What packages do this?
I was thinking that a simple way this would be illegal in the US would be
"[accessing] a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer"
See a2C here: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#C...
I'd assume you can make a decent case that the person only authorized the installation of a piece of software, not the gathering of identifying information.
IP addresses can be used as identifying information especially when paired with a timestamp.
Being an American citizen living in the US I would not want my name on this paper.