
There's a lot in the Superfish / Lenovo / Komodia spyware which seems to violate Federal law in the US and the California Penal Code.

Specifically:

18 USC 1030

http://www.law.cornell.edu/uscode/text/18/1030

In part:

a) Whoever ...

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer;

California's statute (applicable to Superfish) is CPC 502

http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&gr...

The statute's verbose, but much of the following looks promising:

-------------------------------------

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

(3) Knowingly and without permission uses or causes to be used computer services.

(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.

(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.

(6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.

(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

(8) Knowingly introduces any computer contaminant into any computer, computer system, or computer network.

(9) Knowingly and without permission uses the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages or posts and thereby damages or causes damage to a computer, computer data, computer system, or computer network.

-------------------------------------

I'd say the US and CA AGs should be reviewing relevant statutes and priming action.




Almost all of those have the phrase "and without permission", which I think is going to be one of the crucial points here. According to Lenovo, Superfish is not installed if the user doesn't accept its license agreement, so depending on what exactly that agreement says (I haven't seen it), showing a lack of permission might be difficult.

The "computer contaminant" clause is interesting, however, because it doesn't have that phrase.


Just because the computer industry loves to throw contracts of adhesion around doesn't make them legal. This kind of "gotcha" contract is the stuff of scams that hope to take advantage of the customer.

The customer paid money for a laptop, and that carries certain expectations, such as the laptop being safe to use. The customer may have agreed to some conditions, but it will be very hard to argue that there was a "meeting of the minds" with regards to the customer giving permission to disable some of the most important security features.


The computer industry throws around contracts of adhesion because they are legal.


There's also a reason why every contract has a severability clause. There are certain things you cannot legally do, even if you have a contract saying you can do them. This is pretty close to that border IMO, but such situations really come down to the judge.


Not all terms in all contracts are legal.

I'm also curious as to why individuals cannot simply toss contracts of adhesion back at vendors.

A standard for this, in which a standard reference format links to your terms, on an "included by reference" basis, stating what terms are and are not accepted, might create some interesting courtroom drama.



