Well legalities are more or less moot with these kinds of things. And as I
understand it, this was code inserted by a malicious developer and as such I
would assume the users did not agree to having their machines used this way.
And
I would further assume that the software company in question removes it
swiftly and apologizes, which according to that article they did.
Now of course, if the program EULA or whatever explicitly said that this
would be done and the user agreed to that, well that's another matter, and I
see no issue with that, legal or otherwise.
