cassava (CasinoOnNet) Sunbelt Software December 2005 Letter requesting removal from Sunbelt's "adware" classification, with threat of legal action if the classification remains. Claims not to be adware because software is required for use of Cassava's gambling service, because no third-party ads are shown. Sunbelt reports that an investigation and response are forthcoming.


Accoona Sunbelt Software November 2005 Letter claiming false and misleading representations of fact, violations of the Lanham Act, trade libel, unfair competition, and unfair business practices, Demands removal of all classifications of Accoona software as "adware," and demands issuance of a notice of correction. Sunbelt reports that an investigation and response are forthcoming.


November 2005 Complains of "false screenshots" on Kephyr's Installation Practices research site. Links and reports remain posted. Sunbelt responds by defending its findings, concluding that "we will not post a correction, since there is nothing to correct."


Sunbelt Software

Complains that Sunbelt blog "contains false statements about" Demands removal.
Spyware Warrior Complains that Spyware Warrior site's "180solutions in 365 Days" links to, which is in turn claimed to "contain false statements."
Spymon all "antispy or antivirus software house[s]" October 2005 License agreement specifically forbids "examination ... by anyone who works for ... an AntiSpy or AntiVirus software ... company." Claims civil and criminal penalties for violation. Further claims by author. Demand for delisting sent to Sunbelt. Sunbelt continues to detect Spymon.

c|net coverage.

Spyware Warior coverage.

Hotbar unknown magazine July 2005 Threat to sue magazine that published an article describing Hotbar as "spyware/adware." Magazine described as "caving in" to write "a very nice, flattering and flashy piece on Hotbar," thereby avoiding suit. SpywareInfo discussion.
Direct Revenue Sunbelt Software May 2005 Cease and desist letter (PDF) claiming "misleading and inacurate statements" that "damage the credibility" of Direct Revenue. Sunbelt Blog says Sunbelt continues to detect and offer to remove Hotbar. Sunbelt's reply letter agrees to describe Direct Revenue as adware.  
Hotbar Sunbelt Software May 2005 Cease and desist letter demanding that Sunbelt cease detecting and removing Hotbar software. Original letter (PDF). Sunbelt Blog says Sunbelt continues to detect and offer to remove Hotbar. Sunbelt's reply letter (PDF). Broadband Reports discussion.
Claria (Gator) McAfee April 2005 "Request" that McAfee change its detection criteria in certain ways that tend to favor Claria. Complaint also mentions McAfee's prior listing of Claria as a "top threat of 2004." Press release issued in which McAfee "acknowledged that Claria ... [is] not malicious." However, McAfee continues to detect Claria software as "adware" and continues to describe Claria's advertisement features.  
IBIS BillP Studios / WinPatrol April 2005 Cease and desist letter (PDF) claiming that WinPatrol was "developed with clear intention of harming IBIS," and demanding that WinPatrol cease detecting IBIS software. Claims that WinPatrol's statements are false and defamatory. Letter posted to WinPatrol web site. WinPatrol continues to detect IBIS software.

Broadband Reports discussion.

CastleCops discussion.

Simply Super Software Cease and desist letter claiming that Simply Super's Trojan Remover was "developed with clear intention of harming IBIS," and demanding that Simply Super cease detecting IBIS software. Claims that WinPatrol's statements are false and defamatory. Specifically threatens legal action. Simply Super staff indicate that they will continue detecting IBIS software.
180solutions Intermute April 2005 "Dispute." Specifics unknown. Disposition unknown. Network World coverage.
Hotbar Javacool Software March 2005 Cease and desist letter demanding that Javacool cease detecting and removing Hotbar software. Javacool blog gives a response and appendix, indicating that Javacool will continue to detect Hotbar.  
180solutions Sunbelt Software March 2005 Request that whitepaper be removed. Whitepaper discussed 180solutions installation practices and failure to obtain consent before certain installations. Whitepaper no longer posted on Sunbelt site. Network World coverage.
Cydoor Broadband Reports March 2005 Email requesting classification as "mild adware." Disposition unknown. No Broadband Reports reply is apparent. Cydoor email widely critiqued by Broadband Reports forum discussants. Broadband Reports discussion.
Direct Revenue Eric Howes March 2005 Letter (PDF) demanding removal of description of Direct Revenue software and effects. Howes reply letter (PDF). Howes' rogue applications page continues to describe Direct Revenue practices, albeit in a "de-listed applications" section. Spyware Warrior coverage.
Claria (Gator) Computer Associates (PestPatrol) March 2005 Appealed PestPatrol classification. Claria was temporarily removed from detection database, then re-added. New classifications repeatedly add "spyware" where Claria was previously classified only as "adware."

MediaPost coverage.

Broadband Reports discussion (1, 2)

iDownload CastleCops February 2005 Letter claiming "inaccurate classification" and "false disparag[ement]." Castle Cops reply letter. Castle Cops continues to discuss iDownload's installation practices, license, and effects.

Inquirer coverage.

TechWeb coverage.

Windows Secrets coverage.

Broadband Reports discussion.

Slashdot discussion.

Spyware Guide Letter. Specific contents unknown. Disposition unknown. (reference)
Spyware Warrior Letter claiming "inaccurate classification" as malware. Spyware Warrior reply letter.
Sunbelt Software Letter. Specific contents unknown. Sunbelt Software reply letter (PDF). Sunbelt continues to describe software from iDownload (iSearch).
eblocs Tired-of-spam February 2005 Email claiming "defamatory statements" and demanding removal of contact information for eblocs. Tired-of-spam site still discusses eblocs advertising practices and user complaints, and still gives eblocs contact information.  
Hotbar Eightball & Thundercloud February 2005 Letter claiming "misrepresent[ation]" of Hotbar as "spyware/adware or any other kind of undesirable software." Claims of damaging goodwill, diluting and tarnishing trademark, interfering with contractual relations, libel, and fraudulent misrepresentation. Eightball reply letter. Discussion of Hotbar still present on site.  
Enigma Software Group (Spyhunter) Spyware Warrior May 2004 Email reporting being "upset" and "disturbed" at statements on target's web site. Requests removal of references to Enigma Software Group and its products. Spyware Warrior reply email. Spyware Warrior continues to discuss Enigma Software Group and its products. CounterExploitation March 2004 Letter claiming "false and misleading statements" and provision of "improper" removal instructions. References pending legal action against others. CounterExploitation reply letter. CounterExploitation continues to discuss installation practices, compatibility problems, effects on infected PCs, and removal procedures.  

This listing includes revisions explicitly mentioning duress or perceived threat from the makers of the software at issue. For example, this listing would include the action taken by a researcher who removes an article, stating that such removal is "at the request" of a software provider discussed in the article. However, this listing does not include revisions made without any statement of the reason for revision. For example, this listing would not include a detection service de-listing a software provider if the detection service gives no reason for the de-listing.

Please send suggested additions.


Return to top


Reminiscent of "good samaritan" laws, certain proposed anti-spyware legislation seeks to alter the legal standards governing anti-spyware vendors' classification of unwanted software.


Return to top


My interest in spyware originally arose in part from a prior consulting engagement in which I served as an expert to parties adverse to Gator in litigation. See Washingtonpost.Newsweek Interactive Company, LLC, et al. v. the Gator Corporation. More recently, I have served as an expert or consultant to other parties adverse to spyware providers.


Last Updated: February 21, 2018 - Sign up for notification of major updates and related work.